Where to write the logic for read manipulation

a - An IRP_MJ_READ/IRP_MJ_WRITE IRP has the byte offset of the operation
in the IO stack location. You’ll need to determine the block size
(there’s a disk I/O control you can use for this if you’re above the
disk driver, otherwise you need to send a READ_CAPACITY SRB to the
device) to compute sector number from byte offset.

b - You can assume all disk I/O is direct I/O. And you’re correct that
you can’t modify the data being read until it’s been read, so you’ll
need to do your modification in the completion routine. Note that your
filter’s completion routine will almost always be called at
DISPATCH_LEVEL so you’re processing can’t require touching paged memory
or calling system APIs that do so.

-p


From: xxxxx@lists.osr.com
[mailto:xxxxx@lists.osr.com] On Behalf Of Amitrajit
Banerjee.
Sent: Tuesday, June 14, 2005 11:11 PM
To: Windows System Software Devs Interest List
Subject: [ntdev] Where to write the logic for read manipulation

Dear ppl,

a. How can I find out the sector number of a disk being read or written
to? Something similar to what sysinternals Diskmon does. I am attaching
my driver to Disk.sys.

b. If I want to manipulate data fetched from the disk, before they are
passed on to the driver above me, how do I do it? IRP_MJ_READ is a
request to fetch the data, ultimately, disk.sys gets the data for it and
puts it in the MDL (depending on whether it is DIREcT_IO or not).
So is it true that I have to wait till the data is fetched, that is, I
have to write my manipulation logic in the Irp completion routine,
rather than in the major function?

best Regards,

amitr0

Note:-

  1. Spelling Mistakes and Grammatical Errors, If Any, Are Regretted.
  2. Kindly Acknowledge This Mail At The Earliest.
  3. This E-Mail Might contain Confidential information. If You Are Not
    Entitled
    To View it, Please Delete The Message Immediately And Inform Me.
    Thanking You,
    Amitrajit Banerjee.

http: — Questions?
First check the Kernel Driver FAQ at
http://www.osronline.com/article.cfm?id=256 You are currently subscribed
to ntdev as: unknown lmsubst tag argument: ‘’ To unsubscribe send a
blank email to xxxxx@lists.osr.com</http:>

If the OP wants to modify/examine sector based disk IO operations
perhaps he should be a LOWER filter driver for physical disks and should
be looking at IRP_MJ_SCSI and not READ/WRITE.


From: xxxxx@lists.osr.com
[mailto:xxxxx@lists.osr.com] On Behalf Of Peter Wieland
Sent: Wednesday, June 15, 2005 11:50 AM
To: Windows System Software Devs Interest List
Subject: RE: [ntdev] Where to write the logic for read manipulation

a - An IRP_MJ_READ/IRP_MJ_WRITE IRP has the byte offset of the operation
in the IO stack location. You’ll need to determine the block size
(there’s a disk I/O control you can use for this if you’re above the
disk driver, otherwise you need to send a READ_CAPACITY SRB to the
device) to compute sector number from byte offset.

b - You can assume all disk I/O is direct I/O. And you’re correct that
you can’t modify the data being read until it’s been read, so you’ll
need to do your modification in the completion routine. Note that your
filter’s completion routine will almost always be called at
DISPATCH_LEVEL so you’re processing can’t require touching paged memory
or calling system APIs that do so.

-p


From: xxxxx@lists.osr.com
[mailto:xxxxx@lists.osr.com] On Behalf Of Amitrajit
Banerjee.
Sent: Tuesday, June 14, 2005 11:11 PM
To: Windows System Software Devs Interest List
Subject: [ntdev] Where to write the logic for read manipulation

Dear ppl,

a. How can I find out the sector number of a disk being read or written
to? Something similar to what sysinternals Diskmon does. I am attaching
my driver to Disk.sys.

b. If I want to manipulate data fetched from the disk, before they are
passed on to the driver above me, how do I do it? IRP_MJ_READ is a
request to fetch the data, ultimately, disk.sys gets the data for it and
puts it in the MDL (depending on whether it is DIREcT_IO or not).
So is it true that I have to wait till the data is fetched, that is, I
have to write my manipulation logic in the Irp completion routine,
rather than in the major function?

best Regards,

amitr0

Note:-

  1. Spelling Mistakes and Grammatical Errors, If Any, Are Regretted.
  2. Kindly Acknowledge This Mail At The Earliest.
  3. This E-Mail Might contain Confidential information. If You Are Not
    Entitled
    To View it, Please Delete The Message Immediately And Inform Me.
    Thanking You,
    Amitrajit Banerjee.

http: — Questions?
First check the Kernel Driver FAQ at
http://www.osronline.com/article.cfm?id=256 You are currently subscribed
to ntdev as: unknown lmsubst tag argument: ‘’ To unsubscribe send a
blank email to xxxxx@lists.osr.com
Questions? First check the Kernel Driver FAQ at
http://www.osronline.com/article.cfm?id=256

You are currently subscribed to ntdev as: unknown lmsubst tag argument:
‘’
To unsubscribe send a blank email to xxxxx@lists.osr.com</http:>

To continue Amitrajit’s question:

My purpose is to catch ALL writes; I attach my filter as an upper one right above disk.sys and everything seems
to work just fine, except that SOME writes are missed!

I load my filter at boot time and save everything until I get PowerSystemShutdown (I do not get any new
reads/writes after that).

After physically comparing the disk “before” and “after” (“after” minus “before”, kind of) with my logs - there
are actual changes on the disk that did not pass through the filter.

How can this be? In other words, is the following statement true or false: “all writes to the the disk are done
through IRP_MJ_WRITE directed to disk.sys”?

It is definitely not true for reads (ntldr and friends do read what they need long before disk.sys comes into play), but what about writes?

Any advice will be appreciated.

Regards,
Alex

----- Original Message -----
From: Peter Wieland
To: Windows System Software Devs Interest List
Sent: Wednesday, June 15, 2005 11:50 AM
Subject: RE: [ntdev] Where to write the logic for read manipulation

a - An IRP_MJ_READ/IRP_MJ_WRITE IRP has the byte offset of the operation in the IO stack location. You’ll need to determine the block size (there’s a disk I/O control you can use for this if you’re above the disk driver, otherwise you need to send a READ_CAPACITY SRB to the device) to compute sector number from byte offset.

b - You can assume all disk I/O is direct I/O. And you’re correct that you can’t modify the data being read until it’s been read, so you’ll need to do your modification in the completion routine. Note that your filter’s completion routine will almost always be called at DISPATCH_LEVEL so you’re processing can’t require touching paged memory or calling system APIs that do so.

-p


From: xxxxx@lists.osr.com [mailto:xxxxx@lists.osr.com] On Behalf Of Amitrajit Banerjee.
Sent: Tuesday, June 14, 2005 11:11 PM
To: Windows System Software Devs Interest List
Subject: [ntdev] Where to write the logic for read manipulation

Dear ppl,

a. How can I find out the sector number of a disk being read or written to? Something similar to what sysinternals Diskmon does. I am attaching my driver to Disk.sys.

b. If I want to manipulate data fetched from the disk, before they are passed on to the driver above me, how do I do it? IRP_MJ_READ is a request to fetch the data, ultimately, disk.sys gets the data for it and puts it in the MDL (depending on whether it is DIREcT_IO or not).
So is it true that I have to wait till the data is fetched, that is, I have to write my manipulation logic in the Irp completion routine, rather than in the major function?

best Regards,

amitr0

Note:-

  1. Spelling Mistakes and Grammatical Errors, If Any, Are Regretted.
  2. Kindly Acknowledge This Mail At The Earliest.
  3. This E-Mail Might contain Confidential information. If You Are Not Entitled
    To View it, Please Delete The Message Immediately And Inform Me.
    Thanking You,
    Amitrajit Banerjee.

— Questions? First check the Kernel Driver FAQ at http://www.osronline.com/article.cfm?id=256 You are currently subscribed to ntdev as: unknown lmsubst tag argument: ‘’ To unsubscribe send a blank email to xxxxx@lists.osr.com
Questions? First check the Kernel Driver FAQ at http://www.osronline.com/article.cfm?id=256

You are currently subscribed to ntdev as: unknown lmsubst tag argument: ‘’
To unsubscribe send a blank email to xxxxx@lists.osr.com

ntldr does a few writes to the disk.
the disk driver also initiates a few writes on its own (partition table
stuff mostly) that you won’t catch if you’re above the disk.

-p


From: xxxxx@lists.osr.com
[mailto:xxxxx@lists.osr.com] On Behalf Of xxxxx@Home
Sent: Wednesday, June 15, 2005 10:23 AM
To: Windows System Software Devs Interest List
Subject: Re: [ntdev] Where to write the logic for read manipulation

To continue Amitrajit’s question:

My purpose is to catch ALL writes; I attach my filter as an upper one
right above disk.sys and everything seems
to work just fine, except that SOME writes are missed!

I load my filter at boot time and save everything until I get
PowerSystemShutdown (I do not get any new
reads/writes after that).

After physically comparing the disk “before” and “after” (“after” minus
“before”, kind of) with my logs - there
are actual changes on the disk that did not pass through the filter.

How can this be? In other words, is the following statement true or
false: “all writes to the the disk are done
through IRP_MJ_WRITE directed to disk.sys”?

It is definitely not true for reads (ntldr and friends do read what they
need long before disk.sys comes into play), but what about writes?

Any advice will be appreciated.

Regards,
Alex

----- Original Message -----
From: Peter Wieland mailto:xxxxx
To: Windows System Software Devs Interest List
mailto:xxxxx
Sent: Wednesday, June 15, 2005 11:50 AM
Subject: RE: [ntdev] Where to write the logic for read
manipulation

a - An IRP_MJ_READ/IRP_MJ_WRITE IRP has the byte offset of the
operation in the IO stack location. You’ll need to determine the block
size (there’s a disk I/O control you can use for this if you’re above
the disk driver, otherwise you need to send a READ_CAPACITY SRB to the
device) to compute sector number from byte offset.

b - You can assume all disk I/O is direct I/O. And you’re
correct that you can’t modify the data being read until it’s been read,
so you’ll need to do your modification in the completion routine. Note
that your filter’s completion routine will almost always be called at
DISPATCH_LEVEL so you’re processing can’t require touching paged memory
or calling system APIs that do so.

-p

________________________________

From: xxxxx@lists.osr.com
[mailto:xxxxx@lists.osr.com] On Behalf Of Amitrajit
Banerjee.
Sent: Tuesday, June 14, 2005 11:11 PM
To: Windows System Software Devs Interest List
Subject: [ntdev] Where to write the logic for read manipulation

Dear ppl,

a. How can I find out the sector number of a disk being read or
written to? Something similar to what sysinternals Diskmon does. I am
attaching my driver to Disk.sys.

b. If I want to manipulate data fetched from the disk, before
they are passed on to the driver above me, how do I do it? IRP_MJ_READ
is a request to fetch the data, ultimately, disk.sys gets the data for
it and puts it in the MDL (depending on whether it is DIREcT_IO or not).
So is it true that I have to wait till the data is fetched, that
is, I have to write my manipulation logic in the Irp completion routine,
rather than in the major function?

best Regards,

amitr0

Note:-
1) Spelling Mistakes and Grammatical Errors, If Any, Are
Regretted.
2) Kindly Acknowledge This Mail At The Earliest.
3) This E-Mail Might contain Confidential information. If You
Are Not Entitled
To View it, Please Delete The Message Immediately And Inform Me.
Thanking You,
Amitrajit Banerjee.

http:
Questions? First check the Kernel Driver FAQ at
http://www.osronline.com/article.cfm?id=256 You are currently subscribed
to ntdev as: unknown lmsubst tag argument: ‘’ To unsubscribe send a
blank email to %%email.unsub%% —
Questions? First check the Kernel Driver FAQ at
http://www.osronline.com/article.cfm?id=256

You are currently subscribed to ntdev as: unknown lmsubst tag
argument: ‘’
To unsubscribe send a blank email to %%email.unsub%%


Questions? First check the Kernel Driver FAQ at
http://www.osronline.com/article.cfm?id=256

You are currently subscribed to ntdev as: unknown lmsubst tag argument:
‘’
To unsubscribe send a blank email to xxxxx@lists.osr.com</http:></mailto:xxxxx></mailto:xxxxx>

Thanks, Peter.

I must note though that there not a single mentioning of ntldr (or any other boot-related module) writing something
in, say, Russinovich/Solomon book “MS Windows Internals” (ch. 5), or anywhere else, for that matter - I did my
share of googling and testing, up to installing a debug version of disk.sys, recompiled from the DDK.

What’s worse, no partition table - related changes happen in my experiemnts.

What’s even worse, the diffs I get are in $Mft (!), $MftMirr (!) etc. - within volumes.

So the question becomes: where should I put the filter to catch ALL writes directed to volume-allocated space on a disk?

What exactly the upper filter misses (and why)?

Is a LowerFilter to disk.sys a correct place to be?
[Actually I already tried this one and did not notice any difference, but I’m not 100% sure.]

Regards,
Alex

----- Original Message -----
From: Peter Wieland
To: Windows System Software Devs Interest List
Sent: Wednesday, June 15, 2005 1:36 PM
Subject: RE: [ntdev] Where to write the logic for read manipulation

ntldr does a few writes to the disk.
the disk driver also initiates a few writes on its own (partition table stuff mostly) that you won’t catch if you’re above the disk.

-p


From: xxxxx@lists.osr.com [mailto:xxxxx@lists.osr.com] On Behalf Of xxxxx@Home
Sent: Wednesday, June 15, 2005 10:23 AM
To: Windows System Software Devs Interest List
Subject: Re: [ntdev] Where to write the logic for read manipulation

To continue Amitrajit’s question:

My purpose is to catch ALL writes; I attach my filter as an upper one right above disk.sys and everything seems
to work just fine, except that SOME writes are missed!

I load my filter at boot time and save everything until I get PowerSystemShutdown (I do not get any new
reads/writes after that).

After physically comparing the disk “before” and “after” (“after” minus “before”, kind of) with my logs - there
are actual changes on the disk that did not pass through the filter.

How can this be? In other words, is the following statement true or false: “all writes to the the disk are done
through IRP_MJ_WRITE directed to disk.sys”?

It is definitely not true for reads (ntldr and friends do read what they need long before disk.sys comes into play), but what about writes?

Any advice will be appreciated.

Regards,
Alex

----- Original Message -----
From: Peter Wieland
To: Windows System Software Devs Interest List
Sent: Wednesday, June 15, 2005 11:50 AM
Subject: RE: [ntdev] Where to write the logic for read manipulation

a - An IRP_MJ_READ/IRP_MJ_WRITE IRP has the byte offset of the operation in the IO stack location. You’ll need to determine the block size (there’s a disk I/O control you can use for this if you’re above the disk driver, otherwise you need to send a READ_CAPACITY SRB to the device) to compute sector number from byte offset.

b - You can assume all disk I/O is direct I/O. And you’re correct that you can’t modify the data being read until it’s been read, so you’ll need to do your modification in the completion routine. Note that your filter’s completion routine will almost always be called at DISPATCH_LEVEL so you’re processing can’t require touching paged memory or calling system APIs that do so.

-p


From: xxxxx@lists.osr.com [mailto:xxxxx@lists.osr.com] On Behalf Of Amitrajit Banerjee.
Sent: Tuesday, June 14, 2005 11:11 PM
To: Windows System Software Devs Interest List
Subject: [ntdev] Where to write the logic for read manipulation

Dear ppl,

a. How can I find out the sector number of a disk being read or written to? Something similar to what sysinternals Diskmon does. I am attaching my driver to Disk.sys.

b. If I want to manipulate data fetched from the disk, before they are passed on to the driver above me, how do I do it? IRP_MJ_READ is a request to fetch the data, ultimately, disk.sys gets the data for it and puts it in the MDL (depending on whether it is DIREcT_IO or not).
So is it true that I have to wait till the data is fetched, that is, I have to write my manipulation logic in the Irp completion routine, rather than in the major function?

best Regards,

amitr0

Note:-

  1. Spelling Mistakes and Grammatical Errors, If Any, Are Regretted.
  2. Kindly Acknowledge This Mail At The Earliest.
  3. This E-Mail Might contain Confidential information. If You Are Not Entitled
    To View it, Please Delete The Message Immediately And Inform Me.
    Thanking You,
    Amitrajit Banerjee.

— Questions? First check the Kernel Driver FAQ at http://www.osronline.com/article.cfm?id=256 You are currently subscribed to ntdev as: unknown lmsubst tag argument: ‘’ To unsubscribe send a blank email to %%email.unsub%% —
Questions? First check the Kernel Driver FAQ at http://www.osronline.com/article.cfm?id=256

You are currently subscribed to ntdev as: unknown lmsubst tag argument: ‘’
To unsubscribe send a blank email to %%email.unsub%%

Questions? First check the Kernel Driver FAQ at http://www.osronline.com/article.cfm?id=256

You are currently subscribed to ntdev as: unknown lmsubst tag argument: ‘’
To unsubscribe send a blank email to xxxxx@lists.osr.com
Questions? First check the Kernel Driver FAQ at http://www.osronline.com/article.cfm?id=256

You are currently subscribed to ntdev as: unknown lmsubst tag argument: ‘’
To unsubscribe send a blank email to xxxxx@lists.osr.com