Hello.
I want to make the system to pop up a verified dialog when someone open
the volume,so i hook the API—CreateFile.but failed.
CreateFile can be hooked?
if not,Can anyone tell me how to accomplish my purpose?
Thanks in advance.
sailing_an
Yes the kernel mode API ZwCreateFile() can be hooked. Have a look at Rajeev
Nagar’s NT FileSystem Internals for the exact prototype of the API and refer
to the Dr.Dobbs Journal paper by Mark Russonovich et.al. for the method of
system call hooking.
“beginner_an” wrote in message news:xxxxx@ntdev…
>
> Hello.
>
> I want to make the system to pop up a verified dialog when someone open
> the volume,so i hook the API—CreateFile.but failed.
>
> CreateFile can be hooked?
>
> if not,Can anyone tell me how to accomplish my purpose?
>
> Thanks in advance.
>
> sailing_an
>
>
PLEASE don’t give advice like this to new list members. If he wants to
hook filesystem requests, first tell him about the DOCUMENTED method (a
filesystem filter). Hooking ZwCreateFile is ugly, undocumented, and
completely unnecessary if you write a filesystem filter. If he insists
the IFSKIT is too expensive and he’s just coding a one-off hack, then
fine, but if he’s trying to develop a commercial product (which is what
it sounds like here), it benefits us all to make sure it will be as
reliable as possible. 
- Nick Ryan
-----Original Message-----
From: xxxxx@lists.osr.com
[mailto:xxxxx@lists.osr.com] On Behalf Of Samarth Sharma
Sent: Wednesday, June 04, 2003 4:48 AM
To: NT Developers Interest List
Subject: [ntdev] Re: Why can’t hook CreateFile?Yes the kernel mode API ZwCreateFile() can be hooked. Have a
look at Rajeev Nagar’s NT FileSystem Internals for the exact
prototype of the API and refer to the Dr.Dobbs Journal paper
by Mark Russonovich et.al. for the method of system call hooking.“beginner_an” wrote in message
news:xxxxx@ntdev…
>
> Hello.
>
> I want to make the system to pop up a verified dialog when someone
> open the volume,so i hook the API—CreateFile.but failed.
>
> CreateFile can be hooked?
>
> if not,Can anyone tell me how to accomplish my purpose?
>
> Thanks in advance.
>
> sailing_an
>
>
—
You are currently subscribed to ntdev as: xxxxx@nryan.com
To unsubscribe send a blank email to xxxxx@lists.osr.com
Hi Nick,
Thanks for your advice.
I have hooked filesystem request(IRP_MJ_CREATE) ago,but failed.Because i
don’t know how to have the driver block the create on an
event(IRP_MJ_CREATE),Can u please elaborate what are the possible way to
arrive at block?
thanks,
sailing_an
“beginner_an” wrote in message news:xxxxx@ntdev…
>
> Hi Nick,
> Thanks for your advice.
>
> I have hooked filesystem request(IRP_MJ_CREATE) ago,but failed.Because i
> don’t know how to have the driver block the create on an
> event(IRP_MJ_CREATE),Can u please elaborate what are the possible way to
> arrive at block?
You see, file system will never now about IRP_MJ_CREATE until you call
IoCallDriver. So you need suspend execution, for example by calling
KeWaitForSingleObject, while you do your verification. Then either call
IoCallDriver if you don’t want to fail the request, or set
IRP->IoStatus.Status to some error code and call IoCompleteRequest without
calling IoCallDriver if you want to fail the request.
In your original question you asked how to display some dialog and get
response from the user. There is no way to do it directly from the driver.
You have to implement application that will work with you driver and perform
some job on driver’s behalf. There are several ways to achieve this, they
were discussed in NTFSD list.
Alexei.
Hi Alexei,
Thank you very much!
Let me try.
But I am a newbie,can you give some source code?
the following code baseed THE FILEDISK SOURCE CODE
NTSTATUS
FileDiskCreateClose (
IN PDEVICE_OBJECT DeviceObject,
IN PIRP Irp
)
{
UNICODE_STRING EventName;
RtlInitUnicodeString(&EventName, L"\BaseNamedObjects\SharedEventOpen");
SharedEventOpen = IoCreateNotificationEvent(&EventName,
&SharedEventHandle);
PAGED_CODE();
if (SharedEventOpen != NULL)
{
KeSetEvent(SharedEventOpen, 0, FALSE);//inform APP popup dialog
/*
How to do the following?
*/
}
}
Thanks in advance for your help.
Regards
sailing_an
NTSTATUS
FileDiskCreateClose (
IN PDEVICE_OBJECT DeviceObject,
IN PIRP Irp
)
{
if ( GotPermission() )
{
IoSkipCurrentCurentIrpStackLocation (Irp);
return IoCallDriver (pFileSystemDO, Irp);
}
else
{
Irp->IoStatus.Status = STATUS_ACCESS_DENIED;
IoCompleteRequest (Irp, IO_NO_INCREMENT);
return STATUS_ACCESS_DENIED;
}
}
Function GotPermision should do the following:
- Notify user mode application
- Wait for response from user mode application
- Return result depending on user choice
One approach to implement it is following:
1 define your private IOCTL
2 Let application call DeviceIoControl with the IOCTL, use overlapped IO
3. In your driver mark the IRP related to the IOCTL pending and do not
complete it. You will complete it when you need to notify application.
- From your GotPermision function fill the buffer of the IRP from step 3
with relevant information and complete the IRP. Then wait for response from
application. You can wait for some event that is internal for the driver,
the event doesn’t need to have name. - Completion of the IRP will tell application that DeviceIoControl
completed. Application can get the data from driver and shows dialog - define another private IOCTL that application will use to provide answer
- Application sends answer to driver using second IOCTL, driver copies
result somewhere and signals event which GotPermission function is waiting
for.
The description I provided is oversimplified and doesn’t contain many
details:
- you need to handle cancelling of IRPs that you hold for a long time
- you need to detect that application finished, so you will never get the
answer you are waiting for; you should not rely on application to tell you
this, it may just crash or it may be terminated. You can get this
notification via IRP_MJ_CLOSE related to the file object that was used to
send IOCTL. - there may be some time period when application didn’t send you IRP that is
used for notification yet, but driver already is in GotPermission function;
you need wait for the IRP to arrive - you need to handle concurrent create requests
and so on
The approach I described is not the only possible, there are other ways to
communicate with application. Check NTFSD archive for disscusions on the
topic.
Alexei.
Hi Alexei,
Thank you very much!!
sailing_an