Hi All,
Could any one tell me why this is happening to me:
every time I ask filespy to filter the same partition which I am also
Attached to ,when I eventually detach/delete from it the
FilespyFastIoDetachDevice get Invoked by the system (see the call stack
and code below).
Thanks,
Daniel.
my dynamic unhook:
MyDeviceExtension = MyDeviceObjectsL[Drive]->DeviceExtension;
IoDetachDevice(My DeviceExtension->FileSystem );
IoDeleteDevice( MyDeviceObjectsL[Drive] );
MyDeviceObjectsL[Drive] = NULL;
}
return TRUE;
fileSpy code:
SpyFastIoDetachDevice( IN PDEVICE_OBJECT SourceDevice, IN
PDEVICE_OBJECT TargetDevice)
{
PRECORD_LIST recordList;
BOOLEAN shouldLog;
PDEVICE_EXTENSION devext;
PAGED_CODE();
devext = SourceDevice->DeviceExtension;
ASSERT(devext->Type == FILESPY_DEVICE_TYPE);
ExAcquireFastMutex( &gSpyDeviceExtensionListLock );
RemoveEntryList(&devext->NextDevice); // remove from LOG list
ExReleaseFastMutex( &gSpyDeviceExtensionListLock );
…
// Detach from the file system’s volume device object.
IoDetachDevice( TargetDevice );
IoDeleteDevice( SourceDevice );
}
call stack:
FramePtr RetAddr Param1 Param2 Param3 Function Name
f3206d2c 80114558 809a1e60 808f5260 808f5260
FILESPY!SpyFastIoDetachDevice (EBP) [filespy.c @ 2080]
f3206d78 80111ee8 808f5260 00000000 f3f23650 NT!KeDetachProcess+0xa6
(FPO: [ebp f3206db0] [0,1,4])
f3206d8c f3f21706 808f5260 808f5318 808f5260
NT!IoSetThreadHardErrorMode+0x1a (FPO: [1,0,1])
f3206db8 f3f225c9 00000000 80ad0cf0 f3f23650
MYFILTER!MyDetachDevice+0x80 (EBP) [clearmp.c @ 772]
f3206e0c 8016f29e 80a50aa8 00000001 00000000
MYFILTER!MyFfilterFastIoDeviceControl+0x138 (EBP) [clearmp.c @ 1385]
f3206ea0 80169a30 00000158 00000000 00000000
NT!IopCreateMadeupNode+0x1f0 (EBP)
f3206ed4 8013dde4 00000158 00000000 00000000
NT!BuildQueryDirectoryIrp+0x440 (EBP)
f3206f04 00000000 00000000 00000000 00000000
NT!V86CriticalInstruction+0x307 (No FPO)
You are currently subscribed to ntfsd as: $subst(‘Recip.EmailAddr’)
To unsubscribe send a blank email to leave-ntfsd-$subst(‘Recip.MemberIDChar’)@lists.osr.com