Hi, I’m developing an encryption filter based on minifilter.
I use FltCreateFile in Pre-Create routine to create shadow file object, things all goes well just except winword.exe(which is the program of office word, in fact).
My filter catchs IRP_MJ_CREATE in pre-create routine and calls FltCreateFile to create a shadow file object, it’s expect to return STATUS_SUCCESS with Information(FILE_DOES_NOT_EXIST), but it just returned STATUS_OBJECT_NAME_NOT_FOUND.
I do not understand, the FltCreateFile is called with FILE_OPEN(CreateDiposition), the following are my codes:
status = FltCreateFile( ksd.Filter,
FltObjects->Instance,
&pStreamHandleContext->shadowFile,
Data->Iopb->Parameters.Create.SecurityContext->DesiredAccess,
&objAttributes, // objAttributes
&Data->IoStatus,
&Data->Iopb->Parameters.Create.AllocationSize,
Data->Iopb->Parameters.Create.FileAttributes,
Data->Iopb->Parameters.Create.ShareAccess,
createDiposition, // CreateDiposition
createOptions, // CreateOptions
Data->Iopb->Parameters.Create.EaBuffer,
Data->Iopb->Parameters.Create.EaLength,
IO_FORCE_ACCESS_CHECK //Flags
);
Why does it return STATUS_OBJECT_NAME_NOT_FOUND for FILE_OPEN?(createDiposition is 1 and createOptions is 0 at here)
Any help will be appreciated!
> FltCreateFile to create a shadow file object, it’s expect to return
STATUS_SUCCESS with Information(FILE_DOES_NOT_EXIST),
What makes you think that?
Why does it return STATUS_OBJECT_NAME_NOT_FOUND for FILE_OPEN?
That is usual and expected if the file does not exist.
There is another create request my filter caught before this one and it is exactly the same, only the name of the file is different and it returned STATUS_SUCCESS with Information(FILE_DOES_NOT_EXIST).
Besieds, I use FileSpy.exe to trace the IRPs of winword.exe, and this request should return STATUS_SUCCESS with Information(FILE_DOES_NOT_EXIST), or else winword.exe can not even work.
As Rod inquired, what makes you expect the "STATUS_SUCCESS with
Information(FILE_DOES_NOT_EXIST) "? If you are basing this on a previous
trace of the calls, then I suspect you are receiving the pre-create with
the SL_OPEN_TARGET_DIRECTORY flag set in the OperationFlags. Thus the
parent directory is actually being opened and the Information status is
indicating the file represented by the final component does not exist.
Hence when you try to perform a ‘normal’ open on the file, it is not
found, as the FILE_DOES_NOT_EXIST indicates.
You can perform the check yourself, that is open the parent and
determine if the file exists, returning the correct Information status.
Or you could try the IO_OPEN_TARGET_DIRECTORY flag.
Pete
On 10/9/2014 6:33 AM, xxxxx@serpurity.com wrote:
Hi, I’m developing an encryption filter based on minifilter.
I use FltCreateFile in Pre-Create routine to create shadow file object, things all goes well just except winword.exe(which is the program of office word, in fact).
My filter catchs IRP_MJ_CREATE in pre-create routine and calls FltCreateFile to create a shadow file object, it’s expect to return STATUS_SUCCESS with Information(FILE_DOES_NOT_EXIST), but it just returned STATUS_OBJECT_NAME_NOT_FOUND.
I do not understand, the FltCreateFile is called with FILE_OPEN(CreateDiposition), the following are my codes:
status = FltCreateFile( ksd.Filter,
FltObjects->Instance,
&pStreamHandleContext->shadowFile,
Data->Iopb->Parameters.Create.SecurityContext->DesiredAccess,
&objAttributes, // objAttributes
&Data->IoStatus,
&Data->Iopb->Parameters.Create.AllocationSize,
Data->Iopb->Parameters.Create.FileAttributes,
Data->Iopb->Parameters.Create.ShareAccess,
createDiposition, // CreateDiposition
createOptions, // CreateOptions
Data->Iopb->Parameters.Create.EaBuffer,
Data->Iopb->Parameters.Create.EaLength,
IO_FORCE_ACCESS_CHECK //Flags
);
Why does it return STATUS_OBJECT_NAME_NOT_FOUND for FILE_OPEN?(createDiposition is 1 and createOptions is 0 at here)
Any help will be appreciated!
NTFSD is sponsored by OSR
OSR is hiring!! Info at http://www.osr.com/careers
For our schedule of debugging and file system seminars visit:
http://www.osr.com/seminarsTo unsubscribe, visit the List Server section of OSR Online at http://www.osronline.com/page.cfm?name=ListServer
–
Kernel Drivers
Windows File System and Device Driver Consulting
www.KernelDrivers.com
866.263.9295
One more point, which I should have indicated in the previous post …
this is usually a precursor to a rename request. This request will be
sent against the target of the rename operation so soon after you see
this request, you should see a rename of a file TO the file you are
processing in this pre-create.
Pete
On 10/9/2014 7:11 AM, Peter Scott wrote:
As Rod inquired, what makes you expect the "STATUS_SUCCESS with
Information(FILE_DOES_NOT_EXIST) "? If you are basing this on a
previous trace of the calls, then I suspect you are receiving the
pre-create with the SL_OPEN_TARGET_DIRECTORY flag set in the
OperationFlags. Thus the parent directory is actually being opened and
the Information status is indicating the file represented by the final
component does not exist. Hence when you try to perform a ‘normal’
open on the file, it is not found, as the FILE_DOES_NOT_EXIST indicates.You can perform the check yourself, that is open the parent and
determine if the file exists, returning the correct Information
status. Or you could try the IO_OPEN_TARGET_DIRECTORY flag.Pete
On 10/9/2014 6:33 AM, xxxxx@serpurity.com wrote:
> Hi, I’m developing an encryption filter based on minifilter.
> I use FltCreateFile in Pre-Create routine to create shadow file
> object, things all goes well just except winword.exe(which is the
> program of office word, in fact).
> My filter catchs IRP_MJ_CREATE in pre-create routine and calls
> FltCreateFile to create a shadow file object, it’s expect to return
> STATUS_SUCCESS with Information(FILE_DOES_NOT_EXIST), but it just
> returned STATUS_OBJECT_NAME_NOT_FOUND.
> I do not understand, the FltCreateFile is called with
> FILE_OPEN(CreateDiposition), the following are my codes:
> status = FltCreateFile( ksd.Filter,
> FltObjects->Instance,
> &pStreamHandleContext->shadowFile,
> Data->Iopb->Parameters.Create.SecurityContext->DesiredAccess,
> &objAttributes, // objAttributes
> &Data->IoStatus,
> &Data->Iopb->Parameters.Create.AllocationSize,
> Data->Iopb->Parameters.Create.FileAttributes,
> Data->Iopb->Parameters.Create.ShareAccess,
> createDiposition, // CreateDiposition
> createOptions, // CreateOptions
> Data->Iopb->Parameters.Create.EaBuffer,
> Data->Iopb->Parameters.Create.EaLength,
> IO_FORCE_ACCESS_CHECK //Flags
> );
> Why does it return STATUS_OBJECT_NAME_NOT_FOUND for
> FILE_OPEN?(createDiposition is 1 and createOptions is 0 at here)
> Any help will be appreciated!
>
> —
> NTFSD is sponsored by OSR
>
> OSR is hiring!! Info at http://www.osr.com/careers
>
> For our schedule of debugging and file system seminars visit:
> http://www.osr.com/seminars
>
> To unsubscribe, visit the List Server section of OSR Online at
> http://www.osronline.com/page.cfm?name=ListServer
–
Kernel Drivers
Windows File System and Device Driver Consulting
www.KernelDrivers.com
866.263.9295
Thanks Rod and Peter.
You do help me a lot, what rod said is correct, it should be an valid status returned by the FlrCreateFile.
And Peter’s advice is especially helpful, after aplying IO_OPEN_TARGET_DIRECTORY to the createFlags of FltCreateFile, it do return STATUS_SUCCESS with Information(FILE_DOES_NOT_EXIST) as I have expected, thanks a lot!