Would memory mapped file call cache functiion

In user mode I open memory mapped file like:

{
HANDLE hHandle = CreateFile(“fsm.txt”, GENERIC_WRITE|GENERIC_READ, 0, 0, OPEN_ALWAYS, 0, 0);
if (!hHandle) break;

HANDLE hMapping = CreateFileMapping(hHandle, 0, PAGE_READWRITE, 0,256, 0);
char* lpBuffer = (char*)MapViewOfFile(hMapping, FILE_MAP_ALL_ACCESS, 0, 0, 0);
*lpBuffer = ‘2’;
printf(“lpBuffer:%s\n”, lpBuffer);

UnmapViewOfFile(lpBuffer);
CloseHandle(hMapping);
CloseHandle(hHandle);
}

But when use inline hook, found none of these cache functions are called:
CcInitializeCacheMap,
CcCopyRead,
CcMdlRead,
CcMapData

I think memory mapped file would deal with cache also, actually in CreateFileMapping would call MmCreateSection.

Below is what I reversed for reference:

CreateFileMapping
NtCreateSection
MmCreateSection
nt!MiCreatePagingFileMap
nt!FsRtlAcquireToCreateMappedSection
nt!IoSetTopLevelIrp
nt!MiFindImageSectionObject
nt!MiInsertImageSectionObject
nt!MiFlushDataSection
nt!FsRtlGetFileSize
nt!FsRtlReleaseFile
nt!MiRemoveImageSectionObject
nt!MiCreateImageFileMap
nt!MiCreateDataFileMap
nt!FsRtlGetFileSize
nt!FsRtlSetFileSize
nt!XIPLocatePages
nt!MiMakeControlAreaRom
nt!MiCheckControlArea
nt!MiFindEmptyAddressRangeDownBasedTree
nt!MiInsertBasedSection
nt!MmExtendSection

CcInitializeCacheMap would call MmCreateSection also
CcCleanSharedCacheMapList (variable)
nt!ObfReferenceObject
nt!MmCreateSection
nt!ObDeleteCapturedInsertInfo
nt!MmDisableModifiedWriteOfSection
nt!CcCreateVacbArray
nt!MmExtendSection
nt!CcExtendVacbArray
nt!CcDeleteSharedCacheMap

nt!MiMapViewOfPhysicalSection
nt!MiMapViewOfImageSection
nt!MiMapViewOfDataSection
nt!MiCheckPurgeAndUpMapCount
nt!MiAddViewsForSectionWithPfn
nt!MiFindEmptyAddressRange
nt!MiFindEmptyAddressRangeDownTree
nt!MiRemoveViewsFromSectionWithPfn
nt!MiCheckForConflictingVadExistence
nt!MiDereferenceControlArea
nt!MiChargeCommitment
nt!MiInsertVad

Can anybody tell which cache function would be called for memory mapped file? Thanks!

I even restarted the computer, but the situation is the same, …

These cache functions are essentially doing the same what you’re doing yourself by CreateFileMapping and immediate write to the mapped address. Why do you expect your calls would pass through those functions?

> Can anybody tell which cache function would be called for memory mapped file?

The answer is very simple -none at all…

You can think of CM as of a component that maps and unmaps files, modifies and flushes mappings, etc
in the kernel mode by means of MM functions (i.e. exactly the same functions that stand behind UM memory-mapping functions) upon the requests of FSDs. If you need more info, try to get yourself Rageev Nagar’s classic - I think this is the only source in existence that gives a thorough, in-detail description of Windows CM…

Anton Bassov

> Can anybody tell which cache function would be called for memory mapped file? Thanks!

Cache functions are not called for mmaped file, if it was opened noncached.

–
Maxim S. Shatskih
Windows DDK MVP
xxxxx@storagecraft.com
http://www.storagecraft.com

> Cache functions are not called for mmaped file, if it was opened noncached.

A couple of observations:

1. FILE_FLAG_NO_BUFFERING has absolutely nothing to do with file mapping - it is related to file IO functions, i.e. ReadFile() and WriteFile(). When you create a file mapping it does not matter whether this flag was specified in CreateFile() call. The only parameters that matter are related to file protection. For example, you cannot map a file with RW page protection attribute if its handle was opened for RO access. This is the only thing that matters

2. A section is not created until IO is performed on file for the first time. Therefore, CM functions are called only when IO is performed on file…

In any case, this question seems to belong on NTFSD, rather than NTDEV…

Anton Bassov

> 1. FILE_FLAG_NO_BUFFERING has absolutely nothing to do with file mapping - it is related to file

IO functions, i.e. ReadFile() and WriteFile(). When you create a file mapping it does not matter
whether this flag was specified in CreateFile() call.

Yes. Surely.

But, if the flag is not set in CreateFile, then the next read/write calls CcInitializeCacheMap and thus starts the cache for the file.

2. A section is not created until IO is performed on file for the first time.

With mmap, this is not true. NtCreateSection (aka CreateFileMapping) creates it.

–
Maxim S. Shatskih
Windows DDK MVP
xxxxx@storagecraft.com
http://www.storagecraft.com

Thus how to intercept memory mapped file? OK, I would post to NTFSD also to see if can get more useful response, sorry, because I do not know how to move the thread.