writing a simple filter, please assist

lallous-2 · December 26, 2005, 5:28am

Hello

I am writing small volume filter to monitor a given partition’s I/O traffic.

I install a PNP notification on VolumeClassGuid from DriverEntry
When I get an arrival notification, I query the symbolic link to get the
link target
I pass the target to a system thread, then IoGetDeviceObjectPointer()
create my own device object with same attributes as the devobj from (3)
IoAttachDeviceToDeviceStack( (4), (3) )
In my driver object, the dispatch entries are directed to a simple
passthru dispatch handler.

However, after step (6), I am receiving IRPs, such as CREATE=0/READ=2, but
cannot access the drive…
I am getting “(1) Incorrect function.” error.

Please advise.

–
Elias

lallous-2 · December 26, 2005, 5:31am

Here’s a log:

After “net start service_name”
Then after I insert a new volume “HarddiskVolume2”

#DriverEntry(): Compiled on Dec 23 2005 15:40:47
#StartCommandThread(): start
#StartCommandThread(): devExt->objCommandThread=FEDF7DA8
#StartCommandThread(): end
#PNPNotify(): ->Event GUID: CB3A4004-46F0-11D0-B08F00609713053F
#PNPNotify(): ->Event: Arrival / SymName:
??\FDC#GENERIC_FLOPPY_DRIVE#1&f6fd67c&0&0#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
#PNPNotify(): Link target: \Device\FloppyPDO0
#PNPNotify(): new notify struct: E1443D90
#PNPNotify(): ->Event GUID: CB3A4004-46F0-11D0-B08F00609713053F
#PNPNotify(): ->Event: Arrival / SymName:
??\IDE#CdRomMS_C#DVD-ROM _______________________3.0 #4&13b4afd&0&0.0.0#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
#PNPNotify(): Link target: \Device\Ide\IdeDeviceP1T0L0-e
#PNPNotify(): new notify struct: E1122150
#PNPNotify(): ->Event GUID: CB3A4004-46F0-11D0-B08F00609713053F
#PNPNotify(): ->Event: Arrival / SymName:
??\STORAGE#Volume#1&30a96598&0&Signature9C6E9C6EOffset7E00LengthF9898200#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
#PNPNotify(): Link target: \Device\HarddiskVolume1
#PNPNotify(): new notify struct: E18B33E8
#DriverEntry(): end
#CommandHandlerRoutine(): start
#AttachDetach(): \Device\HarddiskVolume1 Arrival: YES SymLink:
??\STORAGE#Volume#1&30a96598&0&Signature9C6E9C6EOffset7E00LengthF9898200#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
#->IoGetDeviceObjectPointer() failed with status=C0000043, DevObj=F7E74DAC
FileObj=F8134C50
#-> Want this device: NO on: Arrival
#AttachDetach(): \Device\Ide\IdeDeviceP1T0L0-e Arrival: YES SymLink:
??\IDE#CdRomMS_C#DVD-ROM _______________________3.0 #4&13b4afd&0&0.0.0#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
#->IoGetDeviceObjectPointer(): status=00000000 DevObj=FFBDC030
FileObj=811704F0
#-> Want this device: NO on: Arrival
#AttachDetach(): \Device\FloppyPDO0 Arrival: YES SymLink:
??\FDC#GENERIC_FLOPPY_DRIVE#1&f6fd67c&0&0#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
#->IoGetDeviceObjectPointer(): status=00000000 DevObj=81178870
FileObj=811704F0
#-> Want this device: NO on: Arrival
#PNPNotify(): ->Event GUID: CB3A4004-46F0-11D0-B08F00609713053F
#PNPNotify(): ->Event: Arrival / SymName:
??\STORAGE#Volume#1&30a96598&0&Signature25872604Offset800Length1DFD800#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
#PNPNotify(): Link target: \Device\HarddiskVolume2
#PNPNotify(): new notify struct: E1443D90
#AttachDetach(): \Device\HarddiskVolume2 Arrival: YES SymLink:
??\STORAGE#Volume#1&30a96598&0&Signature25872604Offset800Length1DFD800#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
#->IoGetDeviceObjectPointer(): status=00000000 DevObj=FEA0D020
FileObj=8121A230
#->IoCreateDevice() -> Name: \Device\exp1filter00000000 DevObj: FEA0C760
#->IoAttachDeviceToDeviceStack(FEA0D020, FEA0C760)=FEA0D020
#-> Want this device: YES on: Arrival
#DispatcherDevices(): mjFunction=00000000 mjMinor=00000000
#DispatcherDevices(): mjFunction=00000003 mjMinor=00000000
#DispatcherDevices(): ->status: 00000000
#DispatcherDevices(): ->status: 00000000
#DispatcherDevices(): mjFunction=00000012 mjMinor=00000000
#DispatcherDevices(): ->status: 00000000
#DispatcherDevices(): mjFunction=00000002 mjMinor=00000000
#DispatcherDevices(): ->status: 00000000
#DispatcherDevices(): mjFunction=00000012 mjMinor=00000000
#DispatcherDevices(): ->status: 00000000
#DispatcherDevices(): mjFunction=00000002 mjMinor=00000000
#DispatcherDevices(): ->status: 00000000
#DispatcherDevices(): mjFunction=00000000 mjMinor=00000000
#DispatcherDevices(): ->status: C0000034
#DispatcherDevices(): mjFunction=00000000 mjMinor=00000000
#DispatcherDevices(): ->status: 00000000
#DispatcherDevices(): mjFunction=00000012 mjMinor=00000000
#DispatcherDevices(): ->status: 00000000
#DispatcherDevices(): mjFunction=00000002 mjMinor=00000000
#DispatcherDevices(): ->status: 00000000
#DispatcherDevices(): mjFunction=00000000 mjMinor=00000000
#DispatcherDevices(): mjFunction=00000003 mjMinor=00000000
#DispatcherDevices(): ->status: 00000000
#DispatcherDevices(): ->status: 00000000
#DispatcherDevices(): mjFunction=00000012 mjMinor=00000000
#DispatcherDevices(): ->status: 00000000
#DispatcherDevices(): mjFunction=00000002 mjMinor=00000000
#DispatcherDevices(): ->status: 00000000
#DispatcherDevices(): mjFunction=00000000 mjMinor=00000000
#DispatcherDevices(): ->status: 00000000
#DispatcherDevices(): mjFunction=00000012 mjMinor=00000000
#DispatcherDevices(): ->status: 00000000
#DispatcherDevices(): mjFunction=00000002 mjMinor=00000000
#DispatcherDevices(): ->status: 00000000
#DispatcherDevices(): mjFunction=00000000 mjMinor=00000000
#DispatcherDevices(): ->status: 00000000
#DispatcherDevices(): mjFunction=00000012 mjMinor=00000000
#DispatcherDevices(): ->status: 00000000
#DispatcherDevices(): mjFunction=00000002 mjMinor=00000000
#DispatcherDevices(): ->status: 00000000
#DispatcherDevices(): mjFunction=00000000 mjMinor=00000000
#DispatcherDevices(): ->status: 00000000
#DispatcherDevices(): mjFunction=00000012 mjMinor=00000000
#DispatcherDevices(): ->status: 00000000
#DispatcherDevices(): mjFunction=00000002 mjMinor=00000000
#DispatcherDevices(): ->status: 00000000
#DispatcherDevices(): mjFunction=00000000 mjMinor=00000000
#DispatcherDevices(): ->status: 00000000
#DispatcherDevices(): mjFunction=00000012 mjMinor=00000000
#DispatcherDevices(): ->status: 00000000
#DispatcherDevices(): mjFunction=00000002 mjMinor=00000000
#DispatcherDevices(): ->status: 00000000

Doron_Holan · December 26, 2005, 2:46pm

Attaching yourself to an already started pnp stack is not kosher. There
can be components which precompute the number of required stack
locations for the stack during IRP_MN_START_DEVICE and by attaching to
the stack later, you throw those computations off and PIRPs entering the
stack may have too few stack locations in them and result in a bugcheck.

If you want to filter all the volumes, insert your driver into the
volume class guid’s class upper filter list.

d

-----Original Message-----
From: xxxxx@lists.osr.com
[mailto:xxxxx@lists.osr.com] On Behalf Of lallous
Sent: Monday, December 26, 2005 2:29 AM
To: Windows System Software Devs Interest List
Subject: Re:[ntdev] writing a simple filter, please assist

Here’s a log:

After “net start service_name”
Then after I insert a new volume “HarddiskVolume2”

#DriverEntry(): Compiled on Dec 23 2005 15:40:47
#StartCommandThread(): start
#StartCommandThread(): devExt->objCommandThread=FEDF7DA8
#StartCommandThread(): end
#PNPNotify(): ->Event GUID: CB3A4004-46F0-11D0-B08F00609713053F
#PNPNotify(): ->Event: Arrival / SymName:
??\FDC#GENERIC_FLOPPY_DRIVE#1&f6fd67c&0&0#{53f5630d-b6bf-11d0-94f2-00a0
c91efb8b}
#PNPNotify(): Link target: \Device\FloppyPDO0
#PNPNotify(): new notify struct: E1443D90
#PNPNotify(): ->Event GUID: CB3A4004-46F0-11D0-B08F00609713053F
#PNPNotify(): ->Event: Arrival / SymName:
??\IDE#CdRomMS_C#DVD-ROM _______________________3.0 #4&13b4afd&
0&0.0.0#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
#PNPNotify(): Link target: \Device\Ide\IdeDeviceP1T0L0-e
#PNPNotify(): new notify struct: E1122150
#PNPNotify(): ->Event GUID: CB3A4004-46F0-11D0-B08F00609713053F
#PNPNotify(): ->Event: Arrival / SymName:
??\STORAGE#Volume#1&30a96598&0&Signature9C6E9C6EOffset7E00LengthF989820
0#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
#PNPNotify(): Link target: \Device\HarddiskVolume1
#PNPNotify(): new notify struct: E18B33E8
#DriverEntry(): end
#CommandHandlerRoutine(): start
#AttachDetach(): \Device\HarddiskVolume1 Arrival: YES SymLink:
??\STORAGE#Volume#1&30a96598&0&Signature9C6E9C6EOffset7E00LengthF989820
0#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
#->IoGetDeviceObjectPointer() failed with status=C0000043,
DevObj=F7E74DAC
FileObj=F8134C50
#-> Want this device: NO on: Arrival
#AttachDetach(): \Device\Ide\IdeDeviceP1T0L0-e Arrival: YES SymLink:
??\IDE#CdRomMS_C#DVD-ROM _______________________3.0 #4&13b4afd&
0&0.0.0#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
#->IoGetDeviceObjectPointer(): status=00000000 DevObj=FFBDC030
FileObj=811704F0
#-> Want this device: NO on: Arrival
#AttachDetach(): \Device\FloppyPDO0 Arrival: YES SymLink:
??\FDC#GENERIC_FLOPPY_DRIVE#1&f6fd67c&0&0#{53f5630d-b6bf-11d0-94f2-00a0
c91efb8b}
#->IoGetDeviceObjectPointer(): status=00000000 DevObj=81178870
FileObj=811704F0
#-> Want this device: NO on: Arrival
#PNPNotify(): ->Event GUID: CB3A4004-46F0-11D0-B08F00609713053F
#PNPNotify(): ->Event: Arrival / SymName:
??\STORAGE#Volume#1&30a96598&0&Signature25872604Offset800Length1DFD800#
{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
#PNPNotify(): Link target: \Device\HarddiskVolume2
#PNPNotify(): new notify struct: E1443D90
#AttachDetach(): \Device\HarddiskVolume2 Arrival: YES SymLink:
??\STORAGE#Volume#1&30a96598&0&Signature25872604Offset800Length1DFD800#
{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
#->IoGetDeviceObjectPointer(): status=00000000 DevObj=FEA0D020
FileObj=8121A230
#->IoCreateDevice() -> Name: \Device\exp1filter00000000 DevObj: FEA0C760
#->IoAttachDeviceToDeviceStack(FEA0D020, FEA0C760)=FEA0D020
#-> Want this device: YES on: Arrival
#DispatcherDevices(): mjFunction=00000000 mjMinor=00000000
#DispatcherDevices(): mjFunction=00000003 mjMinor=00000000
#DispatcherDevices(): ->status: 00000000
#DispatcherDevices(): ->status: 00000000
#DispatcherDevices(): mjFunction=00000012 mjMinor=00000000
#DispatcherDevices(): ->status: 00000000
#DispatcherDevices(): mjFunction=00000002 mjMinor=00000000
#DispatcherDevices(): ->status: 00000000
#DispatcherDevices(): mjFunction=00000012 mjMinor=00000000
#DispatcherDevices(): ->status: 00000000
#DispatcherDevices(): mjFunction=00000002 mjMinor=00000000
#DispatcherDevices(): ->status: 00000000
#DispatcherDevices(): mjFunction=00000000 mjMinor=00000000
#DispatcherDevices(): ->status: C0000034
#DispatcherDevices(): mjFunction=00000000 mjMinor=00000000
#DispatcherDevices(): ->status: 00000000
#DispatcherDevices(): mjFunction=00000012 mjMinor=00000000
#DispatcherDevices(): ->status: 00000000
#DispatcherDevices(): mjFunction=00000002 mjMinor=00000000
#DispatcherDevices(): ->status: 00000000
#DispatcherDevices(): mjFunction=00000000 mjMinor=00000000
#DispatcherDevices(): mjFunction=00000003 mjMinor=00000000
#DispatcherDevices(): ->status: 00000000
#DispatcherDevices(): ->status: 00000000
#DispatcherDevices(): mjFunction=00000012 mjMinor=00000000
#DispatcherDevices(): ->status: 00000000
#DispatcherDevices(): mjFunction=00000002 mjMinor=00000000
#DispatcherDevices(): ->status: 00000000
#DispatcherDevices(): mjFunction=00000000 mjMinor=00000000
#DispatcherDevices(): ->status: 00000000
#DispatcherDevices(): mjFunction=00000012 mjMinor=00000000
#DispatcherDevices(): ->status: 00000000
#DispatcherDevices(): mjFunction=00000002 mjMinor=00000000
#DispatcherDevices(): ->status: 00000000
#DispatcherDevices(): mjFunction=00000000 mjMinor=00000000
#DispatcherDevices(): ->status: 00000000
#DispatcherDevices(): mjFunction=00000012 mjMinor=00000000
#DispatcherDevices(): ->status: 00000000
#DispatcherDevices(): mjFunction=00000002 mjMinor=00000000
#DispatcherDevices(): ->status: 00000000
#DispatcherDevices(): mjFunction=00000000 mjMinor=00000000
#DispatcherDevices(): ->status: 00000000
#DispatcherDevices(): mjFunction=00000012 mjMinor=00000000
#DispatcherDevices(): ->status: 00000000
#DispatcherDevices(): mjFunction=00000002 mjMinor=00000000
#DispatcherDevices(): ->status: 00000000
#DispatcherDevices(): mjFunction=00000000 mjMinor=00000000
#DispatcherDevices(): ->status: 00000000
#DispatcherDevices(): mjFunction=00000012 mjMinor=00000000
#DispatcherDevices(): ->status: 00000000
#DispatcherDevices(): mjFunction=00000002 mjMinor=00000000
#DispatcherDevices(): ->status: 00000000

Questions? First check the Kernel Driver FAQ at
http://www.osronline.com/article.cfm?id=256

You are currently subscribed to ntdev as: xxxxx@microsoft.com
To unsubscribe send a blank email to xxxxx@lists.osr.com

Maxim_S_Shatskih · December 29, 2005, 8:04pm

Register yourself as UpperFilter for Volume class, like VolSnap does. This
is a better idea.

Maxim Shatskih, Windows DDK MVP
StorageCraft Corporation
xxxxx@storagecraft.com
http://www.storagecraft.com

----- Original Message -----
From: “lallous”
Newsgroups: ntdev
To: “Windows System Software Devs Interest List”
Sent: Monday, December 26, 2005 1:26 PM
Subject: [ntdev] writing a simple filter, please assist

> Hello
>
> I am writing small volume filter to monitor a given partition’s I/O traffic.
>
> 1. I install a PNP notification on VolumeClassGuid from DriverEntry
> 2. When I get an arrival notification, I query the symbolic link to get the
> link target
> 3. I pass the target to a system thread, then IoGetDeviceObjectPointer()
> 4. create my own device object with same attributes as the devobj from (3)
> 5. IoAttachDeviceToDeviceStack( (4), (3) )
> 6. In my driver object, the dispatch entries are directed to a simple
> passthru dispatch handler.
>
> However, after step (6), I am receiving IRPs, such as CREATE=0/READ=2, but
> cannot access the drive…
> I am getting “(1) Incorrect function.” error.
>
> Please advise.
>
> –
> Elias
>
>
>
> —
> Questions? First check the Kernel Driver FAQ at
http://www.osronline.com/article.cfm?id=256
>
> You are currently subscribed to ntdev as: xxxxx@storagecraft.com
> To unsubscribe send a blank email to xxxxx@lists.osr.com