OS: Win 2K3 R2 32 bit Sp2 (but might be possible with other oses too, havent
verified)
Design: User mode DLL calls kernel mode Volume filter Driver using IOCTLS.
Volumte filter attaches itself to all mounted volumes.
Feature of Driver: User mode DLL passes A file name to the Driver through
it’s APIs Example:
MyDriverCreateFile(volname, relative path,…)
This internally translates to an IOCTL in the DLL which does a CreateFile on
the volume name (C:, D:, VOLume GUID…) and then passes an IOCTL down to
the volume filter with the relative path.
The driver (since it is attached to a real device, gets th IOCTL on one of
the mounted volumes like \dev\hdv1 and makes a path like
\dev\hdv1<relativepath and file name> and calls ZwCreate on it.
Issue: I have seen that when we call MyCreateFile(C:,“ABCD.txt”,…) it
works perfectly, but when it is called with
MyCreateFile(Volume{GUID},“ABCD.txt”…)
even though the device is opened properly and the path of the file passed to
ZwCreateFile is same \dev\hdv1<relativepath and file name>, ZwCreateFile
fails with Object path not found.
Every parameter in the two names for Zw* are same, but using symbolic links
to open the device passes where as the volume guid path males it fail.
I am stumped. Can someone throw some light on this?