ZwMapViewOfSection

OSR_Community_User · October 23, 2001, 4:57pm

Hi, I’m making a File Filter System Driver to deny access to files with viruses.
I intercept the CREATE calls and handle reentrancy ok. Then I search viruses in the file. Can I use ZwMapViewOfSection to read the file? Will that work even if it is a very big file? Or should I use several ZwReadFile using non paged memory buffers?
Thanks.

You are currently subscribed to ntfsd as: $subst(‘Recip.EmailAddr’)
To unsubscribe send a blank email to leave-ntfsd-$subst(‘Recip.MemberIDChar’)@lists.osr.com

OSR_Community_User · October 24, 2001, 9:46am

ZwMapViewOfSection maps memory in the user virtual address space. Will
you be accessing this memory in a known process context?

-----Original Message-----
From: Ratmil Torres [mailto:xxxxx@seg.inf.cu]
Sent: Tuesday, October 23, 2001 3:49 PM
To: File Systems Developers
Subject: [ntfsd] ZwMapViewOfSection

Hi, I’m making a File Filter System Driver to deny access to files with
viruses.
I intercept the CREATE calls and handle reentrancy ok. Then I search
viruses in the file. Can I use ZwMapViewOfSection to read the file? Will
that work even if it is a very big file? Or should I use several
ZwReadFile using non paged memory buffers?
Thanks.

You are currently subscribed to ntfsd as: xxxxx@nsisoftware.com
To unsubscribe send a blank email to leave-ntfsd-$subst(‘Recip.MemberIDChar’)@lists.osr.com

You are currently subscribed to ntfsd as: $subst(‘Recip.EmailAddr’)
To unsubscribe send a blank email to leave-ntfsd-$subst(‘Recip.MemberIDChar’)@lists.osr.com

OSR_Community_User · October 24, 2001, 10:58am

Yes. I do it once, use it, unmap the view and close the section, in the same process, at PASSIVE_LEVEL. I don’t know what process it is, but it all happens in the same function, so that’s OK, isn’t it?
----- Original Message -----
From: Rob Fuller
To: File Systems Developers
Sent: Wednesday, October 24, 2001 8:22 AM
Subject: [ntfsd] RE: ZwMapViewOfSection

ZwMapViewOfSection maps memory in the user virtual address space. Will you be accessing this memory in a known process context?
-----Original Message-----
From: Ratmil Torres [mailto:xxxxx@seg.inf.cu]
Sent: Tuesday, October 23, 2001 3:49 PM
To: File Systems Developers
Subject: [ntfsd] ZwMapViewOfSection

Hi, I’m making a File Filter System Driver to deny access to files with viruses.
I intercept the CREATE calls and handle reentrancy ok. Then I search viruses in the file. Can I use ZwMapViewOfSection to read the file? Will that work even if it is a very big file? Or should I use several ZwReadFile using non paged memory buffers?
Thanks.

You are currently subscribed to ntfsd as: xxxxx@nsisoftware.com
To unsubscribe send a blank email to leave-ntfsd-$subst(‘Recip.MemberIDChar’)@lists.osr.com

You are currently subscribed to ntfsd as: xxxxx@seg.inf.cu
To unsubscribe send a blank email to leave-ntfsd-$subst(‘Recip.MemberIDChar’)@lists.osr.com

You are currently subscribed to ntfsd as: $subst(‘Recip.EmailAddr’)
To unsubscribe send a blank email to leave-ntfsd-$subst(‘Recip.MemberIDChar’)@lists.osr.com

OSR_Community_User · October 24, 2001, 11:31am

I would be concerned about side effects, especially if I’m mapping a
large file. For example, while you’re scanning the virus, the process
may try to allocate memory and fail because you’ve consumed the
remainder of its virtual address space.

-----Original Message-----
From: Ratmil Torres [mailto:xxxxx@seg.inf.cu]
Sent: Wednesday, October 24, 2001 9:50 AM
To: File Systems Developers
Subject: [ntfsd] RE: ZwMapViewOfSection

Yes. I do it once, use it, unmap the view and close the section, in the
same process, at PASSIVE_LEVEL. I don’t know what process it is, but it
all happens in the same function, so that’s OK, isn’t it?

----- Original Message -----
From: Rob mailto:xxxxx Fuller
To: File Systems mailto:xxxxx Developers
Sent: Wednesday, October 24, 2001 8:22 AM
Subject: [ntfsd] RE: ZwMapViewOfSection

ZwMapViewOfSection maps memory in the user virtual address space. Will
you be accessing this memory in a known process context?

-----Original Message-----
From: Ratmil Torres [mailto:xxxxx@seg.inf.cu]
Sent: Tuesday, October 23, 2001 3:49 PM
To: File Systems Developers
Subject: [ntfsd] ZwMapViewOfSection

Hi, I’m making a File Filter System Driver to deny access to files with
viruses.
I intercept the CREATE calls and handle reentrancy ok. Then I search
viruses in the file. Can I use ZwMapViewOfSection to read the file? Will
that work even if it is a very big file? Or should I use several
ZwReadFile using non paged memory buffers?
Thanks.

—
You are currently subscribed to ntfsd as: xxxxx@nsisoftware.com
To unsubscribe send a blank email to leave-ntfsd-$subst(‘Recip.MemberIDChar’)@lists.osr.com

—
You are currently subscribed to ntfsd as: xxxxx@seg.inf.cu
To unsubscribe send a blank email to leave-ntfsd-$subst(‘Recip.MemberIDChar’)@lists.osr.com

—
You are currently subscribed to ntfsd as: xxxxx@nsisoftware.com
To unsubscribe send a blank email to leave-ntfsd-$subst(‘Recip.MemberIDChar’)@lists.osr.com

—
You are currently subscribed to ntfsd as: $subst(‘Recip.EmailAddr’)
To unsubscribe send a blank email to leave-ntfsd-$subst(‘Recip.MemberIDChar’)@lists.osr.com</mailto:xxxxx></mailto:xxxxx>

OSR_Community_User · October 24, 2001, 11:53am

Thanks.
But it is not probably to have a larger than 1GB file, User virtual space is 2GB.
But I will consider that.
I posted a message because I can’t successfully call ZwCreateSection.
Do you know the reason why I get invalid 6th parameter?
Thank you.
----- Original Message -----
From: Rob Fuller
To: File Systems Developers
Sent: Wednesday, October 24, 2001 11:28 AM
Subject: [ntfsd] RE: ZwMapViewOfSection

I would be concerned about side effects, especially if I’m mapping a large file. For example, while you’re scanning the virus, the process may try to allocate memory and fail because you’ve consumed the remainder of its virtual address space.
-----Original Message-----
From: Ratmil Torres [mailto:xxxxx@seg.inf.cu]
Sent: Wednesday, October 24, 2001 9:50 AM
To: File Systems Developers
Subject: [ntfsd] RE: ZwMapViewOfSection

Yes. I do it once, use it, unmap the view and close the section, in the same process, at PASSIVE_LEVEL. I don’t know what process it is, but it all happens in the same function, so that’s OK, isn’t it?
----- Original Message -----
From: Rob Fuller
To: File Systems Developers
Sent: Wednesday, October 24, 2001 8:22 AM
Subject: [ntfsd] RE: ZwMapViewOfSection

ZwMapViewOfSection maps memory in the user virtual address space. Will you be accessing this memory in a known process context?
-----Original Message-----
From: Ratmil Torres [mailto:xxxxx@seg.inf.cu]
Sent: Tuesday, October 23, 2001 3:49 PM
To: File Systems Developers
Subject: [ntfsd] ZwMapViewOfSection

Hi, I’m making a File Filter System Driver to deny access to files with viruses.
I intercept the CREATE calls and handle reentrancy ok. Then I search viruses in the file. Can I use ZwMapViewOfSection to read the file? Will that work even if it is a very big file? Or should I use several ZwReadFile using non paged memory buffers?
Thanks.

You are currently subscribed to ntfsd as: xxxxx@nsisoftware.com
To unsubscribe send a blank email to leave-ntfsd-$subst(‘Recip.MemberIDChar’)@lists.osr.com

You are currently subscribed to ntfsd as: xxxxx@seg.inf.cu
To unsubscribe send a blank email to leave-ntfsd-$subst(‘Recip.MemberIDChar’)@lists.osr.com

You are currently subscribed to ntfsd as: xxxxx@nsisoftware.com
To unsubscribe send a blank email to leave-ntfsd-$subst(‘Recip.MemberIDChar’)@lists.osr.com

You are currently subscribed to ntfsd as: xxxxx@seg.inf.cu
To unsubscribe send a blank email to leave-ntfsd-$subst(‘Recip.MemberIDChar’)@lists.osr.com

You are currently subscribed to ntfsd as: $subst(‘Recip.EmailAddr’)
To unsubscribe send a blank email to leave-ntfsd-$subst(‘Recip.MemberIDChar’)@lists.osr.com

OSR_Community_User · October 24, 2001, 1:10pm

And… If you do this in the system process context, it will map the
section into the user address space of the system process; which is all
but emty, so you can get up to the entire 2 gig or 3 gig.

-----Original Message-----
From: xxxxx@lists.osr.com
[mailto:xxxxx@lists.osr.com] On Behalf Of Rob Fuller
Sent: Wednesday, October 24, 2001 5:23 AM
To: File Systems Developers
Subject: [ntfsd] RE: ZwMapViewOfSection

ZwMapViewOfSection maps memory in the user virtual address space. Will
you be accessing this memory in a known process context?

-----Original Message-----
From: Ratmil Torres [mailto:xxxxx@seg.inf.cu]
Sent: Tuesday, October 23, 2001 3:49 PM
To: File Systems Developers
Subject: [ntfsd] ZwMapViewOfSection

Hi, I’m making a File Filter System Driver to deny access to files with
viruses.
I intercept the CREATE calls and handle reentrancy ok. Then I search
viruses in the file. Can I use ZwMapViewOfSection to read the file? Will
that work even if it is a very big file? Or should I use several
ZwReadFile using non paged memory buffers?
Thanks.

You are currently subscribed to ntfsd as: xxxxx@nsisoftware.com
To unsubscribe send a blank email to leave-ntfsd-$subst(‘Recip.MemberIDChar’)@lists.osr.com

You are currently subscribed to ntfsd as: xxxxx@storagecraft.com
To unsubscribe send a blank email to leave-ntfsd-$subst(‘Recip.MemberIDChar’)@lists.osr.com

You are currently subscribed to ntfsd as: $subst(‘Recip.EmailAddr’)
To unsubscribe send a blank email to leave-ntfsd-$subst(‘Recip.MemberIDChar’)@lists.osr.com

OSR_Community_User · October 24, 2001, 1:35pm

Do this from a system thread. It will give you almost 2 gig of address
space.

On another note, I am not sure that it is a good idea to scan like this.
I would read the data using NO_INTERMEDIATE_BUFFERING and always get the
data directly from the disk; remeber, you must read on sector aligned
boundries. THis may prove to be the fastest and most efficent way. Why
brig in the cache manager? I think, if I remember the quote correctly,
75% of file system are not data related. So, there are many opens and
closes that get file attribute information, and the likes, but read no
data; even if the file is opened with read access.

In your scenario, you will be creating, reading and taring down your
section object more than required.

Maybe the ultimate solution is to initiate the scan on the first read of
the data from the file. This would improve performance of the virus
scanner by “leaps and bounds”.

I loaded NAI a few weeks ago to do some compatibility testing and I was
amazed at the hit on system performance I noticed. Each open caused the
disk to thrash.

-----Original Message-----
From: xxxxx@lists.osr.com
[mailto:xxxxx@lists.osr.com] On Behalf Of Rob Fuller
Sent: Wednesday, October 24, 2001 8:28 AM
To: File Systems Developers
Subject: [ntfsd] RE: ZwMapViewOfSection

I would be concerned about side effects, especially if I’m mapping a
large file. For example, while you’re scanning the virus, the process
may try to allocate memory and fail because you’ve consumed the
remainder of its virtual address space.

-----Original Message-----
From: Ratmil Torres [mailto:xxxxx@seg.inf.cu]
Sent: Wednesday, October 24, 2001 9:50 AM
To: File Systems Developers
Subject: [ntfsd] RE: ZwMapViewOfSection

Yes. I do it once, use it, unmap the view and close the section, in the
same process, at PASSIVE_LEVEL. I don’t know what process it is, but it
all happens in the same function, so that’s OK, isn’t it?

----- Original Message -----
From: Rob mailto:xxxxx Fuller
To: File Systems Developers mailto:xxxxx
Sent: Wednesday, October 24, 2001 8:22 AM
Subject: [ntfsd] RE: ZwMapViewOfSection

ZwMapViewOfSection maps memory in the user virtual address space. Will
you be accessing this memory in a known process context?

-----Original Message-----
From: Ratmil Torres [mailto:xxxxx@seg.inf.cu]
Sent: Tuesday, October 23, 2001 3:49 PM
To: File Systems Developers
Subject: [ntfsd] ZwMapViewOfSection

Hi, I’m making a File Filter System Driver to deny access to files with
viruses.
I intercept the CREATE calls and handle reentrancy ok. Then I search
viruses in the file. Can I use ZwMapViewOfSection to read the file? Will
that work even if it is a very big file? Or should I use several
ZwReadFile using non paged memory buffers?
Thanks.

—
You are currently subscribed to ntfsd as: xxxxx@nsisoftware.com
To unsubscribe send a blank email to leave-ntfsd-$subst(‘Recip.MemberIDChar’)@lists.osr.com

—
You are currently subscribed to ntfsd as: xxxxx@seg.inf.cu
To unsubscribe send a blank email to leave-ntfsd-$subst(‘Recip.MemberIDChar’)@lists.osr.com

—
You are currently subscribed to ntfsd as: xxxxx@nsisoftware.com
To unsubscribe send a blank email to leave-ntfsd-$subst(‘Recip.MemberIDChar’)@lists.osr.com

—
You are currently subscribed to ntfsd as: xxxxx@storagecraft.com
To unsubscribe send a blank email to leave-ntfsd-$subst(‘Recip.MemberIDChar’)@lists.osr.com

—
You are currently subscribed to ntfsd as: $subst(‘Recip.EmailAddr’)
To unsubscribe send a blank email to leave-ntfsd-$subst(‘Recip.MemberIDChar’)@lists.osr.com</mailto:xxxxx></mailto:xxxxx>

OSR_Community_User · October 24, 2001, 2:00pm

Wow. I sure have sloppy fingers today; not to mention I reinstalled
outlook and forgot to turn on auto-spell check

I apologize for the horrid grammar ad spelling in this posting

Jamey

-----Original Message-----
From: xxxxx@lists.osr.com
[mailto:xxxxx@lists.osr.com] On Behalf Of Jamey Kirby
Sent: Wednesday, October 24, 2001 2:23 AM
To: File Systems Developers
Subject: [ntfsd] RE: ZwMapViewOfSection