PlsHlp: using files in dispatch routine IRP_MAJOR_WRITE in file system filter driver / filespy example IFS-Kit

Post by Sven Nowa » Sat, 24 Sep 2005 21:01:34


Hi,
I'm a newbie to MS driver development and I'm trying to write a filesystem
filter driver, which should spy out all I/O operations on a defined volume
and detect if a file on the attached drive is going to be
changed/overwritten (deleted or renamed). In these cases I want to first
make a copy of that original file.

I started to extend the filespy example from the IFS-Kit (if anyone knows
it).
I wrote a dispatch routine for IRP_MAJOR_WRITE and tried just to create a
new file with ZwCreateFile, then close the returned handle by calling
ZwClose, and then pass the IRP through (using the SpyPassThrough routine
from the filespy example). Just passing through the IRP works well!

The file gets correctly created, but the system gets stuck and hangs (no
bluescreen, but it has to be restarted).

Is it possible to do the file copy operation in the IRP_MAJOR_WRITE dispatch
routine?

Here is my dispatch routine :
-----------------------------------------------------------------------------------
NTSTATUS SpyFsPrototype(IN PDEVICE_OBJECT DeviceObject, IN PIRP Irp)
{
    NTSTATUS status = STATUS_SUCCESS;
    PIO_STACK_LOCATION pIrpStack = IoGetCurrentIrpStackLocation(Irp);
    OBJECT_ATTRIBUTES oa;
    IO_STATUS_BLOCK iostatus;
    HANDLE hfile;
    UNICODE_STRING pathname;

    ASSERT(KeGetCurrentIrql() == PASSIVE_LEVEL);

    // Handle IRPs addressed to the control device object
    if (DeviceObject == gControlDeviceObject)
        return SpyDispatch(DeviceObject, Irp);

    RtlInitUnicodeString(&pathname, L"\\??\\C:\\foo.txt");
    InitializeObjectAttributes(&oa, &pathname,
        OBJ_CASE_INSENSITIVE | OBJ_KERNEL_HANDLE, NULL, NULL);

    if (KeGetCurrentIrql() == PASSIVE_LEVEL) {
        // Create (or overwrite) the file from inside the write dispatch routine
        status = ZwCreateFile(&hfile, GENERIC_WRITE,
            &oa, &iostatus, NULL, 0, FILE_SHARE_READ, FILE_OVERWRITE_IF,
            FILE_SYNCHRONOUS_IO_NONALERT, NULL, 0);

        // Only close the handle if the create actually returned one
        if (NT_SUCCESS(status))
            status = ZwClose(hfile);
    }

    // Pass the IRP through to the next lower level
    return SpyPassThrough(DeviceObject, Irp);
}

---------------------------------------------------------------------------------------------------------------------------------------------

Thanks for help !!

Sven
 
 
 

Post by Don Bur » Sat, 24 Sep 2005 21:11:02

You have to deal with the fact that your Zw operations will go through your
filter, and you have to account for them.

First you should realize that newbies and file system filters do not mix.
This is like saying, I am a newbie to medicine so I am trying brain surgery.
The place to be asking questions on file system development is NTFSD hosted
at http://www.yqcomputer.com/ (you have to register). Also on that site is a
FAQ for file system development
http://www.yqcomputer.com/

If you need to do this, take a good course in driver development, then
practice some, then take OSR's class on file system development.


--
Don Burn (MVP, Windows DDK)
Windows 2k/XP/2k3 Filesystem and Driver Consulting
Remove StopSpam from the email to reply
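
The re-entrancy described in the reply above, as an added user-mode C model (not code from either poster, and not kernel code): a filter that saves a copy before every write issues I/O that arrives back at the top of the stack, and so at the filter itself. The `from_filter` marker, `MAX_DEPTH` and all function names are hypothetical stand-ins chosen for this illustration.

```c
#include <stdbool.h>
#include <stdio.h>

enum { MAX_DEPTH = 64 };       /* stand-in for the finite kernel stack */

struct request {
    const char *path;          /* constructed sample path */
    bool from_filter;          /* hypothetical marker: I/O issued by the filter */
};

struct stats { int filter_entries; int backups; bool overflow; };

static void filter_dispatch(const struct request *rq, bool guard,
                            int depth, struct stats *st);

/* Models a Zw* call: the request is sent to the top of the device stack,
   so the filter's dispatch routine sees it like any other request. */
static void top_of_stack_io(const struct request *rq, bool guard,
                            int depth, struct stats *st)
{
    filter_dispatch(rq, guard, depth + 1, st);
}

static void filter_dispatch(const struct request *rq, bool guard,
                            int depth, struct stats *st)
{
    st->filter_entries++;
    if (depth >= MAX_DEPTH) { st->overflow = true; return; }
    if (guard && rq->from_filter)
        return;                /* accounted for: own I/O is passed straight down */

    /* Save a copy before the write proceeds; the copy is itself a write. */
    struct request backup = { "backup-copy", true };
    st->backups++;
    top_of_stack_io(&backup, guard, depth, st);
    /* The original request would be passed to the lower driver here. */
}

/* Runs one user write through the model, with or without the guard. */
struct stats simulate(bool guard)
{
    struct stats st = { 0, 0, false };
    struct request user_write = { "C:\\data.txt", false };
    filter_dispatch(&user_write, guard, 0, &st);
    return st;
}

int main(void)
{
    struct stats a = simulate(false), b = simulate(true);
    printf("no guard: entries=%d overflow=%d\n", a.filter_entries, a.overflow);
    printf("guard:    entries=%d overflow=%d\n", b.filter_entries, b.overflow);
    return 0;
}
```

Without the guard, one user write re-enters the filter until the depth limit is hit; with it, the filter is entered twice and makes exactly one backup.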