首页>驱动开发>文件系统(过滤)驱动程序开发>请教过滤驱动中在FastIoQueryOpen下创建IRP_...
回复
« 返回列表
liio
liio
驱动小牛
驱动小牛
  • 注册日期2005-12-24
  • 最后登录2022-06-16
  • 粉丝4
  • 关注1
  • 积分24分
  • 威望343点
  • 贡献值0点
  • 好评度171点
  • 原创分0分
  • 专家分0分
写私信
  • 社区居民
阅读:3747回复:6

请教过滤驱动中在FastIoQueryOpen下创建IRP_MJ_CREATE的问题

楼主#
更多 发布于:2007-01-13 01:32
  在FastIoQueryOpen消息里尝试传递IRP_MJ_CREATE消息打开文件时蓝屏了,请高人帮我看看ISICreate部分的代码对不对。我无法建立调试环境,希望大家能帮我找出引次STOP的原因。
小人菜菜,实在没办法。注释掉下面这句调用不会蓝,传递到ISICreate中的FileObject是FastIoQueryOpen例程的FileObject

还请问在FastIoQueryOpen中直接传递IRP_MJ_CREATE到下层打开文件是否会成功呢



蓝屏码:

第一次
HANDLE hFile;

STOP:0x8E

第二次

PHANDLE hFile

STOP:0x7F

调用部分:

hFile = -2;
ISICreateFile(hFile ,DeviceObject ,FileObject ,GENERIC_READ | GENERIC_WRITE | SYNCHRONIZE);
TIMESTAMPSTOP();
LogRecord( TRUE, NULL, &dateTime, &timeResult,"|%d|%s|FO|%s|%s", hFile,FilemonGetProcess(name), fullPathName, retval ? "ok" : "err" );
if(hFile)
{
    ZwClose(hFile);
}

函数:


NTSTATUS
ISICreateFile(
PHANDLE pFile,
PDEVICE_OBJECT DeviceObject,
PFILE_OBJECT FileObject,
ACCESS_MASK DesiredAccess//GENERIC_READ | GENERIC_WRITE | SYNCHRONIZE
 )
{
NTSTATUSStatus;
PIRP Irp;
KEVENT event;
IO_STATUS_BLOCK IoStatusBlock;
PIO_STACK_LOCATIONIoStackLocation;
IO_SECURITY_CONTEXTIoSecurityContext;
ACCESS_STATEAccessState;
PGENERIC_MAPPINGpGenericMapping;

ULONG*pAuxData = ExAllocatePool(NonPagedPool, 1024);

if (pAuxData == NULL)
{
MemFree(pAuxData);
return STATUS_INSUFFICIENT_RESOURCES;
}

memset(pAuxData, 0, 1024);

Status = ObInsertObject ((PVOID)FileObject,
NULL,
DesiredAccess,
0,
NULL,
pFile);
 if (!NT_SUCCESS(Status))
     {
        ObDereferenceObject (FileObject);
        return(Status);
     }



KeInitializeEvent(&event, NotificationEvent, FALSE);


Irp = IoAllocateIrp(DeviceObject->StackSize, FALSE);

if (!Irp)
return FALSE;


Irp->UserEvent = &event;
Irp->UserIosb = &IoStatusBlock;
Irp->Tail.Overlay.Thread = PsGetCurrentThread();
Irp->Tail.Overlay.OriginalFileObject = FileObject;
Irp->RequestorMode = KernelMode;
Irp->Flags = IRP_CREATE_OPERATION|IRP_SYNCHRONOUS_API;

Irp->PendingReturned=FALSE;
Irp->Cancel=FALSE;
Irp->MdlAddress=NULL;
Irp->CancelRoutine=NULL;
Irp->Tail.Overlay.AuxiliaryBuffer=NULL;


IoStackLocation = IoGetNextIrpStackLocation(Irp);
IoStackLocation->MajorFunction = IRP_MJ_CREATE;
IoStackLocation->DeviceObject = DeviceObject;
IoStackLocation->FileObject = FileObject;

pGenericMapping = IoGetFileObjectGenericMapping();
SeCreateAccessState(&AccessState,&pAuxData,DesiredAccess,pGenericMapping);
IoSecurityContext.AccessState = &AccessState;
IoSecurityContext.DesiredAccess = DesiredAccess;
IoSecurityContext.SecurityQos=NULL;
IoSecurityContext.FullCreateOptions=0;
IoStackLocation->Parameters.Create.SecurityContext=&IoSecurityContext;
IoStackLocation->Parameters.Create.Options=FILE_OPEN << 24;
IoStackLocation->Parameters.Create.FileAttributes = FILE_ATTRIBUTE_NORMAL;
IoStackLocation->Parameters.Create.ShareAccess = FILE_SHARE_READ | FILE_SHARE_WRITE; ;
IoStackLocation->Parameters.Create.EaLength=0;
IoStackLocation->Context=NULL;
IoStackLocation->Control=SL_INVOKE_ON_CANCEL|SL_INVOKE_ON_SUCCESS|SL_INVOKE_ON_ERROR;
//IoStackLocation->CompletionRoutine = IoCompletionRoutine;

IoSetCompletionRoutine(Irp, ISICreateFileCompleted, 0, TRUE, TRUE, TRUE);

(void) IoCallDriver(DeviceObject, Irp);


KeWaitForSingleObject(&event, Executive, KernelMode, TRUE, 0);

return( NT_SUCCESS( IoStatusBlock.Status ));
}

NTSTATUS
ISICreateFileCompleted(
  PDEVICE_OBJECT DeviceObject,
  PIRP Irp,
  PVOID Context
  )
{

*Irp->UserIosb = Irp->IoStatus;

if( !NT_SUCCESS(Irp->IoStatus.Status) ) {

DbgPrint(("QueryFileInformationCompleted  ERROR ON IRP: %x\n", Irp->IoStatus.Status ));
}


KeSetEvent(Irp->UserEvent, 0, FALSE);


IoFreeIrp(Irp);

return STATUS_MORE_PROCESSING_REQUIRED;
}
喜欢0
回复
liio
liio
驱动小牛
驱动小牛
  • 注册日期2005-12-24
  • 最后登录2022-06-16
  • 粉丝4
  • 关注1
  • 积分24分
  • 威望343点
  • 贡献值0点
  • 好评度171点
  • 原创分0分
  • 专家分0分
写私信
  • 社区居民
沙发#
发布于:2007-01-16 09:56
Thanks,呵呵.我会尝试你所说的.

FastIO的知识又多了解了一些,谢谢你

我先写完代码吧,如果碰到些问题,还是请你帮帮我.

谢谢了.

难得一见的好人!
回复(0) 喜欢(0)
michaelgz
michaelgz
论坛版主
论坛版主
  • 注册日期2005-01-26
  • 最后登录2012-10-22
  • 粉丝1
  • 关注1
  • 积分150分
  • 威望1524点
  • 贡献值1点
  • 好评度213点
  • 原创分0分
  • 专家分2分
写私信
板凳#
发布于:2007-01-16 02:04
FastIO is not normal IRP based request. The book "NT File System Internals" has very detailed information about it.

"我已经获取了设备的IRP并且我失败掉此IRP能成功的过滤掉设备的访问". Sorry I don't quite understand this. What are you trying to achieve. Are you developing FSFD? Are you trying to filter some specific devices such as USB?

"当一个应用程序打开时最先发送的消息是FASTIO中的查询打开消息".
 -- For an user mode application this maybe true (I'm not positive on this). But there could be other kernel drivers, such as anti-virus, sitting on top of your driver which won't send any FastIO at all.

"MJ_CREATE在一个应用程序的运行时,会有很多次。而FASTIO比较少。"
  -- No matter what, you have to handle both cases.

Let me quote a sentence from the book "NT File System Internals" here:
    "if data transfer is not possible using the fast I/O path, ..., the I/O manager simply resorts to using standard IRP method ...."
This is the reason why I suggested you faild this particular FastIO and put your logic into MJ_CREATE.

If you really want to send down a CREAET IRP, try using shadow device or the function IoCreateFileSpecifyDeviceObjectHint() for XP and later instead of rolling out your own create IRP. If you roll out your own CREATE IRP, you have to think about how to handle the newly created file object such as how to handle process object table, how to clean-up this file object, ........ It is not the same as rolling out a QUERY or READ IRP. So my suggestion is don't do it by yourself.

Error 0x8E is KERNEL_MODE_EXCEPTION_NOT_HANDLED, 0x7F is UNEXPECTED_KERNEL_MODE_TRAP. These two errors may be easily located if you have a kernel debugger connected.
回复(0) 喜欢(0)
liio
liio
驱动小牛
驱动小牛
  • 注册日期2005-12-24
  • 最后登录2022-06-16
  • 粉丝4
  • 关注1
  • 积分24分
  • 威望343点
  • 贡献值0点
  • 好评度171点
  • 原创分0分
  • 专家分0分
写私信
  • 社区居民
地板#
发布于:2007-01-14 03:04
引用第3楼michaelgz2007-01-14 02:38发表的“”:
 A normal approach would be to fail this FASTIO and put your business logic in coming MJ_CREATE IRP.



上面这句看不明白。

运行环境是可以的。我无法知道是哪句话造成了STOP。也就是我没有建立调试环境。

老兄建议我不要在FASTIO中自定义MJ_Create对吗?我之所以要在FAST_IO中操作是因为当一个应用程序打开时最先发送的消息是FASTIO中的查询打开消息。所以我就在此进行过滤。

而且MJ_CREATE在一个应用程序的运行时,会有很多次。而FASTIO比较少。并且在FASTIO的打开查询消息中我已经获取了设备的IRP并且我失败掉此IRP能成功的过滤掉设备的访问。

请教是否真的无法在FASTIO中自定义MJ_Create还是我代码问题出在哪

楼上觉得我代码没问题吗?
回复(0) 喜欢(0)
michaelgz
michaelgz
论坛版主
论坛版主
  • 注册日期2005-01-26
  • 最后登录2012-10-22
  • 粉丝1
  • 关注1
  • 积分150分
  • 威望1524点
  • 贡献值1点
  • 好评度213点
  • 原创分0分
  • 专家分2分
写私信
地下室#
发布于:2007-01-14 02:38
CREATE IRP is one of the most difficult IRPs to be generated. A general suggestion is don't do it.

The question is why you need to have your own customized CREATE IRP in FASTIO. A normal approach would be to fail this FASTIO and put your business logic in coming MJ_CREATE IRP.

By the way, "我无法建立调试环境", then how can you have a working driver.
回复(0) 喜欢(0)
liio
liio
驱动小牛
驱动小牛
  • 注册日期2005-12-24
  • 最后登录2022-06-16
  • 粉丝4
  • 关注1
  • 积分24分
  • 威望343点
  • 贡献值0点
  • 好评度171点
  • 原创分0分
  • 专家分0分
写私信
  • 社区居民
5楼#
发布于:2007-01-13 20:26
如果需要收费可以商量!
回复(0) 喜欢(0)
liio
liio
驱动小牛
驱动小牛
  • 注册日期2005-12-24
  • 最后登录2022-06-16
  • 粉丝4
  • 关注1
  • 积分24分
  • 威望343点
  • 贡献值0点
  • 好评度171点
  • 原创分0分
  • 专家分0分
写私信
  • 社区居民
6楼#
发布于:2007-01-13 01:33
问题一可能找到了。
会不会不允许GENERIC_WRITE 呢?
回复(0) 喜欢(0)
游客

关于phpwind联系我们问题反馈程序建议

Powered by phpwind v9.0.2 ©2003-2015 phpwind.com 京ICP备05006834号

返回顶部