Windows File Filter Driver: A Summary of Experience

Source: Internet
Author: User

After reading the second edition of Chukuangren's "File Filter Driver Development Tutorial", I was quite moved. I think communication is built on equality: while complaining that the atmosphere and environment are bad, you should first ask how much you yourself have contributed. People who only know how to ask and never give have no need to complain; they can only blame themselves. People who post their own experience have no more than two purposes. The first is to start some discussion and have their mistaken understanding corrected, so that they gain more knowledge and progress faster. The second is to keep a memo, so that when they forget something they can find the relevant information immediately. I have also summed up some small pieces of experience accumulated over recent years of writing file filter drivers. These notes are just a small part that came to mind after seeing Chukuangren's tutorial; I wrote things down as I thought of them, so they are not very complete, and I will keep adding to them if I recall more. Because of my work, I have recently been putting more energy into Solaris drivers and the Linux kernel and have hardly touched file filter drivers under Windows, so, in the end, the old saying applies: FIXME.

1. Obtaining the full path of a file, and when to do it

Do not try to obtain the full path anywhere other than in IRP_MJ_CREATE, unless you build an IRP from scratch and send it to the underlying device as a query before the other IRP_MJ_XXX requests.

ObCreateObject() is used to establish a valid FILE_OBJECT. In IRP_MJ_READ and IRP_MJ_WRITE, the operations act directly on the FCB (file control block).

2. Points to note when building an IRP from scratch and sending it

No matter what kind of IRP you build, whether IRP_MJ_CREATE or IRP_MJ_DIRECTORY_CONTROL, the main thing to watch is the flags. Different flags can give different results, and some cause the request to fail outright. The flags meant here are not only Irp->Flags but also IO_STACK_LOCATION->Flags and others. This needs particular attention when you want to achieve some special purpose; with IRP_MN_QUERY_DIRECTORY, for example, different flags produce very different results.

3. Points to note when building an IRP from scratch to get the full path

Build an IRP_MJ_QUERY_INFORMATION IRP from scratch. Note that the special-case handling must be done not only in IRP_MJ_CREATE but also in IRP_MJ_CLOSE; otherwise, if the target is an NTFS file system, a deadlock can occur. On NTFS, the same handling is also needed for files of type FO_STREAM_FILE during IRP_MJ_CLEANUP.

4. Obtaining the local/remote access user name (domain/SID)

This method is only available in IRP_MJ_CREATE, because IO_SECURITY_CONTEXT is only valid in IO_STACK_LOCATION->Parameters.Create.SecurityContext. From it you can get the access token via SecurityContext->AccessState->SubjectSecurityContext.xxxToken, and from the token the user name or SID. I recall that the IFS kit includes a library whose LIB exports a function that returns the user name and domain name once you have the above information. But if you want to be compatible with NT4, you have to analyze the token yourself to derive the local and remote SID.

5. Distinguishing files from directories

The right way is already described in Chukuangren's document; I will add just one sentence. If your file filter driver has to be compatible with all file systems, do not trust the data obtained from FileObject->FsContext. The right approach is to make the determination after the IRP_MJ_CREATE you passed down has come back to you from the file system at the bottom of the device stack.

6. Where to decide on encryption/decryption

Checking only IRP_PAGING_IO, IRP_SYNCHRONOUS_PAGING_IO and IRP_NOCACHE is correct. If there is a problem, trust that it is a problem in your own code. As to whether FO_NO_INTERMEDIATE_BUFFERING in FILE_OBJECT->Flags also needs to be checked: if you check IRP_NOCACHE, you do not need to check the FILE_OBJECT, because it ends up setting Irp->Flags to IRP_NOCACHE. Other IRP flags you see, such as IRP_DEFER_IO_COMPLETION, can be ignored, because they only mark an intermediate step; the final read or write is as described above. As for which of these IRPs are sent by the Cache Manager, which by the I/O Manager, and when, this has been discussed a lot and I believe it can be found.
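
The flag test from section 6, as an added example that is not code from the original note or from Chukuangren's tutorial. It is a user-mode model: `struct sample_irp` and the sample requests are hypothetical stand-ins, the constants repeat the values in the WDK header wdm.h, and limiting the test to read and write requests is an assumption.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>

/* Values as defined in the WDK header wdm.h, repeated here so the
   example builds in user mode without the WDK. */
#define IRP_MJ_READ                0x03
#define IRP_MJ_WRITE               0x04
#define IRP_NOCACHE                0x00000001
#define IRP_PAGING_IO              0x00000002
#define IRP_SYNCHRONOUS_PAGING_IO  0x00000040
#define IRP_DEFER_IO_COMPLETION    0x00000800

/* Hypothetical stand-in for the two IRP fields the check reads. */
struct sample_irp {
    uint8_t  major;   /* IO_STACK_LOCATION->MajorFunction */
    uint32_t flags;   /* Irp->Flags */
};

/* True when the request moves data between memory and disk, which is
   where a filter encrypts (write) or decrypts (read). Cached requests
   return false: their data reaches the disk later as paging I/O.
   FILE_OBJECT->Flags is not consulted, and IRP_DEFER_IO_COMPLETION
   is ignored, as section 6 describes. */
static bool is_crypt_point(const struct sample_irp *irp)
{
    if (irp->major != IRP_MJ_READ && irp->major != IRP_MJ_WRITE)
        return false;   /* assumption: only read/write carry file data */
    return (irp->flags & (IRP_PAGING_IO | IRP_SYNCHRONOUS_PAGING_IO |
                          IRP_NOCACHE)) != 0;
}

/* Constructed sample requests, not captured from a real system. */
static const struct sample_irp samples[] = {
    { IRP_MJ_WRITE, IRP_DEFER_IO_COMPLETION },      /* cached user write   */
    { IRP_MJ_WRITE, IRP_NOCACHE | IRP_PAGING_IO },  /* paging write        */
    { IRP_MJ_READ,  IRP_NOCACHE | IRP_PAGING_IO |
                    IRP_SYNCHRONOUS_PAGING_IO },    /* synchronous page-in */
    { IRP_MJ_READ,  IRP_NOCACHE },                  /* non-cached read     */
    { IRP_MJ_READ,  0 },                            /* cached user read    */
};

/* Number of sample requests the filter would transform. */
static size_t count_crypt_points(void)
{
    size_t n = 0;
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++)
        if (is_crypt_point(&samples[i]))
            n++;
    return n;
}
```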
