© 2004 Microsoft Corporation. All rights reserved. 1 Minifilter Generated IO’s.

© 2004 Microsoft Corporation. All rights reserved. 1

Minifilter Generated IO’s


Benefits of Using Filter Manager Routines for IO Generation

Operations can be targeted at a given instance Only seen by instances BELOW the

specified instance You usually specify your current instance

Solves recursive IO problems Minifilter unload will wait for

outstanding operations


Creating/Opening files FltCreateFile()

Filter Manager equivalent to IoCreateFileSpecifyDeviceObjectHint()

Optionally specify instance CREATE and all other operations to this handle will be

seen by all filters BELOW the given instance If instance is NULL, request will go to the top of the

device stack Returns a handle that can be used with Zw() and Nt()

APIs These operations will be properly targeted

Includes “options” parameter like IoCreateFileSpecifyDeviceObjectHint()

IO_IGNORE_SHARE_ACCESS_CHECK – allows share access checks to be bypassed


Reading and writing files FltReadFile()/FltWriteFile()

Equivalent to rolling your own READ/WRITE IRP in legacy model

Specify instance All instances BELOW specified instance will see

operation Takes FileObject, not handle

Works with any FileObject (even those opened in user mode)

Supports Synchronous as well as Asynchronous operations

Determined by whether or not an AsyncCallback parameter is passed in


Reparse points FltTagFile()

Set a reparse point on the given file Equivalent to rolling your own FSCTL_SET_REPARSE_POINT

IRP Specify instance

All instances BELOW specified instance will see operation Takes FileObject, not handle

Works with any FileObject FltUntagFile()

Remove a reparse point from the given file Equivalent to rolling your own

FSCTL_DELETE_REPARSE_POINT IRP Specify instance

All instances BELOW specified instance will see operation Takes FileObject, not handle

Works with any FileObject


Generating your own IOs FltAllocateCallbackData()

Specify instance All instances BELOW specified instance will see operation

Optionally specify Optionally specify FileObject You setup IRP_MAJOR, IRP_MINOR, and operation specific

parameters FltPerformSynchronousIo()

Issues the IO synchronously FltPerformAsynchronousIo()

Issues the IO asynchronously Specify callback routine and context Callback routine may be called at DPC level

FltReissueSynchronousIo()


Generating your own IOs FltReuseCallbackData()

Will reinitialize structure for use with another operation to the same Instance and FileObject

Cannot change Instance or FileObject Faster then freeing and reallocating You re-setup IRP_MAJOR, IRP_MINOR,

operation specific parameters FltFreeCallbackData()

Must free all CallbackData structures you allocate


Reissue IO FltReissueSynchronousIo()

Given an arbitrary CallbackData, will issue a synchronous operation using the current parameter definitions

Cannot change instance All instances BELOW your instance will see

operation Cannot be called from DPC level Sample usage:

Reissuing a create request with the FILE_OPEN_REPARSE_POINT flag set because the original request failed with STATUS_REPARSE


Canceling File Open FltCancelFileOpen()

Allows a filter to close a file that was opened by the file system driver.

Should be called from the post-operation routine after a successful create completion.

The IoCancelFileOpen() bug has been fixed


General Purpose IO Routines FltQueryInformationFile FltSetInformationFile FltQueryVolumeInformationFile FltSetVolumeInformation FltQuerySecurityObject FltFlushBuffers FltFsControlFile FltDeviceIoControlFile


Future

May add more routines for common file operations

We are open to requests

© 2004 Microsoft Corporation. All rights reserved. 1 Minifilter Generated IO’s.

Documents

Transcript of © 2004 Microsoft Corporation. All rights reserved. 1 Minifilter Generated IO’s.