Intercepting data read in by Notepad in a minifilter



Hi Gurus,
I know that this topic has been discussed extensively in other forums.
But I couldn't get a comprehensive reply from anywhere else.  Sorry
for bringing up the same issue again.

In my minifilter (based on the swapBuffers sample), I want to obtain the data
that is being read in by notepad.exe.

I'm NOT using FLTFL_OPERATION_REGISTRATION_SKIP_CACHED_IO or
FLTFL_OPERATION_REGISTRATION_SKIP_PAGING_IO in my operation
registration.

At first, I registered only for IRP_MJ_READ . But I noticed that my
IRP_MJ_READ callback did not get called when I opened an existing
1kb .txt file using notepad.exe.

I know that notepad uses memory mapped I/O and I can see
IRP_MJ_ACQUIRE_FOR_SECTION_SYNCHRONIZATION callbacks (added later on)
getting called, and the requestor process (obtained via FltGetRequestorProcess)
is notepad.exe.

1. Is there any way, in a minifilter, to intercept data that is being
read in by a process through memory mapped I/O?

2. Which major function should I register for?

3. Though it is memory mapped I/O, at some point the data must be read
from disk, am I right? How can I trap this call?

Could anybody help me please?

Thanks in advance,
Shaji.

0
Reply shaji 6/10/2009 6:01:52 AM

Go read the NTFSD archives at http://www.osronline.com/


-- 
Don Burn (MVP, Windows DDK)
Windows Filesystem and Driver Consulting
Website: http://www.windrvr.com
Blog: http://msmvps.com/blogs/WinDrvr
Remove StopSpam to reply







0
Reply Don 6/10/2009 11:45:13 AM


Thanks Don,
 I've read the discussions on OSR online. But couldn't get any
conclusive reply with which I can convince my boss :).
Buying the OSR data modification kit is certainly out of question
( he'd boot me out if I tell him the cost :) ).

My fundamental question is;
Even in the case of memory mapped I/O, the data must be somehow
fetched from disk, right? So, why can't we obtain that data?



0
Reply shaji 6/11/2009 12:14:16 PM

>Even in the case of memory mapped I/O, the data must be somehow
>fetched from disk, right? So, why can't we obtain that data?

Intercept the paging IO.

-- 
Maxim S. Shatskih
Windows DDK MVP
maxim@storagecraft.com
http://www.storagecraft.com

0
Reply Maxim 6/12/2009 5:45:28 PM

shaji <shajiparemmal@gmail.com> wrote:
>
> I've read the discussions on OSR online. But couldn't get any
>conclusive reply with which I can convince my boss :).
>Buying the OSR data modification kit is certainly out of question
>( he'd boot me out if I tell him the cost :) ).

The cost is FAR less than the cost of your salary over the time it will
take you to reinvent what they have already done.  It's a Return On
Investment issue.

>My fundamental question is;
>Even in the case of memory mapped I/O, the data must be somehow
>fetched from disk, right? So, why can't we obtain that data?

You can, but you can't tell which pages are the ones you want.  If you
intercept in the paging path, you'll get ALL "page in" operations, and the
paging path doesn't know anything about file systems or directories or file
names.
-- 
Tim Roberts, timr@probo.com
Providenza & Boekelheide, Inc.
0
Reply Tim 6/13/2009 6:19:07 AM

Thanks Max,
What is the method to intercept paging I/O?

I'm not skipping any paging I/O in my minifilter. But I can't see any
calls to my IRP_MJ_READ callback function when I open the .txt file
with notepad.exe.

As I said in my original post, I'm not using
FLTFL_OPERATION_REGISTRATION_SKIP_CACHED_IO or
FLTFL_OPERATION_REGISTRATION_SKIP_PAGING_IO

Is there any major function ( other than IRP_MJ_READ ) that I should
register for, in order to intercept paging I/O?

Thanks,
Shaji



0
Reply shaji 6/15/2009 5:51:39 AM

Thanks a lot Tim,
A couple of questions, just out of curiosity...

If the paging path does not know anything about the file, how does it
manage to map the file to the virtual address space of our process?
The system must know which file to map from, right?

If it doesn't use the file system, how does it manage to locate the
file?

Thanks,
Shaji.



0
Reply shaji 6/15/2009 5:58:53 AM

shaji <shajiparemmal@gmail.com> wrote:
>
>If the paging path does not know anything about the file, how does it
>manage to map the file to the virtual address space of our process?
>The system must know which file to map from, right?
>
>If it doesn't use the file system, how does it manage to locate the
>file?

Remember that drivers are all layered, and each layer has very specialized
knowledge.  The file system layers know about file names, but the layers
below that, including the disk drivers that deal with sectors, do not.
-- 
Tim Roberts, timr@probo.com
Providenza & Boekelheide, Inc.
0
Reply Tim 6/17/2009 5:07:44 AM

> Remember that drivers are all layered, and each layer has very specialized
> knowledge.  The file system layers know about file names, but the layers
> below that, including the disk drivers that deal with sectors, do not.

Thanks a lot for this point, Tim.

But, unfortunately, I'm still confused about my minifilter pre-read
callback not getting called.
Max said that I should intercept paging I/O. But I'm not getting any
calls in the pre-read at all when I open that tiny text file with
notepad. And I'm not skipping any paging I/O.

I've found on OSR a post ( http://www.osronline.com/showThread.cfm?link=119140 )
which lists out some steps to be followed in an encrypting/decrypting
filter. But it says that I should start my driver at boot time because
Windows may prefetch some file data.

So, here in my case, could it be that, the system prefetched my
notepad file data?

What kind of data does the system prefetch?

Thanks,
Shaji.

0
Reply shaji 6/17/2009 7:41:21 AM

Hi Max, Tim,

I can see that even when I click the text file icon in Explorer,
read IRPs are generated, typically with a read length of 24 bytes.
This means that the file is taken into the cache, and when I open the file
later on, the data is read from the cache.

After searching the OSR archives, I've come to believe that when data
is being read in from the cache, READ callbacks do not get invoked in the
minifilter. Is my understanding correct?

Is there any way to purge the cache so that my text file will be read
from disk when I open it again?

Thanks,
Shaji.





0
Reply shaji 6/17/2009 10:41:13 AM
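The point the thread circles around, written out as an added example that is not part of any post above and not the swapBuffers sample's code: a memory-mapped read never arrives as a major function of its own. When notepad.exe touches a page of its mapped view that is not resident, the memory manager issues a paging read, and that read reaches the minifilter as an ordinary IRP_MJ_READ with IRP_PAGING_IO (and IRP_NOCACHE) set in Data->Iopb->IrpFlags, so there is nothing else to register for as long as FLTFL_OPERATION_REGISTRATION_SKIP_PAGING_IO is not set. If the page is already in the system cache (Explorer reading 24 bytes of a 1 KB file pulls in the whole page), the fault is satisfied from memory and no I/O reaches any filter, which is what the last post observes. The classifier below separates the kinds of read a pre-read callback can receive. The flag values are copied from the WDK headers so it compiles and runs in user mode; the kernel wrapper HypoPreRead (a hypothetical name) only builds with the WDK and is shown to mark where the classifier is called. Note that the bytes themselves are not in the buffer at pre-read time; they exist only in the post-read callback.

```c
#ifdef _KERNEL_MODE
#include <fltKernel.h>      /* real build: flags and types come from here */
#else
#include <stdio.h>
/* Flag values copied from the WDK headers (wdm.h, fltKernel.h) so the
 * classifier compiles and runs in user mode; never redefine them in a driver. */
#define IRP_NOCACHE                             0x00000001UL
#define IRP_PAGING_IO                           0x00000002UL
#define IRP_SYNCHRONOUS_PAGING_IO               0x00000040UL
#define FLTFL_CALLBACK_DATA_IRP_OPERATION       0x00000001UL
#define FLTFL_CALLBACK_DATA_FAST_IO_OPERATION   0x00000002UL
#endif

typedef enum {
    READ_FAST_IO_CACHED, /* fast I/O path: copied from the cache, no IRP, IrpFlags not valid */
    READ_IRP_CACHED,     /* IRP_MJ_READ the file system satisfies via the cache manager */
    READ_IRP_NOCACHE,    /* caller opened with no intermediate buffering: goes to disk directly */
    READ_PAGING,         /* memory manager page-in: a mapped view or the cache being filled */
    READ_OTHER           /* FS filter operations and anything unexpected */
} READ_KIND;

/* Data->Flags says which path the operation arrived on; Data->Iopb->IrpFlags
 * is only meaningful for IRP-based operations. */
READ_KIND classify_read(unsigned long callbackDataFlags, unsigned long irpFlags)
{
    if (callbackDataFlags & FLTFL_CALLBACK_DATA_FAST_IO_OPERATION)
        return READ_FAST_IO_CACHED;
    if (!(callbackDataFlags & FLTFL_CALLBACK_DATA_IRP_OPERATION))
        return READ_OTHER;
    if (irpFlags & IRP_PAGING_IO)
        return READ_PAGING;
    if (irpFlags & IRP_NOCACHE)
        return READ_IRP_NOCACHE;
    return READ_IRP_CACHED;
}

/* A paging read is the only kind that carries data for a section-mapped file. */
int is_page_in_for_mapped_file(unsigned long callbackDataFlags, unsigned long irpFlags)
{
    return classify_read(callbackDataFlags, irpFlags) == READ_PAGING;
}

const char *read_kind_name(READ_KIND k)
{
    switch (k) {
    case READ_FAST_IO_CACHED: return "fast I/O (cached)";
    case READ_IRP_CACHED:     return "IRP, cached";
    case READ_IRP_NOCACHE:    return "IRP, non-cached";
    case READ_PAGING:         return "IRP, paging I/O";
    default:                  return "other";
    }
}

#ifdef _KERNEL_MODE
/* Where the classifier sits in a real filter. HypoPreRead is a hypothetical
 * name; this wrapper builds only with the WDK and is not run by the user-mode demo. */
FLT_PREOP_CALLBACK_STATUS FLTAPI
HypoPreRead(PFLT_CALLBACK_DATA Data, PCFLT_RELATED_OBJECTS FltObjects, PVOID *CompletionContext)
{
    UNREFERENCED_PARAMETER(FltObjects);
    *CompletionContext = NULL;
    if (!is_page_in_for_mapped_file(Data->Flags, Data->Iopb->IrpFlags))
        return FLT_PREOP_SUCCESS_NO_CALLBACK;
    /* The buffer is empty here; the bytes exist only in the post-read callback
     * (Data->Iopb->Parameters.Read.ReadBuffer or MdlAddress). */
    DbgPrint("page-in pid=%lu offset=%lld length=%lu\n",
             FltGetRequestorProcessId(Data),
             Data->Iopb->Parameters.Read.ByteOffset.QuadPart,
             Data->Iopb->Parameters.Read.Length);
    return FLT_PREOP_SUCCESS_WITH_CALLBACK;
}
#else
int main(void)
{
    /* Constructed flag combinations, as a minifilter would see them. */
    struct { const char *what; unsigned long cdFlags, irpFlags; } samples[] = {
        { "ReadFile on a cached handle (fast path)", FLTFL_CALLBACK_DATA_FAST_IO_OPERATION, 0 },
        { "ReadFile on a cached handle (IRP)",       FLTFL_CALLBACK_DATA_IRP_OPERATION, 0 },
        { "ReadFile with FILE_FLAG_NO_BUFFERING",    FLTFL_CALLBACK_DATA_IRP_OPERATION, IRP_NOCACHE },
        { "page fault in notepad's mapped view",     FLTFL_CALLBACK_DATA_IRP_OPERATION,
          IRP_PAGING_IO | IRP_NOCACHE | IRP_SYNCHRONOUS_PAGING_IO },
    };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("%-42s -> %s\n", samples[i].what,
               read_kind_name(classify_read(samples[i].cdFlags, samples[i].irpFlags)));
    return 0;
}
#endif
```

Tim's caveat still applies: every page-in on the volume comes through this path, so the filter has to select the stream itself. The FILE_OBJECT on a paging read is the one the memory manager or cache manager holds for the section, not necessarily the handle the requesting process opened, so a stream context attached at IRP_MJ_CREATE (FltGetStreamContext) is the reliable key; FltGetRequestorProcess names notepad.exe for a fault taken in its own thread but the System process for cache-manager read-ahead. When testing, use a file that has not been touched since boot; a file Explorer has just displayed a tooltip for is already cached and will produce no page-in at all.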

9 Replies
1656 Views
