Re[2]: How do i redirect writes and create a mapping table of logical blocks to offsets

Hello,

Yes, keep a bitmask that you get on initialization of the volume to
indicate where the free sectors are on the disk. Keep this in memory for
quick access.

At the volume filter layer you are almost never called in the context of
the original calling thread/process. You are generally seeing system
threads from system modules performing flushes, etc. For this type of
context you need to be in the file system stack.

Pete


Kernel Drivers
Windows File System and Device Driver Consulting
www.KernelDrivers.com
866.263.9295

------ Original Message ------
From: xxxxx@yahoo.fr
To: “Windows File Systems Devs Interest List”
Sent: 9/1/2015 10:11:21 PM
Subject: RE:[ntfsd] How do i redirect writes and create a mapping table
of logical blocks to offsets

>First of all, I want to thank all of you for your time trying to
>provide answers to my misunderstandings, I am still a newbie to driver
>development.
>I have examined the diskperf sample and am able to understand most
>of it. My assignment consists of storing the modified blocks on the
>same volume, and for that I was considering throwing them in a flat file
>while maintaining a mapping table of offsets, but I think (correct me if
>I’m wrong) saving them in a file residing on the same volume won’t work
>since the protection applies to the whole partition. I am able to get
>the write’s data and able to store the write offset in an AVL structure,
>though. So here are my questions.
>1) Since I expect a lot of change, how do I get the next free space on
>disk to stash the writes away? I read here that I should create a
>bitmap of the volume and consequently be able to retrieve free sector
>numbers and write to them. If that’s the case, can you clarify what I
>need to do that?
>Also, is a storage filter driver the kind I need to add exclusions so
>that certain IRPs are filtered depending on some conditions, like the
>process that is responsible for the thread writing data to disk?
>
>Thank you.
>
>—
>NTFSD is sponsored by OSR
>
>OSR is hiring!! Info at http://www.osr.com/careers
>
>For our schedule of debugging and file system seminars visit:
>http://www.osr.com/seminars
>
>To unsubscribe, visit the List Server section of OSR Online at
>http://www.osronline.com/page.cfm?name=ListServer

Thank you Scott.
I managed to retrieve the bitmap buffer on initialization and I’m stuck on how to get free clusters so I can just write on them. Can you point me toward a way to do that?

Thanks

Get the file system bitmap for the volume in question.

On Thu, Sep 3, 2015 at 3:49 AM, wrote:

> Thank you Scott.
> I managed to retrieve the bitmap buffer on initialization and I’m stuck
> on how to get free clusters so I can just write on them. Can you point me
> toward a way to do that?
>
> Thanks


Jamey Kirby
Disrupting the establishment since 1964

This is a personal email account and as such, emails are not subject to
archiving. Nothing else really matters.

Sorry… Too fast on the send button.

If you have the file system bitmap, then you know which clusters are free;
the bits not set. You need to make the assumption that every write you get
after you get the FS bitmap is from the file system; so you may have to
move some of your private data from time to time. One idea that would
require some more thought is to mark the clusters bad; but then you have
to distinguish between good clusters and actual bad clusters.

There are too many change tracking and snapshot drivers out there that
require re-entry into the file system while processing an I/O request down
the volume/disk stack. It is just an ugly way to do things.

I think Microsoft should add provisions to the file systems to support
cluster change tracking. It would be as simple as an FS maintained archive
bit for each cluster (another hidden bitmap file.) Add a couple of APIs to
read and clear the archive bits.

On Thu, Sep 3, 2015 at 9:21 AM, Jamey Kirby wrote:

> Get the file system bitmap for the volume in question.
>
> On Thu, Sep 3, 2015 at 3:49 AM, wrote:
>
>> Thank you Scott.
>> I managed to retrieve the bitmap buffer on initialization and I’m stuck
>> on how to get free clusters so I can just write on them. Can you point me
>> toward a way to do that?
>>
>> Thanks


Jamey Kirby
Disrupting the establishment since 1964

This is a personal email account and as such, emails are not subject to
archiving. Nothing else really matters.
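
Added example (not part of the thread and not any poster's code): scanning an in-memory copy of the volume bitmap for a run of clear bits and claiming it, as the replies above describe. SAMPLE_BITMAP is an assumed user-mode stand-in with the same field meaning as VOLUME_BITMAP_BUFFER; the function names and the sample bytes are constructed for illustration.

```c
#include <stdint.h>
#include <stdio.h>

/* Stand-in for VOLUME_BITMAP_BUFFER (assumption: same field meaning).
   Bit n of Buffer, LSB first, describes cluster StartingLcn + n; 1 = in use. */
typedef struct {
    int64_t StartingLcn;
    int64_t BitmapSize;   /* number of valid bits, not bytes */
    uint8_t Buffer[3];
} SAMPLE_BITMAP;

/* Constructed sample: 20 clusters; 10,11,13,14,15,16 and 19 are free.
   Bits 20..23 of the last byte are padding and must never be handed out. */
SAMPLE_BITMAP sample_bitmap(void) {
    SAMPLE_BITMAP bm = { 0, 20, { 0xFF, 0x13, 0x06 } };
    return bm;
}

static int in_use(const SAMPLE_BITMAP *bm, int64_t bit) {
    return (bm->Buffer[bit / 8] >> (bit % 8)) & 1;
}

/* First run of `count` clear bits at or after `startBit`; returns its LCN or -1. */
int64_t find_free_run(const SAMPLE_BITMAP *bm, int64_t startBit, int64_t count) {
    int64_t run = 0;
    if (startBit < 0 || count <= 0) return -1;
    for (int64_t bit = startBit; bit < bm->BitmapSize; bit++) {
        run = in_use(bm, bit) ? 0 : run + 1;
        if (run == count) return bm->StartingLcn + bit - count + 1;
    }
    return -1;
}

/* Find a run and set its bits in the in-memory copy so it is not reused. */
int64_t claim_free_run(SAMPLE_BITMAP *bm, int64_t count) {
    int64_t lcn = find_free_run(bm, 0, count);
    for (int64_t i = 0; lcn >= 0 && i < count; i++) {
        int64_t bit = lcn - bm->StartingLcn + i;
        bm->Buffer[bit / 8] |= (uint8_t)(1u << (bit % 8));
    }
    return lcn;
}

int main(void) {
    SAMPLE_BITMAP bm = sample_bitmap();
    printf("3-cluster run at LCN %lld\n", (long long)claim_free_run(&bm, 3));
    return 0;
}
```

As the reply above notes, the file system may later allocate a cluster claimed this way, so data stored there may have to be moved.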

Thanks Jamey,
I’m trying to get the volume bitmap but I get error 0xC34 when I call ZwCreateFile to open the volume, meaning the object name is not found. Seems like I have an error in my path. I have been googling this and trying a few naming rules but no results yet. Can you tell me what I am doing wrong? Or is there a better way to get the volume bitmap?

Thank you

Here is the function I am using

    /* The function header was missing from the post; this name is a placeholder.
       s1 and s2 are debug variables declared outside the snippet. */
    NTSTATUS GetVolumeBitmap(PVOLUME_BITMAP_BUFFER *buffer)
    {
        HANDLE fileHandle;
        IO_STATUS_BLOCK iosb;
        OBJECT_ATTRIBUTES objectAttributes;
        STARTING_LCN_INPUT_BUFFER slib;
        ULONG bufferLength;
        UNICODE_STRING fileName;
        NTSTATUS status = STATUS_SUCCESS;
        PVOLUME_BITMAP_BUFFER info = NULL;

        ACCESS_MASK open = GENERIC_READ | GENERIC_WRITE | SYNCHRONIZE;
        ULONG share = FILE_SHARE_READ | FILE_SHARE_WRITE;
        ULONG options = FILE_WRITE_THROUGH | FILE_SYNCHRONOUS_IO_NONALERT |
                        FILE_RANDOM_ACCESS | FILE_NO_INTERMEDIATE_BUFFERING;

        RtlInitUnicodeString(&fileName, L"\\DosDevices\\C:"); // I have tried \??\C:
        InitializeObjectAttributes(&objectAttributes,
                                   &fileName,
                                   OBJ_CASE_INSENSITIVE | OBJ_KERNEL_HANDLE,
                                   NULL,
                                   NULL);
        status = ZwCreateFile(&fileHandle, open, &objectAttributes, &iosb, NULL,
                              FILE_ATTRIBUTE_NORMAL, share, FILE_OPEN,
                              options, NULL, 0);
        s1 = status;
        bufferLength = 8 * 1024 * 1024;

        do {
            if (!NT_SUCCESS(status)) {
                break;              /* open failed: no handle to close */
            }
            info = (PVOLUME_BITMAP_BUFFER)ExAllocatePool(PagedPool, bufferLength);
            if (!info) {
                ZwClose(fileHandle);
                status = STATUS_INSUFFICIENT_RESOURCES;
                break;
            }

            /* Ask for the bitmap starting at cluster 0; grow the buffer until it fits. */
            slib.StartingLcn.QuadPart = 0;
            status = STATUS_UNSUCCESSFUL;
            while (!NT_SUCCESS(status))
            {
                status = ZwFsControlFile(fileHandle, NULL, NULL, NULL, &iosb,
                                         FSCTL_GET_VOLUME_BITMAP, &slib,
                                         sizeof(slib), info, bufferLength);
                if (status == STATUS_PENDING)
                {
                    ZwWaitForSingleObject(fileHandle, FALSE, NULL);
                    status = iosb.Status;
                }
                if (!NT_SUCCESS(status)) {
                    if ((STATUS_BUFFER_TOO_SMALL == status) ||
                        (STATUS_BUFFER_OVERFLOW == status)) {
                        ExFreePool(info);
                        bufferLength *= 2;
                        info = (PVOLUME_BITMAP_BUFFER)ExAllocatePool(PagedPool, bufferLength);
                        if (!info) {
                            status = STATUS_INSUFFICIENT_RESOURCES;
                            break;
                        }
                    }
                    else {
                        break;
                    }
                }
            }
            s2 = status;
            ZwClose(fileHandle);
            if (!NT_SUCCESS(status)) {
                /* Release the buffer on failure so it is not leaked. */
                if (info) {
                    ExFreePool(info);
                }
                break;
            }
            *buffer = info;         /* caller frees with ExFreePool */
        } while (FALSE);
        return status;
    }