How to write data to a file from ClassifyFN in Windows Filtering Platform

Hello,

I want to create a file or open an existing txt file and then write some data into that file from ClassifyFn in Windows Filtering Platform. I am using ZwCreateFile to create or open the file, but it's not working. Here is my code for writing to the txt file.

Code:

NTSTATUS status;                      /* was used without being declared */
HANDLE handle;
IO_STATUS_BLOCK ioStatusBlock;
UNICODE_STRING uniName;
OBJECT_ATTRIBUTES objAttr;

/* Backslashes must be escaped in a C string literal; "\??\" was being
   read as escape sequences. */
RtlInitUnicodeString(&uniName, L"\\??\\E:\\log_net_buffer.txt");

InitializeObjectAttributes(&objAttr, &uniName, OBJ_CASE_INSENSITIVE | OBJ_KERNEL_HANDLE, NULL, NULL);

/* NOTE: ZwCreateFile/ZwWriteFile need PASSIVE_LEVEL; ClassifyFn is normally
   invoked at DISPATCH_LEVEL, so calling them here is the real problem.
   GENERIC_WRITE writes from offset 0 of an existing file; use FILE_APPEND_DATA
   instead if the log should be appended to. */
status = ZwCreateFile(&handle,
                      GENERIC_WRITE,
                      &objAttr, &ioStatusBlock, NULL,
                      FILE_ATTRIBUTE_NORMAL,
                      FILE_SHARE_WRITE,
                      FILE_OPEN_IF,
                      FILE_SYNCHRONOUS_IO_NONALERT | FILE_NON_DIRECTORY_FILE,
                      NULL, 0);

if (!NT_SUCCESS(status))
{
    DbgPrint("The file create failed:%x\n", status);
    return;
}

/* Kernel-mode code calls the Zw* variants, not Nt*; ByteOffset may be NULL
   only because the handle was opened for synchronous I/O. */
status = ZwWriteFile(handle, NULL, NULL, NULL, &ioStatusBlock,
                     pContiguousData, (ULONG)strlen(pContiguousData), NULL, NULL);

if (!NT_SUCCESS(status))
{
    DbgPrint("The file write failed:%x\n", status);
    ZwClose(handle);                  /* do not leak the handle on a failed write */
    return;
}

ZwClose(handle);

Reply as soon as possible.

Offload the file operations to a worker thread/work item.

Also, it is probably better to use ETW and write the .etl log file using ETW calls, which are callable from DISPATCH_LEVEL.

Then parse it in your user mode code using WMI calls.


Maxim S. Shatskih
Microsoft MVP on File System And Storage
xxxxx@storagecraft.com
http://www.storagecraft.com


Hello Maxim S. Shatskih,

Can you share an example or sample code for doing that? I am a novice in WFP coding.

Thanks

Just create a worker thread and initialize a queue to add buffers to it. Synchronize it with a spin lock and that's pretty much it.

ETW, well, there are already tons of samples out there and it is not really a WFP thing.


Gabriel Bercea

Windows Kernel Driver Consulting

www.kasardia.com

On Fri, Apr 29, 2016 at 5:19 AM -0700, wrote:

NTFSD is sponsored by OSR

MONTHLY seminars on crash dump analysis, WDF, Windows internals and software drivers!
Details at

To unsubscribe, visit the List Server section of OSR Online at

Hello Gabriel Bercea,

Thanks for your reply. But my question is: "Can't I write to a file from a driver in Windows Filtering Platform?" I just want to write the variable, which is of NET_BUFFER structure type, to a file from the driver.

Thanks
Nishant Varshney

Oh, believe me, I understood your question. WFP is nothing special, just a framework to make things easier for you, the filter driver writer. You're still in KM and can do what a KM driver can do, but with regard to the "rules". The problems we were mentioning were that you cannot access paged memory or code from the majority of the WFP callbacks. If you try hard enough to understand this, then your answer will be revealed to you and my post will make sense; otherwise …

Just make sure you understand how the basics of the kernel work in general, then worry about WFP.

Coming back to your initial question, as pointed out, there are several other better approaches to logging. See ETW, for example. In the end it depends on what you want to do overall.


Gabriel Bercea

Windows Kernel Driver Consulting

www.kasardia.com

On Sun, May 1, 2016 at 10:39 PM -0700, wrote: