bsod in attempt to redirect to different volume

Hi all,

im trying to redirect to different volume . from mup to local drive c. i have these snippet code in precreate for redirection but only works for same volume.

code snippet:

{
if(bRedirect)
{
int DFLAG = 1, iRet = DLPFS_ERROR_SUCCESS;
WCHAR * redirPath = NULL;
NTSTATUS status;

try{
if( Data == NULL ||
FltObjects == NULL){
iRet = DLPFS_ERROR_PARAM_NULL;
goto cleanup;
}

DbgPrint(“gKernelData->RootDeviceInstance:%x, current Instance: %x\r\n”, gKernelData->RootDeviceInstance, FltObjects->Instance);

if(DFLAG) DbgPrint(“%s - filename:%S\r\n”, FUNCTION, FltObjects->FileObject->FileName.Buffer);
//allocate new
redirPath = (WCHAR*)ExAllocatePool(NonPagedPool, sizeof(WCHAR) * MAX_PATH_LEN);
if(redirPath == NULL)
goto cleanup;

DbgPrint(“redirPath: %S\r\n”, redirPath);
RtlStringCchCopyW(redirPath, MAX_PATH_LEN, L"\test_copyfile.docx");

//free previous
ExFreePool(FltObjects->FileObject->FileName.Buffer);
FltObjects->FileObject->FileName.Buffer = NULL;

//replace with new
FltObjects->FileObject->FileName.Length = (USHORT) wcslen(redirPath) * sizeof(WCHAR);
FltObjects->FileObject->FileName.MaximumLength = FltObjects->FileObject->FileName.Length;
FltObjects->FileObject->FileName.Buffer = redirPath;

Data->Iopb->TargetFileObject->RelatedFileObject = NULL;

Data->IoStatus.Information = IO_REPARSE;
Data->IoStatus.Status = STATUS_REPARSE;

if(DFLAG) DbgPrint(“%s - redirect\r\n”, FUNCTION);

FltSetCallbackDataDirty(Data);
return FLT_PREOP_SUCCESS_WITH_CALLBACK;

} except(EXCEPTION_EXECUTE_HANDLER) {
DPE(GetExceptionCode());
iRet = DLPFS_ERROR_EXCEPTION;
}
}
}

i read Alex’s article http://fsfilters.blogspot.my/2011/09/file-io-redirection-between-volumes.html

and try to modify my code to work with different volume. i got my root drive instance during driverentry & instanceSetup, but when i assign Data->iopb->targetinstace it cause me a bsod in PostOperation

modified code:

if(FltObjects->FileObject->DeviceObject->DeviceType == FILE_DEVICE_NETWORK_FILE_SYSTEM )
{
if(bRedirect)
{
int DFLAG = 1, iRet = DLPFS_ERROR_SUCCESS;
WCHAR * redirPath = NULL;
//PFLT_FILE_NAME_INFORMATION nameInfo = NULL;
NTSTATUS status;

try{
if( Data == NULL ||
FltObjects == NULL){
iRet = DLPFS_ERROR_PARAM_NULL;
goto cleanup;
}

DbgPrint(“gKernelData->RootDeviceInstance:%x, current Instance: %x\r\n”, gKernelData->RootDeviceInstance, FltObjects->Instance);
if(FltObjects->Instance != gKernelData->RootDeviceInstance)
{
BOOLEAN bAllowRedir = FALSE, bAllowRedirIO = FALSE, bStackSizeModified = FALSE;
NTSTATUS ntstat;

ntstat = FltIsIoRedirectionAllowed(FltObjects->Instance, (PFLT_INSTANCE)gKernelData->RootDeviceInstance, &bAllowRedir);
DbgPrint(“FltIsIoRedirectionAllowed return:%x, bAllowRedir: %d\r\n”, ntstat, bAllowRedir);
if(ntstat == STATUS_SUCCESS){
if(!bAllowRedir){
ntstat = FltAdjustDeviceStackSizeForIoRedirection(FltObjects->Instance, gKernelData->RootDeviceInstance, &bStackSizeModified);
DbgPrint(“FltAdjustDeviceStackSizeForIoRedirection return:%x, bStackSizeModified: %d\r\n”, ntstat, bStackSizeModified);

}
}

DbgPrint(“FltObjects->Instance:%x, bAllowgKernelData->RootDeviceInstance: %x\r\n”, FltObjects->Instance, gKernelData->RootDeviceInstance);
ntstat = FltIsIoRedirectionAllowedForOperation(Data, (PFLT_INSTANCE)gKernelData->RootDeviceInstance, &bAllowRedir, &bAllowRedirIO);
DbgPrint(“FltIsIoRedirectionAllowedForOperation return:%x, bAllowRedir: %d\r\n”, ntstat, bAllowRedir);
if(ntstat == STATUS_SUCCESS){
if(bAllowRedir){

DbgPrint(“TargetInstance: %x\r\n”, Data->Iopb->TargetInstance);
DbgPrint(“TargetFileObject: %x\r\n”, Data->Iopb->TargetFileObject);
Data->Iopb->TargetInstance = gKernelData->RootDeviceInstance;
}
}
}

if(DFLAG) DbgPrint(“%s - filename:%S\r\n”, FUNCTION, FltObjects->FileObject->FileName.Buffer);
//allocate new
redirPath = (WCHAR*)ExAllocatePool(NonPagedPool, sizeof(WCHAR) * MAX_PATH_LEN);
if(redirPath == NULL)
goto cleanup;

RtlStringCchCopyW(redirPath, MAX_PATH_LEN, L"\test_copyfile.docx");

//free previous
ExFreePool(FltObjects->FileObject->FileName.Buffer);
FltObjects->FileObject->FileName.Buffer = NULL;

//replace with new
FltObjects->FileObject->FileName.Length = (USHORT) wcslen(redirPath) * sizeof(WCHAR);
FltObjects->FileObject->FileName.MaximumLength = FltObjects->FileObject->FileName.Length;
FltObjects->FileObject->FileName.Buffer = redirPath;

Data->Iopb->TargetFileObject->RelatedFileObject = NULL;

Data->IoStatus.Information = IO_REPARSE;
Data->IoStatus.Status = STATUS_REPARSE;

if(DFLAG) DbgPrint(“%s - filename:%S\r\n”, FUNCTION, FltObjects->FileObject->FileName.Buffer);
if(DFLAG) DbgPrint(“%s - redirect\r\n”, FUNCTION);

FltSetCallbackDataDirty(Data);

return FTL_PREOP_SUCCESS_WITH_CALLBACK;

} except(EXCEPTION_EXECUTE_HANDLER) {
DPE(GetExceptionCode());
iRet = DLPFS_ERROR_EXCEPTION;
}
}
}

bugcheck analysis:

MUP_FILE_SYSTEM (103)
MUP file system detected an error.
Arguments:
Arg1: 00000001, MUP_BUGCHECK_NO_FILECONTEXT
Could not locate MUP file context corresponding to a file object.
Arg2: 860af8e0, Irp Address if an IRP was used, NULL otherwise.
Arg3: 8606c038, FILE_OBJECT Address whose MUP file context could not be found
Arg4: 85038e10, DEVICE_OBJECT Address

Debugging Details:

Page 27cd9 not present in the dump file. Type “.hh dbgerr004” for details

DEVICE_OBJECT: 85038e10

DRIVER_OBJECT: 85038f38

IMAGE_NAME: mup.sys

DEBUG_FLR_IMAGE_TIMESTAMP: 4a5bbfc6

MODULE_NAME: mup

FAULTING_MODULE: 87e23000 mup

DEFAULT_BUCKET_ID: INTEL_CPU_MICROCODE_ZERO

BUGCHECK_STR: 0x103

PROCESS_NAME: explorer.exe

CURRENT_IRQL: 0

LAST_CONTROL_TRANSFER: from 87e29123 to 829031e0

STACK_TEXT:
9a7c340c 87e29123 00000103 00000001 860af8e0 nt!KeBugCheckEx+0x1e
9a7c3434 8285f186 85038e10 860af8e0 860af8e0 mup!MupFsdIrpPassThrough+0x78
9a7c344c 877c59e3 9a7c34e4 8503835c 85038348 nt!IofCallDriver+0x63
9a7c3480 877c7c1b 85038e10 8606c038 9a7c34a8 fltmgr!FltpQueryInformationFile+0xc3
9a7c34c0 877c80c9 85038348 85038e10 8606c038 fltmgr!QueryStandardLinkInformation+0x75
9a7c34f8 877b2969 85038348 00000001 00000000 fltmgr!SetStreamListStandardInformationFlags+0x109
9a7c3538 877b2fa3 00000000 84b38258 84b38310 fltmgr!FltpGetFileNameInformation+0x169
9a7c3560 9440b1b2 00b382b8 00000101 9a7c35a4 fltmgr!FltGetFileNameInformation+0x12b
9a7c3810 944082d6 9a7c38c4 84b382b8 9a7c3880 GWEFS!getFilePath+0x1a2
9a7c38a0 877ac324 84b382b8 9a7c38c4 00000000 GWEFS!ScannerPostDetectLifeCycle+0x106
9a7c3908 877af512 00b38258 84b38258 10000008 fltmgr!FltpPerformPostCallbacks+0x24a
9a7c391c 877afb46 84b38258 856c1e28 9a7c395c fltmgr!FltpProcessIoCompletion+0x10
9a7c392c 877b029c 8e53d0c0 856c1e28 84b38258 fltmgr!FltpPassThroughCompletion+0x98
9a7c395c 877c38c9 9a7c397c 00000000 00000000 fltmgr!FltpLegacyProcessingAfterPreCallbacksCompleted+0x33a
9a7c39a8 8285f186 85038878 85038348 8606c094 fltmgr!FltpCreate+0x2db
9a7c39c0 82a364ca 131301ba 9a7c3b70 00000000 nt!IofCallDriver+0x63
9a7c3aa0 82a396ae 85038e10 c52eb7a8 84a81430 nt!IopParseDevice+0xf08
9a7c3b1c 82a7876f 00000000 9a7c3b70 00000040 nt!ObpLookupObjectName+0x510
9a7c3b78 82aa39b2 03aaf700 842eb7a8 fe838901 nt!ObOpenObjectByName+0x165
9a7c3d24 828659c6 03aaf700 03aaf6c8 03aaf730 nt!NtQueryFullAttributesFile+0x136
9a7c3d24 778571c6 03aaf700 03aaf6c8 03aaf730 nt!KiSystemServicePostCall
WARNING: Frame IP not in any known module. Following frames may be wrong.
03aaf730 00000000 00000000 00000000 00000000 0x778571c6

STACK_COMMAND: kb

FOLLOWUP_IP:
mup!MupFsdIrpPassThrough+78
87e29123 8d4d0c lea ecx,[ebp+0Ch]

SYMBOL_STACK_INDEX: 1

SYMBOL_NAME: mup!MupFsdIrpPassThrough+78

FOLLOWUP_NAME: MachineOwner

FAILURE_BUCKET_ID: 0x103_mup!MupFsdIrpPassThrough+78

BUCKET_ID: 0x103_mup!MupFsdIrpPassThrough+78

do i need to change the Data->Iopb->TargetFileObject too? Any advice would be appreciated. Thanks in advance

First of all I would think of using IoReplaceFileObjectName since doing it
manually will cause a verifier memory leak trigger when you unload.
If GWEFS is your filter then I see you actually make it to post create but
the name query causes a crash.
This is an issue you might have to figure out yourself, but my bet is that
you are not expecting something that FltMgr might to here and that is
putting back the old pointers in the FltCallbackData before calling your
PostCreate
This means that the FileObject has now an initialized FCB for the local FS
but FltMgr puts back the pointer to the Mup Instance in the CBD before
calling you and therefore the MUP is confused saying: This is not my FCB,
so I will crash.
This is just a hunch, you will need to debug it yourself.

Cheers,
Gabriel
www.kasardia.com
Windows Kernel Driver Consulting

On Tue, May 24, 2016 at 8:11 AM, wrote:

> Hi all,
>
> im trying to redirect to different volume . from mup to local drive c. i
> have these snippet code in precreate for redirection but only works for
> same volume.
>
> code snippet:
> ---------------
> {
> if(bRedirect)
> {
> int DFLAG = 1, iRet = DLPFS_ERROR_SUCCESS;
> WCHAR * redirPath = NULL;
> NTSTATUS status;
>
> try{
> if( Data == NULL ||
> FltObjects == NULL){
> iRet = DLPFS_ERROR_PARAM_NULL;
> goto cleanup;
> }
>
> DbgPrint(“gKernelData->RootDeviceInstance:%x,
> current Instance: %x\r\n”, gKernelData->RootDeviceInstance,
> FltObjects->Instance);
>
> if(DFLAG) DbgPrint(“%s - filename:%S\r\n”,
> FUNCTION , FltObjects->FileObject->FileName.Buffer);
> //allocate new
> redirPath = (WCHAR*)ExAllocatePool(NonPagedPool,
> sizeof(WCHAR) * MAX_PATH_LEN);
> if(redirPath == NULL)
> goto cleanup;
>
>
> DbgPrint(“redirPath: %S\r\n”, redirPath);
> RtlStringCchCopyW(redirPath, MAX_PATH_LEN,
> L"\test_copyfile.docx");
>
> //free previous
>
> ExFreePool(FltObjects->FileObject->FileName.Buffer);
> FltObjects->FileObject->FileName.Buffer = NULL;
>
> //replace with new
> FltObjects->FileObject->FileName.Length = (USHORT)
> wcslen(redirPath) * sizeof(WCHAR);
> FltObjects->FileObject->FileName.MaximumLength =
> FltObjects->FileObject->FileName.Length;
> FltObjects->FileObject->FileName.Buffer =
> redirPath;
>
> Data->Iopb->TargetFileObject->RelatedFileObject =
> NULL;
>
> Data->IoStatus.Information = IO_REPARSE;
> Data->IoStatus.Status = STATUS_REPARSE;
>
> if(DFLAG) DbgPrint(“%s - redirect\r\n”,
> FUNCTION );
>
> FltSetCallbackDataDirty(Data);
> return FLT_PREOP_SUCCESS_WITH_CALLBACK;
>
> } except(EXCEPTION_EXECUTE_HANDLER) {
> DPE(GetExceptionCode());
> iRet = DLPFS_ERROR_EXCEPTION;
> }
> }
> }
>
> —
> i read Alex’s article
> http://fsfilters.blogspot.my/2011/09/file-io-redirection-between-volumes.html
>
> and try to modify my code to work with different volume. i got my root
> drive instance during driverentry & instanceSetup, but when i assign
> Data->iopb->targetinstace it cause me a bsod in PostOperation
>
> modified code:
> -----------------
> if(FltObjects->FileObject->DeviceObject->DeviceType ==
> FILE_DEVICE_NETWORK_FILE_SYSTEM )
> {
> if(bRedirect)
> {
> int DFLAG = 1, iRet = DLPFS_ERROR_SUCCESS;
> WCHAR * redirPath = NULL;
> //PFLT_FILE_NAME_INFORMATION nameInfo = NULL;
> NTSTATUS status;
>
> try{
> if( Data == NULL ||
> FltObjects == NULL){
> iRet = DLPFS_ERROR_PARAM_NULL;
> goto cleanup;
> }
>
> DbgPrint(“gKernelData->RootDeviceInstance:%x,
> current Instance: %x\r\n”, gKernelData->RootDeviceInstance,
> FltObjects->Instance);
> if(FltObjects->Instance !=
> gKernelData->RootDeviceInstance)
> {
> BOOLEAN bAllowRedir = FALSE, bAllowRedirIO
> = FALSE, bStackSizeModified = FALSE;
> NTSTATUS ntstat;
>
>
> ntstat =
> FltIsIoRedirectionAllowed(FltObjects->Instance,
> (PFLT_INSTANCE)gKernelData->RootDeviceInstance, &bAllowRedir);
> DbgPrint(“FltIsIoRedirectionAllowed
> return:%x, bAllowRedir: %d\r\n”, ntstat, bAllowRedir);
> if(ntstat == STATUS_SUCCESS){
> if(!bAllowRedir){
> ntstat =
> FltAdjustDeviceStackSizeForIoRedirection(FltObjects->Instance,
> gKernelData->RootDeviceInstance, &bStackSizeModified);
>
> DbgPrint(“FltAdjustDeviceStackSizeForIoRedirection return:%x,
> bStackSizeModified: %d\r\n”, ntstat, bStackSizeModified);
>
> }
> }
>
>
> DbgPrint(“FltObjects->Instance:%x,
> bAllowgKernelData->RootDeviceInstance: %x\r\n”, FltObjects->Instance,
> gKernelData->RootDeviceInstance);
> ntstat =
> FltIsIoRedirectionAllowedForOperation(Data,
> (PFLT_INSTANCE)gKernelData->RootDeviceInstance, &bAllowRedir,
> &bAllowRedirIO);
>
> DbgPrint(“FltIsIoRedirectionAllowedForOperation return:%x, bAllowRedir:
> %d\r\n”, ntstat, bAllowRedir);
> if(ntstat == STATUS_SUCCESS){
> if(bAllowRedir){
>
> DbgPrint(“TargetInstance:
> %x\r\n”, Data->Iopb->TargetInstance);
>
> DbgPrint(“TargetFileObject: %x\r\n”, Data->Iopb->TargetFileObject);
> Data->Iopb->TargetInstance
> = gKernelData->RootDeviceInstance;
> }
> }
> }
>
>
> if(DFLAG) DbgPrint(“%s - filename:%S\r\n”,
> FUNCTION , FltObjects->FileObject->FileName.Buffer);
> //allocate new
> redirPath = (WCHAR*)ExAllocatePool(NonPagedPool,
> sizeof(WCHAR) * MAX_PATH_LEN);
> if(redirPath == NULL)
> goto cleanup;
>
> RtlStringCchCopyW(redirPath, MAX_PATH_LEN,
> L"\test_copyfile.docx");
>
> //free previous
>
> ExFreePool(FltObjects->FileObject->FileName.Buffer);
> FltObjects->FileObject->FileName.Buffer = NULL;
>
> //replace with new
> FltObjects->FileObject->FileName.Length = (USHORT)
> wcslen(redirPath) * sizeof(WCHAR);
> FltObjects->FileObject->FileName.MaximumLength =
> FltObjects->FileObject->FileName.Length;
> FltObjects->FileObject->FileName.Buffer =
> redirPath;
>
>
> Data->Iopb->TargetFileObject->RelatedFileObject =
> NULL;
>
> Data->IoStatus.Information = IO_REPARSE;
> Data->IoStatus.Status = STATUS_REPARSE;
>
> if(DFLAG) DbgPrint(“%s - filename:%S\r\n”,
> FUNCTION , FltObjects->FileObject->FileName.Buffer);
> if(DFLAG) DbgPrint(“%s - redirect\r\n”,
> FUNCTION );
>
> FltSetCallbackDataDirty(Data);
>
> return FTL_PREOP_SUCCESS_WITH_CALLBACK;
>
> } except(EXCEPTION_EXECUTE_HANDLER) {
> DPE(GetExceptionCode());
> iRet = DLPFS_ERROR_EXCEPTION;
> }
> }
> }
>
> bugcheck analysis:
> ----------------------
> MUP_FILE_SYSTEM (103)
> MUP file system detected an error.
> Arguments:
> Arg1: 00000001, MUP_BUGCHECK_NO_FILECONTEXT
> Could not locate MUP file context corresponding to a file object.
> Arg2: 860af8e0, Irp Address if an IRP was used, NULL otherwise.
> Arg3: 8606c038, FILE_OBJECT Address whose MUP file context could not be
> found
> Arg4: 85038e10, DEVICE_OBJECT Address
>
> Debugging Details:
> ------------------
>
> Page 27cd9 not present in the dump file. Type “.hh dbgerr004” for details
>
> DEVICE_OBJECT: 85038e10
>
> DRIVER_OBJECT: 85038f38
>
> IMAGE_NAME: mup.sys
>
> DEBUG_FLR_IMAGE_TIMESTAMP: 4a5bbfc6
>
> MODULE_NAME: mup
>
> FAULTING_MODULE: 87e23000 mup
>
> DEFAULT_BUCKET_ID: INTEL_CPU_MICROCODE_ZERO
>
> BUGCHECK_STR: 0x103
>
> PROCESS_NAME: explorer.exe
>
> CURRENT_IRQL: 0
>
> LAST_CONTROL_TRANSFER: from 87e29123 to 829031e0
>
> STACK_TEXT:
> 9a7c340c 87e29123 00000103 00000001 860af8e0 nt!KeBugCheckEx+0x1e
> 9a7c3434 8285f186 85038e10 860af8e0 860af8e0 mup!MupFsdIrpPassThrough+0x78
> 9a7c344c 877c59e3 9a7c34e4 8503835c 85038348 nt!IofCallDriver+0x63
> 9a7c3480 877c7c1b 85038e10 8606c038 9a7c34a8
> fltmgr!FltpQueryInformationFile+0xc3
> 9a7c34c0 877c80c9 85038348 85038e10 8606c038
> fltmgr!QueryStandardLinkInformation+0x75
> 9a7c34f8 877b2969 85038348 00000001 00000000
> fltmgr!SetStreamListStandardInformationFlags+0x109
> 9a7c3538 877b2fa3 00000000 84b38258 84b38310
> fltmgr!FltpGetFileNameInformation+0x169
> 9a7c3560 9440b1b2 00b382b8 00000101 9a7c35a4
> fltmgr!FltGetFileNameInformation+0x12b
> 9a7c3810 944082d6 9a7c38c4 84b382b8 9a7c3880 GWEFS!getFilePath+0x1a2
> 9a7c38a0 877ac324 84b382b8 9a7c38c4 00000000
> GWEFS!ScannerPostDetectLifeCycle+0x106
> 9a7c3908 877af512 00b38258 84b38258 10000008
> fltmgr!FltpPerformPostCallbacks+0x24a
> 9a7c391c 877afb46 84b38258 856c1e28 9a7c395c
> fltmgr!FltpProcessIoCompletion+0x10
> 9a7c392c 877b029c 8e53d0c0 856c1e28 84b38258
> fltmgr!FltpPassThroughCompletion+0x98
> 9a7c395c 877c38c9 9a7c397c 00000000 00000000
> fltmgr!FltpLegacyProcessingAfterPreCallbacksCompleted+0x33a
> 9a7c39a8 8285f186 85038878 85038348 8606c094 fltmgr!FltpCreate+0x2db
> 9a7c39c0 82a364ca 131301ba 9a7c3b70 00000000 nt!IofCallDriver+0x63
> 9a7c3aa0 82a396ae 85038e10 c52eb7a8 84a81430 nt!IopParseDevice+0xf08
> 9a7c3b1c 82a7876f 00000000 9a7c3b70 00000040 nt!ObpLookupObjectName+0x510
> 9a7c3b78 82aa39b2 03aaf700 842eb7a8 fe838901 nt!ObOpenObjectByName+0x165
> 9a7c3d24 828659c6 03aaf700 03aaf6c8 03aaf730
> nt!NtQueryFullAttributesFile+0x136
> 9a7c3d24 778571c6 03aaf700 03aaf6c8 03aaf730 nt!KiSystemServicePostCall
> WARNING: Frame IP not in any known module. Following frames may be wrong.
> 03aaf730 00000000 00000000 00000000 00000000 0x778571c6
>
>
> STACK_COMMAND: kb
>
> FOLLOWUP_IP:
> mup!MupFsdIrpPassThrough+78
> 87e29123 8d4d0c lea ecx,[ebp+0Ch]
>
> SYMBOL_STACK_INDEX: 1
>
> SYMBOL_NAME: mup!MupFsdIrpPassThrough+78
>
> FOLLOWUP_NAME: MachineOwner
>
> FAILURE_BUCKET_ID: 0x103_mup!MupFsdIrpPassThrough+78
>
> BUCKET_ID: 0x103_mup!MupFsdIrpPassThrough+78
>
>
> do i need to change the Data->Iopb->TargetFileObject too? Any advice would
> be appreciated. Thanks in advance
>
>
>
> —
> NTFSD is sponsored by OSR
>
>
> MONTHLY seminars on crash dump analysis, WDF, Windows internals and
> software drivers!
> Details at http:
>
> To unsubscribe, visit the List Server section of OSR Online at <
> http://www.osronline.com/page.cfm?name=ListServer&gt;
>

–
Bercea. G.</http:>

Some noob questions.

1. Do i actually need to replace fileobject in FltObjects->FileObject or
   Data->Iopb->TargetFileObject.
2. which preop status i should actually return? FTL_PREOP_SUCCESS_WITH_CALLBACK
   or FTL_PREOP_COMPLETE
3. Other threads like this
   https://www.osronline.com/showthread.cfm?link=139332 seems to be doing the
   opposite of what im doing. which is change the Data->Iopb->TargetFileObject
   & return FTL_PREOP_COMPLETE, but when i tried it. it doesn’t work even for
   same volume.

On Tue, May 24, 2016 at 4:36 PM, Gabriel Bercea wrote:

> First of all I would think of using IoReplaceFileObjectName since doing it
> manually will cause a verifier memory leak trigger when you unload.
> If GWEFS is your filter then I see you actually make it to post create but
> the name query causes a crash.
> This is an issue you might have to figure out yourself, but my bet is that
> you are not expecting something that FltMgr might to here and that is
> putting back the old pointers in the FltCallbackData before calling your
> PostCreate
> This means that the FileObject has now an initialized FCB for the local FS
> but FltMgr puts back the pointer to the Mup Instance in the CBD before
> calling you and therefore the MUP is confused saying: This is not my FCB,
> so I will crash.
> This is just a hunch, you will need to debug it yourself.
>
> Cheers,
> Gabriel
> www.kasardia.com
> Windows Kernel Driver Consulting
>
> On Tue, May 24, 2016 at 8:11 AM, wrote:
>
>> Hi all,
>>
>> im trying to redirect to different volume . from mup to local drive c. i
>> have these snippet code in precreate for redirection but only works for
>> same volume.
>>
>> code snippet:
>> ---------------
>> {
>> if(bRedirect)
>> {
>> int DFLAG = 1, iRet = DLPFS_ERROR_SUCCESS;
>> WCHAR * redirPath = NULL;
>> NTSTATUS status;
>>
>> try{
>> if( Data == NULL ||
>> FltObjects == NULL){
>> iRet = DLPFS_ERROR_PARAM_NULL;
>> goto cleanup;
>> }
>>
>> DbgPrint(“gKernelData->RootDeviceInstance:%x,
>> current Instance: %x\r\n”, gKernelData->RootDeviceInstance,
>> FltObjects->Instance);
>>
>> if(DFLAG) DbgPrint(“%s - filename:%S\r\n”,
>> FUNCTION , FltObjects->FileObject->FileName.Buffer);
>> //allocate new
>> redirPath = (WCHAR*)ExAllocatePool(NonPagedPool,
>> sizeof(WCHAR) * MAX_PATH_LEN);
>> if(redirPath == NULL)
>> goto cleanup;
>>
>>
>> DbgPrint(“redirPath: %S\r\n”, redirPath);
>> RtlStringCchCopyW(redirPath, MAX_PATH_LEN,
>> L"\test_copyfile.docx");
>>
>> //free previous
>>
>> ExFreePool(FltObjects->FileObject->FileName.Buffer);
>> FltObjects->FileObject->FileName.Buffer = NULL;
>>
>> //replace with new
>> FltObjects->FileObject->FileName.Length =
>> (USHORT) wcslen(redirPath) * sizeof(WCHAR);
>> FltObjects->FileObject->FileName.MaximumLength =
>> FltObjects->FileObject->FileName.Length;
>> FltObjects->FileObject->FileName.Buffer =
>> redirPath;
>>
>> Data->Iopb->TargetFileObject->RelatedFileObject =
>> NULL;
>>
>> Data->IoStatus.Information = IO_REPARSE;
>> Data->IoStatus.Status = STATUS_REPARSE;
>>
>> if(DFLAG) DbgPrint(“%s - redirect\r\n”,
>> FUNCTION );
>>
>> FltSetCallbackDataDirty(Data);
>> return FLT_PREOP_SUCCESS_WITH_CALLBACK;
>>
>> } except(EXCEPTION_EXECUTE_HANDLER) {
>> DPE(GetExceptionCode());
>> iRet = DLPFS_ERROR_EXCEPTION;
>> }
>> }
>> }
>>
>> —
>> i read Alex’s article
>> http://fsfilters.blogspot.my/2011/09/file-io-redirection-between-volumes.html
>>
>> and try to modify my code to work with different volume. i got my root
>> drive instance during driverentry & instanceSetup, but when i assign
>> Data->iopb->targetinstace it cause me a bsod in PostOperation
>>
>> modified code:
>> -----------------
>> if(FltObjects->FileObject->DeviceObject->DeviceType ==
>> FILE_DEVICE_NETWORK_FILE_SYSTEM )
>> {
>> if(bRedirect)
>> {
>> int DFLAG = 1, iRet = DLPFS_ERROR_SUCCESS;
>> WCHAR * redirPath = NULL;
>> //PFLT_FILE_NAME_INFORMATION nameInfo = NULL;
>> NTSTATUS status;
>>
>> try{
>> if( Data == NULL ||
>> FltObjects == NULL){
>> iRet = DLPFS_ERROR_PARAM_NULL;
>> goto cleanup;
>> }
>>
>> DbgPrint(“gKernelData->RootDeviceInstance:%x,
>> current Instance: %x\r\n”, gKernelData->RootDeviceInstance,
>> FltObjects->Instance);
>> if(FltObjects->Instance !=
>> gKernelData->RootDeviceInstance)
>> {
>> BOOLEAN bAllowRedir = FALSE,
>> bAllowRedirIO = FALSE, bStackSizeModified = FALSE;
>> NTSTATUS ntstat;
>>
>>
>> ntstat =
>> FltIsIoRedirectionAllowed(FltObjects->Instance,
>> (PFLT_INSTANCE)gKernelData->RootDeviceInstance, &bAllowRedir);
>> DbgPrint(“FltIsIoRedirectionAllowed
>> return:%x, bAllowRedir: %d\r\n”, ntstat, bAllowRedir);
>> if(ntstat == STATUS_SUCCESS){
>> if(!bAllowRedir){
>> ntstat =
>> FltAdjustDeviceStackSizeForIoRedirection(FltObjects->Instance,
>> gKernelData->RootDeviceInstance, &bStackSizeModified);
>>
>> DbgPrint(“FltAdjustDeviceStackSizeForIoRedirection return:%x,
>> bStackSizeModified: %d\r\n”, ntstat, bStackSizeModified);
>>
>> }
>> }
>>
>>
>> DbgPrint(“FltObjects->Instance:%x,
>> bAllowgKernelData->RootDeviceInstance: %x\r\n”, FltObjects->Instance,
>> gKernelData->RootDeviceInstance);
>> ntstat =
>> FltIsIoRedirectionAllowedForOperation(Data,
>> (PFLT_INSTANCE)gKernelData->RootDeviceInstance, &bAllowRedir,
>> &bAllowRedirIO);
>>
>> DbgPrint(“FltIsIoRedirectionAllowedForOperation return:%x, bAllowRedir:
>> %d\r\n”, ntstat, bAllowRedir);
>> if(ntstat == STATUS_SUCCESS){
>> if(bAllowRedir){
>>
>> DbgPrint(“TargetInstance:
>> %x\r\n”, Data->Iopb->TargetInstance);
>>
>> DbgPrint(“TargetFileObject: %x\r\n”, Data->Iopb->TargetFileObject);
>>
>> Data->Iopb->TargetInstance = gKernelData->RootDeviceInstance;
>> }
>> }
>> }
>>
>>
>> if(DFLAG) DbgPrint(“%s - filename:%S\r\n”,
>> FUNCTION , FltObjects->FileObject->FileName.Buffer);
>> //allocate new
>> redirPath = (WCHAR*)ExAllocatePool(NonPagedPool,
>> sizeof(WCHAR) * MAX_PATH_LEN);
>> if(redirPath == NULL)
>> goto cleanup;
>>
>> RtlStringCchCopyW(redirPath, MAX_PATH_LEN,
>> L"\test_copyfile.docx");
>>
>> //free previous
>>
>> ExFreePool(FltObjects->FileObject->FileName.Buffer);
>> FltObjects->FileObject->FileName.Buffer = NULL;
>>
>> //replace with new
>> FltObjects->FileObject->FileName.Length =
>> (USHORT) wcslen(redirPath) * sizeof(WCHAR);
>> FltObjects->FileObject->FileName.MaximumLength =
>> FltObjects->FileObject->FileName.Length;
>> FltObjects->FileObject->FileName.Buffer =
>> redirPath;
>>
>>
>> Data->Iopb->TargetFileObject->RelatedFileObject =
>> NULL;
>>
>> Data->IoStatus.Information = IO_REPARSE;
>> Data->IoStatus.Status = STATUS_REPARSE;
>>
>> if(DFLAG) DbgPrint(“%s - filename:%S\r\n”,
>> FUNCTION , FltObjects->FileObject->FileName.Buffer);
>> if(DFLAG) DbgPrint(“%s - redirect\r\n”,
>> FUNCTION );
>>
>> FltSetCallbackDataDirty(Data);
>>
>> return FTL_PREOP_SUCCESS_WITH_CALLBACK;
>>
>> } except(EXCEPTION_EXECUTE_HANDLER) {
>> DPE(GetExceptionCode());
>> iRet = DLPFS_ERROR_EXCEPTION;
>> }
>> }
>> }
>>
>> bugcheck analysis:
>> ----------------------
>> MUP_FILE_SYSTEM (103)
>> MUP file system detected an error.
>> Arguments:
>> Arg1: 00000001, MUP_BUGCHECK_NO_FILECONTEXT
>> Could not locate MUP file context corresponding to a file object.
>> Arg2: 860af8e0, Irp Address if an IRP was used, NULL otherwise.
>> Arg3: 8606c038, FILE_OBJECT Address whose MUP file context could not be
>> found
>> Arg4: 85038e10, DEVICE_OBJECT Address
>>
>> Debugging Details:
>> ------------------
>>
>> Page 27cd9 not present in the dump file. Type “.hh dbgerr004” for details
>>
>> DEVICE_OBJECT: 85038e10
>>
>> DRIVER_OBJECT: 85038f38
>>
>> IMAGE_NAME: mup.sys
>>
>> DEBUG_FLR_IMAGE_TIMESTAMP: 4a5bbfc6
>>
>> MODULE_NAME: mup
>>
>> FAULTING_MODULE: 87e23000 mup
>>
>> DEFAULT_BUCKET_ID: INTEL_CPU_MICROCODE_ZERO
>>
>> BUGCHECK_STR: 0x103
>>
>> PROCESS_NAME: explorer.exe
>>
>> CURRENT_IRQL: 0
>>
>> LAST_CONTROL_TRANSFER: from 87e29123 to 829031e0
>>
>> STACK_TEXT:
>> 9a7c340c 87e29123 00000103 00000001 860af8e0 nt!KeBugCheckEx+0x1e
>> 9a7c3434 8285f186 85038e10 860af8e0 860af8e0 mup!MupFsdIrpPassThrough+0x78
>> 9a7c344c 877c59e3 9a7c34e4 8503835c 85038348 nt!IofCallDriver+0x63
>> 9a7c3480 877c7c1b 85038e10 8606c038 9a7c34a8
>> fltmgr!FltpQueryInformationFile+0xc3
>> 9a7c34c0 877c80c9 85038348 85038e10 8606c038
>> fltmgr!QueryStandardLinkInformation+0x75
>> 9a7c34f8 877b2969 85038348 00000001 00000000
>> fltmgr!SetStreamListStandardInformationFlags+0x109
>> 9a7c3538 877b2fa3 00000000 84b38258 84b38310
>> fltmgr!FltpGetFileNameInformation+0x169
>> 9a7c3560 9440b1b2 00b382b8 00000101 9a7c35a4
>> fltmgr!FltGetFileNameInformation+0x12b
>> 9a7c3810 944082d6 9a7c38c4 84b382b8 9a7c3880 GWEFS!getFilePath+0x1a2
>> 9a7c38a0 877ac324 84b382b8 9a7c38c4 00000000
>> GWEFS!ScannerPostDetectLifeCycle+0x106
>> 9a7c3908 877af512 00b38258 84b38258 10000008
>> fltmgr!FltpPerformPostCallbacks+0x24a
>> 9a7c391c 877afb46 84b38258 856c1e28 9a7c395c
>> fltmgr!FltpProcessIoCompletion+0x10
>> 9a7c392c 877b029c 8e53d0c0 856c1e28 84b38258
>> fltmgr!FltpPassThroughCompletion+0x98
>> 9a7c395c 877c38c9 9a7c397c 00000000 00000000
>> fltmgr!FltpLegacyProcessingAfterPreCallbacksCompleted+0x33a
>> 9a7c39a8 8285f186 85038878 85038348 8606c094 fltmgr!FltpCreate+0x2db
>> 9a7c39c0 82a364ca 131301ba 9a7c3b70 00000000 nt!IofCallDriver+0x63
>> 9a7c3aa0 82a396ae 85038e10 c52eb7a8 84a81430 nt!IopParseDevice+0xf08
>> 9a7c3b1c 82a7876f 00000000 9a7c3b70 00000040 nt!ObpLookupObjectName+0x510
>> 9a7c3b78 82aa39b2 03aaf700 842eb7a8 fe838901 nt!ObOpenObjectByName+0x165
>> 9a7c3d24 828659c6 03aaf700 03aaf6c8 03aaf730
>> nt!NtQueryFullAttributesFile+0x136
>> 9a7c3d24 778571c6 03aaf700 03aaf6c8 03aaf730 nt!KiSystemServicePostCall
>> WARNING: Frame IP not in any known module. Following frames may be wrong.
>> 03aaf730 00000000 00000000 00000000 00000000 0x778571c6
>>
>>
>> STACK_COMMAND: kb
>>
>> FOLLOWUP_IP:
>> mup!MupFsdIrpPassThrough+78
>> 87e29123 8d4d0c lea ecx,[ebp+0Ch]
>>
>> SYMBOL_STACK_INDEX: 1
>>
>> SYMBOL_NAME: mup!MupFsdIrpPassThrough+78
>>
>> FOLLOWUP_NAME: MachineOwner
>>
>> FAILURE_BUCKET_ID: 0x103_mup!MupFsdIrpPassThrough+78
>>
>> BUCKET_ID: 0x103_mup!MupFsdIrpPassThrough+78
>>
>>
>> do i need to change the Data->Iopb->TargetFileObject too? Any advice
>> would be appreciated. Thanks in advance
>>
>>
>>
>> —
>> NTFSD is sponsored by OSR
>>
>>
>> MONTHLY seminars on crash dump analysis, WDF, Windows internals and
>> software drivers!
>> Details at http:
>>
>> To unsubscribe, visit the List Server section of OSR Online at <
>> http://www.osronline.com/page.cfm?name=ListServer&gt;
>>
>
>
>
> –
> Bercea. G.
> — NTFSD is sponsored by OSR MONTHLY seminars on crash dump analysis,
> WDF, Windows internals and software drivers! Details at To unsubscribe,
> visit the List Server section of OSR Online at</http:>

Some quick answer: check the simrep sample from Microsoft.

Regards,
Gabriel
www.kasardia.com
Windows Kernel Driver Consulting

On Wed, May 25, 2016 at 11:02 AM, sukiminna wrote:

> Some noob questions.
>
> 1. Do i actually need to replace fileobject in FltObjects->FileObject or
> Data->Iopb->TargetFileObject.
> 2. which preop status i should actually return? FTL_PREOP_SUCCESS_WITH_CALLBACK
> or FTL_PREOP_COMPLETE
> 3. Other threads like this
> https://www.osronline.com/showthread.cfm?link=139332 seems to be doing
> the opposite of what im doing. which is change the Data->Iopb->TargetFileObject
> & return FTL_PREOP_COMPLETE, but when i tried it. it doesn’t work even
> for same volume.
>
>
>
>
>
> On Tue, May 24, 2016 at 4:36 PM, Gabriel Bercea
> wrote:
>
>> First of all I would think of using IoReplaceFileObjectName since doing
>> it manually will cause a verifier memory leak trigger when you unload.
>> If GWEFS is your filter then I see you actually make it to post create
>> but the name query causes a crash.
>> This is an issue you might have to figure out yourself, but my bet is
>> that you are not expecting something that FltMgr might to here and that is
>> putting back the old pointers in the FltCallbackData before calling your
>> PostCreate
>> This means that the FileObject has now an initialized FCB for the local
>> FS but FltMgr puts back the pointer to the Mup Instance in the CBD before
>> calling you and therefore the MUP is confused saying: This is not my FCB,
>> so I will crash.
>> This is just a hunch, you will need to debug it yourself.
>>
>> Cheers,
>> Gabriel
>> www.kasardia.com
>> Windows Kernel Driver Consulting
>>
>> On Tue, May 24, 2016 at 8:11 AM, wrote:
>>
>>> Hi all,
>>>
>>> im trying to redirect to different volume . from mup to local drive c. i
>>> have these snippet code in precreate for redirection but only works for
>>> same volume.
>>>
>>> code snippet:
>>> ---------------
>>> {
>>> if(bRedirect)
>>> {
>>> int DFLAG = 1, iRet = DLPFS_ERROR_SUCCESS;
>>> WCHAR * redirPath = NULL;
>>> NTSTATUS status;
>>>
>>> try{
>>> if( Data == NULL ||
>>> FltObjects == NULL){
>>> iRet = DLPFS_ERROR_PARAM_NULL;
>>> goto cleanup;
>>> }
>>>
>>> DbgPrint(“gKernelData->RootDeviceInstance:%x,
>>> current Instance: %x\r\n”, gKernelData->RootDeviceInstance,
>>> FltObjects->Instance);
>>>
>>> if(DFLAG) DbgPrint(“%s - filename:%S\r\n”,
>>> FUNCTION , FltObjects->FileObject->FileName.Buffer);
>>> //allocate new
>>> redirPath = (WCHAR*)ExAllocatePool(NonPagedPool,
>>> sizeof(WCHAR) * MAX_PATH_LEN);
>>> if(redirPath == NULL)
>>> goto cleanup;
>>>
>>>
>>> DbgPrint(“redirPath: %S\r\n”, redirPath);
>>> RtlStringCchCopyW(redirPath, MAX_PATH_LEN,
>>> L"\test_copyfile.docx");
>>>
>>> //free previous
>>>
>>> ExFreePool(FltObjects->FileObject->FileName.Buffer);
>>> FltObjects->FileObject->FileName.Buffer = NULL;
>>>
>>> //replace with new
>>> FltObjects->FileObject->FileName.Length =
>>> (USHORT) wcslen(redirPath) * sizeof(WCHAR);
>>> FltObjects->FileObject->FileName.MaximumLength =
>>> FltObjects->FileObject->FileName.Length;
>>> FltObjects->FileObject->FileName.Buffer =
>>> redirPath;
>>>
>>> Data->Iopb->TargetFileObject->RelatedFileObject
>>> = NULL;
>>>
>>> Data->IoStatus.Information = IO_REPARSE;
>>> Data->IoStatus.Status = STATUS_REPARSE;
>>>
>>> if(DFLAG) DbgPrint(“%s - redirect\r\n”,
>>> FUNCTION );
>>>
>>> FltSetCallbackDataDirty(Data);
>>> return FLT_PREOP_SUCCESS_WITH_CALLBACK;
>>>
>>> } except(EXCEPTION_EXECUTE_HANDLER) {
>>> DPE(GetExceptionCode());
>>> iRet = DLPFS_ERROR_EXCEPTION;
>>> }
>>> }
>>> }
>>>
>>> —
>>> i read Alex’s article
>>> http://fsfilters.blogspot.my/2011/09/file-io-redirection-between-volumes.html
>>>
>>> and try to modify my code to work with different volume. i got my root
>>> drive instance during driverentry & instanceSetup, but when i assign
>>> Data->iopb->targetinstace it cause me a bsod in PostOperation
>>>
>>> modified code:
>>> -----------------
>>> if(FltObjects->FileObject->DeviceObject->DeviceType ==
>>> FILE_DEVICE_NETWORK_FILE_SYSTEM )
>>> {
>>> if(bRedirect)
>>> {
>>> int DFLAG = 1, iRet = DLPFS_ERROR_SUCCESS;
>>> WCHAR * redirPath = NULL;
>>> //PFLT_FILE_NAME_INFORMATION nameInfo = NULL;
>>> NTSTATUS status;
>>>
>>> try{
>>> if( Data == NULL ||
>>> FltObjects == NULL){
>>> iRet = DLPFS_ERROR_PARAM_NULL;
>>> goto cleanup;
>>> }
>>>
>>> DbgPrint(“gKernelData->RootDeviceInstance:%x,
>>> current Instance: %x\r\n”, gKernelData->RootDeviceInstance,
>>> FltObjects->Instance);
>>> if(FltObjects->Instance !=
>>> gKernelData->RootDeviceInstance)
>>> {
>>> BOOLEAN bAllowRedir = FALSE,
>>> bAllowRedirIO = FALSE, bStackSizeModified = FALSE;
>>> NTSTATUS ntstat;
>>>
>>>
>>> ntstat =
>>> FltIsIoRedirectionAllowed(FltObjects->Instance,
>>> (PFLT_INSTANCE)gKernelData->RootDeviceInstance, &bAllowRedir);
>>> DbgPrint(“FltIsIoRedirectionAllowed
>>> return:%x, bAllowRedir: %d\r\n”, ntstat, bAllowRedir);
>>> if(ntstat == STATUS_SUCCESS){
>>> if(!bAllowRedir){
>>> ntstat =
>>> FltAdjustDeviceStackSizeForIoRedirection(FltObjects->Instance,
>>> gKernelData->RootDeviceInstance, &bStackSizeModified);
>>>
>>> DbgPrint(“FltAdjustDeviceStackSizeForIoRedirection return:%x,
>>> bStackSizeModified: %d\r\n”, ntstat, bStackSizeModified);
>>>
>>> }
>>> }
>>>
>>>
>>> DbgPrint(“FltObjects->Instance:%x,
>>> bAllowgKernelData->RootDeviceInstance: %x\r\n”, FltObjects->Instance,
>>> gKernelData->RootDeviceInstance);
>>> ntstat =
>>> FltIsIoRedirectionAllowedForOperation(Data,
>>> (PFLT_INSTANCE)gKernelData->RootDeviceInstance, &bAllowRedir,
>>> &bAllowRedirIO);
>>>
>>> DbgPrint(“FltIsIoRedirectionAllowedForOperation return:%x, bAllowRedir:
>>> %d\r\n”, ntstat, bAllowRedir);
>>> if(ntstat == STATUS_SUCCESS){
>>> if(bAllowRedir){
>>>
>>>
>>> DbgPrint(“TargetInstance: %x\r\n”, Data->Iopb->TargetInstance);
>>>
>>> DbgPrint(“TargetFileObject: %x\r\n”, Data->Iopb->TargetFileObject);
>>>
>>> Data->Iopb->TargetInstance = gKernelData->RootDeviceInstance;
>>> }
>>> }
>>> }
>>>
>>>
>>> if(DFLAG) DbgPrint(“%s - filename:%S\r\n”,
>>> FUNCTION , FltObjects->FileObject->FileName.Buffer);
>>> //allocate new
>>> redirPath = (WCHAR*)ExAllocatePool(NonPagedPool,
>>> sizeof(WCHAR) * MAX_PATH_LEN);
>>> if(redirPath == NULL)
>>> goto cleanup;
>>>
>>> RtlStringCchCopyW(redirPath, MAX_PATH_LEN,
>>> L"\test_copyfile.docx");
>>>
>>> //free previous
>>>
>>> ExFreePool(FltObjects->FileObject->FileName.Buffer);
>>> FltObjects->FileObject->FileName.Buffer = NULL;
>>>
>>> //replace with new
>>> FltObjects->FileObject->FileName.Length =
>>> (USHORT) wcslen(redirPath) * sizeof(WCHAR);
>>> FltObjects->FileObject->FileName.MaximumLength =
>>> FltObjects->FileObject->FileName.Length;
>>> FltObjects->FileObject->FileName.Buffer =
>>> redirPath;
>>>
>>>
>>> Data->Iopb->TargetFileObject->RelatedFileObject
>>> = NULL;
>>>
>>> Data->IoStatus.Information = IO_REPARSE;
>>> Data->IoStatus.Status = STATUS_REPARSE;
>>>
>>> if(DFLAG) DbgPrint(“%s - filename:%S\r\n”,
>>> FUNCTION , FltObjects->FileObject->FileName.Buffer);
>>> if(DFLAG) DbgPrint(“%s - redirect\r\n”,
>>> FUNCTION );
>>>
>>> FltSetCallbackDataDirty(Data);
>>>
>>> return FTL_PREOP_SUCCESS_WITH_CALLBACK;
>>>
>>> } except(EXCEPTION_EXECUTE_HANDLER) {
>>> DPE(GetExceptionCode());
>>> iRet = DLPFS_ERROR_EXCEPTION;
>>> }
>>> }
>>> }
>>>
>>> bugcheck analysis:
>>> ----------------------
>>> MUP_FILE_SYSTEM (103)
>>> MUP file system detected an error.
>>> Arguments:
>>> Arg1: 00000001, MUP_BUGCHECK_NO_FILECONTEXT
>>> Could not locate MUP file context corresponding to a file object.
>>> Arg2: 860af8e0, Irp Address if an IRP was used, NULL otherwise.
>>> Arg3: 8606c038, FILE_OBJECT Address whose MUP file context could not be
>>> found
>>> Arg4: 85038e10, DEVICE_OBJECT Address
>>>
>>> Debugging Details:
>>> ------------------
>>>
>>> Page 27cd9 not present in the dump file. Type “.hh dbgerr004” for details
>>>
>>> DEVICE_OBJECT: 85038e10
>>>
>>> DRIVER_OBJECT: 85038f38
>>>
>>> IMAGE_NAME: mup.sys
>>>
>>> DEBUG_FLR_IMAGE_TIMESTAMP: 4a5bbfc6
>>>
>>> MODULE_NAME: mup
>>>
>>> FAULTING_MODULE: 87e23000 mup
>>>
>>> DEFAULT_BUCKET_ID: INTEL_CPU_MICROCODE_ZERO
>>>
>>> BUGCHECK_STR: 0x103
>>>
>>> PROCESS_NAME: explorer.exe
>>>
>>> CURRENT_IRQL: 0
>>>
>>> LAST_CONTROL_TRANSFER: from 87e29123 to 829031e0
>>>
>>> STACK_TEXT:
>>> 9a7c340c 87e29123 00000103 00000001 860af8e0 nt!KeBugCheckEx+0x1e
>>> 9a7c3434 8285f186 85038e10 860af8e0 860af8e0
>>> mup!MupFsdIrpPassThrough+0x78
>>> 9a7c344c 877c59e3 9a7c34e4 8503835c 85038348 nt!IofCallDriver+0x63
>>> 9a7c3480 877c7c1b 85038e10 8606c038 9a7c34a8
>>> fltmgr!FltpQueryInformationFile+0xc3
>>> 9a7c34c0 877c80c9 85038348 85038e10 8606c038
>>> fltmgr!QueryStandardLinkInformation+0x75
>>> 9a7c34f8 877b2969 85038348 00000001 00000000
>>> fltmgr!SetStreamListStandardInformationFlags+0x109
>>> 9a7c3538 877b2fa3 00000000 84b38258 84b38310
>>> fltmgr!FltpGetFileNameInformation+0x169
>>> 9a7c3560 9440b1b2 00b382b8 00000101 9a7c35a4
>>> fltmgr!FltGetFileNameInformation+0x12b
>>> 9a7c3810 944082d6 9a7c38c4 84b382b8 9a7c3880 GWEFS!getFilePath+0x1a2
>>> 9a7c38a0 877ac324 84b382b8 9a7c38c4 00000000
>>> GWEFS!ScannerPostDetectLifeCycle+0x106
>>> 9a7c3908 877af512 00b38258 84b38258 10000008
>>> fltmgr!FltpPerformPostCallbacks+0x24a
>>> 9a7c391c 877afb46 84b38258 856c1e28 9a7c395c
>>> fltmgr!FltpProcessIoCompletion+0x10
>>> 9a7c392c 877b029c 8e53d0c0 856c1e28 84b38258
>>> fltmgr!FltpPassThroughCompletion+0x98
>>> 9a7c395c 877c38c9 9a7c397c 00000000 00000000
>>> fltmgr!FltpLegacyProcessingAfterPreCallbacksCompleted+0x33a
>>> 9a7c39a8 8285f186 85038878 85038348 8606c094 fltmgr!FltpCreate+0x2db
>>> 9a7c39c0 82a364ca 131301ba 9a7c3b70 00000000 nt!IofCallDriver+0x63
>>> 9a7c3aa0 82a396ae 85038e10 c52eb7a8 84a81430 nt!IopParseDevice+0xf08
>>> 9a7c3b1c 82a7876f 00000000 9a7c3b70 00000040 nt!ObpLookupObjectName+0x510
>>> 9a7c3b78 82aa39b2 03aaf700 842eb7a8 fe838901 nt!ObOpenObjectByName+0x165
>>> 9a7c3d24 828659c6 03aaf700 03aaf6c8 03aaf730
>>> nt!NtQueryFullAttributesFile+0x136
>>> 9a7c3d24 778571c6 03aaf700 03aaf6c8 03aaf730 nt!KiSystemServicePostCall
>>> WARNING: Frame IP not in any known module. Following frames may be wrong.
>>> 03aaf730 00000000 00000000 00000000 00000000 0x778571c6
>>>
>>>
>>> STACK_COMMAND: kb
>>>
>>> FOLLOWUP_IP:
>>> mup!MupFsdIrpPassThrough+78
>>> 87e29123 8d4d0c lea ecx,[ebp+0Ch]
>>>
>>> SYMBOL_STACK_INDEX: 1
>>>
>>> SYMBOL_NAME: mup!MupFsdIrpPassThrough+78
>>>
>>> FOLLOWUP_NAME: MachineOwner
>>>
>>> FAILURE_BUCKET_ID: 0x103_mup!MupFsdIrpPassThrough+78
>>>
>>> BUCKET_ID: 0x103_mup!MupFsdIrpPassThrough+78
>>>
>>>
>>> do i need to change the Data->Iopb->TargetFileObject too? Any advice
>>> would be appreciated. Thanks in advance
>>>
>>>
>>>
>>> —
>>> NTFSD is sponsored by OSR
>>>
>>>
>>> MONTHLY seminars on crash dump analysis, WDF, Windows internals and
>>> software drivers!
>>> Details at http:
>>>
>>> To unsubscribe, visit the List Server section of OSR Online at <
>>> http://www.osronline.com/page.cfm?name=ListServer&gt;
>>>
>>
>>
>>
>> –
>> Bercea. G.
>> — NTFSD is sponsored by OSR MONTHLY seminars on crash dump analysis,
>> WDF, Windows internals and software drivers! Details at To unsubscribe,
>> visit the List Server section of OSR Online at
>
>
> — NTFSD is sponsored by OSR MONTHLY seminars on crash dump analysis,
> WDF, Windows internals and software drivers! Details at To unsubscribe,
> visit the List Server section of OSR Online at

–
Bercea. G.</http:>

could you pass me a link of the sample code for simrep or maybe point to
where i could get it. simrep sample is removed in wdk7600.

the oldest version of wdk i have is 7600. microsoft no longer host wdk6 in
their download page. any suggestion on how i could get it? ive tried
torrent. but the installer file seems to be corrupted

thank you very much

On Wed, May 25, 2016 at 5:09 PM, Gabriel Bercea wrote:

> Some quick answer: check the simrep sample from Microsoft.
>
> Regards,
> Gabriel
> www.kasardia.com
> Windows Kernel Driver Consulting
>
> On Wed, May 25, 2016 at 11:02 AM, sukiminna wrote:
>
>> Some noob questions.
>>
>> 1. Do i actually need to replace fileobject in FltObjects->FileObject or
>> Data->Iopb->TargetFileObject.
>> 2. which preop status i should actually return? FTL_PREOP_SUCCESS_WITH_CALLBACK
>> or FTL_PREOP_COMPLETE
>> 3. Other threads like this
>> https://www.osronline.com/showthread.cfm?link=139332 seems to be doing
>> the opposite of what im doing. which is change the Data->Iopb->TargetFileObject
>> & return FTL_PREOP_COMPLETE, but when i tried it. it doesn’t work even
>> for same volume.
>>
>>
>>
>>
>>
>> On Tue, May 24, 2016 at 4:36 PM, Gabriel Bercea
>> wrote:
>>
>>> First of all I would think of using IoReplaceFileObjectName since doing
>>> it manually will cause a verifier memory leak trigger when you unload.
>>> If GWEFS is your filter then I see you actually make it to post create
>>> but the name query causes a crash.
>>> This is an issue you might have to figure out yourself, but my bet is
>>> that you are not expecting something that FltMgr might to here and that is
>>> putting back the old pointers in the FltCallbackData before calling your
>>> PostCreate
>>> This means that the FileObject has now an initialized FCB for the local
>>> FS but FltMgr puts back the pointer to the Mup Instance in the CBD before
>>> calling you and therefore the MUP is confused saying: This is not my FCB,
>>> so I will crash.
>>> This is just a hunch, you will need to debug it yourself.
>>>
>>> Cheers,
>>> Gabriel
>>> www.kasardia.com
>>> Windows Kernel Driver Consulting
>>>
>>> On Tue, May 24, 2016 at 8:11 AM, wrote:
>>>
>>>> Hi all,
>>>>
>>>> im trying to redirect to different volume . from mup to local drive c.
>>>> i have these snippet code in precreate for redirection but only works for
>>>> same volume.
>>>>
>>>> code snippet:
>>>> ---------------
>>>> {
>>>> if(bRedirect)
>>>> {
>>>> int DFLAG = 1, iRet = DLPFS_ERROR_SUCCESS;
>>>> WCHAR * redirPath = NULL;
>>>> NTSTATUS status;
>>>>
>>>> try{
>>>> if( Data == NULL ||
>>>> FltObjects == NULL){
>>>> iRet = DLPFS_ERROR_PARAM_NULL;
>>>> goto cleanup;
>>>> }
>>>>
>>>> DbgPrint(“gKernelData->RootDeviceInstance:%x,
>>>> current Instance: %x\r\n”, gKernelData->RootDeviceInstance,
>>>> FltObjects->Instance);
>>>>
>>>> if(DFLAG) DbgPrint(“%s - filename:%S\r\n”,
>>>> FUNCTION , FltObjects->FileObject->FileName.Buffer);
>>>> //allocate new
>>>> redirPath =
>>>> (WCHAR*)ExAllocatePool(NonPagedPool, sizeof(WCHAR) * MAX_PATH_LEN);
>>>> if(redirPath == NULL)
>>>> goto cleanup;
>>>>
>>>>
>>>> DbgPrint(“redirPath: %S\r\n”, redirPath);
>>>> RtlStringCchCopyW(redirPath, MAX_PATH_LEN,
>>>> L"\test_copyfile.docx");
>>>>
>>>> //free previous
>>>>
>>>> ExFreePool(FltObjects->FileObject->FileName.Buffer);
>>>> FltObjects->FileObject->FileName.Buffer = NULL;
>>>>
>>>> //replace with new
>>>> FltObjects->FileObject->FileName.Length =
>>>> (USHORT) wcslen(redirPath) * sizeof(WCHAR);
>>>> FltObjects->FileObject->FileName.MaximumLength
>>>> = FltObjects->FileObject->FileName.Length;
>>>> FltObjects->FileObject->FileName.Buffer =
>>>> redirPath;
>>>>
>>>> Data->Iopb->TargetFileObject->RelatedFileObject
>>>> = NULL;
>>>>
>>>> Data->IoStatus.Information = IO_REPARSE;
>>>> Data->IoStatus.Status = STATUS_REPARSE;
>>>>
>>>> if(DFLAG) DbgPrint(“%s - redirect\r\n”,
>>>> FUNCTION );
>>>>
>>>> FltSetCallbackDataDirty(Data);
>>>> return FLT_PREOP_SUCCESS_WITH_CALLBACK;
>>>>
>>>> } except(EXCEPTION_EXECUTE_HANDLER) {
>>>> DPE(GetExceptionCode());
>>>> iRet = DLPFS_ERROR_EXCEPTION;
>>>> }
>>>> }
>>>> }
>>>>
>>>> —
>>>> i read Alex’s article
>>>> http://fsfilters.blogspot.my/2011/09/file-io-redirection-between-volumes.html
>>>>
>>>> and try to modify my code to work with different volume. i got my root
>>>> drive instance during driverentry & instanceSetup, but when i assign
>>>> Data->iopb->targetinstace it cause me a bsod in PostOperation
>>>>
>>>> modified code:
>>>> -----------------
>>>> if(FltObjects->FileObject->DeviceObject->DeviceType ==
>>>> FILE_DEVICE_NETWORK_FILE_SYSTEM )
>>>> {
>>>> if(bRedirect)
>>>> {
>>>> int DFLAG = 1, iRet = DLPFS_ERROR_SUCCESS;
>>>> WCHAR * redirPath = NULL;
>>>> //PFLT_FILE_NAME_INFORMATION nameInfo = NULL;
>>>> NTSTATUS status;
>>>>
>>>> try{
>>>> if( Data == NULL ||
>>>> FltObjects == NULL){
>>>> iRet = DLPFS_ERROR_PARAM_NULL;
>>>> goto cleanup;
>>>> }
>>>>
>>>> DbgPrint(“gKernelData->RootDeviceInstance:%x,
>>>> current Instance: %x\r\n”, gKernelData->RootDeviceInstance,
>>>> FltObjects->Instance);
>>>> if(FltObjects->Instance !=
>>>> gKernelData->RootDeviceInstance)
>>>> {
>>>> BOOLEAN bAllowRedir = FALSE,
>>>> bAllowRedirIO = FALSE, bStackSizeModified = FALSE;
>>>> NTSTATUS ntstat;
>>>>
>>>>
>>>> ntstat =
>>>> FltIsIoRedirectionAllowed(FltObjects->Instance,
>>>> (PFLT_INSTANCE)gKernelData->RootDeviceInstance, &bAllowRedir);
>>>> DbgPrint(“FltIsIoRedirectionAllowed
>>>> return:%x, bAllowRedir: %d\r\n”, ntstat, bAllowRedir);
>>>> if(ntstat == STATUS_SUCCESS){
>>>> if(!bAllowRedir){
>>>> ntstat =
>>>> FltAdjustDeviceStackSizeForIoRedirection(FltObjects->Instance,
>>>> gKernelData->RootDeviceInstance, &bStackSizeModified);
>>>>
>>>> DbgPrint(“FltAdjustDeviceStackSizeForIoRedirection return:%x,
>>>> bStackSizeModified: %d\r\n”, ntstat, bStackSizeModified);
>>>>
>>>> }
>>>> }
>>>>
>>>>
>>>> DbgPrint(“FltObjects->Instance:%x,
>>>> bAllowgKernelData->RootDeviceInstance: %x\r\n”, FltObjects->Instance,
>>>> gKernelData->RootDeviceInstance);
>>>> ntstat =
>>>> FltIsIoRedirectionAllowedForOperation(Data,
>>>> (PFLT_INSTANCE)gKernelData->RootDeviceInstance, &bAllowRedir,
>>>> &bAllowRedirIO);
>>>>
>>>> DbgPrint(“FltIsIoRedirectionAllowedForOperation return:%x, bAllowRedir:
>>>> %d\r\n”, ntstat, bAllowRedir);
>>>> if(ntstat == STATUS_SUCCESS){
>>>> if(bAllowRedir){
>>>>
>>>>
>>>> DbgPrint(“TargetInstance: %x\r\n”, Data->Iopb->TargetInstance);
>>>>
>>>> DbgPrint(“TargetFileObject: %x\r\n”, Data->Iopb->TargetFileObject);
>>>>
>>>> Data->Iopb->TargetInstance = gKernelData->RootDeviceInstance;
>>>> }
>>>> }
>>>> }
>>>>
>>>>
>>>> if(DFLAG) DbgPrint(“%s - filename:%S\r\n”,
>>>> FUNCTION , FltObjects->FileObject->FileName.Buffer);
>>>> //allocate new
>>>> redirPath =
>>>> (WCHAR*)ExAllocatePool(NonPagedPool, sizeof(WCHAR) * MAX_PATH_LEN);
>>>> if(redirPath == NULL)
>>>> goto cleanup;
>>>>
>>>> RtlStringCchCopyW(redirPath, MAX_PATH_LEN,
>>>> L"\test_copyfile.docx");
>>>>
>>>> //free previous
>>>>
>>>> ExFreePool(FltObjects->FileObject->FileName.Buffer);
>>>> FltObjects->FileObject->FileName.Buffer = NULL;
>>>>
>>>> //replace with new
>>>> FltObjects->FileObject->FileName.Length =
>>>> (USHORT) wcslen(redirPath) * sizeof(WCHAR);
>>>> FltObjects->FileObject->FileName.MaximumLength
>>>> = FltObjects->FileObject->FileName.Length;
>>>> FltObjects->FileObject->FileName.Buffer =
>>>> redirPath;
>>>>
>>>>
>>>> Data->Iopb->TargetFileObject->RelatedFileObject
>>>> = NULL;
>>>>
>>>> Data->IoStatus.Information = IO_REPARSE;
>>>> Data->IoStatus.Status = STATUS_REPARSE;
>>>>
>>>> if(DFLAG) DbgPrint(“%s - filename:%S\r\n”,
>>>> FUNCTION , FltObjects->FileObject->FileName.Buffer);
>>>> if(DFLAG) DbgPrint(“%s - redirect\r\n”,
>>>> FUNCTION );
>>>>
>>>> FltSetCallbackDataDirty(Data);
>>>>
>>>> return FTL_PREOP_SUCCESS_WITH_CALLBACK;
>>>>
>>>> } except(EXCEPTION_EXECUTE_HANDLER) {
>>>> DPE(GetExceptionCode());
>>>> iRet = DLPFS_ERROR_EXCEPTION;
>>>> }
>>>> }
>>>> }
>>>>
>>>> bugcheck analysis:
>>>> ----------------------
>>>> MUP_FILE_SYSTEM (103)
>>>> MUP file system detected an error.
>>>> Arguments:
>>>> Arg1: 00000001, MUP_BUGCHECK_NO_FILECONTEXT
>>>> Could not locate MUP file context corresponding to a file
>>>> object.
>>>> Arg2: 860af8e0, Irp Address if an IRP was used, NULL otherwise.
>>>> Arg3: 8606c038, FILE_OBJECT Address whose MUP file context could not be
>>>> found
>>>> Arg4: 85038e10, DEVICE_OBJECT Address
>>>>
>>>> Debugging Details:
>>>> ------------------
>>>>
>>>> Page 27cd9 not present in the dump file. Type “.hh dbgerr004” for
>>>> details
>>>>
>>>> DEVICE_OBJECT: 85038e10
>>>>
>>>> DRIVER_OBJECT: 85038f38
>>>>
>>>> IMAGE_NAME: mup.sys
>>>>
>>>> DEBUG_FLR_IMAGE_TIMESTAMP: 4a5bbfc6
>>>>
>>>> MODULE_NAME: mup
>>>>
>>>> FAULTING_MODULE: 87e23000 mup
>>>>
>>>> DEFAULT_BUCKET_ID: INTEL_CPU_MICROCODE_ZERO
>>>>
>>>> BUGCHECK_STR: 0x103
>>>>
>>>> PROCESS_NAME: explorer.exe
>>>>
>>>> CURRENT_IRQL: 0
>>>>
>>>> LAST_CONTROL_TRANSFER: from 87e29123 to 829031e0
>>>>
>>>> STACK_TEXT:
>>>> 9a7c340c 87e29123 00000103 00000001 860af8e0 nt!KeBugCheckEx+0x1e
>>>> 9a7c3434 8285f186 85038e10 860af8e0 860af8e0
>>>> mup!MupFsdIrpPassThrough+0x78
>>>> 9a7c344c 877c59e3 9a7c34e4 8503835c 85038348 nt!IofCallDriver+0x63
>>>> 9a7c3480 877c7c1b 85038e10 8606c038 9a7c34a8
>>>> fltmgr!FltpQueryInformationFile+0xc3
>>>> 9a7c34c0 877c80c9 85038348 85038e10 8606c038
>>>> fltmgr!QueryStandardLinkInformation+0x75
>>>> 9a7c34f8 877b2969 85038348 00000001 00000000
>>>> fltmgr!SetStreamListStandardInformationFlags+0x109
>>>> 9a7c3538 877b2fa3 00000000 84b38258 84b38310
>>>> fltmgr!FltpGetFileNameInformation+0x169
>>>> 9a7c3560 9440b1b2 00b382b8 00000101 9a7c35a4
>>>> fltmgr!FltGetFileNameInformation+0x12b
>>>> 9a7c3810 944082d6 9a7c38c4 84b382b8 9a7c3880 GWEFS!getFilePath+0x1a2
>>>> 9a7c38a0 877ac324 84b382b8 9a7c38c4 00000000
>>>> GWEFS!ScannerPostDetectLifeCycle+0x106
>>>> 9a7c3908 877af512 00b38258 84b38258 10000008
>>>> fltmgr!FltpPerformPostCallbacks+0x24a
>>>> 9a7c391c 877afb46 84b38258 856c1e28 9a7c395c
>>>> fltmgr!FltpProcessIoCompletion+0x10
>>>> 9a7c392c 877b029c 8e53d0c0 856c1e28 84b38258
>>>> fltmgr!FltpPassThroughCompletion+0x98
>>>> 9a7c395c 877c38c9 9a7c397c 00000000 00000000
>>>> fltmgr!FltpLegacyProcessingAfterPreCallbacksCompleted+0x33a
>>>> 9a7c39a8 8285f186 85038878 85038348 8606c094 fltmgr!FltpCreate+0x2db
>>>> 9a7c39c0 82a364ca 131301ba 9a7c3b70 00000000 nt!IofCallDriver+0x63
>>>> 9a7c3aa0 82a396ae 85038e10 c52eb7a8 84a81430 nt!IopParseDevice+0xf08
>>>> 9a7c3b1c 82a7876f 00000000 9a7c3b70 00000040
>>>> nt!ObpLookupObjectName+0x510
>>>> 9a7c3b78 82aa39b2 03aaf700 842eb7a8 fe838901 nt!ObOpenObjectByName+0x165
>>>> 9a7c3d24 828659c6 03aaf700 03aaf6c8 03aaf730
>>>> nt!NtQueryFullAttributesFile+0x136
>>>> 9a7c3d24 778571c6 03aaf700 03aaf6c8 03aaf730 nt!KiSystemServicePostCall
>>>> WARNING: Frame IP not in any known module. Following frames may be
>>>> wrong.
>>>> 03aaf730 00000000 00000000 00000000 00000000 0x778571c6
>>>>
>>>>
>>>> STACK_COMMAND: kb
>>>>
>>>> FOLLOWUP_IP:
>>>> mup!MupFsdIrpPassThrough+78
>>>> 87e29123 8d4d0c lea ecx,[ebp+0Ch]
>>>>
>>>> SYMBOL_STACK_INDEX: 1
>>>>
>>>> SYMBOL_NAME: mup!MupFsdIrpPassThrough+78
>>>>
>>>> FOLLOWUP_NAME: MachineOwner
>>>>
>>>> FAILURE_BUCKET_ID: 0x103_mup!MupFsdIrpPassThrough+78
>>>>
>>>> BUCKET_ID: 0x103_mup!MupFsdIrpPassThrough+78
>>>>
>>>>
>>>> do i need to change the Data->Iopb->TargetFileObject too? Any advice
>>>> would be appreciated. Thanks in advance
>>>>
>>>>
>>>>
>>>> —
>>>> NTFSD is sponsored by OSR
>>>>
>>>>
>>>> MONTHLY seminars on crash dump analysis, WDF, Windows internals and
>>>> software drivers!
>>>> Details at http:
>>>>
>>>> To unsubscribe, visit the List Server section of OSR Online at <
>>>> http://www.osronline.com/page.cfm?name=ListServer&gt;
>>>>
>>>
>>>
>>>
>>> –
>>> Bercea. G.
>>> — NTFSD is sponsored by OSR MONTHLY seminars on crash dump analysis,
>>> WDF, Windows internals and software drivers! Details at To unsubscribe,
>>> visit the List Server section of OSR Online at
>>
>>
>> — NTFSD is sponsored by OSR MONTHLY seminars on crash dump analysis,
>> WDF, Windows internals and software drivers! Details at To unsubscribe,
>> visit the List Server section of OSR Online at
>
>
>
>
> –
> Bercea. G.
> — NTFSD is sponsored by OSR MONTHLY seminars on crash dump analysis,
> WDF, Windows internals and software drivers! Details at To unsubscribe,
> visit the List Server section of OSR Online at
></http:>

nevermind. i found sample drivers in their github
https://github.com/Microsoft/Windows-driver-samples/tree/master/filesys/miniFilter/simrep

On Wed, May 25, 2016 at 5:24 PM, sukiminna wrote:

> could you pass me a link of the sample code for simrep or maybe point to
> where i could get it. simrep sample is removed in wdk7600.
>
> the oldest version of wdk i have is 7600. microsoft no longer host wdk6 in
> their download page. any suggestion on how i could get it? ive tried
> torrent. but the installer file seems to be corrupted
>
> thank you very much
>
> On Wed, May 25, 2016 at 5:09 PM, Gabriel Bercea
> wrote:
>
>> Some quick answer: check the simrep sample from Microsoft.
>>
>> Regards,
>> Gabriel
>> www.kasardia.com
>> Windows Kernel Driver Consulting
>>
>> On Wed, May 25, 2016 at 11:02 AM, sukiminna wrote:
>>
>>> Some noob questions.
>>>
>>> 1. Do i actually need to replace fileobject in FltObjects->FileObject
>>> or Data->Iopb->TargetFileObject.
>>> 2. which preop status i should actually return? FTL_PREOP_SUCCESS_WITH_CALLBACK
>>> or FTL_PREOP_COMPLETE
>>> 3. Other threads like this
>>> https://www.osronline.com/showthread.cfm?link=139332 seems to be doing
>>> the opposite of what im doing. which is change the Data->Iopb->TargetFileObject
>>> & return FTL_PREOP_COMPLETE, but when i tried it. it doesn’t work even
>>> for same volume.
>>>
>>>
>>>
>>>
>>>
>>> On Tue, May 24, 2016 at 4:36 PM, Gabriel Bercea
>>> wrote:
>>>
>>>> First of all I would think of using IoReplaceFileObjectName since doing
>>>> it manually will cause a verifier memory leak trigger when you unload.
>>>> If GWEFS is your filter then I see you actually make it to post create
>>>> but the name query causes a crash.
>>>> This is an issue you might have to figure out yourself, but my bet is
>>>> that you are not expecting something that FltMgr might to here and that is
>>>> putting back the old pointers in the FltCallbackData before calling your
>>>> PostCreate
>>>> This means that the FileObject has now an initialized FCB for the local
>>>> FS but FltMgr puts back the pointer to the Mup Instance in the CBD before
>>>> calling you and therefore the MUP is confused saying: This is not my FCB,
>>>> so I will crash.
>>>> This is just a hunch, you will need to debug it yourself.
>>>>
>>>> Cheers,
>>>> Gabriel
>>>> www.kasardia.com
>>>> Windows Kernel Driver Consulting
>>>>
>>>> On Tue, May 24, 2016 at 8:11 AM, wrote:
>>>>
>>>>> Hi all,
>>>>>
>>>>> im trying to redirect to different volume . from mup to local drive c.
>>>>> i have these snippet code in precreate for redirection but only works for
>>>>> same volume.
>>>>>
>>>>> code snippet:
>>>>> ---------------
>>>>> {
>>>>> if(bRedirect)
>>>>> {
>>>>> int DFLAG = 1, iRet = DLPFS_ERROR_SUCCESS;
>>>>> WCHAR * redirPath = NULL;
>>>>> NTSTATUS status;
>>>>>
>>>>> try{
>>>>> if( Data == NULL ||
>>>>> FltObjects == NULL){
>>>>> iRet = DLPFS_ERROR_PARAM_NULL;
>>>>> goto cleanup;
>>>>> }
>>>>>
>>>>> DbgPrint(“gKernelData->RootDeviceInstance:%x,
>>>>> current Instance: %x\r\n”, gKernelData->RootDeviceInstance,
>>>>> FltObjects->Instance);
>>>>>
>>>>> if(DFLAG) DbgPrint(“%s - filename:%S\r\n”,
>>>>> FUNCTION , FltObjects->FileObject->FileName.Buffer);
>>>>> //allocate new
>>>>> redirPath =
>>>>> (WCHAR*)ExAllocatePool(NonPagedPool, sizeof(WCHAR) * MAX_PATH_LEN);
>>>>> if(redirPath == NULL)
>>>>> goto cleanup;
>>>>>
>>>>>
>>>>> DbgPrint(“redirPath: %S\r\n”, redirPath);
>>>>> RtlStringCchCopyW(redirPath, MAX_PATH_LEN,
>>>>> L"\test_copyfile.docx");
>>>>>
>>>>> //free previous
>>>>>
>>>>> ExFreePool(FltObjects->FileObject->FileName.Buffer);
>>>>> FltObjects->FileObject->FileName.Buffer = NULL;
>>>>>
>>>>> //replace with new
>>>>> FltObjects->FileObject->FileName.Length =
>>>>> (USHORT) wcslen(redirPath) * sizeof(WCHAR);
>>>>> FltObjects->FileObject->FileName.MaximumLength
>>>>> = FltObjects->FileObject->FileName.Length;
>>>>> FltObjects->FileObject->FileName.Buffer =
>>>>> redirPath;
>>>>>
>>>>>
>>>>> Data->Iopb->TargetFileObject->RelatedFileObject = NULL;
>>>>>
>>>>> Data->IoStatus.Information = IO_REPARSE;
>>>>> Data->IoStatus.Status = STATUS_REPARSE;
>>>>>
>>>>> if(DFLAG) DbgPrint(“%s - redirect\r\n”,
>>>>> FUNCTION );
>>>>>
>>>>> FltSetCallbackDataDirty(Data);
>>>>> return FLT_PREOP_SUCCESS_WITH_CALLBACK;
>>>>>
>>>>> } except(EXCEPTION_EXECUTE_HANDLER) {
>>>>> DPE(GetExceptionCode());
>>>>> iRet = DLPFS_ERROR_EXCEPTION;
>>>>> }
>>>>> }
>>>>> }
>>>>>
>>>>> —
>>>>> i read Alex’s article
>>>>> http://fsfilters.blogspot.my/2011/09/file-io-redirection-between-volumes.html
>>>>>
>>>>> and try to modify my code to work with different volume. i got my root
>>>>> drive instance during driverentry & instanceSetup, but when i assign
>>>>> Data->iopb->targetinstace it cause me a bsod in PostOperation
>>>>>
>>>>> modified code:
>>>>> -----------------
>>>>> if(FltObjects->FileObject->DeviceObject->DeviceType ==
>>>>> FILE_DEVICE_NETWORK_FILE_SYSTEM )
>>>>> {
>>>>> if(bRedirect)
>>>>> {
>>>>> int DFLAG = 1, iRet = DLPFS_ERROR_SUCCESS;
>>>>> WCHAR * redirPath = NULL;
>>>>> //PFLT_FILE_NAME_INFORMATION nameInfo = NULL;
>>>>> NTSTATUS status;
>>>>>
>>>>> try{
>>>>> if( Data == NULL ||
>>>>> FltObjects == NULL){
>>>>> iRet = DLPFS_ERROR_PARAM_NULL;
>>>>> goto cleanup;
>>>>> }
>>>>>
>>>>> DbgPrint(“gKernelData->RootDeviceInstance:%x,
>>>>> current Instance: %x\r\n”, gKernelData->RootDeviceInstance,
>>>>> FltObjects->Instance);
>>>>> if(FltObjects->Instance !=
>>>>> gKernelData->RootDeviceInstance)
>>>>> {
>>>>> BOOLEAN bAllowRedir = FALSE,
>>>>> bAllowRedirIO = FALSE, bStackSizeModified = FALSE;
>>>>> NTSTATUS ntstat;
>>>>>
>>>>>
>>>>> ntstat =
>>>>> FltIsIoRedirectionAllowed(FltObjects->Instance,
>>>>> (PFLT_INSTANCE)gKernelData->RootDeviceInstance, &bAllowRedir);
>>>>> DbgPrint(“FltIsIoRedirectionAllowed
>>>>> return:%x, bAllowRedir: %d\r\n”, ntstat, bAllowRedir);
>>>>> if(ntstat == STATUS_SUCCESS){
>>>>> if(!bAllowRedir){
>>>>> ntstat =
>>>>> FltAdjustDeviceStackSizeForIoRedirection(FltObjects->Instance,
>>>>> gKernelData->RootDeviceInstance, &bStackSizeModified);
>>>>>
>>>>> DbgPrint(“FltAdjustDeviceStackSizeForIoRedirection return:%x,
>>>>> bStackSizeModified: %d\r\n”, ntstat, bStackSizeModified);
>>>>>
>>>>> }
>>>>> }
>>>>>
>>>>>
>>>>> DbgPrint(“FltObjects->Instance:%x,
>>>>> bAllowgKernelData->RootDeviceInstance: %x\r\n”, FltObjects->Instance,
>>>>> gKernelData->RootDeviceInstance);
>>>>> ntstat =
>>>>> FltIsIoRedirectionAllowedForOperation(Data,
>>>>> (PFLT_INSTANCE)gKernelData->RootDeviceInstance, &bAllowRedir,
>>>>> &bAllowRedirIO);
>>>>>
>>>>> DbgPrint(“FltIsIoRedirectionAllowedForOperation return:%x, bAllowRedir:
>>>>> %d\r\n”, ntstat, bAllowRedir);
>>>>> if(ntstat == STATUS_SUCCESS){
>>>>> if(bAllowRedir){
>>>>>
>>>>>
>>>>> DbgPrint(“TargetInstance: %x\r\n”, Data->Iopb->TargetInstance);
>>>>>
>>>>> DbgPrint(“TargetFileObject: %x\r\n”, Data->Iopb->TargetFileObject);
>>>>>
>>>>> Data->Iopb->TargetInstance = gKernelData->RootDeviceInstance;
>>>>> }
>>>>> }
>>>>> }
>>>>>
>>>>>
>>>>> if(DFLAG) DbgPrint(“%s - filename:%S\r\n”,
>>>>> FUNCTION , FltObjects->FileObject->FileName.Buffer);
>>>>> //allocate new
>>>>> redirPath =
>>>>> (WCHAR*)ExAllocatePool(NonPagedPool, sizeof(WCHAR) * MAX_PATH_LEN);
>>>>> if(redirPath == NULL)
>>>>> goto cleanup;
>>>>>
>>>>> RtlStringCchCopyW(redirPath, MAX_PATH_LEN,
>>>>> L"\test_copyfile.docx");
>>>>>
>>>>> //free previous
>>>>>
>>>>> ExFreePool(FltObjects->FileObject->FileName.Buffer);
>>>>> FltObjects->FileObject->FileName.Buffer = NULL;
>>>>>
>>>>> //replace with new
>>>>> FltObjects->FileObject->FileName.Length =
>>>>> (USHORT) wcslen(redirPath) * sizeof(WCHAR);
>>>>> FltObjects->FileObject->FileName.MaximumLength
>>>>> = FltObjects->FileObject->FileName.Length;
>>>>> FltObjects->FileObject->FileName.Buffer =
>>>>> redirPath;
>>>>>
>>>>>
>>>>>
>>>>> Data->Iopb->TargetFileObject->RelatedFileObject = NULL;
>>>>>
>>>>> Data->IoStatus.Information = IO_REPARSE;
>>>>> Data->IoStatus.Status = STATUS_REPARSE;
>>>>>
>>>>> if(DFLAG) DbgPrint(“%s - filename:%S\r\n”,
>>>>> FUNCTION , FltObjects->FileObject->FileName.Buffer);
>>>>> if(DFLAG) DbgPrint(“%s - redirect\r\n”,
>>>>> FUNCTION );
>>>>>
>>>>> FltSetCallbackDataDirty(Data);
>>>>>
>>>>> return FTL_PREOP_SUCCESS_WITH_CALLBACK;
>>>>>
>>>>> } except(EXCEPTION_EXECUTE_HANDLER) {
>>>>> DPE(GetExceptionCode());
>>>>> iRet = DLPFS_ERROR_EXCEPTION;
>>>>> }
>>>>> }
>>>>> }
>>>>>
>>>>> bugcheck analysis:
>>>>> ----------------------
>>>>> MUP_FILE_SYSTEM (103)
>>>>> MUP file system detected an error.
>>>>> Arguments:
>>>>> Arg1: 00000001, MUP_BUGCHECK_NO_FILECONTEXT
>>>>> Could not locate MUP file context corresponding to a file
>>>>> object.
>>>>> Arg2: 860af8e0, Irp Address if an IRP was used, NULL otherwise.
>>>>> Arg3: 8606c038, FILE_OBJECT Address whose MUP file context could not
>>>>> be found
>>>>> Arg4: 85038e10, DEVICE_OBJECT Address
>>>>>
>>>>> Debugging Details:
>>>>> ------------------
>>>>>
>>>>> Page 27cd9 not present in the dump file. Type “.hh dbgerr004” for
>>>>> details
>>>>>
>>>>> DEVICE_OBJECT: 85038e10
>>>>>
>>>>> DRIVER_OBJECT: 85038f38
>>>>>
>>>>> IMAGE_NAME: mup.sys
>>>>>
>>>>> DEBUG_FLR_IMAGE_TIMESTAMP: 4a5bbfc6
>>>>>
>>>>> MODULE_NAME: mup
>>>>>
>>>>> FAULTING_MODULE: 87e23000 mup
>>>>>
>>>>> DEFAULT_BUCKET_ID: INTEL_CPU_MICROCODE_ZERO
>>>>>
>>>>> BUGCHECK_STR: 0x103
>>>>>
>>>>> PROCESS_NAME: explorer.exe
>>>>>
>>>>> CURRENT_IRQL: 0
>>>>>
>>>>> LAST_CONTROL_TRANSFER: from 87e29123 to 829031e0
>>>>>
>>>>> STACK_TEXT:
>>>>> 9a7c340c 87e29123 00000103 00000001 860af8e0 nt!KeBugCheckEx+0x1e
>>>>> 9a7c3434 8285f186 85038e10 860af8e0 860af8e0
>>>>> mup!MupFsdIrpPassThrough+0x78
>>>>> 9a7c344c 877c59e3 9a7c34e4 8503835c 85038348 nt!IofCallDriver+0x63
>>>>> 9a7c3480 877c7c1b 85038e10 8606c038 9a7c34a8
>>>>> fltmgr!FltpQueryInformationFile+0xc3
>>>>> 9a7c34c0 877c80c9 85038348 85038e10 8606c038
>>>>> fltmgr!QueryStandardLinkInformation+0x75
>>>>> 9a7c34f8 877b2969 85038348 00000001 00000000
>>>>> fltmgr!SetStreamListStandardInformationFlags+0x109
>>>>> 9a7c3538 877b2fa3 00000000 84b38258 84b38310
>>>>> fltmgr!FltpGetFileNameInformation+0x169
>>>>> 9a7c3560 9440b1b2 00b382b8 00000101 9a7c35a4
>>>>> fltmgr!FltGetFileNameInformation+0x12b
>>>>> 9a7c3810 944082d6 9a7c38c4 84b382b8 9a7c3880 GWEFS!getFilePath+0x1a2
>>>>> 9a7c38a0 877ac324 84b382b8 9a7c38c4 00000000
>>>>> GWEFS!ScannerPostDetectLifeCycle+0x106
>>>>> 9a7c3908 877af512 00b38258 84b38258 10000008
>>>>> fltmgr!FltpPerformPostCallbacks+0x24a
>>>>> 9a7c391c 877afb46 84b38258 856c1e28 9a7c395c
>>>>> fltmgr!FltpProcessIoCompletion+0x10
>>>>> 9a7c392c 877b029c 8e53d0c0 856c1e28 84b38258
>>>>> fltmgr!FltpPassThroughCompletion+0x98
>>>>> 9a7c395c 877c38c9 9a7c397c 00000000 00000000
>>>>> fltmgr!FltpLegacyProcessingAfterPreCallbacksCompleted+0x33a
>>>>> 9a7c39a8 8285f186 85038878 85038348 8606c094 fltmgr!FltpCreate+0x2db
>>>>> 9a7c39c0 82a364ca 131301ba 9a7c3b70 00000000 nt!IofCallDriver+0x63
>>>>> 9a7c3aa0 82a396ae 85038e10 c52eb7a8 84a81430 nt!IopParseDevice+0xf08
>>>>> 9a7c3b1c 82a7876f 00000000 9a7c3b70 00000040
>>>>> nt!ObpLookupObjectName+0x510
>>>>> 9a7c3b78 82aa39b2 03aaf700 842eb7a8 fe838901
>>>>> nt!ObOpenObjectByName+0x165
>>>>> 9a7c3d24 828659c6 03aaf700 03aaf6c8 03aaf730
>>>>> nt!NtQueryFullAttributesFile+0x136
>>>>> 9a7c3d24 778571c6 03aaf700 03aaf6c8 03aaf730 nt!KiSystemServicePostCall
>>>>> WARNING: Frame IP not in any known module. Following frames may be
>>>>> wrong.
>>>>> 03aaf730 00000000 00000000 00000000 00000000 0x778571c6
>>>>>
>>>>>
>>>>> STACK_COMMAND: kb
>>>>>
>>>>> FOLLOWUP_IP:
>>>>> mup!MupFsdIrpPassThrough+78
>>>>> 87e29123 8d4d0c lea ecx,[ebp+0Ch]
>>>>>
>>>>> SYMBOL_STACK_INDEX: 1
>>>>>
>>>>> SYMBOL_NAME: mup!MupFsdIrpPassThrough+78
>>>>>
>>>>> FOLLOWUP_NAME: MachineOwner
>>>>>
>>>>> FAILURE_BUCKET_ID: 0x103_mup!MupFsdIrpPassThrough+78
>>>>>
>>>>> BUCKET_ID: 0x103_mup!MupFsdIrpPassThrough+78
>>>>>
>>>>>
>>>>> do i need to change the Data->Iopb->TargetFileObject too? Any advice
>>>>> would be appreciated. Thanks in advance
>>>>>
>>>>>
>>>>>
>>>>> —
>>>>> NTFSD is sponsored by OSR
>>>>>
>>>>>
>>>>> MONTHLY seminars on crash dump analysis, WDF, Windows internals and
>>>>> software drivers!
>>>>> Details at http:
>>>>>
>>>>> To unsubscribe, visit the List Server section of OSR Online at <
>>>>> http://www.osronline.com/page.cfm?name=ListServer&gt;
>>>>>
>>>>
>>>>
>>>>
>>>> –
>>>> Bercea. G.
>>>> — NTFSD is sponsored by OSR MONTHLY seminars on crash dump analysis,
>>>> WDF, Windows internals and software drivers! Details at To
>>>> unsubscribe, visit the List Server section of OSR Online at
>>>
>>>
>>> — NTFSD is sponsored by OSR MONTHLY seminars on crash dump analysis,
>>> WDF, Windows internals and software drivers! Details at To unsubscribe,
>>> visit the List Server section of OSR Online at
>>
>>
>>
>>
>> –
>> Bercea. G.
>> — NTFSD is sponsored by OSR MONTHLY seminars on crash dump analysis,
>> WDF, Windows internals and software drivers! Details at To unsubscribe,
>> visit the List Server section of OSR Online at
>>
>
></http:>