I looked at the AVScan project in the driver samples. Among other things, FltCreateSectionForDataScan() is used to create a section handle which is passed to user mode. But this call isn?t supported in Windows 7, so I?d like to imitate that behavior. I was thinking of using ObOpenObjectByPointer() and ZwCreateSection() and other calls. But ObOpenObjectByPointer() can?t be used in the Post-Create because the FO_HANDLE_CREATED bit in FltObjects->FileObject->Flags isn?t set there.
I guess I could use FltGetFileNameInformation() and then call FltCreateFileEx2() and supply the file name before calling ZwCreateSection(). While I think this might work, it seems somewhat cumbersome to retrieve the file name just so it can be parsed again to re-open the same file I already have a FILE_OBJECT for (but no handle). Is there a preferred alternative to obtaining a file handle (or create a section object) in PostCreate in Windows 7?
Thanks,
Michael
You might want to look at ObOpenObjectByPointer() specifying UserMode
and while you are in the context of the process you want to access the
handle.
Pete
–
Kernel Drivers
Windows File System and Device Driver Consulting
www.KernelDrivers.com
866.263.9295
------ Original Message ------
From: xxxxx@segira.com
To: “Windows File Systems Devs Interest List”
Sent: 7/24/2016 8:48:52 AM
Subject: [ntfsd] Obtain file handle in PostCreate
>I looked at the AVScan project in the driver samples. Among other
>things, FltCreateSectionForDataScan() is used to create a section
>handle which is passed to user mode. But this call isn?t supported in
>Windows 7, so I?d like to imitate that behavior. I was thinking of
>using ObOpenObjectByPointer() and ZwCreateSection() and other calls.
>But ObOpenObjectByPointer() can?t be used in the Post-Create because
>the FO_HANDLE_CREATED bit in FltObjects->FileObject->Flags isn?t set
>there.
>
>I guess I could use FltGetFileNameInformation() and then call
>FltCreateFileEx2() and supply the file name before calling
>ZwCreateSection(). While I think this might work, it seems somewhat
>cumbersome to retrieve the file name just so it can be parsed again to
>re-open the same file I already have a FILE_OBJECT for (but no handle).
>Is there a preferred alternative to obtaining a file handle (or create
>a section object) in PostCreate in Windows 7?
>
>Thanks,
>Michael
>
>
>—
>NTFSD is sponsored by OSR
>
>
>MONTHLY seminars on crash dump analysis, WDF, Windows internals and
>software drivers!
>Details at http:
>
>To unsubscribe, visit the List Server section of OSR Online at
>http:</http:></http:>
I realize that I can call this in the context of the process I want to pass the handle to. But this doesn’t solve the problem that I cannot use ObOpenObjectByPointer() in Post-Create of my mini filter in the first place as the FO_HANDLE_CREATED bit isn’t set for the file object in question.
Thanks,
Michael
For PostCreate if you cannot use the FO directly and you want a handle to
the section the only way documented way to do it si to re-issue another
create, and use ObOpenObjectByPointer on that.
There is btw a FsRtlCreateSectionForDataScan call which is available from
WIN2k ( with lots of updates ) but the idea is that it does not cover some
cache coherency cases which you must cover yourself.
The FLT version has a callback just for that.
Hope this helps.
Regards,
Gabriel
www.kasardia.com
On Mon, Jul 25, 2016 at 5:46 AM, wrote:
> I realize that I can call this in the context of the process I want to
> pass the handle to. But this doesn’t solve the problem that I cannot use
> ObOpenObjectByPointer() in Post-Create of my mini filter in the first place
> as the FO_HANDLE_CREATED bit isn’t set for the file object in question.
>
> Thanks,
> Michael
>
>
> —
> NTFSD is sponsored by OSR
>
>
> MONTHLY seminars on crash dump analysis, WDF, Windows internals and
> software drivers!
> Details at http:
>
> To unsubscribe, visit the List Server section of OSR Online at <
> http://www.osronline.com/page.cfm?name=ListServer>
>
–
Bercea. G.</http:>
I wasn’t even thinking of looking for an FltCreateSectionForDataScan equivalent for Win7. This sounds like the way to go. Thanks for your help and the tip about potential cache coherency issues.
Best,
Michael