How to send FSCTL_GET_RETRIEVAL_POINTERS in non filter Driver

OSR_Community_User · August 20, 2007, 8:29am

i write a general driver , i want to query file cluster info, so i write this code:
but how to get FSD DeviceObject and send FSCTL_GET_RETRIEVAL_POINTERS query file cluster info . FileObject i can get already .

BOOLEAN QueryFileClustersInfo(PDEVICE_OBJECT DeviceObject,
PFILE_OBJECT FileObject,
PSTARTING_VCN_INPUT_BUFFER pStartingVcn,
ULONG ushStartingVcn,
PRETRIEVAL_POINTERS_BUFFER pVcnPairs,
ULONG ushpVcnPairs)
{
PIRP irp;
KEVENT event;
IO_STATUS_BLOCK IoStatusBlock;
PIO_STACK_LOCATION ioStackLocation;

KeInitializeEvent(&event, NotificationEvent, FALSE);
irp = IoAllocateIrp(DeviceObject->StackSize, FALSE);
if (!irp)
return FALSE;

irp->AssociatedIrp.SystemBuffer = pStartingVcn;
irp->UserBuffer = pVcnPairs;
irp->UserEvent = &event;
irp->UserIosb = &IoStatusBlock;
irp->Tail.Overlay.Thread = PsGetCurrentThread();
irp->Tail.Overlay.OriginalFileObject = FileObject;
irp->RequestorMode = KernelMode; irp->Flags = 0;

ioStackLocation = IoGetNextIrpStackLocation(irp);
ioStackLocation->MajorFunction = IRP_MJ_FILE_SYSTEM_CONTROL;
ioStackLocation->MinorFunction = IRP_MN_USER_FS_REQUEST;
ioStackLocation->DeviceObject = DeviceObject;
ioStackLocation->FileObject = FileObject;

ioStackLocation->Parameters.DeviceIoControl.IoControlCode = FSCTL_GET_RETRIEVAL_POINTERS ;
ioStackLocation->Parameters.DeviceIoControl.OutputBufferLength = ushpVcnPairs;
ioStackLocation->Parameters.DeviceIoControl.InputBufferLength = ushStartingVcn;
ioStackLocation->Parameters.DeviceIoControl.Type3InputBuffer = pStartingVcn;

IoSetCompletionRoutine(irp, QueryFileClustersInfoComplete, 0, TRUE, TRUE, TRUE);

IoCallDriver(DeviceObject, irp) ;
KeWaitForSingleObject(&event, Executive, KernelMode, TRUE, 0); return NT_SUCCESS(IoStatusBlock.Status) ;

}// End QueryFileClustersInfo()

NTSTATUS
QueryFileClustersInfoComplete(IN PDEVICE_OBJECT DeviceObject,
IN PIRP Irp,
IN PVOID Context)
{
if (Irp->PendingReturned)
KeSetEvent((PKEVENT)Context, IO_NO_INCREMENT, FALSE);

return STATUS_MORE_PROCESSING_REQUIRED;
}

Don_Burn_1 · August 20, 2007, 9:03am

The file object has a pointer to the device object you need it in.

–
Don Burn (MVP, Windows DDK)
Windows 2k/XP/2k3 Filesystem and Driver Consulting
Website: http://www.windrvr.com
Blog: http://msmvps.com/blogs/WinDrvr
Remove StopSpam to reply

<pliceman_110> wrote in message news:xxxxx@ntfsd…
>i write a general driver , i want to query file cluster info, so i write
>this code:
> but how to get FSD DeviceObject and send FSCTL_GET_RETRIEVAL_POINTERS
> query file cluster info . FileObject i can get already .
>
> BOOLEAN QueryFileClustersInfo(PDEVICE_OBJECT DeviceObject,
> PFILE_OBJECT FileObject,
> PSTARTING_VCN_INPUT_BUFFER pStartingVcn,
> ULONG ushStartingVcn,
> PRETRIEVAL_POINTERS_BUFFER pVcnPairs,
> ULONG ushpVcnPairs)
> {
> PIRP irp;
> KEVENT event;
> IO_STATUS_BLOCK IoStatusBlock;
> PIO_STACK_LOCATION ioStackLocation;
>
> KeInitializeEvent(&event, NotificationEvent, FALSE);
> irp = IoAllocateIrp(DeviceObject->StackSize, FALSE);
> if (!irp)
> return FALSE;
>
> irp->AssociatedIrp.SystemBuffer = pStartingVcn;
> irp->UserBuffer = pVcnPairs;
> irp->UserEvent = &event;
> irp->UserIosb = &IoStatusBlock;
> irp->Tail.Overlay.Thread = PsGetCurrentThread();
> irp->Tail.Overlay.OriginalFileObject = FileObject;
> irp->RequestorMode = KernelMode; irp->Flags = 0;
>
> ioStackLocation = IoGetNextIrpStackLocation(irp);
> ioStackLocation->MajorFunction = IRP_MJ_FILE_SYSTEM_CONTROL;
> ioStackLocation->MinorFunction = IRP_MN_USER_FS_REQUEST;
> ioStackLocation->DeviceObject = DeviceObject;
> ioStackLocation->FileObject = FileObject;
>
> ioStackLocation->Parameters.DeviceIoControl.IoControlCode =
> FSCTL_GET_RETRIEVAL_POINTERS ;
> ioStackLocation->Parameters.DeviceIoControl.OutputBufferLength =
> ushpVcnPairs;
> ioStackLocation->Parameters.DeviceIoControl.InputBufferLength =
> ushStartingVcn;
> ioStackLocation->Parameters.DeviceIoControl.Type3InputBuffer =
> pStartingVcn;
>
> IoSetCompletionRoutine(irp, QueryFileClustersInfoComplete, 0, TRUE, TRUE,
> TRUE);
>
> IoCallDriver(DeviceObject, irp) ;
> KeWaitForSingleObject(&event, Executive, KernelMode, TRUE, 0); return
> NT_SUCCESS(IoStatusBlock.Status) ;
>
>
> }// End QueryFileClustersInfo()
>
>
> NTSTATUS
> QueryFileClustersInfoComplete(IN PDEVICE_OBJECT DeviceObject,
> IN PIRP Irp,
> IN PVOID Context)
> {
> if (Irp->PendingReturned)
> KeSetEvent((PKEVENT)Context, IO_NO_INCREMENT, FALSE);
>
> return STATUS_MORE_PROCESSING_REQUIRED;
> }
>
>
>
></pliceman_110>

OSR_Community_User · August 20, 2007, 1:05pm

Thanks Don Burn

you say: The file object has a pointer to the device object need it .
So i use other way :

1> IoCreateFile() open c:\pagefile.sys and get this filehandle is succeed .
2> ZwQueryInformationFile() c:\pagefile.sys by this filehandle is succeed .
But:
3> ZwFsControlFile() send FSCTL_GET_RETRIEVAL_POINTERS query c:\pagefile.sys clusterinfo is failed !
ERROR CODE: STATUS_END_OF_FILE
So i check my code, i find ZwFsControlFile’s tenth parameter is error . i don’t know how to get ZwFsControlFile’s tenth paramete .

Don_Burn_1 · August 20, 2007, 1:10pm

Well the 10th parameter is the output buffer length. But you have another
problem FSCTL_GET_RETRIEVAL_POINTERS does not work for page files. Take a
look at FSCTL_QUERY_RETRIEVAL_POINTERS.

–
Don Burn (MVP, Windows DDK)
Windows 2k/XP/2k3 Filesystem and Driver Consulting
Website: http://www.windrvr.com
Blog: http://msmvps.com/blogs/WinDrvr
Remove StopSpam to reply

<pliceman_110> wrote in message news:xxxxx@ntfsd…
> Thanks Don Burn
>
> you say: The file object has a pointer to the device object need it .
> So i use other way :
>
> 1> IoCreateFile() open c:\pagefile.sys and get this filehandle is
> succeed .
> 2> ZwQueryInformationFile() c:\pagefile.sys by this filehandle is succeed
> .
> But:
> 3> ZwFsControlFile() send FSCTL_GET_RETRIEVAL_POINTERS query
> c:\pagefile.sys clusterinfo is failed !
> ERROR CODE: STATUS_END_OF_FILE
> So i check my code, i find ZwFsControlFile’s tenth parameter is error . i
> don’t know how to get ZwFsControlFile’s tenth paramete .
>
>
></pliceman_110>

OSR_Community_User · August 20, 2007, 4:17pm

FSCTL_GET_RETRIEVAL_POINTERS works for the pagefile, if the pagefile’s ACL
will allow you to do so.

–
Maxim Shatskih, Windows DDK MVP
StorageCraft Corporation
xxxxx@storagecraft.com
http://www.storagecraft.com

“Don Burn” wrote in message news:xxxxx@ntfsd…
> Well the 10th parameter is the output buffer length. But you have another
> problem FSCTL_GET_RETRIEVAL_POINTERS does not work for page files. Take a
> look at FSCTL_QUERY_RETRIEVAL_POINTERS.
>
>
> –
> Don Burn (MVP, Windows DDK)
> Windows 2k/XP/2k3 Filesystem and Driver Consulting
> Website: http://www.windrvr.com
> Blog: http://msmvps.com/blogs/WinDrvr
> Remove StopSpam to reply
>
> <pliceman_110> wrote in message news:xxxxx@ntfsd…
> > Thanks Don Burn
> >
> > you say: The file object has a pointer to the device object need it .
> > So i use other way :
> >
> > 1> IoCreateFile() open c:\pagefile.sys and get this filehandle is
> > succeed .
> > 2> ZwQueryInformationFile() c:\pagefile.sys by this filehandle is succeed
> > .
> > But:
> > 3> ZwFsControlFile() send FSCTL_GET_RETRIEVAL_POINTERS query
> > c:\pagefile.sys clusterinfo is failed !
> > ERROR CODE: STATUS_END_OF_FILE
> > So i check my code, i find ZwFsControlFile’s tenth parameter is error . i
> > don’t know how to get ZwFsControlFile’s tenth paramete .
> >
> >
> >
>
>
></pliceman_110>

OSR_Community_User · August 21, 2007, 12:07am

Thanks Don Burn Maxim S. Shatskih
pagefile.sys cluster infos is get succeed~~

use FSCTL_QUERY_RETRIEVAL_POINTERS can do it ~~~~