Install filter on FltMgr through IoAttachXXX

I’m trying to install a file system filter on top of the normal NTFS/Filter Manager stack using IoAttachDevice and I’m getting hung up on the right place to find the correct DEVICE_OBJECT. I’m trying to avoid using the Filter Manager APIs (for demo purposes)

My original idea was to open a file and use ObReferenceObjectByHandle to get the right objects, but that gave me a FILE_OBJECT with devices on the Volume stack (at least on Windows 7 - I think it works on XP), not the file system stack.

I can fall back to using IoRegisterFsRegistrationChange and just make a bunch of devices, but I was hoping for something a little more granular. Is there a better way, or do I need to go through something like ObOpenObjectByName with IoDriverObjectType? All I really want to be able to do is filter the IRP_MJ_CREATEs, so if I’m missing something obvious I’d appreciate the help.

If I understand you correctly, have you read about
https://msdn.microsoft.com/en-us/library/windows/hardware/ff551096(v=vs.85).aspx

On Tue, Oct 17, 2017 at 9:38 AM, xxxxx@gmail.com
wrote:

> I’m trying to install a file system filter on top of the normal
> NTFS/Filter Manager stack using IoAttachDevice and I’m getting hung up on
> the right place to find the correct DEVICE_OBJECT. I’m trying to avoid
> using the Filter Manager APIs (for demo purposes)
>
> My original idea was to open a file and use ObReferenceObjectByHandle to
> get the right objects, but that gave me a FILE_OBJECT with devices on
> the Volume stack (at least on Windows 7 - I think it works on XP), not file
> system stack.
>
> I can fallback to using IoRegisterFsRegistrationChange and just make a
> bunch of devices but I was hoping for something a little more granular. Is
> there a better way or do I need to go through like ObOpenObjectByName with
> IoDriverObjectType? All I really want to be able to do is filter the
> IRP_MJ_CREATEs so if I’m missing something obvious I’d appreciate the help.
>

IoGetRelatedDeviceObject is your friend. Open the root directory or any file on a volume, or try to open the volume with FILE_WRITE_ATTRIBUTES or MAXIMUM_ALLOWED access, as a direct volume open skips the mounted file system if the requested access belongs to a particular set which includes attribute read, DAC manipulation, and some read access.

Thanks, Dhananjay. I’m aware of that API and have it as a backup; maybe I was unclear in my original post, but I’m trying to install the filter with the IoAttachXXX APIs.

Thanks, but unless I’m misunderstanding, this is the exact opposite of what I want. I don’t want to be a filter on the volume, since that’s not going to get the IRP_MJ_CREATEs when someone opens files. I -want- to be on the file system, not skip it. But if I do ZwCreateFile on kernel32.dll, for example, the FILE_OBJECT that’s returned has DEVICE_OBJECTs on the volume stack, not NTFS or any other file system.

Get a copy of the Vista WDK and look at the Filespy sample, it shows how to attach a legacy filter to the system.

However, I’m not sure why you would ever want to do this. The legacy filter model is completely supplanted by the minifilter model, so the details of this aren’t particularly useful anymore.

-scott
OSR
@OSRDrivers

First - a file object always has FileObject->DeviceObject pointing to a volume.

Second - IoGetRelatedDeviceObject( FileObject ) returns a pointer to the top device in the file system stack mounted on FileObject->DeviceObject, unless FileObject is for a direct volume open.

Third - to avoid the above situation with a direct volume open, you should either open any file or the root directory, or open the volume asking for some non-trivial access like FILE_WRITE_ATTRIBUTES; in that case the volume is opened through the mounted file system and IoGetRelatedDeviceObject returns a device from the file system device stack.
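Putting the three points together, here is the attach path in kernel-mode C as an added example; it is not code from the thread or from the WDK sfilter/filespy samples. It assumes a WDK build for Windows 7 or later, and the root path L"\\??\\C:\\" and the names below are placeholders. The root directory is opened (not the bare volume) so the FILE_OBJECT is related to the file system stack, IoGetRelatedDeviceObject then yields the top of that stack, and IoAttachDeviceToDeviceStack puts the filter above it so IRP_MJ_CREATE for every file on the volume passes through FilterCreate.

```c
/*
 * Legacy (non-minifilter) attach to the top of the file system stack that a
 * volume is mounted on. Added example for this thread, not code from the
 * thread or the WDK filespy/sfilter samples; the path and names are placeholders.
 * Demonstration only: the minifilter model is the supported way to do this.
 */
#include <ntddk.h>

typedef struct _FILTER_DEVICE_EXTENSION {
    PDEVICE_OBJECT AttachedTo;   /* device returned by IoAttachDeviceToDeviceStack */
} FILTER_DEVICE_EXTENSION, *PFILTER_DEVICE_EXTENSION;

/* Everything we do not care about goes straight down the stack. */
static NTSTATUS FilterPassThrough(PDEVICE_OBJECT DeviceObject, PIRP Irp)
{
    PFILTER_DEVICE_EXTENSION ext = (PFILTER_DEVICE_EXTENSION)DeviceObject->DeviceExtension;
    IoSkipCurrentIrpStackLocation(Irp);
    return IoCallDriver(ext->AttachedTo, Irp);
}

/* IRP_MJ_CREATE: inspect the name being opened, then pass the IRP down unchanged. */
static NTSTATUS FilterCreate(PDEVICE_OBJECT DeviceObject, PIRP Irp)
{
    PIO_STACK_LOCATION irpSp = IoGetCurrentIrpStackLocation(Irp);
    PFILE_OBJECT fileObject = irpSp->FileObject;

    if (fileObject != NULL) {
        /* Relative opens carry only the tail of the name; RelatedFileObject is the parent. */
        DbgPrint("Create: %wZ (related=%p, access=0x%x)\n",
                 &fileObject->FileName, fileObject->RelatedFileObject,
                 irpSp->Parameters.Create.SecurityContext->DesiredAccess);
    }
    return FilterPassThrough(DeviceObject, Irp);
}

NTSTATUS AttachToFileSystemByPath(PDRIVER_OBJECT DriverObject, PCWSTR RootPath)
{
    UNICODE_STRING name;
    OBJECT_ATTRIBUTES oa;
    IO_STATUS_BLOCK iosb;
    HANDLE handle = NULL;
    PFILE_OBJECT fileObject = NULL;
    PDEVICE_OBJECT fsTop, filterDevice = NULL, attachedTo;
    NTSTATUS status;

    RtlInitUnicodeString(&name, RootPath);
    InitializeObjectAttributes(&oa, &name, OBJ_CASE_INSENSITIVE | OBJ_KERNEL_HANDLE, NULL, NULL);

    /* Open the root directory, not the volume itself: a directory open always goes
       through the mounted file system, so the FILE_OBJECT is related to the FS stack. */
    status = ZwCreateFile(&handle, FILE_READ_ATTRIBUTES | SYNCHRONIZE, &oa, &iosb, NULL,
                          FILE_ATTRIBUTE_NORMAL,
                          FILE_SHARE_READ | FILE_SHARE_WRITE | FILE_SHARE_DELETE,
                          FILE_OPEN, FILE_DIRECTORY_FILE | FILE_SYNCHRONOUS_IO_NONALERT, NULL, 0);
    if (!NT_SUCCESS(status)) return status;

    status = ObReferenceObjectByHandle(handle, FILE_READ_ATTRIBUTES, *IoFileObjectType,
                                       KernelMode, (PVOID *)&fileObject, NULL);
    if (!NT_SUCCESS(status)) goto done;

    /* FileObject->DeviceObject is the volume device; IoGetRelatedDeviceObject walks to the
       top of the file system stack mounted on it (NTFS, FltMgr frames, other legacy filters). */
    fsTop = IoGetRelatedDeviceObject(fileObject);

    status = IoCreateDevice(DriverObject, sizeof(FILTER_DEVICE_EXTENSION), NULL,
                            fsTop->DeviceType, fsTop->Characteristics, FALSE, &filterDevice);
    if (!NT_SUCCESS(status)) goto done;

    /* Mirror the I/O method flags so the I/O manager builds IRPs the lower stack expects. */
    filterDevice->Flags |= fsTop->Flags & (DO_BUFFERED_IO | DO_DIRECT_IO);

    attachedTo = IoAttachDeviceToDeviceStack(filterDevice, fsTop);
    if (attachedTo == NULL) {
        IoDeleteDevice(filterDevice);
        status = STATUS_NO_SUCH_DEVICE;
        goto done;
    }
    ((PFILTER_DEVICE_EXTENSION)filterDevice->DeviceExtension)->AttachedTo = attachedTo;
    filterDevice->Flags &= ~DO_DEVICE_INITIALIZING;

done:
    /* The handle only served to locate the stack; the attachment keeps the stack referenced. */
    if (fileObject != NULL) ObDereferenceObject(fileObject);
    if (handle != NULL) ZwClose(handle);
    return status;
}

NTSTATUS DriverEntry(PDRIVER_OBJECT DriverObject, PUNICODE_STRING RegistryPath)
{
    ULONG i;
    UNREFERENCED_PARAMETER(RegistryPath);
    for (i = 0; i <= IRP_MJ_MAXIMUM_FUNCTION; i++)
        DriverObject->MajorFunction[i] = FilterPassThrough;
    DriverObject->MajorFunction[IRP_MJ_CREATE] = FilterCreate;
    /* A real legacy filter must also install DriverObject->FastIoDispatch with pass-through
       fast I/O routines before attaching (the sfilter/filespy samples show the full table);
       it is omitted here, and the driver is deliberately not unloadable. */
    return AttachToFileSystemByPath(DriverObject, L"\\??\\C:\\");
}
```

Two checks worth making while debugging this: after the attach, `!devstack` on the volume's file system device in the debugger should show the new device on top of the NTFS/FltMgr frame devices rather than on top of the volume device, and opening the volume directly with only FILE_READ_ATTRIBUTES (the case the thread warns about) would instead return the volume device from IoGetRelatedDeviceObject and the attach would land on the wrong stack.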