
Intercepting data read in by Notepad in a minifilter


shaji

Jun 10, 2009, 2:01:52 AM
Hi Gurus,
I know that this topic has been discussed extensively in other forums.
But I couldn't get a comprehensive reply from anywhere else. Sorry
for bringing up the same issue again.

In my minifilter (based on the swapBuffers sample), I want to obtain the data
that is being read in by notepad.exe.

I'm NOT using FLTFL_OPERATION_REGISTRATION_SKIP_CACHED_IO or
FLTFL_OPERATION_REGISTRATION_SKIP_PAGING_IO in my operation
registration.

At first, I registered only for IRP_MJ_READ. But I noticed that my
IRP_MJ_READ callback did not get called when I opened an existing
1 KB .txt file using notepad.exe.

I know that notepad uses memory-mapped I/O and I can see
IRP_MJ_ACQUIRE_FOR_SECTION_SYNCHRONIZATION callbacks (added later on)
getting called, and the requestor process (got by FltGetRequestorProcess)
is notepad.exe.

1. Is there any way, in a minifilter, to intercept data that is being
read in by a process through memory mapped I/O?

2. Which major function should I register for?

3. Though it is memory-mapped I/O, at some point the data must be read
from disk, am I right? How can I trap this call?

Could anybody help me please?

Thanks in advance,
Shaji.

Don Burn

Jun 10, 2009, 7:45:13 AM
Go read the NTFSD archives at http://www.osronline.com/


--
Don Burn (MVP, Windows DDK)
Windows Filesystem and Driver Consulting
Website: http://www.windrvr.com
Blog: http://msmvps.com/blogs/WinDrvr
Remove StopSpam to reply


shaji

Jun 11, 2009, 8:14:16 AM
Thanks Don,
I've read the discussions on OSR Online. But I couldn't get any
conclusive reply with which I can convince my boss :).
Buying the OSR data modification kit is certainly out of the question
(he'd boot me out if I told him the cost :)).

My fundamental question is;
Even in the case of memory mapped I/O, the data must be somehow
fetched from disk, right? So, why can't we obtain that data?



Maxim S. Shatskih

Jun 12, 2009, 1:45:28 PM
>Even in the case of memory mapped I/O, the data must be somehow
>fetched from disk, right? So, why can't we obtain that data?

Intercept the paging IO.

--
Maxim S. Shatskih
Windows DDK MVP
ma...@storagecraft.com
http://www.storagecraft.com

Tim Roberts

Jun 13, 2009, 2:19:07 AM
shaji <shajip...@gmail.com> wrote:
>
> I've read the discussions on OSR online. But couldn't get any
>conclusive reply with which I can convince my boss :).
>Buying the OSR data modification kit is certainly out of question
>( he'd boot me out if I tell him the cost :) ).

The cost is FAR less than the cost of your salary over the time it will
take you to reinvent what they have already done. It's a Return On
Investment issue.

>My fundamental question is;
>Even in the case of memory mapped I/O, the data must be somehow
>fetched from disk, right? So, why can't we obtain that data?

You can, but you can't tell which pages are the ones you want. If you
intercept in the paging path, you'll get ALL "page in" operations, and the
paging path doesn't know anything about file systems or directories or file
names.
--
Tim Roberts, ti...@probo.com
Providenza & Boekelheide, Inc.

shaji

Jun 15, 2009, 1:51:39 AM
Thanks Max,
What is the method to intercept paging I/O?

I'm not skipping any paging I/O in my minifilter. But I can't see any
calls to my IRP_MJ_READ callback function when I open the .txt file
with notepad.exe.

As I said in my original post, I'm not using
FLTFL_OPERATION_REGISTRATION_SKIP_CACHED_IO or
FLTFL_OPERATION_REGISTRATION_SKIP_PAGING_IO

Is there any major function ( other than IRP_MJ_READ ) that I should
register for, in order to intercept paging I/O?

Thanks,
Shaji



shaji

Jun 15, 2009, 1:58:53 AM
Thanks a lot Tim,
A couple of questions, just out of curiosity...

If the paging path does not know anything about the file, how does it
manage to map the file to the virtual address space of our process?
The system must know which file to map from, right?

If it doesn't use the file system, how does it manage to locate the
file?

Thanks,
Shaji.



Tim Roberts

Jun 17, 2009, 1:07:44 AM
shaji <shajip...@gmail.com> wrote:
>
>If the paging path does not know anything about the file, how does it
>manage to map the file to the virtual address space of our process?
>The system must know which file to map from, right?
>
>If it doesn't use the file system, how does it manage to locate the
>file?

Remember that drivers are all layered, and each layer has very specialized
knowledge. The file system layers know about file names, but the layers
below that, including the disk drivers that deal with sectors, do not.

shaji

Jun 17, 2009, 3:41:21 AM

> Remember that drivers are all layered, and each layer has very specialized
> knowledge.  The file system layers know about file names, but the layers
> below that, including the disk drivers that deal with sectors, do not.

Thanks a lot for this point, Tim.

But, unfortunately, I'm still confused about my minifilter pre-read
callback not getting called.
Max said that I should intercept paging I/O. But I'm not getting any
calls in the pre-read at all when I open that tiny text file with
notepad. And I'm not skipping any paging I/O.

I've found a post on OSR (http://www.osronline.com/showThread.cfm?link=119140)
which lists some steps to be followed in an encrypting/decrypting
filter. But it says that I should start my driver at boot time because
Windows may prefetch some file data.

So, here in my case, could it be that, the system prefetched my
notepad file data?

What kind of data does the system prefetch?

Thanks,
Shaji.

shaji

Jun 17, 2009, 6:41:13 AM
Hi Max, Tim,

I can see that even when I click the text file icon in the explorer,
read IRPs are generated. Typically with a read length of 24 bytes.
This means that the file is taken into cache and when I open the file
later on, the data is read from cache.

After searching the OSR archives, I've come to believe that when data
is being read in from the cache, READ callbacks do not get invoked in a
minifilter. Is my understanding correct?

Is there any way to purge the cache so that my text file will be read
from disk when I open it again?

Thanks,
Shaji.
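The following is an added, user-mode model of the two decisions this thread circles around (Maxim's "intercept the paging IO", Tim's "you'll get ALL page-in operations", and shaji's question about the FLTFL_OPERATION_REGISTRATION_SKIP_* flags and the Explorer-then-Notepad sequence). It is not code from the thread, from the swapBuffers sample or from the WDK. The numeric constants are the values published in wdm.h and fltKernel.h; the io_event struct, the process names, the read sizes and the "cache warm" switch are assumptions constructed for the illustration so that it compiles and runs on any host.

```c
/* Added user-mode model, not WDK or swapBuffers code: which IRP flags mark a
 * read as paging I/O, and how the SKIP_* registration flags gate IRP_MJ_READ
 * callbacks. Constants are the published wdm.h / fltKernel.h values; the
 * io_event struct and the trace below are constructed for this example. */
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Data->Iopb->IrpFlags bits. Mm/Cc page-ins carry IRP_PAGING_IO, normally with
 * IRP_NOCACHE; a fault serviced in the faulting thread also sets SYNCHRONOUS. */
#define IRP_NOCACHE                 0x00000001u
#define IRP_PAGING_IO               0x00000002u
#define IRP_SYNCHRONOUS_PAGING_IO   0x00000040u

/* FLT_OPERATION_REGISTRATION.Flags bits. */
#define FLTFL_OPERATION_REGISTRATION_SKIP_PAGING_IO  0x00000001u
#define FLTFL_OPERATION_REGISTRATION_SKIP_CACHED_IO  0x00000002u

enum read_kind {
    READ_CACHED,     /* neither bit: ReadFile() satisfied through the cache manager */
    READ_NONCACHED,  /* IRP_NOCACHE only: FILE_FLAG_NO_BUFFERING style read */
    READ_PAGING      /* IRP_PAGING_IO: Mm faulting a section/cache page from the FSD */
};

/* Constructed stand-in for the fields of FLT_CALLBACK_DATA the model uses. */
struct io_event {
    const char *requestor;  /* what FltGetRequestorProcess would resolve to (assumed) */
    const char *major;      /* "READ" or "ACQUIRE_FOR_SECTION_SYNCHRONIZATION" */
    uint32_t irp_flags;     /* Data->Iopb->IrpFlags */
    uint32_t length;        /* Data->Iopb->Parameters.Read.Length */
};

enum read_kind classify_read(uint32_t irp_flags)
{
    if (irp_flags & IRP_PAGING_IO)
        return READ_PAGING;
    if (irp_flags & IRP_NOCACHE)
        return READ_NONCACHED;
    return READ_CACHED;
}

/* Would Filter Manager hand this read to our pre/post-read callbacks, given the
 * Flags field of our IRP_MJ_READ registration entry? */
bool read_callback_invoked(uint32_t reg_flags, uint32_t irp_flags)
{
    enum read_kind kind = classify_read(irp_flags);
    if (kind == READ_PAGING && (reg_flags & FLTFL_OPERATION_REGISTRATION_SKIP_PAGING_IO))
        return false;
    if (kind == READ_CACHED && (reg_flags & FLTFL_OPERATION_REGISTRATION_SKIP_CACHED_IO))
        return false;
    return true;
}

/* Constructed trace of the thread's scenario: Explorer peeks at the file with a
 * small cached read, Notepad creates a section and touches the view. When that
 * earlier read already pulled the page into the shared section (cache_warm),
 * the touch is satisfied by Mm and no read reaches the file system or filter. */
size_t build_trace(bool cache_warm, struct io_event *out, size_t cap)
{
    size_t n = 0;
    if (cap < 3)
        return 0;
    out[n++] = (struct io_event){ "explorer.exe", "READ", 0, 24 };
    out[n++] = (struct io_event){ "notepad.exe", "ACQUIRE_FOR_SECTION_SYNCHRONIZATION", 0, 0 };
    if (!cache_warm)
        out[n++] = (struct io_event){ "notepad.exe", "READ",
                                      IRP_PAGING_IO | IRP_NOCACHE | IRP_SYNCHRONOUS_PAGING_IO,
                                      4096 };
    return n;
}

/* Replay a trace through the gating logic: returns how many reads our callbacks
 * see and, via paging_seen, how many of those were page-ins. */
size_t count_read_callbacks(uint32_t reg_flags, const struct io_event *ev, size_t n,
                            size_t *paging_seen)
{
    size_t seen = 0, paging = 0;
    for (size_t i = 0; i < n; i++) {
        if (strcmp(ev[i].major, "READ") != 0)
            continue;                   /* only IRP_MJ_READ is registered in this model */
        if (!read_callback_invoked(reg_flags, ev[i].irp_flags))
            continue;
        seen++;
        if (classify_read(ev[i].irp_flags) == READ_PAGING)
            paging++;
    }
    if (paging_seen)
        *paging_seen = paging;
    return seen;
}

int main(void)
{
    struct io_event ev[4];
    size_t n, seen, paging;

    n = build_trace(false, ev, 4);
    seen = count_read_callbacks(0, ev, n, &paging);
    printf("cold cache, no SKIP flags: %zu reads reach the filter, %zu paging\n", seen, paging);

    n = build_trace(true, ev, 4);
    seen = count_read_callbacks(0, ev, n, &paging);
    printf("warm cache, no SKIP flags: %zu reads reach the filter, %zu paging\n", seen, paging);
    return 0;
}
```

The point the model makes is that with no SKIP flags a paging read does reach the pre-read callback, so when nothing arrives the cause is that no paging read was issued (the page was already resident in the shared section), not that the filter dropped it. In the real driver the equivalent of classify_read is FlagOn(Data->Iopb->IrpFlags, IRP_PAGING_IO); the file data only becomes visible in the post-read callback, and for a paging read it sits in the MDL (Data->Iopb->Parameters.Read.MdlAddress), which the swapBuffers sample maps with MmGetSystemAddressForMdlSafe. Unlike the sector-level layers Tim describes, the filter still has the file object on a paging read (Data->Iopb->TargetFileObject), but looking up its name at that point is unsafe, so filters normally capture the name at IRP_MJ_CREATE and keep it in a context.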

jrostami

Jan 18, 2016, 6:28:55 AM
I have the same problem, dear shaji.
Did you find a clear solution to this problem?
I'd really be thankful if you shared it.

thanks.
Jalil

