FLT_PREOP_CALLBACK_STATUS
PreFileOperationCallback (
__inout PFLT_CALLBACK_DATA Data,
__in PCFLT_RELATED_OBJECTS FltObjects,
__deref_out_opt PVOID *CompletionContext
)
{
NTSTATUS status;
PFLT_FILE_NAME_INFORMATION pFileNameInformation;
PFILE_EVENT pFileEvent;
LARGE_INTEGER CurrentSystemTime;
LARGE_INTEGER CurrentLocalTime;
ULONG returnedLength;
//HANDLE hThread;
//HANDLE handle5;
TIME_FIELDS TimeFields;
BOOLEAN pathNameFound = FALSE;
UNICODE_STRING filePath;
FLT_PREOP_CALLBACK_STATUS returnStatus = FLT_PREOP_SUCCESS_NO_CALLBACK;
/* If this is a callback for a FS Filter driver then we ignore the event */
if(FLT_IS_FS_FILTER_OPERATION(Data))
{
return FLT_PREOP_SUCCESS_NO_CALLBACK;
}
/* Allocate a large 64kb string ... maximum path name allowed in windows */
filePath.Length = 0;
filePath.MaximumLength = NTSTRSAFE_UNICODE_STRING_MAX_CCH * sizeof(WCHAR);
filePath.Buffer = ExAllocatePoolWithTag(NonPagedPool, filePath.MaximumLength, FILE_POOL_TAG);
if(filePath.Buffer == NULL)
{
return FLT_PREOP_SUCCESS_NO_CALLBACK;
}
if (FltObjects->FileObject != NULL && Data != NULL) {
status = FltGetFileNameInformation( Data,
FLT_FILE_NAME_NORMALIZED |
FLT_FILE_NAME_QUERY_ALWAYS_ALLOW_CACHE_LOOKUP,
&pFileNameInformation );
if(NT_SUCCESS(status))
{
if(pFileNameInformation->Name.Length > 0)
{
RtlUnicodeStringCopy(&filePath, &pFileNameInformation->Name);
//RtlStringCbCopyUnicodeString(pFileEvent->filePath, 1024, &pFileNameInformation->Name);
pathNameFound = TRUE;
}
/* Backup the file if it is marked for deletion */
CopyFileIfBeingDeleted (Data,FltObjects,pFileNameInformation);
/* Release the file name information structure if it was used */
if(pFileNameInformation != NULL)
{
FltReleaseFileNameInformation(pFileNameInformation);
}
} else {
NTSTATUS lstatus;
PFLT_FILE_NAME_INFORMATION pLFileNameInformation;
lstatus = FltGetFileNameInformation( Data,
FLT_FILE_NAME_OPENED | FLT_FILE_NAME_QUERY_ALWAYS_ALLOW_CACHE_LOOKUP,
&pLFileNameInformation);
if(NT_SUCCESS(lstatus))
{
if(pLFileNameInformation->Name.Length > 0)
{
RtlUnicodeStringCopy(&filePath, &pLFileNameInformation->Name);
//RtlStringCbCopyUnicodeString(pFileEvent->filePath, 1024, &pLFileNameInformation->Name);
pathNameFound = TRUE;
}
/* Backup the file if it is marked for deletion */
CopyFileIfBeingDeleted (Data,FltObjects,pFileNameInformation);
/* Release the file name information structure if it was used */
if(pLFileNameInformation != NULL)
{
FltReleaseFileNameInformation(pLFileNameInformation);
}
}
}
}
/* If path name could not be found the file monitor uses the file name stored
in the FileObject. The documentation says that we shouldn't use this info
as it may not be correct. It does however allow us get some nice file events
such as the system process writing to the $MFT file etc. Remove this code if
problems start to occur */
if( (pathNameFound == FALSE) &&
(FltObjects->FileObject != NULL) &&
(FltObjects->FileObject->RelatedFileObject == NULL) &&
(FltObjects->FileObject->FileName.Length > 0))
{
NTSTATUS status;
ULONG size;
UNICODE_STRING szTempPath;
UNICODE_STRING szDevice;
UNICODE_STRING szFileNameDevice;
/* Check the FileObject->FileName isn't already a complete filepath */
szFileNameDevice.Length = FltObjects->FileObject->FileName.Length;
szFileNameDevice.MaximumLength = FltObjects->FileObject->FileName.MaximumLength;
szFileNameDevice.Buffer = ExAllocatePoolWithTag(NonPagedPool, szFileNameDevice.MaximumLength, FILE_POOL_TAG);
RtlInitUnicodeString(&szDevice, L"\\Device");
if(FltObjects->FileObject->FileName.Length >= szDevice.Length)
{
RtlUnicodeStringCchCopyN(&szFileNameDevice, &FltObjects->FileObject->FileName, 7);
}
if(RtlEqualUnicodeString(&szDevice, &szFileNameDevice, TRUE))
{
RtlUnicodeStringCopy(&filePath, &FltObjects->FileObject->FileName);
pathNameFound = TRUE;
} else {
szTempPath.Length = 0;
szTempPath.MaximumLength = FltObjects->FileObject->FileName.MaximumLength + 2;
/* Get the volume name of where the event came from */
status = FltGetVolumeName(
FltObjects->Volume,
NULL,
&size
);
if(status == STATUS_BUFFER_TOO_SMALL)
{
szTempPath.MaximumLength += (USHORT)size;
szTempPath.Buffer = ExAllocatePoolWithTag(NonPagedPool, szTempPath.MaximumLength, FILE_POOL_TAG);
if(szTempPath.Buffer != NULL)
{
status = FltGetVolumeName(
FltObjects->Volume,
&szTempPath,
&size
);
if(NT_SUCCESS(status))
{
/* Append the file event to the volume name */
RtlUnicodeStringCat(&szTempPath, &FltObjects->FileObject->FileName);
RtlUnicodeStringCopy(&filePath, &szTempPath);
pathNameFound = TRUE;
}
ExFreePoolWithTag(szTempPath.Buffer, FILE_POOL_TAG);
}
}
}
ExFreePoolWithTag(szFileNameDevice.Buffer, FILE_POOL_TAG);
}
if(!pathNameFound)
{
RtlUnicodeStringCatString(&filePath, L"UNKNOWN");
}
/* Allocate file event and put the values into it */
/* NOTE this is freed in the post op callback (which should always get called) */
pFileEvent = ExAllocatePoolWithTag(NonPagedPool, sizeof(FILE_EVENT)+filePath.Length+sizeof(WCHAR), FILE_POOL_TAG);
if(pFileEvent == NULL)
{
ExFreePoolWithTag(filePath.Buffer, FILE_POOL_TAG);
return FLT_PREOP_SUCCESS_NO_CALLBACK;
}
/* Copy file path into file event */
pFileEvent->filePathLength = filePath.Length+sizeof(WCHAR);
RtlStringCbCopyUnicodeString(pFileEvent->filePath, pFileEvent->filePathLength, &filePath);
/* Free the allocated storage for a filepath */
ExFreePoolWithTag(filePath.Buffer, FILE_POOL_TAG);
pFileEvent->majorFileEventType = Data->Iopb->MajorFunction;
pFileEvent->minorFileEventType = Data->Iopb->MinorFunction;
pFileEvent->processId = 0;
if (FltObjects->FileObject != NULL)
{
pFileEvent->flags = FltObjects->FileObject->Flags;
}
if(Data->Iopb->MajorFunction == IRP_MJ_SET_INFORMATION)
{
if(Data->Iopb->Parameters.SetFileInformation.FileInformationClass == FileDispositionInformation)
{
PFILE_DISPOSITION_INFORMATION pFileInfo = (PFILE_DISPOSITION_INFORMATION)Data->Iopb->Parameters.SetFileInformation.InfoBuffer;
/* If the file is marked for deletion back it up */
if(pFileInfo->DeleteFile)
{
pFileEvent->majorFileEventType = 0x99;
}
}
}
/* Get the process id of the file event */
/* NOTE we are kinda using an undocumented function here but its all available
on the interweb. Plus its much better than accessing the PETHREAD structure
which could change at any time. Also, this one is available to userspace
programs so it should be safe to use. We have to use this function because
a file I/O may either be processed in the context of the userspace program
or the system context. This uses the thread data from FLT_CALLBACK_DATA to
determine which process it actually came from. We default back to getting
the current process id if all else fails. */
/* SECOND NOTE FltGetRequestorProcessId does not get the correct process id, it
looks like it still get the proces id of the context the pre callback gets
called in */
/*
status = ObOpenObjectByPointer(Data->Thread,
OBJ_KERNEL_HANDLE,
NULL,
0,
0,
KernelMode,
&hThread);
if(NT_SUCCESS(status))
{
THREAD_BASIC_INFORMATION threadBasicInformation;
status = ZwQueryInformationThread(hThread,
ThreadBasicInformation,
&threadBasicInformation,
sizeof(THREAD_BASIC_INFORMATION),
&returnedLength );
if(NT_SUCCESS(status))
{
pFileEvent->processId = (HANDLE)threadBasicInformation.UniqueProcessId;
handle5 = pFileEvent->processId;
//DbgPrint("Process4: %i\n", pFileEvent->processId);
} else {
DbgPrint("ZwQueryInformationThread FAILED: %08x\n", status);
}
ZwClose(hThread);
} else {
DbgPrint("ObOpenObjectByPointer FAILED: %08x\n", status);
}
*/
/* New safe get correct process id. One above causes blue screen in some cases */
if(Data->Thread != NULL)
{
PEPROCESS pProcess = IoThreadToProcess( Data->Thread );
pFileEvent->processId = PsGetProcessId(pProcess);
} else {
pFileEvent->processId = PsGetCurrentProcessId();
DbgPrint("CaptureFileMonitor: Process id may be incorrect\n");
}
/*
DbgPrint("%i [%i %i] %s %i %i (%i, %i, %i) %i %i %i %i %i : %ls\n",
KeGetCurrentIrql(),
PsIsSystemThread(Data->Thread),
PsIsSystemThread(PsGetCurrentThread()),
FltGetIrpName(Data->Iopb->MajorFunction),
Data->Iopb->MajorFunction,
Data->Iopb->MinorFunction,
pFileEvent->processId,
PsGetCurrentProcessId(),
FltGetRequestorProcessId(Data),
FLT_IS_FASTIO_OPERATION(Data),
FLT_IS_FS_FILTER_OPERATION(Data),
FLT_IS_IRP_OPERATION(Data),
FLT_IS_REISSUED_IO(Data),
FLT_IS_SYSTEM_BUFFER(Data),
pFileEvent->filePath);
*/
//ASSERT(pFileEvent->processId != 0);
/* Get the time this event occured */
KeQuerySystemTime(&CurrentSystemTime);
ExSystemTimeToLocalTime(&CurrentSystemTime,&CurrentLocalTime);
RtlTimeToTimeFields(&CurrentLocalTime,&TimeFields);
pFileEvent->time = TimeFields;
/* Pass the created file event to the post operation of this pre file operation */
if (Data->Iopb->MajorFunction == IRP_MJ_SHUTDOWN)
{
PostFileOperationCallback( Data,
FltObjects,
pFileEvent,
0 );
return FLT_PREOP_SUCCESS_NO_CALLBACK;
} else {
*CompletionContext = pFileEvent;
return FLT_PREOP_SUCCESS_WITH_CALLBACK;
}
}
NTSTATUS
CtxInstanceSetup (
__in PCFLT_RELATED_OBJECTS FltObjects,
__in FLT_INSTANCE_SETUP_FLAGS Flags,
__in DEVICE_TYPE VolumeDeviceType,
__in FLT_FILESYSTEM_TYPE VolumeFilesystemType
)
/*++
Routine Description:
This routine is called whenever a new instance is created on a volume. This
gives us a chance to decide if we need to attach to this volume or not.
Arguments:
FltObjects - Pointer to the FLT_RELATED_OBJECTS data structure containing
opaque handles to this filter, instance and its associated volume.
Flags - Flags describing the reason for this attach request.
Return Value:
STATUS_SUCCESS - attach
STATUS_FLT_DO_NOT_ATTACH - do not attach
--*/
{
PCTX_INSTANCE_CONTEXT instanceContext = NULL;
NTSTATUS status = STATUS_SUCCESS;
ULONG volumeNameLength;
UNREFERENCED_PARAMETER( Flags );
UNREFERENCED_PARAMETER( VolumeDeviceType );
UNREFERENCED_PARAMETER( VolumeFilesystemType );
PAGED_CODE();
DebugTrace( DEBUG_TRACE_INSTANCES,
("[Ctx]: Instance setup started (Volume = %p, Instance = %p)\n",
FltObjects->Volume,
FltObjects->Instance) );
//
// Allocate and initialize the context for this volume
//
//
// Allocate the instance context
//
DebugTrace( DEBUG_TRACE_INSTANCE_CONTEXT_OPERATIONS,
("[Ctx]: Allocating instance context (Volume = %p, Instance = %p)\n",
FltObjects->Volume,
FltObjects->Instance) );
status = FltAllocateContext( FltObjects->Filter,
FLT_INSTANCE_CONTEXT,
CTX_INSTANCE_CONTEXT_SIZE,
NonPagedPool,
&instanceContext );
if (!NT_SUCCESS( status )) {
DebugTrace( DEBUG_TRACE_INSTANCE_CONTEXT_OPERATIONS | DEBUG_TRACE_ERROR,
("[Ctx]: Failed to allocate instance context (Volume = %p, Instance = %p, Status = 0x%x)\n",
FltObjects->Volume,
FltObjects->Instance,
status) );
goto CtxInstanceSetupCleanup;
}
//
// Get the NT volume name length
//
status = FltGetVolumeName( FltObjects->Volume, NULL, &volumeNameLength );
if( !NT_SUCCESS( status ) &&
(status != STATUS_BUFFER_TOO_SMALL) ) {
DebugTrace( DEBUG_TRACE_INSTANCE_CONTEXT_OPERATIONS | DEBUG_TRACE_ERROR,
("[Ctx]: Unexpected failure in FltGetVolumeName. (Volume = %p, Instance = %p, Status = 0x%x)\n",
FltObjects->Volume,
FltObjects->Instance,
status) );
goto CtxInstanceSetupCleanup;
}
//
// Allocate a string big enough to take the volume name
//
instanceContext->VolumeName.MaximumLength = (USHORT) volumeNameLength;
status = CtxAllocateUnicodeString( &instanceContext->VolumeName );
if( !NT_SUCCESS( status )) {
DebugTrace( DEBUG_TRACE_INSTANCE_CONTEXT_OPERATIONS | DEBUG_TRACE_ERROR,
("[Ctx]: Failed to allocate volume name string. (Volume = %p, Instance = %p, Status = 0x%x)\n",
FltObjects->Volume,
FltObjects->Instance,
status) );
goto CtxInstanceSetupCleanup;
}
//
// Get the NT volume name
//
status = FltGetVolumeName( FltObjects->Volume, &instanceContext->VolumeName, &volumeNameLength );
if( !NT_SUCCESS( status ) ) {
DebugTrace( DEBUG_TRACE_INSTANCE_CONTEXT_OPERATIONS | DEBUG_TRACE_ERROR,
("[Ctx]: Unexpected failure in FltGetVolumeName. (Volume = %p, Instance = %p, Status = 0x%x)\n",
FltObjects->Volume,
FltObjects->Instance,
status) );
goto CtxInstanceSetupCleanup;
}
instanceContext->Instance = FltObjects->Instance;
instanceContext->Volume = FltObjects->Volume;
//
// Set the instance context.
//
DebugTrace( DEBUG_TRACE_INSTANCE_CONTEXT_OPERATIONS,
("[Ctx]: Setting instance context %p for volume %wZ (Volume = %p, Instance = %p)\n",
instanceContext,
&instanceContext->VolumeName,
FltObjects->Volume,
FltObjects->Instance) );
status = FltSetInstanceContext( FltObjects->Instance,
FLT_SET_CONTEXT_KEEP_IF_EXISTS,
instanceContext,
NULL );
if( !NT_SUCCESS( status )) {
DebugTrace( DEBUG_TRACE_INSTANCES | DEBUG_TRACE_ERROR,
("[Ctx]: Failed to set instance context for volume %wZ (Volume = %p, Instance = %p, Status = 0x%08X)\n",
&instanceContext->VolumeName,
FltObjects->Volume,
FltObjects->Instance,
status) );
goto CtxInstanceSetupCleanup;
}
CtxInstanceSetupCleanup:
//
// If FltAllocateContext suceeded then we MUST release the context,
// irrespective of whether FltSetInstanceContext suceeded or not.
//
// FltAllocateContext increments the ref count by one.
// A successful FltSetInstanceContext increments the ref count by one
// and also associates the context with the file system object
//
// FltReleaseContext decrements the ref count by one.
//
// When FltSetInstanceContext succeeds, calling FltReleaseContext will
// leave the context with a ref count of 1 corresponding to the internal
// reference to the context from the file system structures
//
// When FltSetInstanceContext fails, calling FltReleaseContext will
// leave the context with a ref count of 0 which is correct since
// there is no reference to the context from the file system structures
//
if ( instanceContext != NULL ) {
DebugTrace( DEBUG_TRACE_INSTANCE_CONTEXT_OPERATIONS,
("[Ctx]: Releasing instance context %p (Volume = %p, Instance = %p)\n",
instanceContext,
FltObjects->Volume,
FltObjects->Instance) );
FltReleaseContext( instanceContext );
}
if (NT_SUCCESS( status )) {
DebugTrace( DEBUG_TRACE_INSTANCES,
("[Ctx]: Instance setup complete (Volume = %p, Instance = %p). Filter will attach to the volume.\n",
FltObjects->Volume,
FltObjects->Instance) );
} else {
DebugTrace( DEBUG_TRACE_INSTANCES,
("[Ctx]: Instance setup complete (Volume = %p, Instance = %p). Filter will not attach to the volume.\n",
FltObjects->Volume,
FltObjects->Instance) );
}
return status;
}
NTSTATUS
CtxInstanceSetup (
__in PCFLT_RELATED_OBJECTS FltObjects,
__in FLT_INSTANCE_SETUP_FLAGS Flags,
__in DEVICE_TYPE VolumeDeviceType,
__in FLT_FILESYSTEM_TYPE VolumeFilesystemType
)
/*++
Routine Description:
This routine is called whenever a new instance is created on a volume. This
gives us a chance to decide if we need to attach to this volume or not.
Arguments:
FltObjects - Pointer to the FLT_RELATED_OBJECTS data structure containing
opaque handles to this filter, instance and its associated volume.
Flags - Flags describing the reason for this attach request.
Return Value:
STATUS_SUCCESS - attach
STATUS_FLT_DO_NOT_ATTACH - do not attach
--*/
{
PCTX_INSTANCE_CONTEXT instanceContext = NULL;
NTSTATUS status = STATUS_SUCCESS;
ULONG volumeNameLength;
#if __NDAS_FS_MINI__
ULONG propertyLengthReturned;
UNICODE_STRING ntfs;
UNICODE_STRING ndasNtfs;
UNICODE_STRING fat;
UNICODE_STRING ndasFat;
PNETDISK_PARTITION netdiskPartition;
NETDISK_ENABLE_MODE netdiskEnableMode;
#endif
#if __LFS__
ULONG propertyLengthReturned;
BOOLEAN result;
UNICODE_STRING ntfs;
UNICODE_STRING ndasNtfs;
UNICODE_STRING fat;
UNICODE_STRING ndasFat;
PENABLED_NETDISK enabledNetdisk;
NETDISK_ENABLE_MODE netdiskEnableMode;
#endif
UNREFERENCED_PARAMETER( Flags );
UNREFERENCED_PARAMETER( VolumeDeviceType );
UNREFERENCED_PARAMETER( VolumeFilesystemType );
PAGED_CODE();
#if __NDAS_FS_MINI__
DebugTrace( DEBUG_TRACE_INSTANCES,
("[Ctx]: Instance setup started FltObjects = %p\n", FltObjects) );
#endif
DebugTrace( DEBUG_TRACE_INSTANCES,
("[Ctx]: Instance setup started (Volume = %p, Instance = %p)\n",
FltObjects->Volume,
FltObjects->Instance) );
//
// Allocate and initialize the context for this volume
//
//
// Allocate the instance context
//
DebugTrace( DEBUG_TRACE_INSTANCE_CONTEXT_OPERATIONS,
("[Ctx]: Allocating instance context (Volume = %p, Instance = %p)\n",
FltObjects->Volume,
FltObjects->Instance) );
status = FltAllocateContext( FltObjects->Filter,
FLT_INSTANCE_CONTEXT,
CTX_INSTANCE_CONTEXT_SIZE,
NonPagedPool,
&instanceContext );
if (!NT_SUCCESS( status )) {
DebugTrace( DEBUG_TRACE_INSTANCE_CONTEXT_OPERATIONS | DEBUG_TRACE_ERROR,
("[Ctx]: Failed to allocate instance context (Volume = %p, Instance = %p, Status = 0x%x)\n",
FltObjects->Volume,
FltObjects->Instance,
status) );
goto CtxInstanceSetupCleanup;
}
#if __NDAS_FS_MINI__
RtlZeroMemory( instanceContext, sizeof(CTX_INSTANCE_CONTEXT) );
status = FltGetVolumeProperties( FltObjects->Volume,
NULL,
0,
&propertyLengthReturned );
DebugTrace( DEBUG_TRACE_INSTANCES,
("[MiniSpy]: IRP_MJ_VOLUME_MOUNT FltGetVolumeProperties, status = %x, propertyLengthReturned = %d\n",
status,
propertyLengthReturned) );
instanceContext->VolumeProperties = ExAllocatePoolWithTag( PagedPool, propertyLengthReturned, CTX_VOLUME_PROPERTY_TAG );
status = FltGetVolumeProperties( FltObjects->Volume,
instanceContext->VolumeProperties,
propertyLengthReturned,
&propertyLengthReturned );
DebugTrace( DEBUG_TRACE_INSTANCES,
("[MiniSpy]: FltGetVolumeProperties, status = %x, propertyLengthReturned = %d\n",
status,
propertyLengthReturned) );
if( !NT_SUCCESS( status )) {
status = STATUS_FLT_DO_NOT_ATTACH;
goto CtxInstanceSetupCleanup;
}
DebugTrace( DEBUG_TRACE_INSTANCES,
("[MiniSpy]: FltGetVolumeProperties, DeviceType = %d "
"FileSystemDriverName = %wZ\n"
"FileSystemDeviceName = %wZ "
"RealDeviceName = %wZ\n",
instanceContext->VolumeProperties->DeviceType,
&instanceContext->VolumeProperties->FileSystemDriverName,
&instanceContext->VolumeProperties->FileSystemDeviceName,
&instanceContext->VolumeProperties->RealDeviceName) );
RtlInitUnicodeString( &ntfs, L"\\Ntfs" );
RtlInitUnicodeString( &ndasNtfs, NDAS_NTFS_DEVICE_NAME );
RtlInitUnicodeString( &fat, L"\\Fat" );
RtlInitUnicodeString( &ndasFat, NDAS_FAT_DEVICE_NAME );
if (!(RtlEqualUnicodeString(&instanceContext->VolumeProperties->FileSystemDeviceName, &ntfs, TRUE) ||
RtlEqualUnicodeString(&instanceContext->VolumeProperties->FileSystemDeviceName, &ndasNtfs, TRUE) ||
RtlEqualUnicodeString(&instanceContext->VolumeProperties->FileSystemDeviceName, &fat, TRUE) ||
RtlEqualUnicodeString(&instanceContext->VolumeProperties->FileSystemDeviceName, &ndasFat, TRUE))) {
status = STATUS_FLT_DO_NOT_ATTACH;
goto CtxInstanceSetupCleanup;
}
status = FltGetDeviceObject( FltObjects->Volume, &instanceContext->DeviceObject );
if (!NT_SUCCESS(status)) {
status = STATUS_FLT_DO_NOT_ATTACH;
goto CtxInstanceSetupCleanup;
}
status = FltGetDiskDeviceObject( FltObjects->Volume, &instanceContext->DiskDeviceObject );
if (!NT_SUCCESS(status)) {
status = STATUS_FLT_DO_NOT_ATTACH;
goto CtxInstanceSetupCleanup;
}
DebugTrace( DEBUG_TRACE_INSTANCES,
("DeviceObject = %p, DiskDeviceObject = %p\n", instanceContext->DeviceObject, instanceContext->DiskDeviceObject) );
if (RtlEqualUnicodeString(&instanceContext->VolumeProperties->FileSystemDeviceName, &ndasFat, TRUE) &&
!GlobalLfs.NdasFatRwSupport && !GlobalLfs.NdasFatRoSupport ||
RtlEqualUnicodeString(&instanceContext->VolumeProperties->FileSystemDeviceName, &ndasNtfs, TRUE) &&
!GlobalLfs.NdasNtfsRwSupport && !GlobalLfs.NdasNtfsRoSupport) {
NDASFS_ASSERT( FALSE );
status = STATUS_FLT_DO_NOT_ATTACH;
goto CtxInstanceSetupCleanup;
}
if (RtlEqualUnicodeString(&instanceContext->VolumeProperties->FileSystemDeviceName, &ndasFat, TRUE)) {
status = NetdiskManager_PreMountVolume( GlobalLfs.NetdiskManager,
GlobalLfs.NdasFatRwIndirect ? TRUE : FALSE,
instanceContext->DiskDeviceObject, //pIrpSp->Parameters.MountVolume.DeviceObject,
instanceContext->DiskDeviceObject, //pIrpSp->Parameters.MountVolume.Vpb->RealDevice,
&netdiskPartition,
&netdiskEnableMode );
} else if (RtlEqualUnicodeString(&instanceContext->VolumeProperties->FileSystemDeviceName, &ndasNtfs, TRUE)) {
status = NetdiskManager_PreMountVolume( GlobalLfs.NetdiskManager,
GlobalLfs.NdasNtfsRwIndirect ? TRUE : FALSE,
instanceContext->DiskDeviceObject, //pIrpSp->Parameters.MountVolume.DeviceObject,
instanceContext->DiskDeviceObject, //pIrpSp->Parameters.MountVolume.Vpb->RealDevice,
&netdiskPartition,
&netdiskEnableMode );
} else {
status = NetdiskManager_PreMountVolume( GlobalLfs.NetdiskManager,
FALSE,
instanceContext->DiskDeviceObject, //pIrpSp->Parameters.MountVolume.DeviceObject,
instanceContext->DiskDeviceObject, //pIrpSp->Parameters.MountVolume.Vpb->RealDevice,
&netdiskPartition,
&netdiskEnableMode );
}
SPY_LOG_PRINT( LFS_DEBUG_LFS_INFO, ("NetdiskManager_IsNetdiskPartition status = %x\n", status) );
if (!NT_SUCCESS(status)) {
if (RtlEqualUnicodeString(&instanceContext->VolumeProperties->FileSystemDeviceName, &ndasFat, TRUE) ||
RtlEqualUnicodeString(&instanceContext->VolumeProperties->FileSystemDeviceName, &ndasNtfs, TRUE)) {
NDASFS_ASSERT( FALSE );
status = STATUS_FLT_DO_NOT_ATTACH;
goto CtxInstanceSetupCleanup;
}
status = STATUS_FLT_DO_NOT_ATTACH;
goto CtxInstanceSetupCleanup;
}
switch (netdiskEnableMode) {
case NETDISK_READ_ONLY:
if (RtlEqualUnicodeString(&instanceContext->VolumeProperties->FileSystemDeviceName, &fat, TRUE)) {
if (GlobalLfs.NdasFatRoSupport) {
NetdiskManager_PostMountVolume( GlobalLfs.NetdiskManager,
netdiskPartition,
netdiskEnableMode,
FALSE,
0,
NULL,
NULL );
NDASFS_ASSERT( FALSE );
status = STATUS_FLT_DO_NOT_ATTACH;
goto CtxInstanceSetupCleanup;
}
} else if (RtlEqualUnicodeString(&instanceContext->VolumeProperties->FileSystemDeviceName, &ndasFat, TRUE)) {
if (!GlobalLfs.NdasFatRoSupport) {
NetdiskManager_PostMountVolume( GlobalLfs.NetdiskManager,
netdiskPartition,
netdiskEnableMode,
FALSE,
0,
NULL,
NULL );
NDASFS_ASSERT( FALSE );
status = STATUS_FLT_DO_NOT_ATTACH;
goto CtxInstanceSetupCleanup;
}
} else if (RtlEqualUnicodeString(&instanceContext->VolumeProperties->FileSystemDeviceName, &ntfs, TRUE)) {
if (GlobalLfs.NdasNtfsRoSupport) {
NetdiskManager_PostMountVolume( GlobalLfs.NetdiskManager,
netdiskPartition,
netdiskEnableMode,
FALSE,
0,
NULL,
NULL );
NDASFS_ASSERT( FALSE );
status = STATUS_FLT_DO_NOT_ATTACH;
goto CtxInstanceSetupCleanup;
}
} else if (RtlEqualUnicodeString(&instanceContext->VolumeProperties->FileSystemDeviceName, &ndasNtfs, TRUE)) {
if (!GlobalLfs.NdasNtfsRoSupport) {
NetdiskManager_PostMountVolume( GlobalLfs.NetdiskManager,
netdiskPartition,
netdiskEnableMode,
FALSE,
0,
NULL,
NULL );
NDASFS_ASSERT( FALSE );
status = STATUS_FLT_DO_NOT_ATTACH;
goto CtxInstanceSetupCleanup;
}
} else {
NDASFS_ASSERT( FALSE );
}
break;
case NETDISK_SECONDARY:
case NETDISK_PRIMARY:
case NETDISK_SECONDARY2PRIMARY:
if (RtlEqualUnicodeString(&instanceContext->VolumeProperties->FileSystemDeviceName, &fat, TRUE)) {
if (GlobalLfs.NdasFatRwSupport &&
FlagOn(netdiskPartition->EnabledNetdisk->NetdiskInformation.EnabledFeatures, NDASFEATURE_SIMULTANEOUS_WRITE)) {
NetdiskManager_PostMountVolume( GlobalLfs.NetdiskManager,
netdiskPartition,
netdiskEnableMode,
FALSE,
0,
NULL,
NULL );
NDASFS_ASSERT( FALSE );
status = STATUS_FLT_DO_NOT_ATTACH;
goto CtxInstanceSetupCleanup;
}
} else if (RtlEqualUnicodeString(&instanceContext->VolumeProperties->FileSystemDeviceName, &ndasFat, TRUE)) {
if (!(GlobalLfs.NdasFatRwSupport &&
FlagOn(netdiskPartition->EnabledNetdisk->NetdiskInformation.EnabledFeatures, NDASFEATURE_SIMULTANEOUS_WRITE))) {
NetdiskManager_PostMountVolume( GlobalLfs.NetdiskManager,
netdiskPartition,
netdiskEnableMode,
FALSE,
0,
NULL,
NULL );
NDASFS_ASSERT( FALSE );
status = STATUS_FLT_DO_NOT_ATTACH;
goto CtxInstanceSetupCleanup;
}
} else if (RtlEqualUnicodeString(&instanceContext->VolumeProperties->FileSystemDeviceName, &ntfs, TRUE)) {
if (GlobalLfs.NdasNtfsRwSupport &&
FlagOn(netdiskPartition->EnabledNetdisk->NetdiskInformation.EnabledFeatures, NDASFEATURE_SIMULTANEOUS_WRITE)) {
NetdiskManager_PostMountVolume( GlobalLfs.NetdiskManager,
netdiskPartition,
netdiskEnableMode,
FALSE,
0,
NULL,
NULL );
NDASFS_ASSERT( FALSE );
status = STATUS_FLT_DO_NOT_ATTACH;
goto CtxInstanceSetupCleanup;
}
} else if (RtlEqualUnicodeString(&instanceContext->VolumeProperties->FileSystemDeviceName, &ndasNtfs, TRUE)) {
if (!(GlobalLfs.NdasNtfsRwSupport &&
FlagOn(netdiskPartition->EnabledNetdisk->NetdiskInformation.EnabledFeatures, NDASFEATURE_SIMULTANEOUS_WRITE))) {
NetdiskManager_PostMountVolume( GlobalLfs.NetdiskManager,
netdiskPartition,
netdiskEnableMode,
FALSE,
0,
NULL,
NULL );
NDASFS_ASSERT( FALSE );
status = STATUS_FLT_DO_NOT_ATTACH;
goto CtxInstanceSetupCleanup;
}
} else {
NDASFS_ASSERT( FALSE );
}
break;
default:
NDASFS_ASSERT( FALSE );
break;
}
LfsReference( &GlobalLfs );
ExInitializeFastMutex( &instanceContext->LfsDeviceExt.FastMutex );
instanceContext->LfsDeviceExt.ReferenceCount = 1;
InitializeListHead( &instanceContext->LfsDeviceExt.LfsQListEntry );
instanceContext->LfsDeviceExt.Flags = LFS_DEVICE_FLAG_INITIALIZING;
instanceContext->LfsDeviceExt.FileSpyDeviceObject = NULL;
instanceContext->LfsDeviceExt.InstanceContext = instanceContext;
FltReferenceContext( instanceContext->LfsDeviceExt.InstanceContext );
instanceContext->LfsDeviceExt.NetdiskPartition = netdiskPartition;
instanceContext->LfsDeviceExt.NetdiskEnabledMode = netdiskEnableMode;
instanceContext->LfsDeviceExt.FilteringMode = LFS_NO_FILTERING;
instanceContext->LfsDeviceExt.DiskDeviceObject = instanceContext->DiskDeviceObject;
instanceContext->LfsDeviceExt.MountVolumeDeviceObject = instanceContext->DiskDeviceObject;
SPY_LOG_PRINT( SPYDEBUG_ERROR,
("FileSpy!CtxInstanceSetup: instanceContext->LfsDeviceExt.DiskDeviceObject = %p\n",
instanceContext->LfsDeviceExt.DiskDeviceObject) );
ExInterlockedInsertTailList( &GlobalLfs.LfsDeviceExtQueue,
&instanceContext->LfsDeviceExt.LfsQListEntry,
&GlobalLfs.LfsDeviceExtQSpinLock );
if (RtlEqualUnicodeString(&instanceContext->VolumeProperties->FileSystemDeviceName, &ntfs, TRUE)) {
instanceContext->LfsDeviceExt.FileSystemType = LFS_FILE_SYSTEM_NTFS;
} else if (RtlEqualUnicodeString(&instanceContext->VolumeProperties->FileSystemDeviceName, &ndasNtfs, TRUE)) {
instanceContext->LfsDeviceExt.FileSystemType = LFS_FILE_SYSTEM_NDAS_NTFS;
} else if (RtlEqualUnicodeString(&instanceContext->VolumeProperties->FileSystemDeviceName, &fat, TRUE)) {
instanceContext->LfsDeviceExt.FileSystemType = LFS_FILE_SYSTEM_FAT;
} else if (RtlEqualUnicodeString(&instanceContext->VolumeProperties->FileSystemDeviceName, &ndasFat, TRUE)) {
instanceContext->LfsDeviceExt.FileSystemType = LFS_FILE_SYSTEM_NDAS_FAT;
} else {
NDASFS_ASSERT( FALSE );
}
NetdiskManager_PostMountVolume( GlobalLfs.NetdiskManager,
instanceContext->LfsDeviceExt.NetdiskPartition,
instanceContext->LfsDeviceExt.NetdiskEnabledMode,
TRUE,
instanceContext->LfsDeviceExt.FileSystemType,
&instanceContext->LfsDeviceExt,
&instanceContext->LfsDeviceExt.NetdiskPartitionInformation );
switch (netdiskEnableMode) {
case NETDISK_READ_ONLY:
instanceContext->LfsDeviceExt.FilteringMode = LFS_READONLY;
break;
case NETDISK_SECONDARY:
instanceContext->LfsDeviceExt.FilteringMode = LFS_SECONDARY;
break;
case NETDISK_PRIMARY:
case NETDISK_SECONDARY2PRIMARY:
instanceContext->LfsDeviceExt.FilteringMode = LFS_PRIMARY;
break;
default:
ASSERT( LFS_BUG );
break;
}
SetFlag( instanceContext->LfsDeviceExt.Flags, LFS_DEVICE_FLAG_MOUNTING );
ASSERT( instanceContext->DiskDeviceObject->Vpb->DeviceObject );
instanceContext->LfsDeviceExt.Vpb = instanceContext->LfsDeviceExt.DiskDeviceObject->Vpb; // Vpb will be changed in IrpSp Why ?
instanceContext->LfsDeviceExt.BaseVolumeDeviceObject = instanceContext->LfsDeviceExt.Vpb->DeviceObject;
switch (instanceContext->LfsDeviceExt.FilteringMode) {
case LFS_READONLY: {
//
// We don't support cache purging yet.
//
SPY_LOG_PRINT( LFS_DEBUG_LFS_INFO, ("LfsFsControlMountVolumeComplete: READONLY newDevExt->LfsDeviceExt = %p "
"newDevExt->LfsDeviceExt.FileSystemType = %d\n",
&instanceContext->LfsDeviceExt, instanceContext->LfsDeviceExt.FileSystemType) );
instanceContext->LfsDeviceExt.AttachedToDeviceObject = instanceContext->DeviceObject; //NULL; //instanceContext->NLExtHeader.AttachedToDeviceObject;
NetdiskManager_MountVolumeComplete( GlobalLfs.NetdiskManager,
instanceContext->LfsDeviceExt.NetdiskPartition,
instanceContext->LfsDeviceExt.NetdiskEnabledMode,
status,
instanceContext->LfsDeviceExt.AttachedToDeviceObject );
status = SpyFsControlReadonlyMountVolumeComplete( &instanceContext->LfsDeviceExt );
break;
}
case LFS_PRIMARY: {
instanceContext->LfsDeviceExt.AttachedToDeviceObject = instanceContext->DeviceObject; //NULL; //instanceContext->NLExtHeader.AttachedToDeviceObject;
ASSERT( instanceContext->LfsDeviceExt.AttachedToDeviceObject );
NetdiskManager_MountVolumeComplete( GlobalLfs.NetdiskManager,
instanceContext->LfsDeviceExt.NetdiskPartition,
instanceContext->LfsDeviceExt.NetdiskEnabledMode,
status,
instanceContext->LfsDeviceExt.AttachedToDeviceObject );
SPY_LOG_PRINT( LFS_DEBUG_LFS_INFO, ("LfsFsControlMountVolumeComplete: LFS_PRIMARY newDevExt->LfsDeviceExt = %p "
"newDevExt->LfsDeviceExt.FileSystemType = %d\n",
&instanceContext->LfsDeviceExt, instanceContext->LfsDeviceExt.FileSystemType) );
status = STATUS_SUCCESS;
break;
}
case LFS_SECONDARY: {
instanceContext->LfsDeviceExt.AttachedToDeviceObject = instanceContext->DeviceObject; //NULL; //instanceContext->NLExtHeader.AttachedToDeviceObject;
NetdiskManager_MountVolumeComplete( GlobalLfs.NetdiskManager,
instanceContext->LfsDeviceExt.NetdiskPartition,
instanceContext->LfsDeviceExt.NetdiskEnabledMode,
status,
instanceContext->LfsDeviceExt.AttachedToDeviceObject );
SPY_LOG_PRINT( LFS_DEBUG_LFS_INFO, ("CtxInstanceSetup: LFS_SECONDARY newDevExt->LfsDeviceExt = %p "
"newDevExt->LfsDeviceExt.FileSystemType = %d\n",
&instanceContext->LfsDeviceExt, instanceContext->LfsDeviceExt.FileSystemType) );
status = SpyFsControlSecondaryMountVolumeComplete( &instanceContext->LfsDeviceExt );
if (instanceContext->LfsDeviceExt.FilteringMode == LFS_SECONDARY_TO_PRIMARY) {
NetdiskManager_ChangeMode( GlobalLfs.NetdiskManager,
instanceContext->LfsDeviceExt.NetdiskPartition,
&instanceContext->LfsDeviceExt.NetdiskEnabledMode );
}
break;
}
default:
NDASFS_ASSERT( FALSE );
NetdiskManager_MountVolumeComplete( GlobalLfs.NetdiskManager,
instanceContext->LfsDeviceExt.NetdiskPartition,
instanceContext->LfsDeviceExt.NetdiskEnabledMode,
status,
NULL );
status = STATUS_SUCCESS;
break;
}
//
// We completed initialization of this device object, so now
// clear the initializing flag.
//
if (status == STATUS_SUCCESS) {
ClearFlag( instanceContext->LfsDeviceExt.Flags, LFS_DEVICE_FLAG_INITIALIZING );
ClearFlag( instanceContext->LfsDeviceExt.Flags, LFS_DEVICE_FLAG_MOUNTING );
SetFlag( instanceContext->LfsDeviceExt.Flags, LFS_DEVICE_FLAG_MOUNTED );
} else {
NTSTATUS status2;
NDASFS_ASSERT( FALSE );
//
// Queue an event to notify user applications
//
XevtQueueVolumeInvalidOrLocked( -1,
instanceContext->LfsDeviceExt.NetdiskPartitionInformation.NetdiskInformation.SlotNo,
instanceContext->LfsDeviceExt.NetdiskPartitionInformation.NetdiskInformation.UnitDiskNo );
//
// Try to unplug
//
status2 = NetdiskManager_UnplugNetdisk( GlobalLfs.NetdiskManager,
instanceContext->LfsDeviceExt.NetdiskPartition,
instanceContext->LfsDeviceExt.NetdiskEnabledMode );
ASSERT( NT_SUCCESS(status2) );
}
#endif
//
// Get the NT volume name length
//
status = FltGetVolumeName( FltObjects->Volume, NULL, &volumeNameLength );
if( !NT_SUCCESS( status ) &&
(status != STATUS_BUFFER_TOO_SMALL) ) {
DebugTrace( DEBUG_TRACE_INSTANCE_CONTEXT_OPERATIONS | DEBUG_TRACE_ERROR,
("[Ctx]: Unexpected failure in FltGetVolumeName. (Volume = %p, Instance = %p, Status = 0x%x)\n",
FltObjects->Volume,
FltObjects->Instance,
status) );
goto CtxInstanceSetupCleanup;
}
//
// Allocate a string big enough to take the volume name
//
instanceContext->VolumeName.MaximumLength = (USHORT) volumeNameLength;
status = CtxAllocateUnicodeString( &instanceContext->VolumeName );
if( !NT_SUCCESS( status )) {
DebugTrace( DEBUG_TRACE_INSTANCE_CONTEXT_OPERATIONS | DEBUG_TRACE_ERROR,
("[Ctx]: Failed to allocate volume name string. (Volume = %p, Instance = %p, Status = 0x%x)\n",
FltObjects->Volume,
FltObjects->Instance,
status) );
goto CtxInstanceSetupCleanup;
}
//
// Get the NT volume name
//
status = FltGetVolumeName( FltObjects->Volume, &instanceContext->VolumeName, &volumeNameLength );
if( !NT_SUCCESS( status ) ) {
DebugTrace( DEBUG_TRACE_INSTANCE_CONTEXT_OPERATIONS | DEBUG_TRACE_ERROR,
("[Ctx]: Unexpected failure in FltGetVolumeName. (Volume = %p, Instance = %p, Status = 0x%x)\n",
FltObjects->Volume,
FltObjects->Instance,
status) );
goto CtxInstanceSetupCleanup;
}
instanceContext->Instance = FltObjects->Instance;
instanceContext->Volume = FltObjects->Volume;
//
// Set the instance context.
//
DebugTrace( DEBUG_TRACE_INSTANCE_CONTEXT_OPERATIONS,
("[Ctx]: Setting instance context %p for volume %wZ (Volume = %p, Instance = %p)\n",
instanceContext,
&instanceContext->VolumeName,
FltObjects->Volume,
FltObjects->Instance) );
status = FltSetInstanceContext( FltObjects->Instance,
FLT_SET_CONTEXT_KEEP_IF_EXISTS,
instanceContext,
NULL );
if( !NT_SUCCESS( status )) {
DebugTrace( DEBUG_TRACE_INSTANCES | DEBUG_TRACE_ERROR,
("[Ctx]: Failed to set instance context for volume %wZ (Volume = %p, Instance = %p, Status = 0x%08X)\n",
&instanceContext->VolumeName,
FltObjects->Volume,
FltObjects->Instance,
status) );
goto CtxInstanceSetupCleanup;
}
CtxInstanceSetupCleanup:
#if __NDAS_FS_MINI__
if (status != STATUS_SUCCESS) {
if (instanceContext->DiskDeviceObject) {
ObDereferenceObject( instanceContext->DiskDeviceObject );
instanceContext->DiskDeviceObject = NULL;
}
if (instanceContext->DeviceObject) {
ObDereferenceObject( instanceContext->DeviceObject );
instanceContext->DeviceObject = NULL;
}
if (instanceContext->VolumeProperties) {
ExFreePoolWithTag( instanceContext->VolumeProperties, CTX_VOLUME_PROPERTY_TAG );
instanceContext->VolumeProperties = NULL;
}
if (FlagOn(instanceContext->LfsDeviceExt.Flags, LFS_DEVICE_FLAG_INITIALIZING)) {
LfsDeviceExt_Dereference( &instanceContext->LfsDeviceExt );
}
}
#endif
//
// If FltAllocateContext suceeded then we MUST release the context,
// irrespective of whether FltSetInstanceContext suceeded or not.
//
// FltAllocateContext increments the ref count by one.
// A successful FltSetInstanceContext increments the ref count by one
// and also associates the context with the file system object
//
// FltReleaseContext decrements the ref count by one.
//
// When FltSetInstanceContext succeeds, calling FltReleaseContext will
// leave the context with a ref count of 1 corresponding to the internal
// reference to the context from the file system structures
//
// When FltSetInstanceContext fails, calling FltReleaseContext will
// leave the context with a ref count of 0 which is correct since
// there is no reference to the context from the file system structures
//
if ( instanceContext != NULL ) {
DebugTrace( DEBUG_TRACE_INSTANCE_CONTEXT_OPERATIONS,
("[Ctx]: Releasing instance context %p (Volume = %p, Instance = %p)\n",
instanceContext,
FltObjects->Volume,
FltObjects->Instance) );
FltReleaseContext( instanceContext );
}
if (NT_SUCCESS( status )) {
DebugTrace( DEBUG_TRACE_INSTANCES,
("[Ctx]: Instance setup complete (Volume = %p, Instance = %p). Filter will attach to the volume.\n",
FltObjects->Volume,
FltObjects->Instance) );
} else {
DebugTrace( DEBUG_TRACE_INSTANCES,
("[Ctx]: Instance setup complete (Volume = %p, Instance = %p). Filter will not attach to the volume.\n",
FltObjects->Volume,
FltObjects->Instance) );
}
return status;
}
NTSTATUS
FmmOpenMetadata (
__in PFMM_INSTANCE_CONTEXT InstanceContext,
__in BOOLEAN CreateIfNotPresent
)
/*++
Routine Description:
This routine opens or creates the Fmm metadata on the specified instance.
Arguments:
InstanceContext - Supplies the instance context for this instance.
CreateIfNotPresent - Supplies if the directory entry must be created if it is not present
Return Value:
Returns the status of this operation.
Note:
The caller must hold the instance context resource exclusive when this routine is called.
--*/
{
OBJECT_ATTRIBUTES objectAttributes;
IO_STATUS_BLOCK ioStatus;
UNICODE_STRING fileName;
NTSTATUS status;
ULONG length;
PAGED_CODE();
DebugTrace( DEBUG_TRACE_METADATA_OPERATIONS,
("[Fmm]: Opening metadata file ... (Volume = %p, CreateIfNotPresent = %X)\n",
InstanceContext->Volume,
CreateIfNotPresent) );
status = STATUS_SUCCESS;
fileName.Buffer = NULL;
//
// Get the volume name and construct the full metadata filename.
//
length = FMM_DEFAULT_VOLUME_NAME_LENGTH + FMM_METADATA_FILE_NAME_LENGTH;
#pragma warning(push)
#pragma warning(disable:4127) // Conditional expression is constant
while (TRUE) {
#pragma warning(pop)
fileName.MaximumLength = (USHORT)length;
status = FmmAllocateUnicodeString( &fileName );
if (!NT_SUCCESS( status )) {
goto FmmOpenMetadataCleanup;
}
status = FltGetVolumeName( InstanceContext->Volume, &fileName, &length );
if (NT_SUCCESS( status )) {
status = RtlAppendUnicodeToString( &fileName, FMM_METADATA_FILE_NAME );
if (NT_SUCCESS( status )) {
break;
}
} else {
DebugTrace( DEBUG_TRACE_METADATA_OPERATIONS | DEBUG_TRACE_ERROR,
("[Fmm]: Failed to get volume name (Volume = %p, Status = 0x%x)\n",
InstanceContext->Volume,
status) );
}
if (status != STATUS_BUFFER_TOO_SMALL) {
goto FmmOpenMetadataCleanup;;
}
//
// Free the filename buffer since a bigger one will be allocated
// above
//
FmmFreeUnicodeString( &fileName );
length += FMM_METADATA_FILE_NAME_LENGTH;
}
//
// Initialize the object attributes and open the file.
//
InitializeObjectAttributes( &objectAttributes,
&fileName,
OBJ_KERNEL_HANDLE,
NULL,
NULL );
RetryFltCreateFile:
DebugTrace( DEBUG_TRACE_METADATA_OPERATIONS,
("[Fmm]: Calling FltCreateFile for metadata file %wZ (Volume = %p, Status = 0x%x)\n",
&fileName,
InstanceContext->Volume,
status) );
//
// Mark the beginning of a file system operation
//
FmmBeginFileSystemOperation( InstanceContext );
status = FltCreateFile( Globals.Filter,
InstanceContext->Instance,
&InstanceContext->MetadataHandle,
FILE_ALL_ACCESS,
&objectAttributes,
&ioStatus,
(PLARGE_INTEGER) NULL,
FILE_ATTRIBUTE_SYSTEM | FILE_ATTRIBUTE_HIDDEN,
FILE_SHARE_READ,
(CreateIfNotPresent ? FILE_OPEN_IF : FILE_OPEN),
0L,
NULL,
0L,
0 );
//
// Mark the end of a file system operation
//
FmmEndFileSystemOperation( InstanceContext );
if (!NT_SUCCESS( status )) {
DebugTrace( DEBUG_TRACE_METADATA_OPERATIONS | DEBUG_TRACE_ERROR,
("[Fmm]: FltCreateFile failure for metadata file %wZ (Volume = %p, Status = 0x%x)\n",
&fileName,
InstanceContext->Volume,
status) );
if (CreateIfNotPresent && (status == STATUS_OBJECT_PATH_NOT_FOUND)) {
//
// We need to create the metadata file and the creation failed
// because the SystemVolumeInformation folder does not exist.
// So, create the folder and try again.
//
DebugTrace( DEBUG_TRACE_METADATA_OPERATIONS,
("[Fmm]: Creating SystemVolumeInformation folder for metadata file %wZ (Volume = %p, Status = 0x%x)\n",
&fileName,
InstanceContext->Volume,
status) );
//
// Mark the beginning of a file system operation
//
FmmBeginFileSystemOperation( InstanceContext );
status = FltCreateSystemVolumeInformationFolder( InstanceContext->Instance );
//
// Mark the end of a file system operation
//
FmmEndFileSystemOperation( InstanceContext );
if (NT_SUCCESS( status )) {
//
// We have sucessfully created the SystemVolumeInformation folder
// Try to create the metadata file again
//
goto RetryFltCreateFile;
} else {
DebugTrace( DEBUG_TRACE_METADATA_OPERATIONS | DEBUG_TRACE_ERROR,
("[Fmm]: FltCreateSystemVolumeInformationFolder failure for metadata file %wZ (Volume = %p, Status = 0x%x)\n",
&fileName,
InstanceContext->Volume,
status) );
}
}
goto FmmOpenMetadataCleanup;
}
//
// Retrieve the FileObject from the handle created
//
status = ObReferenceObjectByHandle( InstanceContext->MetadataHandle,
STANDARD_RIGHTS_REQUIRED,
*IoFileObjectType,
KernelMode,
&InstanceContext->MetadataFileObject,
NULL );
if (!NT_SUCCESS( status )) {
DebugTrace( DEBUG_TRACE_METADATA_OPERATIONS | DEBUG_TRACE_ERROR,
("[Fmm]: Failure to get file object from handle for metadata file %wZ (Volume = %p, Status = 0x%x)\n",
&fileName,
InstanceContext->Volume,
status) );
goto FmmOpenMetadataCleanup;
}
if (ioStatus.Information == FILE_CREATED) {
//
// New metadata was created
//
DebugTrace( DEBUG_TRACE_METADATA_OPERATIONS,
("[Fmm]: Created new metadata file %wZ (Volume = %p, Status = 0x%x)\n",
&fileName,
InstanceContext->Volume,
status) );
//
// The filter may want to do some initialization on the newly created
// metadata file here like adding a header to the file
//
}
else {
//
// Existing metadata was opened
//
DebugTrace( DEBUG_TRACE_METADATA_OPERATIONS,
("[Fmm]: Opened existing metadata file %wZ (Volume = %p, Status = 0x%x)\n",
&fileName,
InstanceContext->Volume,
status) );
//
// The filter may want to do some sanity checks on the metadata file here
// like validating the header of the file
//
}
//
// Here the filter may read the metadata contents and initialize
// its in memory data structures with the data from the metadata
// file
//
FmmOpenMetadataCleanup:
if (!NT_SUCCESS( status )) {
DebugTrace( DEBUG_TRACE_METADATA_OPERATIONS | DEBUG_TRACE_ERROR,
("[Fmm]: Failed to open metadata (Volume = %p, Status = 0x%x)\n",
InstanceContext->Volume,
status) );
//
// CLose the handle and dereference the file object
//
if (InstanceContext->MetadataHandle) {
//
// Mark the beginning of a file system operation
//
FmmBeginFileSystemOperation( InstanceContext );
FltClose( InstanceContext->MetadataHandle );
//
// Mark the end of a file system operation
//
FmmEndFileSystemOperation( InstanceContext );
InstanceContext->MetadataHandle = NULL;
if (InstanceContext->MetadataFileObject) {
ObDereferenceObject( InstanceContext->MetadataFileObject );
InstanceContext->MetadataFileObject = NULL;
}
}
} else {
DebugTrace( DEBUG_TRACE_METADATA_OPERATIONS,
("[Fmm]: Metadata successfully opened (Volume = %p)\n",
InstanceContext->Volume) );
//
// Set flags to indicate successful open of filter metadata
//
SetFlag( InstanceContext->Flags, INSTANCE_CONTEXT_F_METADATA_OPENED );
}
if (fileName.Buffer != NULL) {
FmmFreeUnicodeString( &fileName );
}
return status;
}
