1

I have a file filter driver that is not receiving callbacks to the IRPs registered in DriverEntry. Has anyone had the problem where their PreOperation and PostOperation callbacks, registered with FltRegisterFilter, do not get called in their file filter driver?

I thought I'd test out the VS2013 file filter driver template (instead of rolling my own) and immediately noticed that the driver is not getting called for the registered IRPs.

I am getting debug trace output on all the driver callbacks specified in FltRegisterFilter:

    MyFileUnload,                           //  MiniFilterUnload
    MyFileInstanceSetup,                    //  InstanceSetup
    MyFileInstanceQueryTeardown,            //  InstanceQueryTeardown
    MyFileInstanceTeardownStart,            //  InstanceTeardownStart
    MyFileInstanceTeardownComplete,         //  InstanceTeardownComplete

... but none from the IRP handlers supplied in the same call. Setting breakpoints in the IRP handlers also don't get hit but breakpoints are hit in the above driver callbacks.

Driver from Win7 x86 target -

kd> !drvobj MyFile
Driver object (84b29168) is for:
 \FileSystem\MyFile
Driver Extension List: (id , addr)

Device Object list:

kd>

Breakpoints

kd> bl
    0 e 925b6000 [f:\MyFile\myfile.c @ 75]     0001 (0001) MyFile!DriverEntry
    1 e 925b3340 [f:\MyFile\myfile.c @ 264]    0001 (0001) MyFile!MyFilePostOperation
    2 e 925b3370 [f:\MyFile\myfile.c @ 143]    0001 (0001) MyFile!MyFilePreOperation

Callback Dump

kd> dt -a10 callbacks
MyFile!Callbacks
[0] @ 925b4068 
---------------------------------------------
   +0x000 MajorFunction    : 0 ''
   +0x004 Flags            : 0
   +0x008 PreOperation     : 0x925b3370     _FLT_PREOP_CALLBACK_STATUS  MyFile!MyFilePreOperation+0
   +0x00c PostOperation    : 0x925b3340     _FLT_POSTOP_CALLBACK_STATUS  MyFile!MyFilePostOperation+0
   +0x010 Reserved1        : (null) 

[1] @ 925b407c 
---------------------------------------------
   +0x000 MajorFunction    : 0x1 ''
   +0x004 Flags            : 0
   +0x008 PreOperation     : 0x925b3370     _FLT_PREOP_CALLBACK_STATUS  MyFile!MyFilePreOperation+0
   +0x00c PostOperation    : 0x925b3340     _FLT_POSTOP_CALLBACK_STATUS  MyFile!MyFilePostOperation+0
   +0x010 Reserved1        : (null) 

[2] @ 925b4090 
---------------------------------------------
   +0x000 MajorFunction    : 0x2 ''
   +0x004 Flags            : 0
   +0x008 PreOperation     : 0x925b3370     _FLT_PREOP_CALLBACK_STATUS  MyFile!MyFilePreOperation+0
   +0x00c PostOperation    : 0x925b3340     _FLT_POSTOP_CALLBACK_STATUS  MyFile!MyFilePostOperation+0
   +0x010 Reserved1        : (null) 

[ ... ]

kd> x Myfile!My*
925b3070          MyFile!MyFileInstanceQueryTeardown (struct _FLT_RELATED_OBJECTS *, unsigned long)
925b3410          MyFile!MyFilePreOperationNoPostOperation (struct _FLT_CALLBACK_DATA *, struct _FLT_RELATED_OBJECTS *, void **)
925b3370          MyFile!MyFilePreOperation (struct _FLT_CALLBACK_DATA *, struct _FLT_RELATED_OBJECTS *, void **)
925b3240          MyFile!MyFileDoRequestOperationStatus (struct _FLT_CALLBACK_DATA *)
925b31c0          MyFile!MyFileUnload (unsigned long)
925b32c0          MyFile!MyFileOperationStatusCallback (struct _FLT_RELATED_OBJECTS *, struct _FLT_IO_PARAMETER_BLOCK *, long, void *)
925b3150          MyFile!MyFileInstanceTeardownStart (struct _FLT_RELATED_OBJECTS *, unsigned long)
925b30e0          MyFile!MyFileInstanceTeardownComplete (struct _FLT_RELATED_OBJECTS *, unsigned long)
925b3340          MyFile!MyFilePostOperation (struct _FLT_CALLBACK_DATA *, struct _FLT_RELATED_OBJECTS *, void *, unsigned long)
925b3000          MyFile!MyFileInstanceSetup (struct _FLT_RELATED_OBJECTS *, unsigned long, unsigned long, _FLT_FILESYSTEM_TYPE)

Code Snippet

// Filter registration
//
CONST FLT_OPERATION_REGISTRATION Callbacks[] = {

    { IRP_MJ_CREATE,
      0,
      MyFilePreOperation,
      MyFilePostOperation },

    { IRP_MJ_CREATE_NAMED_PIPE,
      0,
      MyFilePreOperation,
      MyFilePostOperation },

    { IRP_MJ_CLOSE,
      0,
      MyFilePreOperation,
      MyFilePostOperation },

    { IRP_MJ_READ,
      0,
      MyFilePreOperation,
      MyFilePostOperation },

    { IRP_MJ_WRITE,
      0,
      MyFilePreOperation,
      MyFilePostOperation },

    [ ... all other file filter IRPs including fast I/O ... ]

    { IRP_MJ_VOLUME_DISMOUNT,
      0,
      MyFilePreOperation,
      MyFilePostOperation },

    { IRP_MJ_OPERATION_END }
};

CONST FLT_REGISTRATION FilterRegistration = {

    sizeof( FLT_REGISTRATION ),         //  Size
    FLT_REGISTRATION_VERSION,           //  Version
    0,                                  //  Flags

    NULL,                               //  Context
    Callbacks,                          //  Operation callbacks

    MyFileUnload,                           //  MiniFilterUnload

    MyFileInstanceSetup,                    //  InstanceSetup
    MyFileInstanceQueryTeardown,            //  InstanceQueryTeardown
    MyFileInstanceTeardownStart,            //  InstanceTeardownStart
    MyFileInstanceTeardownComplete,         //  InstanceTeardownComplete

    NULL,                               //  GenerateFileName
    NULL,                               //  GenerateDestinationFileName
    NULL                                //  NormalizeNameComponent

};

NTSTATUS
DriverEntry (
    _In_ PDRIVER_OBJECT DriverObject,
    _In_ PUNICODE_STRING RegistryPath
    )
{
    NTSTATUS status;

    UNREFERENCED_PARAMETER( RegistryPath );

    PT_DBG_PRINT( PTDBG_TRACE_ROUTINES,
                  ("MyFile!DriverEntry: Entered\n") );

    //
    //  Register with FltMgr to tell it our callback routines
    //

    status = FltRegisterFilter( DriverObject,
                                &FilterRegistration,
                                &gFilterHandle );

    FLT_ASSERT( NT_SUCCESS( status ) );

    if (NT_SUCCESS( status )) {

        //
        //  Start filtering i/o
        //

        status = FltStartFiltering( gFilterHandle );

        if (!NT_SUCCESS( status )) {

            FltUnregisterFilter( gFilterHandle );
        }
    }

    return status;
}

Again, only the DriverEntry and MyFileUnload callbacks get called (verified through dbg tracing and live breakpoints). No IRP handlers get called in the driver (ever).

Thanks for taking a look!

user1966831
  • 55
  • 5

1 Answers1

0

You can check your driver's registry data. xxxx\Instance[your driver name]\Flags is 0? If not, set 0.

baggio
  • 1
  • 1