-1

I want to know the implementation sequence of the function `FltGetVolumeGuidName()`. I basically want to get the GUID of all volumes on my system. Below is the code I tried. Any help will be greatly appreciated; thanks in advance.

        volumeContext->GUIDinfo.Buffer = NULL;                               //kernel crash here  <<<<======
        volumeContext->GUIDinfo.Length = 0;
        volumeContext->GUIDinfo.MaximumLength = 0;
        // First call: fetch the required size (the buffer is still empty)
        (void) FltGetVolumeGuidName(pVolumeList, &volumeContext->GUIDinfo, &BufferSizeNeeded);
        // Memory allocation
        ASSERT(BufferSizeNeeded <= UNICODE_STRING_MAX_BYTES);
        volumeContext->GUIDinfo.Buffer = (PWCHAR)ExAllocatePoolWithTag(PagedPool, BufferSizeNeeded, MEMTAG_VOL_GUID);
        // Check the allocation result after allocating, not before
        if (NULL == volumeContext->GUIDinfo.Buffer) {
            status = STATUS_INSUFFICIENT_RESOURCES;
            DbgPrint("\n STATUS_INSUFFICIENT_RESOURCES");
            break;
        }
        volumeContext->GUIDinfo.Length = 0;
        // MaximumLength is a USHORT field
        volumeContext->GUIDinfo.MaximumLength = (USHORT)BufferSizeNeeded;

        // Second call: fetch the GUID name into the allocated buffer
        ntStatus = FltGetVolumeGuidName(pVolumeList, &volumeContext->GUIDinfo, &BufferSizeNeeded);
        if (ntStatus == STATUS_BUFFER_TOO_SMALL) {
            DbgPrint("\n STATUS_BUFFER_TOO_SMALL");
        }
Ignatius
  • `FltEnumerateVolumes` returns an array of opaque `PFLT_VOLUME` pointers. You would call `FltGetVolumeGuidName` on each one. The first result, when `MaximumLength` is 0, should return `STATUS_BUFFER_TOO_SMALL`, and `BufferSizeNeeded` will have the required size. AFAIK, all will require the same size, based on the "\??\Volume{XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX}" template, which contains the 32 hexadecimal digits of a 128-bit GUID. That's 48 Unicode characters, or 96 bytes. – Eryk Sun Dec 17 '19 at 18:29
  • Note that not all volumes will actually have a GUID name. Legacy volumes, such as some ramdisk devices, do not support the mount manager. These annoying devices cause failures higher up the food chain, such as causing WINAPI `GetFinalPathNameByHandleW` to fail when requesting a DOS name, since it requires the volume to be registered with the mount manager. – Eryk Sun Dec 17 '19 at 18:34

1 Answer

0

Eryk, thank you very much. Agreed that for each of the PFLT_VOLUME I get a valid pointer. Now when I call `FltGetVolumeGuidName(PFLT_VOLUME (pVolumeList), &volumeContext->GUIDinfo, BufferSizeNeeded)` as mentioned above and print the values, `&volumeContext->GUIDinfo` = (Null) and `BufferSizeNeeded` = 96. From the literature around on `FltGetVolumeGuidName`, I understand that the first call to `FltGetVolumeGuidName` gets the `BufferSizeNeeded`; I then use this size to allocate memory and call `FltGetVolumeGuidName` again to fetch the GUID.

I have a problem (kernel panic) when I initialize as below:

        volumeContext->GUIDinfo.Buffer = NULL;   //kernel crash here  <<<<======
        volumeContext->GUIDinfo.Length = 0;
        volumeContext->GUIDinfo.MaximumLength = 0;
Ignatius
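The size-probe, allocate, fetch sequence discussed in this thread, as an added example that is not part of the original posts or of any driver's code. It is a user-mode C model: `stub_get_guid_name` is a hypothetical stand-in for `FltGetVolumeGuidName` (the `PFLT_VOLUME` argument is dropped), `malloc`/`free` stand in for the pool allocator, `query_volume_guid` is an illustrative name, and the sample volume name is constructed.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
typedef int32_t NTSTATUS;
#define STATUS_SUCCESS                ((NTSTATUS)0x00000000)
#define STATUS_INVALID_PARAMETER      ((NTSTATUS)0xC000000D)
#define STATUS_BUFFER_TOO_SMALL       ((NTSTATUS)0xC0000023)
#define STATUS_INSUFFICIENT_RESOURCES ((NTSTATUS)0xC000009A)
#define UNICODE_STRING_MAX_BYTES      65534u
typedef struct { uint16_t Length, MaximumLength; uint16_t *Buffer; } UNICODE_STRING;

/* Constructed sample name: 48 UTF-16 characters, i.e. 96 bytes. */
static const char SAMPLE[] = "\\??\\Volume{00000000-0000-0000-0000-000000000000}";

/* Hypothetical stand-in for FltGetVolumeGuidName: always reports the size needed. */
static NTSTATUS stub_get_guid_name(UNICODE_STRING *name, uint32_t *needed) {
    uint32_t bytes = (uint32_t)(strlen(SAMPLE) * sizeof(uint16_t));
    *needed = bytes;
    if (name->Buffer == NULL || name->MaximumLength < bytes)
        return STATUS_BUFFER_TOO_SMALL;
    for (uint32_t i = 0; i < bytes / sizeof(uint16_t); i++)
        name->Buffer[i] = (uint16_t)SAMPLE[i];
    name->Length = (uint16_t)bytes;
    return STATUS_SUCCESS;
}

NTSTATUS query_volume_guid(UNICODE_STRING *out) {
    if (out == NULL) return STATUS_INVALID_PARAMETER;   /* validate before the first write */
    out->Buffer = NULL; out->Length = 0; out->MaximumLength = 0;
    uint32_t needed = 0;
    NTSTATUS st = stub_get_guid_name(out, &needed);     /* call 1: size probe only */
    if (st != STATUS_BUFFER_TOO_SMALL) return st;       /* any other status: nothing to fetch */
    if (needed == 0 || needed > UNICODE_STRING_MAX_BYTES) return STATUS_INVALID_PARAMETER;
    out->Buffer = malloc(needed);                       /* driver: ExAllocatePoolWithTag */
    if (out->Buffer == NULL) return STATUS_INSUFFICIENT_RESOURCES; /* check after allocating */
    out->MaximumLength = (uint16_t)needed;              /* fits: bounded above */
    st = stub_get_guid_name(out, &needed);              /* call 2: fetch the name */
    if (st != STATUS_SUCCESS) { free(out->Buffer); out->Buffer = NULL; out->MaximumLength = 0; }
    return st;
}

int main(void) {
    UNICODE_STRING s;
    NTSTATUS st = query_volume_guid(&s);
    printf("status=0x%08X bytes=%u\n", (unsigned)st, (unsigned)s.Length);
    free(s.Buffer);
    return st == STATUS_SUCCESS ? 0 : 1;
}
```

In a minifilter the same checks apply with the real call: the pointer being written through is validated first, the size from the first call is bounded before it is narrowed to the 16-bit `MaximumLength`, and the buffer is released on every failure path.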