1

Topic: IRP_MJ_READ + notepad = ... How to solve it without hooks?

There are already several threads on forums saying that IRP_MJ_READ for some reason does not fire if a file is opened with Notepad (notepad.exe). I ran into the same problem. For example, for SearchIndexer.exe it works. For System.IO.File.WriteAllBytes (haven't looked yet at what that is underneath) it works too. But for Notepad, really, no. In threads ten years old it was suggested to put hooks on the functions that work with memory mapping, etc. As I understood it, SSDT hooks are meant. However, with Windows 10 the use of those has become very restricted. To be honest, I don't really know what I'm talking about here myself; on Win 10 x64 it did work, but in general it is not recommended. How to solve it without hooks?
- Ring3 is not an option. Only a driver.
- Simply intercepting the opening of all files in IRP_MJ_CREATE: but there it is still impossible to tell whether it is going to be a read or a write. And any parsing algorithms for white/black lists there are too big a hit on performance, and together with DbgPrint it is simply unbearable to debug.

2

Re: IRP_MJ_READ + notepad = ... How to solve it without hooks?

Hello, sergey77666, you wrote:
S> There are already several threads on forums saying that IRP_MJ_READ for some reason does not fire if a file is opened with Notepad (notepad.exe)
"Does not work" is a rather fuzzy statement... Notepad (and some other programs) use memory-mapped files (MMF). First the file is opened (CreateFile), then a section object is created (CreateFileMapping), then a view is mapped (MapViewOfFile), and from then on the application works with the mapped view as with ordinary memory. The handle of the source file may already be closed (CloseHandle) by that point; this has to be taken into account. On a read from that memory an IRP_MJ_READ will arrive (with the IRP_PAGING_IO or IRP_SYNCHRONOUS_PAGING_IO flag), and likewise an IRP_MJ_WRITE on a write. Though the write may come much later (you can wait hours and days and it still doesn't happen, since the system keeps the buffer in memory without flushing it to disk). The subject was discussed recently, see here: Mini-Filter, MMF and  - secrets, secrets https://rsdn.org/forum/asm/6968909.all Author: eight Date: 21.11 17:57

3

Re: IRP_MJ_READ + notepad = ... How to solve it without hooks?

Hello, okman, you wrote:
O> Hello, sergey77666, you wrote:
S>> There are already several threads on forums saying that IRP_MJ_READ for some reason does not fire if a file is opened with Notepad (notepad.exe)
O> "Does not work" is a rather fuzzy statement...
O> Notepad (and some other programs) use memory-mapped files (MMF).
O> First the file is opened (CreateFile), then a section object is created (CreateFileMapping), then a view is mapped
O> (MapViewOfFile), and from then on the application works with the mapped view as with ordinary memory.
O> The handle of the source file may already be closed (CloseHandle) by that point; this has to be taken into account.
O> On a read from that memory an IRP_MJ_READ will arrive (with the IRP_PAGING_IO or IRP_SYNCHRONOUS_PAGING_IO flag),
O> and likewise an IRP_MJ_WRITE on a write. Though the write may come much later (you can wait hours and days and
O> it still doesn't happen, since the system keeps the buffer in memory without flushing it to disk).
O> The subject was discussed recently, see here:
O> Mini-Filter, MMF and  - secrets, secrets
O> https://rsdn.org/forum/asm/6968909.all Author: eight Date: 21.11 17:57
The thing is that IRP_MJ_WRITE works normally. I just opened a file in Notepad (a tiny file, ten characters, ANSI encoding, Windows 10 x64), changed something and saved. The write came, two of them for one file in fact; in the first one ProcessImageInformation is identified as notepad.exe, in the second it is null (honestly, what a mess these filters are... depressing... the customer is clearly not going to be delighted). And there is no Read at all. By the way, I am sitting at a computer where my driver is running. Thirty minutes of normal flight. And then, some phantom BSOD. The problem with Edge has been fixed, but there is still a BSOD, and not in the driver but in ntoskrnl.exe; now it complains about something to do with Kernel and Debug. I will create a separate thread with more detail later.
I wonder whether it could be that the processor is overloaded by DbgPrintEx, or is it some bug after all? RAM doesn't seem to be overloaded.

4

Re: IRP_MJ_READ + notepad = ... How to solve it without hooks?

Hello, sergey77666, you wrote:
S> And then, some phantom BSOD. The problem with Edge has been fixed, but there is still a BSOD, and not in the driver but in ntoskrnl.exe; now it complains about something to do with Kernel and Debug.
Judging by the symptoms, you corrupt the stack and then ret to a bad address.

5

Re: IRP_MJ_READ + notepad = ... How to solve it without hooks?

Hello, sergey77666, you wrote:
S> The thing is that IRP_MJ_WRITE works normally.
S> I just opened a file in Notepad (a tiny file, ten characters, ANSI encoding, Windows 10 x64), changed something and saved.
S> The write came, two of them for one file in fact; in the first one ProcessImageInformation is identified as notepad.exe, in the second it is null (honestly, what a mess these filters are... depressing... the customer is clearly not going to be delighted).
S> And there is no Read at all.
Try watching in parallel with some Process Monitor as well. You will see that IRP_MJ_READ is there after all (otherwise it would be some kind of mysticism)...

6

Re: IRP_MJ_READ + notepad = ... How to solve it without hooks?

Hello, sergey77666, you wrote:
S> There are already several threads on forums saying that IRP_MJ_READ for some reason does not fire if a file is opened with Notepad (notepad.exe)
How can it not work? There is no other way to read the data. Only paging reads will go through.
S> - Simply intercepting the opening of all files in IRP_MJ_CREATE: but there it is still impossible to tell whether it is going to be a read or a write. And any parsing algorithms for white/black lists there are too big a hit on performance, and together with DbgPrint it is simply unbearable to debug.
You can track section creation (acquire_section_sync), but what for, if the paging I/O will come anyway?

7

Re: IRP_MJ_READ + notepad = ... How to solve it without hooks?

Hello, okman, you wrote:
O> Hello, sergey77666, you wrote:
S>> The thing is that IRP_MJ_WRITE works normally.
S>> I just opened a file in Notepad (a tiny file, ten characters, ANSI encoding, Windows 10 x64), changed something and saved.
S>> The write came, two of them for one file in fact; in the first one ProcessImageInformation is identified as notepad.exe, in the second it is null (honestly, what a mess these filters are... depressing... the customer is clearly not going to be delighted).
S>> And there is no Read at all.
O> Try watching in parallel with some Process Monitor as well.
O> You will see that IRP_MJ_READ is there after all (otherwise it would be some kind of mysticism)...
So what, wait hours and days? Well, that doesn't fly. By the way, Process Monitor from Russinovich doesn't show how it traced it. And it looks more like it works in Ring3.

8

Re: IRP_MJ_READ + notepad = ... How to solve it without hooks?

Hello, sergey77666, you wrote:
S> So what, wait hours and days?
Not at all. Notepad read the file somehow, right? It could not have done so in any way other than by making a read request to the file system, explicitly or implicitly. And a read request is in 99% of cases IRP_MJ_READ.
S> By the way, Process Monitor from Russinovich doesn't show how it traced it. And it looks more like it works in Ring3.
It has a packed driver in its resources. That is how almost all Sysinternals utilities work.

9

Re: IRP_MJ_READ + notepad = ... How to solve it without hooks?

Hello, pva, you wrote:
pva> Hello, sergey77666, you wrote:
S>> And then, some phantom BSOD. The problem with Edge has been fixed, but there is still a BSOD, and not in the driver but in ntoskrnl.exe; now it complains about something to do with Kernel and Debug.
pva> Judging by the symptoms, you corrupt the stack and then ret to a bad address.
Even though I am also a reverse engineer, I have only a vague idea about the stack, and I don't feel like properly mastering the whole arsenal for this platform right now. What could it look like? I'd like to come up with something cleverer for diagnostics than simply enabling and disabling pieces. There is a lot of string work in this area, all kinds of it; in the kernel I went with PWCHAR rather than UNICODE_STRING (a lot of data has to be stored, and u.s. is too short, which is why I used pwchar). There was once a construct RtlStringCchCatW(pwchar, 5000, unicodeStr.Buffer) that already led to phantom BSODs, but those were strings from kernel functions; here I create the string myself. Working with PWCHAR looks roughly like this:

    PWCHAR buf = NULL;
    buf = (PWCHAR)ExAllocatePoolWithTag(NonPagedPool, sizeof(WCHAR) * 1024, 'NC__');
    if (buf != NULL) {                        /* a NonPagedPool allocation can fail */
        RtlZeroMemory(buf, sizeof(WCHAR) * 1024);
        RtlStringCchPrintfW(buf, 1024, L"%wZ", &pFileObject->FileName);
    }

Another important point. None of the ExAllocatePoolWithTag allocations are released afterwards. They simply aren't freed. It also bothers me that one of the PWCHARs is declared globally; it is accessed by the minifilter (whose callbacks, apparently, run in parallel), and moreover by a separate thread, which uses it and then clears it. All of this without any locking or semaphores. On the laptop, I repeat, everything seems to work. Although the only differences there are a faster processor and more RAM.
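The RtlStringCchCatW(pwchar, 5000, unicodeStr.Buffer) construct mentioned above is exactly the kind of thing that fits pva's "you corrupt the stack" diagnosis: FileObject->FileName and the other UNICODE_STRINGs a filter sees are counted strings, Buffer is frequently a view into a longer name and is not guaranteed to be NUL-terminated, so a Cat routine that trusts the terminator scans past Length. The block below is an added example, not code from the thread or from the poster's driver. It models a WDK UNICODE_STRING in plain user-mode C, constructs a non-terminated name view, and contrasts the terminator scan with a bounded append; MakeView, UnsafeScanLength and AppendUnicodeString are this example's own names, and the sample path is constructed.

```c
/*
 * Added example, not code from the thread. Shows why
 * RtlStringCchCatW(buf, n, unicodeStr.Buffer) is unsafe on a kernel
 * UNICODE_STRING and how a bounded append avoids the overrun. The struct
 * mirrors the WDK layout (Length and MaximumLength in bytes, Buffer not
 * guaranteed to be NUL-terminated). MakeView, UnsafeScanLength and
 * AppendUnicodeString are this example's own names; the backing store is
 * constructed, standing in for the names a filter sees in FileObject->FileName.
 */
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

typedef uint16_t WCHAR;   /* UTF-16 code unit, like the WDK's WCHAR */

typedef struct {
    uint16_t Length;         /* bytes in use, terminator not counted */
    uint16_t MaximumLength;  /* bytes available in Buffer */
    WCHAR   *Buffer;         /* may be a view into a longer string */
} UNICODE_STRING;

/* Length of a NUL-terminated WCHAR string, in code units. */
static size_t WcsLen(const WCHAR *s)
{
    size_t n = 0;
    while (s[n] != 0)
        n++;
    return n;
}

/*
 * Fills `backing` with `ascii` widened to UTF-16, pads the rest with 'X' and
 * puts the only NUL in the very last slot, then returns a UNICODE_STRING that
 * covers just the first `nameCch` characters. That is the shape of a name that
 * is a sub-view of a larger buffer: Length is the truth, the terminator is not.
 */
UNICODE_STRING MakeView(WCHAR *backing, size_t backingCch, const char *ascii, size_t nameCch)
{
    size_t n = strlen(ascii);
    for (size_t i = 0; i + 1 < backingCch; i++)
        backing[i] = (WCHAR)(i < n ? (unsigned char)ascii[i] : 'X');
    backing[backingCch - 1] = 0;
    UNICODE_STRING us;
    us.Length = (uint16_t)(nameCch * sizeof(WCHAR));
    us.MaximumLength = (uint16_t)(backingCch * sizeof(WCHAR));
    us.Buffer = backing;
    return us;
}

/*
 * What RtlStringCchCatW(dst, n, us.Buffer) effectively does before copying:
 * scan Buffer for a NUL. With a non-terminated view the scan runs past Length
 * into whatever follows (here the 'X' padding; in the kernel, the next
 * allocation or an unmapped page).
 */
size_t UnsafeScanLength(const UNICODE_STRING *us)
{
    return WcsLen(us->Buffer);
}

/*
 * Bounded append: copy exactly Length/sizeof(WCHAR) code units, keep one slot
 * for the terminator, and refuse rather than truncate when dst is too small.
 * RtlStringCchPrintfW(dst, dstCch, L"%wZ", &us) gives the same guarantees.
 */
bool AppendUnicodeString(WCHAR *dst, size_t dstCch, const UNICODE_STRING *us)
{
    size_t have = WcsLen(dst);
    size_t add = us->Length / sizeof(WCHAR);
    if (have + add + 1 > dstCch)
        return false;
    memcpy(dst + have, us->Buffer, add * sizeof(WCHAR));
    dst[have + add] = 0;
    return true;
}

int main(void)
{
    WCHAR backing[64];
    UNICODE_STRING name = MakeView(backing, 64, "\\Device\\HarddiskVolume2\\test.txt", 32);
    WCHAR dst[40] = { 0 };

    printf("Length says %zu chars, NUL scan says %zu chars\n",
           (size_t)(name.Length / sizeof(WCHAR)), UnsafeScanLength(&name));
    printf("bounded append #1: %s, dst now %zu chars\n",
           AppendUnicodeString(dst, 40, &name) ? "ok" : "refused", WcsLen(dst));
    printf("bounded append #2: %s, dst still %zu chars\n",
           AppendUnicodeString(dst, 40, &name) ? "ok" : "refused", WcsLen(dst));
    return 0;
}
```

The two other things the post describes are separate problems from the overrun: pool allocations that are never freed show up under Driver Verifier as leaks rather than as crashes, and a global PWCHAR touched from minifilter callbacks (which run on arbitrary threads, concurrently) and from a worker thread needs either a per-request buffer or a lock around every access.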

10

Re: IRP_MJ_READ + notepad = ... How to solve it without hooks?

Hello, okman, you wrote:
O> Hello, sergey77666, you wrote:
S>> So what, wait hours and days?
O> Not at all.
O> Notepad read the file somehow, right? It could not have done so in any way other than by making a read request to the file system,
O> explicitly or implicitly. And a read request is in 99% of cases IRP_MJ_READ.
Fine, then why does IRP_MJ_READ work for me in the non-Notepad cases? Stupidly searching the Internet for a working analogue is often how I pass the time, but now my goal is not to spend time but to solve the problem, and with a quite trivial API. What is wrong on my side? No flags about paging or anything else are set, as you can see.

    const FLT_OPERATION_REGISTRATION Callbacks[] = {
        { IRP_MJ_CREATE, 0, PreCreateFileCallback, PostCreateFileCallback },
        { IRP_MJ_READ,   0, PreCreateFileCallback, PostCreateFileCallback },
        { IRP_MJ_WRITE,  0, PreCreateFileCallback, PostCreateFileCallback },
        { IRP_MJ_OPERATION_END }
    };

    CONST FLT_REGISTRATION FilterRegistration = {
        sizeof(FLT_REGISTRATION),
        FLT_REGISTRATION_VERSION,
        0,               // Flags
        NULL,            // Contexts
        Callbacks,       // Callbacks
        MyFilterUnload,
        FilterLoad,
        NULL, NULL, NULL, NULL, NULL, NULL
    };

    res = FltRegisterFilter(pDriverObject, &FilterRegistration, &MyFilterHandle);

S>> By the way, Process Monitor from Russinovich doesn't show how it traced it. And it looks more like it works in Ring3.
O> It has a packed driver in its resources. That is how almost all Sysinternals utilities work.
Well, he can afford to; he is such a respected person, they will give him any certificate.

11

Re: IRP_MJ_READ + notepad = ... How to solve it without hooks?

Hello, sergey77666, you wrote:
S> By the way, Process Monitor from Russinovich doesn't show how it traced it. And it looks more like it works in Ring3.
There you can look at the stack for every line (I think for that you need to point it at dbghelp.dll from the Debugging Tools).

12

Re: IRP_MJ_READ + notepad = ... How to solve it without hooks?

Hello, sergey77666, you wrote:
S> Fine, then why does IRP_MJ_READ work for me in the non-Notepad cases?
Hard to say without seeing the whole code. For now I can only confirm that a correctly built minifilter intercepts both "normal" reads (file I/O) and reads of memory-mapped files (MMF I/O or paging I/O).
S> What is wrong on my side? No flags about paging or anything else are set, as you can see.
S> ...
Is it intended that all operations are handled by the same two callbacks, PreCreateFileCallback and PostCreateFileCallback? IMHO it is somehow illogical to call the handler for, say, Read "PreCreate"...

13

Re: IRP_MJ_READ + notepad = ... How to solve it without hooks?

Hello, okman, you wrote:
O> Hard to say without seeing the whole code.
Well, I will put together a minimal filter.
O> Is it intended that all operations are handled by the same two callbacks, PreCreateFileCallback and PostCreateFileCallback?
O> IMHO it is somehow illogical to call the handler for, say, Read "PreCreate"...
Yes, that is how it is intended. At first I made a separate pair for the test, for Read and Write. Ran it. It turned out:
- it seems to work
- Data->Iopb->Parameters.Read.ByteOffset or Data->Iopb->Parameters.Write.ByteOffset is equal to 0 at the first read/write of a given file and increases with each subsequent call to the same file. I, of course, need to track the first one, so I check its .QuadPart for 0. By the way, could the problem be in that? It also worries me that a program can deliberately access a file not from the beginning but from the place it needs, though it does seek first. Is it possible to track that with such a scheme?
But I didn't bother to split the bulky code into functions, so I made one callback for everything and haven't renamed it yet.
P.S. Should I create new threads for every new question? On the one hand, order; on the other, people are already shouting at me. Though I could create a new account. That is what I should have done: create many accounts and alternate them.

14

Re: IRP_MJ_READ + notepad = ... How to solve it without hooks?

Hello, sergey77666, you wrote:
S> There are already several threads on forums saying that IRP_MJ_READ for some reason does not fire if a file is opened with Notepad (notepad.exe)
As far as I remember from my experience writing file systems, for Notepad to work it was necessary to implement FastIO and paging.

15

Re: IRP_MJ_READ + notepad = ... How to solve it without hooks?

Hello, Cyberax, you wrote:
C> Hello, sergey77666, you wrote:
S>> There are already several threads on forums saying that IRP_MJ_READ for some reason does not fire if a file is opened with Notepad (notepad.exe)
C> As far as I remember from my experience writing file systems, for Notepad to work it was necessary to implement FastIO and paging.
What does "implement" mean? Also, this is a minifilter, not a file system.

16

Re: IRP_MJ_READ + notepad = ... How to solve it without hooks?

Hello, sergey77666, you wrote:
S> Yes, that is how it is intended. At first I made a separate pair for the test, for Read and Write. Ran it. It turned out:
S> - it seems to work
S> - Data->Iopb->Parameters.Read.ByteOffset or Data->Iopb->Parameters.Write.ByteOffset is equal to 0 at the first read/write of a given file and increases with each subsequent call to the same file. I, of course, need to track the first one, so I check its .QuadPart for 0.
S> By the way, could the problem be in that?
A read or a write is not obliged to start at zero. And it is not mandatory.
S> It also worries me that a program can deliberately access a file not from the beginning but from the place it needs, though it does seek first. Is it possible to track that with such a scheme?
For that you can intercept IRP_MJ_SET_INFORMATION with the FilePositionInformation class. The file pointer position is passed there.
S> P.S. Should I create new threads for every new question?
IMHO, as long as the questions stay within the one topic, hardly.
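Two of okman's points above, that a Notepad read shows up as an IRP_MJ_READ carrying IRP_PAGING_IO / IRP_SYNCHRONOUS_PAGING_IO, and that "first read of this file" cannot be decided by ByteOffset == 0, can be checked together in one small model. The block below is an added example, not code from the thread: it is plain user-mode C, so it does not register a real minifilter, but the flag constants are the real ntifs.h / fltKernel.h values and the decision logic is what a pre-read callback would run. The request records are constructed by hand to mimic a plain ReadFile, Notepad faulting in a mapped view, and a read that starts after a seek; FilterReq, ClassifyRead, IsFirstRead and RunScenario are this example's own names.

```c
/*
 * Added example, not code from the thread. A user-mode model of the decision a
 * minifilter pre-read callback makes: which kind of read is this, and is it the
 * first read of this stream? Flag values are the real ntifs.h / fltKernel.h
 * constants; the request records are constructed, not captured. FilterReq,
 * ClassifyRead, IsFirstRead and RunScenario are this example's own names.
 */
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Irp->Flags bits (ntifs.h), exposed to a minifilter as Data->Iopb->IrpFlags. */
#define IRP_NOCACHE               0x00000001u
#define IRP_PAGING_IO             0x00000002u
#define IRP_SYNCHRONOUS_PAGING_IO 0x00000040u
/* FLT_CALLBACK_DATA.Flags bits (fltKernel.h). */
#define FLTFL_CALLBACK_DATA_IRP_OPERATION     0x00000001u
#define FLTFL_CALLBACK_DATA_FAST_IO_OPERATION 0x00000002u

typedef enum { MJ_CREATE, MJ_READ, MJ_WRITE } MajorFn;
typedef enum { NOT_A_READ, READ_CACHED, READ_NONCACHED, READ_PAGING, READ_FASTIO } ReadKind;

typedef struct {
    MajorFn     major;       /* Data->Iopb->MajorFunction */
    uint32_t    dataFlags;   /* Data->Flags */
    uint32_t    irpFlags;    /* Data->Iopb->IrpFlags */
    int64_t     byteOffset;  /* Parameters.Read.ByteOffset.QuadPart */
    uintptr_t   fileObject;  /* Data->Iopb->TargetFileObject, used as the stream identity */
    const char *image;       /* requestor image name, NULL when not resolvable */
} FilterReq;

ReadKind ClassifyRead(const FilterReq *r)
{
    if (r->major != MJ_READ)
        return NOT_A_READ;
    if (r->dataFlags & FLTFL_CALLBACK_DATA_FAST_IO_OPERATION)
        return READ_FASTIO;                 /* no IRP at all: FastIoRead path */
    if (r->irpFlags & (IRP_PAGING_IO | IRP_SYNCHRONOUS_PAGING_IO))
        return READ_PAGING;                 /* MMF page fault or cache-manager fetch */
    if (r->irpFlags & IRP_NOCACHE)
        return READ_NONCACHED;
    return READ_CACHED;                     /* ordinary ReadFile through the cache */
}

/*
 * "First read of this stream" is keyed on the stream, not on ByteOffset == 0.
 * A real filter keeps this in a stream context (FltAllocateContext +
 * FltSetStreamContext); a fixed table stands in for it here.
 */
#define MAX_TRACKED 64
static uintptr_t g_seen[MAX_TRACKED];
static size_t    g_seenCount;

void ResetSeen(void) { g_seenCount = 0; }

bool IsFirstRead(uintptr_t fileObject)
{
    for (size_t i = 0; i < g_seenCount; i++)
        if (g_seen[i] == fileObject)
            return false;
    if (g_seenCount < MAX_TRACKED)
        g_seen[g_seenCount++] = fileObject;
    return true;
}

/* Constructed request stream (not captured from a real system). */
static const FilterReq kRequests[] = {
    { MJ_READ,   FLTFL_CALLBACK_DATA_IRP_OPERATION,     0,                                         0,     0x1000, "SearchIndexer.exe" },
    { MJ_READ,   FLTFL_CALLBACK_DATA_IRP_OPERATION,     0,                                         4096,  0x1000, "SearchIndexer.exe" },
    { MJ_CREATE, FLTFL_CALLBACK_DATA_IRP_OPERATION,     0,                                         0,     0x2000, "notepad.exe" },
    { MJ_READ,   FLTFL_CALLBACK_DATA_IRP_OPERATION,     IRP_PAGING_IO | IRP_SYNCHRONOUS_PAGING_IO, 0,     0x2000, "notepad.exe" },
    { MJ_READ,   FLTFL_CALLBACK_DATA_IRP_OPERATION,     IRP_NOCACHE,                               65536, 0x3000, NULL },
    { MJ_READ,   FLTFL_CALLBACK_DATA_FAST_IO_OPERATION, 0,                                         8192,  0x3000, "SearchIndexer.exe" },
};
#define NUM_REQUESTS (sizeof(kRequests) / sizeof(kRequests[0]))

/*
 * Runs the stream through both checks, filling kinds[] and firstByStream[],
 * and returns how many reads the naive ByteOffset == 0 rule would have called
 * "first", so the caller can see where the two rules disagree.
 */
size_t RunScenario(ReadKind kinds[], bool firstByStream[])
{
    size_t naiveFirst = 0;
    ResetSeen();
    for (size_t i = 0; i < NUM_REQUESTS; i++) {
        kinds[i] = ClassifyRead(&kRequests[i]);
        firstByStream[i] = (kinds[i] != NOT_A_READ) && IsFirstRead(kRequests[i].fileObject);
        if (kinds[i] != NOT_A_READ && kRequests[i].byteOffset == 0)
            naiveFirst++;
    }
    return naiveFirst;
}

int main(void)
{
    static const char *names[] = { "not-a-read", "cached", "noncached", "paging", "fastio" };
    ReadKind kinds[NUM_REQUESTS];
    bool first[NUM_REQUESTS];
    size_t naive = RunScenario(kinds, first);
    for (size_t i = 0; i < NUM_REQUESTS; i++)
        printf("req %zu: %-10s first=%d image=%s\n", i, names[kinds[i]], first[i],
               kRequests[i].image ? kRequests[i].image : "(null)");
    printf("naive ByteOffset==0 rule flags %zu reads as first\n", naive);
    return 0;
}
```

Request 4 is the case post 13 worries about: the process seeks first, so the first read of that stream lands at offset 65536 and the ByteOffset == 0 rule never fires for it, while the per-stream table still reports it as first. Request 3 is the Notepad case: the only read the filter ever sees for the mapped file is a paging read, which is why a callback that filters those out looks as if "IRP_MJ_READ does not work".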

17

Re: IRP_MJ_READ + notepad = ... How to solve it without hooks?

Hello, okman, you wrote:
O> A read or a write is not obliged to start at zero.
But is the file pointer position passed before it then? Or is that optional? Then what is the point of tracking it? I would need to create some array in memory (even with saving to disk) that remembers these files, so as not to handle the same one twice. But dynamic arrays there are a problem...

18

Re: IRP_MJ_READ + notepad = ... How to solve it without hooks?

Hello, sergey77666, you wrote:
S>>> There are already several threads on forums saying that IRP_MJ_READ for some reason does not fire if a file is opened with Notepad (notepad.exe)
C>> As far as I remember from my experience writing file systems, for Notepad to work it was necessary to implement FastIO and paging.
S> What does "implement" mean?
Provide the necessary callbacks for FastIO, which delegate the call further down.
S> Also, this is a minifilter, not a file system.
As I understand it, that makes no difference. A file system without FastIO will not work at all, and a filter will simply miss some operations.