1

Topic: FS Minifilter, IRP_MJ_CREATE. Broken FileName?

Roughly this code:

    FLT_POSTOP_CALLBACK_STATUS PostFileOperationCallback(
        IN OUT PFLT_CALLBACK_DATA Data,
        IN PCFLT_RELATED_OBJECTS FltObjects,
        IN PVOID CompletionContext,
        IN FLT_POST_OPERATION_FLAGS Flags)
    {
        ...
        FILE_OBJECT pFileObject;   /* a FILE_OBJECT by value, not a pointer */
        PWCHAR bufPFO = NULL;
        ...
        if (Data != NULL && Data->Iopb != NULL && !(Data->Iopb->Parameters.Create.Options & FILE_DIRECTORY_FILE)) {
            if (Data->Iopb->TargetFileObject != NULL) {
                pFileObject = *Data->Iopb->TargetFileObject;   /* copies the whole structure */
                if (Data->IoStatus.Information == FILE_CREATED && pFileObject.FileName.Length > 0) {
                    ...
                    bufPFO = (PWCHAR)ExAllocatePoolWithTag(NonPagedPool, sizeof(WCHAR) * 1024, 'NC__');
                    /* zero the buffer */
                    for (iii = 0; iii < 1024; iii++) { bufPFO[iii] = 0; }
                    res = RtlStringCchPrintfW(bufPFO, 1024, L"%wZ", pFileObject.FileName);

And right at this spot, at RtlStringCchPrintfW, sometimes nonsense happens. When I launched Edge it was fine, but when I tried to download and run ChromeSetup.exe there was a BSOD, buffer overflow (though 1024 is, after all, even a lot for a file path, and before it it  and it is visible that there is not nearly that much).

My thoughts:

- next time, look at whether the problem is in shortages  (it , there is such a suspicion);
- and check that in this very pFileObject.FileName, take its Buffer up to \0 and try to do without RtlStringCchPrintfW.

Is there anything to add? Is it possible to pass this pFileObject.FileName here directly as a PWCHAR or UNICODE_STRING?

Also: there was an access violation (in the kernel, again with the same Edge), in the same , right at the end, where there is literally nothing except return FLT_POSTOP_FINISHED_PROCESSING; which all branches end in.

2

Re: FS Minifilter, IRP_MJ_CREATE. Broken FileName?

Hello, sergey77666, you wrote:

S> Roughly this code
S> ...
S> And right at this spot, at RtlStringCchPrintfW, sometimes nonsense happens.

1. The '%wZ' format specifier requires a pointer to a UNICODE_STRING, not the UNICODE_STRING itself.
2. Rather than taking the name from FILE_OBJECT, it is more reliable to use FltGetFileNameInformation.

3

Re: FS Minifilter, IRP_MJ_CREATE. Broken FileName?

Hello, okman, you wrote:

O> Hello, sergey77666, you wrote:
S>> Roughly this code
S>> ...
S>> And right at this spot, at RtlStringCchPrintfW, sometimes nonsense happens.
O> 1. The '%wZ' format specifier requires a pointer to a UNICODE_STRING, not the UNICODE_STRING itself.
O> 2. Rather than taking the name from FILE_OBJECT, it is more reliable to use FltGetFileNameInformation.

1. Then why do I have it without pointers everywhere, and in the kernel it all works? On my notebook the driver worked for about 20 minutes. Edge too. It did not crash anywhere.
2. I can rework it, and I will. As I understood, it gives a more "normal" path, with a drive letter, which would not hurt... And will the numerous checks at the beginning of this code still be needed then? Checking PFILE_OBJECT for NULL, checking what FltGetFileNameInformation returns (there is a structure there with many UNICODE_STRINGs in it; is it necessary to check any of them with &str == NULL (or with str.Length == 0?))
3. I still need to determine precisely whether it is a file or a folder. All the same, my FILE_DIRECTORY_FILE check for some reason sometimes . It is not too terrible, as I then also check the extension, and folders have no chance to get to a broad gull unless the name ends in .sys/.dll/.exe/.bat etc., and that is a very low chance, especially in combination with "". But...

4

Re: FS Minifilter, IRP_MJ_CREATE. Broken FileName?

Hello, sergey77666, you wrote:

S> Roughly this code

I have a suspicion that in such a style it is better to do development for NodeJS and Mongo.

5

Re: FS Minifilter, IRP_MJ_CREATE. Broken FileName?

Hello, Glory, you wrote:

G> Hello, sergey77666, you wrote:
S>> Roughly this code
G> I have a suspicion that in such a style it is better to do development for NodeJS and Mongo.

Well, I do development in this style for dozens of platforms, though C with  I really do not like that much, except in cases when something local needs to be done, like cracking a program or writing a small . But for drivers I can make a lot that is useful: a library of functions that simplifies further work. In the native API, after all, even fucking strtok is not present...

6

Re: FS Minifilter, IRP_MJ_CREATE. Broken FileName?

Hello, okman, you wrote:

O> Hello, sergey77666, you wrote:
S>> Roughly this code
S>> ...
S>> And right at this spot, at RtlStringCchPrintfW, sometimes nonsense happens.
O> 1. The '%wZ' format specifier requires a pointer to a UNICODE_STRING, not the UNICODE_STRING itself.
O> 2. Rather than taking the name from FILE_OBJECT, it is more reliable to use FltGetFileNameInformation.

So. After the wholesale switch to pointers it got worse.

    DbgPrintEx(DPFLTR_IHVDRIVER_ID, DPFLTR_ERROR_LEVEL, "CreateFile: %wZ\r\n", &(pFileObject.FileName));

works.

    res = RtlStringCchPrintfW(bufPFO, 1024, L"%wZ", &(pFileObject.FileName));

does not work; now it permanently produces that 80000005, simply a blank line. So pFileObject.FileName itself is "broken", or something.

There are also suspicions about the function

    FsRtlIsNameInExpression(&strExeExtCheckPattern, &(pFileObject.FileName), TRUE, NULL)

where:

    UNICODE_STRING strExeExtCheckPattern = RTL_CONSTANT_STRING(L"*.EXE");

It hardly damages this FileName. But nevertheless it needs to be looked at. The BSOD is not there but on return, at least in the situation with Edge. First I need to quietly throw out everything, at least all this madness with strings, and see what happens. At the moment of the crash there were 400 MB free (according to Task Manager). ChromeSetup does not eat that much (and the problem was already after it started).
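
An added example, not part of any post in this thread: a user-mode C model of the two string operations discussed above (copying a name into a fixed 1024-style buffer, and the extension check), showing that a counted UNICODE_STRING has to be bounded by Length (a byte count) because its Buffer is not guaranteed to be NUL-terminated. USTR, ustr_to_cstr, ustr_has_ext and the sample data are hypothetical names constructed for illustration; ustr_has_ext is a simplified stand-in for a suffix test, not FsRtlIsNameInExpression.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* User-mode stand-in for the kernel's UNICODE_STRING (same three fields). */
typedef struct {
    uint16_t  Length;         /* bytes in use, terminator not counted */
    uint16_t  MaximumLength;  /* bytes allocated */
    uint16_t *Buffer;         /* UTF-16 units, NOT guaranteed NUL-terminated */
} USTR;

/* Constructed sample: "\a.exe" followed by stale units and no NUL anywhere. */
static uint16_t sample_buf[] = { '\\','a','.','e','x','e','J','U','N','K' };
static const USTR sample_name = { 12, sizeof sample_buf, sample_buf };
static uint16_t out[8];       /* destination buffer used by callers */

/* Copy a counted string into a NUL-terminated buffer of dst_cch units.
   Returns 0 on success, -1 on bad arguments or if the name does not fit
   (dst is then left as an empty string). */
int ustr_to_cstr(uint16_t *dst, size_t dst_cch, const USTR *src)
{
    size_t cch;
    if (dst == NULL || dst_cch == 0) return -1;
    dst[0] = 0;
    if (src == NULL || src->Buffer == NULL) return -1;
    if (src->Length % 2 != 0 || src->Length > src->MaximumLength) return -1;
    cch = src->Length / sizeof(uint16_t);
    if (cch >= dst_cch) return -1;           /* no room for the terminator */
    memcpy(dst, src->Buffer, src->Length);   /* bounded by Length, never by a NUL scan */
    dst[cch] = 0;
    return 0;
}

/* ASCII case-insensitive check that the counted name ends with ext (e.g. ".EXE"). */
int ustr_has_ext(const USTR *name, const char *ext)
{
    size_t n, e, i;
    if (name == NULL || name->Buffer == NULL || ext == NULL) return 0;
    n = name->Length / sizeof(uint16_t);
    e = strlen(ext);
    if (e == 0 || e > n) return 0;
    for (i = 0; i < e; i++) {
        uint16_t c = name->Buffer[n - e + i];
        char x = ext[i];
        if (c >= 'a' && c <= 'z') c = (uint16_t)(c - 32);
        if (x >= 'a' && x <= 'z') x = (char)(x - 32);
        if (c != (uint16_t)x) return 0;
    }
    return 1;
}
```

With the sample above, a scan of Buffer for \0 would run past the end of the array, while the Length-bounded copy stops after "\a.exe".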