Comments by Member 13809184

Member 13809184 17-May-18 3:38am View

Hey Jochen, thanks so much for your input. I found my issue it was with my structs. Thanks so much again.

Member 13809184 15-May-18 6:44am View

Thanks Jochen,

I've changed the values accordingly.

Size calculation is = ULONG replySize = ((ULONG)sizeof(replyBuffer.header)) + ((ULONG)sizeof(replyBuffer));

Status is also set in user mode:

replyMessage.header.Status = 0;

The value in kernel mode now is always 40.

As for flow of functions, During driver entry I instantiate my structures and register my communication port(imageFilterData.filterHandle and imageFilterData.clientPort). I'm registered to listen for MJ_CREATE. During PostOperation I get the filename safely , parse it and copy it into sendingBuffer.messageBuffer (message struct definition below). Then I send it off to user-mode with an allocated reply buffer using FltSendMessage. User-mode receives the file-name successfully. Does some basic processing using the filename then returns 0 or 1 to the filter using FltReplyMessage. Then I attempt to see what value is returned to the kernel and I get some constant unrelated value. If user-mode sends the pass flag 0, kernel mode gets 40 or 56. If user-mode sends 1, kernel-mode gets 40 or 56. I know I must be doing something wrong with the buffer.

Sender Message Struct:
This is passed to user-mode. Filename is copied to message buffer.
typedef struct _MESSAGE_STRUCT {

FILTER_MESSAGE_HEADER header;

PVOID messageBuffer[400];

}MESSAGE_STRUCT , *PMESSAGE_STRUCT;

I've read the WDK minispy and scanner samples regarding user communication. I can't seem to catch what I'm missing. But I will continue, I know there is something I'm missing.

Thanks again for taking the time to take a look at my problem!

Member 13809184 15-May-18 6:04am View

Thanks Jochen,

It's my bad, I've left a decent amount of code out to save space. All values are instantiated before being used (Including struct values). Forgive me for not laying out the code correctly there is a decent amount that I left out. I just tried to get the important stuff to save the readers time.

Everything builds and runs correctly. Including a successful message being sent to user-mode from kernel-mode and the reply to kernel-mode from user-mode works as well. The only issue is the passFlag value doesn't change.

Sadly according to Microsoft documentation there can be some padding issues so they recommending calculating the size of the buffer by adding the size of replyStruct.header + replyStruct
Reference:
(https://msdn.microsoft.com/en-us/library/windows/hardware/ff541508(v=vs.85).aspx)

Thanks again for your reply Jochen!

Member 13809184 4-May-18 7:33am View

Thanks for your concern, I've specifically blocked db files coming from C:\
users\%username%\AppData\local\Microsoft\Windows\Explorer to try and minimize side affects. The rest will be decided by testing. Thank you again.

Member 13809184 4-May-18 7:20am View

Hey Jochen, thanks so much for your replies. It turns out, Windows 10 caches the images and stores them in .db files not normal image files. After I blocked .db files my problem was solved. Thank you again for your help.

Member 13809184 3-May-18 3:10am View

Hey thanks so much for your reply really appreciate it. Do you have any ideas on how I can catch the IRP when it’s being loaded into the cache? I’d assume there is some kind of I/O when the image is being loaded into cache? I’m thinking this could happen before my filter loads, however changing the load order group and the altitude hasn’t made much of a difference. Thanks so much again.

Comments by Member 13809184 (Top 6 by date)