  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 429

File Hook in a SYS for NT!!!!

Does anyone know how to make a file hook in a SYS for NT with the DDK?
I tried with AttachDevice but I had a lot of problems (the system halts).
I'd appreciate a sample.....
At least give me some URLs or some discussion forums.
1 Solution
try looking at the sources of filemon at www.sysinternals.com.

you might get a clue there

(aaaaaaargh.....1000 points....)
The function you need is 'IoAttachDeviceToDeviceStack()' - here is the description from the DDK docs:

    PDEVICE_OBJECT
    IoAttachDeviceToDeviceStack(
            IN PDEVICE_OBJECT  SourceDevice,
            IN PDEVICE_OBJECT  TargetDevice
            );

IoAttachDeviceToDeviceStack attaches the caller's device object to the highest device object in the chain and returns a pointer to the previously highest device object. I/O requests bound for the target device are routed first to the caller.

Parameters
SourceDevice
Points to the caller-created device object.
TargetDevice
Points to another driver's device object, such as a pointer returned by a preceding call to IoGetDeviceObjectPointer.

Return Value
IoAttachDeviceToDeviceStack returns a pointer to the device object to which the SourceDevice was attached. The returned device object pointer can differ from TargetDevice if TargetDevice had additional drivers layered on top of it.
IoAttachDeviceToDeviceStack returns NULL if it could not attach the device object because, for example, the target device was being unloaded.

IoAttachDeviceToDeviceStack establishes layering between drivers so that the same IRPs are sent to each driver in the chain.
An intermediate driver can use this routine during initialization to attach its own device object to another driver's device object. Subsequent I/O requests sent to TargetDevice are sent first to the intermediate driver.
This routine sets the AlignmentRequirement in SourceDevice to the value in the next-lower device object and sets the StackSize to the value in the next-lower object plus one.
A driver writer must take care to call this routine before any drivers that must layer on top of their driver. IoAttachDeviceToDeviceStack attaches SourceDevice to the highest device object currently layered in the chain and has no way to determine whether drivers are being layered in the correct order.
A driver that acquired a pointer to the target device by calling IoGetDeviceObjectPointer should call ObDereferenceObject with the file object pointer that was returned by IoGetDeviceObjectPointer to release its reference to the file object before it detaches its own device object, for example, when such a higher-level driver is unloaded.
Callers of IoAttachDeviceToDeviceStack must be running at IRQL PASSIVE_LEVEL.

I'll try to find some samples...

BTW  - if livni hadn't already pointed you to www.sysinternals.com, I'd have also ;-)
sysinternals basically do it the 'older' way:

        // The file system's device hasn't been hooked already, so make a hooking device
        //  object that will be attached to it.
        ntStatus = IoCreateDevice( DriverObject,
                    // ... the device extension size, name, type, characteristics
                    //     and exclusive flag are elided in the quoted snippet ...
                    &hookDevice );
        if ( !NT_SUCCESS(ntStatus) ) {

            DbgPrint(("Filemon: failed to create associated device: %c\n", 'A'+Drive ));

            return FALSE;
        }

        // Clear the device's init flag as per NT DDK KB article on creating device
        // objects from a dispatch routine
        hookDevice->Flags &= ~DO_DEVICE_INITIALIZING;

        // Setup the device extensions. The drive letter and file system object are stored
        // in the extension.
        hookExtension = hookDevice->DeviceExtension;
        hookExtension->LogicalDrive = 'A'+Drive;
        hookExtension->FileSystem   = fileSysDevice;

        // Finally, attach to the device. The second we're successfully attached, we may
        // start receiving IRPs targeted at the device we've hooked.
        ntStatus = IoAttachDeviceByPointer( hookDevice, fileSysDevice );

The key here is:

    NTSTATUS
    IoAttachDeviceByPointer(
            IN PDEVICE_OBJECT  SourceDevice,
            IN PDEVICE_OBJECT  TargetDevice
            );

This routine is obsolete; use IoAttachDeviceToDeviceStack.
IoAttachDeviceByPointer attaches the caller's device object to a target device object so that I/O requests bound for the target device are routed first to the caller. This routine returns STATUS_SUCCESS or STATUS_NO_SUCH_DEVICE.
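As an added example (not from this thread, the DDK or filemon), here is a small user-mode C model of the layering that the IoAttachDeviceToDeviceStack description and the filemon snippet above rely on: the attach walks to the current top of the chain, sets StackSize to the lower object's plus one, and returns the device it actually attached to, while IRPs are routed top-down with one stack location consumed per layer. It also shows the failure mode where an IRP has no stack location for a freshly attached layer, which the real kernel reports as a bugcheck rather than a return code; every type and routine name here is a constructed stand-in, not a kernel API.

```c
/* Constructed user-mode stand-ins for the DDK types; not real kernel code. */
#include <stdio.h>

typedef struct DeviceObject {
    const char *Name;
    int StackSize;                        /* IRP stack locations this layer needs */
    struct DeviceObject *AttachedDevice;  /* next-higher device, NULL at the top */
    struct DeviceObject *LowerDevice;     /* device this one attached to */
} DeviceObject;

typedef struct Irp {
    int CurrentLocation;                  /* stack locations still unused */
    const char *Trace[8];                 /* devices that saw the IRP, top-down */
    int Seen;
} Irp;

/* Model of IoAttachDeviceToDeviceStack: attach at the current top of the chain
 * and return that top, which equals TargetDevice only if nothing sat on it. */
DeviceObject *AttachToStack(DeviceObject *source, DeviceObject *target) {
    DeviceObject *top = target;
    while (top->AttachedDevice != NULL)
        top = top->AttachedDevice;
    top->AttachedDevice = source;
    source->LowerDevice = top;
    source->StackSize = top->StackSize + 1;  /* next-lower object plus one */
    return top;
}

/* Model of IoAllocateIrp(StackSize): an IRP sized for the device it targets. */
Irp MakeIrp(int stackSize) { Irp irp = {0}; irp.CurrentLocation = stackSize; return irp; }

/* Pass-through dispatch plus IoCallDriver: each layer consumes one stack
 * location, records itself and forwards down. Returns -1 when none is left;
 * the real kernel bugchecks there instead of returning to the caller. */
int CallDriver(DeviceObject *dev, Irp *irp) {
    if (irp->CurrentLocation <= 0 || irp->Seen >= 8)
        return -1;
    irp->CurrentLocation--;
    irp->Trace[irp->Seen++] = dev->Name;
    return dev->LowerDevice ? CallDriver(dev->LowerDevice, irp) : 0;
}

int main(void) {
    DeviceObject fs = {"ntfs", 1, NULL, NULL}, flt = {"filter", 0, NULL, NULL};
    AttachToStack(&flt, &fs);                /* filter now sits above ntfs */
    Irp irp = MakeIrp(flt.StackSize);
    int status = CallDriver(&flt, &irp);
    printf("status %d, %d layers saw the IRP\n", status, irp.Seen);
    return 0;
}
```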

I think JKR is one of world's wonders...

Tommy Hui (Engineer) commented:
You can also get the book Windows NT File System Internals by Rajeev Nagar ISBN: 1-56592-249-2 and read Chapter 12, which thoroughly covers filter drivers.
Yes, that's the book that is found at 'http://www.oreilly.com/catalog/wininternals/index.html' when searching the web for 'IoAttachDeviceToDeviceStack()' ;-)

You might also want to take a look at 'http://msdn.microsoft.com/library/periodic/period98/html/popopenpriveledgedsetofapiswithwindowsntkernelmodedrivers.htm', which describes how the Win2k EFS driver uses this technique to 'run' atop the NTFS driver (but this one does not go too deep...)
BTW: Make sure to also check out 'www.osr.com'...
