?
Solved

File Hook in a SYS for NT!!!!

Posted on 1999-07-19
6
Medium Priority
?
411 Views
Last Modified: 2013-12-03
Does anyone know how to make a filehook in a SYS for NT with DDK?
I tried with AttachDevice but I had a lot of problems (The system halt).
I apreciate a sample .....
At least give me some urls or some discussion forums
THANKS
0
Comment
Question by:sepia
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 3
  • 2
6 Comments
 
LVL 2

Expert Comment

by:livni
ID: 1403308
try looking at the sources of filemon at www.sysinternals.com.

you might get a clue there

(aaaaaaargh.....1000 points....)
0
 
LVL 86

Accepted Solution

by:
jkr earned 2000 total points
ID: 1403309
The function you need is 'IoAttachDeviceToDeviceStack()' - here the description from the DDK docs:

PDEVICE_OBJECT
      IoAttachDeviceToDeviceStack(
            IN PDEVICE_OBJECT  SourceDevice,
            IN PDEVICE_OBJECT  TargetDevice
            );
IoAttachDeviceToDeviceStack attaches the caller's device object to the highest device object in the chain and returns a pointer to the previously highest device object. I/O requests bound for the target device are routed first to the caller.
Parameters
SourceDevice
Points to the caller-created device object.
TargetDevice
Points to another driver's device object, such as a pointer returned by a preceding call to IoGetDeviceObjectPointer.
 
Return Value
IoAttachDeviceToDeviceStack returns a pointer to the device object to which the SourceDevice was attached. The returned device object pointer can differ from TargetDevice if TargetDevice had additional drivers layered on top of it.
IoAttachDeviceToDeviceStack returns NULL if it could not attach the device object because, for example, the target device was being unloaded.
Comments
IoAttachDeviceToDeviceStack establishes layering between drivers so that the same IRPs are sent to each driver in the chain.
An intermediate driver can use this routine during initialization to attach its own device object to another driver's device object. Subsequent I/O requests sent to TargetDevice are sent first to the intermediate driver.
This routine sets the AlignmentRequirement in SourceDevice  to the value in the next-lower device object and sets the StackSize to the value in the next-lower-object plus one.
A driver writer must take care to call this routine before any drivers that must layer on top of their driver. IoAttachDeviceToDeviceStack attaches SourceDevice to the highest device object currently layered in the chain and has no way to determine whether drivers are being layered in the correct order.
A driver that acquired a pointer to the target device by calling IoGetDeviceObjectPointer should call ObDereferenceObject with the file object pointer that was returned by IoGetDeviceObjectPointer to release its reference to the file object before it detaches its own device object, for example, when such a higher-level driver is unloaded.
Callers of IoAttachDeviceToDeviceStack must be running at IRQL PASSIVE_LEVEL.

I'll try to find some samples...

BTW  - if livni hadn't already pointed you to www.sysinternals.com, I'd have also ;-)
sysinternals basically do it the the 'older' way:

        //
        // The file system's device hasn't been hooked already, so make a hooking device
        //  object that will be attached to it.
        //
        ntStatus = IoCreateDevice( DriverObject,
                    sizeof(HOOK_EXTENSION),
                    NULL,
                    fileSysDevice->DeviceType,
                    0,
                    FALSE,
                    &hookDevice );
        if ( !NT_SUCCESS(ntStatus) ) {

            DbgPrint(("Filemon: failed to create associated device: %c\n", 'A'+Drive ));  

            return FALSE;
        }
        //
        // Clear the device's init flag as per NT DDK KB article on creating device
        // objects from a dispatch routine
        //
        hookDevice->Flags &= ~DO_DEVICE_INITIALIZING;

        //
        // Setup the device extensions. The drive letter and file system object are stored
        // in the extension.
        //
        hookExtension = hookDevice->DeviceExtension;
        hookExtension->LogicalDrive = 'A'+Drive;
        hookExtension->FileSystem   = fileSysDevice;

        //
        // Finally, attach to the device. The second we're successfully attached, we may
        // start receiving IRPs targetted at the device we've hooked.
        //
        ntStatus = IoAttachDeviceByPointer( hookDevice, fileSysDevice );

The key here is:

NTSTATUS
      IoAttachDeviceByPointer(
            IN PDEVICE_OBJECT  SourceDevice,
            IN PDEVICE_OBJECT  TargetDevice
            );
This routine is obsolete; use IoAttachDeviceToDeviceStack.
IoAttachDeviceByPointer attaches the caller's device object to a target device object so that I/O requests bound for the target device are routed first to the caller. This routine returns STATUS_SUCCESS or STATUS_NO_SUCH_DEVICE.


0
 
LVL 2

Expert Comment

by:livni
ID: 1403310
I think JKR is one of world's wonders...

:-)
0
Free learning courses: Active Directory Deep Dive

Get a firm grasp on your IT environment when you learn Active Directory best practices with Veeam! Watch all, or choose any amount, of this three-part webinar series to improve your skills. From the basics to virtualization and backup, we got you covered.

 
LVL 15

Expert Comment

by:Tommy Hui
ID: 1403311
You can also get the book Windows NT File System Internals by Rajeev Nagar ISBN: 1-56592-249-2 and read Chapter 12, which thoroughly covers filter drivers.
0
 
LVL 86

Expert Comment

by:jkr
ID: 1403312
Yes, that's the book that is found at 'http://www.oreilly.com/catalog/wininternals/index.html' when searching the web for 'IoAttachDeviceToDeviceStack()' ;-)

You might also want to take a look at 'http://msdn.microsoft.com/library/periodic/period98/html/popopenpriveledgedsetofapiswithwindowsntkernelmodedrivers.htm', which descibes how the Win2k EFS driver uses this technique to 'run' atop the NTFS driver (but this one does not go too deep...)
0
 
LVL 86

Expert Comment

by:jkr
ID: 1403313
BTW: Make sure to also check out 'www.osr.com'...


0

Featured Post

Free Tool: IP Lookup

Get more info about an IP address or domain name, such as organization, abuse contacts and geolocation.

One of a set of tools we are providing to everyone as a way of saying thank you for being a part of the community.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

This article shows a few slightly more advanced techniques for Windows 7 gadget programming, including how to save and restore user settings for your gadget and how to populate the "details" panel that is displayed in the Windows 7 gadget gallery.  …
For a while now I'v been searching for a circular progress control, much like the one you get when first starting your Silverlight application. I found a couple that were written in WPF and there were a few written in Silverlight, but all appeared o…
This is Part 3 in a 3-part series on Experts Exchange to discuss error handling in VBA code written for Excel. Part 1 of this series discussed basic error handling code using VBA. http://www.experts-exchange.com/videos/1478/Excel-Error-Handlin…
In this video, Percona Solution Engineer Dimitri Vanoverbeke discusses why you want to use at least three nodes in a database cluster. To discuss how Percona Consulting can help with your design and architecture needs for your database and infras…

719 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question