File Hook in a SYS for NT!!!!

Does anyone know how to make a filehook in a SYS for NT with DDK?
I tried with AttachDevice but I had a lot of problems (The system halt).
I apreciate a sample .....
At least give me some urls or some discussion forums
THANKS
sepiaAsked:
Who is Participating?
I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

livniCommented:
try looking at the sources of filemon at www.sysinternals.com.

you might get a clue there

(aaaaaaargh.....1000 points....)
0
jkrCommented:
The function you need is 'IoAttachDeviceToDeviceStack()' - here the description from the DDK docs:

PDEVICE_OBJECT
      IoAttachDeviceToDeviceStack(
            IN PDEVICE_OBJECT  SourceDevice,
            IN PDEVICE_OBJECT  TargetDevice
            );
IoAttachDeviceToDeviceStack attaches the caller's device object to the highest device object in the chain and returns a pointer to the previously highest device object. I/O requests bound for the target device are routed first to the caller.
Parameters
SourceDevice
Points to the caller-created device object.
TargetDevice
Points to another driver's device object, such as a pointer returned by a preceding call to IoGetDeviceObjectPointer.
 
Return Value
IoAttachDeviceToDeviceStack returns a pointer to the device object to which the SourceDevice was attached. The returned device object pointer can differ from TargetDevice if TargetDevice had additional drivers layered on top of it.
IoAttachDeviceToDeviceStack returns NULL if it could not attach the device object because, for example, the target device was being unloaded.
Comments
IoAttachDeviceToDeviceStack establishes layering between drivers so that the same IRPs are sent to each driver in the chain.
An intermediate driver can use this routine during initialization to attach its own device object to another driver's device object. Subsequent I/O requests sent to TargetDevice are sent first to the intermediate driver.
This routine sets the AlignmentRequirement in SourceDevice  to the value in the next-lower device object and sets the StackSize to the value in the next-lower-object plus one.
A driver writer must take care to call this routine before any drivers that must layer on top of their driver. IoAttachDeviceToDeviceStack attaches SourceDevice to the highest device object currently layered in the chain and has no way to determine whether drivers are being layered in the correct order.
A driver that acquired a pointer to the target device by calling IoGetDeviceObjectPointer should call ObDereferenceObject with the file object pointer that was returned by IoGetDeviceObjectPointer to release its reference to the file object before it detaches its own device object, for example, when such a higher-level driver is unloaded.
Callers of IoAttachDeviceToDeviceStack must be running at IRQL PASSIVE_LEVEL.

I'll try to find some samples...

BTW  - if livni hadn't already pointed you to www.sysinternals.com, I'd have also ;-)
sysinternals basically do it the the 'older' way:

        //
        // The file system's device hasn't been hooked already, so make a hooking device
        //  object that will be attached to it.
        //
        ntStatus = IoCreateDevice( DriverObject,
                    sizeof(HOOK_EXTENSION),
                    NULL,
                    fileSysDevice->DeviceType,
                    0,
                    FALSE,
                    &hookDevice );
        if ( !NT_SUCCESS(ntStatus) ) {

            DbgPrint(("Filemon: failed to create associated device: %c\n", 'A'+Drive ));  

            return FALSE;
        }
        //
        // Clear the device's init flag as per NT DDK KB article on creating device
        // objects from a dispatch routine
        //
        hookDevice->Flags &= ~DO_DEVICE_INITIALIZING;

        //
        // Setup the device extensions. The drive letter and file system object are stored
        // in the extension.
        //
        hookExtension = hookDevice->DeviceExtension;
        hookExtension->LogicalDrive = 'A'+Drive;
        hookExtension->FileSystem   = fileSysDevice;

        //
        // Finally, attach to the device. The second we're successfully attached, we may
        // start receiving IRPs targetted at the device we've hooked.
        //
        ntStatus = IoAttachDeviceByPointer( hookDevice, fileSysDevice );

The key here is:

NTSTATUS
      IoAttachDeviceByPointer(
            IN PDEVICE_OBJECT  SourceDevice,
            IN PDEVICE_OBJECT  TargetDevice
            );
This routine is obsolete; use IoAttachDeviceToDeviceStack.
IoAttachDeviceByPointer attaches the caller's device object to a target device object so that I/O requests bound for the target device are routed first to the caller. This routine returns STATUS_SUCCESS or STATUS_NO_SUCH_DEVICE.


0

Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
livniCommented:
I think JKR is one of world's wonders...

:-)
0
Introducing Cloud Class® training courses

Tech changes fast. You can learn faster. That’s why we’re bringing professional training courses to Experts Exchange. With a subscription, you can access all the Cloud Class® courses to expand your education, prep for certifications, and get top-notch instructions.

Tommy HuiEngineerCommented:
You can also get the book Windows NT File System Internals by Rajeev Nagar ISBN: 1-56592-249-2 and read Chapter 12, which thoroughly covers filter drivers.
0
jkrCommented:
Yes, that's the book that is found at 'http://www.oreilly.com/catalog/wininternals/index.html' when searching the web for 'IoAttachDeviceToDeviceStack()' ;-)

You might also want to take a look at 'http://msdn.microsoft.com/library/periodic/period98/html/popopenpriveledgedsetofapiswithwindowsntkernelmodedrivers.htm', which descibes how the Win2k EFS driver uses this technique to 'run' atop the NTFS driver (but this one does not go too deep...)
0
jkrCommented:
BTW: Make sure to also check out 'www.osr.com'...


0
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today
Microsoft Development

From novice to tech pro — start learning today.