[p30arena]

Hi,
how can i enumerate all active file system devices, like Ntfs, fat32, ... .?

Best Regards,

[EP_X0FF]

Code: Select all

lkd> !object \FileSystem
Object: fffff8a000077650  Type: (fffffa8006c91f30) Directory
    ObjectHeader: fffff8a000077620 (new version)
    HandleCount: 0  PointerCount: 29
    Directory Object: fffff8a000004850  Name: FileSystem

    Hash Address          Type          Name
    ---- -------          ----          ----
     02  fffffa80092d9a70 Driver        mrxsmb
         fffffa8009294270 Driver        mrxsmb10
     03  fffffa80092dd410 Driver        mrxsmb20
     04  fffffa800903f060 Driver        luafv
     11  fffffa8007b4c6e0 Device        CdfsRecognizer
         fffffa80081d4d10 Driver        rdbss
     12  fffffa8007b4ca70 Driver        Fs_Rec
         fffffa8007b4d510 Device        UdfsDiskRecognizer
     13  fffffa80080d8060 Driver        Msfs
     15  fffffa80081d7060 Driver        DfsC
     16  fffffa800978a960 Driver        cdfs
     17  fffffa800971a520 Driver        srvnet
     19  fffffa80093069d0 Driver        srv
         fffff8a0000774a0 Directory     Filters
     21  fffffa8007acbe70 Driver        FltMgr
         fffffa80092a2e30 Driver        bowser
     22  fffffa8007b4e060 Device        FatCdRomRecognizer
     23  fffffa8007b0c490 Driver        Ntfs
     24  fffffa8006d55cb0 Driver        RAW
         fffffa8007be5c50 Driver        Mup
         fffffa800800a060 Driver        Npfs
     28  fffffa8006d1e690 Driver        FileInfo
     31  fffffa8007b4d2e0 Device        FatDiskRecognizer
     33  fffffa8007b4ee30 Device        ExFatRecognizer
         fffffa800814de20 Driver        NetBIOS
         fffffa8009771060 Driver        srv2
     35  fffffa8007b4c390 Device        UdfsCdRomRecognizer
         fffffa8007ae2710 Driver        MpFilter

network is too file system, mailslot, namedpipe too. Specify your question.

[R00tKit]

hi

you can write minifilter also :) :)

The IoRegisterFsRegistrationChange routine registers a file system filter driver's notification routine to be called whenever a file system registers or unregisters itself as an active file system.

Code: Select all

IoRegisterFsRegistrationChange 

when a file system filter driver calls IoRegisterFsRegistrationChange, its notification routine is also called immediately for all currently registered file systems

Code: Select all

VOID
(*PDRIVER_FS_NOTIFICATION) (
    IN struct _DEVICE_OBJECT *DeviceObject,
    IN BOOLEAN FsActive
    ); 

DeviceObject now is Active FileSystem Deviceses

and also for Enumerate all the mounted devices that currently exist for the given file system use obtained DeviceObject with

Code: Select all

IoEnumerateDeviceObjectList

regard :)

[p30arena]

Thank u for reply

well i need to check filesystems on IRP_MN_MOUNT_VOLUME, and enumerate newly mounted devices,
for now i skipped writing a minifilter and i wanna go the easy way!
well you can take a look at my previous question, the bad news is that, have no time to learn minifilters :(
http://www.kernelmode.info/forum/viewto ... =14&t=1832

no matter the type of filesystem, all are accepted :mrgreen:

Best Regards,

[R00tKit]

well i need to check filesystems on IRP_MN_MOUNT_VOLUME, and enumerate newly mounted devices,
for now i skipped writing a minifilter and i wanna go the easy way!

i say all what you must do

minifilter is beast and simple way to do all you want i one hour

[p30arena]

well then
why this code results in BSOD?!!! :shock:
its WDK sample, nullFilter

Code: Select all

#include <fltKernel.h>
#include <dontuse.h>
#include <suppress.h>

#pragma prefast(disable:__WARNING_ENCODE_MEMBER_FUNCTION_POINTER, "Not valid for kernel mode drivers")


//---------------------------------------------------------------------------
//      Global variables
//---------------------------------------------------------------------------

#define NULL_FILTER_FILTER_NAME     L"NullFilter"

typedef struct _NULL_FILTER_DATA {

    //
    //  The filter handle that results from a call to
    //  FltRegisterFilter.
    //

    PFLT_FILTER FilterHandle;

} NULL_FILTER_DATA, *PNULL_FILTER_DATA;


/*************************************************************************
    Prototypes for the startup and unload routines used for
    this Filter.

    Implementation in nullFilter.c
*************************************************************************/

DRIVER_INITIALIZE DriverEntry;
NTSTATUS
DriverEntry (
    __in PDRIVER_OBJECT DriverObject,
    __in PUNICODE_STRING RegistryPath
    );

NTSTATUS
NullUnload (
    __in FLT_FILTER_UNLOAD_FLAGS Flags
    );

NTSTATUS
NullQueryTeardown (
    __in PCFLT_RELATED_OBJECTS FltObjects,
    __in FLT_INSTANCE_QUERY_TEARDOWN_FLAGS Flags
    );
/*
NTSTATUS InstanceSetupCallback(
  __in  PCFLT_RELATED_OBJECTS FltObjects,
  __in  FLT_INSTANCE_SETUP_FLAGS Flags,
  __in  DEVICE_TYPE VolumeDeviceType,
  __in  FLT_FILESYSTEM_TYPE VolumeFilesystemType
);*/

//
//  Structure that contains all the global data structures
//  used throughout NullFilter.
//

NULL_FILTER_DATA NullFilterData;

//
//  Assign text sections for each routine.
//

#ifdef ALLOC_PRAGMA
#pragma alloc_text(INIT, DriverEntry)
#pragma alloc_text(PAGE, NullUnload)
#pragma alloc_text(PAGE, NullQueryTeardown)
#endif


//
//  This defines what we want to filter with FltMgr
//

CONST FLT_REGISTRATION FilterRegistration = {

    sizeof( FLT_REGISTRATION ),         //  Size
    FLT_REGISTRATION_VERSION,           //  Version
    0,                                  //  Flags

    NULL,                               //  Context
    NULL,                               //  Operation callbacks

    NullUnload,                         //  FilterUnload

    NULL,//InstanceSetupCallback,                               //  InstanceSetup
    NullQueryTeardown,                  //  InstanceQueryTeardown
    NULL,                               //  InstanceTeardownStart
    NULL,                               //  InstanceTeardownComplete

    NULL,                               //  GenerateFileName
    NULL,                               //  GenerateDestinationFileName
    NULL                                //  NormalizeNameComponent

};


/*************************************************************************
    Filter initialization and unload routines.
*************************************************************************/

NTSTATUS
DriverEntry (
    __in PDRIVER_OBJECT DriverObject,
    __in PUNICODE_STRING RegistryPath
    )
/*++

Routine Description:

    This is the initialization routine for this miniFilter driver. This
    registers the miniFilter with FltMgr and initializes all
    its global data structures.

Arguments:

    DriverObject - Pointer to driver object created by the system to
        represent this driver.
    RegistryPath - Unicode string identifying where the parameters for this
        driver are located in the registry.

Return Value:

    Returns STATUS_SUCCESS.

--*/
{
    NTSTATUS status;

    UNREFERENCED_PARAMETER( RegistryPath );

    //
    //  Register with FltMgr
    //

    status = FltRegisterFilter( DriverObject,
                                &FilterRegistration,
                                &NullFilterData.FilterHandle );

    ASSERT( NT_SUCCESS( status ) );

    if (NT_SUCCESS( status )) {

        //
        //  Start filtering i/o
        //

        status = FltStartFiltering( NullFilterData.FilterHandle );

        if (!NT_SUCCESS( status )) {
            FltUnregisterFilter( NullFilterData.FilterHandle );
        }
    }
    return status;
}

NTSTATUS
NullUnload (
    __in FLT_FILTER_UNLOAD_FLAGS Flags
    )
/*++

Routine Description:

    This is the unload routine for this miniFilter driver. This is called
    when the minifilter is about to be unloaded. We can fail this unload
    request if this is not a mandatory unloaded indicated by the Flags
    parameter.

Arguments:

    Flags - Indicating if this is a mandatory unload.

Return Value:

    Returns the final status of this operation.

--*/
{
    UNREFERENCED_PARAMETER( Flags );

    PAGED_CODE();

    FltUnregisterFilter( NullFilterData.FilterHandle );

    return STATUS_SUCCESS;
}

NTSTATUS
NullQueryTeardown (
    __in PCFLT_RELATED_OBJECTS FltObjects,
    __in FLT_INSTANCE_QUERY_TEARDOWN_FLAGS Flags
    )
/*++

Routine Description:

    This is the instance detach routine for this miniFilter driver.
    This is called when an instance is being manually deleted by a
    call to FltDetachVolume or FilterDetach thereby giving us a
    chance to fail that detach request.

Arguments:

    FltObjects - Pointer to the FLT_RELATED_OBJECTS data structure containing
        opaque handles to this filter, instance and its associated volume.

    Flags - Indicating where this detach request came from.

Return Value:

    Returns the status of this operation.

--*/
{
    UNREFERENCED_PARAMETER( FltObjects );
    UNREFERENCED_PARAMETER( Flags );

    PAGED_CODE();

    return STATUS_SUCCESS;
}
/*
NTSTATUS InstanceSetupCallback(
  __in  PCFLT_RELATED_OBJECTS FltObjects,
  __in  FLT_INSTANCE_SETUP_FLAGS Flags,
  __in  DEVICE_TYPE VolumeDeviceType,
  __in  FLT_FILESYSTEM_TYPE VolumeFilesystemType
)
{
	UNREFERENCED_PARAMETER( FltObjects );
    UNREFERENCED_PARAMETER( Flags );

    PAGED_CODE();
	//DbgPrint("%s",FltObjects->Volume->Base);
	return STATUS_SUCCESS;
}*/

[p30arena]

oh i think i'm having issues with loading the minifilter
so i tried to use, osrdriverloader, and chose minifilter from the list,
but now, it says dariver is invalid! :D

[R00tKit]

use WDK doc for nullFilter

The nullFilter minifilter comes with an INF file that will install the minifilter. To install the minifilter, do the following:

Make sure that nullFilter.sys and nullFilter.inf are in the same directory.
In Windows Explorer, right-click nullFilter.inf, and click Install.
This installation will make the necessary registry updates to register the metadata service and place nullFilter.sys in the %SystemRoot%\system32\drivers directory.

To load this minifilter, run fltmc load nullFilter or net start nullFilter.

[p30arena]

Thank you, it worked

Best Regards.