[p30arena]

How to get newly mounted volume Label using filter driver

Hi all,
i used IRP_MJ_FILE_SYSTEM_CONTROL to monitor IRP_MN_MOUNT_VOLUME requests:

Code: Select all

NTSTATUS FsFilterFsControl(
    __in PDEVICE_OBJECT DeviceObject,
    __in PIRP           Irp
    )
{
	OBJECT_NAME_INFORMATION ONI;
	ULONG len;
	PIO_STACK_LOCATION irpSp = NULL;
	NTSTATUS ntStatus = STATUS_SUCCESS;
	PIO_STACK_LOCATION nextLoc;
	PFSFILTER_DEVICE_EXTENSION pDevExt = (PFSFILTER_DEVICE_EXTENSION)DeviceObject->DeviceExtension;
	irpSp = IoGetCurrentIrpStackLocation(Irp);
	switch(irpSp->MinorFunction)
	{
		case IRP_MN_MOUNT_VOLUME:
			DbgPrint("Mounting...");
			dev[i] = irpSp->Parameters.MountVolume.Vpb->RealDevice;
			i=(i+1)%5;
			//if(ObQueryNameString(irpSp->Parameters.MountVolume.Vpb->RealDevice,&ONI,sizeof(ONI),&len)==STATUS_SUCCESS)
			//DbgPrint("\nVOLUME : %wZ\n",ONI.Name);
			nextLoc = IoGetNextIrpStackLocation(Irp);
			*nextLoc= *(IoGetCurrentIrpStackLocation(Irp));

			IoSetCompletionRoutine(
							Irp, 
							CompletionRoutine,
							irpSp->Parameters.MountVolume.Vpb->RealDevice,//DeviceObject,//
							TRUE,
							TRUE,
							TRUE
						  );
			nIrpsToComplete= nIrpsToComplete + 1;
			ntStatus= IoCallDriver(
								pDevExt->AttachedToDeviceObject,
								Irp
						   );
			break;

		default:
			return FsFilterDispatchPassThrough(DeviceObject, Irp);
			break;
	}

	return ntStatus;
}

and here is my CompletionRoutine :

Code: Select all

NTSTATUS CompletionRoutine( IN PDEVICE_OBJECT pDeviceObject, 
							IN PIRP pIrp,
							IN PVOID Context
						  )
{
	NTSTATUS ntStatus = STATUS_SUCCESS;
	PIO_STACK_LOCATION irpSp = NULL;
	irpSp = IoGetCurrentIrpStackLocation(pIrp);
	DbgPrint("\nCroutine\n");if(IsVolumeMounted(pDeviceObject))
		DbgPrint("\n%wZ\n",pDeviceObject->Vpb->VolumeLabel);
	else
		DbgPrint("\nNotMounted!\n");
	//DbgPrint("\n%wZ\n",irpSp->Parameters.MountVolume.Vpb->VolumeLabel);
	/*for(j=0;j<5;j++)if(dev[j]!=NULL)if(IsVolumeMounted(dev[j]))
	DbgPrint("\n%wZ\n",dev[j]->Vpb->VolumeLabel);
	else
		DbgPrint("\nNotMounted!\n");*/
	if((*pIrp).PendingReturned)
	{
		IoMarkIrpPending(pIrp);
	}

	nIrpsToComplete = nIrpsToComplete - 1;

	return ntStatus;
}

But it always says... not mounted...
what should i do?!

[p30arena]

Code: Select all

__inline
BOOLEAN
IsVolumeMounted(
    __in PDEVICE_OBJECT DeviceObject
    )
{
    return (DeviceObject->Vpb != NULL) &&
           ((DeviceObject->Vpb->Flags & VPB_MOUNTED) != 0);
}

this is the code to check if the Device is a mounted volume

[xdeadcode]

Hi p30arena,

Please read this http://msdn.microsoft.com/en-us/library ... s.85).aspx

The filter manager calls this routine on the first operation after a new volume is mounted.

IRP_MN_MOUNT_VOLUME is virtual IRP that should be rather used to block mounting of volume.

Best regards,

[p30arena]

Thank you for your reply,
would you please provide me some tutorials on writing minifilters? i'm getting confused somehow! :roll:

Best Regards.

[xdeadcode]

Hi p30arena,

1. msdn: http://msdn.microsoft.com/en-us/library ... s.85).aspx
2. v.good blog: http://fsfilters.blogspot.com/ where you can find most of answers for questions you will probably want to ask.
3. WDK samples for fs drivers.

Best regards,

[p30arena]

Thank you,

i was working on http://www.codeproject.com/Articles/435 ... r-Tutorial
and in the article been said :
"The sample driver lacks a commonly required functionality of attaching to the newly arrived volumes. It is done so to make the driver as easy to understand as possible. You can write a IRP_MJ_FILE_SYSTEM_CONTROL handler of your own to track the newly arrived volumes."

i was wondering, how could i do that?!

[R00tKit]

hi in
IoregisterFsRegistrationChange callback monitor for file system so attach to them and filter IRP_MJ_FILE_SYSTEM_CONTROL


this is my old museum code do like this :

Code: Select all

NTSTATUS FileSystemControl_Handler(IN PDEVICE_OBJECT DeviceObject ,IN PIRP Irp)
{
	NTSTATUS ntstat;
	PIO_STACK_LOCATION CurrentIrpStackLocation;
	PDEVICE_OBJECT out;
	PDEVICE_OBJECT obj, realobj;
	PVPB vpb;
	PDEVICE_EXTENSION f = (PDEVICE_EXTENSION)DeviceObject->DeviceExtension;
	BOOLEAN bo=FALSE;
	WCHAR buf[512];
	int bytes;
	NTSTATUS  Status;
	
	 //DeviceObject->DeviceType==FILE_DEVICE_DISK_FILE_SYSTEM ||
	 //  DeviceObject->DeviceType==FILE_DEVICE_CD_ROM_FILE_SYSTEM ||
	 //  DeviceObject->DeviceType==FILE_DEVICE_NETWORK_FILE_SYSTEM)
	 
	 CurrentIrpStackLocation=IoGetCurrentIrpStackLocation(Irp);
	 
	 vpb = CurrentIrpStackLocation->Parameters.MountVolume.Vpb;
			if (vpb==NULL)
			{
				DBGPRINT(("vpb is NULL! \n"));
				IoSkipCurrentIrpStackLocation (Irp);
				return IoCallDriver(f->pTargetDeviceObject, Irp);
			}
			else
				realobj = vpb->RealDevice;
			if (realobj==NULL)
			{
				DBGPRINT(("Real Device object is NULL!"));
				IoSkipCurrentIrpStackLocation (Irp);
				return IoCallDriver(f->pTargetDeviceObject, Irp);
			}
			
	

	QueryDeviceSerial(CurrentIrpStackLocation->Parameters.MountVolume.DeviceObject);
	 
	 
	if(DeviceObject->DeviceType==FILE_DEVICE_CD_ROM_FILE_SYSTEM)
	{
	DBGPRINT(("this is cddvd \n"));
		 if (EnableCDDVD)
		{
			DBGPRINT(("allowed cd\n "));
			IoSkipCurrentIrpStackLocation (Irp);
			return IoCallDriver(f->pTargetDeviceObject, Irp);
		}
		else
		{
			DBGPRINT(("denied cd \n"));
			Irp->IoStatus.Status = STATUS_ACCESS_DENIED;
			Irp->IoStatus.Information =0;
			IoCompleteRequest(Irp, IO_NO_INCREMENT);
			return STATUS_ACCESS_DENIED;
		}
	}
	
	
	

		__try
		{

......

and what you mean volume Label?

[p30arena]

i mean, like "\\DosDevices\E:\"
which "E" is the Volume Label

[R00tKit]

_FILE_FS_VOLUME_INFORMATION => VolumeLabel

Code: Select all

typedef struct _FILE_FS_VOLUME_INFORMATION {
  LARGE_INTEGER VolumeCreationTime;
  ULONG         VolumeSerialNumber;
  ULONG         VolumeLabelLength;
  BOOLEAN       SupportsObjects;
  WCHAR         VolumeLabel[1];
} FILE_FS_VOLUME_INFORMATION, *PFILE_FS_VOLUME_INFORMATION;

what is matter about VolumeLabel ? what you want to do?

[p30arena]

Sorry i meant DriveLetter
nothing, just wanna retrieve the drive letter, for future functionality