Issuing IO in minifilters: Part 2 – Flt vs. Zw

Sorry about the frequency of my posts, i’m been really swamped with the IFS Plugfest preparations. Anyway, let’s get down to business. So now the way the create path works should be clear. The basic idea is that FltMgr has some targeting information (in which it stores the minifilters below which altitude should see the…


Issuing IO in minifilters: Part 1 – FltCreateFile

In this post I’ll try to address a couple of questions that are all related and that I’ve seen asked a lot. This is a rather long topic so I’ll split into a couple of posts. I’ll try to explain both how things work and why they are this way (at least, why I think…

1

Filter Manager Concepts: Part 7 – IRP_CTRL

One very important structure that everyone writing minifilters very quickly becomes familiar is the FLT_CALLBACK_DATA. This is pretty much the equivalent of an IRP in the minifilter model. The structure is public and is pretty well documented. However, it is in fact just the public part of the picture. Filter manager has an internal structure…

1

Filter Manager Concepts: Part 6 – STREAM_LIST_CTRL

Now that we’ve discussed contexts in general there is one very important structure to talk about. The STREAM_LIST_CTRL is pretty much filter manager’s context for a stream (it is attached to the FCB or SCB, depending on the file system) and it is used to store stream contexts, streamhandle contexts and file contexts (for file…

1

Filter Manager Concepts: Part 5 – CONTEXT_NODE

Why does one need contexts ? Well, the IO model in NT is based on passing objects around and the various components that handle these objects need a way to save information about each object (for example the file system might need to ‘remember’ where the file is located on disk). This information is basically…


Filter Manager Concepts: Part 4 – FLT_INSTANCE

The next logical structure in the hierarchy is the FLT_INSTANCE. An instance represents an attachment of a filter on a volume. Please note that any given filter may have more than one instance on a given volume, at different altitudes. This is something pretty unusual but the system allows it. I’ve used it when I…


Filter Manager Concepts: Part 3 – FLT_FILTER

Well, as you have probably guessed, FLT_FILTER is a structure that describes a minifilter. It is a pretty important structure and people usually become familiar with it once they discover that their minifilter is not unloading, which invariably happens at some point during development. In the grand scheme of things the FLT_FILTER is very similar…


Filter Manager Concepts: Part 2 – FLT_VOLUME

Right below the FLTP_FRAME in the hierarchy of filter manager objects is the FLT_VOLUME. It is a structure that describes the attachment of the FLTP_FRAME to a volume: So, as you can see, each frame is pretty much a list of volumes. These volumes are in fact DEVICE_OBJECTs with which FltMgr attaches to each IO…


Filter Manager Concepts: Part 1 – FLTP_FRAME

Filter Manager’s only purpose is to simplify writing file system filters and sometimes it does this by abstracting some of the things that a filter needs to deal with. However, in my experience a good understanding of the mechanisms behind any abstraction is worth having as there usually are some corner cases where abstractions are…

4