Query on file system / floppy filter driver

Hi,
I want to write a device driver to monitor all activity to and from
a floppy disk.

In actual fact, all I want to see are create/open/close requests on any
files,
and any read/write activity once those files are open. I have looked at the
FileMon
application (and source) from sysinternals. This does *not* fit my
requirements, because
it does not appear to capture all activity - specifically, it does not show
any
activity as a result of memory-mapped files (i.e. a section object created
from
a file on disk, mapped into a process's address space).

I really want to monitor all reads/writes, even those resulting from virtual
memory operations.
Ideally I would like to be able to easily map these reads/writes back to a
specific
file / file offset.

So, what type of filter driver do I need to implement? A very low-level
filter which
sits under / just above the floppy driver, or some kind of file-system
driver? Which
floppy driver do I need to filter, and at what level is the easiest to
insert a driver into?

Advice on this subject would be much appreciated...

Thanks,
James

Comments inline>

"James Brown" <> wrote
> Hi,
> I want to write a device driver to monitor all activity to and from
> a floppy disk.
>
> In actual fact, all I want to see are create/open/close requests on any
> files,
> and any read/write activity once those files are open. I have looked at
the
> FileMon
> application (and source) from sysinternals. This does *not* fit my
> requirements, because
> it does not appear to capture all activity - specifically, it does not
show
> any
> activity as a result of memory-mapped files (i.e. a section object created
> from
> a file on disk, mapped into a process's address space).
>
> I really want to monitor all reads/writes, even those resulting from
virtual
> memory operations.
> Ideally I would like to be able to easily map these reads/writes back to a
> specific
> file / file offset.
>
What does this requirement mention? Disk sectors? NO. Files? YES. Ergo,
file system filter. At least all you need is FastFat.sys, though it is
possible under some circumstances to get a NTFS formatted floppy. But why
would you care?

> So, what type of filter driver do I need to implement? A very low-level
> filter which
> sits under / just above the floppy driver, or some kind of file-system
> driver? Which
> floppy driver do I need to filter, and at what level is the easiest to
> insert a driver into?
>
Storage filter is the easiest. A file system filter is one of the most
difficult to write, but since you have not mentioned that you want to do
anything with the data going to or coming from the floppy it is much easier
than an active filter. Try sfilter from the IFS Kit. Don't say it costs
money, takes too much time, etc. as your requirements are very specific to
file system filters. Trying to intrepret the file system at a storage
device level is not easy, but I can do it. I doubt that you can from the
questions posed.

> Advice on this subject would be much appreciated...
>
> Thanks,
> James
>
>

"David J. Craig" <> wrote in message
news:...
> Comments inline>
>
> "James Brown" <> wrote
> > Hi,
> > I want to write a device driver to monitor all activity to and from
> > a floppy disk.
> >
> > In actual fact, all I want to see are create/open/close requests on any
> > files,
> > and any read/write activity once those files are open. I have looked at
> the
> > FileMon
> > application (and source) from sysinternals. This does *not* fit my
> > requirements, because
> > it does not appear to capture all activity - specifically, it does not
> show
> > any
> > activity as a result of memory-mapped files (i.e. a section object
created
> > from
> > a file on disk, mapped into a process's address space).
> >
> > I really want to monitor all reads/writes, even those resulting from
> virtual
> > memory operations.
> > Ideally I would like to be able to easily map these reads/writes back to
a
> > specific
> > file / file offset.
> >
> What does this requirement mention? Disk sectors? NO. Files? YES. Ergo,
> file system filter. At least all you need is FastFat.sys, though it is
> possible under some circumstances to get a NTFS formatted floppy. But why
> would you care?
>
> > So, what type of filter driver do I need to implement? A very low-level
> > filter which
> > sits under / just above the floppy driver, or some kind of file-system
> > driver? Which
> > floppy driver do I need to filter, and at what level is the easiest to
> > insert a driver into?
> >
> Storage filter is the easiest. A file system filter is one of the most
> difficult to write, but since you have not mentioned that you want to do
> anything with the data going to or coming from the floppy it is much
easier
> than an active filter. Try sfilter from the IFS Kit. Don't say it costs
> money, takes too much time, etc. as your requirements are very specific to
> file system filters. Trying to intrepret the file system at a storage
> device level is not easy, but I can do it. I doubt that you can from the
> questions posed.
>
> > Advice on this subject would be much appreciated...
> >
> > Thanks,
> > James
> >
> >
>
>


David,
Thanks for the swift reply. You are right, I am very inexperienced with
file-system
drivers, but am quite comfortable with kernel-mode programming in general...

The only thing I want to do with the data that goes to/from a floppy device
is
to buffer it up..I do not want to modify the data, only see what is being
read / written,
so that (for example) I can rebuild a file's contents onto harddisk based on
what my
driver sees being passed through it.

The IFS kit is not a problem, if that is the right way for me to go. I'm
just trying to
get a better picture of what steps I will have to take to solve my problem..

James

"Maxim S. Shatskih" <> wrote in message
news:...
> > So, what type of filter driver do I need to implement? A very
> low-level
> > filter which
> > sits under / just above the floppy driver, or some kind of
> file-system
> > driver? Which
>
> PnP disk filter driver. IIRC the DDK has samples of filter drivers.
> The disk requests are read and write - read sectors and write sectors.
> Surely file-level CreateFile will not be filtered by such a filter, as
> mkdir() and others will not.
>
> Also forget FILEMON, it is a code using dangerous unreliable
> practices, which are more or less OK in a lab tool but unsuitable in
> the product.
>
> Max
>
>


Max,
Thanks for the reply. I'll look into disk filter drivers, for sure. I am
beginning to
realise that I will have a difficult task trying to map file sectors into
actual file contents,
but if this is the only method available then so be it.

I am aware that the filemon sample has a somewhat dubious reputation
regarding
it's implementation, although I am not able to pin-point it's problems at
present..would
you care to indicate some of the problem areas that filemon presents, so
that I can
learn how to avoid these issues in my own drivers?

Thanks,
James

Because your requirements include being able to map data accesses back
to a file/file offset, you need a filesystem filter and not a disk
filter. Although memory-mapped I/O at the 'upper-level' is not
filterable, since the app operates directly on Cache Manager memory
pages, this memory must be paged in upon first access, and dirty pages
written out eventually. The Memory Manager satisfies these requirements
by generating paging I/O read/write IRPs that can be intercepted by your
filter.

I'll re-iterate what Max said and advocate not using FileMon. Start with
the FileSpy sample from the IFSKIT, it is much better.

James Brown wrote:

> Hi,
> I want to write a device driver to monitor all activity to and from
> a floppy disk.
>
> In actual fact, all I want to see are create/open/close requests on any
> files,
> and any read/write activity once those files are open. I have looked at the
> FileMon
> application (and source) from sysinternals. This does *not* fit my
> requirements, because
> it does not appear to capture all activity - specifically, it does not show
> any
> activity as a result of memory-mapped files (i.e. a section object created
> from
> a file on disk, mapped into a process's address space).
>
> I really want to monitor all reads/writes, even those resulting from virtual
> memory operations.
> Ideally I would like to be able to easily map these reads/writes back to a
> specific
> file / file offset.
>
> So, what type of filter driver do I need to implement? A very low-level
> filter which
> sits under / just above the floppy driver, or some kind of file-system
> driver? Which
> floppy driver do I need to filter, and at what level is the easiest to
> insert a driver into?
>
> Advice on this subject would be much appreciated...
>
> Thanks,
> James
>
>

Nick,
Thanks for the response - I had the impression that a file-system filter
was quite high-level in the general scheme of things, and wouldn't
get to see paging I/O Irps as you describe, but the FileSpy sample
seems to be just what I'm looking for..

Thanks,
James

"Nick Ryan" <> wrote in message
newsrHQa.53847$OZ2.9437@rwcrnsc54...
> Because your requirements include being able to map data accesses back
> to a file/file offset, you need a filesystem filter and not a disk
> filter. Although memory-mapped I/O at the 'upper-level' is not
> filterable, since the app operates directly on Cache Manager memory
> pages, this memory must be paged in upon first access, and dirty pages
> written out eventually. The Memory Manager satisfies these requirements
> by generating paging I/O read/write IRPs that can be intercepted by your
> filter.
>
> I'll re-iterate what Max said and advocate not using FileMon. Start with
> the FileSpy sample from the IFSKIT, it is much better.
>
> James Brown wrote:
>
> > Hi,
> > I want to write a device driver to monitor all activity to and from
> > a floppy disk.
> >
> > In actual fact, all I want to see are create/open/close requests on any
> > files,
> > and any read/write activity once those files are open. I have looked at
the
> > FileMon
> > application (and source) from sysinternals. This does *not* fit my
> > requirements, because
> > it does not appear to capture all activity - specifically, it does not
show
> > any
> > activity as a result of memory-mapped files (i.e. a section object
created
> > from
> > a file on disk, mapped into a process's address space).
> >
> > I really want to monitor all reads/writes, even those resulting from
virtual
> > memory operations.
> > Ideally I would like to be able to easily map these reads/writes back to
a
> > specific
> > file / file offset.
> >
> > So, what type of filter driver do I need to implement? A very low-level
> > filter which
> > sits under / just above the floppy driver, or some kind of file-system
> > driver? Which
> > floppy driver do I need to filter, and at what level is the easiest to
> > insert a driver into?
> >
> > Advice on this subject would be much appreciated...
> >
> > Thanks,
> > James
> >
> >
>