EldoS | Feel safer!

Software components for data protection, secure storage and transfer

Logs access HGFS via VMware guest

#19728
Posted: 04/10/2012 05:33:29
by Jason Coleman (Basic support level)
Joined: 03/21/2012
Posts: 17

Hi there,

I am running the latest driver (Version 2.3.46) on a Windows XP client. I have modified the filemon example to intercept and log synchronous callbacks as well as the async notification events.

However, when I attempt to monitor a VMware share in the host PC I get a blue screen with a message "Multiple IRP Complete Requests" - MULTIPLE_IRP_COMPLETE_REQUESTS.

If I run the Microsoft DDK example file system mini-filter called "Minispy" and attach to \device\HGFS (i.e. the nominated VMware share) then I get logs as normal - no blue screen.

Any ideas?
#19731
Posted: 04/10/2012 07:03:54
by Vladimir Cherniga (EldoS Corp.)

Hi,
Callback Filter may not work with non-Windows shares. Minispy and CBFilter use different driver models (minifilter and legacy fs filter driver). A minifilter works with the filter manager (as a plugin); CBFilter works directly with the file system.
Anyway, could you share a kernel crash dump with us or provide a working sample to reproduce the problem? Thanks in advance.
#19735
Posted: 04/10/2012 09:07:16
by Jason Coleman (Basic support level)
Joined: 03/21/2012
Posts: 17

Hi Vladimir,

Thanks for the quick reply.

So CBFilter is a legacy file system filter driver. OK. So the legacy file system filter cannot handle HGFS redirects (but it's OK with lanman redirector miniport drivers). Is this common between a file system minifilter and a legacy file system driver? I thought the minifilters just simplified the process by replacing the usual location of a legacy filter with a filter manager (which handled the mini filters). The I/O requests still go to either the local file system driver or (in this case) the remote file system driver (via the redirect and TDI transport). The type of remote drive should be irrelevant. Especially as I get some feedback from the host's shared folder - so it is almost working.

The sample used was derived from the fileMon sample but I modified the GUI slightly and added callbacks for the synchronous events. I can email you the sample project if that would help.
#19737
Posted: 04/10/2012 09:44:03
by Vladimir Cherniga (EldoS Corp.)

An I/O request forwarded to a redirector is handled the same way as one that goes to the local file system, but some internal fields in the file object structure (representing a file handle instance) may be used differently in third-party redirectors. These fields are actively used in the filter, and this may be the source of the problem causing the blue screen. To find the solution we need a kernel dump or a way to reproduce the problem. I think it is better to open a corresponding ticket in the helpdesk and post the sample there.
#20651
Posted: 06/28/2012 05:22:13
by Jason Coleman (Basic support level)
Joined: 03/21/2012
Posts: 17

Just a quick note on this - the MSDN minifilter sample for FileMon can intercept redirects for VMware guest shares normally (just like SMB).


As of July 15, 2016 EldoS Corporation will operate as a division of /n software inc. For more information, please read the announcement.
