none
What is the best way to compute the MD5 of a file from within a filesystem filter driver RRS feed

  • Question

  • Greetings!

    I am developing a filesystem filter driver that monitors file creations. My driver is based on the sample code "scanner" in the DDK. I need to calculate the MD5 of the file in the PostCreate stage. I am using FltReadFile() to read the file where I have to read block by block - which I think is kinda inefficient. Is there a way to get the size of the file before I read ? That way I can allocate enough memory in advance and then read it in one shot. I don't see a FltXxxx function to read the size of the file. How do I do it ?? (Or if there is a another way to calculate MD5 that would work too)

    I also ran into another problem. For block by block reading, I use FltAllocatePoolAlignedWithTag/Free functions. I noticed that if I don't use the same exact variable to Free the block I get bsod. For example I allocate a block using a variable pBlock and then add it to an array of pointers. Later on I Free the blocks with array[index] - then I get the BSOD. The bug check code is BAD_POOL_HEADER. Any idea what is going on ? This is okay to do right ?

    Thanks

    ~B

    Friday, April 10, 2015 8:34 AM

Answers

  • FltQueryInformationFile will get you the size information.  On the BSOD it is likely you are passing the wrong pointer back, give us a !analyze -v of the crash dump, so we can start the process of debugging.  Run your driver with "Driver Verifier" and enable special pool, to catch things.


    Don Burn Windows Driver Consulting Website: http://www.windrvr.com

    Friday, April 10, 2015 11:28 AM