Get file name extension

  • Question

  • Hi

    In my fs filter driver, I want to get the file name extension.

    I have used this code but it crashes my driver and shows a blue screen

    UNICODE_STRING FileName="C:\\Windows\\explorer.exe"; 
    //(i get this name from file object)	    
    UNICODE_STRING ext;
    WCHAR * peek= FileName.Buffer + FileName.Buffer [wcslen(FileName.Buffer) - 1];
    		ext.Buffer=(PWCH)ExAllocatePool( NonPagedPool , 32 ); ext.MaximumLength=32;
    		while (peek >= FileName.Buffer){if (*peek == '.'){RtlCopyMemory(ext.Buffer,peek,32);break;}peek--;}
    		ExFreePool(ext.Buffer);

    And I've tried using FltGetFileNameInformation and it crashes my driver

    Hoping for your help

    Best wishes

    Thursday, November 22, 2012 9:54 PM

All replies

  • Well your statement:

    WCHAR * peek= FileName.Buffer + FileName.Buffer [wcslen(FileName.Buffer) - 1];

    is not getting you the end of the buffer.  Try:

    WCHAR * peek= FileName.Buffer + (wcslen(FileName.Buffer) - 1);



    Don Burn Windows Filesystem and Driver Consulting Website: http://www.windrvr.com Blog: http://msmvps.com/blogs/WinDrvr

    Thursday, November 22, 2012 10:14 PM
  • kernel mode exception not handled (BLUE SCREEN)

    any more suggestions?

    Friday, November 23, 2012 4:47 PM
  • Is the statement:

    UNICODE_STRING FileName="C:\\Windows\\explorer.exe";

    Actually being used?  If so you have a serious problem since UNICODE_STRING is a structure.  If this is coming out of the FILE_OBJECT as your comment says then there is no NULL on the name.  Use:

    WCHAR *Peek =((PWCHAR) (((PCHAR) FileName.Buffer) + FileName.Length));



    Don Burn Windows Filesystem and Driver Consulting Website: http://www.windrvr.com Blog: http://msmvps.com/blogs/WinDrvr

    Friday, November 23, 2012 6:59 PM
  • I get

    (UNICODE_STRING FileName="C:\\Windows\\explorer.exe"; ) of FILE_OBJECT

    Is there a different way to get the file name extension?

    safer than my way

    Friday, November 23, 2012 7:28 PM
  • don gave you the answer,

    WCHAR *Peek =((PWCHAR) (((PCHAR) FileName.Buffer) + FileName.Length));

    this puts you one past the end of the string (remember there is no guarantee of a null terminator), so start walking backwards until you get to a L'.' or the start of the buffer


    d -- This posting is provided "AS IS" with no warranties, and confers no rights.

    Friday, November 23, 2012 7:30 PM
  • it's problem

    BAD_POOL_CALLER

    something else ??
    Friday, November 23, 2012 9:36 PM
  • First it is never worth asking about a blue screen with a !analyze -v of the problem.  You say you are getting this from the FILE_OBJECT when are you getting it?  The filename field is only valid on an IRP_MJ_CREATE, if you need it at any other time store it away yourself.


    Don Burn Windows Filesystem and Driver Consulting Website: http://www.windrvr.com Blog: http://msmvps.com/blogs/WinDrvr

    Friday, November 23, 2012 9:39 PM
  • I'm just working with IRP_MJ_CREATE and that's all my code

    	NTSTATUS status= STATUS_SUCCESS; UNICODE_STRING dLetter,FileName; BOOLEAN IsDir;
    	UNICODE_STRING ext;
    	PFILE_OBJECT pFileObject = IoGetCurrentIrpStackLocation(Irp)->FileObject;
    	
    
    	__try {
    		if(pFileObject->FileName.Buffer!=NULL){
            WCHAR *Peek =((PWCHAR) (((PCHAR) pFileObject->FileName.Buffer) + pFileObject->FileName.Length));
    		ext.Buffer=(PWCH)ExAllocatePool( NonPagedPool , 32 ); ext.MaximumLength=32;
    		while (Peek >= pFileObject->FileName.Buffer){if (*Peek == '.'){RtlCopyMemory(ext.Buffer,Peek,32);break;}Peek--;}
    		DbgPrint("%wZ\n", &ext);
    		if(ext.Buffer!=NULL){ExFreePool(ext.Buffer);}}
    	status=IoVolumeDeviceToDosName(pFileObject->DeviceObject,&dLetter); if(!NT_SUCCESS(status)){__leave;}
    	FileName.Buffer = (PWCH)ExAllocatePool( PagedPool, 1000 );
    	FileName.MaximumLength= (dLetter.MaximumLength + pFileObject->FileName.MaximumLength);
    	FileName.Length=((ULONG)dLetter.Length + (pFileObject->FileName.Length * sizeof(UNICODE_STRING)));
    	if(NULL == FileName.Buffer) {__leave;}
    	RtlCopyUnicodeString( &FileName, &dLetter );
    	RtlAppendUnicodeStringToString(&FileName,&pFileObject->FileName);
    	//DbgPrint("%wZ\n", &FileName);
    		}
    	
    	__finally{if(FileName.Buffer!=NULL){ExFreePool(FileName.Buffer);}}
        return status;

    Friday, November 23, 2012 9:57 PM
  • >FltGetFileNameInformation  , IoGetCurrentIrpStackLocation (Irp)

    It looks like you are trying to use minifilter functions in a legacy filter.

    >__try

    You shouldn't be using try/except blocks because they obfuscate bugs.

    >RtlCopyMemory(ext.Buffer,Peek,32)

    While copying you are reading from beyond the file name buffer here.

    >32

    What if you encounter a filename that has more than 16 characters after the dot ?

    >FileName.Buffer = (PWCH)ExAllocatePool( PagedPool, 1000 );

    Also you cannot just substitute the FileName buffer which is owned by the I/O manager. There is a IoReplaceFileObjectName routine for that, admitted this only works on Win7 and higher.

    Any good reason you are not writing a minifilter ?

    //Daniel

     


    • Edited by Resplendence Saturday, November 24, 2012 2:08 AM
    Saturday, November 24, 2012 2:04 AM
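
Added example, not part of any post in this thread: a bounds-safe version of the backwards scan the replies describe, written as user-mode C so it runs without the WDK. The `counted_wstr` struct, `get_extension`, `ext_is` and the sample buffer are assumptions standing in for `UNICODE_STRING` and a FILE_OBJECT name.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* User-mode stand-in for UNICODE_STRING (assumption for this example):
   Length is a BYTE count and Buffer is not NUL-terminated. */
typedef struct {
    uint16_t  Length, MaximumLength;
    uint16_t *Buffer;              /* uint16_t models a 16-bit WCHAR */
} counted_wstr;

/* Hypothetical helper: make *ext a view of the extension (dot excluded)
   inside name's own buffer. Nothing is allocated or copied, and nothing
   outside [Buffer, Buffer + Length) is read. Returns 1 if found. */
static int get_extension(const counted_wstr *name, counted_wstr *ext)
{
    if (ext == NULL) return 0;
    memset(ext, 0, sizeof(*ext));
    if (name == NULL || name->Buffer == NULL) return 0;
    size_t count = name->Length / sizeof(uint16_t);  /* bytes -> chars */
    for (size_t i = count; i-- > 0; ) {              /* last valid char first */
        uint16_t c = name->Buffer[i];
        if (c == '\\') return 0;       /* reached the directory part */
        if (c == '.') {
            size_t n = count - i - 1;  /* chars after the dot */
            if (n == 0) return 0;      /* trailing dot, no extension */
            ext->Buffer = name->Buffer + i + 1;
            ext->Length = ext->MaximumLength = (uint16_t)(n * sizeof(uint16_t));
            return 1;
        }
    }
    return 0;
}

/* 1 if the extension of the first `chars` characters of buf equals ascii. */
static int ext_is(uint16_t *buf, size_t chars, const char *ascii)
{
    counted_wstr name = { (uint16_t)(chars * 2), (uint16_t)(chars * 2), buf }, ext;
    size_t n = strlen(ascii);
    if (!get_extension(&name, &ext) || ext.Length != (uint16_t)(n * 2)) return 0;
    for (size_t i = 0; i < n; i++)
        if (ext.Buffer[i] != (uint16_t)(unsigned char)ascii[i]) return 0;
    return 1;
}

/* Constructed sample: 21 valid characters, then junk past Length. */
static uint16_t sample[] = { '\\','W','i','n','d','o','w','s','\\','e','x','p',
                             'l','o','r','e','r','.','e','x','e','.','b','a','d' };
int main(void) { return ext_is(sample, 21, "exe") ? 0 : 1; }
```

Returning a view into the existing buffer avoids both the fixed 32-byte copy and the pool allocation questioned above. In a minifilter, FltParseFileNameInformation fills in the Extension field of FLT_FILE_NAME_INFORMATION, so no manual scan is needed.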
  • Thanks a lot

    I have some questions:

    > What's the problem with using

    FltGetFileNameInformation  , IoGetCurrentIrpStackLocation (Irp)

    > About 32 on RtlCopyMemory(ext.Buffer,Peek,32)

    I just need file name extension and i want 4 in mostly

    > I can't use IoReplaceFileObjectName because my driver must work on WinXP and higher

    sorry for so many questions

    Saturday, November 24, 2012 8:53 AM
  • > What's problem with using  FltGetFileNameInformation  , IoGetCurrentIrpStackLocation (Irp)

    It looks like you are mixing minifilter and legacy technology. Since you got an IRP it doesn't look like you are developing a minifilter. However considering this is a legacy filter, a good question is, what did you pass in for CallbackData.

    > I can't use IoReplaceFileObjectName because my driver must work on WinXP and higher

    You should at least use that function when running on Win7 or higher. By either creating a separate binary or by finding the entry point at runtime using MmGetSystemRoutineAddress. If this is going to work at all, at least this is going to leak pool because the I/O manager owns the FileName buffer.

    MS have announced, years ago that legacy filters are going to be deprecated. This means your filter may not run on Windows 9. Again, why are you developing a legacy filter and not a minifilter ?

    //Daniel

    Saturday, November 24, 2012 9:21 AM
  • Thanks for your answer

    I was using the minifilter from the Scanner example, but I have a problem with communication and so many other problems

    like the user-mode program doesn't break the IO operation if my code doesn't run from the main.cpp file, even after debugging

    I didn't find any solution

    and I'm now using the "File System Filter Tutorial" example from the CodeProject site, and these are my problems

    I forgot to tell you that I got "IoGetCurrentIrpStackLocation(Irp)->FileObject;" from the CodeProject example

    and I want to say sorry again for so many questions

    Saturday, November 24, 2012 1:44 PM
  • Note that you cannot call minifilter functions from a legacy filter. And that developing a minifilter is a very difficult task while a legacy filter makes things even much harder. You are likely to run into much more trouble than you did before.  This is not a suitable beginners project for a kernel developer. Also I don't think you are likely to find any quality code samples on CodeProject.

    It takes a skilled engineer several years before he can reach the level that he can develop production quality code for the filesystem stack. You will need to do lots of studying about lots of topics. Also, you will need to learn to use the kernel debugger. Or many blue screens will come your way without that you have an idea what's going on.

    If this is for learning I suggest you start out with another project to get yourself acquainted with the Windows kernel.

    //Daniel


    • Edited by Resplendence Saturday, November 24, 2012 2:15 PM
    Saturday, November 24, 2012 2:14 PM
  • Thanks for your advice

    May you give me what the book i should start with it ??

    I will start studying everything that can help me in my project

    I'm going to build a strong antivirus

    And I hope to get help from anyone who can help me

    Lastly, thanks a lot for all the replies

    And I hope to get more help

    Best wishes

    Saturday, November 24, 2012 2:28 PM
  • >May you give me what the book i should start with it ??

    File system internals by Rajeev Nagar. It doesn't cover minifilters but most of the information is still valid today.

    For a good overview of the Windows kernel get the Windows Internals book by Russinovich and Solomon.

    Also there is a better forum for asking fs related questions: ntfsd.

    Good luck.

    //Daniel

    • Marked as answer by NOUR ALDEEN Saturday, November 24, 2012 2:57 PM
    Saturday, November 24, 2012 2:53 PM