none
How to modify the data read in an IRP_MJ_READ RRS feed

  • Question

  • Hello,

    I am writing a driver which should modify the data returned to user when he sends an IRP_MJ_READ. I've been trying multiple things but the data read seems to always be the one in the file I'm opening rather than the altered one. 

    First I tried to set a completion routine and to modify the Irp->UserBuffer but notepad got the unmodified text.

    I then tried to complete the Irp without passing it to the next device but it still did not work which puzzled me...

    By the way, I saw that some people were using the MdlAddress but in my case it is NULL (so is the SecondaryBuffer).

    Can anyone help me?

    Best,

    Matthieu



    • Edited by MatthieuM Wednesday, August 7, 2013 9:59 AM
    Wednesday, August 7, 2013 9:48 AM

Answers

  • You will get an answer on NTFSD, not many people here deal with file systems.

    d -- This posting is provided "AS IS" with no warranties, and confers no rights.

    • Marked as answer by MatthieuM Friday, August 9, 2013 4:51 PM
    Friday, August 9, 2013 4:31 PM
  • Notepad used memory mapped I/O so you will not see a read from this application.  You will see paging reads for the file.  I suggest you go to http://www.osronline.com/ and join the NTFSD group and look at the archive for the group about memory mapped I/O and notepad.


    Don Burn Windows Filesystem and Driver Consulting Website: http://www.windrvr.com Blog: http://msmvps.com/blogs/WinDrvr

    Wednesday, August 7, 2013 11:34 AM
  • This is why I pointed you to the discussions on NTFSD.  I haven't had to deal with this is a number of years, so the details are hazy.  


    Don Burn Windows Filesystem and Driver Consulting Website: http://www.windrvr.com Blog: http://msmvps.com/blogs/WinDrvr

    Wednesday, August 7, 2013 1:43 PM

All replies

  • Notepad used memory mapped I/O so you will not see a read from this application.  You will see paging reads for the file.  I suggest you go to http://www.osronline.com/ and join the NTFSD group and look at the archive for the group about memory mapped I/O and notepad.


    Don Burn Windows Filesystem and Driver Consulting Website: http://www.windrvr.com Blog: http://msmvps.com/blogs/WinDrvr

    Wednesday, August 7, 2013 11:34 AM
  • Thanks Don, lot of information there!

    The thing is I just want to intercept the first IRP_MJ_READ that will put data in cache and change that data. I manage to intercept this IRP (the real data can be found inside the UserBuffer) but up to now, all modifications I tried have not modified what was put into the cache. 

    Am I wrong to assume that at least one IRP_MJ_READ will have to be done in the file system in order to fill in the cache ? 

    Matthieu 

    Wednesday, August 7, 2013 12:34 PM
  • There are reads to the file for the caching, but you have to be checking for them.   First, if the file is already in cache you won't see them (and files can spend days in cache).  Second, the cache read will be marked as a paging read, and may not be on the same file object you are used to.


    Don Burn Windows Filesystem and Driver Consulting Website: http://www.windrvr.com Blog: http://msmvps.com/blogs/WinDrvr

    Wednesday, August 7, 2013 12:37 PM
  • That's interesting. What could the other file objects be? 
    Wednesday, August 7, 2013 1:32 PM
  • This is why I pointed you to the discussions on NTFSD.  I haven't had to deal with this is a number of years, so the details are hazy.  


    Don Burn Windows Filesystem and Driver Consulting Website: http://www.windrvr.com Blog: http://msmvps.com/blogs/WinDrvr

    Wednesday, August 7, 2013 1:43 PM
  • Hi,

    I read the archives of NTFSD and I managed to modify the data read by notepad. However, I'm facing a new challenge:

    The new data that I supply to notepad is actually written back in the file (without IRP_MJ_WRITE) and I have not found a way to prevent it.

    Can anyone tell me why (and how)?

    Best regards,

    Matthieu

    Friday, August 9, 2013 3:57 PM
  • You will get an answer on NTFSD, not many people here deal with file systems.

    d -- This posting is provided "AS IS" with no warranties, and confers no rights.

    • Marked as answer by MatthieuM Friday, August 9, 2013 4:51 PM
    Friday, August 9, 2013 4:31 PM