IRP loop back

Hi guys ,
I'm writnig a filter driver . I want to work with files in kernel mode ,
but the problem is when I call ZwCreateFile / ZwClose to work on a file ,
these Zw APIs create an MJ_CREATE/CLOSE IRP and comes back to my dispatch routine . So what should i do ?
Enjoy ur time...

Without your source code is difficult to help.
Try to read this source codes:
http://www.insidewindows.info/

Regards,
Opc0de

Two method:
1. Add a special flag on you call to zwCreateFile/zwCloseFile so that your driver can distinct them.
2. Create file and close file directly use IRP to lower driver. You must construct IRP that you want to use. It is very difficult because many things is undocument. But it may be work.

You're right! i know if i can create the IRP for create/close file and call "IoCallDriver" to pass the IRP to the lower driver , my problem is solved .
but setting all of the IRP fields correctly is a bit difficult !
and about flagging the IRP , what do u mean ? change the input param of ZwCreateFile/ZwClose ?

I think, you can create a linked list to store information about the incoming IRPs, such as FileObject, FileName, other flags & status. Later, in the next incoming IRPs, you can check some of infos in the linked list and decide to pass the IRP to the lower level driver or not.

Quote:

Originally Posted by hajir

create a linked list to store information about the incoming IRPs.

it seems an interesting idea, i implement it in my code.

i add the algorithm in my code , but i got "UNEXPECTED_KERNEL_MODE_TRAP" , how can i get rid of it

[EDIT JMI: DO NOT answer your own Post. USE THE EDIT BUTTON.]

Try to use WinDbg to open the dump file and debug it.

Regards,
Opc0de