INFO: Using IFSMGR_InstallFileSystemApiHook in Windows 98 to Intercept Executable Files (223282)



The information in this article applies to:

  • Microsoft Windows 98 Driver Development Kit (DDK)
  • Microsoft Windows 98

This article was previously published under Q223282

SUMMARY

Under Windows 98, programs that use the IFSMGR_InstallFileSystemApiHook service to encrypt or otherwise modify the content of executable files need to disable the new ENUMH_MAPCACHEBLOCK operation type of the FS_EnumerateHandle service; otherwise the hook does not see the reads that load the executable file.

MORE INFORMATION

The new IFSMGR_Ring0FileIO service R0_MAPCACHEBLOCK is included in the Ifs.h header file located in the Windows 98 DDK. This service maps a zero-relative page number (4 KB) within a file into a VCACHE buffer and returns the address of the VCACHE buffer header to the caller. This API is strictly intended for use by the operating system; its purpose is to make more efficient use of system memory by reducing double caching of EXE and DLL files. This service does not exist in Windows 95.

This service replaces the FS_ReadFile calls normally used to read EXE and DLL files. When it is called, programs that hook the file system observe an incoming FS_EnumerateHandle carrying the new operation type ENUMH_MAPCACHEBLOCK (also defined in Ifs.h). This operation type is handled only by VFAT.

Your file system hook can disable ENUMH_MAPCACHEBLOCK, and therefore force conventional FS_ReadFile loading of executables (at a cost in system performance), by failing the operation; details follow.

VFAT places several restrictions on this operation; if any one of them is not met, the service fails and the operating system falls back to conventional reads to load the executable file. The restrictions are:
  • The file must be open on a volume mounted by a file system that supports this API.
  • The file must be opened as read-only.
  • The file must be opened in share deny-write or share deny-both.
  • The file must reside on a volume that has a cluster size that is at least 4 KB. The call always fails on files open on volumes that have a cluster size less than 4 KB.
  • The file must reside on a volume that is not exclusively locked.
  • The file must reside on a nonremovable volume.
  • The file must reside on a volume that is not paging through MS-DOS.
  • A page must reside within the file. If the page number passed is beyond the end of the file, the mapping will fail.
If any of the above conditions is not met, VFAT fails the call with ERROR_ACCESS_DENIED returned in ir_error, and the function returns a NULL pointer.

ENUMH_MAPCACHEBLOCK Details:

Entry
  ir_pos = zero-relative cache block number to map (from beginning of file)
  ir_length = number of cache blocks to map (1)
  ir_data = 0

Exit
  On success: ir_error = 0
              ir_data = VCACHE handle for cache block
  On failure: ir_error = errorcode
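The following is an added example, not code from the article or from the Windows 98 DDK. It models a file system API hook that fails ENUMH_MAPCACHEBLOCK with ERROR_ACCESS_DENIED and passes every other request down the hook chain, so that IFSMGR falls back to FS_ReadFile for executables and the hook sees every read. The ioreq structure is reduced to the fields named above, the hook signature is modelled on the DDK's pIFSFileHookFunc, the numeric values of IFSFN_ENUMHANDLE, IFSFN_READ, ENUMH_MAPCACHEBLOCK and ENUMH_GETFILEINFO are placeholders (the real ones are in Ifs.h), the placement of the enumeration type in ir_flags is an assumption, and the "VFAT" at the end of the chain is a constructed stand-in so the code runs on any C compiler.

```c
#include <stddef.h>
#include <stdio.h>

/* Standard Win32 error code VFAT reports in ir_error when it refuses the mapping. */
#define ERROR_ACCESS_DENIED 5

/* Placeholder values: the real constants live in the Windows 98 DDK's Ifs.h and
 * are not given in the article; they are only used to route requests in this model. */
#define IFSFN_ENUMHANDLE     0x0FFF /* placeholder: FS_EnumerateHandle function code */
#define IFSFN_READ           0x0FFE /* placeholder: FS_ReadFile function code */
#define ENUMH_MAPCACHEBLOCK  0x00FF /* placeholder: the new enumeration type */
#define ENUMH_GETFILEINFO    0x0000 /* placeholder: some other enumeration type */

/* Minimal model of the IFSMGR I/O request packet, limited to the fields used here.
 * Assumption: the FS_EnumerateHandle enumeration type travels in ir_flags. */
typedef struct ioreq {
    unsigned short ir_error;  /* 0 on success, error code on failure */
    unsigned int   ir_flags;  /* enumeration type for FS_EnumerateHandle */
    unsigned long  ir_pos;    /* zero-relative cache block number to map */
    unsigned long  ir_length; /* number of cache blocks to map (1) */
    void          *ir_data;   /* VCACHE handle on success, NULL on failure */
} ioreq, *pioreq;

typedef int (*pIFSFunc)(pioreq pir);
/* Shape of a file system API hook, modelled on the DDK's pIFSFileHookFunc. */
typedef int (*IFSFileHookFunc)(pIFSFunc pfn, int fn, int Drive, int ResType,
                               int CodePage, pioreq pir);

/* Previous hook in the chain; a real VxD records it when it calls
 * IFSMGR_InstallFileSystemApiHook. Here the simulation sets it. */
static IFSFileHookFunc PrevHook;

/* The hook: refuse ENUMH_MAPCACHEBLOCK so IFSMGR loads the executable through
 * FS_ReadFile, where the hook sees every byte. Everything else is chained on. */
static int ExeFilterHook(pIFSFunc pfn, int fn, int Drive, int ResType,
                         int CodePage, pioreq pir)
{
    if (fn == IFSFN_ENUMHANDLE && pir->ir_flags == ENUMH_MAPCACHEBLOCK) {
        pir->ir_error = ERROR_ACCESS_DENIED; /* same failure VFAT itself reports */
        pir->ir_data  = NULL;                /* no VCACHE handle is handed back */
        return ERROR_ACCESS_DENIED;
    }
    return PrevHook(pfn, fn, Drive, ResType, CodePage, pir);
}

/* Constructed stand-in for the rest of the chain (ultimately VFAT): counts the
 * requests that reach it and answers each with success. */
static int  calls_reaching_vfat;
static char fake_vcache_block[4096];

static int SimulatedVfat(pIFSFunc pfn, int fn, int Drive, int ResType,
                         int CodePage, pioreq pir)
{
    (void)pfn; (void)Drive; (void)ResType; (void)CodePage;
    calls_reaching_vfat++;
    pir->ir_error = 0;
    if (fn == IFSFN_ENUMHANDLE && pir->ir_flags == ENUMH_MAPCACHEBLOCK)
        pir->ir_data = fake_vcache_block; /* what VFAT would map if the hook let it through */
    return 0;
}

/* Pushes one request through the hook chain. Returns ir_error and reports whether
 * the request reached the simulated VFAT and what ir_data holds afterwards. */
int SendRequest(int fn, unsigned int enum_type, int *reached_vfat, void **data_out)
{
    ioreq req;
    int before = calls_reaching_vfat;

    PrevHook      = SimulatedVfat;
    req.ir_error  = 0;
    req.ir_flags  = enum_type;
    req.ir_pos    = 0;    /* first 4 KB page of the file */
    req.ir_length = 1;
    req.ir_data   = NULL;

    ExeFilterHook(NULL, fn, 2 /* drive C: */, 0, 0, &req);
    if (reached_vfat) *reached_vfat = calls_reaching_vfat > before;
    if (data_out)     *data_out = req.ir_data;
    return req.ir_error;
}

/* Behaviour checks: each returns 1 when the hook does what the article requires. */
int MapBlockRefused(void)
{
    int r; void *d;
    return SendRequest(IFSFN_ENUMHANDLE, ENUMH_MAPCACHEBLOCK, &r, &d) == ERROR_ACCESS_DENIED
           && !r && d == NULL;
}
int OtherEnumPassedThrough(void)
{
    int r; void *d;
    return SendRequest(IFSFN_ENUMHANDLE, ENUMH_GETFILEINFO, &r, &d) == 0 && r;
}
int ReadPassedThrough(void)
{
    int r; void *d; /* same flag value, but not FS_EnumerateHandle: must not be blocked */
    return SendRequest(IFSFN_READ, ENUMH_MAPCACHEBLOCK, &r, &d) == 0 && r;
}

int main(void)
{
    printf("ENUMH_MAPCACHEBLOCK refused:      %d\n", MapBlockRefused());
    printf("other enumeration chained on:     %d\n", OtherEnumPassedThrough());
    printf("FS_ReadFile chained on:           %d\n", ReadPassedThrough());
    return 0;
}
```

The third check matters in a real hook: the enumeration type is only meaningful for FS_EnumerateHandle, so the function code must be tested together with the type or unrelated requests whose ir_flags happen to match would be refused as well.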
				

Modification Type: Minor
Last Reviewed: 12/20/2004
Keywords:kbIFS kbinfo kbStorageDev KB223282