FltRegisterFilter referenced in Function DriverEntry in filter.obj

Question

FltRegisterFilter referenced in Function DriverEntry in filter.obj

720 Views Asked by hashy At 05 June 2022 at 02:18

Basically I am trying create a simple FileSystem MiniFilter Driver where I can modify a notepad file from writing. Following this tutorial. So I created a project in visual studio which is type Filter Driver: NDIS. here is the full code:

/*++

Module Name:

    Filter.c

Abstract:

    Sample NDIS Lightweight filter driver

--*/

#include "precomp.h"

PFLT_FILTER FilterHandle = NULL;
NTSTATUS MiniUnload(FLT_FILTER_UNLOAD_FLAGS Flags);
FLT_POSTOP_CALLBACK_STATUS MiniPostCreate(PFLT_CALLBACK_DATA Data, PCFLT_RELATED_OBJECTS FltObjects, PVOID* CompletionContext, FLT_POST_OPERATION_FLAGS flags);
FLT_PREOP_CALLBACK_STATUS MiniPreCreate(PFLT_CALLBACK_DATA Data, PCFLT_RELATED_OBJECTS FltObjects, PVOID* CompletionContext);
FLT_PREOP_CALLBACK_STATUS MiniPreWrite(PFLT_CALLBACK_DATA Data, PCFLT_RELATED_OBJECTS FltObjects, PVOID* CompletionContext);


const FLT_OPERATION_REGISTRATION Callbacks[] = {
    {IRP_MJ_CREATE,0,MiniPreCreate,MiniPostCreate},
    {IRP_MJ_WRITE,0,MiniPreCreate,NULL},
    {IRP_MJ_OPERATION_END}
};
const FLT_REGISTRATION FilterRegistration = {
    sizeof(FLT_REGISTRATION),
    FLT_REGISTRATION_VERSION,
    0,
    NULL,
    Callbacks,
    MiniUnload,
    NULL,
    NULL,
    NULL,
    NULL,
    NULL,
    NULL,
    NULL,
    NULL
};
NTSTATUS MiniUnload(FLT_FILTER_UNLOAD_FLAGS Flags) {
    KdPrint(("driver unload \r\n"));
    FltUnregisterFilter(FilterHandle);
    return STATUS_SUCCESS;
}
FLT_POSTOP_CALLBACK_STATUS MiniPostCreate(PFLT_CALLBACK_DATA Data, PCFLT_RELATED_OBJECTS FltObjects, PVOID* CompletionContext, FLT_POST_OPERATION_FLAGS flags) {
    KdPrint(("Post Create is running \r\n"));
    return FLT_POSTOP_FINISHED_PROCESSING;
}
FLT_PREOP_CALLBACK_STATUS MiniPreCreate(PFLT_CALLBACK_DATA Data, PCFLT_RELATED_OBJECTS FltObjects, PVOID* CompletionContext) {
    PFLT_FILE_NAME_INFORMATION FileNameInfo;
    NTSTATUS status;
    WCHAR Name[300] = { 0 };

    status = FltGetFileNameInformation(Data, FLT_FILE_NAME_NORMALIZED | FLT_FILE_NAME_QUERY_DEFAULT, &FileNameInfo);
    if (NT_SUCCESS(status)) {
        status = FltParseFileNameInformation(FileNameInfo);
        if (NT_SUCCESS(status)) {
            if (FileNameInfo->Name.MaximumLength < 260) {
                RtlCopyMemory(Name, FileNameInfo->Name.Buffer, FileNameInfo->Name.MaximumLength);
                KdPrint(("CreateFile: %ws \r\n", Name));
            }
        }
        FltReleaseFileNameInformation(FileNameInfo);
    }

    return FLT_PREOP_SUCCESS_WITH_CALLBACK;
}

FLT_PREOP_CALLBACK_STATUS MiniPreWrite(PFLT_CALLBACK_DATA Data, PCFLT_RELATED_OBJECTS FltObjects, PVOID* CompletionContext) {
    PFLT_FILE_NAME_INFORMATION FileNameInfo;
    NTSTATUS status;
    WCHAR Name[300] = { 0 };

    status = FltGetFileNameInformation(Data, FLT_FILE_NAME_NORMALIZED | FLT_FILE_NAME_QUERY_DEFAULT, &FileNameInfo);
    if (NT_SUCCESS(status)) {
        status = FltParseFileNameInformation(FileNameInfo);
        if (NT_SUCCESS(status)) {
            if (FileNameInfo->Name.MaximumLength < 260) {
                RtlCopyMemory(Name, FileNameInfo->Name.Buffer, FileNameInfo->Name.MaximumLength);
                _wcsupr(Name);
                if (wcsstr(Name, L"OPENME.TXT") != NULL) {
                    KdPrint(("Write File: %ws Blocked \r\n", Name));
                    Data->IoStatus.Status = STATUS_INVALID_PARAMETER;
                    Data->IoStatus.Information = 0;
                    FltReleaseFileNameInformation(FileNameInfo);
                    return FLT_PREOP_COMPLETE;
                }
                KdPrint(("CreateFile: %ws \r\n", Name));
            }
        }
        FltReleaseFileNameInformation(FileNameInfo);
    }

    return FLT_PREOP_SUCCESS_WITH_CALLBACK;
}


NTSTATUS DriverEntry(PDRIVER_OBJECT DriverObject, PUNICODE_STRING RegistryPath) {
    NTSTATUS status;

    status = FltRegisterFilter(DriverObject, &FilterRegistration, &FilterHandle);
    if (NT_SUCCESS(status)) {
        status = FltStartFiltering(FilterHandle);
        if (!NT_SUCCESS(status)) {
            FltUnregisterFilter(FilterHandle);
        }
    }
    return status;
}

The header files have been to precomp.h as below:

#pragma warning(disable:4201)  //nonstandard extension used : nameless struct/union
#pragma warning(disable:4100)
#include <fltKernel.h>
#include <dontuse.h>
#include <suppress.h>
#include <ndis.h>
#include <filteruser.h>
#include <ntddk.h>
#include "flt_dbg.h"
#include "filter.h"

Everything else is default.

Project configuration is Active(x64) under properties.

With all of that I am getting below errors:

Severity    Code    Description Project File    Line    Suppression State
Error   LNK2019 unresolved external symbol FltGetFileNameInformation referenced in function MiniPreCreate   default C:\Users\Abdul\source\repos\default\default\filter.obj  1   
Warning 1324    [Version] section should specify PnpLockdown=1 to prevent external apps from modifying installed driver files.  default C:\Users\Abdul\source\repos\default\default\default.inf 8   
Error   LNK2019 unresolved external symbol FltRegisterFilter referenced in function DriverEntry default C:\Users\Abdul\source\repos\default\default\filter.obj  1   
Error   LNK2019 unresolved external symbol FltUnregisterFilter referenced in function MiniUnload    default C:\Users\Abdul\source\repos\default\default\filter.obj  1   
Error   LNK2019 unresolved external symbol FltStartFiltering referenced in function DriverEntry default C:\Users\Abdul\source\repos\default\default\filter.obj  1   
Error   LNK2019 unresolved external symbol FltReleaseFileNameInformation referenced in function MiniPreCreate   default C:\Users\Abdul\source\repos\default\default\filter.obj  1   
Error   LNK2019 unresolved external symbol FltParseFileNameInformation referenced in function MiniPreCreate default C:\Users\Abdul\source\repos\default\default\filter.obj  1   
Error   LNK2001 unresolved external symbol FilterDriverHandle   default C:\Users\Abdul\source\repos\default\default\device.obj  1   
Error   LNK2001 unresolved external symbol FilterDriverObject   default C:\Users\Abdul\source\repos\default\default\device.obj  1   
Error   LNK2001 unresolved external symbol NdisFilterDeviceHandle   default C:\Users\Abdul\source\repos\default\default\device.obj  1   
Error   LNK2001 unresolved external symbol NdisDeviceObject default C:\Users\Abdul\source\repos\default\default\device.obj  1   
Error   LNK2001 unresolved external symbol FilterListLock   default C:\Users\Abdul\source\repos\default\default\device.obj  1   
Error   LNK2001 unresolved external symbol FilterModuleList default C:\Users\Abdul\source\repos\default\default\device.obj  1   
Error   LNK1120 12 unresolved externals default C:\Users\Abdul\source\repos\default\x64\Debug\default.sys   1

Can Anyone guide on what am I doing wrong?

Original Q&A

There are 1 best solutions below

**Giacomo Casoni** · Answer 1 · 2022-07-03T09:40:04.773000

I ran into the same issue. For me, the problem was that the mini-filter template was not showing in the templates listing for new projects and so I had to create it from scratch and I inevitably missed something. After cross-checking the linker options against the minifilter projects provided by Microsoft as reference (check here) I realized that fltMgr.lib has to be specifically provided to the linker. In order to do that right-click on the project in the "Solution Explorer" left pane. Then go to Properties->Linker->Input->Additional Dependencies. Add $(DDK_LIB_PATH)\fltMgr.lib to the list of additional dependencies and rebuild your project! I hope this does it for you, but like the Microsoft documentation points out LNK2019 can be caused by lots of other problems with your configuration.

FltRegisterFilter referenced in Function DriverEntry in filter.obj

There are 1 best solutions below

Related Questions in C++

Related Questions in MINIFILTER

Trending Questions

Popular # Hahtags

Popular Questions