on_after_ioctl Event
Fires after an IRP_MJ_DEVICE_CONTROL request is processed.
Syntax
class CBFilterAfterIoctlEventParams(object): @property def file_name() -> str: ... @property def io_control_code() -> int: ... @property def in_buffer() -> c_void_p: ... @property def in_buffer_length() -> int: ... @property def in_buffer_valid_bytes() -> int: ... @property def out_buffer() -> c_void_p: ... @property def out_buffer_length() -> int: ... @property def out_buffer_valid_bytes() -> int: ... @out_buffer_valid_bytes.setter def out_buffer_valid_bytes(value) -> None: ... @property def status() -> int: ... @status.setter def status(value) -> None: ... @property def result_code() -> int: ... @result_code.setter def result_code(value) -> None: ... # In class CBFilter: @property def on_after_ioctl() -> Callable[[CBFilterAfterIoctlEventParams], None]: ... @on_after_ioctl.setter def on_after_ioctl(event_hook: Callable[[CBFilterAfterIoctlEventParams], None]) -> None: ...
Remarks
This event fires after an IRP_MJ_DEVICE_CONTROL (IOCTL) request is processed. Such requests are sent using the Windows API's DeviceIoControl function (user mode), or ZwDeviceIoControlFile function (kernel mode); please refer to Microsoft's documentation for more information.
Applications may use this event to modify the output data (if there is any) before the response is returned to the requestor. Applications that choose to do this must:
- Copy no more than OutBufferLength bytes into OutBuffer.
- Update the OutBufferValidBytes parameter's value afterwards so that it correctly reflects the amount of data in OutBuffer.
Applications only need to handle this event if they've added a standard filter rule that includes the FS_CE_AFTER_IOCTL flag.
The FileName parameter reflects the file, directory, or volume targeted by the request.
The IoControlCode parameter reflects the requested I/O Control Code (IOCTL).
The InBuffer parameter points to a memory buffer that contains the data required to perform the operation. The InBufferLength and InBufferValidBytes parameters reflect the capacity of InBuffer and the length of the data it contains (respectively), in bytes; InBufferValidBytes may be less than InBufferLength (unless the request did not include data, in which case both will be 0).
The OutBuffer parameter points to a memory buffer that contains the data returned by the operation. The OutBufferLength and OutBufferValidBytes parameters reflect the capacity of OutBuffer and the length of the data it contains (respectively), in bytes; OutBufferValidBytes may be less than OutBufferLength (unless the operation did not return data, in which case both will be 0).
Please refer to the Buffer Parameters topic for more information on how to work with memory buffer event parameters.
The Status parameter contains an NT status code that indicates the outcome of the operation; 0 indicates success. To convert this value to a Win32 error code, call the nt_status_to_win_32_error method. Please note that this event won't fire for failed requests unless the process_failed_requests property is enabled. Applications may change this parameter's value if they want a different NT status code to be returned.
The ResultCode parameter will always be 0 when the event is fired. If the event cannot be handled in a "successful" manner for some reason (e.g., a resource isn't available, security checks failed, etc.), set it to a non-zero value to report an appropriate error. Please refer to the Error Reporting and Handling topic for more information.
This event is fired synchronously; please refer to the Event Types topic for more information.