The condition you mentioned "if ( NULL == FileObject->SectionObjectPointer
|| NULL == FileObject->SectionObjectPointer->DataSection )" works fine for
But it is is not working properly for intercepting IRP_MJ_READ.
When a .jpg file is read by a photoviewer.dll , some IRP_MJ_READ s are
missed by the mini filter.
Please let me know a method to identify whether a IRP_MJ_READ is going to
disk or cache, for a network volume.
On Sun, Nov 20, 2016 at 11:46 AM, wrote:
> If a notepad file is created inside the network volume, some data is typed
> and saved then the filter driver gets IRP_MJ_WRITE.
> But when a file is copied to the network volume, the filter driver does not
> get IRP_MJ_WRITE.
> Notepad uses a memory mapped file, this is analogues to file being cached.
> When Memory Manager flushes dirty pages the filter receives paging IO.
> Please let me know the way to intercept the write IRP and encrypt the file.
> The correct implementation requires an isolation filter like OSR Data
> Modification Kit.
> In your case you can try to intercept a cached IO for network FS and
> process it as non cached(i.e. encrypt/decrypt) if ( NULL == FileObject->SectionObjectPointer
> || NULL == FileObject->SectionObjectPointer->DataSection ).
> NTFSD is sponsored by OSR
> MONTHLY seminars on crash dump analysis, WDF, Windows internals and
> software drivers!
> Details at
> To unsubscribe, visit the List Server section of OSR Online at <