I'm writing a minifilter driver for the purpose of tracking changes made to files.
What I have tried to do is:
I've registered for IRP_MJ_WRITE and trying to read the file content in pre-operation callback and post-operation callback. There are two main problems:
1. I'm reading the content of the file with FltReadFile(), and if I'm not mistaken nothing promises me that the function will not cause a pagefault. Since the pre\post-operation callback runs in DPC I have a good chance of getting a BSOD.
2. Even if I'll not get a blue screen the above will likely cause very significant penalty to the performance of the system.
Can anyone suggest me a way to deal with the above problems?