I’m doing a project to familiar myself to writing windows drivers, so I wrote a minifilter driver which tries to catch every IO operation related to files.
Now I have two questions that probably related:
I’m monitoring IRP_MJ_{CREATE, WRITE, READ, SET_INFORMATION}.
Within the pre-operation callback I have something like:
if (FltObjects->FileObject != NULL && STATUS_SUCCESS == FltGetFileNameInformation(Data, FLT_FILE_NAME_OPENED, &nameInfo)) {
//Do my things here and return FLT_PREOP_SUCCESS_WITH_CALLBACK
}
else {
return FLT_PREOP_SUCCESS_NO_CALLBACK;
}
The problem is that for the bellow C# code, I dont get the information I expect probably becase the if statement is not satisfied.
The C# code snipped in question:
private static void EncryptFile(SymmetricAlgorithm alg, string inputFile, string outputFile)
{
var buffer = new byte[65536];
using (var streamIn = new FileStream(inputFile, FileMode.Open))
using (var streamOut = new FileStream(outputFile, FileMode.Create))
using (var encrypt = new CryptoStream(streamOut, alg.CreateEncryptor(), CryptoStreamMode.Write))
{
int bytesRead;
do
{
bytesRead = streamIn.Read(buffer, 0, buffer.Length);
if (bytesRead != 0)
encrypt.Write(buffer, 0, bytesRead);
}
while (bytesRead != 0);
}
}
Do you have an idea why this can happen?
I use FltReadFile both in pre and post operation callbacks, the requirement for it is IRQL = LEVEL_PASIVE
However, nothing promises me that my callbacks run in IEQL = LEVEL_PASIVE
What can I do about it?