importing fltKernel in user-mode application

omri_aviasr Posts: 12
Hello, I am new to the subject of minifilter development and I wanted to know if I can call functions from fltkernel.h, because I still want to use some of the functions in this API in order to analyze the fltcallbackdata struct. I understand that it is possible to analyze everything in the minifilter and then send it to the user-mode application, but I still want the freedom of using this API in the user-mode application as well.

I thought that maybe, because a minifilter usually runs in kernel mode and this library is meant for driver development, I can't access some of those functions, but I still want to know if I can use it.

Mostly I want access to the structs (which I can build myself but it would be very hard), and the FltQueryInformationFile function.

Another short question about FltQueryInformationFile (I just don't want to open an entire thread just for this question). I know that in order to find a file object's full path I should access the data structure of a create operation, but I can use FltQueryInformationFile on any operation and I can ask for FileNameInformation. So is it possible to get the full path of a WRITE or READ operation with FltQueryInformationFile?

Comments

  • Don_Burn Posts: 1,623
    No, you cannot use FltQueryInformationFile or any other FltXXX call in a user
    space application. But you might want to look at
    https://docs.microsoft.com/en-us/windows-hardware/drivers/ddi/content/ntifs/nf-ntifs-ntqueryinformationfile
    since ZwQueryInformationFile can be called from user space.


    Don Burn
    Windows Driver Consulting
    Website: http://www.windrvr.com
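
Added example, not part of the thread and not code from either poster: a user-mode call to NtQueryInformationFile for FileNameInformation, plus a bounds-checked decoder for the returned FILE_NAME_INFORMATION bytes. The names `name_info_extract`, `query_name`, `query_fn` and `SAMPLE` are hypothetical, and the sample buffer is constructed.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Constructed sample: the bytes of a FILE_NAME_INFORMATION for "\a.txt"
 * (ULONG FileNameLength in BYTES, then UTF-16LE text with no terminator). */
static const uint8_t SAMPLE[] = { 12,0,0,0, '\\',0, 'a',0, '.',0, 't',0, 'x',0, 't',0 };

/* Copy the name out as NUL-terminated UTF-16. Returns the number of UTF-16
 * units, or -1 if the length field is odd, overruns buf, or does not fit out.
 * Assumes a little-endian host, which holds for Windows. */
int name_info_extract(const uint8_t *buf, size_t buf_len,
                      uint16_t *out, size_t out_units)
{
    uint32_t name_bytes;
    if (!buf || !out || buf_len < sizeof name_bytes) return -1;
    memcpy(&name_bytes, buf, sizeof name_bytes);
    if (name_bytes % 2 != 0 || name_bytes > buf_len - sizeof name_bytes) return -1;
    if (name_bytes / 2 + 1 > out_units) return -1;
    memcpy(out, buf + sizeof name_bytes, name_bytes);
    out[name_bytes / 2] = 0;
    return (int)(name_bytes / 2);
}

#ifdef _WIN32
#include <windows.h>
#include <winternl.h>   /* IO_STATUS_BLOCK */

typedef LONG (NTAPI *query_fn)(HANDLE, IO_STATUS_BLOCK *, void *, ULONG, int);

/* User-mode query on an already opened handle; 9 is FileNameInformation. */
int query_name(HANDLE h, uint16_t *out, size_t out_units)
{
    union { uint32_t align; uint8_t bytes[4 + 2 * 1024]; } buf;
    IO_STATUS_BLOCK iosb;
    query_fn fn = (query_fn)GetProcAddress(GetModuleHandleW(L"ntdll.dll"),
                                           "NtQueryInformationFile");
    if (!fn || fn(h, &iosb, buf.bytes, sizeof buf.bytes, 9) < 0) return -1;
    return name_info_extract(buf.bytes, (size_t)iosb.Information, out, out_units);
}
#endif
```

The same decoder applies to a FILE_NAME_INFORMATION blob that a driver forwards to user mode, where the length field should be treated as untrusted input.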


