
Getting full file path out of WRITE operation

omri_aviasr Posts: 12
Hello, I am developing a minifilter and one of my goals is to know which file in the file system was changed, by which process, and how. I am tracking only write operations and I wish to get as much knowledge as I can about each operation and send it to a user-mode application.
1. One of my goals is finding the full path of the file which was changed, and I am a little bit confused about how it could be done. I know it is possible to use FltQueryInformationFile, but I couldn't understand if I can get the full path or only the file name. Then someone here in the forums told me about the user-mode version of this function, but still I can't tell if I can get the full path or only the file name. So my question is: which is the easiest way of extracting the full path of the target file from a WRITE operation passed to the minifilter?

2. Another problem: can I use the pointer to an OBJECT_FILE given in the minifilter, pass it to the user application and use it there? Because it points only to someplace in memory.

3. Another small issue: if I use XXXQueryInformationFile I should pass the FILE_NAME_INFORMATION to the function, but how can I know how much memory to allocate for the path?

Comments

  • Scott_Noone_(OSR) Posts: 3,004
    You're at the edge of a cliff and about to walk right off. You need to step
    back and learn more about minifilters.

    Have you tried playing with MiniSpy?

    https://github.com/Microsoft/Windows-driver-samples/tree/master/filesys/miniFilter/minispy

    Using it along with FileTest can be very enlightening:

    http://www.zezula.net/en/fstools/filetest.html

    I recommend adding a secondary volume to your system formatted with FAT.
    Then ONLY attach MiniSpy to the FAT volume, add some breakpoints, and start
    getting used to how things work.

    HTH,

    -scott
    OSR
    @OSRDrivers


  • omri_aviasr Posts: 12
    I understand that my question is about understanding a few of the fundamentals of the minifilter.
    But I believe that my questions are simply issues that originate from a lack of documentation.
    For instance, what is a file object pointer? (question 2) Does it point to a struct which is loaded into an individual process, or is it a global pointer whose address every process can use in order to access it?
    Another question was about implementation: how can I get the path without knowing its length? I have to allocate enough memory for it.
    The first question also originated from a lack of documentation: some pages claimed that the file object can only access the full path if it was created by a CREATE IRP, although other pages claimed it was possible to access it no matter what IRP was used to create it. It is very confusing, so I would love it if someone could just explain those few specific issues.
  • Sergey_Pisarev Posts: 141
    Before you start with minifilters you must understand how the kernel works in
    general. Start with the Windows Internals book and the kernel-mode architecture
    section on MSDN
    https://docs.microsoft.com/en-us/windows-hardware/drivers/kernel/ . There is no
    fast and easy way; you must understand the kernel environment.

    On Wed, Jun 20, 2018 at 10:05 AM, xxxxx@gmail.com wrote:

    > I understand that my question is about understanding a few of the
    > fundamentals of the minifilter.
    > But I believe that my questions are simply issues that originate from a
    > lack of documentation.
    > For instance, what is a file object pointer? (question 2) Does it point
    > to a struct which is loaded into an individual process, or is it a global
    > pointer whose address every process can use in order to access it?
    > Another question was about implementation: how can I get the path without
    > knowing its length? I have to allocate enough memory for it.
    > The first question also originated from a lack of documentation: some
    > pages claimed that the file object can only access the full path if it
    > was created by a CREATE IRP, although other pages claimed it was possible
    > to access it no matter what IRP was used to create it. It is very
    > confusing, so I would love it if someone could just explain those few
    > specific issues.
  • Scott_Noone_(OSR) Posts: 3,004
    A File Object represents a unique open instance of a device or a child of a
    device (e.g. stream, file, directory). This is not a minifilter concept,
    this is a fundamental operating system concept. So, what Sergey said.

    For your implementation questions, have you looked at the MiniSpy sample
    yet?

    -scott
    OSR
    @OSRDrivers

