Getting full file path out of WRITE operation

omri_aviasr (Member, 12 posts)
Hello, I am developing a minifilter, and one of my goals is to know which file in the file system was changed, by which process, and how. I am tracking only write operations, and I wish to get as much knowledge as I can about each operation and send it to a user-mode application.

1. One of my goals is finding the full path of the file which was changed, and I am a little bit confused about how it could be done. I know it is possible to use FltQueryInformationFile, but I couldn't understand if I can get the full path or only the file name. Then someone here in the forums told me about the version of this function in user mode, but still I can't tell if I can get the full path or only the file name. So my question is: which is the easiest way of extracting the full path of the target file from a WRITE operation passed to the minifilter?

2. Another problem: can I use the pointer to an OBJECT_FILE given in the minifilter, pass it to the user application, and use it there? Because it points only to some place in memory.

3. Another small issue: if I use XxxQueryInformationFile I should pass the FILE_NAME_INFORMATION to the function, but how can I know how much memory to allocate for the path?

Comments

  • Scott_Noone_(OSR) (Administrator, 3,073 posts)
    You're at the edge of a cliff and about to walk right off. You need to step
    back and learn more about minifilters.

    Have you tried playing with MiniSpy?

    https://github.com/Microsoft/Windows-driver-samples/tree/master/filesys/miniFilter/minispy

    Using it along with FileTest can be very enlightening:

    http://www.zezula.net/en/fstools/filetest.html

    I recommend adding a secondary volume to your system formatted with FAT.
    Then ONLY attach MiniSpy to the FAT volume, add some breakpoints, and start
    getting used to how things work.

    HTH,

    -scott
    OSR
    @OSRDrivers


  • omri_aviasr (Member, 12 posts)
    I understand that my question is about understanding a few of the fundamentals of the minifilter.
    But I believe that my questions are simply issues that originate from lack of documentation.
    For instance, what is a file object pointer? (question 2) Does it point to a struct which is loaded into an individual process, or is it a global pointer whose address every process can use in order to access it?
    Another question was about implementation: how can I get the path without knowing its length? I have to allocate enough memory for it.
    The first question also originated from lack of documentation: some pages claimed that the file object can only access the full path if it was created by a CREATE IRP, although some other pages claimed it was possible to access it no matter what IRP was used to create it, and it is very confusing, so I would love it if someone could just explain those few specific issues.
  • Sergey_Pisarev (Member, 141 posts)
    Before you start with minifilters you must understand how the kernel works in
    general. Start with the Windows Internals book and the kernel-mode architecture
    section on MSDN:
    https://docs.microsoft.com/en-us/windows-hardware/drivers/kernel/ . There is no fast
    and easy way; you must understand the kernel environment.

  • Scott_Noone_(OSR) (Administrator, 3,073 posts)
    A File Object represents a unique open instance of a device or a child of a
    device (e.g. stream, file, directory). This is not a minifilter concept,
    this is a fundamental operating system concept. So, what Sergey said.

    For your implementation questions, have you looked at the MiniSpy sample
    yet?

    -scott
    OSR
    @OSRDrivers

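The buffer-sizing question (3) in this thread comes down to the contract of the FileNameInformation class: FILE_NAME_INFORMATION carries FileNameLength in bytes, the name that follows it is not NUL-terminated, and when the caller's buffer is too small the query returns the warning code STATUS_BUFFER_OVERFLOW with FileNameLength already set to the full size, so the caller allocates that much and asks again. What follows is an added example, not code from the thread, from OSR or from the MiniSpy sample, that shows the two-pass logic in portable C. The sim_file type and sim_query_name routine are a constructed stand-in for ZwQueryInformationFile/FltQueryInformationFile so the code runs outside the kernel, and the sample path is made up; in a driver the malloc/free calls become pool allocations. Two points the example encodes: STATUS_BUFFER_OVERFLOW is a warning that NT_SUCCESS() rejects, so the truncated name left in the buffer must never be treated as the real one; and this information class returns the path relative to the volume root, not a drive letter or \Device\... name, which the caller has to prepend. In a minifilter the idiomatic route to a full name is FltGetFileNameInformation with FLT_FILE_NAME_NORMALIZED, released with FltReleaseFileNameInformation, which sizes the FLT_FILE_NAME_INFORMATION for you; and since a FILE_OBJECT pointer is a kernel-mode address, a name string like the one built here, not the pointer, is what a user-mode consumer can actually use.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Minimal NT definitions so this builds without the WDK; values match ntstatus.h. */
typedef uint32_t ULONG;
typedef uint16_t WCHAR;                               /* UTF-16 code unit */
typedef int32_t  NTSTATUS;
#define STATUS_SUCCESS                ((NTSTATUS)0x00000000)
#define STATUS_BUFFER_OVERFLOW        ((NTSTATUS)0x80000005)  /* warning: partial data */
#define STATUS_INFO_LENGTH_MISMATCH   ((NTSTATUS)0xC0000004)
#define STATUS_INSUFFICIENT_RESOURCES ((NTSTATUS)0xC000009A)
#define NT_SUCCESS(s) (((NTSTATUS)(s)) >= 0)          /* false for 0x8xxxxxxx warnings */

typedef struct _FILE_NAME_INFORMATION {               /* same layout as ntifs.h */
    ULONG FileNameLength;   /* in BYTES; FileName is not NUL-terminated */
    WCHAR FileName[1];      /* variable-length tail */
} FILE_NAME_INFORMATION;
#define FNI_HEADER ((ULONG)offsetof(FILE_NAME_INFORMATION, FileName))

/* Any routine with the Zw/FltQueryInformationFile(FileNameInformation) contract: fill buf,
   report bytes written, and on a too-small buffer set FileNameLength and return OVERFLOW. */
typedef NTSTATUS (*query_name_fn)(void *ctx, void *buf, ULONG buf_len, ULONG *written);

/* Two-pass query: small stack buffer first, then grow to the reported size; bounded retries
   cover a name that changes between passes. On success *out is a malloc'd NUL-terminated copy. */
NTSTATUS query_file_name(query_name_fn query, void *ctx, WCHAR **out, ULONG *out_chars)
{
    union { FILE_NAME_INFORMATION fni; unsigned char raw[FNI_HEADER + 32 * sizeof(WCHAR)]; } small;
    FILE_NAME_INFORMATION *info = &small.fni;
    ULONG buf_len = (ULONG)sizeof small, written = 0, need;
    void *heap = NULL;
    NTSTATUS status = STATUS_BUFFER_OVERFLOW;
    for (int attempt = 0; attempt < 4; attempt++) {
        status = query(ctx, info, buf_len, &written);
        if (status != STATUS_BUFFER_OVERFLOW)
            break;
        need = FNI_HEADER + info->FileNameLength;      /* header is valid on overflow */
        if (written < FNI_HEADER || need <= buf_len) { /* inconsistent provider: stop */
            status = STATUS_INFO_LENGTH_MISMATCH;
            break;
        }
        free(heap);
        if ((heap = malloc(need)) == NULL)
            return STATUS_INSUFFICIENT_RESOURCES;
        info = (FILE_NAME_INFORMATION *)heap;
        buf_len = need;
    }
    /* On STATUS_BUFFER_OVERFLOW the buffer holds a truncated name: never hand it out. */
    if (NT_SUCCESS(status)) {
        ULONG chars = info->FileNameLength / sizeof(WCHAR);
        WCHAR *name = (WCHAR *)malloc((chars + 1) * sizeof(WCHAR));
        if (name == NULL) {
            status = STATUS_INSUFFICIENT_RESOURCES;
        } else {
            memcpy(name, info->FileName, chars * sizeof(WCHAR));
            name[chars] = 0;                           /* terminator the API does not supply */
            *out = name;
            *out_chars = chars;
        }
    }
    free(heap);
    return status;
}

/* Constructed stand-in for the file system. A real one returns the path relative to the
   volume root here, never a drive letter or \Device\... prefix; the caller prepends those. */
typedef struct { WCHAR name[256]; ULONG name_bytes; int calls; } sim_file;

void sim_file_init(sim_file *f, const char *ascii_path)
{
    size_t i, n = strlen(ascii_path);
    if (n > 255) n = 255;
    for (i = 0; i < n; i++)
        f->name[i] = (WCHAR)(unsigned char)ascii_path[i];
    f->name_bytes = (ULONG)(n * sizeof(WCHAR));
    f->calls = 0;                                      /* query passes the caller needed */
}

NTSTATUS sim_query_name(void *ctx, void *buf, ULONG buf_len, ULONG *written)
{
    sim_file *f = (sim_file *)ctx;
    FILE_NAME_INFORMATION *info = (FILE_NAME_INFORMATION *)buf;
    ULONG avail, copy;
    f->calls++;
    if (buf_len < FNI_HEADER) { *written = 0; return STATUS_INFO_LENGTH_MISMATCH; }
    info->FileNameLength = f->name_bytes;              /* always the full length */
    avail = buf_len - FNI_HEADER;
    copy  = f->name_bytes < avail ? f->name_bytes : avail;
    memcpy(info->FileName, f->name, copy);             /* truncated copy when too small */
    *written = FNI_HEADER + copy;
    return copy < f->name_bytes ? STATUS_BUFFER_OVERFLOW : STATUS_SUCCESS;
}
```

With the constructed 43-character path, the first pass overflows the 32-WCHAR stack buffer and the second pass, sized from FileNameLength, succeeds; a short name such as \a.txt completes in one pass. The same caller logic works unchanged against the real query routines, because it relies only on the documented overflow behaviour and never on a guessed maximum path length.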
