FltGetXXXContext in PsSetCreateProcessNotifyRoutine callback

MDH Member Posts: 16

A FILE_OBJECT is passed during the process create callback and I'd like to look up the file context of the object. To do that, you need a FLT_INSTANCE, which is not passed during the process callback. What is the best way to get an INSTANCE in order to look up the context?

I haven't tried it yet, but it seems like this combination will work; however, I'm wondering if there is a better/more appropriate way.
FltGetFilterFromName -> FltGetVolumeFromFileObject -> FltGetTop/BottomInstance -> FltGetFileContext

Comments

  • rod_widdowson Member - All Emails Posts: 1,113

    I’d save the FltFilter right after you register. Then get the volume as you say and then use FltEnumerateInstances

  • MDH Member Posts: 16

    @rod_widdowson said:
    I’d save the FltFilter right after you register. Then get the volume as you say and then use FltEnumerateInstances

    Thanks Rod. Didn't even think about saving the filter on registration. What's the benefit of using FltEnumInstances vs just using the top or bottom one? Also if you enum the instances which instance should be used for the context call? The first one returned or does it not matter?

  • rod_widdowson Member - All Emails Posts: 1,113

    Well it looks as though FltEnumInstances does a “lookup by filter”....
