A FILE_OBJECT is passed during the process create callback and I'd like to lookup the file context of the object. To do that, you need a FLT_INSTANCE which is not passed during the process callback. What is the best way to get an INSTANCE in order to lookup the context?
I haven't tried it yet but it seems like this combination will work however, I'm wondering if there is a better/more appropriate way.
FltGetFilterFromName -> FltGetVolumeFromFileObject -> FltGetTop/BottomInstance -> FltGetFileContext
It looks like you're new here. If you want to get involved, click one of these buttons!
|Upcoming OSR Seminars|
|OSR has suspended in-person seminars due to the Covid-19 outbreak. But, don't miss your training! Attend via the internet instead!||Kernel Debugging||30 Mar 2020||OSR Seminar Space|
|Developing Minifilters||20 Apr 2020||LIVE ONLINE|
|Writing WDF Drivers||11 May 2020||LIVE ONLINE|
|Internals & Software Drivers||28 Sept 2020||Dulles, VA|