A FILE_OBJECT is passed during the process create callback and I'd like to lookup the file context of the object. To do that, you need a FLT_INSTANCE which is not passed during the process callback. What is the best way to get an INSTANCE in order to lookup the context?
I haven't tried it yet but it seems like this combination will work however, I'm wondering if there is a better/more appropriate way.
FltGetFilterFromName -> FltGetVolumeFromFileObject -> FltGetTop/BottomInstance -> FltGetFileContext
It looks like you're new here. If you want to get involved, click one of these buttons!
|Upcoming OSR Seminars|
|Writing WDF Drivers||21 Oct 2019||OSR Seminar Space & ONLINE|
|Internals & Software Drivers||18 Nov 2019||Dulles, VA|
|Kernel Debugging||30 Mar 2020||OSR Seminar Space|
|Developing Minifilters||27 Apr 2020||OSR Seminar Space & ONLINE|