I wrote a minifilter to filter some operations on a folder. I want to pass the operations from my drivers and stop the operations from untrusted programs.
However, I can't get any information to determine whether the IRP came from my drivers. I can get the process information. But when the operation came from a driver, the process's information can help me to determine where the IRP really came from.
Any guidance would be helpful. Thanks.