Getting the original file name path passed to CreateFile

steven_wootton Member Posts: 1

Hi, we have a minifilter driver that is successfully reading and monitoring full file paths for opened files using CreateFile called in user land. We're now trying to figure out how to detect paths opened using the raw device path (Sysmon does this somehow, so we know it's possible). For example:

\\.\HarddiskVolume3\windows\temp\devicepath.tst
\\.\C:\windows\temp\devicepath2.tst

Users could attempt to get around auditing tools using these paths which are valid but unusual.

Unfortunately, by the time the callback for IRP_MJ_CREATE gets called the paths have been normalized to \device\harddiskvolumeX\windows\temp\devicepath.tst. The original asked for path does not appear in any of the structures (Data or FltObjects). We've tried calling FltGetFileNameInformation without the FLT_FILE_NAME_NORMALIZED parameter but I think that just will get you a relative path not the original path.

ntStatus = FltGetFileNameInformation(Data, FLT_FILE_NAME_OPENED | FLT_FILE_NAME_QUERY_ALWAYS_ALLOW_CACHE_LOOKUP, &fileNameInformation);

We've reviewed the following thread but that deals with \\.\PhysicalDriveX paths which I believe gives you access to the volume's partition table and geometry info.
https://community.osr.com/discussion/252484/intercept-raw-disk-access

Any ideas would be much appreciated. Thanks!
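As an added illustration (not code from the post or from OSR), this Python reproduces the mapping the Object Manager performs on the path spellings above, so a user-mode audit component that still sees the requested string can flag the unusual forms and compare them with the normalized name the minifilter reports. The drive-letter to volume mapping is a constructed assumption, and the `\\?\` prefix is handled in addition to the `\\.\` prefix from the post.

```python
import re

# Constructed drive-letter -> volume device map (an assumption for this
# example; a real tool would query it via QueryDosDevice or \GLOBAL??).
DOS_DEVICES = {"C:": r"\Device\HarddiskVolume3"}

_DEVICE_PREFIX = re.compile(r"^\\\\[.?]\\")                # \\.\ or \\?\
_DRIVE = re.compile(r"^([A-Za-z]:)(\\.*)?$")               # C: or C:\rest
_VOLUME = re.compile(r"^(HarddiskVolume\d+)(\\.*)?$", re.IGNORECASE)
_NT = re.compile(r"^\\Device\\", re.IGNORECASE)


def normalize(path, dos_devices=DOS_DEVICES):
    """Return (syntax, nt_path) for a path handed to CreateFile.

    syntax is 'drive', 'win32-drive', 'win32-volume' or 'nt'; nt_path is
    the \\Device\\HarddiskVolumeN\\... form the minifilter sees.
    """
    if _NT.match(path):                      # already an NT device path
        return "nt", path
    m = _DEVICE_PREFIX.match(path)           # strip \\.\ or \\?\ if present
    rest = path[m.end():] if m else path
    mv = _VOLUME.match(rest)
    if m and mv:                             # \\.\HarddiskVolumeN\rest
        return "win32-volume", "\\Device\\" + mv.group(1) + (mv.group(2) or "")
    md = _DRIVE.match(rest)                  # C:\rest or \\.\C:\rest
    if md:
        letter = md.group(1).upper()
        if letter not in dos_devices:
            raise ValueError("unknown drive " + letter)
        syntax = "win32-drive" if m else "drive"
        return syntax, dos_devices[letter] + (md.group(2) or "")
    raise ValueError("unrecognised path syntax: " + path)


def is_unusual_syntax(path):
    """True for the 'valid but unusual' spellings an audit tool should note."""
    return normalize(path)[0] != "drive"


def same_target(a, b):
    """NT object names are compared case-insensitively."""
    return normalize(a)[1].lower() == normalize(b)[1].lower()
```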

Comments

  • Scott_Noone_(OSR) Administrator Posts: 3,302

    The media device name portion gets resolved by the Object Manager, so by the time we see the request at the file system layer all we get is the media device object pointer and the relative path. I'm not sure how Sysmon would manage to get back to the exact originally requested name with the device portion intact (the I/O Manager has it buried in an internal structure but I don't know of a way to get it).

    Can you provide an example of a Sysmon event that has a name like that?

    -scott
    OSR
