Hi, we have a minifilter driver that is successfully reading and monitoring full file paths for opened files using CreateFile called in user land. We're now trying to figure out how to detect paths opened using the raw device path (Sysmon does this somehow, so we know it's possible). For example
Users could attempt to get around auditing tools using these paths which are valid but unusual.
Unfortunately, by the time the callback for IRP_MJ_CREATE gets called the paths have been normalized to \device\harddiskvolumeX\windows\temp\devicepath.tst. The originally asked-for path does not appear in any of the structures (Data or FltObjects). We've tried calling FltGetFileNameInformation without the FLT_FILE_NAME_NORMALIZED parameter, but I think that will just get you a relative path, not the original path.
ntStatus = FltGetFileNameInformation(Data, FLT_FILE_NAME_OPENED | FLT_FILE_NAME_QUERY_ALWAYS_ALLOW_CACHE_LOOKUP, &fileNameInformation);
We've reviewed the following thread but that deals with \\.\PhysicalDriveX paths which I believe gives you access to the volume's partition table and geometry info.
Any ideas would be much appreciated. Thanks!
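The normalization described in the post happens before the file system is reached: the object manager resolves the `\??\` symbolic links (drive letters, `HarddiskVolumeN`, `Volume{GUID}`, `GLOBALROOT`, `UNC`) and the I/O manager hands the file system a create for `\Device\HarddiskVolumeN\...` plus the remaining path, so every spelling of the same file arrives at IRP_MJ_CREATE as one NT path. The following is an added example, not code from the post or from any OSR or Microsoft source. It models that resolution in user-mode Python so an auditor that still has the original string (command-line telemetry, ETW, a user-mode hook) can compute the path the filter will log and flag device-alias spellings. The symbolic-link table is constructed; on a real machine it comes from QueryDosDevice or WinObj, and the volume numbers and GUID here are made up.

```python
"""Model of how the Windows object manager turns the different Win32 spellings
of a file path into the single NT device path a minifilter sees at IRP_MJ_CREATE.
Added example; the \\?? link table is a constructed sample, not a real machine's."""

# Constructed sample of the \?? (DosDevices) symbolic-link namespace.
# Keys are upper-cased because the object manager's lookup is case-insensitive.
DOS_DEVICE_LINKS = {
    "C:": r"\Device\HarddiskVolume3",
    "D:": r"\Device\HarddiskVolume4",
    "HARDDISKVOLUME3": r"\Device\HarddiskVolume3",
    "HARDDISKVOLUME4": r"\Device\HarddiskVolume4",
    "VOLUME{11111111-2222-3333-4444-555555555555}": r"\Device\HarddiskVolume3",
    "GLOBALROOT": "",             # \??\GLOBALROOT links to the namespace root "\"
    "UNC": r"\Device\Mup",        # \\server\share and \\?\UNC\server\share
}

# First-component spellings that a drive-letter-only audit rule would miss.
RAW_DEVICE_PREFIXES = ("HARDDISKVOLUME", "VOLUME{", "GLOBALROOT")


def _collapse_dots(rest: str) -> str:
    """Win32 normalisation for non-\\?\ paths: drop empty and '.' components and
    let '..' consume the previous component without climbing above the device root."""
    parts = []
    for seg in rest.split("\\"):
        if seg in ("", "."):
            continue
        if seg == "..":
            if parts:
                parts.pop()
            continue
        parts.append(seg)
    return "\\".join(parts)


def win32_to_nt_path(path: str) -> str:
    """Resolve a Win32 path to the NT path the I/O manager opens.

    Mirrors the \\?\ / \\.\ / drive-letter / UNC prefix handling of
    RtlDosPathNameToNtPathName_U and then the symbolic-link walk through \??.
    Relative paths need the process current directory and are not modelled."""
    verbatim = path.startswith("\\\\?\\")
    if verbatim:
        p = path[4:]                                  # \\?\X -> \??\X, no normalisation
    elif path.startswith("\\\\.\\"):
        p = path[4:].replace("/", "\\")               # \\.\X -> \??\X, normalised
    elif path.startswith("\\\\"):
        p = "UNC\\" + path[2:].replace("/", "\\")     # \\server\share -> \??\UNC\server\share
    elif len(path) >= 3 and path[1] == ":" and path[2] in "\\/":
        p = path.replace("/", "\\")                   # C:\X -> \??\C:\X
    else:
        raise ValueError("relative paths are not modelled: %r" % path)

    head, _, rest = p.partition("\\")
    if head.upper() not in DOS_DEVICE_LINKS:
        raise ValueError("no \\??\\%s symbolic link in the sample table" % head)
    target = DOS_DEVICE_LINKS[head.upper()]
    if not verbatim:
        rest = _collapse_dots(rest)
    return target + ("\\" + rest if rest else "")


def is_raw_device_spelling(path: str) -> bool:
    """True when the caller named the volume through a device alias rather than a
    drive letter or UNC name: the unusual-but-valid spellings the post wants to audit."""
    for prefix in ("\\\\?\\", "\\\\.\\"):
        if path.startswith(prefix):
            head = path[4:].replace("/", "\\").partition("\\")[0].upper()
            return head.startswith(RAW_DEVICE_PREFIXES)
    return False


def audit(requested: str) -> dict:
    """What a user-mode auditor can record: the spelling the caller used, the NT
    path the minifilter will see, and whether the spelling was a device alias."""
    return {
        "requested": requested,
        "nt_path": win32_to_nt_path(requested),
        "raw_device_alias": is_raw_device_spelling(requested),
    }


if __name__ == "__main__":
    # Four spellings of the same file; all reach the filter as one NT path.
    for spelling in (
        r"C:\Windows\Temp\devicepath.tst",
        r"\\.\HarddiskVolume3\Windows\Temp\devicepath.tst",
        r"\\?\Volume{11111111-2222-3333-4444-555555555555}\Windows\Temp\devicepath.tst",
        r"\\?\GLOBALROOT\Device\HarddiskVolume3\Windows\Temp\devicepath.tst",
    ):
        print(audit(spelling))
```

The model stops at the device prefix and dot collapsing; it does not reproduce the rest of Win32 normalisation (trailing space and dot trimming, reserved names such as CON) or the later symbolic-link and reparse-point resolution the file system itself performs, which is why the kernel-side normalized name can still differ from this result in those cases.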