find file pointer in pre write operation

Hi,

I am trying to monitor file modification (I want to monitor the first few bytes) using a minifilter. For this I am using the scanner source code available with the DDK. I am able to see the modifications now.
Now I need to check only the data that is written at the beginning of the file and neglect the rest of the data.
I want to modify the pre-write operation. Can we find to which file location the data is meant to be written? Is there anything in (PCFLT_RELATED_OBJECTS FltObjects) that says where the data is meant to be written?

I am new to filter drivers. Let me know if my approach of modifying the pre-write operation is correct.

Thanks,

See ByteOffset:

https://msdn.microsoft.com/en-us/library/windows/hardware/ff544808(v=vs.85).aspx

As a word of advice, you might want to spend some time playing with MiniSpy
and watching the output before you go any further. Better to spend some time
learning the environment first before going right into trying to value add.

-scott
OSR
@OSRDrivers


Thanks Scott. I’ll definitely follow your advice.
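An added example, not code from this thread or from the scanner sample: a portable C model of the check a pre-write callback could make once it has read ByteOffset. It assumes the caller passes in `Data->Iopb->Parameters.Write.ByteOffset.QuadPart` and `.Length`, the file object's `CurrentByteOffset`, and the current end of file; the function name, parameter names and the two `OFFSET_*` macros are hypothetical.

```c
#include <stdint.h>

/* ByteOffset.QuadPart sentinels: HighPart == -1 combined with LowPart ==
 * FILE_WRITE_TO_END_OF_FILE (0xffffffff) or
 * FILE_USE_FILE_POINTER_POSITION (0xfffffffe), both defined in wdm.h. */
#define OFFSET_WRITE_TO_EOF      ((int64_t)-1)  /* hypothetical name */
#define OFFSET_USE_FILE_POINTER  ((int64_t)-2)  /* hypothetical name */

/* Returns how many bytes of the monitored header [0, header_len) this
 * write covers, or 0 if it does not touch the header at all.
 * On a hit, *hdr_start is the file offset of the first covered byte, and
 * the covered data is the first <return value> bytes of the write buffer. */
uint32_t header_bytes_written(int64_t byte_offset, uint32_t length,
                              uint64_t current_pos, uint64_t eof,
                              uint32_t header_len, uint64_t *hdr_start)
{
    uint64_t start;

    if (byte_offset == OFFSET_WRITE_TO_EOF)
        start = eof;                 /* append: lands at end of file */
    else if (byte_offset == OFFSET_USE_FILE_POINTER)
        start = current_pos;         /* synchronous handle: file pointer */
    else if (byte_offset < 0)
        return 0;                    /* not a valid explicit offset */
    else
        start = (uint64_t)byte_offset;

    /* Zero-length writes and writes starting past the header are ignored. */
    if (length == 0 || start >= header_len)
        return 0;

    /* Clip the write to the part that falls inside the header. */
    uint64_t room = header_len - start;
    *hdr_start = start;
    return length < room ? length : (uint32_t)room;
}
```

The two sentinel cases matter for a header monitor: an append to a file shorter than the header, or a write through the current file pointer, can modify the first bytes even though ByteOffset is not a small positive number.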