I am trying to develop an auditing minifilter that captures all file/dir/share create/delete/rename/read/writes occurring on a volume. I followed the minispy code that MSFT released and made the following modifications to identify file/dir creates. I replaced the handler for IRP_MJ_CREATE with the following handler:
FLT_PREOP_CALLBACK_STATUS
#pragma warning(suppress: 6262) // higher than usual stack usage is considered safe in this case
SpyPreCreateOperationCallback(
    _Inout_ PFLT_CALLBACK_DATA Data,
    _In_ PCFLT_RELATED_OBJECTS FltObjects,
    _Flt_CompletionContext_Outptr_ PVOID *CompletionContext
    )
{
    BOOLEAN interested = FALSE;
    // Options packs the create disposition in the high 8 bits and the
    // FILE_* create options (e.g. FILE_DELETE_ON_CLOSE) in the low 24 bits.
    ULONG createOptions = Data->Iopb->Parameters.Create.Options;
    UCHAR disp = (createOptions >> 24) & 0xFF;

    if (FlagOn(createOptions, FILE_DELETE_ON_CLOSE) ||
        disp == FILE_SUPERSEDE ||
        disp == FILE_CREATE ||
        disp == FILE_OPEN_IF ||
        disp == FILE_OVERWRITE_IF) {
        // We are only interested in creates & deletes.
        //
        // All of the above disposition values can potentially create the file.
        // Whether the file was actually created or an existing file was opened can
        // only be determined in the PostOperationCallback via IoStatus.Information.
        //
        interested = TRUE;
    }

    if (interested) {
        // Follow the minispy path as before.
        return SpyPreOperationCallback(Data, FltObjects, CompletionContext);
    } else {
        // We are not interested. Don't call the PostOp callback.
        *CompletionContext = NULL;
        return FLT_PREOP_SUCCESS_NO_CALLBACK;
    }
}
In user-space I check that IoStatus.Information == FILE_CREATED to verify that the file was actually created and not just opened or overwritten. It seems to work from the shell and Windows Explorer, but I am not sure if this code catches all possible ways in which files can be created. Feedback is welcome…
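As an added illustration (not the poster's code, and built without the WDK), here is a user-mode C model of the same pre-create filter together with the documented IoStatus.Information outcome of each disposition, which is what the post-create side has to interpret. The WDK constant values are reproduced locally so it compiles stand-alone; the helper names are hypothetical.

```c
#include <stdint.h>
#include <stdbool.h>

/* WDK values, copied here so the example builds without ntifs.h / fltKernel.h */
#define FILE_SUPERSEDE       0x00000000
#define FILE_OPEN            0x00000001
#define FILE_CREATE          0x00000002
#define FILE_OPEN_IF         0x00000003
#define FILE_OVERWRITE       0x00000004
#define FILE_OVERWRITE_IF    0x00000005
#define FILE_DELETE_ON_CLOSE 0x00001000
#define FILE_SUPERSEDED      0x00000000
#define FILE_OPENED          0x00000001
#define FILE_CREATED         0x00000002
#define FILE_OVERWRITTEN     0x00000003

/* Data->Iopb->Parameters.Create.Options: disposition in the high byte,
 * FILE_* create options in the low 24 bits. */
static uint32_t create_disposition(uint32_t options) { return (options >> 24) & 0xFF; }
static uint32_t create_options(uint32_t options)     { return options & 0x00FFFFFF; }

/* Same decision as the post's pre-create callback: dispositions that may
 * create a file, or any open with delete-on-close. */
static bool precreate_interested(uint32_t options)
{
    uint32_t disp = create_disposition(options);
    return (create_options(options) & FILE_DELETE_ON_CLOSE) != 0 ||
           disp == FILE_SUPERSEDE || disp == FILE_CREATE ||
           disp == FILE_OPEN_IF   || disp == FILE_OVERWRITE_IF;
}

/* Documented IoStatus.Information for a successful create, by disposition and
 * whether the file already existed; -1 marks combinations that fail instead. */
static int expected_information(uint32_t disp, bool existed)
{
    switch (disp) {
    case FILE_SUPERSEDE:    return existed ? FILE_SUPERSEDED  : FILE_CREATED;
    case FILE_OPEN:         return existed ? FILE_OPENED      : -1;
    case FILE_CREATE:       return existed ? -1               : FILE_CREATED;
    case FILE_OPEN_IF:      return existed ? FILE_OPENED      : FILE_CREATED;
    case FILE_OVERWRITE:    return existed ? FILE_OVERWRITTEN : -1;
    case FILE_OVERWRITE_IF: return existed ? FILE_OVERWRITTEN : FILE_CREATED;
    default:                return -1;
    }
}

/* For an audit log: FILE_CREATED is a brand-new file, but FILE_SUPERSEDED and
 * FILE_OVERWRITTEN also discard the previous contents and are worth recording. */
static bool information_is_create_or_replace(int info)
{
    return info == FILE_CREATED || info == FILE_SUPERSEDED || info == FILE_OVERWRITTEN;
}
```

Note that a plain FILE_OVERWRITE (disposition 4) never passes the pre-create filter even though a successful one destroys the existing data, so an audit that cares about content replacement would want to include it too.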