
FltGetXXXContext in PsSetCreateProcessNotifyRoutine callback

MDH Member Posts: 22

A FILE_OBJECT is passed during the process create callback and I'd like to look up the file context of the object. To do that, you need a FLT_INSTANCE, which is not passed during the process callback. What is the best way to get an INSTANCE in order to look up the context?

I haven't tried it yet, but it seems like this combination will work; however, I'm wondering if there is a better/more appropriate way.
FltGetFilterFromName -> FltGetVolumeFromFileObject -> FltGetTop/BottomInstance -> FltGetFileContext

Comments

  • rod_widdowson Member - All Emails Posts: 1,158

    I’d save the FltFilter right after you register. Then get the volume as you say and then use FltEnumerateInstances

  • MDH Member Posts: 22

    @rod_widdowson said:
    I’d save the FltFilter right after you register. Then get the volume as you say and then use FltEnumerateInstances

    Thanks Rod. Didn't even think about saving the filter on registration. What's the benefit of using FltEnumInstances vs just using the top or bottom one? Also, if you enum the instances, which instance should be used for the context call? The first one returned, or does it not matter?

  • rod_widdowson Member - All Emails Posts: 1,158

    Well it looks as though FltEnumInstances does a “lookup by filter”....
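
The lookup discussed in this thread (keep the PFLT_FILTER from registration, get the volume from the FILE_OBJECT, enumerate this filter's instances on it) as an added example, not code posted by anyone in the thread. `LookupFileContext` and `MAX_INST` are hypothetical names, trying each instance in turn is an assumption about which instance owns the context, and the `#else` branch holds constructed stand-ins so the reference handling can be compiled and checked outside the WDK.

```c
#ifdef _KERNEL_MODE                 /* set by the WDK's /kernel builds */
#include <fltKernel.h>
#else  /* Host build only: constructed stand-ins, not the real Filter Manager. */
#include <stddef.h>
typedef int NTSTATUS; typedef unsigned long ULONG, *PULONG;
typedef void *PVOID, *PFLT_FILTER, *PFLT_VOLUME, *PFLT_INSTANCE, *PFLT_CONTEXT, *PFILE_OBJECT;
#define NT_SUCCESS(s) ((NTSTATUS)(s) >= 0)
#define STATUS_NOT_FOUND ((NTSTATUS)0xC0000225)
static int g_refs, g_inst[2], g_ctx;   /* fake reference count, instances, context */
static NTSTATUS FltGetVolumeFromFileObject(PFLT_FILTER f, PFILE_OBJECT o, PFLT_VOLUME *v)
{ (void)f; *v = o; g_refs++; return 0; }
static NTSTATUS FltEnumerateInstances(PFLT_VOLUME v, PFLT_FILTER f, PFLT_INSTANCE *l,
                                      ULONG n, PULONG r)
{ (void)v; (void)f; (void)n; l[0] = &g_inst[0]; l[1] = &g_inst[1]; *r = 2; g_refs += 2; return 0; }
static NTSTATUS FltGetFileContext(PFLT_INSTANCE i, PFILE_OBJECT o, PFLT_CONTEXT *c)
{ (void)o; *c = (i == &g_inst[1]) ? &g_ctx : NULL;   /* only the second instance has one */
  g_refs += (*c != NULL); return *c ? 0 : STATUS_NOT_FOUND; }
static void FltObjectDereference(PVOID o) { (void)o; g_refs--; }
#endif

#define MAX_INST 8   /* assumption: at most 8 instances of this filter per volume */

/* Filter is the PFLT_FILTER saved after FltRegisterFilter. On success the
   caller owns *Context and must FltReleaseContext() it. IRQL <= APC_LEVEL. */
NTSTATUS LookupFileContext(PFLT_FILTER Filter, PFILE_OBJECT FileObject,
                           PFLT_CONTEXT *Context)
{
    PFLT_VOLUME volume = NULL;
    PFLT_INSTANCE inst[MAX_INST];
    ULONG count = 0, i;
    NTSTATUS status;

    *Context = NULL;
    status = FltGetVolumeFromFileObject(Filter, FileObject, &volume);
    if (!NT_SUCCESS(status)) return status;
    /* Passing Filter limits the list to this minifilter's own instances. */
    status = FltEnumerateInstances(volume, Filter, inst, MAX_INST, &count);
    if (NT_SUCCESS(status)) {
        status = STATUS_NOT_FOUND;           /* until some instance yields a context */
        for (i = 0; i < count; i++) {
            if (*Context == NULL)            /* file contexts are per instance */
                status = FltGetFileContext(inst[i], FileObject, Context);
            FltObjectDereference(inst[i]);   /* enumeration referenced every entry */
        }
    }
    FltObjectDereference(volume);            /* drop the volume reference as well */
    return status;
}
```

If the filter has more than `MAX_INST` instances on a volume, the enumeration fails and so does this lookup; a production driver would size the list from the returned count instead.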
