Windows System Software -- Consulting, Training, Development -- Unique Expertise, Guaranteed Results
More Info on Driver Writing and Debugging
The free OSR Learning Library has more than 50 articles on a wide variety of topics about writing and debugging device drivers and Minifilters. From introductory level to advanced. All the articles have been recently reviewed and updated, and are written using the clear and definitive style you've come to expect from OSR over the years.
Check out The OSR Learning Library at: https://www.osr.com/osr-learning-library/
Uniformity of file paths in kernel-mode
Dear board writers !
I'm using PsSetCreateProcessNotifyRoutineEx and a minifilter to restrict access to certain kind of files/pcoesses. When my callback of process creation is triggered, the file path received in parameter has the form of something like \??\C:\Users\root\Desktop\Service.exe. When one of the callbacks of the minifilter is triggered, I use the function FltGetFileNameInformation to retrieve the path of the file, which has the form of \Device\HarddiskVolume4\Users\root\Desktop\Service.exe.
Is there an idiomatic way to represent file paths kernel-side ? How can I unify those two data sources to have a same kind of path formatting ?
Thanks for your help !
| Upcoming OSR Seminars | ||
|---|---|---|
| OSR has suspended in-person seminars due to the Covid-19 outbreak. But, don't miss your training! Attend via the internet instead! | ||
| Internals & Software Drivers | 30 Nov 2020 | LIVE ONLINE |
| Writing WDF Drivers | 7 Dec 2020 | LIVE ONLINE |
| Developing Minifilters | Early 2021 | LIVE ONLINE |
Comments
\??\c:is a symbolic link. There used to be (and may still be) a program called ObjDir to help you understand all that stuff.Pragmatically the easiest way is to open the file, normalize the name and take what the filter manager gives you.
You might also want to worry about volume guids which are persistent.
One way is to open and query the symbolic link with ZwOpenSymbolicLinkObject/ZwQuerySymbolicLinkObject. Another way is to get a handle to the new process and call ZwQueryInformationProcess to get the physical path.
Bill Wandel
Hey, many thanks for your answers!
I need the physical path when the callback of PsSetCreateProcessNotifyRoutineEx is triggered, so I can add the process in a collection. As this callback occurs before the finalization of the process creation, ZwQueryInformationProcess does not work unfortunately.
After your suggestion I tried the program WinObj and effectively, it provides a nice GUI to visualize those paths! I tried to convert the symbolic link into its physical path using ZwOpenSymbolicLinkObject/ZwQuerySymbolicLinkObject, but I cannot make it work for a path with the format **\??**. Here is the code:
OBJECT_ATTRIBUTES objAttr; HANDLE f; InitializeObjectAttributes(&objAttr, (PUNICODE_STRING)CreateInfo->ImageFileName, OBJ_CASE_INSENSITIVE | OBJ_KERNEL_HANDLE, NULL, NULL); NTSTATUS status = ZwOpenSymbolicLinkObject(&f, GENERIC_READ, &objAttr);Unfortunately, ZwOpenSymbolicLinkObject returns
STATUS_OBJECT_TYPE_MISMATCH. The image file name is equal to \??\C:\Windows\system32\notepad.exe. I tried to use a static string like \SystemRoot and it works. I guess it is something related with my symbolic path ?@Rod: Do you mean I should rather rely on a volume GUID than storing the first part of the path (\Device\HarddiskVolume4 for example) ?
Thanks for your help !
Actually ZwQueryInformationProcess does work.
Use ObOpenObjectByPointer with the supplied EPROCESS. Use the resulting handle in ZwQueryInrormationProcess.
Bill Wandel
I mean that you might want to think about it, depending on your precise requirements....
Mr Wandel,
You ended hours of headaches with a single function, THANK YOU !
My error is that I was passing the process id as an argument to ZwQueryInformationProcess instead of a real handle of the proces (!!).
Thanks again and enjoy your weekend
You can also call FltGetFileNameInformationUnsafe on CreateInfo->FileObject. This gives you the ability to normalize the path using standard FltMgr options.
-scott
OSR