Hello. My minifilter driver catches the IRP_MJ_CREATE operation (post-operation callback), gets the file name (.exe extensions only), and copies the file name into a stream context so it can be passed on to IRP_MJ_CLEANUP. But sometimes I see the callback run multiple times.
For example, in the Python interpreter:
f = open("2.exe", 'wb')
f.close()
f = open("2.exe", 'wb')
in DbgView:
Context not found creating…:\Device\HarddiskVolume4\Users\admin\Desktop\2.exe
Context found:\Device\HarddiskVolume4\Users\admin\Desktop\2.exe
This works well. But when I open Notepad, write some random data, and save it as an .exe file, I see multiple callbacks in DbgView:
Context not found creating…:\Device\HarddiskVolume4\Users\admin\Desktop\3.exe
Context not found creating…:\Device\HarddiskVolume4\Users\admin\Desktop\3.exe
Non-production code:
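/*
 * Post-operation callback for IRP_MJ_CREATE.
 *
 * For a successful, write-capable open of a file whose extension matches
 * ExeExtension, looks up the stream context for the opened stream. If none
 * exists yet, a SCANNER_STREAM_CONTEXT is allocated, filled with the
 * normalized file name, and attached to the stream.
 *
 * Always returns FLT_POSTOP_FINISHED_PROCESSING. Every reference taken here
 * (file name information, stream context) is released before returning.
 *
 * NOTE(review): the lookup can report STATUS_NOT_FOUND more than once for the
 * same path if the stream was torn down or the file was deleted and recreated
 * between two opens. Confirm against the actual create/cleanup sequence of
 * the application before treating repeated "not found" lines as a bug.
 */
FLT_POSTOP_CALLBACK_STATUS PostOpCreate(PFLT_CALLBACK_DATA Data,
                                        PCFLT_RELATED_OBJECTS FltObjects,
                                        PVOID CompletionContext,
                                        FLT_POST_OPERATION_FLAGS Flags)
{
    PFLT_FILE_NAME_INFORMATION FileNameInfo = NULL;
    PSCANNER_STREAM_CONTEXT scannerContext = NULL;
    NTSTATUS status;
    SIZE_T nameBytes;

    UNREFERENCED_PARAMETER(CompletionContext);

    /* The instance is being torn down: do no work on this operation. */
    if (Flags & FLTFL_POST_OPERATION_DRAINING) {
        return FLT_POSTOP_FINISHED_PROCESSING;
    }

    /* Nothing was opened if the create failed or was reparsed. */
    if (!NT_SUCCESS(Data->IoStatus.Status) ||
        (STATUS_REPARSE == Data->IoStatus.Status)) {
        return FLT_POSTOP_FINISHED_PROCESSING;
    }

    status = FltGetFileNameInformation(Data,
                                       FLT_FILE_NAME_NORMALIZED | FLT_FILE_NAME_QUERY_DEFAULT,
                                       &FileNameInfo);
    if (!NT_SUCCESS(status)) {
        goto exit;
    }

    status = FltParseFileNameInformation(FileNameInfo);
    if (!NT_SUCCESS(status)) {
        goto exit;
    }

    /* Only opens that can modify the file are tracked. */
    if (!FltObjects->FileObject->WriteAccess) {
        goto exit;
    }

    if (FileNameInfo->Extension.Length == 0 || FileNameInfo->Extension.Buffer == NULL) {
        goto exit;
    }

    /*
     * Compare case-insensitively: Windows file names are case-insensitive by
     * default, so "3.EXE" must be tracked just like "3.exe".
     */
    if (RtlCompareUnicodeString(&FileNameInfo->Extension, &ExeExtension, TRUE) != 0) {
        goto exit;
    }

    status = FltGetStreamContext(FltObjects->Instance, FltObjects->FileObject, &scannerContext);
    if (NT_SUCCESS(status)) {
        /* Reference taken by FltGetStreamContext is dropped at exit. */
        DbgPrint("Context found:%S\n", scannerContext->Path);
        /*scannerContext->reScan = TRUE;*/
        goto exit;
    }

    if (status != STATUS_NOT_FOUND) {
        goto exit;
    }

    /* %wZ takes a pointer to the UNICODE_STRING, not the structure by value. */
    DbgPrint("Context not found creating...:%wZ\n", &FileNameInfo->Name);

    /*
     * Bound the copy by the destination. Name.Length is the number of valid
     * bytes; MaximumLength is only the capacity of the source buffer and may
     * exceed both the valid data and the size of Path.
     * Assumes Path is an inline WCHAR array inside SCANNER_STREAM_CONTEXT (the
     * structure is not shown here) - TODO confirm; for a pointer member this
     * sizeof would be wrong.
     */
    nameBytes = FileNameInfo->Name.Length;
    if (nameBytes + sizeof(WCHAR) > sizeof(scannerContext->Path)) {
        /* Do not record a truncated path: it would name a different file. */
        DbgPrint("Path too long for stream context, not tracking:%wZ\n", &FileNameInfo->Name);
        goto exit;
    }

    status = FltAllocateContext(hXRFilter,
                                FLT_STREAM_CONTEXT,
                                sizeof(SCANNER_STREAM_CONTEXT),
                                NonPagedPool,
                                &scannerContext);
    if (!NT_SUCCESS(status)) {
        goto exit;
    }

    scannerContext->reScan = FALSE;
    RtlCopyMemory(scannerContext->Path, FileNameInfo->Name.Buffer, nameBytes);
    /* UNICODE_STRING buffers are not guaranteed to be terminated; %S needs it. */
    scannerContext->Path[nameBytes / sizeof(WCHAR)] = L'\0';

    status = FltSetStreamContext(FltObjects->Instance,
                                 FltObjects->FileObject,
                                 FLT_SET_CONTEXT_REPLACE_IF_EXISTS,
                                 scannerContext,
                                 NULL);
    if (!NT_SUCCESS(status)) {
        /* The context was not attached; the release at exit frees it. */
        DbgPrint("FltSetStreamContext failed:0x%08X\n", status);
    }

exit:
    if (FileNameInfo != NULL) {
        FltReleaseFileNameInformation(FileNameInfo);
    }
    if (scannerContext != NULL) {
        FltReleaseContext(scannerContext);
    }
    return FLT_POSTOP_FINISHED_PROCESSING;
}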
What is the problem, and how can I solve it? Thank you for reading…