Hi, I'm making a minifilter to monitor when images are mapped in a certain path. In order to do that I'm using the PLOAD_IMAGE_NOTIFY_ROUTINE callback registered by PsSetLoadImageNotifyRoutine.
The problem I have is that when the callback is called I have a UNICODE_STRING with an NT path like \Device\HarddiskVolume6. I would like to get the corresponding drive letter for this device in order to compare it with the path I want to monitor. How can I convert it (or convert the DOS path to an NT one) so that I can compare them?
Take a look at FilterGetDosName https://docs.microsoft.com/en-us/windows/win32/api/fltuser/nf-fltuser-filtergetdosname
I'm in kernel mode, not user mode.
The documentation also refers to the various calls that can be made in the kernel. But in general, using C:.. in the kernel is a poor idea, since a user can reassign the drive mapping.
Should I go for ZwOpenSymbolicLinkObject + ZwQuerySymbolicLinkObject and convert the C: path to an NT path so I can compare them properly?
I think that the best way is to have your user-mode app convert the path you want to monitor from Win32 to NT and have the app supply the NT path to the driver.
Using ZwOpenSymbolicLinkObject will work.
Bill Wandel
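An added example (not code from this thread or from any of its posters) of the approach suggested above: resolve the drive letter of the monitored directory to its device name once, up front, and then compare the NT path the load-image callback delivers against that NT-form prefix. The DosDevices table below is constructed so the code runs offline; it stands in for the \??\C: symbolic-link lookup that ZwOpenSymbolicLinkObject + ZwQuerySymbolicLinkObject (or QueryDosDeviceW in a user-mode helper) would perform. The function names dos_to_nt_path, nt_path_under and image_in_monitored_dir are this example's own. The comparison is case-insensitive and stops only on a path-component boundary, so a monitored \Device\HarddiskVolume6 does not accidentally match an image loaded from \Device\HarddiskVolume60.

```c
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed stand-in for the \?? (DosDevices) object directory.
 * In the kernel this is ZwOpenSymbolicLinkObject + ZwQuerySymbolicLinkObject
 * on "\??\C:"; here it is a fixed table so the example runs offline.
 * D: deliberately maps to HarddiskVolume60 to exercise the prefix check. */
static const struct { const char *link; const char *target; } k_dos_devices[] = {
    { "C:", "\\Device\\HarddiskVolume6" },
    { "D:", "\\Device\\HarddiskVolume60" },
    { "E:", "\\Device\\CdRom0" },
};

/* Look up a drive letter ("C:") in the table; NULL if there is no such link. */
static const char *lookup_dos_device(const char *drive)
{
    size_t n = sizeof k_dos_devices / sizeof k_dos_devices[0];
    for (size_t i = 0; i < n; i++) {
        if (toupper((unsigned char)drive[0]) == k_dos_devices[i].link[0] && drive[1] == ':')
            return k_dos_devices[i].target;
    }
    return NULL;
}

/* Convert "C:\Tools\a.dll" into "\Device\HarddiskVolume6\Tools\a.dll".
 * Returns a malloc'd string the caller frees, or NULL if the input is not
 * a drive-letter path or the letter has no device behind it. */
char *dos_to_nt_path(const char *dos_path)
{
    if (!dos_path || !isalpha((unsigned char)dos_path[0]) || dos_path[1] != ':')
        return NULL;
    char drive[3] = { dos_path[0], ':', '\0' };
    const char *dev = lookup_dos_device(drive);
    if (!dev)
        return NULL;
    const char *rest = dos_path + 2;           /* "\Tools\a.dll" or "" */
    size_t len = strlen(dev) + strlen(rest) + 1;
    char *out = malloc(len);
    if (!out)
        return NULL;
    snprintf(out, len, "%s%s", dev, rest);
    return out;
}

/* Case-insensitive test that nt_path lies under the directory nt_prefix.
 * The match must end on a component boundary ('\' or end of string), so
 * "\Device\HarddiskVolume6" does not match "\Device\HarddiskVolume60\x.dll"
 * and "...\Program Files" does not match "...\Program Files2\x.dll".
 * Returns 1 on match, 0 otherwise. */
int nt_path_under(const char *nt_path, const char *nt_prefix)
{
    size_t plen = strlen(nt_prefix);
    while (plen > 0 && nt_prefix[plen - 1] == '\\')   /* tolerate a trailing '\' */
        plen--;
    if (plen == 0)
        return 0;
    for (size_t i = 0; i < plen; i++) {
        if (nt_path[i] == '\0')                         /* image path is shorter */
            return 0;
        if (tolower((unsigned char)nt_path[i]) != tolower((unsigned char)nt_prefix[i]))
            return 0;
    }
    return nt_path[plen] == '\0' || nt_path[plen] == '\\';
}

/* What the load-image callback would do with FullImageName: compare it
 * against the monitored directory, which was converted to NT form first. */
int image_in_monitored_dir(const char *image_nt_path, const char *monitored_dos_dir)
{
    char *nt_dir = dos_to_nt_path(monitored_dos_dir);
    if (!nt_dir)
        return 0;
    int hit = nt_path_under(image_nt_path, nt_dir);
    free(nt_dir);
    return hit;
}

int main(void)
{
    /* Constructed image paths in the form PsSetLoadImageNotifyRoutine reports them. */
    const char *images[] = {
        "\\Device\\HarddiskVolume6\\Tools\\a.dll",
        "\\Device\\HarddiskVolume60\\Tools\\a.dll",
        "\\device\\harddiskvolume6\\TOOLS\\b.dll",
        "\\Device\\HarddiskVolume6\\Tools2\\c.dll",
    };
    for (size_t i = 0; i < sizeof images / sizeof images[0]; i++)
        printf("%-45s monitored=%d\n", images[i], image_in_monitored_dir(images[i], "C:\\Tools"));
    return 0;
}
```

In a real driver the image name arrives as a UNICODE_STRING that is not NUL-terminated and counts bytes, not characters, so the prefix walk above becomes a bounded comparison over Length/sizeof(WCHAR) with RtlUpcaseUnicodeChar (or RtlPrefixUnicodeString plus a manual boundary check) rather than tolower. The resolution step is also the part that should run once, ideally in the user-mode component as suggested above, because the drive-letter mapping can change underneath a driver that re-resolves it on every image load.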
Finally I solved it with ZwOpenFile + ObReferenceObjectByHandle + IoQueryFileDosDeviceName (in this order). If someone has the same problem, there you have the answer.