Hi, we have a minifilter driver that is successfully reading and monitoring full file paths for opened files using CreateFile called in user land. We're now trying to figure out how to detect paths opened using the raw device path (Sysmon does this somehow, so we know it's possible). For example:
\\.\HarddiskVolume3\windows\temp\devicepath.tst
\\.\C:\windows\temp\devicepath2.tst
Users could attempt to get around auditing tools using these paths which are valid but unusual.
Unfortunately, by the time the callback for IRP_MJ_CREATE gets called, the paths have been normalized to \device\harddiskvolumeX\windows\temp\devicepath.tst. The originally requested path does not appear in any of the structures (Data or FltObjects). We've tried calling FltGetFileNameInformation without the FLT_FILE_NAME_NORMALIZED parameter, but I think that will just get you a relative path, not the original path.
ntStatus = FltGetFileNameInformation(Data, FLT_FILE_NAME_OPENED | FLT_FILE_NAME_QUERY_ALWAYS_ALLOW_CACHE_LOOKUP, &fileNameInformation);
We've reviewed the following thread, but that deals with \\.\PhysicalDriveX paths, which I believe gives you access to the volume's partition table and geometry info.
https://community.osr.com/discussion/252484/intercept-raw-disk-access
Any ideas would be much appreciated. Thanks!
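Added example (not the poster's code, and not a driver): a user-mode Python model of why the forms above collapse to one name by the time a minifilter sees them. The DOS-device table is constructed (on a real host it would come from QueryDosDeviceW, and the volume number is invented); the classifier flags the "valid but unusual" syntaxes in any log source that still carries the path string as the caller typed it.

```python
import re

# Constructed DOS-device table (the \?? object directory). On a real host this
# would be filled from QueryDosDeviceW(); the volume number here is invented.
DOS_DEVICES = {
    "c:": "\\Device\\HarddiskVolume3",
    "harddiskvolume3": "\\Device\\HarddiskVolume3",
    "physicaldrive0": "\\Device\\Harddisk0\\DR0",
}

# Prefixes that all resolve to the same \Device\... name at IRP_MJ_CREATE.
PREFIXES = [
    ("\\\\.\\", "dos_device"),     # \\.\HarddiskVolume3\... or \\.\C:\...
    ("\\\\?\\", "win32_file"),     # \\?\C:\... (long-path form, common in legit software)
    ("\\??\\", "nt_dos_devices"),  # \??\C:\... (native NT path into the DOS device directory)
]

def classify(path):
    r"""Return (syntax, remainder-after-prefix) for a path as the caller supplied it."""
    if path.lower().startswith("\\device\\"):
        return "nt_device", path[len("\\device\\"):]
    for prefix, name in PREFIXES:
        if path.startswith(prefix):
            return name, path[len(prefix):]
    if re.match(r"^[A-Za-z]:\\", path):
        return "drive_letter", path
    return "other", path

def normalize(path):
    r"""Resolve to the lower-cased \Device\... name a minifilter sees; None if unknown."""
    syntax, rest = classify(path)
    if syntax == "nt_device":
        return path.lower()
    if syntax == "other":
        return None
    device, _, tail = rest.partition("\\")   # "C:" or "HarddiskVolume3", then the rest
    target = DOS_DEVICES.get(device.lower())
    if target is None:
        return None
    return (target + ("\\" + tail if tail else "")).lower()

def is_raw_device_syntax(path):
    r"""True for the unusual forms the post describes (\\.\, \??\ and \Device\)."""
    return classify(path)[0] in ("dos_device", "nt_dos_devices", "nt_device")

if __name__ == "__main__":
    for p in ["\\\\.\\HarddiskVolume3\\windows\\temp\\devicepath.tst",
              "\\\\.\\C:\\windows\\temp\\devicepath2.tst",
              "C:\\windows\\temp\\devicepath.tst"]:
        print(f"{p:48} raw={str(is_raw_device_syntax(p)):5} -> {normalize(p)}")
```

All three sample paths normalize to the identical \device\harddiskvolume3\... string, which is exactly the view the filter gets, so the distinction has to be recorded before the object manager resolves the name.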