Hi,
I’m having two FILE_OBJECT pointers received by (1) ZwCreateFile and ObReferenceObjectByHandle,
and (2) IMAGE_INFO_EX from image load callback.
I tried to compare the two pointers, but they are always different.
Can’t I compare between the two pointers ?
Comparing its SectionObjectPointer is good enough ?
Of course you can compare two FILE_OBJECT pointers. If they’re different, that means there are two different File Objects, right? So, you have two different open instances of the file that are being referenced. Note that “Flags” value is different between the two.
What are you trying to determine?? That the calls are for the same file? That would not be done using the File Object, because you get a new one for each successful “open” operation. If you’re trying to determine if this is the “same file” (actually, the same STREAM) this is what Mr @Ak87 is referring to when he mentions using the SectionObjectPointers field in the File Object.
Peter