I have read many posts and articles from this site and it has helped me tremendously.
I am a new mini filter (mf) developer writing a mf driver which filters requests to read or write files within specific folders on non-network volumes and makes a decision to allow or not. Since an open can result in a file being modified (truncated), I have a PreCreate (IRP_MJ_CREATE) callback. Hardlink creation and renames do not come through PreCreate so I filter those with a PreSetInformation (IRP_MJ_SET_INFORMATION) callback .
So I am only filtering on PreCreate and PreSetInformation on requests that can either lead to a read or write of the file contents -or- a write of security info such as the DAC or owner (read of file attributes is always allowed). I use PFLT_CALLBACK_DATA->Iopb->Parameters.Create.SecurityContext->DesiredAccess to check what access is being requested and FltGetFileNameInformation, FltGetDestinationFileNameInformation (PreSetInformation only) to get the normalized path being accessed.
My general concern is, are there cases that I am missing.
Specific questions:
- Other than hardlink creation and renames, must a request to read or write a file be preceded by an open and so I will see it in my PreCreate callback?
- I have read on some old posts that the FltGetFileNameInformation and FltGetDestinationFileNameInformation functions may be unreliable. If this is still the case, what scenarios may I not obtain a valid filename?
- Can I rely on the DesiredAccess field on PreCreate to determine the level of access being requested?
- I know this is a complex area so is there anything beyond what I've asked that you think I should be aware of?
Any feedback is appreciated.