I’m looking at minifilters. I’ve also built TCP client sockets with minifilters and WSK.H, communicating with Python servers. (The reason for this is an agent-based security system implementation project.) Anyway, can minifilters find out the process ID of the browser or downloader program when a file is downloaded through a specific browser or downloader program on the endpoint where the Windows kernel is installed, and saved in the file system?
With heuristics, yes. Almost with certainty.
By any generalization - no.
Thanks! So, how? What API should I build with? (Could you please explain more?)
Do you know what “heuristics” is?
There is no one API, you need to track a lot of I/O and deduce yourself.
So the Python server can receive a minifilter event from the kernel agent and construct logic that the server handles comprehensively! I thought there was a special API…
Yes, but that would be an extremely vague “yes”.
You need to make a minifilter, and some events cannot be received synchronously, but IMO PostOpen/PreCleanup is enough and those can.
Dejan.
So the Python server can receive a mini-filter event from the kernel agent
Thank you for the reply! I will write the code soon in this thread.
OK, I got this problem solved. The API is FltGetRequestorProcessId(); it returns the process ID as a ULONG, and finally I know which process downloaded the file. When I download a file in the Edge browser, this API gives me the Edge browser process ID.
LET’S CHECK
(When I download “ppt.zip” on Edge)
And I can check more on the Python server
https://ibb.co/D44GCjz
< when I DOWNLOAD some file from a Browser Process >
- if TRUE? → " Data->Iopb->Parameters.Create.SecurityContext->DesiredAccess & FILE_WRITE_DATA "?
- if TRUE? → “.crdownload”? or FILE?
- if TRUE? → process id ( FltGetRequestorProcessId(Data) ) is a Browser Process?
all TRUE? (so I can guess) → this " FILE " is " DOWNLOADED (WRITTEN) " from the " Browser "
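The three-way check above, as an added Python example that is not code from the thread: it runs on the Python-server side over IRP_MJ_CREATE events that the kernel agent is assumed to forward as `pid|desired_access_hex|path` lines (a constructed wire format), and assumes the set of browser PIDs comes from the agent's own process tracking.

```python
from dataclasses import dataclass

# FILE_WRITE_DATA bit of a Windows ACCESS_MASK (winnt.h): 0x0002.
FILE_WRITE_DATA = 0x0002
# Partial-download suffix named in the thread (Edge/Chromium); only this one is checked.
PARTIAL_SUFFIX = ".crdownload"


@dataclass(frozen=True)
class CreateEvent:
    """One IRP_MJ_CREATE event as forwarded by the kernel agent (assumed format)."""
    pid: int             # FltGetRequestorProcessId(Data)
    desired_access: int  # Data->Iopb->Parameters.Create.SecurityContext->DesiredAccess
    path: str


def parse_event(line: str) -> CreateEvent:
    """Parse the assumed wire format 'pid|desired_access_hex|path'."""
    pid, access, path = line.rstrip("\n").split("|", 2)
    return CreateEvent(int(pid), int(access, 16), path)


def is_browser_download(ev: CreateEvent, browser_pids: set) -> bool:
    """The three checks from the thread; all of them must hold."""
    wants_write = bool(ev.desired_access & FILE_WRITE_DATA)
    partial_name = ev.path.lower().endswith(PARTIAL_SUFFIX)
    return wants_write and partial_name and ev.pid in browser_pids


def downloaded_files(lines, browser_pids):
    """Return (pid, final_path) for each event classified as a browser download,
    with the partial suffix stripped to give the eventual file name."""
    hits = []
    for line in lines:
        ev = parse_event(line)
        if is_browser_download(ev, browser_pids):
            hits.append((ev.pid, ev.path[: -len(PARTIAL_SUFFIX)]))
    return hits


# Constructed sample events; 4242 stands for an Edge process, 1001 for Explorer.
SAMPLE_EVENTS = [
    "4242|120089|C:\\Users\\u\\Downloads\\old.pdf",             # read-only open
    "4242|120116|C:\\Users\\u\\Downloads\\ppt.zip.crdownload",  # write, partial name
    "4242|120116|C:\\Users\\u\\AppData\\Local\\cache\\data_1",  # write, not a download
    "1001|120116|C:\\Users\\u\\Downloads\\x.zip.crdownload",    # write, but not a browser
]

if __name__ == "__main__":
    print(downloaded_files(SAMPLE_EVENTS, {4242}))
```

Matching on the .crdownload name only sees the partial file; the browser renames it to the final name on completion, so a deployment would also need to follow the rename to tie the PID to the finished file.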
Oh, that’s what you meant.
I overthought the question too much.
i love U!!!