Hi all,
I’m trying to write a minifilter that will track file I/O for a specific directory. The directory will be passed in via either an ioctl (IRP_MJ_DEVICE_CONTROL) or via a communications port. My question is: in the minifilter code, how would I parse the directory that’s passed in? I assume that the user-mode code will first convert the DOS directory name (e.g. C:\myDirectory) to a form such as \??\C:\myDirectory. I’m hoping to be able to canonicalize the name somehow to a format like \Device\HardDisk1\myDirectory. Then, on creates, I can canonicalize the path given to the creation to ensure I catch symlinks and hardlinks, etc.
But, from IRP_MJ_DEVICE_CONTROL, it seems that I can’t use FltGetFileNameInformation. I’m passing in the path as part of the payload in the ioctl as a UNICODE_STRING, and FltGetFileNameInformation needs a FLT_CALLBACK_DATA structure in order to work. Is there a different function I can call to canonicalize the path?
Finally – I’m still pretty bewildered/confused by the sheer number of ways to refer to a directory in Windows. Am I going to be writing a ton of convoluted code to determine if a path really refers to the directory, or is there a way to truly canonicalize a local path unambiguously?
Thanks!