file monitoring question

Hi people,

I would like to create a file monitoring FS filter / minifilter
driver; my problem is that I would need to monitor the changes
(writes) to a file, and I don’t know how to do this in the case of
memory-mapped file access; I found the following in the IFS Kit docs:

“Memory Mapped Files in a File System Filter Driver
A file system filter driver must be cognizant of the fact that files may
be accessed via virtual memory mappings of the files,
rather than via the read and write paths. A file system filter driver
monitoring changes in the file will miss changes to such files.
A number of techniques for dealing with this are discussed in the IFS
documentation in the WDK.”

Maybe I am just ignorant, but I couldn’t find those techniques and their
discussion; could somebody tell me where to
look for them? Some tips / ideas on how I could accomplish write monitoring
on memory-mapped file I/O?

thank you very much,
have a nice day,

Sandor LUKACS
jr. Virus Analyst, SOFTWIN


This message was scanned for spam and viruses by BitDefender.
For more information please visit http://www.bitdefender.com/

It is not that difficult. While the file is closed, the Memory Manager
retains a handle to the file that can be written to via paging I/Os. You
have to remember the FsContext or filename. I haven’t looked at this in a
while, but use minispy to see how it works when you write a test app to do
the same thing, or just use Notepad. A lot of this is not documented except
in a general way, and you have to experiment and test to find out how it will
work. Don’t forget that Vista will have a transactional file system that
will make this even more difficult, because changes could be undone at any
time before a commit has been made.

“Sandor LUKACS” wrote in message
news:xxxxx@ntfsd…
> Hi people,
>
> I would like to create a file monitoring FS filter / minifilter driver;
> my problem is that I would need to monitor the changes
> (writes) to a file, and I don’t know how to do this in the case of
> memory-mapped file access; I found the following in the IFS Kit docs:
>
> “Memory Mapped Files in a File System Filter Driver
> A file system filter driver must be cognizant of the fact that files may
> be accessed via virtual memory mappings of the files,
> rather than via the read and write paths. A file system filter driver
> monitoring changes in the file will miss changes to such files.
> A number of techniques for dealing with this are discussed in the IFS
> documentation in the WDK.”
>
> Maybe I am just ignorant, but I couldn’t find those techniques and their
> discussion; could somebody tell me where to
> look for them? Some tips / ideas on how I could accomplish write monitoring
> on memory-mapped file I/O?
>
> thank you very much,
> have a nice day,
>
> Sandor LUKACS
> jr. Virus Analyst, SOFTWIN
>
>
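A user-mode probe of the kind the reply suggests: a test app that changes a file only through a memory mapping, so a filter watching the normal write path sees nothing from this process, and the modification arrives later as paging I/O from the Memory Manager. This is an added example, not code from the thread; it assumes PowerShell on Windows with the .NET MemoryMappedFile API, and the file path is a placeholder.

```powershell
# Added example: modify a file ONLY through a memory mapping, never via WriteFile.
# Run with minispy (or any logging filter) attached to the volume and compare what
# the filter sees with what this script does. The path is a placeholder.
param([string]$Path = "$env:TEMP\mmap-probe.txt")

# 1. Create the file with an ordinary cached write so it has a known size
#    (this one DOES go through the normal IRP_MJ_WRITE path).
$initial = [System.Text.Encoding]::ASCII.GetBytes("ORIGINAL CONTENT" + ("." * 4080))
[System.IO.File]::WriteAllBytes($Path, $initial)

# 2. Map the file and change it through the view only. No write request is
#    issued by this process; the dirty pages now belong to the Memory Manager.
$mmf  = [System.IO.MemoryMappedFiles.MemoryMappedFile]::CreateFromFile(
            $Path, [System.IO.FileMode]::Open)
$view = $mmf.CreateViewAccessor(0, $initial.Length)
$patch = [System.Text.Encoding]::ASCII.GetBytes("MODIFIED")
for ($i = 0; $i -lt $patch.Length; $i++) {
    $view.Write([long]$i, [byte]$patch[$i])
}

# 3. Flush pushes the dirty pages to disk now: the filter sees a write with
#    IRP_PAGING_IO set, on a file object that is not this script's handle.
#    Comment this line out to let the lazy writer do it instead, possibly after
#    the handle below is already closed -- the case the reply describes, and why
#    the filter must key on FsContext or the name rather than on the handle.
$view.Flush()

# 4. Tear down the user-mode handle. The file stays referenced by the Memory
#    Manager until all dirty pages have been written back.
$view.Dispose()
$mmf.Dispose()

# 5. Confirm from a fresh handle that the mapped write really landed on disk.
$check = [System.IO.File]::ReadAllBytes($Path)
$head  = [System.Text.Encoding]::ASCII.GetString($check, 0, 8)
if ($head -ne "MODIFIED") { throw "mapped write not visible on disk: got '$head'" }
"Mapped write landed; look in the filter log for paging writes to $Path"
```

Running it twice, once with the Flush and once without, shows the difference between a paging write that happens while a handle is still open and one the lazy writer issues after the last user-mode handle is gone.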