I am writing my first filter driver. I have been using TFILTER as a model,
with sideways glances at FileMon.
TFILTER uses the undoc’d API IoRegisterFsRegistrationChange() to find out
when a file system [un]registers itself, then filters traffic to that
system.
I have noticed that I am unable to detect registration of network file
systems - in fact, I am unsure what to be looking for (I do get the MUP
registration). This means I never filter network drives(yes I did take out
the trap for FILE_DEVICE_DISK_FILE_SYSTEM in TFILTER).
NtFileMon takes the approach of loading relatively late, searching for
partition info for all existing drives, getting the driver, then filtering
traffic through the driver. That is fine IF you have a network drive
mapped : FILMON will find the logical partition in the registry, fetch a
pointer to the driver, and trap all changes passing through that driver.
Fair enuf UNLESS you do not have ANY net drives mapped when you start
FILEMON, in which case network drives mapped later are not detected. This
would seem to be a bug in FILEMON.
So, how do I detect and filter network drives without fail?
Pointers to examples gratefully acknowledged.