I need the filename of the file being opened on the volume in the application calling the mini filter driver. The mini filter driver is being used almost as is from the WinDDK sample. I added two new fields to the SCANNER_NOTIFICATION structure:
wchar_t FileName[100] and ULONG FileNameSize;
I used FltGetFileNameInformation to get the nameInfo.
Then I did the following:
As has been said on this newsgroup many times, the file name areas of a
create are only valid in pre-create. No guarantees at any other time or for
any other request.
wrote in message news:xxxxx@ntfsd…
> I need the filename of the file being opened on the volume in the
> application calling the mini filter driver. The mini filter driver is being
> used almost as is from the WinDDK sample. I added two new fields to the
> SCANNER_NOTIFICATION structure:
> wchar_t FileName[100] and ULONG FileNameSize;
>
> I used FltGetFileNameInformation to get the nameInfo.
> Then I did the following:
>
> notification.FileNameSize = nameInfo->Name.Length;
> RtlCopyMemory(&notification.FileName,
> nameInfo->Name.Buffer,nameInfo->Name.Length) ;
>
> But when I print the file name and file name size in the user app, they
> are both empty.
>
> What am I missing?
>
> I also tried to get the file name from the FltReadFile() call, but I see
> similar results.
I declared a global FileName and FileSize and used FltGetFileNameInformation in PreCreate() to populate this. Then, in post create function, I copied this value into my notification filename and
filesize field. However, I still don't get the correct filename or file size in the user space.
I am trying to copy the file to a USB drive(F:) and that is the file I am trying to capture and scan.
This is the output I get:
Received message, size 2076
Scanning the file of size -68052935
Replying message, SafeToOpen: 1
Replied message
Retrieve Message
Received message, size 2076
Scanning the file of size 0
Replying message, SafeToOpen: 1
Replied message
Get messages off the queue
Retrieve Message
Received message, size 2076
Scanning the file of size -68052935
Replying message, SafeToOpen: 1
Replied message
Get messages off the queue
Retrieve Message
Received message, size 2076
Scanning the file \Device\Harddisk1\DP(1)0-0+5???? of size 58
Replying message, SafeToOpen: 1
Replied message
Get messages off the queue
Retrieve Message
Received message, size 2076
Scanning the file \Device\Harddisk1\DP(1)0-0+5???? of size 58
Replying message, SafeToOpen: 1
Replied message
Get messages off the queue
Retrieve Message
Received message, size 2076
Scanning the file \Device\Harddisk1\DP(1)0-0+5???? of size 58
Why don’t you run windbg and see what is there and where you didn’t handle
it properly. Please add a few hundred more globals - NOT! No wonder this
doesn’t work.
wrote in message news:xxxxx@ntfsd…
Thanks for the reply, David.
I declared a global FileName and FileSize and used FltGetFileNameInformation in PreCreate() to populate this. Then, in post create function, I copied this value into my notification filename and filesize field. However, I still don't get the correct filename or file size in the user space.
I am trying to copy the file to a USB drive(F:) and that is the file I am trying to capture and scan.
This is the output I get:
Received message, size 2076
Scanning the file of size -68052935
Replying message, SafeToOpen: 1
Replied message
Retrieve Message
Received message, size 2076
Scanning the file of size 0
Replying message, SafeToOpen: 1
Replied message
Get messages off the queue
Retrieve Message
Received message, size 2076
Scanning the file of size -68052935
Replying message, SafeToOpen: 1
Replied message
Get messages off the queue
Retrieve Message
Received message, size 2076
Scanning the file \Device\Harddisk1\DP(1)0-0+5???? of size 58
Replying message, SafeToOpen: 1
Replied message
Get messages off the queue
Retrieve Message
Received message, size 2076
Scanning the file \Device\Harddisk1\DP(1)0-0+5???? of size 58
Replying message, SafeToOpen: 1
Replied message
Get messages off the queue
Retrieve Message
Received message, size 2076
Scanning the file \Device\Harddisk1\DP(1)0-0+5???? of size 58
In addition to the other answers, I think that as the filename is a
UNICODE_STRING you should not expect it to be null terminated, and if
you use RtlCopyMemory to get a copy you should add a null on the end.
In case it is helpful, you can sprintf a UNICODE_STRING struct with %wZ:
Thanks for your feedback, David. I don't have administrative permissions to capture kernel logging on my machine which is why I am passing parameters up to the user land for debug.
Also the globals are again for test purposes.
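The thread's point about counted, unterminated UNICODE_STRING names, shown as an added example that is not code from any poster or from the WDK sample: a length-clamped, always-terminated copy into a fixed `FileName[100]` field. It is a user-mode model so it compiles outside the WDK; `WCHAR16`, `COUNTED_STR`, `NAME_FIELDS`, `copy_name`, `demo` and `g_out` are hypothetical stand-ins, and the sample name is constructed.

```c
#include <stdint.h>
#include <string.h>

/* Stand-ins (assumption): WCHAR16 models the 16-bit WCHAR; COUNTED_STR
   models UNICODE_STRING, whose Length is in BYTES and whose Buffer is
   not guaranteed to be null-terminated. */
typedef uint16_t WCHAR16;
typedef struct {
    uint16_t Length;          /* bytes in use, no terminator counted */
    uint16_t MaximumLength;   /* bytes allocated */
    const WCHAR16 *Buffer;
} COUNTED_STR;

#define NAME_CHARS 100        /* matches FileName[100] from the post */
typedef struct {              /* hypothetical: only the two added fields */
    uint32_t FileNameSize;    /* bytes copied, terminator excluded */
    WCHAR16  FileName[NAME_CHARS];
} NAME_FIELDS;

/* Returns 1 if the whole name fit, 0 if truncated, -1 on bad input.
   The destination is always zero-filled and null-terminated. */
int copy_name(NAME_FIELDS *out, const COUNTED_STR *name)
{
    const size_t max_bytes = (NAME_CHARS - 1) * sizeof(WCHAR16);
    size_t full, n;

    if (out == NULL || name == NULL) return -1;
    memset(out, 0, sizeof(*out));   /* no stale bytes reach user mode */
    if (name->Buffer == NULL || name->Length == 0) return -1;

    full = name->Length & ~(size_t)1;      /* whole 16-bit chars only */
    n = full > max_bytes ? max_bytes : full; /* never trust Length alone */
    memcpy(out->FileName, name->Buffer, n);
    out->FileName[n / sizeof(WCHAR16)] = 0;
    out->FileNameSize = (uint32_t)n;
    return n == full ? 1 : 0;
}

/* Constructed sample: a name of `chars` 'A' characters, unterminated. */
static WCHAR16 sample[300];
NAME_FIELDS g_out;
int demo(uint16_t chars)
{
    COUNTED_STR s;
    for (int i = 0; i < 300; i++) sample[i] = 'A';
    s.Length = s.MaximumLength = (uint16_t)(chars * sizeof(WCHAR16));
    s.Buffer = sample;
    return copy_name(&g_out, &s);
}
```

A device path longer than 99 characters is reported as truncated rather than written past the end of the field, which is the case the unbounded `RtlCopyMemory` in the question does not handle.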