I’m trying to write a simple spy-like minifilter that records the IP address of a user looking at a file. I think I remember reading that this can’t be done, but that’s never stopped me from trying before.
I know in the IRP_MJ_CREATE we can get to the SID of the calling user via the ACCESS_STATE member. And SeQueryInformationToken can query for the TokenSource type to get a hint of the source (“Session Manager”, “LAN Manager”, “RPC Server”). That’s a hint, but not really what I’m after.
I’ve searched and haven’t found any sort of call that would give a calling context (other than process/thread/SID), which might be why it’s impossible. My assumption is that the only way this is possible at all would be to have a file system driver and some sort of network filter driver. The network filter driver would somehow store information about requests coming in (maybe by SID and thread ID?) that the file system driver could use to look up other info the network filter has recorded. Yuck! Is that the only way?
I’m interested in any opinions.
Thanks
Doug
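As an added example (not code from the original post or from any answer to it), here is a minifilter pre-create callback that pulls out the two pieces of caller context the post mentions: the caller's SID from the ACCESS_STATE hanging off IRP_MJ_CREATE, and the token source via SeQueryInformationToken. It assumes a WDK build with fltKernel.h; the callback name, the log format and the Callbacks array are illustrative, and wiring it into FLT_REGISTRATION/DriverEntry is left to the reader.

```c
// Added example, not from the original post. Minifilter pre-create callback
// that logs the calling user's SID and the token source for every open.
// Assumes a WDK build; PreCreateLogCaller and the log text are illustrative.
#include <fltKernel.h>

FLT_PREOP_CALLBACK_STATUS
PreCreateLogCaller(
    _Inout_ PFLT_CALLBACK_DATA Data,
    _In_ PCFLT_RELATED_OBJECTS FltObjects,
    _Flt_CompletionContext_Outptr_ PVOID *CompletionContext)
{
    UNREFERENCED_PARAMETER(FltObjects);
    UNREFERENCED_PARAMETER(CompletionContext);

    // IRP_MJ_CREATE carries the caller's ACCESS_STATE. Its subject context
    // holds the primary token and, if the caller is impersonating (for
    // example a server thread acting for a remote user), the client token;
    // SeQuerySubjectContextToken picks the client token when one is present.
    PACCESS_STATE accessState =
        Data->Iopb->Parameters.Create.SecurityContext->AccessState;
    PACCESS_TOKEN token =
        SeQuerySubjectContextToken(&accessState->SubjectSecurityContext);

    // Caller's SID. SeQueryInformationToken allocates the result from paged
    // pool (pre-create runs at PASSIVE_LEVEL, so that is fine) and the caller
    // must free it with ExFreePool.
    PTOKEN_USER tokenUser = NULL;
    NTSTATUS status = SeQueryInformationToken(token, TokenUser, (PVOID *)&tokenUser);
    if (NT_SUCCESS(status)) {
        UNICODE_STRING sidString;
        if (NT_SUCCESS(RtlConvertSidToUnicodeString(&sidString,
                                                    tokenUser->User.Sid,
                                                    TRUE))) {
            // FileName here is the name exactly as the caller passed it (it
            // may be relative to RelatedFileObject); use
            // FltGetFileNameInformation if you need a normalized path.
            DbgPrint("create by %wZ (pid %p, tid %p): %wZ\n",
                     &sidString,
                     PsGetCurrentProcessId(),
                     PsGetCurrentThreadId(),
                     &Data->Iopb->TargetFileObject->FileName);
            RtlFreeUnicodeString(&sidString);
        }
        ExFreePool(tokenUser);
    }

    // Token source: an 8-byte name set by whoever created the token
    // (the logon package, "Session Manager", etc.). SourceName is NOT
    // NUL-terminated, so print it with a fixed width.
    PTOKEN_SOURCE source = NULL;
    status = SeQueryInformationToken(token, TokenSource, (PVOID *)&source);
    if (NT_SUCCESS(status)) {
        DbgPrint("  token source: \"%.8s\"\n", source->SourceName);
        ExFreePool(source);
    }

    return FLT_PREOP_SUCCESS_NO_CALLBACK;
}

// Register the callback for IRP_MJ_CREATE only; point
// FLT_REGISTRATION.OperationRegistration at this array.
const FLT_OPERATION_REGISTRATION Callbacks[] = {
    { IRP_MJ_CREATE, 0, PreCreateLogCaller, NULL },
    { IRP_MJ_OPERATION_END }
};
```

Two things worth checking when you run this: the SID you get for a file opened over the network is the remote user's, because the server thread performing the create impersonates that user, but neither the token nor the ACCESS_STATE carries any address information, which is exactly the gap the post describes; and SourceName is the same 8-character field the post calls TokenSource, so compare it with memcmp against a padded literal rather than with a string function.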