reduced code
typedef struct _FILEFILTER_DATA {
PFILE_OBJECT bitmapFileObject;
PVOID sectionBitmapAdr;
HANDLE bitmapFileHandle;
RTL_BITMAP volumeBitmap;
HANDLE sectionHandle;
PFLT_FILTER Filter;
} FILEFILTER_DATA, *PFILEFILTER_DATA;
AAFILEFILTER_DATA filterData;
LARGE_INTEGER MySize = { 0x9000 };
SIZE_T mappedSize = 0; // will receive the actual page-aligned size
DriverEntry (…)
{
status = FltRegisterFilter( DriverObject,
&FilterRegistration,
&filterData.Filter);
const UNICODE_STRING Filename = RTL_CONSTANT_STRING(L"\Device\HarddiskVolume1\temp\ChangesBitmap.txt");
InitializeObjectAttributes(&objectAttributes,
&Filename,
OBJ_KERNEL_HANDLE,
NULL,
NULL);
status = FltCreateFileEx(filterData.Filter,
NULL,
&filterData.bitmapFileHandle,
&filterData.bitmapFileObject,
FILE_WRITE_DATA | FILE_APPEND_DATA,
&objectAttributes,
&ioStatus,
(PLARGE_INTEGER)NULL,
FILE_ATTRIBUTE_NORMAL,
FILE_SHARE_READ,
FILE_OPEN_IF,
FILE_NON_DIRECTORY_FILE | FILE_RANDOM_ACCESS,
(PVOID)NULL,
0L,
IO_IGNORE_SHARE_ACCESS_CHECK);
status = ZwCreateSection(&filterData.sectionHandle,
SECTION_ALL_ACCESS,
NULL,
&MySize, //Clusters in volume
PAGE_READWRITE,
SEC_COMMIT,
filterData.bitmapFileHandle);
status = ZwMapViewOfSection(filterData.sectionHandle,
ZwCurrentProcess(),
&filterData.sectionBitmapAdr,
0,
0,
0,
&mappedSize,
ViewUnmap,
0,
PAGE_READWRITE);
InitializeBitMap(&filterData.volumeBitmap, filterData.sectionBitmapAdr, (ULONG)mappedSize);
}
FLT_PREOP_CALLBACK_STATUS FileFilterPreOperation (…)
{
//If i move all initialization from Driver Entry Here - all works
RtlSetBits(&filterData.volumeBitmap, 0, 20);
}