Hi all,
I'm writing a filter driver and want to trace which application opened a specific file.
E.g.: I have a file C:\my.txt, and if anybody opens this file in Notepad or MS Word, I just want to trace that.
Let me know which IRP is to be filtered.
Thanks
At kernel level it's quite not possible to find out which application opens a particular file…
I too was in need of that same thing… but unfortunately it was not possible in minifilters…
I am not sure… whether it's possible to achieve this…
The following discussion that I had previously might help you… to understand why I said it's not possible:
http://www.osronline.com/showthread.cfm?link=161832
>>In kernel level its quite not possible to find out which application opens a particular file…
That means you missed the point by a long distance. In that specific thread you asked about the user, which is not possible, but the process you can check. Start searching for IoThreadToProcess etc. on the internet, in the WDK samples or at OSR.
Thanks
Aditya
As Aditya said, you did not understand the thread. A minifilter or filter can catch create requests, and they will be in the context of the process wanting to create. What you asked for went beyond create, and that is not possible to always track. Now the OP should realize that determining the creator is a lousy security mechanism, if that is what is behind his query; this can be easily spoofed, and there have been a number of discussions of this on this newsgroup.
–
Don Burn (MVP, Windows DDK)
Windows Filesystem and Driver Consulting
Website: http://www.windrvr.com
Blog: http://msmvps.com/blogs/WinDrvr
wrote in message news:xxxxx@ntfsd…
> The following discussion that I had previously might help you… to
> understand why I said it's not possible
>
> http://www.osronline.com/showthread.cfm?link=161832
So, the answer to the OP is that:
in a minifilter, you might want to hook IRP_MJ_CREATE;
you can use ZwQueryProcessInformation() while passing ZwCurrentProcess() as the first parameter (tricky, because there is quite a bit of special-casing for the system process, and the function is undocumented) to figure out where you're running;
if you're a boot driver, you can track process start by subscribing to callbacks from the operating system (http://msdn.microsoft.com/en-us/library/ms802952.aspx); store process information somewhere from your callback, and then in the post- or pre-create use whatever PsGetCurrentProcessId() / PsGetCurrentProcess() returns to walk the above-mentioned somewhere…
… and this http://msdn.microsoft.com/en-us/library/aa488592.aspx will help you get the file names.
Of course you would need some means of communication to user mode to make that all useful. I guess the FileSpy sample in the WDK is a good starting point.
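The process-tracking table the post above sketches ("store process information somewhere from your callback, then walk it from pre-create"), as an added host-side model that is not code from the thread or from the WDK. The real driver would register `ProcessNotify` with `PsSetCreateProcessNotifyRoutine`, fetch the image name with `ZwQueryInformationProcess`, and call `PreCreateTrace` from its IRP_MJ_CREATE pre-operation callback with the PID from `PsGetCurrentProcessId()` and the name from `FltGetFileNameInformation`; here those entry points are plain C functions driven by a constructed event sequence so the lookup logic runs in user mode. The volume name, table size, and the `<untracked process>` marker are assumptions; the spinlock a kernel version needs around the table is omitted because this model is single-threaded. Note the handling of PID reuse: an entry is dropped on the exit notification so a recycled PID is not attributed to a process that has already gone away, and a PID that was never seen (a process started before the driver loaded, which is why the post mentions boot drivers) is reported as untracked rather than guessed.

```c
#include <ctype.h>
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define MAX_TRACKED 64   /* assumption: fixed table; a driver would use a list/hash */
#define NAME_MAX_LEN 260

struct tracked_process {
    bool     in_use;
    uint32_t pid;
    char     image[NAME_MAX_LEN];
};

static struct tracked_process g_table[MAX_TRACKED];

/* The file to watch, in the device-relative form a filter sees rather than
 * C:\my.txt. The volume name is an assumption for the model. */
static const char WATCHED_FILE[]  = "\\Device\\HarddiskVolume1\\my.txt";
static const char UNKNOWN_IMAGE[] = "<untracked process>";

static struct tracked_process *FindSlot(uint32_t pid)
{
    for (int i = 0; i < MAX_TRACKED; i++)
        if (g_table[i].in_use && g_table[i].pid == pid)
            return &g_table[i];
    return NULL;
}

/* Models the PCREATE_PROCESS_NOTIFY_ROUTINE: remember the image name on
 * process creation, forget it on exit so a reused PID starts clean. */
void ProcessNotify(uint32_t pid, const char *image, bool create)
{
    struct tracked_process *slot = FindSlot(pid);
    if (!create) {
        if (slot) slot->in_use = false;
        return;
    }
    if (!slot) {
        for (int i = 0; i < MAX_TRACKED && !slot; i++)
            if (!g_table[i].in_use) slot = &g_table[i];
        if (!slot) return;   /* table full: this PID will be reported as untracked */
    }
    slot->in_use = true;
    slot->pid = pid;
    snprintf(slot->image, sizeof slot->image, "%s", image ? image : "");
}

/* NT object names are case-insensitive by default, so compare that way. */
static bool NameMatches(const char *a, const char *b)
{
    for (; *a && *b; a++, b++)
        if (tolower((unsigned char)*a) != tolower((unsigned char)*b))
            return false;
    return *a == '\0' && *b == '\0';
}

/* Models the IRP_MJ_CREATE pre-operation callback. Returns NULL when the
 * create is not for the watched file (nothing to trace), otherwise the image
 * name of the opening process, or UNKNOWN_IMAGE if that PID was never seen.
 * The caller only records this; as the thread warns, an image name is not a
 * security boundary and must not be used to grant or deny access. */
const char *PreCreateTrace(uint32_t pid, const char *file_name)
{
    if (!NameMatches(file_name, WATCHED_FILE))
        return NULL;
    const struct tracked_process *p = FindSlot(pid);
    return p ? p->image : UNKNOWN_IMAGE;
}

int main(void)
{
    /* Constructed event sequence standing in for the kernel callbacks. */
    const char *notepad = "\\Device\\HarddiskVolume1\\Windows\\System32\\notepad.exe";
    const char *winword = "\\Device\\HarddiskVolume1\\Program Files\\Microsoft Office\\WINWORD.EXE";
    const char *who;

    ProcessNotify(1234, notepad, true);
    who = PreCreateTrace(1234, "\\Device\\HarddiskVolume1\\MY.TXT");
    printf("pid 1234 opened watched file: %s\n", who);

    ProcessNotify(1234, NULL, false);           /* notepad exits */
    ProcessNotify(1234, winword, true);         /* PID 1234 is reused by Word */
    who = PreCreateTrace(1234, WATCHED_FILE);
    printf("pid 1234 opened watched file: %s\n", who);

    who = PreCreateTrace(4, WATCHED_FILE);      /* never reported by the callback */
    printf("pid 4 opened watched file: %s\n", who);
    return 0;
}
```

Because every lookup is keyed only by PID, correctness depends entirely on receiving every exit notification; a driver that registers its callback late, or that can miss notifications, should treat a hit as "probably" rather than "certainly" that image.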
Hello folks!
I'm new to filters and up to now I have worked only with legacy filters.
Well, and how about the IRP structure, the field Tail.Overlay.Thread?
Isn't it a pointer to the thread that originated the IRP, or am I wrong?
Using this, isn't it possible to get the information required?
>Well, and how about the IRP structure, the field Tail.Overlay.Thread?
>Isn't it a pointer to the thread that originated the IRP, or am I wrong?
I think there is a documented IoGetRequestorProcess.
–
Maxim S. Shatskih
Windows DDK MVP
xxxxx@storagecraft.com
http://www.storagecraft.com
Just use PsGetCurrentProcess. When your filter knows the current read/write operation is on the file which you want to monitor, call PsGetCurrentProcess. The routine returns a pointer to the process of the current thread.