How to get File Context by File path

jack_jahan-2 · November 22, 2016, 8:11am

I want to get file context from type “FLT_FILE_CONTEXT” by file path.
FltGetFileContext required two parameter :
In PFLT_INSTANCE Instance,
In PFILE_OBJECT FileObject,

How I must generate these input parameters?
FltCreateFile/ZwCreateFile/ does not get these parameters in output parameters:

NTSTATUS FltCreateFile(
In PFLT_FILTER Filter,
In_opt PFLT_INSTANCE Instance,
Out PHANDLE FileHandle,
In ACCESS_MASK DesiredAccess,
In POBJECT_ATTRIBUTES ObjectAttributes,
Out PIO_STATUS_BLOCK IoStatusBlock,
In_opt PLARGE_INTEGER AllocationSize,
In ULONG FileAttributes,
In ULONG ShareAccess,
In ULONG CreateDisposition,
In ULONG CreateOptions,
In_opt PVOID EaBuffer,
In ULONG EaLength,
In ULONG Flags
);

tanks for any recommendation.

Slava_Imameev · November 22, 2016, 8:49am

FltCreateFile gets PFLT_INSTANCE as an input parameter so you have it if you are going to call FltCreateFile.

To retrieve file object from handle use ObReferenceObjectByHandle .

jack_jahan-2 · November 23, 2016, 3:26am

In another way, I want to generate these object only when having file path:
In PFLT_INSTANCE Instance,
In PFILE_OBJECT FileObject

ObReferenceObjectByHandle does not return these parameters! how i can get it from “*Object” by ObReferenceObjectByHandle

NTSTATUS ObReferenceObjectByHandle(
In HANDLE Handle,
In ACCESS_MASK DesiredAccess,
In_opt POBJECT_TYPE ObjectType,
In KPROCESSOR_MODE AccessMode,
Out PVOID *Object,
Out_opt POBJECT_HANDLE_INFORMATION HandleInformation
);

anatoly_mikhailov · November 23, 2016, 3:37am

As Slava already said,
ObReferenceObjectByHandle routine returns FILE_OBJECT pointer in Object
function argument.

23 нояб. 2016 г. 11:26 AM пользователь написал:
>
> In another way, I want to generate these object only when having file
path:
> In PFLT_INSTANCE Instance,
> In PFILE_OBJECT FileObject
>
> ObReferenceObjectByHandle does not return these parameters! how i can get
it from “*Object” by ObReferenceObjectByHandle
>
> NTSTATUS ObReferenceObjectByHandle(
> In HANDLE Handle,
> In ACCESS_MASK DesiredAccess,
> In_opt POBJECT_TYPE ObjectType,
> In KPROCESSOR_MODE AccessMode,
> Out PVOID *Object,
> Out_opt POBJECT_HANDLE_INFORMATION HandleInformation
> );
>
> —
> NTFSD is sponsored by OSR
>
>
> MONTHLY seminars on crash dump analysis, WDF, Windows internals and
software drivers!
> Details at http:
>
> To unsubscribe, visit the List Server section of OSR Online at <
http://www.osronline.com/page.cfm?name=ListServer></http:>

jack_jahan-2 · November 23, 2016, 3:48am

tanks for yours replay
but PFLT_INSTANCE Instance?

anatoly_mikhailov · November 23, 2016, 3:55am

From FltObjects pointer of preoperation callback for example.

23 нояб. 2016 г. 11:47 AM пользователь написал:

> tanks for yours replay
> but PFLT_INSTANCE Instance?
>
> —
> NTFSD is sponsored by OSR
>
>
> MONTHLY seminars on crash dump analysis, WDF, Windows internals and
> software drivers!
> Details at http:
>
> To unsubscribe, visit the List Server section of OSR Online at <
> http://www.osronline.com/page.cfm?name=ListServer>
></http:>