How to know which type does FILE_OBJECT correspond to? (file, directory, or others)?

Hi all:
I’m quite new to the file system filter driver development. Part of my project is to monitor the file read/write operations to a volume.
Currently my filter is able to catch the IRP_MJ_READ packets and get the filename from the FILE_OBJECT; however, it seems both directories and files are FILE_OBJECTs.
Given a FILE_OBJECT, how can I tell which types of actual objects it refers to? Is it a file, directory or volume?
If this question has been posted before (and it’s likely to be), can just give me a link?

I have tried to explore the struct:

typedef struct _FILE_OBJECT {
    CSHORT Type;
    CSHORT Size;
    PDEVICE_OBJECT DeviceObject;
    PVPB Vpb;
    PVOID FsContext;
    PVOID FsContext2;
    PSECTION_OBJECT_POINTERS SectionObjectPointer;
    PVOID PrivateCacheMap;
    NTSTATUS FinalStatus;
    struct _FILE_OBJECT *RelatedFileObject;
    BOOLEAN LockOperation;
    BOOLEAN DeletePending;
    BOOLEAN ReadAccess;
    BOOLEAN WriteAccess;
    BOOLEAN DeleteAccess;
    BOOLEAN SharedRead;
    BOOLEAN SharedWrite;
    BOOLEAN SharedDelete;
    ULONG Flags;
    UNICODE_STRING FileName;
    LARGE_INTEGER CurrentByteOffset;
    ULONG Waiters;
    ULONG Busy;
    PVOID LastLock;
    KEVENT Lock;
    KEVENT Event;
    PIO_COMPLETION_CONTEXT CompletionContext;
} FILE_OBJECT;

and print out a few elements inside. But obviously the Type element cannot help me because it is always 5… Am I wrong?

Thanks,

Cheng

this might not be a complete answer, but some hints/observations:

  1. you can’t just take FileName from FILE_OBJECT inside processing an IRP_MJ_READ, it might be invalid; you shall take it on processing IRP_MJ_CREATE, then keep it somewhere (maybe in a stream context)
  2. why are you writing a legacy filter and not a minifilter? (just a suggestion, you shall consider writing a minifilter)
  3. I don’t really know a clear method to detect the file / directory issue, but you can open the file, then use ZwQueryInformationFile with FileStandardInformation to detect if a file is a directory or not; also, you can / shall store this in a stream context, so you need to query this info only once
    (but there might be better solutions)

Alex

> But obviously the Type element cannot help me because it is always 5… Am I wrong?

No, you are correct. The “type” field does not tell anything about file/directory; it actually tells the type of the object (which is FILE_OBJECT, thus 5).

> I’m quite new to the file system filter driver development. Part of my project is to monitor the file read/write operations to a volume.

There’s a complete project in the WDK, called FileSpy, which does exactly the work you need.

> Currently my filter is able to catch the IRP_MJ_READ packets and get the filename from the FILE_OBJECT; however, it seems both directories and files are FILE_OBJECTs.

Yes. Also volumes have their FILE_OBJECT.

L.

Thanks for your replies. I have just tried to use FastIoQueryStandardInfo to check the FileStandardInfo->Directory variable. It works…

there is a way, but I’m not sure it can work in NTFS.
PFSRTL_COMMON_FCB_HEADER pFileHeader = (PFSRTL_COMMON_FCB_HEADER) pFileObject->FsContext;
if (pFileHeader->NodeTypeCode == FAT_NTC_DCB) { /* Directory */ }
else if (pFileHeader->NodeTypeCode == FAT_NTC_FCB) { /* File */ }

Only for the Microsoft’s FAT 32 FSD. Not portable.
Other FSDs use another code, some never initialize this field.

Slava Imameyev, xxxxx@hotmail.com

wrote in message news:xxxxx@ntfsd…
> there is a way,but I’m not sure it can work in NTFS.
> pFileHeader = (PFSRTL_COMMON_FCB_HEADER) pFileObject->FsContext;
> if (pFileHeader->NodeTypeCode == FAT_NTC_DCB) //Directory
> if (pFileHeader->NodeTypeCode == FAT_NTC_FCB) //File
>