We have a working filter driver (not a minifilter driver), developed some years ago, and handle IRP_MJ_CREATE as well as IRP_MJ_CLEANUP on our own. IRP_MJ_WRITE, IRP_MJ_READ and IRP_MJ_CLOSE are hooked as well but currently not used, as our needs are handled fine in CREATE and CLEANUP.
What we are looking for at the moment is getting informed when someone tries to open a physical device directly like with
    #include <windows.h>

    // Open the first physical disk directly. Desired access is 0, so only
    // device attributes are requested; the path must be escaped in C source.
    HANDLE hDevice = CreateFileW(L"\\\\.\\PhysicalDrive0",
                                 0,
                                 FILE_SHARE_READ | FILE_SHARE_WRITE,
                                 NULL,
                                 OPEN_EXISTING,
                                 0,
                                 0);
or in general reads/writes disk sectors directly.
What I tried so far was using the FileObject obtained from the current IRP stack location in the IRP_MJ_CREATE callback and looking over its members for something useful.
Unfortunately I was only able to get the name of the associated mounted device, by using VPB->RealDevice, which gives me something like \Device\HarddiskVolume1 when querying with ObQueryNameString.
And the FileName contained in the UNICODE_STRING associated with the FileObject, which gives me something like \Windows\system32\, e.g.:
    NTSTATUS Irp_Mj_Create_CB(PDEVICE_OBJECT HookDevice,
                              IN PIRP Irp,
                              PIO_STACK_LOCATION currentIrpStack,
                              PIO_STACK_LOCATION nextIrpStack)
    {
        // File object of the object being opened; its FileName holds the
        // path relative to the volume (e.g. \Windows\system32\).
        PFILE_OBJECT fileObject = currentIrpStack->FileObject;
        // …
    }
I'm still new to Windows file drivers, but I thought IRP_MJ_CREATE should be sent down also if someone opens a raw volume, and that it also has a valid FileObject passed in containing the volume's path.
Interestingly, when I opened \\.\PhysicalDrive0 with my test program, our driver was not notified about it, or at least the FileName was empty.
So, to my question:
Is there any chance of finding out whether PhysicalDrive0 was accessed directly by examining the FileObject in IRP_MJ_CREATE?
What would someone do in general to intercept raw disk access when being a filter driver (i.e. not being at the bottom of the driver stack)?
Thanks for any suggestions.