memory mapped file tracking

I hook into ZwCreateSection, and use SectionHandle to get SectionObject by
ObReferenceObjectByHandle.
How do I get the FileObject for that SectionObject?

Basically, I would like to track user generated memory mapped file objects.

Thanks for your suggestions
-Ramaraj

FileHandle is an argument to ZwCreateSection, just dereference it.
Post-XP look for the filter callback PreAcquireForSectionSynchronization.

Ramaraj Pandian wrote:

I hook into ZwCreateSection, and use SectionHandle to get SectionObject by
ObReferenceObjectByHandle.
How do I get the FileObject for that SectionObject?

Basically, I would like to track user generated memory mapped file objects.

Thanks for your suggestions
-Ramaraj


Nick Ryan (MVP for DDK)