I hook into ZwCreateSection, and use SectionHandle to get SectionObject by
ObReferenceObjectByHandle.
How do I get the FileObject for that SectionObject?
Basically, I would like to track user generated memory mapped file objects.
Thanks for your suggestions
-Ramaraj
? FileHandle is an argument to ZwCreateSection, just dereference it.
Post-XP look for the filter callback PreAcquireForSectionSynchronization.
Ramaraj Pandian wrote:
I hook into ZwCreateSection, and use SectionHandle to get SectionObject by
ObReferenceObjectByHandle.
How do I get the FileObject for that SectionObject?
Basically, I would like to track user generated memory mapped file objects.
Thanks for your suggestions
-Ramaraj
--
Nick Ryan (MVP for DDK)