hi,
i’m writing a filter fsd.
how can i tell if the file was mapped into memory by the user application.
thanks,
amir
hi,
i’m writing a filter fsd.
how can i tell if the file was mapped into memory by the user application.
thanks,
amir
In FILE_OBJECT->FsContext which points to the “common header
(FSRTL_COMMON_FCB_HEADER)”, you can check the Flags attribute for a
FSRTL_FLAG_USER_MAPPED (0x20) value. This is what I was using to see if the
file in question is memory mapped.
FSRTL_FLAG_USER_MAPPED is a #define in ntifs.h
mkr
hi,
i’m writing a filter fsd.
how can i tell if the file was mapped into memory by the user application.
thanks,
amir
b???m???>*??zf?-?%y??z??w~??
)b??(??(
>i’m writing a filter fsd.
how can i tell if the file was mapped into memory by the user application.
Check for FSRTL_FLAG_USER_MAPPED_FILE in FSRTL_COMMON_FCB_HEADER flags.
Max