Mini Filter IRP filter!

Driver_Developer · October 1, 2008, 7:09am

I am working with the file system mini filter ‘scanner’ sample which came with the DDK.

In this sample the FLT_OPERATION_REGISTRATION call back are registered for the following IRP:
a… IRP_MJ_CREATE
b… IRP_MJ_CLEANUP
c… IRP_MJ_WRITE
Incase of IRP_MJ_CREATE is there any way to filter out call which are made by:
1… Process Execution
2… File/Folder Creation
3… File Opened for Read
4… File Opened for Write
I guess by looking at this two attributes I can see the file is being accessed for Read and or Write Operation:
Data->Iopb->TargetFileObject->ReadAccess
Data->Iopb->TargetFileObject->WriteAccess

But not able to find a way to check if this file is being Created or Executed.

Will be grateful for any help!

OSR_Community_User · October 1, 2008, 7:16am

Have a look at the create disposition values

Data->Iopb->Parameters.Create.Options

From: xxxxx@lists.osr.com
[mailto:xxxxx@lists.osr.com] On Behalf Of Darshan Singh
Virdi
Sent: 01 October 2008 12:08
To: Windows File Systems Devs Interest List
Subject: [ntfsd] Mini Filter IRP filter!

*** WARNING ***

This mail has originated outside your organization,
either from an external partner or the Global Internet.
Keep this in mind if you answer this message.

I am working with the file system mini filter ‘scanner’ sample which
came with the DDK.

In this sample the FLT_OPERATION_REGISTRATION call back are registered
for the following IRP:

* IRP_MJ_CREATE
* IRP_MJ_CLEANUP
* IRP_MJ_WRITE

Incase of IRP_MJ_CREATE is there any way to filter out call which are
made by:

Process Execution
File/Folder Creation
File Opened for Read
File Opened for Write

I guess by looking at this two attributes I can see the file is being
accessed for Read and or Write Operation:
Data->Iopb->TargetFileObject->ReadAccess
Data->Iopb->TargetFileObject->WriteAccess

But not able to find a way to check if this file is being Created or
Executed.

Will be grateful for any help!

NTFSD is sponsored by OSR

For our schedule debugging and file system seminars
(including our new fs mini-filter seminar) visit:
http://www.osr.com/seminars

You are currently subscribed to ntfsd as: unknown lmsubst tag argument:
‘’
To unsubscribe send a blank email to xxxxx@lists.osr.com

********************************************************************
This email and any attachments are confidential to the intended
recipient and may also be privileged. If you are not the intended
recipient please delete it from your system and notify the sender.
You should not copy it or use it for any purpose nor disclose or
distribute its contents to any other person.
********************************************************************

Driver_Developer · October 1, 2008, 8:14am

Thank you Jonathan for your instant reply!
This is exactly what I was looking for!

Thank you!

Subramanyam_Gurajada · October 1, 2008, 8:27am

I tried to check for Data->IoStatus.Information in PostOperationCallback
function. Here, we will surely know what happened: whether the file is
created or opened.

Data->IoStatus.Information == FILE_CREATED, if new file gets created
Data->IoStatus.Information == FILE_OPENED, if existing file is opened.

-subbu

On Wed, Oct 1, 2008 at 5:44 PM, wrote:

> Thank you Jonathan for your instant reply!
> This is exactly what I was looking for!
>
> Thank you!
>
> —
> NTFSD is sponsored by OSR
>
> For our schedule debugging and file system seminars
> (including our new fs mini-filter seminar) visit:
> http://www.osr.com/seminars
>
> You are currently subscribed to ntfsd as: xxxxx@gmail.com
> To unsubscribe send a blank email to xxxxx@lists.osr.com
>

Driver_Developer · October 1, 2008, 10:57am

Thank you Subramanyam,

Finally I got eveything I need using the following:

Data->Iopb->Parameters.Create.Options
Data->IoStatus.Information
Data->Iopb->Parameters.Create.SecurityContext->DesiredAccess

Thank you guys!

“Subramanyam GV” wrote in message news:xxxxx@ntfsd…
I tried to check for Data->IoStatus.Information in PostOperationCallback function. Here, we will surely know what happened: whether the file is created or opened.

Data->IoStatus.Information == FILE_CREATED, if new file gets created
Data->IoStatus.Information == FILE_OPENED, if existing file is opened.

-subbu

On Wed, Oct 1, 2008 at 5:44 PM, wrote:

Thank you Jonathan for your instant reply!
This is exactly what I was looking for!

Thank you!

—

NTFSD is sponsored by OSR

For our schedule debugging and file system seminars
(including our new fs mini-filter seminar) visit:
http://www.osr.com/seminars

You are currently subscribed to ntfsd as: xxxxx@gmail.com
To unsubscribe send a blank email to xxxxx@lists.osr.com