NtCreateFile call not received for shared folder!

Hello Everyone,

I have a kernel driver where I have hooked ZwCreateFile. After hooking, I receive all calls in my function for calls that are made by the hooked system.

But when I share a folder on the system where the driver is installed, and create a file in the shared folder from another machine, I don’t receive any calls in my hooked function.

Is there any other function that I need to monitor for files created using shared folders/across network?

Also, the same behavior is seen with NtCreateFile.

Any tip will be useful.

Thank you!

Well, first, you should only post in one forum at a time, and it should
have been NTFSD. Also, be aware that hooking is a really bad idea, and
for what you want it is unnecessary, and in fact it is the reason you are
not seeing the requests, since the remote requests do not go through
NtCreateFile!

Don Burn (MVP, Windows DKD)
Windows Filesystem and Driver Consulting
Website: http://www.windrvr.com
Blog: http://msmvps.com/blogs/WinDrvr

"xxxxx@gmail.com" wrote in message
news:xxxxx@ntdev:

> Hello Everyone,
>
> I have a kernel driver where I have hooked ZwCreateFile. After hooking, I receive all calls in my function for calls that are made by the hooked system.
>
> But when I share a folder on the system where the driver is installed, and create a file in the shared folder from another machine, I don’t receive any calls in my hooked function.
>
> Is there any other function that I need to monitor for files created using shared folders/across network?
>
> Also, the same behavior is seen with NtCreateFile.
>
> Any tip will be useful.
>
> Thank you!

> I have a kernel driver where I have hooked ZwCreateFile.

Hooking is evil; write a minifilter instead.


Maxim S. Shatskih
Windows DDK MVP
xxxxx@storagecraft.com
http://www.storagecraft.com