Query regarding handling fastio in minifilter driver

We are trying to capture file events with a few tools. In Procmon, I can see that fast I/O operations are getting captured as "FASTIO_RELEASE_FOR_SECTION_SYNCHRONIZATION", "FASTIO_ACQUIRE_FOR_CC_FLUSH" and "FASTIO_RELEASE_FOR_CC_FLUSH" operations. I want to capture these events in my minifilter driver as well.
I have an IRP_MJ_CREATE pre-create callback registered in the driver. I have checked whether the I/O is fast I/O or a normal IRP by using the "FLT_IS_FASTIO_OPERATION" macro, but I am not getting any fast I/O. Do I have to register for fast I/O in my minifilter driver? And how can I register for fast I/O in a minifilter driver?

It's not clear: have you registered for IRP_MJ_ACQUIRE_FOR_SECTION_SYNCHRONIZATION, IRP_MJ_ACQUIRE_FOR_CC_FLUSH and so on?

No. I see a few fast I/O calls when I use a specific malware tool to delete files. I wanted to deny access to these tools when they try to delete. I could see these calls in Procmon, but I am wondering how to see this fast I/O in my minifilter driver. Which callback should I register for? Currently I am not seeing this in my pre-create callback.

If you look at the screenshot, you can see that CreateFile comes with desired access DELETE. I set ACCESS_DENIED and return PREOP_COMPLETE in my pre-create routine, but the file still gets deleted by that tool. I was wondering whether I have to stop the fast I/O calls as well so that I can deny access, but I couldn't see those in my pre-create callback.

When I delete normally I always see SetRenameInformationFile. But when I use specific malware tools I don't see SetRenameInformationFile. Hence I am checking what else the tool does by looking into the Procmon log.

Any inputs on this would be helpful.
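For the registration question raised above, here is an added example (not code posted by anyone in this thread). Two facts it relies on: IRP_MJ_CREATE is never delivered as fast I/O, so FLT_IS_FASTIO_OPERATION is always false in a pre-create callback; and the FASTIO_*_SECTION_SYNCHRONIZATION / FASTIO_*_CC_FLUSH lines Procmon shows reach a minifilter only through the dedicated major functions IRP_MJ_ACQUIRE_FOR_SECTION_SYNCHRONIZATION, IRP_MJ_RELEASE_FOR_SECTION_SYNCHRONIZATION, IRP_MJ_ACQUIRE_FOR_CC_FLUSH and IRP_MJ_RELEASE_FOR_CC_FLUSH, which must be listed in the FLT_OPERATION_REGISTRATION table. Those calls are Cc/Mm synchronization and carry no delete intent, so the example only observes them; delete intent is carried by DELETE desired access or FILE_DELETE_ON_CLOSE at create, and by FileDispositionInformation(Ex) on an already open handle, which a denied create does not revoke. The policy decisions are kept in plain C so they can be compiled and tested in user mode; the kernel glue is guarded by _KERNEL_MODE, which the WDK defines for kernel-mode targets (assumption stated in the code). The numeric constants are copied from the WDK headers, and the function and variable names are this example's own.

```c
/*
 * Deletion-intent policy for a file-system minifilter.
 * Added example for this thread, not code from any participant.
 * Policy functions are plain C so they compile and run in user mode;
 * the kernel glue below is compiled only when the WDK defines _KERNEL_MODE
 * (assumption: standard WDK kernel-mode build). Constants copied from WDK.
 */

/* ACCESS_MASK bit and CreateOptions flag that carry delete intent at create. */
#define ACCESS_DELETE_BIT          0x00010000UL  /* DELETE */
#define CREATE_DELETE_ON_CLOSE     0x00001000UL  /* FILE_DELETE_ON_CLOSE */

/* FILE_INFORMATION_CLASS values that delete via IRP_MJ_SET_INFORMATION. */
#define CLASS_FILE_DISPOSITION     13            /* FileDispositionInformation */
#define CLASS_FILE_DISPOSITION_EX  64            /* FileDispositionInformationEx */
#define DISPOSITION_EX_DELETE      0x00000001UL  /* FILE_DISPOSITION_DELETE */

typedef enum { POLICY_ALLOW = 0, POLICY_DENY = 1 } POLICY_VERDICT;

/* Pre-create. DesiredAccess is Data->Iopb->Parameters.Create.SecurityContext->
 * DesiredAccess; CreateOptions is the low 24 bits of Parameters.Create.Options. */
POLICY_VERDICT PolicyForCreate(unsigned long DesiredAccess, unsigned long CreateOptions)
{
    if (DesiredAccess & ACCESS_DELETE_BIT) return POLICY_DENY;
    if (CreateOptions & CREATE_DELETE_ON_CLOSE) return POLICY_DENY;
    return POLICY_ALLOW;
}

/* Pre-set-information. Handles the classic FILE_DISPOSITION_INFORMATION
 * (one BOOLEAN) and the Windows 10 FILE_DISPOSITION_INFORMATION_EX (ULONG
 * Flags). Short buffers are passed through; the file system rejects them. */
POLICY_VERDICT PolicyForSetInformation(unsigned long InfoClass,
                                       const void *InfoBuffer,
                                       unsigned long Length)
{
    const unsigned char *b = (const unsigned char *)InfoBuffer;
    if (b == 0) return POLICY_ALLOW;
    if (InfoClass == CLASS_FILE_DISPOSITION) {
        if (Length < 1) return POLICY_ALLOW;
        return b[0] ? POLICY_DENY : POLICY_ALLOW;
    }
    if (InfoClass == CLASS_FILE_DISPOSITION_EX) {
        unsigned long flags;
        if (Length < 4) return POLICY_ALLOW;
        /* Little-endian ULONG assembled byte-wise; buffer alignment not assumed. */
        flags = (unsigned long)b[0] | ((unsigned long)b[1] << 8)
              | ((unsigned long)b[2] << 16) | ((unsigned long)b[3] << 24);
        return (flags & DISPOSITION_EX_DELETE) ? POLICY_DENY : POLICY_ALLOW;
    }
    return POLICY_ALLOW;
}

#if defined(_KERNEL_MODE)
#include <fltKernel.h>

/* Complete the request in the pre-callback so nothing below the filter sees it. */
static FLT_PREOP_CALLBACK_STATUS DenyWithAccessDenied(PFLT_CALLBACK_DATA Data)
{
    Data->IoStatus.Status = STATUS_ACCESS_DENIED;
    Data->IoStatus.Information = 0;
    return FLT_PREOP_COMPLETE;
}

FLT_PREOP_CALLBACK_STATUS PreCreate(PFLT_CALLBACK_DATA Data,
                                    PCFLT_RELATED_OBJECTS FltObjects,
                                    PVOID *CompletionContext)
{
    const FLT_PARAMETERS *p = &Data->Iopb->Parameters;
    UNREFERENCED_PARAMETER(FltObjects);
    *CompletionContext = NULL;
    if (PolicyForCreate(p->Create.SecurityContext->DesiredAccess,
                        p->Create.Options & 0x00FFFFFF) == POLICY_DENY)
        return DenyWithAccessDenied(Data);
    return FLT_PREOP_SUCCESS_NO_CALLBACK;
}

FLT_PREOP_CALLBACK_STATUS PreSetInformation(PFLT_CALLBACK_DATA Data,
                                            PCFLT_RELATED_OBJECTS FltObjects,
                                            PVOID *CompletionContext)
{
    const FLT_PARAMETERS *p = &Data->Iopb->Parameters;
    UNREFERENCED_PARAMETER(FltObjects);
    *CompletionContext = NULL;
    if (PolicyForSetInformation(p->SetFileInformation.FileInformationClass,
                                p->SetFileInformation.InfoBuffer,
                                p->SetFileInformation.Length) == POLICY_DENY)
        return DenyWithAccessDenied(Data);
    return FLT_PREOP_SUCCESS_NO_CALLBACK;
}

/* Cc/Mm synchronization callbacks: these are the FASTIO_* lines in Procmon.
 * They carry no delete intent, so they are only observed, never failed. */
FLT_PREOP_CALLBACK_STATUS PreCcSync(PFLT_CALLBACK_DATA Data,
                                    PCFLT_RELATED_OBJECTS FltObjects,
                                    PVOID *CompletionContext)
{
    UNREFERENCED_PARAMETER(Data);
    UNREFERENCED_PARAMETER(FltObjects);
    *CompletionContext = NULL;
    return FLT_PREOP_SUCCESS_NO_CALLBACK;
}

const FLT_OPERATION_REGISTRATION Callbacks[] = {
    { IRP_MJ_CREATE,                              0, PreCreate,         NULL },
    { IRP_MJ_SET_INFORMATION,                     0, PreSetInformation, NULL },
    { IRP_MJ_ACQUIRE_FOR_SECTION_SYNCHRONIZATION, 0, PreCcSync,         NULL },
    { IRP_MJ_RELEASE_FOR_SECTION_SYNCHRONIZATION, 0, PreCcSync,         NULL },
    { IRP_MJ_ACQUIRE_FOR_CC_FLUSH,                0, PreCcSync,         NULL },
    { IRP_MJ_RELEASE_FOR_CC_FLUSH,                0, PreCcSync,         NULL },
    { IRP_MJ_OPERATION_END }
};
#endif
```

The Callbacks array is what goes into FLT_REGISTRATION.OperationRegistration before FltRegisterFilter; the pseudo-major functions for section synchronization and CC flush are only ever seen by a minifilter when they are listed there. Denying a create with STATUS_ACCESS_DENIED only affects that open, so a tool that already holds a handle, or that deletes through FileDispositionInformation(Ex), is stopped by the set-information path, not the create path.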
