Why does the FileObject have no name????

Hi,
I'm trying to see which file is being written in Win2K, so I use the
following code.

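    case IRP_MJ_WRITE:
    {
    #if DBG
        ANSI_STRING filename;
        /* FileName may be empty here (Buffer == NULL); print only if the conversion succeeds */
        if (NT_SUCCESS(RtlUnicodeStringToAnsiString(&filename,
                                                    &FileObject->FileName, TRUE)))
        {
            /* DbgPrint takes its arguments directly; double parentheses are for KdPrint */
            DbgPrint("Write file '%s' !!\n", filename.Buffer);
            RtlFreeAnsiString(&filename);
        }
    #endif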

But I find that some FileObjects have no name
(FileObject->FileName.Buffer = NULL).
Then I use ZwQueryInformationFile(…) to see the standard information
of this file, but it returns STATUS_INVALID_PARAMETER.
I don't know what the type of this file object is, or why NT
writes this file which has no name.
I also looked at the stack in SoftICE; it looks like this:
    FilterHookRountine+022E
    FilterDispatch+0039
    ntoskrnl!IoBuildSynchronousFsdRequest+008F
    ntoskrnl!MmDisableModifiedWriteOfSection+0914
    ntoskrnl!MmDisableModifiedWriteOfSection+0508
    ntoskrnl!CcFlushCache+0353
    ntoskrnl!CcSetDirtyPinnedData+0C25
    ntoskrnl!CcWaitForCurrentLazyWriterActivity+05A9
    ntoskrnl!ExQueueWorkItem+017D
    ntoskrnl!PsSetCreateThreadNotifyRoutine+00AA
    ntoskrnl!KiUnexpectedInterrupt+0180
Who can tell me why the file object has no name, and what
Win2K wants to do?
Thanks in advance.

This question again.

The name is only valid before the file system has had the file object in the create path. You have to remember the file object that matches the file name(s) you are interested in. From the sound of it you are doing a logging type operation, so you'll have to have a table of all the names and matching file objects, then look them up.

It might be easiest to post-process your log - record file name and file object on the create, and just log the file object for all the other cases.

Andy
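
The table Andy describes, as an added example that is not part of the original thread: a user-mode C model that records the name against the file object at create, looks it up on write, and drops the entry at close. The function names, the fixed-size array and the plain C strings are assumptions; a real filter would key on PFILE_OBJECT, copy the UNICODE_STRING, and guard the table with a lock.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define MAX_TRACKED 64   /* hypothetical capacity */
#define NAME_LEN    260

struct tracked { const void *file_object; char name[NAME_LEN]; };
static struct tracked table[MAX_TRACKED];

/* Return the slot holding fo; find(NULL) returns the first free slot. */
static struct tracked *find(const void *fo) {
    for (size_t i = 0; i < MAX_TRACKED; i++)
        if (table[i].file_object == fo) return &table[i];
    return NULL;
}

/* Create path: copy the name while it is still valid. 0 on success. */
int track_create(const void *fo, const char *name) {
    struct tracked *e;
    if (fo == NULL || name == NULL) return -1;
    e = find(fo);
    if (e == NULL) e = find(NULL);
    if (e == NULL) return -1;               /* table full */
    e->file_object = fo;
    strncpy(e->name, name, NAME_LEN - 1);
    e->name[NAME_LEN - 1] = '\0';
    return 0;
}

/* Read/write path: NULL means this file object was never seen at create. */
const char *lookup_name(const void *fo) {
    struct tracked *e = fo ? find(fo) : NULL;
    return e ? e->name : NULL;
}

/* Close path: forget the entry, because the same pointer value can be
   reused later for a different file. */
void track_close(const void *fo) {
    struct tracked *e = fo ? find(fo) : NULL;
    if (e) e->file_object = NULL;
}

int main(void) {
    int fo1, fo2;  /* constructed stand-ins; only their addresses are used */
    track_create(&fo1, "\\docs\\report.doc");
    const char *n1 = lookup_name(&fo1), *n2 = lookup_name(&fo2);
    printf("write %p -> %s\n", (void *)&fo1, n1 ? n1 : "(untracked)");
    printf("write %p -> %s\n", (void *)&fo2, n2 ? n2 : "(untracked)");
    return 0;
}
```

In a filter the removal belongs in IRP_MJ_CLOSE rather than IRP_MJ_CLEANUP, since cached data can still be written through the file object after the last handle is gone, as in the lazy-writer stack quoted in the question.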

