Question

I have a mini-filter that protects certain files. Is there any way to determine what process is accessing the PFLT_FILE_NAME_INFORMATION&nameInfo->Name when the driver’s Data->RequestorMode == KernelMode?

When the driver’s Data->RequestorMode == UserMode, I can use ZwQueryInformationProcess to get the process accessing my protected file. However, if the mini-filter is in KernelMode the ZwQueryInformationProcess is null for the process.

Thanks,
Tim

You can confidently assume that this is the process returned by PsGetCurrentProcess. The only word of caution: if this is the SYSTEM process you will not be able to get some information as in the case of a user process; for example, the executable file object doesn't make sense for this process and NULL is returned.

If the request is coming from kernel mode then it’s not really coming from
any specific process (it’s coming from a specific driver or the OS).

You can use the current process for logging, but just note that the request
is not coming from that process but from a kernel mode requestor running
within that process. This means that, for example, the open may succeed even
though the current process does not actually have access to the particular
file.

-scott
OSR
@OSRDrivers

“Tim Kelly” wrote in message news:xxxxx@ntdev…
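An added example, not code from the thread: a minifilter pre-create callback that applies the advice above, logging the process context of each open but treating a kernel-mode requestor as distinct from that process. It assumes a WDK build where ZwQueryInformationProcess and PsInitialSystemProcess are declared through fltKernel.h; the Demo prefix is hypothetical.

```c
#include <fltKernel.h>

// Added example (not from the thread): record the process context of an open and
// how far that identity can be trusted. Names starting with "Demo" are hypothetical.
FLT_PREOP_CALLBACK_STATUS
DemoPreCreate(
    _Inout_ PFLT_CALLBACK_DATA Data,
    _In_ PCFLT_RELATED_OBJECTS FltObjects,
    _Flt_CompletionContext_Outptr_ PVOID *CompletionContext)
{
    UNREFERENCED_PARAMETER(FltObjects);
    *CompletionContext = NULL;

    // Every request runs in *some* process context, even one issued from kernel mode.
    PEPROCESS process = PsGetCurrentProcess();
    HANDLE pid = PsGetCurrentProcessId();

    // Image path of the current process (the original poster's approach). The
    // System process has no backing executable, so the query fails there.
    UCHAR nameBuffer[sizeof(UNICODE_STRING) + 1024];
    ULONG returned = 0;
    NTSTATUS status = ZwQueryInformationProcess(ZwCurrentProcess(), ProcessImageFileName,
                                                nameBuffer, sizeof(nameBuffer), &returned);
    UNICODE_STRING noImage = RTL_CONSTANT_STRING(L"<no image file>");
    PUNICODE_STRING imageName = NT_SUCCESS(status) ? (PUNICODE_STRING)nameBuffer : &noImage;

    if (Data->RequestorMode == UserMode) {
        // A user-mode caller: the current process is the requestor, and the I/O
        // manager enforces that process's access rights on this open.
        DbgPrint("[demo] user-mode open, PID %p, image %wZ\n", pid, imageName);
    } else if (process == PsInitialSystemProcess) {
        // Kernel-mode requestor in the System process (e.g. the OS itself on a
        // system worker thread): there is no user process to attribute it to.
        DbgPrint("[demo] kernel-mode open in the System process, PID %p\n", pid);
    } else {
        // Kernel-mode requestor (a driver) running inside some process's context.
        // Log the context, but do not treat the open as that process's own access:
        // it can succeed even if the process itself could not open the file.
        DbgPrint("[demo] kernel-mode open in context of PID %p, image %wZ\n", pid, imageName);
    }

    return FLT_PREOP_SUCCESS_NO_CALLBACK;
}
```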