You can’t capture these IO requests in a fs filter driver since these
requests are ‘below’ the file system. To intercept these requests you
need to implement either a volume or disk class filter driver.
You can use IoGetCurrentIrpStackLocation() to extract the current
request information. There is a stack location allocated for each
layered driver when the IRP is allocated based on the StackSize field in
the device object.
Pete
–
Kernel Drivers
Windows File System and Device Driver Consulting
www.KernelDrivers.com
866.263.9295
------ Original Message ------
From: xxxxx@gmail.com
To: “Windows File Systems Devs Interest List”
Sent: 10/13/2016 8:52:47 AM
Subject: RE:[ntfsd] Re[2]: Reading a file only by using IofCallDriver
>Thank you for the help everyone.
>I’ve found the data that is used to find the file in the
>Overlay->CurrentStackLocation->Parameters field which contains a single
>pointer. It points to a structure that contains among other things the
>size of data to read. The rest I still need to figure out.
>
>Is there a way to catch file reads like that with FS filters or
>minifilters or does this method of reading files bypass these
>mechanisms?
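Added example, not part of the original thread: a simplified user-mode C model of the stack-location mechanism described in the reply, showing why a read issued below the file system is seen by a volume-level filter but never by a file system filter. The types and the model_* functions are assumptions made for illustration, not the WDK definitions, and the file system and volume devices are treated as one attached chain.

```c
#include <stdio.h>
#include <stdlib.h>

/* Simplified user-mode model of IRP stack locations; NOT the WDK types. */
typedef struct Device { const char *name; int stackSize; struct Device *lower; int readsSeen; } Device;
typedef struct { int isRead; unsigned length; } StackLoc;
typedef struct { int currentLocation; StackLoc *cur; StackLoc loc[8]; } Irp;

/* Attaching above a device makes the new device's stack one slot deeper. */
static void model_attach(Device *upper, Device *lower) {
    upper->lower = lower;
    upper->stackSize = lower->stackSize + 1;
}

/* Models IofCallDriver: step to the callee's slot, then run its dispatch routine. */
static int model_call_driver(Device *dev, Irp *irp) {
    irp->currentLocation--;
    irp->cur--;
    StackLoc *sp = irp->cur;                   /* what IoGetCurrentIrpStackLocation() returns */
    if (sp->isRead) dev->readsSeen++;          /* a filter at this layer sees the request */
    if (!dev->lower) return 0;                 /* bottom of the stack completes it */
    if (irp->currentLocation <= 1) return -1;  /* no slot left; the real kernel bugchecks */
    irp->cur[-1] = *sp;                        /* copy parameters to the next-lower slot */
    return model_call_driver(dev->lower, irp);
}

/* Build a read IRP sized from the target's stackSize and send it to the target. */
static int model_send_read(Device *target, unsigned length) {
    Irp irp;
    if (target->stackSize < 1 || target->stackSize > 8) return -1;
    irp.currentLocation = target->stackSize + 1;   /* one past the first usable slot */
    irp.cur = &irp.loc[target->stackSize];
    irp.cur[-1].isRead = 1;                        /* the sender fills the *next* location */
    irp.cur[-1].length = length;
    return model_call_driver(target, &irp);
}

int main(void) {
    Device disk = {"disk", 1, NULL, 0}, volFilter = {"volume filter", 0, NULL, 0};
    Device fs = {"file system", 0, NULL, 0}, fsFilter = {"fs filter", 0, NULL, 0};
    model_attach(&volFilter, &disk);
    model_attach(&fs, &volFilter);
    model_attach(&fsFilter, &fs);
    model_send_read(&fsFilter, 4096);   /* normal path: enters at the top of the chain */
    model_send_read(&volFilter, 512);   /* request issued below the file system */
    printf("fs filter saw %d, volume filter saw %d\n", fsFilter.readsSeen, volFilter.readsSeen);
    return 0;
}
```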