importing fltKernel in user-mode application

Hello, I am new to the subject of minifilter development and I wanted to know if I can call functions from fltkernel.h, because I still want to use some of the functions in this API in order to analyze the fltcallbackdata struct. I understand that it is possible to analyze everything in the minifilter and then send it to the user-mode application, but I still want the freedom of using this API also in the user-mode application.

I thought that maybe, because a minifilter usually runs in kernel mode and this library is meant for driver development, I can't access some of those functions, but I still want to know if I can use it.

Mostly I want access to the structs (which I can build myself, but it would be very hard), and the FltQueryInformationFile function.

Another short question about FltQueryInformationFile (I just don't want to open an entire thread just for this question). I know that in order to find a file object's full path I should access the data structure of a create operation, but with FltQueryInformationFile I can use it on any operation and I can ask for FileNameInformation. So is it possible to get the full path of a WRITE or READ operation with FltQueryInformationFile?

No, you cannot use FltQueryInformationFile or any other FltXXX call in a user
space application. But you might want to look at
https://docs.microsoft.com/en-us/windows-hardware/drivers/ddi/content/ntifs/nf-ntifs-ntqueryinformationfile
since ZwQueryInformationFile can be called from user space.

Don Burn
Windows Driver Consulting
Website: http://www.windrvr.com
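
As an added illustration of the reply above (not code from the thread or from its participants): a user-mode program that resolves NtQueryInformationFile from ntdll.dll, asks for FileNameInformation on an open handle, and decodes the returned FILE_NAME_INFORMATION buffer. The names `decode_file_name_info`, `IOSB` and `FileNameInformationClass` are made up for this example; the Windows-only part is guarded so the decoder can be built and checked anywhere.

```c
#include <stddef.h>
#include <stdint.h>

/* Decode a FILE_NAME_INFORMATION buffer: a 32-bit FileNameLength (in BYTES)
 * followed by UTF-16LE characters with no NUL terminator.
 * Returns the character count, or -1 if the buffer is malformed. */
int decode_file_name_info(const uint8_t *buf, size_t len, char *out, size_t cap)
{
    if (len < 4 || cap == 0) return -1;
    uint32_t bytes = buf[0] | buf[1] << 8 | buf[2] << 16 | (uint32_t)buf[3] << 24;
    if (bytes % 2 || bytes > len - 4 || bytes / 2 >= cap) return -1;
    for (uint32_t i = 0; i < bytes / 2; i++) {
        unsigned ch = buf[4 + 2 * i] | buf[5 + 2 * i] << 8;
        out[i] = ch < 0x80 ? (char)ch : '?';   /* non-ASCII replaced for brevity */
    }
    out[bytes / 2] = '\0';
    return (int)(bytes / 2);
}

#ifdef _WIN32   /* the user-mode query itself; only built on Windows */
#include <stdio.h>
#include <windows.h>

/* Local declarations (hypothetical names) mirroring the documented layout. */
typedef struct { union { LONG Status; PVOID Pointer; } u; ULONG_PTR Information; } IOSB;
typedef LONG (NTAPI *NtQueryInformationFile_t)(HANDLE, IOSB *, PVOID, ULONG, int);
enum { FileNameInformationClass = 9 };         /* FileNameInformation */

int main(int argc, char **argv)
{
    static uint8_t buf[4 + 2 * 32768];
    static char name[32768];
    IOSB iosb;
    NtQueryInformationFile_t query = (NtQueryInformationFile_t)GetProcAddress(
        GetModuleHandleA("ntdll.dll"), "NtQueryInformationFile");
    if (argc < 2 || !query) return 1;
    HANDLE h = CreateFileA(argv[1], FILE_READ_ATTRIBUTES,
        FILE_SHARE_READ | FILE_SHARE_WRITE | FILE_SHARE_DELETE, NULL,
        OPEN_EXISTING, FILE_FLAG_BACKUP_SEMANTICS, NULL);
    if (h == INVALID_HANDLE_VALUE) return 1;
    /* Same information class the question asks about, queried on a handle. */
    LONG status = query(h, &iosb, buf, sizeof buf, FileNameInformationClass);
    if (status >= 0 &&
        decode_file_name_info(buf, (size_t)iosb.Information, name, sizeof name) >= 0)
        printf("%s\n", name);                  /* path relative to the volume root */
    CloseHandle(h);
    return status >= 0 ? 0 : 1;
}
#endif
```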

-----Original Message-----
From: xxxxx@lists.osr.com
[mailto:xxxxx@lists.osr.com] On Behalf Of xxxxx@gmail.com
Sent: Friday, June 08, 2018 6:40 PM
To: Windows File Systems Devs Interest List
Subject: [ntfsd] importing fltKernel in usera-mode application
