OSR Online Lists > ntfsd
  Message 1 of 5  
14 Jun 18 07:39
omri aviasr
xxxxxx@gmail.com
Join Date: 25 May 2018
Posts To This List: 12
Getting full file path out of WRITE operation

Hello, I am developing a minifilter and one of my goals is to know which file in the file system was changed, by which process, and how. I am tracking only write operations and I wish to get as much knowledge as I can about each operation, and send it to a user mode application.

1. One of my goals is finding the full path of the file which was changed, and I am a little bit confused about how it could be done. I know it is possible to use FltQueryInformationFile, but I couldn't understand if I can get the full path or only the file name. Then someone here in the forums told me about the version of this function in user mode, but still I can't tell if I can get the full path or only the file name. So my question is: which is the easiest way of extracting the full path of the target file from a WRITE operation passed to the minifilter?

2. Another problem: can I use the pointer to a FILE_OBJECT given in the minifilter, pass it to the user application and use it there? Because it points only to someplace in the memory.

3. Another small issue: if I use XxxQueryInformationFile I should pass the FILE_NAME_INFORMATION to the function, but how can I know how much memory to allocate for the path?
  Message 2 of 5  
14 Jun 18 08:54
Scott Noone
xxxxxx@osr.com
Join Date: 10 Jul 2002
Posts To This List: 1043
List Moderator
Getting full file path out of WRITE operation

You're at the edge of a cliff and about to walk right off. You need to step back and learn more about minifilters.

Have you tried playing with MiniSpy?

https://github.com/Microsoft/Windows-driver-samples/tree/master/filesys/miniFilter/minispy

Using it along with FileTest can be very enlightening:

http://www.zezula.net/en/fstools/filetest.html

I recommend adding a secondary volume to your system formatted with FAT. Then ONLY attach MiniSpy to the FAT volume, add some breakpoints, and start getting used to how things work.

HTH,

-scott
OSR
@OSRDrivers
  Message 3 of 5  
20 Jun 18 03:05
omri aviasr
xxxxxx@gmail.com
Join Date: 25 May 2018
Posts To This List: 12
Getting full file path out of WRITE operation

I understand that my question is about understanding a few of the fundamentals of the minifilter. But I believe that my questions are simply problems that originate from lack of documentation.

For instance, what is a file object pointer (question 2)? Does it point to a struct which is loaded into an individual process, or is it a global pointer whose address every process can use in order to access it?

Another question was about implementation: how can I get the path without knowing its length? I have to allocate enough memory for it.

The first question was also a question which originated from lack of documentation: some pages claimed that the file object can only access the full path if it was created by a CREATE IRP, although some other pages claimed it was possible to access it no matter what IRP was used to create it. It is very confusing, so I would love it if someone could just explain those few specific issues.
  Message 4 of 5  
20 Jun 18 04:51
Sergey Pisarev
xxxxxx@gmail.com
Join Date: 21 May 2017
Posts To This List: 31
Getting full file path out of WRITE operation

Before you start with minifilters you must understand how the kernel works in general. Start with the Windows Internals book and the kernel-mode architecture section in MSDN: https://docs.microsoft.com/en-us/windows-hardware/drivers/kernel/ . There is no fast and easy way; you must understand the kernel environment.

On Wed, Jun 20, 2018 at 10:05 AM, xxxxx@gmail.com <xxxxx@lists.osr.com> wrote:
> I understand that my question is about understanding few of the
> fundamentals of the minifilter.
> But i believe that my question, are simply issuing problems that are
> originating from lack of documentation.
> For instace, what is it a file object pointer?(question 2) does it point
> to a struct which is loaded to an individual process or it is a global
> pointer which every process can use it's address in order to access it?
> Another question was about implementation, how can i get the path without
> knowing it's length? I have to allocate enough memory for it.
> The first question was also a question which originated from lack of
<...excess quoted lines suppressed...>
  Message 5 of 5  
20 Jun 18 10:36
Scott Noone
xxxxxx@osr.com
Join Date: 10 Jul 2002
Posts To This List: 1043
List Moderator
Getting full file path out of WRITE operation

A File Object represents a unique open instance of a device or a child of a device (e.g. stream, file, directory). This is not a minifilter concept, this is a fundamental operating system concept. So, what Sergey said.

For your implementation questions, have you looked at the MiniSpy sample yet?

-scott
OSR
@OSRDrivers
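As an added example (not code from the thread, from OSR, or from the MiniSpy sample), the following shows the buffer-sizing pattern behind question 3. FILE_NAME_INFORMATION is a variable-length structure: FileNameLength is a byte count and FileName is a UTF-16 array with no terminator. The documented contract of a FileNameInformation query (FltQueryInformationFile in a minifilter, ZwQueryInformationFile/NtQueryInformationFile elsewhere) is that a too-small buffer gets STATUS_BUFFER_OVERFLOW, with FileNameLength set to the full size and as much of the name copied as fits, so the usual approach is to probe once, size from FileNameLength, and query again. Because the real call needs the WDK, the block uses a stand-in named QueryFileNameInformationStandIn (hypothetical, with the same contract) over a constructed sample path, and simplifies the UTF-16 result to a char string for readability; a driver would keep it in a UNICODE_STRING and allocate with ExAllocatePoolWithTag.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Minimal stand-ins for the WDK types and status codes used below. */
typedef int32_t  NTSTATUS;
typedef uint32_t ULONG;
typedef uint16_t WCHAR;                                   /* UTF-16 code unit */
#define STATUS_SUCCESS               ((NTSTATUS)0x00000000)
#define STATUS_BUFFER_OVERFLOW       ((NTSTATUS)0x80000005)
#define STATUS_INFO_LENGTH_MISMATCH  ((NTSTATUS)0xC0000004)
#define NT_SUCCESS(s)                ((s) >= 0)

/* Same layout as the real FILE_NAME_INFORMATION: a byte count followed by
 * a variable-length UTF-16 name that is NOT null-terminated. */
typedef struct _FILE_NAME_INFORMATION {
    ULONG FileNameLength;          /* length of FileName in BYTES */
    WCHAR FileName[1];
} FILE_NAME_INFORMATION;

#define FNI_HEADER_SIZE offsetof(FILE_NAME_INFORMATION, FileName)

/* Constructed sample. A FileNameInformation query yields a volume-relative
 * path like this, without the \Device\HarddiskVolumeN prefix. */
static const char kSamplePath[] = "\\Users\\alice\\Documents\\report.docx";

/* Hypothetical stand-in for FltQueryInformationFile(..., FileNameInformation):
 * FileNameLength is always set to the full size, as many name bytes as fit
 * are copied, and STATUS_BUFFER_OVERFLOW is returned when the buffer was
 * too small to hold the whole name. */
NTSTATUS QueryFileNameInformationStandIn(void *Buffer, ULONG Length, ULONG *Returned)
{
    FILE_NAME_INFORMATION *info = (FILE_NAME_INFORMATION *)Buffer;
    ULONG needed = (ULONG)(strlen(kSamplePath) * sizeof(WCHAR));
    ULONG room, copied, i;

    if (Buffer == NULL || Length < FNI_HEADER_SIZE)
        return STATUS_INFO_LENGTH_MISMATCH;      /* cannot even report the size */

    info->FileNameLength = needed;
    room   = (Length - FNI_HEADER_SIZE) / sizeof(WCHAR) * sizeof(WCHAR); /* whole code units */
    copied = room < needed ? room : needed;
    for (i = 0; i < copied / sizeof(WCHAR); i++)
        info->FileName[i] = (WCHAR)(unsigned char)kSamplePath[i];      /* ASCII -> UTF-16 */

    *Returned = FNI_HEADER_SIZE + copied;
    return copied < needed ? STATUS_BUFFER_OVERFLOW : STATUS_SUCCESS;
}

/* The two-call pattern: probe with a header-sized buffer, read
 * FileNameLength from the overflow result, allocate exactly that much and
 * query again. Returns a heap copy of the name as a null-terminated char
 * string (the sample is ASCII) or NULL; *QueriesMade reports the number
 * of query calls that were needed. */
char *GetFullNameTwoCall(ULONG *QueriesMade)
{
    ULONG size = (ULONG)sizeof(FILE_NAME_INFORMATION);
    FILE_NAME_INFORMATION *info = (FILE_NAME_INFORMATION *)malloc(size);
    ULONG returned = 0, queries = 0, chars, i;
    NTSTATUS status;
    char *out;

    if (info == NULL) return NULL;
    status = QueryFileNameInformationStandIn(info, size, &returned);
    queries++;

    if (status == STATUS_BUFFER_OVERFLOW) {
        /* FileNameLength is valid even on overflow: size the real buffer from it. */
        FILE_NAME_INFORMATION *bigger;
        size   = (ULONG)FNI_HEADER_SIZE + info->FileNameLength;
        bigger = (FILE_NAME_INFORMATION *)realloc(info, size);
        if (bigger == NULL) { free(info); return NULL; }
        info   = bigger;
        status = QueryFileNameInformationStandIn(info, size, &returned);
        queries++;
    }
    if (QueriesMade) *QueriesMade = queries;

    /* STATUS_BUFFER_OVERFLOW is a warning code (NT_SUCCESS is false), so
     * this also rejects a name that grew between the two calls (a rename). */
    if (!NT_SUCCESS(status)) { free(info); return NULL; }

    /* Copy by FileNameLength: FileName has no terminator, so a wcslen-style
     * scan would read past the end of the buffer. */
    chars = info->FileNameLength / sizeof(WCHAR);
    out = (char *)malloc(chars + 1);
    if (out != NULL) {
        for (i = 0; i < chars; i++) out[i] = (char)info->FileName[i];
        out[chars] = '\0';
    }
    free(info);
    return out;
}
```

Two caveats for the actual minifilter case. First, FileNameInformation returns only the volume-relative part of the name; the route MiniSpy takes, FltGetFileNameInformation with FLT_FILE_NAME_NORMALIZED, hands back a filter-manager-allocated FLT_FILE_NAME_INFORMATION containing the full \Device\HarddiskVolumeN\... name (released with FltReleaseFileNameInformation), which removes the sizing problem entirely. Second, on question 2: the FILE_OBJECT pointer is a kernel-mode address that user mode can neither dereference nor trust; if a user-mode consumer needs to correlate events, send it only as an opaque identifier together with the name and process id resolved in the driver.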