I have written a driver that hooks the ZwCreateFile & ZwOpenFile APIs to
be able to monitor file access.
The hook works well; my problem is getting the full path of the file
opened. As it is, I use ObReferenceObjectByHandle()
to get the path from the handle: I get the file object, then I use the
FileName member of the structure to get the filename.
The problem is that it is not the full path, only the directory section,
not the drive letter.
Example:
\Program Files instead of \??\C:\Program Files
How could I get the drive letter?
Thanks,
Benjamin Lauzière
Please do this properly with a filesystem filter and not by hooking
system service APIs. Anyways, you can ask a file for its full
pathname with one of the query file info categories.
–
Nick Ryan (MVP for DDK)
First: using API hooking to filter filesystems (or to do just about anything
else) is generally a Bad Idea. If you want to do file system filtering in a
commercial product, buy the IFS Kit and write a file system filter driver.
As for your question, you need to create a mapping of DeviceObjects to
Volume Names.
=====================
Mark Roddy
Hollis Technology Solutions
www.hollistech.com
xxxxx@hollistech.com
-----Original Message-----
From: Benjamin Lauzière [mailto:xxxxx@altern.org]
Sent: Monday, August 18, 2003 3:11 PM
To: Windows System Software Developers Interest List
Subject: [ntdev] Getting Drive Letter
Questions? First check the Kernel Driver FAQ at
http://www.osronline.com/article.cfm?id=256
You are currently subscribed to ntdev as: xxxxx@stratus.com To
unsubscribe send a blank email to xxxxx@lists.osr.com
After seeing Mark’s post I forgot to mention this won’t give you the
drive letter, but it will give you the rest of the path. But you cannot
rely on FileObject->FileName; it’s not guaranteed to be valid after the
create request has come back up from the filesystem.
–
Nick Ryan (MVP for DDK)
I am aware that it may not be the best way to do it, but this will be
used internally only and needs to be done quickly.
I took a look at ZwQueryInformationFile() and it has the same problem
as the method that I am currently using:
it doesn't include the drive letter in the path:
“If the full path and file name are returned, the string will begin with
a single backslash, regardless of its location. Thus the file
C:\dir1\dir2\filename.ext will appear as \dir1\dir2\filename.ext,
while the file \\server\share\dir1\dir2\filename.ext will appear as
\server\share\dir1\dir2\filename.ext.” (From the DDK documentation).
Any other suggestion?
Thanks,
Benjamin Lauzière
How about ObQueryObjectName()? You get the ObjectAttributes, don’t you!!!
-prokash
I have never heard of this function; I have not found anything on it on
the web, and NTOSKRNL.EXE doesn't
seem to export it (on Win2k SP4). Am I missing something?
Regards,
Benjamin Lauzière
I might have a spelling error (or maybe it is in the IFS kit). There is such a
thing though.
-prokash
ObQueryNameString
AFAIK, this is an IFS kit macro.
Mat
Have you tried this, or are you just floating suggestions for Benjamin to
waste his time on?
As far as I know, you get the volume name by building a map of volume names
to device objects and searching this map using the DeviceObject
associated with the FileObject.
=====================
Mark Roddy
Hollis Technology Solutions
www.hollistech.com
xxxxx@hollistech.com
Actually it is an exported function in the ntoskrnl, and defined in the IFS
kit, definitely not a macro.
Don Burn (MVP, Windows DDK)
Windows 2k/XP/2k3 Filesystem and Driver Consulting
Damn, my mistake. Sorry.
Sorry, my mistake for the bad (non-existing) DDK function.
But the other one works fine. Regmon src uses it, I used it also. And the
new version (if I recall) takes slightly different params. As Don and
Mathieu said, the header define is in the IFS kit, but it is exported from
ntoskrnl.exe…
But he needs to check pObjects->RootDirectory for non-null, then call to get
the unicode version, then he needs to put them together to get something
like
\??\<driveletter>:\filename.
My memory is highly volatile, and I apologize for that; if he can wait
until tomorrow, I will send some code that
I know works…
-prokash
Thanks for your answer. Could you give me more details on how to map a
DeviceObject to a drive letter?
Regards,
Benjamin Lauzière
IoVolumeDeviceToDosName.
–
Nick Ryan (MVP for DDK)
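The last step the thread leaves implicit is the join: IoVolumeDeviceToDosName() gives you the DOS name of the volume ("C:") for the file's volume device object, and FileObject->FileName or a FileNameInformation query gives you the volume-relative part ("\Program Files"); the \??\C:\Program Files form in the original question is those two glued together behind the \??\ prefix. In the kernel the DosName buffer is allocated for you and must be freed with ExFreePool, and, as Nick noted, FileObject->FileName is not something to read after the create has completed. The code below is an added example written for this page, not code from any poster and not the thread's driver; it re-declares UNICODE_STRING, WCHAR, USHORT and NTSTATUS with the DDK layout so it builds and runs in user mode without ntddk.h, and it assumes the "C:" input is what IoVolumeDeviceToDosName() returned. Its point is the part that bites in practice: UNICODE_STRING lengths are byte counts with no terminator, so the join must check MaximumLength instead of assuming the caller's buffer is big enough, and it must refuse the case where there is no DOS name at all (a file on a redirector device has no drive letter, so there is nothing sensible to prepend).

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Re-declared with the DDK layout so this builds without ntddk.h: lengths are
 * in BYTES and Buffer carries no NUL terminator. */
typedef uint16_t WCHAR, USHORT;
typedef int32_t NTSTATUS;
typedef struct _UNICODE_STRING {
    USHORT Length;        /* bytes in use */
    USHORT MaximumLength; /* bytes available in Buffer */
    WCHAR *Buffer;
} UNICODE_STRING;

#define STATUS_SUCCESS           ((NTSTATUS)0x00000000L)
#define STATUS_INVALID_PARAMETER ((NTSTATUS)0xC000000DL)
#define STATUS_BUFFER_TOO_SMALL  ((NTSTATUS)0xC0000023L)

/* Append src to dst, refusing instead of writing past dst->MaximumLength. */
static NTSTATUS AppendUnicode(UNICODE_STRING *dst, const UNICODE_STRING *src)
{
    size_t need = (size_t)dst->Length + src->Length; /* widened: USHORT+USHORT can wrap */
    if (need > dst->MaximumLength)
        return STATUS_BUFFER_TOO_SMALL;
    memcpy((uint8_t *)dst->Buffer + dst->Length, src->Buffer, src->Length);
    dst->Length = (USHORT)need;
    return STATUS_SUCCESS;
}

/* Join the DOS volume name (what IoVolumeDeviceToDosName() returns for the
 * file's volume device, e.g. "C:") with the volume-relative name from
 * FileObject->FileName / FileNameInformation ("\dir\file") into
 * "\??\C:\dir\file". The caller owns `out` and its buffer. */
static NTSTATUS BuildFullPath(const UNICODE_STRING *dosName,
                              const UNICODE_STRING *relName, UNICODE_STRING *out)
{
    static const WCHAR prefixChars[4] = { '\\', '?', '?', '\\' };
    const UNICODE_STRING prefix = { sizeof prefixChars, sizeof prefixChars,
                                    (WCHAR *)prefixChars };
    NTSTATUS st;
    /* No DOS name (no drive letter, e.g. a redirector device) or a name that
     * is not rooted: the join would be garbage, so fail loudly instead. */
    if (dosName->Length == 0 || relName->Length < sizeof(WCHAR) ||
        relName->Buffer[0] != (WCHAR)'\\')
        return STATUS_INVALID_PARAMETER;

    out->Length = 0;
    if ((st = AppendUnicode(out, &prefix)) != STATUS_SUCCESS) return st;
    if ((st = AppendUnicode(out, dosName)) != STATUS_SUCCESS) return st;
    return AppendUnicode(out, relName);
}

/* User-mode helper: build a UNICODE_STRING from ASCII test input. */
static void FromAscii(UNICODE_STRING *u, WCHAR *buf, USHORT capBytes, const char *s)
{
    size_t n = strlen(s), i;
    if (n * sizeof(WCHAR) > capBytes) n = capBytes / sizeof(WCHAR);
    for (i = 0; i < n; i++) buf[i] = (WCHAR)(unsigned char)s[i];
    u->Buffer = buf;
    u->Length = (USHORT)(n * sizeof(WCHAR));
    u->MaximumLength = capBytes;
}

/* Run BuildFullPath with outCapBytes of room; on success return the result as
 * a NUL-terminated ASCII string in `ascii` (left empty on failure). */
static NTSTATUS JoinAscii(const char *dos, const char *rel, USHORT outCapBytes,
                          char *ascii, size_t asciiCap)
{
    WCHAR d[64], r[256], o[512];
    UNICODE_STRING dosName, relName, out;
    NTSTATUS st;
    size_t i, n;
    FromAscii(&dosName, d, sizeof d, dos);
    FromAscii(&relName, r, sizeof r, rel);
    out.Buffer = o;
    out.Length = 0;
    out.MaximumLength = outCapBytes < sizeof o ? outCapBytes : (USHORT)sizeof o;
    ascii[0] = '\0';
    st = BuildFullPath(&dosName, &relName, &out);
    if (st != STATUS_SUCCESS) return st;
    n = out.Length / sizeof(WCHAR);
    if (n + 1 > asciiCap) return STATUS_BUFFER_TOO_SMALL;
    for (i = 0; i < n; i++) ascii[i] = (char)out.Buffer[i];
    ascii[n] = '\0';
    return STATUS_SUCCESS;
}

/* 1 if joining dos+rel into a 512-byte buffer yields exactly `expect`. */
static int JoinEquals(const char *dos, const char *rel, const char *expect)
{
    char scratch[512];
    return JoinAscii(dos, rel, 512, scratch, sizeof scratch) == STATUS_SUCCESS &&
           strcmp(scratch, expect) == 0;
}

int main(void)
{
    char path[256]; /* constructed sample input, not taken from a real system */
    NTSTATUS st = JoinAscii("C:", "\\Program Files", 256, path, sizeof path);
    printf("status=0x%08X path=%s\n", (unsigned)st, path);
    return 0;
}
```

With a 16-byte output buffer the same call returns STATUS_BUFFER_TOO_SMALL and writes nothing, and an empty DOS name or a relative name without its leading backslash is rejected with STATUS_INVALID_PARAMETER rather than producing a half-formed path that a monitor would happily log as real.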
Thanks, it’s exactly what I wanted.
Benjamin Lauzière