minispy to monitor file changes

I need to monitor the files whose contents are being changed. I tried to modify the minispy driver provided with the DDK.
I added a few lines to the SpyPreOperationCallback function.
Below is the added code.

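    if (FltObjects->FileObject != NULL && Data != NULL)
    {
        FileObject = Data->Iopb->TargetFileObject;
        /* Log write requests only; PID 4 is the System process. */
        if (FileObject != NULL && Data->Iopb->MajorFunction == IRP_MJ_WRITE && CurProcID != 4)
        {
            /* %wZ takes a PUNICODE_STRING; FileName.Buffer is not guaranteed to be NUL-terminated. */
            DbgPrint("process=%d : File name %wZ", CurProcID, &FileObject->FileName);
        }
    }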

I am getting some logs with the file names “Mft, Bitmap, Directory”:
process=2020 : File name $Mft
process=2020 : File name $BitMap
process=2020 : File name $Directory

How can I avoid logging this data?
Also I want to know if the file contents have been modified or not. How should I achieve this?

Hello abhijit,

If I was to track file modifications this is how I would have proceeded.

  1. For every create request, register a post callback where I create a stream handle context where you keep the file name.
  2. Track registered contexts in the Read, Write and SetInfo callbacks and just create a log record for each operation.

Wilfried.

Thanks Wilfried. I'll try to work on your suggestion. I am new to driver programming. Any other suggestions?

Besides what others have to say about this, I think I’ll mostly stick to that if you just want to monitor file changes. Maybe the read callback isn’t really necessary here so: Context tracking in POST Create callback and checking them in IRP_MJ_SET_INFO along with IRP_MJ_WRITE callback would be fine I think.

Ctx and Change sample mini filters can help.

Wilfried.
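
A user-mode model of the tracking described in the replies above, added here as an example and not code from the thread or from the minispy sample: a table keyed by file-object address stands in for the stream handle context, and every function name and path is constructed. It assumes that writes like the $Mft ones arrive on file objects that never passed through the tracked create, so they find no context and are skipped.

```c
/* User-mode model of the bookkeeping only, not minifilter code: a table keyed
   by file-object address stands in for the stream handle context. */
#include <stdio.h>
#define MAX_CTX 16
struct ctx { const void *file_object; char name[64]; int modified, used; };
static struct ctx table[MAX_CTX];

static struct ctx *lookup(const void *fo) {
    for (int i = 0; i < MAX_CTX; i++)
        if (table[i].used && table[i].file_object == fo) return &table[i];
    return NULL;
}

/* Post-create (step 1): remember the name. Returns 1 if a context was attached. */
static int on_post_create(const void *fo, const char *name) {
    if (lookup(fo)) return 0;
    for (int i = 0; i < MAX_CTX; i++) {
        if (table[i].used) continue;
        table[i] = (struct ctx){ .file_object = fo, .used = 1 };
        snprintf(table[i].name, sizeof table[i].name, "%s", name);
        return 1;
    }
    return 0; /* table full: this file object stays untracked */
}

/* Write / set-information (step 2): returns 1 if logged, 0 if skipped (no context). */
static int on_modify(const void *fo, const char *op) {
    struct ctx *c = lookup(fo);
    if (c == NULL) return 0;
    c->modified = 1;
    printf("%s: %s\n", op, c->name);
    return 1;
}

/* Cleanup: 1 = modified through this handle, 0 = not, -1 = never tracked. */
static int on_cleanup(const void *fo) {
    struct ctx *c = lookup(fo);
    if (c == NULL) return -1;
    c->used = 0;
    return c->modified;
}

int main(void) {
    int doc, meta; /* constructed stand-ins for two file objects */
    on_post_create(&doc, "C:\\docs\\report.txt");
    on_modify(&meta, "write"); /* assumed: never seen in create, so skipped */
    on_modify(&doc, "write");
    printf("modified=%d\n", on_cleanup(&doc));
}
```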

Thanks Wilfried. I was able to do it.