Getting full file path out of WRITE operation

Hello, I am developing a minifilter, and one of my goals is to know which file in the file system was changed, by which process, and how. I am tracking only write operations, and I wish to get as much knowledge as I can about each operation and send it to a user-mode application.

  1. One of my goals is finding the full path of the file which was changed, and I am a little bit confused about how it could be done. I know it is possible to use FltQueryInformationFile, but I couldn’t understand if I can get the full path or only the file name. Then someone here in the forums told me about this version of this function in user mode, but still I can’t tell if I can get the full path or only the file name. So my question is: which is the easiest way of extracting the full path of the target file from a WRITE operation passed to the minifilter?

  2. Another problem: can I take the pointer to a FILE_OBJECT given in the minifilter, pass it to the user application and use it there? Because it only points to someplace in memory.

  3. Another small issue: if I use XxxQueryInformationFile I should pass the FILE_NAME_INFORMATION to the function, but how can I know how much memory to allocate for the path?

You’re at the edge of a cliff and about to walk right off. You need to step
back and learn more about minifilters.

Have you tried playing with MiniSpy?

https://github.com/Microsoft/Windows-driver-samples/tree/master/filesys/miniFilter/minispy

Using it along with FileTest can be very enlightening:

http://www.zezula.net/en/fstools/filetest.html

I recommend adding a secondary volume to your system formatted with FAT.
Then ONLY attach MiniSpy to the FAT volume, add some breakpoints, and start
getting used to how things work.

HTH,

-scott
OSR
@OSRDrivers

I understand that my question is about understanding a few of the fundamentals of the minifilter.
But I believe that my questions are simply issues originating from lack of documentation.
For instance, what is a file object pointer? (question 2) Does it point to a struct which is loaded into an individual process, or is it a global pointer whose address every process can use in order to access it?
Another question was about implementation: how can I get the path without knowing its length? I have to allocate enough memory for it.
The first question also originated from lack of documentation: some pages claimed that the file object can only access the full path if it was created by a CREATE IRP, although some other pages claimed it was possible to access it no matter what IRP was used to create it. It is very confusing, so I would love it if someone could just explain those few specific issues.

Before you start with minifilters you must understand how the kernel works in
general. Start with the Windows Internals book and the kernel-mode architecture
section in MSDN:
https://docs.microsoft.com/en-us/windows-hardware/drivers/kernel/ . No fast
and easy way; you must understand the kernel environment.

On Wed, Jun 20, 2018 at 10:05 AM, xxxxx@gmail.com wrote:

> I understand that my question is about understanding a few of the
> fundamentals of the minifilter.
> But I believe that my questions are simply issues originating from lack
> of documentation.
> For instance, what is a file object pointer? (question 2) Does it point
> to a struct which is loaded into an individual process, or is it a global
> pointer whose address every process can use in order to access it?
> Another question was about implementation: how can I get the path without
> knowing its length? I have to allocate enough memory for it.
> The first question also originated from lack of documentation: some pages
> claimed that the file object can only access the full path if it was
> created by a CREATE IRP, although some other pages claimed it was possible
> to access it no matter what IRP was used to create it. It is very
> confusing, so I would love it if someone could just explain those few
> specific issues.

A File Object represents a unique open instance of a device or a child of a
device (e.g. stream, file, directory). This is not a minifilter concept,
this is a fundamental operating system concept. So, what Sergey said.

For your implementation questions, have you looked at the MiniSpy sample
yet?

-scott
OSR
@OSRDrivers
