File MiniFilter Part1: Process name and ID in File Filter driver callbacks

Getting process name and process id is pretty easy in the file filter scanner callbacks.

Scanner callbacks contains a parameter PFLT_CALLBACK_DATA which has a pointer to thread which initiated the current I/O request.

Using this thread we can get process id in file filter as follows

PFLT_CALLBACK_DATA Data; //passed by file filter module
PEPROCESS objCurProcess = IoThreadToProcess( Data->Thread );
int iCurProcID    = PsGetProcessId(objCurProcess);

To get Process name

CHAR*  pStrProcessName = PsGetProcessImageFileName(objCurProcess);

 

So if you want to monitor I/O requests from some particular process you can do it on the basis of process name or process id. The following code will bypass all the subsequent File Filter Scanner callbacks from all the processes except explorer

if(_stricmp(pStrProcessName,"explorer.exe")==0 )
      return FLT_PREOP_SUCCESS_WITH_CALLBACK;
else
     return FLT_PREOP_SUCCESS_NO_CALLBACK;  // no more callbacks i.e. for postCreate, Pre/post Writes, Reads, setinfo and others.

Explore posts in the same categories: Programming

Tags: file mini filter driver, windows kernel

You can comment below, or link to this permanent URL from your own site.