-1

I am a beginner in driver development. I am developing a filter driver(Kernel Mode). I want to get the full path of every file which is opened. I have a file object and an IRP. I am using &pFileObject->fileName to display the path. It shows the complete path but dose not show drive letter. Kindly provide a kernel level routine which tells the drive letter. below is the code

#include "StdAfx.h"
#include "drv_common.h"
#include "ntddk.h"
#include "FsFilter.h"


///////////////////////////////////////////////////////////////////////////////////////////    ////////
// PassThrough IRP Handler

NTSTATUS FsFilterDispatchPassThrough( __in PDEVICE_OBJECT DeviceObject, __in PIRP Irp )
{
    PFSFILTER_DEVICE_EXTENSION pDevExt = (PFSFILTER_DEVICE_EXTENSION)DeviceObject-    >DeviceExtension;

    IoSkipCurrentIrpStackLocation(Irp);
    return IoCallDriver(pDevExt->AttachedToDeviceObject, Irp);
}

///////////////////////////////////////////////////////////////////////////////////////////    ////////
// IRP_MJ_CREATE IRP Handler

NTSTATUS FsFilterDispatchCreate(
    __in PDEVICE_OBJECT DeviceObject,
    __in PIRP           Irp
    )
{
    PFILE_OBJECT pFileObject = IoGetCurrentIrpStackLocation(Irp)->FileObject;

    DbgPrint("%wZ\n", &pFileObject->FileName);

    return FsFilterDispatchPassThrough(DeviceObject, Irp);
}
Muhammad Irfan
  • 735
  • 1
  • 11
  • 17

1 Answers1

1

As @sergmat suggested you can use IoVolumeDeviceToDosName routine to get the volume name. But be sure that you call that route only at PASSIVE_LEVEL, which might be what you are experiencing.

Also, using pFileObject->FileName in dispatch routine is not recommended. The memory may come from paged pool which is not accessible in DISPATCH_LEVEL or higher.

Rohan
  • 52,392
  • 12
  • 90
  • 87