-1

I'm currently working on a minifilter driver, and I need to intercept these kinds of events:

  • Listing files inside a folder
  • Opening a file in an application
  • Closing this file
  • Modify and save the file

From what I read, I guess I need to filter IRP_MJ_CREATE, IRP_MJ_READ, IRP_MJ_WRITE, but I need something better than a guess.

How can I know precisely which IRP will be sent for each event?

Krag
  • Use the minifilter driver to have any hope for surviving this. https://learn.microsoft.com/en-us/windows-hardware/drivers/ifs/i-o-requests-generated-by-the-minifilter-driver – Hans Passant Nov 20 '17 at 11:46

1 Answer

0
  1. Listing files inside a folder: IRP_MJ_DIRECTORY_CONTROL. Check this for more information.
  2. Opening a file in an application: IRP_MJ_CREATE. Check this for more information.
  3. Closing the file: IRP_MJ_CLEANUP and IRP_MJ_CLOSE
  4. Modifying the file: IRP_MJ_WRITE, IRP_MJ_SET_INFORMATION (specifically the FileEndOfFileInformation and FileValidDataLengthInformation information classes), IRP_MJ_FILE_SYSTEM_CONTROL (specifically the FSCTL_OFFLOAD_WRITE, FSCTL_WRITE_RAW_ENCRYPTED and FSCTL_SET_ZERO_DATA fsctl codes).

Good luck.

Gabriel Bercea
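
The mapping in the answer above, written out as the decision a pre-operation callback would make. This is an added example, not code from the answer: it is a portable C model that compiles without the WDK. The `X_`-prefixed constants are constructed mirrors of the WDK header values, and `struct io_request`, `enum file_event` and `classify` are hypothetical names.

```c
#include <stdint.h>

/* Constructed mirrors of WDK values (wdm.h / ntifs.h), prefixed X_ so this
   compiles without the WDK. A real driver uses the WDK names directly. */
enum {
    X_IRP_MJ_CREATE = 0x00, X_IRP_MJ_CLOSE = 0x02, X_IRP_MJ_WRITE = 0x04,
    X_IRP_MJ_SET_INFORMATION = 0x06, X_IRP_MJ_DIRECTORY_CONTROL = 0x0c,
    X_IRP_MJ_FILE_SYSTEM_CONTROL = 0x0d, X_IRP_MJ_CLEANUP = 0x12
};
enum { X_FileEndOfFileInformation = 20, X_FileValidDataLengthInformation = 39 };
#define X_FSCTL_SET_ZERO_DATA        0x000980C8u
#define X_FSCTL_WRITE_RAW_ENCRYPTED  0x000900DFu
#define X_FSCTL_OFFLOAD_WRITE        0x00098268u

/* Hypothetical stand-in for the fields a pre-operation callback reads from
   FLT_CALLBACK_DATA->Iopb: MajorFunction plus the per-operation parameter. */
struct io_request {
    uint8_t  major;       /* Iopb->MajorFunction */
    uint32_t info_class;  /* SetFileInformation.FileInformationClass */
    uint32_t fsctl_code;  /* FileSystemControl.Common.FsControlCode */
};

enum file_event { EV_IGNORE, EV_LIST_FOLDER, EV_OPEN, EV_HANDLE_CLOSED,
                  EV_OBJECT_RELEASED, EV_MODIFY };

enum file_event classify(const struct io_request *r)
{
    switch (r->major) {
    case X_IRP_MJ_DIRECTORY_CONTROL: return EV_LIST_FOLDER;
    case X_IRP_MJ_CREATE:            return EV_OPEN;
    case X_IRP_MJ_CLEANUP:           return EV_HANDLE_CLOSED;   /* last handle closed */
    case X_IRP_MJ_CLOSE:             return EV_OBJECT_RELEASED; /* last reference gone */
    case X_IRP_MJ_WRITE:             return EV_MODIFY;
    case X_IRP_MJ_SET_INFORMATION:   /* only the size-changing classes */
        return (r->info_class == X_FileEndOfFileInformation ||
                r->info_class == X_FileValidDataLengthInformation)
                   ? EV_MODIFY : EV_IGNORE;
    case X_IRP_MJ_FILE_SYSTEM_CONTROL: /* only the data-writing FSCTLs */
        switch (r->fsctl_code) {
        case X_FSCTL_OFFLOAD_WRITE:
        case X_FSCTL_WRITE_RAW_ENCRYPTED:
        case X_FSCTL_SET_ZERO_DATA:  return EV_MODIFY;
        default:                     return EV_IGNORE;
        }
    default:
        return EV_IGNORE;
    }
}
```
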