I want to extract the contents before file write.
For example, I open "C:\test\test.txt" and write 'aaa' to it.
When I save the file, an IRP_MJ_WRITE packet is sent from user mode to the kernel.
So I wrote a minifilter that intercepts the IRP before the write operation is carried out.
Now I want to get "aaa" string on kernel level minifilter.
I can get the file name "test.txt", but I can't get the buffer contents "aaa".
This is my PFLT_PRE_OPERATION_CALLBACK callback function for IRP_MJ_WRITE.
`
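/*
 * Pre-operation callback for IRP_MJ_WRITE.
 *
 * Resolves the normalized name of the file being written and, when it
 * matches "*.TXT" (case-insensitive), prints the final path component to
 * the debugger and asks for the post-operation callback. Every other path
 * (name lookup failure, parse failure, non-matching name) lets the write
 * continue without a post-operation callback.
 *
 * data               - callback data for the write request.
 * flt_object         - related objects; not used here.
 * completion_context - always set to NULL; no context is handed to the
 *                      post-operation callback.
 *
 * Returns FLT_PREOP_SUCCESS_WITH_CALLBACK for a matching file name,
 * FLT_PREOP_SUCCESS_NO_CALLBACK otherwise.
 */
FLT_PREOP_CALLBACK_STATUS
MinifltWritePreRoutine(
    _Inout_ PFLT_CALLBACK_DATA data,
    _In_ PCFLT_RELATED_OBJECTS flt_object,
    _Out_ PVOID* completion_context
)
{
    UNREFERENCED_PARAMETER(flt_object);

    NTSTATUS status = STATUS_SUCCESS;
    PFLT_FILE_NAME_INFORMATION name_info = NULL;
    UNICODE_STRING txt_pattern;
    FLT_PREOP_CALLBACK_STATUS result = FLT_PREOP_SUCCESS_NO_CALLBACK;

    // The parameter is annotated _Out_, so it must be written on every path.
    *completion_context = NULL;

    status = FltGetFileNameInformation(data,
                                       FLT_FILE_NAME_NORMALIZED
                                       | FLT_FILE_NAME_QUERY_DEFAULT,
                                       &name_info);
    if (!NT_SUCCESS(status)) {
        return FLT_PREOP_SUCCESS_NO_CALLBACK;
    }

    status = FltParseFileNameInformation(name_info);
    if (!NT_SUCCESS(status)) {
        goto cleanup;
    }

    // With IgnoreCase == TRUE and no upcase table, the expression itself
    // has to be upper case already.
    RtlInitUnicodeString(&txt_pattern, L"*.TXT");

    // Match against the counted UNICODE_STRING directly. Rebuilding it from
    // Name.Buffer with RtlInitUnicodeString would scan for a terminating
    // NUL that a UNICODE_STRING buffer is not guaranteed to have, and could
    // read past the end of the name.
    if (!FsRtlIsNameInExpression(&txt_pattern, &name_info->Name, TRUE, NULL)) {
        goto cleanup;
    }

    // print the file name on dbgview
    KdPrint(("===== Write for [%wZ] =====\n\n", &name_info->FinalComponent));

    // NOTE(review): the data being written is described by
    // data->Iopb->Parameters.Write (WriteBuffer, MdlAddress, Length).
    // WriteBuffer can be a user-mode address, so any read of it has to go
    // through the MDL mapping (MmGetSystemAddressForMdlSafe) when MdlAddress
    // is set, or be wrapped in __try/__except otherwise. The payload is raw
    // file data: bound every access by Length, never treat it as a
    // NUL-terminated string, and keep content logging out of release builds
    // since it copies file contents into debug output.

    result = FLT_PREOP_SUCCESS_WITH_CALLBACK;

cleanup:
    // A pre-operation callback must return an FLT_PREOP_* status; the
    // non-matching path therefore ends with FLT_PREOP_SUCCESS_NO_CALLBACK
    // rather than a post-operation status value.
    FltReleaseFileNameInformation(name_info);
    return result;
}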
`
I can see "test.txt" on dbgview. But I want to see "aaa" on dbgview.
Please help me. . .