I am writing a windows minifilter driver for Win7 and later.
My goal is to capture the PathFileExists API,both in minifilter pre-callback and post-callback.
The PathFileExists API will call QueryOpen in kernel space(I found this by procmon.exe),but my minifilter driver can NOT aware the QueryOpen's operation ,so sad :K .
After much more googling work, I improve my driver code, adding the following code to the FLT_OPERATION_REGISTRATION structure.
{
IRP_MJ_QUERY_OPEN,
0,
mnflt_PreOperation,
mnflt_PostOperation
},
But.....It's still NOT work. The callback function mnflt_PreOperation and mnflt_PostOperation had not been called when the PathFileExists API running.
Do I miss something or completely NOT in the right way?
Thanks for any help that can be given!
you need use IRP_MJ_NETWORK_QUERY_OPEN instead IRP_MJ_QUERY_OPEN. so you need
{
IRP_MJ_NETWORK_QUERY_OPEN,
0,
mnflt_PreOperation,
mnflt_PostOperation
},
IRP_MJ_NETWORK_QUERY_OPENis a fast I/O operation. It is the equivalent of theFastIoQueryOpen(notFastIoQueryNetworkOpenInfo) operation.
read also Handling IRP_MJ_NETWORK_QUERY_OPEN in a Minifilter