I am working on a minifilter to detect file writes by some process in the PreWrite callback of IRP_MJ_WRITE. It works great when some file's content is modified. But I am not getting a PreWrite callback when the file content is modified and made zero size, i.e. select all, then clear out the content and finally save the file. It is also a kind of writing, so why am I not getting a PreWrite callback?
How to prevent file writing (clear all content & save the file)? Or what callback do we get when file content is cleared (i.e. becomes empty) and the file is saved?
As a beginner in minifilter, am I missing something or unaware of some concept?
Please guide/help me.
I will be very thankful to the Stack Overflow community.
There are 2 ways (that I know of) to empty a file (set its size to 0):

1. NtSetInformationFile with FileEndOfFileInformation. In this case the IRP_MJ_SET_INFORMATION callback will be invoked. You need to check that Data->Iopb->Parameters.SetFileInformation.FileInformationClass == FileEndOfFileInformation. In this case InfoBuffer will point to a FILE_END_OF_FILE_INFORMATION, which holds the new EndOfFile value.

2. NtCreateFile or IoCreateFile with CreateDisposition equal to FILE_OVERWRITE or FILE_OVERWRITE_IF or FILE_SUPERSEDE (in this case the file will be deleted and a new empty file created with the same name). The IRP_MJ_CREATE callback will be invoked. You need to check:

    PFLT_PARAMETERS Parameters = &Data->Iopb->Parameters;
    ULONG Options = Parameters->Create.Options;
    ULONG CreateDisposition = Options >> 24;  // high 8 bits: create disposition
    Options &= 0x00ffffff;                    // low 24 bits: create options

and check the CreateDisposition value for FILE_OVERWRITE or FILE_OVERWRITE_IF or FILE_SUPERSEDE.
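
A user-mode model of the two checks in the answer above, as an added example that is not part of the original post and is not driver code. The names op_model, op_kind, classify_op and pack_create_options are hypothetical stand-ins for the Data->Iopb fields a real pre-operation callback would read, and the constants are redefined locally with their WDK values so the block compiles without the WDK.

```c
#include <stdint.h>
#include <stdio.h>

/* Numeric values as defined in the WDK headers. */
#define IRP_MJ_CREATE            0x00
#define IRP_MJ_WRITE             0x04
#define IRP_MJ_SET_INFORMATION   0x06
#define FILE_SUPERSEDE           0u
#define FILE_OPEN                1u
#define FILE_OVERWRITE           4u
#define FILE_OVERWRITE_IF        5u
#define FileEndOfFileInformation 20u

/* Hypothetical user-mode stand-in for the fields read from Data->Iopb. */
typedef struct {
    uint8_t  major_function;   /* Iopb->MajorFunction */
    uint32_t create_options;   /* Parameters.Create.Options */
    uint32_t info_class;       /* Parameters.SetFileInformation.FileInformationClass */
    int64_t  new_end_of_file;  /* EndOfFile read from InfoBuffer */
} op_model;
typedef enum { OP_OTHER, OP_DATA_WRITE, OP_CREATE_OVERWRITES, OP_SET_EOF_ZERO } op_kind;

/* Create.Options carries the disposition in its high 8 bits, options in the low 24. */
uint32_t pack_create_options(uint32_t disposition, uint32_t options) {
    return (disposition << 24) | (options & 0x00ffffffu);
}

op_kind classify_op(const op_model *op) {
    uint32_t disposition = op->create_options >> 24;  /* only meaningful for IRP_MJ_CREATE */
    switch (op->major_function) {
    case IRP_MJ_WRITE: return OP_DATA_WRITE;
    case IRP_MJ_CREATE:
        /* If the file does not exist yet, OVERWRITE_IF and SUPERSEDE create it,
           so in pre-create this means "will empty the file if it exists". */
        return (disposition == FILE_SUPERSEDE || disposition == FILE_OVERWRITE ||
                disposition == FILE_OVERWRITE_IF) ? OP_CREATE_OVERWRITES : OP_OTHER;
    case IRP_MJ_SET_INFORMATION:
        return (op->info_class == FileEndOfFileInformation &&
                op->new_end_of_file == 0) ? OP_SET_EOF_ZERO : OP_OTHER;
    default: return OP_OTHER;
    }
}

int main(void) {
    /* Constructed sample: FILE_OVERWRITE_IF plus FILE_NON_DIRECTORY_FILE (0x40). */
    op_model save = { IRP_MJ_CREATE, pack_create_options(FILE_OVERWRITE_IF, 0x40), 0, 0 };
    printf("op kind = %d\n", (int)classify_op(&save));
    return 0;
}
```

Neither emptying path reaches the IRP_MJ_WRITE case, which is why a filter that registers only a PreWrite callback does not see the file being cleared.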