Dato0011
Guest
Hello
I'm trying to intercept calls to FindFirstFile/ZwQueryDirectoryFile from a specific application from a Minifilter. The goal is for the application to see a folder that doesn't exist. So if the app enumerates files and folders from an empty folder C:\Temp, that application shouldn't see that the folder is empty; instead it should see a folder in that directory (which I will provide in the output result).
Now I understand that I need to modify DirectoryBuffer or the Mdl buffer pointed to by MdlAddress. Basically I need to return one more FILE_BOTH_DIR_INFORMATION structure instance to the caller. The problem is that those buffers come with a fixed size, so I cannot add anything to them.
So my questions are:
1. What options do I have? Should I allocate larger memory from the non-paged pool and replace the DirectoryBuffer pointer in the post-operation callback (same with the Mdl)? Will the caller be able to access that memory?
2. If so, what should I do with the original buffer? Should I free it?
3. If not, how can I return a larger buffer to the caller in user mode?
Thanks
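The FILE_BOTH_DIR_INFORMATION chain the question is about, walked and sized in user-mode C as an added example (not code from the post or from any driver): it shows the fixed-size problem concretely, since the byte after the last entry, rounded up to the 8-byte alignment NextEntryOffset requires, plus the new entry must still fall inside the Length the caller supplied. The struct is redefined locally so it builds without the WDK; the "." and ".." sample buffer, the 512-byte test sizes and the 0x10 (FILE_ATTRIBUTE_DIRECTORY) value are constructed here.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>
/* Portable stand-in for ntifs.h FILE_BOTH_DIR_INFORMATION: same layout, FileName at byte 94. */
typedef struct {
    uint32_t NextEntryOffset, FileIndex;
    int64_t  CreationTime, LastAccessTime, LastWriteTime, ChangeTime, EndOfFile, AllocationSize;
    uint32_t FileAttributes, FileNameLength, EaSize;  /* FileNameLength counts UTF-16 bytes */
    int8_t   ShortNameLength;
    uint16_t ShortName[12];
    uint16_t FileName[1];
} FILE_BOTH_DIR_INFORMATION;
#define NAME_OFF  offsetof(FILE_BOTH_DIR_INFORMATION, FileName)   /* 94 */
#define ALIGN8(x) (((x) + 7u) & ~(size_t)7u)
#define ENTRY_SIZE(name_bytes) ALIGN8(NAME_OFF + (name_bytes))  /* next entry starts 8-aligned */
/* Walk the NextEntryOffset chain as the consumer does. Returns the entry count and sets *used
   to the byte after the last name; -1 if an entry leaves [0, length) or overlaps its predecessor. */
int fbdi_walk(const uint8_t *buf, size_t length, size_t *used) {
    FILE_BOTH_DIR_INFORMATION h;  /* header copy avoids unaligned reads */
    size_t off = 0, end; int n = 0;
    do {
        if (off + NAME_OFF > length) return -1;
        memcpy(&h, buf + off, NAME_OFF);
        end = off + NAME_OFF + h.FileNameLength;
        if (end > length || (h.NextEntryOffset && h.NextEntryOffset < end - off)) return -1;
        off += h.NextEntryOffset; n++;
    } while (h.NextEntryOffset);
    if (used) *used = end;
    return n;
}
/* 1 if one more entry fits behind the chain within the caller's length, 0 if the fixed-size
   buffer cannot take it in place, -1 if the chain is malformed. */
int fbdi_can_append(const uint8_t *buf, size_t length, uint32_t name_bytes) {
    size_t used;
    if (fbdi_walk(buf, length, &used) < 0) return -1;
    return ALIGN8(used) + NAME_OFF + name_bytes <= length;
}
/* Constructed sample: "." and "..", what an empty C:\Temp enumerates into (buf >= 200 bytes). */
size_t fbdi_sample(uint8_t *buf) {
    static const uint16_t names[2][2] = { { '.' }, { '.', '.' } };
    size_t off = 0;
    for (uint32_t i = 0; i < 2; i++) {
        FILE_BOTH_DIR_INFORMATION h = { .FileAttributes = 0x10 /* DIRECTORY */, .FileNameLength = 2 * (i + 1) };
        h.NextEntryOffset = i ? 0 : (uint32_t)ENTRY_SIZE(2);  /* last entry terminates the chain */
        memcpy(buf + off, &h, NAME_OFF);
        memcpy(buf + off + NAME_OFF, names[i], h.FileNameLength);
        off += ENTRY_SIZE(h.FileNameLength);
    }
    return off;  /* 96 + 104 = 200, trailing padding included */
}
```

With a 256-byte caller buffer the two sample entries end at byte 194, so a 7-character name (14 bytes) needs 308 bytes and cannot be appended in place; the same check passes at 512 bytes.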