TechQA.

how can I get referenced original file name at minifilter When I did 'save as'?

195 views Asked by At

I made solution that block save & saveas by file name using minifilter driver.

save blocking is OK, but I can't block saveas by file name.

I expected to get the original name from 'PFLT_CALLBACK_DATA' or 'PFLT_CALLBACK_DATA' at IRP_MJ_WRITE.

how can I get referenced original file name at minifilter When I did 'save as'?

windows kernel minifilter filter-driver
Original Q&A
1

There are 1 answers

1
Michael Kim On BEST ANSWER

No way to get original file name directly, but you can try ways below.

  1. Track IRP_MJ_READ of original file per process.

    Once a process read your original file, the process can't not write any file until it's terminated.

  2. Moniter [Save as] Dialog in User Mode like below.

    • Find [Save as] dialog by

      HWND hWnd = ::FindWindow("#32770", "Save As");

    • Enumerate sub windows and check class name and get original file path from their window name.

      Text of window whose class name is 'ToolbarWindow32' contains a parent directory path of original file.

      Text of window whose class name is 'Edit' contains a name of original file.

    • Cancel [Save As] dialog by

      ::PostMessage(hWnd, WM_COMMAND, MAKEWPARAM(IDCANCEL, BN_CLICKED), NULL);

Related Questions in WINDOWS

Related Questions in KERNEL

Related Questions in MINIFILTER

Related Questions in FILTER-DRIVER

Popular Questions

Popular Tags

javascript python java c# php android html jquery c++ css ios sql mysql r reactjs node.js arrays c asp.net json python-3.x ruby-on-rails .net sql-server swift django angular objective-c pandas excel

Trending Questions