How to attach a minifilter to newly mounted USB drives?

Discussion in 'Windows Vista Drivers' started by Rasuka, Oct 18, 2005.

  1. Rasuka

    Rasuka Guest

    Hi,

    I'm developing a minifilter that logs certain activities on attached
    volumes. So far it's working fine if I manually attach it to C:, D:,
    or any other drive from fltmc, but I don't know how to do the same
    thing automatically... I want to detect newly mounted USB drives and
    then attach the minifilter to them.

    I've tried to do this by creating a post IRP_MJ_FILE_SYSTEM_CONTROL
    callback function that queries the name string for the RealDevice in
    PFLT_CALLBACK_DATA, but no luck. Although I can see several
    IRP_MJ_FILE_SYSTEM_CONTROLs being received when I plug in a USB thumb
    drive, the following code returns the device name for C:
    (\Device\HarddiskVolume1), not the one for the USB drive mounted
    (\Device\Harddisk1\DP(1)0-0+3).

    The minifilter is attached to C:.

    -----
    FLT_POSTOP_CALLBACK_STATUS
    PostMount(IN OUT PFLT_CALLBACK_DATA Data,
              IN PCFLT_RELATED_OBJECTS FltObjects,
              IN PVOID CompletionContext,
              IN FLT_POST_OPERATION_FLAGS Flags)
    {
        .....
        /* Query the object name of the device behind the target file object's VPB */
        status = ObQueryNameString(Data->Iopb->TargetFileObject->Vpb->RealDevice,
                                   pNameInfo, sizeof(nameInfo2), &nLength);
        if (!NT_SUCCESS(status)) {
            DbgPrint("[HideFilter] Failed to ObQueryNameString(): 0x%08X\n", status);
            return FLT_POSTOP_FINISHED_PROCESSING;
        }
        DbgPrint("[HideFilter] IRP_MJ_FILE_SYSTEM_CONTROL Device Name: %wZ\n",
                 &pNameInfo->Name);
    -----

    Could anyone give pointers?

    Thanks in advance.

    Rasuka
     
    Rasuka, Oct 18, 2005
    #1