How to filter read calls using minifilter driver?

I'm completely new to minifilter drivers. In fact, new to Windows development as such. I want to create a minifilter driver, attach it to one of my local disks (say, the D drive) and filter the READ calls coming from the files in that drive.

After so much effort, I somehow installed Visual Studio 2013 and then installed WDK 8. Then I took the minispy example. After changing some settings for that project, I was able to successfully build the project.

The problem is, whenever I run minispy.exe, it is filtering only the IRP_MJ_CREATE calls and logging it either on the terminal or in a file. I couldn't find any place in the code where it is mentioned to filter only the IRP_MJ_CREATE calls.

It will be really useful if someone can help in coming up with a minifilter for filtering out the IRP_MJ_CREATE calls from one particular drive.

Thanks in advance!



Solution 1:[1]

In the minispy sample code, the file RegistrationData.c defines a callback structure that tells filter manager what to call for what operations. For minispy, this is set to call SpyPreOperationCallback for every pre-operation, including IRP_MJ_CREATE.

It should be logging much more than just the create operations. Perhaps it's not attached to the volume you're interested in?

If you want to filter only calls from one drive, there are a few ways you can do that. You can only attach your filter to the drives you are interested in (see the fltmc attach command-line options). You can also code your filter to attach automatically to certain volumes, and you could also do the filtering yourself by getting the file name with FltGetFileNameInformation and deciding whether or not to log it.

Which is right for you will very much depend on how you want to use it.
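The following is an added example written for this page; it is not code from the minispy sample or from the answer's author. It shows the two pieces the answer describes: an operation registration table that asks filter manager for a pre-operation callback on IRP_MJ_READ only (instead of every major function), and a callback that uses FltGetFileNameInformation to log only reads whose normalized name sits under one volume. The volume device name \Device\HarddiskVolume2, the guard macro READFILTER_KERNEL, and the function names ReadPreOperation, ShouldLogRead and NameHasPrefix are assumptions made for the example. The name-matching helper is plain C so it can be compiled and tested in user mode; the kernel-only parts (which need fltKernel.h and the rest of a minifilter's DriverEntry/FltRegisterFilter setup, as in minispy) are compiled only when READFILTER_KERNEL is defined in the driver project.

```c
/* Added example: filtering IRP_MJ_READ by volume path inside a minifilter.
 * Not the minispy sample's code. Define READFILTER_KERNEL (hypothetical
 * macro) in the driver project to compile the kernel-mode parts. */
#include <stddef.h>
#ifndef READFILTER_KERNEL
#include <wchar.h>
#endif

/* ASCII-only case fold. Device paths such as \Device\HarddiskVolume2\ are
 * ASCII, and this avoids CRT calls that are unavailable in kernel mode.
 * In a real driver RtlPrefixUnicodeString(&prefix, &name, TRUE) does the
 * same job on UNICODE_STRINGs. */
static wchar_t FoldAscii(wchar_t c)
{
    return (c >= L'a' && c <= L'z') ? (wchar_t)(c - (L'a' - L'A')) : c;
}

/* Case-insensitive prefix test on a counted string (not NUL-terminated,
 * like UNICODE_STRING.Buffer with Length / sizeof(WCHAR) characters). */
static int NameHasPrefix(const wchar_t *name, size_t nameChars,
                         const wchar_t *prefix)
{
    size_t i;
    for (i = 0; prefix[i] != L'\0'; i++) {
        if (i >= nameChars) return 0;                 /* name shorter than prefix */
        if (FoldAscii(name[i]) != FoldAscii(prefix[i])) return 0;
    }
    return 1;
}

/* Decision used by the pre-read callback: log only files whose normalized
 * name lies under volumePrefix. Keep the trailing backslash on the prefix so
 * \Device\HarddiskVolume2\ does not also match \Device\HarddiskVolume20\. */
int ShouldLogRead(const wchar_t *name, size_t nameChars,
                  const wchar_t *volumePrefix)
{
    return NameHasPrefix(name, nameChars, volumePrefix);
}

#ifdef READFILTER_KERNEL
#include <fltKernel.h>

/* Assumed device name for the D: volume; look up the real one with
 * `fltmc volumes` or `mountvol` on the target machine. */
static const wchar_t *g_VolumePrefix = L"\\Device\\HarddiskVolume2\\";

static FLT_PREOP_CALLBACK_STATUS FLTAPI
ReadPreOperation(PFLT_CALLBACK_DATA Data, PCFLT_RELATED_OBJECTS FltObjects,
                 PVOID *CompletionContext)
{
    PFLT_FILE_NAME_INFORMATION nameInfo = NULL;
    NTSTATUS status;
    UNREFERENCED_PARAMETER(FltObjects);
    UNREFERENCED_PARAMETER(CompletionContext);

    /* Paging reads arrive with file-system locks held; skip name lookups there. */
    if (FlagOn(Data->Iopb->IrpFlags, IRP_PAGING_IO))
        return FLT_PREOP_SUCCESS_NO_CALLBACK;

    status = FltGetFileNameInformation(Data,
                 FLT_FILE_NAME_NORMALIZED | FLT_FILE_NAME_QUERY_DEFAULT,
                 &nameInfo);
    if (!NT_SUCCESS(status))
        return FLT_PREOP_SUCCESS_NO_CALLBACK;   /* no name: let the read through */

    if (ShouldLogRead(nameInfo->Name.Buffer,
                      nameInfo->Name.Length / sizeof(WCHAR), g_VolumePrefix)) {
        DbgPrint("[readfilter] READ %wZ offset=%I64d len=%lu\n",
                 &nameInfo->Name,
                 Data->Iopb->Parameters.Read.ByteOffset.QuadPart,
                 Data->Iopb->Parameters.Read.Length);
    }
    FltReleaseFileNameInformation(nameInfo);
    return FLT_PREOP_SUCCESS_NO_CALLBACK;      /* observe only, never block */
}

/* Registration table: only IRP_MJ_READ gets a callback. minispy's table
 * lists every major function, which is why it logs creates and more. */
const FLT_OPERATION_REGISTRATION Callbacks[] = {
    { IRP_MJ_READ, 0, ReadPreOperation, NULL },
    { IRP_MJ_OPERATION_END }
};
#endif
```

Attaching to one volume and filtering by name are complementary: restricting the registration table keeps every other operation off the filter's hot path, while the name check inside the callback is what lets a filter that is attached to several volumes log only the one you care about.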

Sources

This article follows the attribution requirements of Stack Overflow and is licensed under CC BY-SA 3.0.

Source: Stack Overflow

Solution source: Solution 1 by lordjeb