2011-11-20 12:53:54 UTC
I have been stuck on this a while now. I have found many suggestions
on the internet that almost work, but I have not been able to find
something that does what I need.
I am writing a driver that needs to take certain actions (such as deny
access, log the event) when certain files are accessed. To achieve
this it "hooks" functions such as ZwOpenFile. It can execute code just
before ZwOpenFile is called, as well as just after. It also has access
to the parameters in each case. A list of file names is kept
internally by the driver. On each attempt to access a file, it
searches for the file name in the internal list of files, and looks up
the appropriate action to take.
Now for the part I am stuck on. I am having trouble determining if two
strings point to the same file. For example, internally the string
\??\C:\WINDOWS\System32\event.log is kept, while \SystemRoot\event.log is
being passed as parameter to ZwOpenFile. A simple string compare will
I need a way to compare the string kept internally and the string
passed as parameter no matter what the format is, and to see if they
point to the same file. The method also needs to work across different
I would greatly appreciate any help in this regard.
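Added illustration (not code from the original post): the reason a plain string compare fails is that NT paths reach the same object through object-manager symbolic links (\SystemRoot, \DosDevices, \??\C:) and are case-insensitive, so a name check has to canonicalize both sides before comparing. The portable C below does exactly that against a constructed link table; the table contents (e.g. \SystemRoot pointing at \??\C:\WINDOWS, C: at \Device\HarddiskVolume1) are assumptions for the demo, not values read from a real system, and a driver would instead resolve the links from the object manager at run time.

```c
#include <ctype.h>
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

#define MAX_NT_PATH    512
#define MAX_LINK_DEPTH 8   /* bound on chained links so a cyclic table cannot loop forever */

/* Constructed object-manager symbolic-link table (assumption for this example).
 * A real driver would resolve these by querying the object manager rather than
 * hard-coding them; the mapping below just mirrors a typical layout. */
typedef struct { const char *link; const char *target; } nt_link_t;

static const nt_link_t kLinks[] = {
    { "\\SystemRoot",     "\\??\\C:\\WINDOWS" },
    { "\\DosDevices",     "\\??" },
    { "\\??\\C:",         "\\Device\\HarddiskVolume1" },
    { "\\??\\GLOBALROOT", "" },   /* GLOBALROOT is a link straight to the root of the namespace */
};

/* Case-insensitive prefix match that only succeeds on a component boundary,
 * so "\SystemRoot" does not match "\SystemRootX\...". */
static bool prefix_matches(const char *path, const char *prefix) {
    size_t n = strlen(prefix);
    for (size_t i = 0; i < n; i++) {
        if (path[i] == '\0' ||
            tolower((unsigned char)path[i]) != tolower((unsigned char)prefix[i]))
            return false;
    }
    return path[n] == '\\' || path[n] == '\0';
}

/* Rewrite leading link components until the path starts at a device object.
 * Returns false if the path does not fit in the buffers. */
bool nt_path_canonicalize(const char *in, char *out, size_t outsz) {
    char cur[MAX_NT_PATH];
    if (strlen(in) >= sizeof cur) return false;
    strcpy(cur, in);

    for (int round = 0; round < MAX_LINK_DEPTH; round++) {
        bool changed = false;
        for (size_t i = 0; i < sizeof kLinks / sizeof kLinks[0]; i++) {
            if (!prefix_matches(cur, kLinks[i].link)) continue;
            char next[MAX_NT_PATH];
            int n = snprintf(next, sizeof next, "%s%s",
                             kLinks[i].target, cur + strlen(kLinks[i].link));
            if (n < 0 || (size_t)n >= sizeof next) return false;
            strcpy(cur, next);
            changed = true;
            break;   /* restart from the first link: the new prefix may itself be a link */
        }
        if (!changed) break;
    }
    if (strlen(cur) >= outsz) return false;
    strcpy(out, cur);
    return true;
}

/* NTFS and the object manager treat names case-insensitively by default. */
static bool equal_nocase(const char *a, const char *b) {
    for (; *a && *b; a++, b++)
        if (tolower((unsigned char)*a) != tolower((unsigned char)*b)) return false;
    return *a == *b;
}

/* True when both names canonicalize to the same device-relative path. */
bool nt_same_file_name(const char *a, const char *b) {
    char ca[MAX_NT_PATH], cb[MAX_NT_PATH];
    if (!nt_path_canonicalize(a, ca, sizeof ca)) return false;
    if (!nt_path_canonicalize(b, cb, sizeof cb)) return false;
    return equal_nocase(ca, cb);
}

int main(void) {
    /* Constructed inputs: the internal list entry and a few spellings a caller might pass. */
    const char *internal = "\\??\\C:\\WINDOWS\\System32\\event.log";
    const char *seen[] = {
        "\\SystemRoot\\System32\\event.log",
        "\\DosDevices\\c:\\windows\\system32\\EVENT.LOG",
        "\\??\\GLOBALROOT\\Device\\HarddiskVolume1\\WINDOWS\\System32\\event.log",
        "\\??\\D:\\WINDOWS\\System32\\event.log",
    };
    for (size_t i = 0; i < sizeof seen / sizeof seen[0]; i++) {
        printf("strcmp says %-5s canonical says %-5s  %s\n",
               strcmp(internal, seen[i]) == 0 ? "same" : "diff",
               nt_same_file_name(internal, seen[i]) ? "same" : "diff",
               seen[i]);
    }
    return 0;
}
```

Even with a correct link table, name canonicalization only catches the spellings the table knows about; hard links, junctions, 8.3 short names and mount points all give the same file a name this function will not fold together. The check that does not depend on spelling is to compare file identity after the open has succeeded (for instance the volume plus the file's index number from the file information classes), and to treat the name match as a fast pre-filter rather than the decision.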