Bennie
2011-11-20 12:53:54 UTC
Hello,
I have been stuck on this a while now. I have found many suggestions
on the internet that almost work, but I have not been able to find
something that does what I need.
I am writing a driver that needs to take certain actions (such as deny
access, log the event) when certain files are accessed. To achieve
this it "hooks" functions such as ZwOpenFile. It can execute code just
before ZwOpenFile is called, as well as just after. It also has access
to the parameters in each case. A list of file names is kept
internally by the driver. On each attempt to access a file, it
searches for the file name in the internal list of files, and looks up
the appropriate action to take.
Now for the part I am stuck on. I am having trouble determining if two
strings point to the same file. For example, internally the string
\??\C:\WINDOWS\System32\event.log is kept, while \SystemRoot\event.log
is being passed as parameter to ZwOpenFile. A simple string compare
will not suffice.
I need a way to compare the string kept internally and the string
passed as parameter no matter what the format is, and to see if they
point to the same file. The method also needs to work across different
drives.
I would greatly appreciate any help in this regard.
Bennie
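Added example (not from the post): a user-mode model of the comparison the driver needs. Names that reach ZwOpenFile are object-manager paths, and drive letters and \SystemRoot are symbolic links under \?? and the root directory, so two names denote the same object once every leading link is resolved to its \Device\... target. The link table is constructed here; a real driver would query the object manager (ZwOpenSymbolicLinkObject / ZwQuerySymbolicLinkObject) and, more robustly, compare volume serial plus file index after the open completes, which also catches hard links and mount points that name resolution cannot.

```python
from typing import Dict, List

# Constructed object-manager symbolic-link table (what a typical install looks like).
SYMLINKS: Dict[str, str] = {
    r"\??\C:": r"\Device\HarddiskVolume1",
    r"\??\D:": r"\Device\HarddiskVolume2",
    r"\SystemRoot": r"\Device\HarddiskVolume1\WINDOWS",
    r"\DosDevices": r"\??",  # \DosDevices is itself a link to the \?? directory
}


def _split(path: str) -> List[str]:
    # Drop empty components so repeated '\' separators do not affect the match.
    return [c for c in path.split("\\") if c]


def canonicalize(path: str, symlinks: Dict[str, str] = SYMLINKS, max_hops: int = 32) -> str:
    """Rewrite a name as the \\Device\\... path the object manager would open.

    A Win32 drive-letter path is first placed under \\??, then leading symbolic
    links are replaced by their targets (longest prefix first) until no link
    applies. Link chains longer than max_hops are treated as a loop.
    """
    if len(path) >= 2 and path[1] == ":" and path[0].isalpha():
        path = "\\??\\" + path
    parts = _split(path)
    # Object-manager lookups are case-insensitive, so compare upper-cased components.
    links = {tuple(c.upper() for c in _split(k)): v for k, v in symlinks.items()}
    for _ in range(max_hops):
        upper = [c.upper() for c in parts]
        hit = None
        for n in range(len(parts), 0, -1):
            if tuple(upper[:n]) in links:
                hit = n
                break
        if hit is None:
            break
        parts = _split(links[tuple(upper[:hit])]) + parts[hit:]
    else:
        raise ValueError("symbolic-link loop or chain too long")
    return "\\" + "\\".join(parts)


def same_file_name(a: str, b: str) -> bool:
    """True when both names resolve to the same device path (NTFS default: case-insensitive)."""
    return canonicalize(a).upper() == canonicalize(b).upper()
```

Only the name is compared here; 8.3 short names, hard links and volume mount points still require the file-identity check mentioned in the lead-in.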