minifilter driver | tracking changes in files

Question

What I'm trying to achieve is to intercept every write to a file and track the changes within the file. I want to track how much different the file content before and after the write.

So far in my minifilter driver I registered to IRP_MJ_WRITE callbacks and can now intercept writes to file. However I'm still not sure how can I obtain the content of the file before [preoperation] and the content after [postoperation]. The parameters that I have within the callback functions are: PCFLT_RELATED_OBJECTS, PFLT_CALLBACK_DATA and I could not find anything related to the content of the file itself within these.

Answer 1

These are the operations that could change data in a file:

1. Modifying the file: IRP_MJ_WRITE, IRP_MJ_SET_INFORMATION ( specifically the FileEndOfFileInformation and FileValidDataLengthInformation information classes), IRP_MJ_FILE_SYSTEM_CONTROL ( specifically FSCTL_OFFLOAD_WRITE, FSCTL_WRITE_RAW_ENCRYPTED and FSCTL_SET_ZERO_DATA fsctl codes).

As for the content of the file itself that you just need to read it yourself. If you mean the buffers as they are being written for example, check this out to find out more about the parameters of IRP_MJ_WRITE in the callback data. Esentially the buffer is at Data->Iopb->Parameters.Write.WriteBuffer/MdlAddress

Make sure you handle that memory correctly otherwise it will result a BSODs.

Good luck.