
Windows IRP function call for opening and saving files


I'm currently working on a minifilter driver, and I need to intercept these kinds of events:

  • Listing files inside a folder
  • Opening a file in an application
  • Closing this file
  • Modify and save the file

From what I read, I guess I need to filter IRP_MJ_CREATE, IRP_MJ_READ, IRP_MJ_WRITE, but I need something better than a guess.

How can I know precisely which IRP will be sent for each event?


Solution

    1. Listing files inside a folder: IRP_MJ_DIRECTORY_CONTROL. Check this for more information.
    2. Opening a file in an application: IRP_MJ_CREATE. Check this for more information.
    3. Closing the file: IRP_MJ_CLEANUP and IRP_MJ_CLOSE
    4. Modifying the file: IRP_MJ_WRITE, IRP_MJ_SET_INFORMATION (specifically the FileEndOfFileInformation and FileValidDataLengthInformation information classes), IRP_MJ_FILE_SYSTEM_CONTROL (specifically the FSCTL_OFFLOAD_WRITE, FSCTL_WRITE_RAW_ENCRYPTED and FSCTL_SET_ZERO_DATA fsctl codes).

    Good luck.
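
The mapping in the answer above, written as the decision a pre-operation callback would make. This is an added example, not code from the original post: `op_params`, `file_event` and `classify_op` are hypothetical names, and the constants are stand-alone copies of the WDK values so the logic can be compiled and tested outside a driver. It goes slightly beyond the answer by also checking the minor function for directory requests.

```c
#include <stdint.h>

/* Values mirror the WDK headers (wdm.h, ntifs.h); a real driver includes
   <fltKernel.h> and uses its definitions instead of these copies. */
enum { IRP_MJ_CREATE = 0x00, IRP_MJ_CLOSE = 0x02, IRP_MJ_WRITE = 0x04,
       IRP_MJ_SET_INFORMATION = 0x06, IRP_MJ_DIRECTORY_CONTROL = 0x0c,
       IRP_MJ_FILE_SYSTEM_CONTROL = 0x0d, IRP_MJ_CLEANUP = 0x12,
       IRP_MN_QUERY_DIRECTORY = 0x01 };
enum { FileEndOfFileInformation = 20, FileValidDataLengthInformation = 39 };
#define CTL_CODE(dev, fn, method, access) \
    (((uint32_t)(dev) << 16) | ((access) << 14) | ((fn) << 2) | (method))
#define FSCTL_SET_ZERO_DATA       CTL_CODE(9, 50, 0, 2) /* 9 = FILE_DEVICE_FILE_SYSTEM */
#define FSCTL_WRITE_RAW_ENCRYPTED CTL_CODE(9, 55, 3, 0)
#define FSCTL_OFFLOAD_WRITE       CTL_CODE(9, 154, 0, 2)

typedef enum { EV_OTHER, EV_LIST_DIR, EV_OPEN, EV_CLEANUP, EV_CLOSE, EV_MODIFY } file_event;

/* Hypothetical stand-in for the FLT_IO_PARAMETER_BLOCK fields a callback reads. */
typedef struct {
    uint8_t  major, minor;  /* MajorFunction, MinorFunction */
    uint32_t info_class;    /* Parameters.SetFileInformation.FileInformationClass */
    uint32_t fsctl;         /* Parameters.FileSystemControl.Common.FsControlCode */
} op_params;

file_event classify_op(const op_params *p)
{
    switch (p->major) {
    case IRP_MJ_DIRECTORY_CONTROL:  /* other minors, e.g. change notification, are not listings */
        return p->minor == IRP_MN_QUERY_DIRECTORY ? EV_LIST_DIR : EV_OTHER;
    case IRP_MJ_CREATE:  return EV_OPEN;
    case IRP_MJ_CLEANUP: return EV_CLEANUP; /* last user handle closed */
    case IRP_MJ_CLOSE:   return EV_CLOSE;   /* last reference to the file object released */
    case IRP_MJ_WRITE:   return EV_MODIFY;
    case IRP_MJ_SET_INFORMATION:            /* only size-changing classes count as modification */
        return (p->info_class == FileEndOfFileInformation ||
                p->info_class == FileValidDataLengthInformation) ? EV_MODIFY : EV_OTHER;
    case IRP_MJ_FILE_SYSTEM_CONTROL:
        switch (p->fsctl) {
        case FSCTL_OFFLOAD_WRITE: case FSCTL_WRITE_RAW_ENCRYPTED:
        case FSCTL_SET_ZERO_DATA: return EV_MODIFY;
        default:                  return EV_OTHER;
        }
    default: return EV_OTHER;
    }
}

int main(void)
{
    op_params truncate = { IRP_MJ_SET_INFORMATION, 0, FileEndOfFileInformation, 0 };
    return classify_op(&truncate) == EV_MODIFY ? 0 : 1;
}
```

In a minifilter, each major function handled here would have its own entry in the `FLT_OPERATION_REGISTRATION` array passed to `FltRegisterFilter`, and the callback would read these fields from `Data->Iopb`.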