I am writing a Windows filesystem minifilter driver that must fail I/O Request Packets (IRPs) in a preoperation callback based on their type (read/write).
How can I find out from the callback parameters (or elsewhere?) whether the operation is read-like (only reads data) or write-like (modifies data on the disk: write, delete, format, etc.)?
Here is a list of major IRP codes.
I'm thinking of something like:

    Data->Iopb->TargetFileObject->ReadAccess
    Data->Iopb->TargetFileObject->WriteAccess

But I'm not sure; I think these are available only in the postoperation callback. The documentation is really cumbersome.
Code sample for further clarification:

    FLT_PREOP_CALLBACK_STATUS
    Fail (
        __inout PFLT_CALLBACK_DATA Data,
        __in PCFLT_RELATED_OBJECTS FltObjects,
        __deref_out_opt PVOID *CompletionContext
        )
    {
        FLT_PREOP_CALLBACK_STATUS status = FLT_PREOP_SUCCESS_NO_CALLBACK;

        //********************************************************************
        if ( IS_WRITE_LIKE(Data, FltObjects) ) { // ??? HOW DO I FIND OUT ???
        //********************************************************************
            if ( FLT_IS_FASTIO_OPERATION(Data) ) {
                status = FLT_PREOP_DISALLOW_FASTIO;
            } else {
                status = FLT_PREOP_COMPLETE;
            }
            Data->IoStatus.Status = STATUS_ACCESS_DENIED;
            Data->IoStatus.Information = 0;
            return status;
        }
        return status;
    }
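
One way to fill in the `IS_WRITE_LIKE` placeholder, as an added example that is not part of the original post: classify by `Data->Iopb->MajorFunction`, and for `IRP_MJ_CREATE` by the requested access and create disposition, all of which are available in the preoperation callback. The function name `is_write_like` and its flat parameters are assumptions; the constants are redefined with their WDK header values so the logic compiles and runs in user mode.

```c
/* Added example: user-mode model of a write-like check for a minifilter
   preoperation callback. In a driver, include fltKernel.h instead of
   redefining these constants. */
#include <stdint.h>
#include <stdbool.h>

/* Major function codes (values as in wdm.h) */
enum { IRP_MJ_CREATE = 0x00, IRP_MJ_READ = 0x03, IRP_MJ_WRITE = 0x04,
       IRP_MJ_QUERY_INFORMATION = 0x05, IRP_MJ_SET_INFORMATION = 0x06,
       IRP_MJ_SET_EA = 0x08, IRP_MJ_SET_VOLUME_INFORMATION = 0x0b,
       IRP_MJ_SET_SECURITY = 0x15 };

/* Access rights that allow modification, plus one read right for contrast */
#define FILE_READ_DATA        0x00000001u
#define FILE_WRITE_DATA       0x00000002u
#define FILE_APPEND_DATA      0x00000004u
#define FILE_WRITE_EA         0x00000010u
#define FILE_WRITE_ATTRIBUTES 0x00000100u
#define DELETE                0x00010000u
#define WRITE_DAC             0x00040000u
#define WRITE_OWNER           0x00080000u
#define GENERIC_ALL           0x10000000u
#define GENERIC_WRITE         0x40000000u

/* Create dispositions (top 8 bits of Options) and one create option */
#define FILE_OPEN             0x00000001u
#define FILE_OVERWRITE_IF     0x00000005u
#define FILE_DELETE_ON_CLOSE  0x00001000u

#define WRITE_ACCESS_MASK (FILE_WRITE_DATA | FILE_APPEND_DATA | FILE_WRITE_EA | \
    FILE_WRITE_ATTRIBUTES | DELETE | WRITE_DAC | WRITE_OWNER |                  \
    GENERIC_WRITE | GENERIC_ALL)

/* major:          Data->Iopb->MajorFunction
   desired_access: Data->Iopb->Parameters.Create.SecurityContext->DesiredAccess
   create_options: Data->Iopb->Parameters.Create.Options (both create only) */
bool is_write_like(uint8_t major, uint32_t desired_access, uint32_t create_options)
{
    switch (major) {
    case IRP_MJ_WRITE: case IRP_MJ_SET_INFORMATION: case IRP_MJ_SET_EA:
    case IRP_MJ_SET_VOLUME_INFORMATION: case IRP_MJ_SET_SECURITY:
        return true;
    case IRP_MJ_CREATE: {
        uint32_t disposition = (create_options >> 24) & 0xFF;
        if (disposition != FILE_OPEN) return true;  /* may create or truncate */
        if (create_options & FILE_DELETE_ON_CLOSE) return true;
        return (desired_access & WRITE_ACCESS_MASK) != 0;
    }
    default:  /* reads and queries; FSCTL/IOCTL requests need per-code review */
        return false;
    }
}
```

Operations such as format arrive as `IRP_MJ_FILE_SYSTEM_CONTROL` or `IRP_MJ_DEVICE_CONTROL` requests, which this model treats as not write-like; a real filter has to decide those per control code.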