Open umarfarook882 opened 5 years ago
Your best bet is to look at the WRK source code to see when the FileName string gets freed. It looks like this happens during calls to NtClose, so I would assume Windows is already closing all the resources related to that _FILE_OBJECT
and the FileName string has already been freed. But that's just my guess.
From MSDN:
FileName
A UNICODE_STRING structure whose Buffer member points to a read-only Unicode string that holds the name of the file opened on the volume. If the volume is being opened, the Length member of the UNICODE_STRING structure will be zero. Note that the file name in this string is valid only during the initial processing of an IRP_MJ_CREATE request. This file name should not be considered valid after the file system starts to process the IRP_MJ_CREATE request. The storage for the string pointed to by the Buffer member of the UNICODE_STRING structure is allocated in paged system memory. For more information about obtaining a file name, see FltGetFileNameInformation.
Can anyone point me to why the filename is empty?
Function: https://github.com/tklengyel/drakvuf/blob/a6a6f302afbcb7535b7d9adaf0348a588152f43a/src/plugins/filedelete/filedelete.cpp#L192
Filename: https://github.com/tklengyel/drakvuf/blob/a6a6f302afbcb7535b7d9adaf0348a588152f43a/src/plugins/filedelete/filedelete.cpp#L208
Reference: https://docs.microsoft.com/en-us/windows-hardware/drivers/ddi/content/wdm/ns-wdm-_file_object