diff --git a/GilRan/GilRan.vcxproj b/GilRan/GilRan.vcxproj
index fd4f6a3..88e908a 100644
--- a/GilRan/GilRan.vcxproj
+++ b/GilRan/GilRan.vcxproj
@@ -36,6 +36,7 @@
+
@@ -193,6 +194,7 @@
+
diff --git a/GilRan/GilRan.vcxproj.filters b/GilRan/GilRan.vcxproj.filters
index 9fb218f..d383e0d 100644
--- a/GilRan/GilRan.vcxproj.filters
+++ b/GilRan/GilRan.vcxproj.filters
@@ -30,6 +30,9 @@
Source Files
+
+ Source Files
+
@@ -40,5 +43,8 @@
Header Files
+
+ Header Files
+
\ No newline at end of file
diff --git a/GilRan/PreCreate.c b/GilRan/PreCreate.c
index 42b03df..f852ffc 100644
--- a/GilRan/PreCreate.c
+++ b/GilRan/PreCreate.c
@@ -1,4 +1,10 @@
+#include
+#include
+#include
+#include
+
#include "PreCreate.h"
+#include "Utils.h"
FLT_PREOP_CALLBACK_STATUS
PreCreate(
@@ -7,50 +13,19 @@ PreCreate(
_Flt_CompletionContext_Outptr_ PVOID *CompletionContext
)
{
- UNREFERENCED_PARAMETER(FltObjects);
UNREFERENCED_PARAMETER(CompletionContext);
NTSTATUS status;
- PFLT_FILE_NAME_INFORMATION pFileNameInformation;
- status = FltGetFileNameInformation(Data, FLT_FILE_NAME_NORMALIZED | FLT_FILE_NAME_QUERY_DEFAULT, &pFileNameInformation);
-
- UNICODE_STRING FileName, VolumeName;
- if (NT_SUCCESS(status)) {
- status = FltParseFileNameInformation(pFileNameInformation);
-
- if (NT_SUCCESS(status)) {
- FileName.Length = 0;
- FileName.MaximumLength = NTSTRSAFE_UNICODE_STRING_MAX_CCH * sizeof(WCHAR);
- FileName.Buffer = ExAllocatePoolWithTag(NonPagedPool, FileName.MaximumLength, 'FLIG');
-
- if (FileName.Buffer != NULL) {
- RtlUnicodeStringCopy(&FileName, &(pFileNameInformation->Name));
-
- VolumeName.Length = 0;
- VolumeName.MaximumLength = FltObjects->FileObject->FileName.MaximumLength + 2;
-
- ULONG BufferSizeNeeded;
- status = FltGetVolumeName(FltObjects->Volume, NULL, &BufferSizeNeeded);
-
- if (status == STATUS_BUFFER_TOO_SMALL) {
- VolumeName.MaximumLength += (USHORT)BufferSizeNeeded;
- }
-
- VolumeName.Buffer = ExAllocatePoolWithTag(NonPagedPool, VolumeName.MaximumLength, 'VLIG');
- if (VolumeName.Buffer != NULL) {
- status = FltGetVolumeName(FltObjects->Volume, &VolumeName, &BufferSizeNeeded);
-
- if (NT_SUCCESS(status)) {
- DbgPrintEx(DPFLTR_DEFAULT_ID, DPFLTR_INFO_LEVEL, "FilePath: %ws%ws\n", VolumeName.Buffer, FileName.Buffer);
- }
- ExFreePoolWithTag(VolumeName.Buffer, 'VLIG');
- }
- ExFreePoolWithTag(FileName.Buffer, 'FLIG');
- }
- }
- FltReleaseFileNameInformation(pFileNameInformation);
- }
+ WCHAR FilePath[1024], VolumeName[1024];
+
+ status = GetFilePath(Data, FilePath);
+ if (!NT_SUCCESS(status)) return FLT_PREOP_COMPLETE;
+
+ status = GetVolumeName(FltObjects, VolumeName);
+ if (!NT_SUCCESS(status)) return FLT_PREOP_COMPLETE;
+
+ DbgPrintEx(DPFLTR_DEFAULT_ID, DPFLTR_INFO_LEVEL, "FilePath: %ws%ws\n", VolumeName, FilePath);
return FLT_PREOP_SUCCESS_NO_CALLBACK;
}
\ No newline at end of file
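Review bot: Both failure paths return `FLT_PREOP_COMPLETE` without setting `Data->IoStatus.Status`, so when the path or volume lookup fails this filter completes the create itself instead of passing it down, with whatever status the callback data happens to hold. For a callback that only logs the path, a lookup failure should leave the I/O alone: `if (!NT_SUCCESS(status)) return FLT_PREOP_SUCCESS_NO_CALLBACK;` on both checks. Separately, `WCHAR FilePath[1024], VolumeName[1024];` places 4 KB on the kernel stack in a path that runs for every create, and neither helper is told that size. Pool-backed buffers or an explicit length argument would be safer. PreCreate's signature begins above this hunk.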
diff --git a/GilRan/PreCreate.h b/GilRan/PreCreate.h
index 86438d8..3b602ff 100644
--- a/GilRan/PreCreate.h
+++ b/GilRan/PreCreate.h
@@ -1,9 +1,4 @@
#pragma once
-#include
-#include
-#include
-#include
-
FLT_PREOP_CALLBACK_STATUS
PreCreate(
_Inout_ PFLT_CALLBACK_DATA Data,
diff --git a/GilRan/Utils.c b/GilRan/Utils.c
new file mode 100644
index 0000000..fa21873
--- /dev/null
+++ b/GilRan/Utils.c
@@ -0,0 +1,54 @@
+#include
+#include
+#include
+#include
+#include "Utils.h"
+
+NTSTATUS GetFilePath(
+ _In_ PFLT_CALLBACK_DATA Data,
+ _Out_ PWCHAR pFilePath
+)
+{
+ PFLT_FILE_NAME_INFORMATION pFileNameInformation;
+ NTSTATUS status = FltGetFileNameInformation(Data, FLT_FILE_NAME_NORMALIZED | FLT_FILE_NAME_QUERY_DEFAULT, &pFileNameInformation);
+ if (!NT_SUCCESS(status)) return status;
+
+ status = FltParseFileNameInformation(pFileNameInformation);
+ if (!NT_SUCCESS(status)) return status;
+
+ wcscpy_s(pFilePath, pFileNameInformation->ParentDir.Length, pFileNameInformation->ParentDir.Buffer);
+
+ FltReleaseFileNameInformation(pFileNameInformation);
+
+ return STATUS_SUCCESS;
+}
+
+NTSTATUS GetVolumeName(
+ _In_ PCFLT_RELATED_OBJECTS FltObjects,
+ _Out_ PWCHAR pVolumeName
+)
+{
+ NTSTATUS status;
+
+ UNICODE_STRING VolumeName;
+ VolumeName.Length = 0;
+ VolumeName.MaximumLength = FltObjects->FileObject->FileName.MaximumLength + 2;
+
+ ULONG szBufferNeeded;
+ status = FltGetVolumeName(FltObjects->Volume, NULL, &szBufferNeeded);
+
+ if (status == STATUS_BUFFER_TOO_SMALL) {
+ VolumeName.MaximumLength += (USHORT)szBufferNeeded;
+ }
+
+ VolumeName.Buffer = ExAllocatePoolWithTag(NonPagedPool, VolumeName.MaximumLength, 'vLIG');
+ if (VolumeName.Buffer == NULL) return STATUS_UNSUCCESSFUL;
+
+ status = FltGetVolumeName(FltObjects->Volume, &VolumeName, &szBufferNeeded);
+ if (NT_SUCCESS(status)) {
+ wcscpy_s(pVolumeName, VolumeName.Length, VolumeName.Buffer);
+ }
+
+ ExFreePoolWithTag(VolumeName.Buffer, 'vLIG');
+ return status;
+}
\ No newline at end of file
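Review bot: The `wcscpy_s` calls in GetFilePath and GetVolumeName pass the source's `Length` (a byte count) as the destination size, so the copy is not bounded by the caller's buffer, and it also relies on a NUL terminator that a UNICODE_STRING buffer is not guaranteed to have. Because the path is chosen by whoever opens the file, a long enough name can write past the 1024-WCHAR stack arrays PreCreate passes in; both helpers should take the destination size and copy with a counted routine such as `RtlStringCbCopyUnicodeString`. GetFilePath also returns without `FltReleaseFileNameInformation` when `FltParseFileNameInformation` fails, leaking the reference. In GetVolumeName the `(USHORT)szBufferNeeded` addition can wrap, and a failed allocation would read better as `STATUS_INSUFFICIENT_RESOURCES`. The prototypes in Utils.h and the two call sites in PreCreate.c change along with the added size parameter.

```c
NTSTATUS GetFilePath(
    _In_ PFLT_CALLBACK_DATA Data,
    _Out_writes_bytes_(cbFilePath) PWCHAR pFilePath,
    _In_ size_t cbFilePath
)
{
    // … unchanged: FltGetFileNameInformation call and its status check …

    status = FltParseFileNameInformation(pFileNameInformation);
    if (NT_SUCCESS(status)) {
        // Bounded by the destination size; does not depend on ParentDir being NUL-terminated.
        status = RtlStringCbCopyUnicodeString(pFilePath, cbFilePath, &pFileNameInformation->ParentDir);
    }

    // Released on every path once the lookup has succeeded.
    FltReleaseFileNameInformation(pFileNameInformation);
    return status;
}
```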
diff --git a/GilRan/Utils.h b/GilRan/Utils.h
new file mode 100644
index 0000000..66cbfdc
--- /dev/null
+++ b/GilRan/Utils.h
@@ -0,0 +1,10 @@
+#pragma once
+NTSTATUS GetFilePath(
+ _In_ PFLT_CALLBACK_DATA Data,
+ _Out_ PWCHAR pFilePath
+);
+
+NTSTATUS GetVolumeName(
+ _In_ PCFLT_RELATED_OBJECTS FltObjects,
+ _Out_ PWCHAR pVolumeName
+);
\ No newline at end of file
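Review bot: Utils.h uses `NTSTATUS`, `PFLT_CALLBACK_DATA` and `PCFLT_RELATED_OBJECTS` without including anything, so it only compiles when the including file has already pulled in the filter-manager headers. Making the header self-contained, e.g. with `#include <fltKernel.h>` at the top, removes that dependency on include order. Each prototype would also benefit from a short comment stating the output buffer contract, such as `/* pFilePath: caller-supplied buffer; required capacity in WCHARs is ... */`, since nothing in the declaration currently says how large the buffer must be.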