
[Filedelete] Filename is empty

Open umarfarook882 opened this issue 5 years ago • 2 comments

Can anyone point me to why the filename is empty?

Function: https://github.com/tklengyel/drakvuf/blob/a6a6f302afbcb7535b7d9adaf0348a588152f43a/src/plugins/filedelete/filedelete.cpp#L192

Filename https://github.com/tklengyel/drakvuf/blob/a6a6f302afbcb7535b7d9adaf0348a588152f43a/src/plugins/filedelete/filedelete.cpp#L208

Reference: https://docs.microsoft.com/en-us/windows-hardware/drivers/ddi/content/wdm/ns-wdm-_file_object

[screenshot: fileextractor_filename]

umarfarook882 avatar Oct 15 '19 15:10 umarfarook882

Your best bet is to look at the WRK source code to see when the FileName string gets freed. It looks like this happens during calls to NtClose, so I would assume Windows is already closing all the resources related to that _FILE_OBJECT and the FileName string has already been freed. But that's just my guess.

tklengyel avatar Oct 21 '19 15:10 tklengyel

From MSDN:

FileName

A UNICODE_STRING structure whose Buffer member points to a read-only Unicode string that holds the name of the file opened on the volume. If the volume is being opened, the Length member of the UNICODE_STRING structure will be zero. Note that the file name in this string is valid only during the initial processing of an IRP_MJ_CREATE request. This file name should not be considered valid after the file system starts to process the IRP_MJ_CREATE request. The storage for the string pointed to by the Buffer member of the UNICODE_STRING structure is allocated in paged system memory. For more information about obtaining a file name, see FltGetFileNameInformation.

skvl avatar Nov 28 '19 16:11 skvl
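The MSDN text quoted above explains the empty string: FileName is only guaranteed while IRP_MJ_CREATE is being processed, so a read made from an NtClose hook may find Length zero or a Buffer whose paged-pool storage is already gone. The following is an added example, not DRAKVUF's own code, of a defensive reader for that field that reports "no name available" instead of emitting an empty or garbage filename. The guest memory image, the `fake_read_va` callback (standing in for a LibVMI read) and the 0x58 FileName offset are constructed or assumed for the demonstration.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>
/* _UNICODE_STRING as laid out in a 64-bit guest: byte counts, padding, then the Buffer pointer. */
typedef struct { uint16_t Length; uint16_t MaximumLength; uint32_t pad; uint64_t Buffer; } unicode_string64_t;
/* Guest memory reader; LibVMI's vmi_read_va plays this role in the real plugin. Returns 0 on success. */
typedef int (*read_va_fn)(uint64_t va, void *out, size_t len);

/* Read FileName from a _FILE_OBJECT into a malloc'd ASCII string. Returns NULL when no name is available:
 * Length zero (volume open, or string released after IRP_MJ_CREATE), bad header, or unreadable Buffer. */
char *file_object_name(read_va_fn read, uint64_t file_object, uint64_t filename_offset) {
    unicode_string64_t us;
    if (read(file_object + filename_offset, &us, sizeof us) != 0) return NULL;
    if (us.Length == 0 || (us.Length & 1) || us.Length > us.MaximumLength || us.Buffer == 0) return NULL;
    size_t nchars = us.Length / 2;
    uint16_t *wide = malloc(us.Length);
    char *name = malloc(nchars + 1);
    if (!wide || !name || read(us.Buffer, wide, us.Length) != 0) { free(wide); free(name); return NULL; }
    for (size_t i = 0; i < nchars; i++) name[i] = wide[i] < 0x80 ? (char)wide[i] : '?';  /* LE host */
    name[nchars] = '\0';
    free(wide);
    return name;
}

/* Constructed guest image for VA 0x1000-0x1FFF: three _FILE_OBJECTs at 0x1100/0x1200/0x1300 and the
 * UTF-16LE path at 0x1800. Offset 0x58 is the x64 layout (assumption; DRAKVUF takes it from the profile). */
#define FILENAME_OFF 0x58
static uint8_t guest[0x1000];

static int fake_read_va(uint64_t va, void *out, size_t len) {
    if (va < 0x1000 || va + len > 0x2000) return -1;   /* unmapped: a freed or paged-out buffer */
    memcpy(out, guest + (va - 0x1000), len);
    return 0;
}

static void build_guest_image(void) {
    static const char path[] = "\\??\\C:\\Temp\\sample.bin";
    uint16_t bytes = (uint16_t)(2 * strlen(path));
    unicode_string64_t objs[3] = {
        { bytes, bytes + 2, 0, 0x1800 },   /* live object: valid name */
        { 0, 0, 0, 0x1800 },               /* Length zero: what a read at NtClose time often sees */
        { bytes, bytes, 0, 0x9000 } };     /* stale Buffer pointing at unmapped memory */
    memset(guest, 0, sizeof guest);
    for (size_t i = 0; path[i]; i++) guest[0x800 + 2 * i] = (uint8_t)path[i];   /* ASCII -> UTF-16LE */
    for (int i = 0; i < 3; i++) memcpy(guest + 0x100 * (i + 1) + FILENAME_OFF, &objs[i], sizeof objs[i]);
}

/* 1 when reading the object at `fo` yields `expected` (NULL meaning "name not available"), else 0. */
int name_matches(uint64_t fo, const char *expected) {
    build_guest_image();
    char *name = file_object_name(fake_read_va, fo, FILENAME_OFF);
    int ok = name ? (expected && strcmp(name, expected) == 0) : (expected == NULL);
    free(name);
    return ok;
}
```

A plugin that logs the NULL case as "name unavailable" (and resolves the name from the earlier IRP_MJ_CREATE instead) avoids both the empty-filename records seen in this issue and reading from a released buffer.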