Monitor File System with Process ID and Thread ID using minifilter

 In windows driver sample code.
we can found a minifilter driver code.
It can help us do some security work like antivirus
It's name: minispy
Compare to sfilter, sfilter is more complex
traditional file system is not so clearify and complex
minifilter is more clearify to do the work.

compile with viusal studio and install with fltmc:
fltmc install minispy

it's work now.

1. fill call back of file system minifiter
CONST FLT_OPERATION_REGISTRATION Callbacks[] = {
    { IRP_MJ_CREATE,
      0,
      SpyPreOperationCallback,
      SpyPostOperationCallback },

    // ........

    { IRP_MJ_OPERATION_END }
};

const FLT_CONTEXT_REGISTRATION Contexts[] = {

#if MINISPY_VISTA

    { FLT_TRANSACTION_CONTEXT,
      0,
      SpyDeleteTxfContext,
      sizeof(MINISPY_TRANSACTION_CONTEXT),
      'ypsM' },

#endif // MINISPY_VISTA

    { FLT_CONTEXT_END }
};

//
//  This defines what we want to filter with FltMgr
//

CONST FLT_REGISTRATION FilterRegistration = {

    sizeof(FLT_REGISTRATION),               //  Size
    FLT_REGISTRATION_VERSION,               //  Version  
#if MINISPY_WIN8
    FLTFL_REGISTRATION_SUPPORT_NPFS_MSFS,   //  Flags
#else
    0,                                      //  Flags
#endif // MINISPY_WIN8

    Contexts,                               //  Context
    Callbacks,                              //  Operation callbacks

    SpyFilterUnload,                        //  FilterUnload

    NULL,                                   //  InstanceSetup
    SpyQueryTeardown,                       //  InstanceQueryTeardown
    NULL,                                   //  InstanceTeardownStart
    NULL,                                   //  InstanceTeardownComplete

    NULL,                                   //  GenerateFileName
    NULL,                                   //  GenerateDestinationFileName
    NULL                                    //  NormalizeNameComponent

#if MINISPY_VISTA

    ,
    SpyKtmNotificationCallback              //  KTM notification callback

#endif // MINISPY_VISTA

};

and customize data structure
...
MiniSpyData.DriverObject = DriverObject;
...
most import part is fill in the DriverObject

2. Registration of file system minifilter
status = FltRegisterFilter( DriverObject,
                                    &FilterRegistration,
                                    &MiniSpyData.Filter );
3. Registration of CommunicationPort to communicate with user mode program
status = FltCreateCommunicationPort( MiniSpyData.Filter,
                                             &MiniSpyData.ServerPort,
                                             &oa,
                                             NULL,
                                             SpyConnect,
                                             SpyDisconnect,
                                             SpyMessage,
                                             1 );
4. User mode Program communicate with minifilter:
hResult = FilterSendMessage( context->Port,
                                     &commandMessage,
                                     sizeof( COMMAND_MESSAGE ),
                                     buffer,
                                     sizeof(alignedBuffer),
                                     &bytesReturned );



[1] https://docs.microsoft.com/en-us/windows-hardware/drivers/ifs/file-system-minifilter-drivers
[2] https://github.com/Microsoft/Windows-driver-samples/tree/master/filesys/miniFilter/minispy