Sign Up to our social questions and Answers Engine to ask questions, answer people’s questions, and connect with other people.
Login to our social questions & Answers Engine to ask questions answer people’s questions & connect with other people.
Lost your password? Please enter your email address. You will receive a link and will create a new password via email.
Please briefly explain why you feel this question should be reported.
Please briefly explain why you feel this answer should be reported.
Please briefly explain why you feel this user should be reported.
Is there a way to hook disk writes by a specific application and get the data being written, aside from reading the data after the write or reading process memory and searching for data? It’s important for me to get the data before it can be tampered with on the disk. Thanks in advance!
Too little reputation to comment, sorry.
I would have said (to echo Raymond) mini filters would fit your requirements nicely.
Microsoft docs
FltGetRequestorProcessId should allow you to filter by process.
You will still see every request come through, just match the pid you are interested in. If it is not your process return FLT_PREOP_SUCCESS_NO_CALLBACK and you will not worry about that request again.