How to get the source path of the copied file on IRP_Create in minifilter

Question

I am trying to create a minifilter to monitor all file operation.while copying a file from one location to another I am getting a file name .but I need to find the source path and destination path. following code block is used for getting file name.

FLT_PREOP_CALLBACK_STATUS MiniPreCreate(PFLT_CALLBACK_DATA Data,PCFLT_RELATED_OBJECTS FltObjects , PVOID * CompletionContext){
PFLT_FILE_NAME_INFORMATION FileNameInfos;
NTSTATUS status;
WCHAR Name[200] = {0};
status=FltGetFileNameInformation(Data,FLT_FILE_NAME_NORMALIZED|FLT_FILE_NAME_QUERY_DEFAULT,&FileNameInfos);
if(NT_SUCCESS(status))
{
    status = FltParseFileNameInformation(FileNameInfos);
    if(NT_SUCCESS(status))
    {
        if(FileNameInfos->Name.MaximumLength<260)
        {
            RtlCopyMemory(Name,FileNameInfos->Name.Buffer,FileNameInfos->Name.MaximumLength);
            DbgPrint("Minifilter ::File Name %ws  \n",Name);

        }
    }
    FltReleaseFileNameInformation(FileNameInfos);
}
return FLT_PREOP_SUCCESS_WITH_CALLBACK;                                     
} 

Answer 1

CopyFile is not a file-system primitive function. What you will see in your filter is multiple IRP_MJ_CREATE calls for opening the source and the destination, as well as IRP_MJ_READ and IRP_MJ_WRITE for copying the data. You will likely see many more of these than you expect, even for a simple operation.