Long description

The figure shows two parts. Part a: The Win32 CreateFile(C:\foo\bar) block points an arrow toward the NtCreateFile(\??\C:\foo\bar) block. This block points an arrow toward the OpenObjectByName(\??\C:\foo\bar) block; the arrow is labeled 1 and I/O manager. This block points an arrow toward the IopParseDevice(DeviceObject, \foo\bar) block; the arrow is labeled 3 and Object manager. This block points an arrow toward the File system filters block; the arrow is labeled 5 and IoCallDriver (a dotted block labeled IRP is placed near this arrow, and an arrow connects from it toward another dotted block labeled file object). This block points an arrow toward the NTFS NtfsCreateFile() block; the arrow is labeled 5 and IoCallDriver. One-sided upward arrows are connected to each block and labeled 8, 9, and 10. A dotted line is placed between the first and second blocks, marked user mode above the line and kernel mode below it.

Part b: An arrow labeled 2 points toward the Devices block. This block points an arrow toward the C block and the hard disk block. This block points an arrow toward SYMLINK \Devices\Harddisk1 and DEVICE OBJECT: for C: Volume.