[Carlbyte]

pBuffer = ExAllocatePoolWithTag(PagedPool, PAGE_SIZE, 0);
pMdl = IoAllocateMdl(pBuffer, PAGE_SIZE, FALSE, FALSE, NULL);
MmBuildMdlForNonPagedPool(pMdl);
pMappedFileName = (PUNICODE_STRING) MmMapLockedPagesSpecifyCache(pMdl, UserMode, MmCached, NULL, FALSE, NormalPagePriority);
ntStatus = ZWQueryVirtualMemory(ProcessHandle, BaseAddress, MemoryMappedFilenameInformation, pMappedFileName, PAGE_SIZE, &ReturnSize);

it should work ???

[Vrtule]

pBuffer = ExAllocatePoolWithTag(PagedPool, PAGE_SIZE, 0);
pMdl = IoAllocateMdl(pBuffer, PAGE_SIZE, FALSE, FALSE, NULL);
MmBuildMdlForNonPagedPool(pMdl);
pMappedFileName = (PUNICODE_STRING) MmMapLockedPagesSpecifyCache(pMdl, UserMode, MmCached, NULL, FALSE, NormalPagePriority);
ntStatus = ZWQueryVirtualMemory(ProcessHandle, BaseAddress, MemoryMappedFilenameInformation, pMappedFileName, PAGE_SIZE, &ReturnSize);

it should work ???

It should not. I see several problems here:
1) Using MmBuildMdlForNonPagedPool on a paged buffer is not a good idea. Since the buffer is paged, it can move to different place in physical memory (or even disappear to a paging file), so the MDL starts to point to a random data.
2) You are still passing a kernel buffer to the NtQueryVirtualMemory call. Have a look at the last parameter.
3) When you call a routine that can fail, you MUST verify this before continuing and expecting that it never fails.

I don't know why your approach with system threads behaves as you described because you did not show any code. Well, I don't think it is a good idea to create a system thread in a minifilter preoperation callback. If you want to perform something asynchronously, create the thread earlier (in your DriverEntry for example) and pass necessary information to it in the preoperation callback (you can use several types of synchronization primitives to do this).

[Carlbyte]

"Have a look at the last parameter."
This can be NULL. So, according to your knowledge and with the scenario, there is no chance of that call for ZWqueryvirtualmemory work?

" create the thread earlier (in your DriverEntry for example) and pass necessary information to it in the preoperation callback (you can use several types of synchronization primitives to do this)."

I'm just trying to get a better results. I have already done this by accessing LDR, but I thought about using the ZW functions.

thanks for the help

[SomeUnusedName]

Not sure if this helps, aren't you in the context of the calling process in your minifilter (no clue about mini filters, but that's what I did when I was using SSDT hooks)?

That means you can simply check for the current process, if that's all you want. Your original post sounded like this, rather than needing the exact call site.