Posted on 2010-02-18 22:51
S.l.e!ep.¢% 阅读(999)
评论(0) 编辑 收藏 引用 所属分类:
Windows WDM
sfilter(一) sfilter的DriverEntry()
的代码
1. 如果系统版本号 WINVER >= 0x0501 则动态加载如下的函数, 并保存到 gSfDynamicFunctions 这个结构(当然,这个结构是自定义的)
FsRtlRegisterFileSystemFilterCallbacks (详见
sfilter(二) - 01 注册FsFilter回调例程 )
IoAttachDeviceToDeviceStackSafe 可以将
我们创建的设备对象 附加 到 目标文件系统或卷的过滤设备堆栈之中,这样发到目标设备的IRP,都先发到我们的设备对象,实现过滤 IoEnumerateDeviceObjectList
IoGetLowerDeviceObject
IoGetDeviceAttachmentBaseRef
IoGetDiskDeviceObject
IoGetAttachedDeviceReference
RtlGetVersion
(使用的函数是 MmGetSystemRoutineAddress()
它会从Ntoskrnl.exe 或 HAL 动态获取到函数地址)
2. 保存 DriverObject 到 gSFilterDriverObject
(暂不知道用来干嘛...)
3. 如果系统版本号 WINVER >= 0x0501 且 IoEnumerateDeviceObjectList 这个函数指针不为空...
执行 gSFilterDriverObject->DriverUnload = DriverUnload; (这里郁闷,干嘛不直接 DriverObject->DriverUnload = DriverUnload; ...)
4. 初始化一个资源变量 gRulesResource (使用的是 ExInitializeResourceLite() 函数)ExInitializeResourceLite()
5. 初始化一个Mutex - gSfilterAttachLock (使用的是 ExInitializeFastMutex() 函数)
6. 初始化 gFsCtxLookAsideList、gFileNameLookAsideList、gReadWriteCompletionCtxLookAsideList (使用的是 ExInitializeNPagedLookasideList() 函数) (不知道这三个用来放什么?)
7. 创建一个控制设备对象(这个对象代表这个驱动。注意它没有设备扩展) (用于与应用层通信?)
路径是 file://FileSystem//Filters//SFilterCDO
如果创建失败,原因是路径不在,那么就尝试在 file://FileSystem//SFilterCDO 下创建
8. DriverObject的MajorFunction 都使用 SfPassThrough() 这个函数来过滤,而
(1) 下列 IRP 使用 SfCreate() 来过滤
IRP_MJ_CREATE
IRP_MJ_CREATE_NAMED_PIPE
IRP_MJ_CREATE_MAILSLOT
(2) IRP_MJ_FILE_SYSTEM_CONTROL 使用 SfFsControl() 来过滤
(3) IRP_MJ_CLEANUP = SfCleanup;
(4) IRP_MJ_CLOSE = SfClose;
(5) IRP_MJ_READ = SfRead;
(6) IRP_MJ_WRITE = SfWrite;
(7) IRP_MJ_DIRECTORY_CONTROL = SfDirectoryControl;
(8) IRP_MJ_SET_INFORMATION = SfSetInformation;
9、填充 FastIoDispatch 结构,并赋给 DriverObject
FastIoDispatch->FastIoCheckIfPossible = SfFastIoCheckIfPossible;
FastIoDispatch->FastIoRead = SfFastIoRead;
FastIoDispatch->FastIoWrite = SfFastIoWrite;
FastIoDispatch->FastIoQueryBasicInfo = SfFastIoQueryBasicInfo;
FastIoDispatch->FastIoQueryStandardInfo = SfFastIoQueryStandardInfo;
FastIoDispatch->FastIoLock = SfFastIoLock;
FastIoDispatch->FastIoUnlockSingle = SfFastIoUnlockSingle;
FastIoDispatch->FastIoUnlockAll = SfFastIoUnlockAll;
FastIoDispatch->FastIoUnlockAllByKey = SfFastIoUnlockAllByKey;
FastIoDispatch->FastIoDeviceControl = SfFastIoDeviceControl;
FastIoDispatch->FastIoDetachDevice = SfFastIoDetachDevice;
FastIoDispatch->FastIoQueryNetworkOpenInfo = SfFastIoQueryNetworkOpenInfo;
FastIoDispatch->MdlRead = SfFastIoMdlRead;
FastIoDispatch->MdlReadComplete = SfFastIoMdlReadComplete;
FastIoDispatch->PrepareMdlWrite = SfFastIoPrepareMdlWrite;
FastIoDispatch->MdlWriteComplete = SfFastIoMdlWriteComplete;
FastIoDispatch->FastIoReadCompressed = SfFastIoReadCompressed;
FastIoDispatch->FastIoWriteCompressed = SfFastIoWriteCompressed;
FastIoDispatch->MdlReadCompleteCompressed = SfFastIoMdlReadCompleteCompressed;
FastIoDispatch->MdlWriteCompleteCompressed = SfFastIoMdlWriteCompleteCompressed;
FastIoDispatch->FastIoQueryOpen = SfFastIoQueryOpen;
10、如果系统版本 WINVER >= 0x0501 且 RegisterFileSystemFilterCallbacks 这个函数指针不为空
那么通过 RegisterFileSystemFilterCallbacks() 这个函数设置一些 callback (具体做什么还不知道。。。)
FsFilterCallbacks.SizeOfFsFilterCallbacks = sizeof(FS_FILTER_CALLBACKS);
FsFilterCallbacks.PreAcquireForSectionSynchronization = SfPreFsFilterPassThrough;
FsFilterCallbacks.PostAcquireForSectionSynchronization = SfPostFsFilterPassThrough;
FsFilterCallbacks.PreReleaseForSectionSynchronization = SfPreFsFilterPassThrough;
FsFilterCallbacks.PostReleaseForSectionSynchronization = SfPostFsFilterPassThrough;
FsFilterCallbacks.PreAcquireForCcFlush = SfPreFsFilterPassThrough;
FsFilterCallbacks.PostAcquireForCcFlush = SfPostFsFilterPassThrough;
FsFilterCallbacks.PreReleaseForCcFlush = SfPreFsFilterPassThrough;
FsFilterCallbacks.PostReleaseForCcFlush = SfPostFsFilterPassThrough;
FsFilterCallbacks.PreAcquireForModifiedPageWriter = SfPreFsFilterPassThrough;
FsFilterCallbacks.PostAcquireForModifiedPageWriter = SfPostFsFilterPassThrough;
FsFilterCallbacks.PreReleaseForModifiedPageWriter = SfPreFsFilterPassThrough;
FsFilterCallbacks.PostReleaseForModifiedPageWriter = SfPostFsFilterPassThrough;
11、当一个新的文件系统被装入或者当任何文件系统被卸载时,注册的回调函数 SfFsNotification将被调用
通过 tatus = IoRegisterFsRegistrationChange(DriverObject, SfFsNotification); 这一句来实现
12、试图附着到合适的RAW文件系统设备对象 \\Device\\RawDisk 和 \\Device\\RawCdRom,因为他们没有被IoRegisterFsRegistrationChange枚举
(通过 IoGetDeviceObjectPointer() 函数)
13、清除控制设备对象上的初始化标志,因为我们现在成功完成初始化
14、调用 IoRegisterDriverReinitialization
15、打完收工!!