[資料]
http://m.shnenglu.com/Files/sleepwom/Windows%20File%20Filters%20Driver%20StudyII.rar看的資料是狂人的 Windows File Filter Driver II
1. NTSTATUS
??? DriverEntry(
??? IN PDRIVER_OBJECT DriverObject,
??? IN PUNICODE_STRING RegistryPath
??? );? 函數(shù)是每個驅動的入口函數(shù)
2. DriverObject?簡稱 DO
??? DriverObject 是我們所寫的驅動對應的 DriverObject, 在加載驅動時,由系統(tǒng)分配的一個對象
??? DriverObject?有一組函數(shù)指針,稱為 dispatch functions, 開發(fā)驅動的任務就是撰寫這些 dispatch function
3. RegistryPath 是專門用于記錄本驅動相關參數(shù)的注冊表路徑,也是由系統(tǒng)分配的
4. 小試牛刀
#ifdef?__cplusplus
extern?"C"
{
#endif
#include?"ntddk.h"
#ifdef?__cplusplus
}
#endif
PDEVICE_OBJECT?gSFilterControlDeviceObject;
VOID?OnUnLoad(IN?PDRIVER_OBJECT?pDriverObject)?
{
????DbgPrint(("Enter?DriverUnload\n"));
????
????IoDeleteDevice(?gSFilterControlDeviceObject?);
????DbgPrint(("Leave?DriverUnload\n"));
}
extern?"C"?NTSTATUS?
DriverEntry(
IN?PDRIVER_OBJECT??DriverObject,
IN?PUNICODE_STRING?RegistryPath)
{
????DbgPrint("Entry?DriverEntry?Function!\n");
????DriverObject->DriverUnload?=?OnUnLoad;
????//?define?a?unicode?string
????UNICODE_STRING?nameString;
????RtlInitUnicodeString(&nameString,?L"\\FileSystem\\MyFilter");
????
????//?create?a?control?driver
????NTSTATUS?status;
????status?=?IoCreateDevice(DriverObject,?
????????????????????????????0,?//?has?no?device?extension
????????????????????????????&nameString,
????????????????????????????FILE_DEVICE_DISK_FILE_SYSTEM,
????????????????????????????FILE_DEVICE_SECURE_OPEN,
????????????????????????????FALSE,
????????????????????????????&gSFilterControlDeviceObject);
????if(?!NT_SUCCESS(?status?)?)
????{
????????DbgPrint(("DriverEntry:Error?Creating?Control?Device?Object?%wZ?status?=?%08x?\n"),
?????????????????&nameString,?status);
????????return?status;
????}
????DbgPrint("Leave?DriverEntry!\n");
????return?STATUS_SUCCESS;
}?
保存為 testwdm.cpp
#
#?DO?NOT?EDIT?THIS?FILE!!!?Edit?.\sources.?If?you?want?to?add?a?new?source
#?file?to?this?component.?This?file?merely?indirects?to?the?real?make?file
#?that?is?shared?by?all?the?driver?components?of?the?Windows?NT?DDK
#
!INCLUDE?$(NTMAKEENV)\makefile.def
保存為 MAKEFILE
TARGETNAME=testwdm
TARGETPATH=.\sys
TARGETTYPE=DRIVER
SOURCES=testwdm.cpp
保存為 SOURCE
三個文件,然后就可以BUILD了
使用 DriverMonitor 加載驅動后,然后使用 WinObj.exe 查看
在 \FileSystem 下面就會多一個 MyFilter 的驅動
使用 DriverMonitor Stop Driver, 并刪除 Driver
\FileSystem 下面的 'MyFilter' 就會消失
FastIo:FastIo 是獨立于普通的IRP的分發(fā)函數(shù)之外的另一組接口,但是他們的作用是一樣的, 就是由驅動處理外部給予的請求,
而且所處理的請求也基本相同
FastIo例程返回 FALSE 表示不做任何事,這樣這些請求都會通過IRP重新發(fā)送到 普通分發(fā)函數(shù).
Q1.? NTSTATUS
???? DriverEntry(
??? IN PDRIVER_OBJECT DriverObject,
??? IN PUNICODE_STRING RegistryPath
??? );
?? 函數(shù)無疑是驅動的入口函數(shù),但操作系統(tǒng)加載驅動 至 system 線程調用 DriverEntry() 函數(shù)的過程是如何的?Q2.在本例中,IoCreateDevice() 函數(shù)創(chuàng)建的設備是什么設備?假如我想過濾某個物理設備的IRP,是不是需要使用
????? IoCreateDevice()?函數(shù)去創(chuàng)建一個設備,并綁定到物理設備上面?
Q3: FastIo 接口位于 普通的 Driver分派函數(shù)之上?系統(tǒng)會先調用 FastIo 接口再調用 Driver的分派函數(shù)?