Posted on 2010-02-18 22:51
S.l.e!ep.¢% 閱讀(1011)
評論(0) 編輯 收藏 引用 所屬分類:
Windows WDM
sfilter(一) sfilter的DriverEntry()??
?的代碼
1. 如果系統版本號 WINVER >= 0x0501 ?則動態加載如下的函數, 并保存到 gSfDynamicFunctions?這個結構(當然,這個結構是自定義的)
??? FsRtlRegisterFileSystemFilterCallbacks???? (詳見
sfilter(二) - 01 注冊FsFilter回調例程?)?
??? IoAttachDeviceToDeviceStackSafe?? 可以將
我們創建的設備對象 附加 到 目標文件系統或卷的過濾設備堆棧之中,這樣發到目標設備的IRP,都先發到我們的設備對象,實現過濾??? IoEnumerateDeviceObjectList
??? IoGetLowerDeviceObject
??? IoGetDeviceAttachmentBaseRef
??? IoGetDiskDeviceObject
??? IoGetAttachedDeviceReference
??? RtlGetVersion
??? (使用的函數是 MmGetSystemRoutineAddress()
它會從Ntoskrnl.exe 或 HAL 動態獲取到函數地址)
2. 保存 DriverObject? 到 gSFilterDriverObject
(暫不知道用來干嘛...)
3. 如果系統版本號 WINVER >= 0x0501??且?IoEnumerateDeviceObjectList 這個函數指針不為空...
??? 執行 gSFilterDriverObject->DriverUnload = DriverUnload;?? (這里郁悶,干嘛不直接 DriverObject->DriverUnload = DriverUnload;??? ...)
4. 初始化一個資源變量 gRulesResource (使用的是 ExInitializeResourceLite() 函數)ExInitializeResourceLite()
5. 初始化一個Mutex - gSfilterAttachLock (使用的是 ExInitializeFastMutex() 函數)
6. 初始化 gFsCtxLookAsideList、gFileNameLookAsideList、gReadWriteCompletionCtxLookAsideList (使用的是 ExInitializeNPagedLookasideList() 函數) (不知道這三個用來放什么?)
7. 創建一個控制設備對象(這個對象代表這個驅動。注意它沒有設備擴展) (用于與應用層通信?)
??? 路徑是 file://FileSystem//Filters//SFilterCDO
??? 如果創建失敗,原因是路徑不在,那么就嘗試在 file://FileSystem//SFilterCDO?下創建
8. DriverObject的MajorFunction? 都使用 SfPassThrough() 這個函數來過濾,而
??? (1) 下列 IRP 使用 SfCreate() 來過濾
??? IRP_MJ_CREATE
??? IRP_MJ_CREATE_NAMED_PIPE
??? IRP_MJ_CREATE_MAILSLOT?
????
??? (2) IRP_MJ_FILE_SYSTEM_CONTROL 使用 SfFsControl() 來過濾
????
?? ?(3) IRP_MJ_CLEANUP = SfCleanup;
????
??? (4)?IRP_MJ_CLOSE = SfClose;
?
??? (5) IRP_MJ_READ = SfRead;
????(6)?IRP_MJ_WRITE = SfWrite;
???
??? (7)?IRP_MJ_DIRECTORY_CONTROL = SfDirectoryControl;
?
??? (8) IRP_MJ_SET_INFORMATION = SfSetInformation;
????
9、填充 FastIoDispatch 結構,并賦給 DriverObject
???????FastIoDispatch->FastIoCheckIfPossible = SfFastIoCheckIfPossible;
?????? FastIoDispatch->FastIoRead = SfFastIoRead;
?????? FastIoDispatch->FastIoWrite = SfFastIoWrite;
?????? FastIoDispatch->FastIoQueryBasicInfo = SfFastIoQueryBasicInfo;
???????FastIoDispatch->FastIoQueryStandardInfo = SfFastIoQueryStandardInfo;
???????FastIoDispatch->FastIoLock = SfFastIoLock;
???????FastIoDispatch->FastIoUnlockSingle = SfFastIoUnlockSingle;
???????FastIoDispatch->FastIoUnlockAll = SfFastIoUnlockAll;
???????FastIoDispatch->FastIoUnlockAllByKey = SfFastIoUnlockAllByKey;
???????FastIoDispatch->FastIoDeviceControl = SfFastIoDeviceControl;
???????FastIoDispatch->FastIoDetachDevice = SfFastIoDetachDevice;
???????FastIoDispatch->FastIoQueryNetworkOpenInfo = SfFastIoQueryNetworkOpenInfo;
???????FastIoDispatch->MdlRead = SfFastIoMdlRead;
???????FastIoDispatch->MdlReadComplete = SfFastIoMdlReadComplete;
???????FastIoDispatch->PrepareMdlWrite = SfFastIoPrepareMdlWrite;
???????FastIoDispatch->MdlWriteComplete = SfFastIoMdlWriteComplete;
???????FastIoDispatch->FastIoReadCompressed = SfFastIoReadCompressed;
???????FastIoDispatch->FastIoWriteCompressed = SfFastIoWriteCompressed;
???????FastIoDispatch->MdlReadCompleteCompressed = SfFastIoMdlReadCompleteCompressed;
???????FastIoDispatch->MdlWriteCompleteCompressed = SfFastIoMdlWriteCompleteCompressed;
???????FastIoDispatch->FastIoQueryOpen = SfFastIoQueryOpen;
10、如果系統版本 WINVER >= 0x0501 且 RegisterFileSystemFilterCallbacks 這個函數指針不為空
??????? 那么通過 RegisterFileSystemFilterCallbacks() 這個函數設置一些 callback (具體做什么還不知道。。。)
???FsFilterCallbacks.SizeOfFsFilterCallbacks = sizeof(FS_FILTER_CALLBACKS);
???FsFilterCallbacks.PreAcquireForSectionSynchronization = SfPreFsFilterPassThrough;
???FsFilterCallbacks.PostAcquireForSectionSynchronization = SfPostFsFilterPassThrough;
???FsFilterCallbacks.PreReleaseForSectionSynchronization = SfPreFsFilterPassThrough;
???FsFilterCallbacks.PostReleaseForSectionSynchronization = SfPostFsFilterPassThrough;
???FsFilterCallbacks.PreAcquireForCcFlush = SfPreFsFilterPassThrough;
???FsFilterCallbacks.PostAcquireForCcFlush = SfPostFsFilterPassThrough;
???FsFilterCallbacks.PreReleaseForCcFlush = SfPreFsFilterPassThrough;
???FsFilterCallbacks.PostReleaseForCcFlush = SfPostFsFilterPassThrough;
???FsFilterCallbacks.PreAcquireForModifiedPageWriter = SfPreFsFilterPassThrough;
???FsFilterCallbacks.PostAcquireForModifiedPageWriter = SfPostFsFilterPassThrough;
???FsFilterCallbacks.PreReleaseForModifiedPageWriter = SfPreFsFilterPassThrough;
???FsFilterCallbacks.PostReleaseForModifiedPageWriter = SfPostFsFilterPassThrough;
11、當一個新的文件系統被裝入或者當任何文件系統被卸載時,注冊的回調函數 SfFsNotification將被調用
????????通過? tatus = IoRegisterFsRegistrationChange(DriverObject, SfFsNotification); 這一句來實現
12、試圖附著到合適的RAW文件系統設備對象 \\Device\\RawDisk?和 \\Device\\RawCdRom,因為他們沒有被IoRegisterFsRegistrationChange枚舉
????? (通過 IoGetDeviceObjectPointer() 函數)
???????
13、清除控制設備對象上的初始化標志,因為我們現在成功完成初始化
14、調用 IoRegisterDriverReinitialization
15、打完收工!!