Posted on 2010-02-18 22:51
S.l.e!ep.¢% 閱讀(1017)
評(píng)論(0) 編輯 收藏 引用 所屬分類:
Windows WDM
sfilter(一) sfilter的DriverEntry()??
?的代碼
1. 如果系統(tǒng)版本號(hào) WINVER >= 0x0501 ?則動(dòng)態(tài)加載如下的函數(shù), 并保存到 gSfDynamicFunctions?這個(gè)結(jié)構(gòu)(當(dāng)然,這個(gè)結(jié)構(gòu)是自定義的)
??? FsRtlRegisterFileSystemFilterCallbacks???? (詳見(jiàn)
sfilter(二) - 01 注冊(cè)FsFilter回調(diào)例程?)?
??? IoAttachDeviceToDeviceStackSafe?? 可以將
我們創(chuàng)建的設(shè)備對(duì)象 附加 到 目標(biāo)文件系統(tǒng)或卷的過(guò)濾設(shè)備堆棧之中,這樣發(fā)到目標(biāo)設(shè)備的IRP,都先發(fā)到我們的設(shè)備對(duì)象,實(shí)現(xiàn)過(guò)濾??? IoEnumerateDeviceObjectList
??? IoGetLowerDeviceObject
??? IoGetDeviceAttachmentBaseRef
??? IoGetDiskDeviceObject
??? IoGetAttachedDeviceReference
??? RtlGetVersion
??? (使用的函數(shù)是 MmGetSystemRoutineAddress()
它會(huì)從Ntoskrnl.exe 或 HAL 動(dòng)態(tài)獲取到函數(shù)地址)
2. 保存 DriverObject? 到 gSFilterDriverObject
(暫不知道用來(lái)干嘛...)
3. 如果系統(tǒng)版本號(hào) WINVER >= 0x0501??且?IoEnumerateDeviceObjectList 這個(gè)函數(shù)指針不為空...
??? 執(zhí)行 gSFilterDriverObject->DriverUnload = DriverUnload;?? (這里郁悶,干嘛不直接 DriverObject->DriverUnload = DriverUnload;??? ...)
4. 初始化一個(gè)資源變量 gRulesResource (使用的是 ExInitializeResourceLite() 函數(shù))ExInitializeResourceLite()
5. 初始化一個(gè)Mutex - gSfilterAttachLock (使用的是 ExInitializeFastMutex() 函數(shù))
6. 初始化 gFsCtxLookAsideList、gFileNameLookAsideList、gReadWriteCompletionCtxLookAsideList (使用的是 ExInitializeNPagedLookasideList() 函數(shù)) (不知道這三個(gè)用來(lái)放什么?)
7. 創(chuàng)建一個(gè)控制設(shè)備對(duì)象(這個(gè)對(duì)象代表這個(gè)驅(qū)動(dòng)。注意它沒(méi)有設(shè)備擴(kuò)展) (用于與應(yīng)用層通信?)
??? 路徑是 file://FileSystem//Filters//SFilterCDO
??? 如果創(chuàng)建失敗,原因是路徑不在,那么就嘗試在 file://FileSystem//SFilterCDO?下創(chuàng)建
8. DriverObject的MajorFunction? 都使用 SfPassThrough() 這個(gè)函數(shù)來(lái)過(guò)濾,而
??? (1) 下列 IRP 使用 SfCreate() 來(lái)過(guò)濾
??? IRP_MJ_CREATE
??? IRP_MJ_CREATE_NAMED_PIPE
??? IRP_MJ_CREATE_MAILSLOT?
????
??? (2) IRP_MJ_FILE_SYSTEM_CONTROL 使用 SfFsControl() 來(lái)過(guò)濾
????
?? ?(3) IRP_MJ_CLEANUP = SfCleanup;
????
??? (4)?IRP_MJ_CLOSE = SfClose;
?
??? (5) IRP_MJ_READ = SfRead;
????(6)?IRP_MJ_WRITE = SfWrite;
???
??? (7)?IRP_MJ_DIRECTORY_CONTROL = SfDirectoryControl;
?
??? (8) IRP_MJ_SET_INFORMATION = SfSetInformation;
????
9、填充 FastIoDispatch 結(jié)構(gòu),并賦給 DriverObject
???????FastIoDispatch->FastIoCheckIfPossible = SfFastIoCheckIfPossible;
?????? FastIoDispatch->FastIoRead = SfFastIoRead;
?????? FastIoDispatch->FastIoWrite = SfFastIoWrite;
?????? FastIoDispatch->FastIoQueryBasicInfo = SfFastIoQueryBasicInfo;
???????FastIoDispatch->FastIoQueryStandardInfo = SfFastIoQueryStandardInfo;
???????FastIoDispatch->FastIoLock = SfFastIoLock;
???????FastIoDispatch->FastIoUnlockSingle = SfFastIoUnlockSingle;
???????FastIoDispatch->FastIoUnlockAll = SfFastIoUnlockAll;
???????FastIoDispatch->FastIoUnlockAllByKey = SfFastIoUnlockAllByKey;
???????FastIoDispatch->FastIoDeviceControl = SfFastIoDeviceControl;
???????FastIoDispatch->FastIoDetachDevice = SfFastIoDetachDevice;
???????FastIoDispatch->FastIoQueryNetworkOpenInfo = SfFastIoQueryNetworkOpenInfo;
???????FastIoDispatch->MdlRead = SfFastIoMdlRead;
???????FastIoDispatch->MdlReadComplete = SfFastIoMdlReadComplete;
???????FastIoDispatch->PrepareMdlWrite = SfFastIoPrepareMdlWrite;
???????FastIoDispatch->MdlWriteComplete = SfFastIoMdlWriteComplete;
???????FastIoDispatch->FastIoReadCompressed = SfFastIoReadCompressed;
???????FastIoDispatch->FastIoWriteCompressed = SfFastIoWriteCompressed;
???????FastIoDispatch->MdlReadCompleteCompressed = SfFastIoMdlReadCompleteCompressed;
???????FastIoDispatch->MdlWriteCompleteCompressed = SfFastIoMdlWriteCompleteCompressed;
???????FastIoDispatch->FastIoQueryOpen = SfFastIoQueryOpen;
10、如果系統(tǒng)版本 WINVER >= 0x0501 且 RegisterFileSystemFilterCallbacks 這個(gè)函數(shù)指針不為空
??????? 那么通過(guò) RegisterFileSystemFilterCallbacks() 這個(gè)函數(shù)設(shè)置一些 callback (具體做什么還不知道。。。)
???FsFilterCallbacks.SizeOfFsFilterCallbacks = sizeof(FS_FILTER_CALLBACKS);
???FsFilterCallbacks.PreAcquireForSectionSynchronization = SfPreFsFilterPassThrough;
???FsFilterCallbacks.PostAcquireForSectionSynchronization = SfPostFsFilterPassThrough;
???FsFilterCallbacks.PreReleaseForSectionSynchronization = SfPreFsFilterPassThrough;
???FsFilterCallbacks.PostReleaseForSectionSynchronization = SfPostFsFilterPassThrough;
???FsFilterCallbacks.PreAcquireForCcFlush = SfPreFsFilterPassThrough;
???FsFilterCallbacks.PostAcquireForCcFlush = SfPostFsFilterPassThrough;
???FsFilterCallbacks.PreReleaseForCcFlush = SfPreFsFilterPassThrough;
???FsFilterCallbacks.PostReleaseForCcFlush = SfPostFsFilterPassThrough;
???FsFilterCallbacks.PreAcquireForModifiedPageWriter = SfPreFsFilterPassThrough;
???FsFilterCallbacks.PostAcquireForModifiedPageWriter = SfPostFsFilterPassThrough;
???FsFilterCallbacks.PreReleaseForModifiedPageWriter = SfPreFsFilterPassThrough;
???FsFilterCallbacks.PostReleaseForModifiedPageWriter = SfPostFsFilterPassThrough;
11、當(dāng)一個(gè)新的文件系統(tǒng)被裝入或者當(dāng)任何文件系統(tǒng)被卸載時(shí),注冊(cè)的回調(diào)函數(shù) SfFsNotification將被調(diào)用
????????通過(guò)? tatus = IoRegisterFsRegistrationChange(DriverObject, SfFsNotification); 這一句來(lái)實(shí)現(xiàn)
12、試圖附著到合適的RAW文件系統(tǒng)設(shè)備對(duì)象 \\Device\\RawDisk?和 \\Device\\RawCdRom,因?yàn)樗麄儧](méi)有被IoRegisterFsRegistrationChange枚舉
????? (通過(guò) IoGetDeviceObjectPointer() 函數(shù))
???????
13、清除控制設(shè)備對(duì)象上的初始化標(biāo)志,因?yàn)槲覀儸F(xiàn)在成功完成初始化
14、調(diào)用 IoRegisterDriverReinitialization
15、打完收工!!