2012年7月5日星期四

minifilter.c


/*
最简单的minifilter.
修改自wdk的nullFilter.c.
安装的办法可以用.inf 
也可以编程操作注册表的办法,但我还没有实现.
*/
#include <fltKernel.h>
// Opaque filter handle. DriverEntry has FltRegisterFilter write it, and
// NullUnload passes it to FltUnregisterFilter.
PFLT_FILTER FilterHandle;
// Unload callback referenced from FilterRegistration.
//
// The original author notes that this routine is optional. Without an unload
// callback the Filter Manager will not unload the minifilter on request, so it
// is kept here to let the driver be stopped.
//
// Flags is not inspected. Always returns STATUS_SUCCESS.
NTSTATUS
NullUnload (
    __in FLT_FILTER_UNLOAD_FLAGS Flags
    )
{
    UNREFERENCED_PARAMETER( Flags );

    // Trace marker so that a stop request (net stop / sc stop / fltmc) can be
    // confirmed in the debugger output.
    DbgPrint("minifilter stop");

    // Release the registration created in DriverEntry.
    FltUnregisterFilter( FilterHandle );

    return STATUS_SUCCESS;
}
// Registration record handed to FltRegisterFilter by DriverEntry. The unload
// routine is the only callback supplied; with no operation callbacks the
// filter registers but intercepts no I/O.
FLT_REGISTRATION FilterRegistration = {
    sizeof(FLT_REGISTRATION),   // Size
    FLT_REGISTRATION_VERSION,   // Version
    0,                          // Flags
    0,                          // context registration: none
    0,                          // operation callbacks: none
    NullUnload,                 // filter unload callback
    0,                          // instance setup: none
    0,                          // instance query teardown: none
    0,                          // instance teardown start: none
    0,                          // instance teardown complete: none
    0,                          // remaining name-provider slots: none
    0,
    0
};
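// Driver entry point: registers the minifilter with the Filter Manager and
// starts filtering.
//
// DriverObject  - driver object created by the system for this driver.
// RegistryPath  - service key path; not used by this routine.
//
// Returns the status of FltRegisterFilter if registration fails, otherwise
// the status of FltStartFiltering.
//
// Both calls are checked. The original ignored them and always returned 0,
// so a failed registration would pass an unset FilterHandle to
// FltStartFiltering and report success to the loader. In kernel mode that
// ends in a bugcheck rather than a clean load failure.
NTSTATUS DriverEntry (__in PDRIVER_OBJECT DriverObject,__in PUNICODE_STRING RegistryPath)
{
    NTSTATUS status;

    UNREFERENCED_PARAMETER( RegistryPath );

    // Trace marker so that a start request (net start / sc start / fltmc)
    // can be confirmed in the debugger output.
    DbgPrint("minifilter entry");

    status = FltRegisterFilter( DriverObject,&FilterRegistration,&FilterHandle );
    if (!NT_SUCCESS( status ))
    {
        // Nothing was registered, so there is nothing to undo.
        return status;
    }

    status = FltStartFiltering( FilterHandle );
    if (!NT_SUCCESS( status ))
    {
        // Undo the registration so a failed load leaves no filter behind.
        FltUnregisterFilter( FilterHandle );
    }

    return status;
}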
//made at 2012.05.20
/////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////
//下面的精简自wdk的passThrough.c
#include <fltKernel.h>
// Opaque filter handle: written by FltRegisterFilter in DriverEntry and
// released by FltUnregisterFilter in PtUnload.
PFLT_FILTER gFilterHandle;
// Counter whose incremented value PtPreOperationPassThrough passes to
// FltRequestOperationStatusCallback as the requester context.
ULONG_PTR OperationStatusCtx = 1;
// Bitmask of enabled trace levels. With the value 1, the level-1 "Entered"
// messages are printed and the level-2 messages are suppressed.
// NOTE(review): level 1 emits one DbgPrint per intercepted operation, which is
// noisy outside a debugging session; set to 0 to silence.
ULONG gTraceFlags = 1;
// Calls DbgPrint with the parenthesised argument list _string when the
// _dbgLevel bit is set in gTraceFlags; otherwise the expression is 0 and the
// arguments are not evaluated.
#define PT_DBG_PRINT( _dbgLevel, _string )          (FlagOn(gTraceFlags,(_dbgLevel)) ?  DbgPrint _string :  ((int)0))
// Callback handed to FltRequestOperationStatusCallback by
// PtPreOperationPassThrough. It only traces: at level 2 it prints the final
// status, the requester context and the major/minor function of the operation.
//
// FltObjects         - not used.
// ParameterSnapshot  - parameter block the major/minor codes are read from.
// OperationStatus    - status reported for the operation.
// RequesterContext   - value supplied when the callback was requested.
VOID
PtOperationStatusCallback (
    __in PCFLT_RELATED_OBJECTS FltObjects,
    __in PFLT_IO_PARAMETER_BLOCK ParameterSnapshot,
    __in NTSTATUS OperationStatus,
    __in PVOID RequesterContext
    )
{
    UCHAR majorCode = ParameterSnapshot->MajorFunction;
    UCHAR minorCode = ParameterSnapshot->MinorFunction;

    UNREFERENCED_PARAMETER( FltObjects );

    PT_DBG_PRINT( 1,("PassThrough!PtOperationStatusCallback: Entered\n") );

    // FltGetIrpName stays inside the macro so it is only called when level-2
    // tracing is enabled.
    PT_DBG_PRINT( 2,("PassThrough!PtOperationStatusCallback: Status=%08x ctx=%p IrpMj=%02x.%02x \"%s\"\n",
        OperationStatus,
        RequesterContext,
        majorCode,
        minorCode,
        FltGetIrpName(majorCode)) );
}
// Decides whether PtPreOperationPassThrough should request an operation
// status callback for this operation.
//
// Returns TRUE for the four oplock-request FSCTLs and for directory
// change-notification requests, FALSE for everything else.
BOOLEAN PtDoRequestOperationStatus(__in PFLT_CALLBACK_DATA Data)
{
    PFLT_IO_PARAMETER_BLOCK params = Data->Iopb;

    if (params->MajorFunction == IRP_MJ_FILE_SYSTEM_CONTROL)
    {
        // The FsControlCode member is only read for file-system-control requests.
        switch (params->Parameters.FileSystemControl.Common.FsControlCode)
        {
        case FSCTL_REQUEST_FILTER_OPLOCK:
        case FSCTL_REQUEST_BATCH_OPLOCK:
        case FSCTL_REQUEST_OPLOCK_LEVEL_1:
        case FSCTL_REQUEST_OPLOCK_LEVEL_2:
            return TRUE;

        default:
            return FALSE;
        }
    }

    if (params->MajorFunction == IRP_MJ_DIRECTORY_CONTROL)
    {
        return (BOOLEAN)(params->MinorFunction == IRP_MN_NOTIFY_CHANGE_DIRECTORY);
    }

    return FALSE;
}
// Pre-operation callback shared by almost every entry in Callbacks[].
// It neither modifies nor blocks the operation. For the requests selected by
// PtDoRequestOperationStatus it also asks for a status callback.
//
// Always returns FLT_PREOP_SUCCESS_WITH_CALLBACK, so the post-operation
// callback runs for every operation that reaches this routine.
FLT_PREOP_CALLBACK_STATUS
PtPreOperationPassThrough (
    __inout PFLT_CALLBACK_DATA Data,
    __in PCFLT_RELATED_OBJECTS FltObjects,
    __deref_out_opt PVOID *CompletionContext
    )
{
    NTSTATUS status;

    UNREFERENCED_PARAMETER( FltObjects );
    UNREFERENCED_PARAMETER( CompletionContext );

    PT_DBG_PRINT( 1,("PassThrough!PtPreOperationPassThrough: Entered\n") );

    if (!PtDoRequestOperationStatus( Data ))
    {
        return FLT_PREOP_SUCCESS_WITH_CALLBACK;
    }

    // NOTE(review): the pre-increment of the global counter is not interlocked.
    // The value is only printed by PtOperationStatusCallback, so duplicates
    // look harmless - confirm before relying on it as a unique id.
    status = FltRequestOperationStatusCallback( Data,PtOperationStatusCallback,(PVOID)(++OperationStatusCtx) );
    if (!NT_SUCCESS(status))
    {
        // A failed request is traced only; the operation still proceeds.
        PT_DBG_PRINT( 2,("PassThrough!PtPreOperationPassThrough: FltRequestOperationStatusCallback Failed, status=%08x\n",status) );
    }

    return FLT_PREOP_SUCCESS_WITH_CALLBACK;
}
// Post-operation callback paired with PtPreOperationPassThrough.
// It traces entry and completes immediately; none of its arguments are read.
//
// Always returns FLT_POSTOP_FINISHED_PROCESSING.
FLT_POSTOP_CALLBACK_STATUS
PtPostOperationPassThrough (
    __inout PFLT_CALLBACK_DATA Data,
    __in PCFLT_RELATED_OBJECTS FltObjects,
    __in_opt PVOID CompletionContext,
    __in FLT_POST_OPERATION_FLAGS Flags
    )
{
    UNREFERENCED_PARAMETER( Data );
    UNREFERENCED_PARAMETER( FltObjects );
    UNREFERENCED_PARAMETER( CompletionContext );
    UNREFERENCED_PARAMETER( Flags );

    PT_DBG_PRINT( 1,("PassThrough!PtPostOperationPassThrough: Entered\n") );

    return FLT_POSTOP_FINISHED_PROCESSING;
}
// Pre-operation callback for operations registered without a post-operation
// routine (IRP_MJ_SHUTDOWN in Callbacks[]). It traces entry and reads none of
// its arguments.
//
// Always returns FLT_PREOP_SUCCESS_NO_CALLBACK.
FLT_PREOP_CALLBACK_STATUS
PtPreOperationNoPostOperationPassThrough (
    __inout PFLT_CALLBACK_DATA Data,
    __in PCFLT_RELATED_OBJECTS FltObjects,
    __deref_out_opt PVOID *CompletionContext
    )
{
    UNREFERENCED_PARAMETER( Data );
    UNREFERENCED_PARAMETER( FltObjects );
    UNREFERENCED_PARAMETER( CompletionContext );

    PT_DBG_PRINT( 1,("PassThrough!PtPreOperationNoPostOperationPassThrough: Entered\n") );

    return FLT_PREOP_SUCCESS_NO_CALLBACK;
}
// Operation registration table referenced from FilterRegistration.
// Each row is { major function, flags, pre-operation callback, post-operation
// callback }; the table is terminated by IRP_MJ_OPERATION_END.
// Every listed operation goes to the pass-through pair, which in this listing
// only traces and never alters or blocks I/O.
CONST FLT_OPERATION_REGISTRATION Callbacks[] = {// Only the IRP_MJ_SHUTDOWN row differs from the rest.
    { IRP_MJ_CREATE, 0, PtPreOperationPassThrough, PtPostOperationPassThrough },
    { IRP_MJ_CREATE_NAMED_PIPE, 0, PtPreOperationPassThrough, PtPostOperationPassThrough },
    { IRP_MJ_CLOSE, 0, PtPreOperationPassThrough, PtPostOperationPassThrough },
    { IRP_MJ_READ, 0, PtPreOperationPassThrough, PtPostOperationPassThrough },
    { IRP_MJ_WRITE, 0, PtPreOperationPassThrough, PtPostOperationPassThrough },
    { IRP_MJ_QUERY_INFORMATION, 0, PtPreOperationPassThrough, PtPostOperationPassThrough },
    { IRP_MJ_SET_INFORMATION, 0, PtPreOperationPassThrough, PtPostOperationPassThrough },
    { IRP_MJ_QUERY_EA, 0, PtPreOperationPassThrough, PtPostOperationPassThrough },
    { IRP_MJ_SET_EA, 0, PtPreOperationPassThrough, PtPostOperationPassThrough },
    { IRP_MJ_FLUSH_BUFFERS, 0, PtPreOperationPassThrough, PtPostOperationPassThrough },
    { IRP_MJ_QUERY_VOLUME_INFORMATION, 0, PtPreOperationPassThrough, PtPostOperationPassThrough },
    { IRP_MJ_SET_VOLUME_INFORMATION, 0, PtPreOperationPassThrough, PtPostOperationPassThrough },
    { IRP_MJ_DIRECTORY_CONTROL, 0, PtPreOperationPassThrough, PtPostOperationPassThrough },
    { IRP_MJ_FILE_SYSTEM_CONTROL, 0, PtPreOperationPassThrough, PtPostOperationPassThrough },
    { IRP_MJ_DEVICE_CONTROL, 0, PtPreOperationPassThrough, PtPostOperationPassThrough },
    { IRP_MJ_INTERNAL_DEVICE_CONTROL, 0, PtPreOperationPassThrough, PtPostOperationPassThrough },
    { IRP_MJ_SHUTDOWN, 0, PtPreOperationNoPostOperationPassThrough, NULL },   //post operations not supported
    { IRP_MJ_LOCK_CONTROL, 0, PtPreOperationPassThrough, PtPostOperationPassThrough },
    { IRP_MJ_CLEANUP, 0, PtPreOperationPassThrough, PtPostOperationPassThrough },
    { IRP_MJ_CREATE_MAILSLOT, 0, PtPreOperationPassThrough, PtPostOperationPassThrough },
    { IRP_MJ_QUERY_SECURITY, 0, PtPreOperationPassThrough,  PtPostOperationPassThrough },
    { IRP_MJ_SET_SECURITY, 0, PtPreOperationPassThrough,  PtPostOperationPassThrough },
    { IRP_MJ_QUERY_QUOTA, 0, PtPreOperationPassThrough, PtPostOperationPassThrough },
    { IRP_MJ_SET_QUOTA, 0, PtPreOperationPassThrough, PtPostOperationPassThrough },
    { IRP_MJ_PNP, 0, PtPreOperationPassThrough, PtPostOperationPassThrough },
    { IRP_MJ_ACQUIRE_FOR_SECTION_SYNCHRONIZATION, 0, PtPreOperationPassThrough, PtPostOperationPassThrough },
    { IRP_MJ_RELEASE_FOR_SECTION_SYNCHRONIZATION, 0, PtPreOperationPassThrough,  PtPostOperationPassThrough },
    { IRP_MJ_ACQUIRE_FOR_MOD_WRITE, 0, PtPreOperationPassThrough, PtPostOperationPassThrough },
    { IRP_MJ_RELEASE_FOR_MOD_WRITE, 0, PtPreOperationPassThrough, PtPostOperationPassThrough },
    { IRP_MJ_ACQUIRE_FOR_CC_FLUSH, 0, PtPreOperationPassThrough, PtPostOperationPassThrough },
    { IRP_MJ_RELEASE_FOR_CC_FLUSH, 0, PtPreOperationPassThrough, PtPostOperationPassThrough },
    { IRP_MJ_FAST_IO_CHECK_IF_POSSIBLE, 0, PtPreOperationPassThrough, PtPostOperationPassThrough },
    { IRP_MJ_NETWORK_QUERY_OPEN, 0, PtPreOperationPassThrough, PtPostOperationPassThrough },
    { IRP_MJ_MDL_READ, 0, PtPreOperationPassThrough, PtPostOperationPassThrough },
    { IRP_MJ_MDL_READ_COMPLETE, 0, PtPreOperationPassThrough, PtPostOperationPassThrough },
    { IRP_MJ_PREPARE_MDL_WRITE, 0, PtPreOperationPassThrough, PtPostOperationPassThrough },
    { IRP_MJ_MDL_WRITE_COMPLETE, 0, PtPreOperationPassThrough, PtPostOperationPassThrough },
    { IRP_MJ_VOLUME_MOUNT, 0, PtPreOperationPassThrough,  PtPostOperationPassThrough },
    { IRP_MJ_VOLUME_DISMOUNT, 0, PtPreOperationPassThrough, PtPostOperationPassThrough },
    { IRP_MJ_OPERATION_END }
};
// NOTE(review): PAGEDCODE is not defined anywhere in this listing. Unless a
// build header defines it, the compiler treats the pragma as unknown and the
// routine below is not placed in a pageable section.
#pragma PAGEDCODE
// Instance setup callback referenced from FilterRegistration.
// It traces entry and accepts every volume: none of the arguments are
// inspected and the result is always STATUS_SUCCESS.
NTSTATUS
PtInstanceSetup (
    __in PCFLT_RELATED_OBJECTS FltObjects,
    __in FLT_INSTANCE_SETUP_FLAGS Flags,
    __in DEVICE_TYPE VolumeDeviceType,
    __in FLT_FILESYSTEM_TYPE VolumeFilesystemType
    )
{
    UNREFERENCED_PARAMETER( FltObjects );
    UNREFERENCED_PARAMETER( Flags );
    UNREFERENCED_PARAMETER( VolumeDeviceType );
    UNREFERENCED_PARAMETER( VolumeFilesystemType );

    PT_DBG_PRINT( 1,("PassThrough!PtInstanceSetup: Entered\n") );

    return STATUS_SUCCESS;
}
// NOTE(review): PAGEDCODE is not defined in this listing; confirm a build
// header supplies it, otherwise this pragma has no effect.
#pragma PAGEDCODE
// Instance query-teardown callback referenced from FilterRegistration.
// It traces entry and always answers STATUS_SUCCESS without looking at its
// arguments.
NTSTATUS
PtInstanceQueryTeardown (
    __in PCFLT_RELATED_OBJECTS FltObjects,
    __in FLT_INSTANCE_QUERY_TEARDOWN_FLAGS Flags
    )
{
    UNREFERENCED_PARAMETER( FltObjects );
    UNREFERENCED_PARAMETER( Flags );

    PT_DBG_PRINT( 1,("PassThrough!PtInstanceQueryTeardown: Entered\n") );

    return STATUS_SUCCESS;
}
// NOTE(review): PAGEDCODE is not defined in this listing; confirm a build
// header supplies it, otherwise this pragma has no effect.
#pragma PAGEDCODE
// Instance teardown-start callback referenced from FilterRegistration.
// It only traces entry; there is no per-instance state to release here.
VOID
PtInstanceTeardownStart (
    __in PCFLT_RELATED_OBJECTS FltObjects,
    __in FLT_INSTANCE_TEARDOWN_FLAGS Flags
    )
{
    UNREFERENCED_PARAMETER( FltObjects );
    UNREFERENCED_PARAMETER( Flags );

    PT_DBG_PRINT( 1, ("PassThrough!PtInstanceTeardownStart: Entered\n") );
}
// NOTE(review): PAGEDCODE is not defined in this listing; confirm a build
// header supplies it, otherwise this pragma has no effect.
#pragma PAGEDCODE
// Instance teardown-complete callback referenced from FilterRegistration.
// It only traces entry.
VOID
PtInstanceTeardownComplete (
    __in PCFLT_RELATED_OBJECTS FltObjects,
    __in FLT_INSTANCE_TEARDOWN_FLAGS Flags
    )
{
    UNREFERENCED_PARAMETER( FltObjects );
    UNREFERENCED_PARAMETER( Flags );

    PT_DBG_PRINT( 1,("PassThrough!PtInstanceTeardownComplete: Entered\n") );
}
// NOTE(review): PAGEDCODE is not defined in this listing; confirm a build
// header supplies it, otherwise this pragma has no effect.
#pragma PAGEDCODE
// Unload callback referenced from FilterRegistration.
// It traces entry and releases the registration created in DriverEntry.
// Flags is not inspected. Always returns STATUS_SUCCESS.
NTSTATUS
PtUnload (
    __in FLT_FILTER_UNLOAD_FLAGS Flags
    )
{
    UNREFERENCED_PARAMETER( Flags );

    PT_DBG_PRINT( 1,("PassThrough!PtUnload: Entered\n") );

    FltUnregisterFilter( gFilterHandle );

    return STATUS_SUCCESS;
}
// Registration record passed to FltRegisterFilter in DriverEntry. It wires in
// the Callbacks[] operation table, the unload routine and the four instance
// callbacks; no context registration is supplied.
// NOTE(review): the labels on the last three slots are the ones carried over
// with the sample; confirm them against the FLT_REGISTRATION declaration in
// the fltKernel.h you build with.
CONST FLT_REGISTRATION FilterRegistration = {
    sizeof( FLT_REGISTRATION ),         //  Size
    FLT_REGISTRATION_VERSION,           //  Version
    0,                                  //  Flags
    NULL,                               //  Context
    Callbacks,                          //  Operation callbacks
    PtUnload,                           //  MiniFilterUnload
    PtInstanceSetup,                    //  InstanceSetup
    PtInstanceQueryTeardown,            //  InstanceQueryTeardown
    PtInstanceTeardownStart,            //  InstanceTeardownStart
    PtInstanceTeardownComplete,         //  InstanceTeardownComplete
    NULL,                               //  GenerateFileName
    NULL,                               //  GenerateDestinationFileName
    NULL                                //  NormalizeNameComponent
};
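// NOTE(review): INITCODE is not defined in this listing; confirm a build
// header supplies it, otherwise this pragma has no effect.
#pragma INITCODE
// Driver entry point: registers the pass-through minifilter with the Filter
// Manager and starts filtering.
//
// DriverObject  - driver object created by the system for this driver.
// RegistryPath  - service key path; not used by this routine.
//
// Returns the status of FltRegisterFilter if registration fails, otherwise
// the status of FltStartFiltering.
//
// Both calls are checked. The original ignored them and always returned 0,
// so a failed registration would pass an unset gFilterHandle to
// FltStartFiltering and report success to the loader. In kernel mode that
// ends in a bugcheck rather than a clean load failure.
NTSTATUS DriverEntry (__in PDRIVER_OBJECT DriverObject,__in PUNICODE_STRING RegistryPath)
{
    NTSTATUS status;

    UNREFERENCED_PARAMETER( RegistryPath );

    PT_DBG_PRINT( 1,("PassThrough!DriverEntry: Entered\n") );

    status = FltRegisterFilter( DriverObject, &FilterRegistration,&gFilterHandle );
    if (!NT_SUCCESS( status ))
    {
        // Nothing was registered, so there is nothing to undo.
        return status;
    }

    status = FltStartFiltering( gFilterHandle );
    if (!NT_SUCCESS( status ))
    {
        // Undo the registration so a failed load leaves no filter behind.
        FltUnregisterFilter( gFilterHandle );
    }

    return status;
}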
//made by correy
