2013年10月23日星期三

枚举系统注册的所有的minifilter驱动及其信息

/*
文件名:FltEnumerateFilters.C

微软不建议使用:IoEnumerateRegisteredFiltersList.

功能:enumerates all registered minifilter drivers in the system及其一些信息的显示.
目的:示例一些minifilter的一些枚举函数的用法,理解,区别.

可能要连接fltMgr.lib.
加载的方式可用一般的驱动(nt服务).

参考资料:
http://hi.baidu.com/kernelkit/item/95dab957bf115711aaf6d743
http://www.inreverse.net/?p=1334
http://blogs.msdn.com/b/alexcarp/archive/2009/08/11/issuing-io-in-minifilters-part-1-fltcreatefile.aspx 
http://blogs.msdn.com/b/alexcarp/archive/2009/09/01/issuing-io-in-minifilters-part-2-flt-vs-zw.aspx
http://blogs.msdn.com/b/alexcarp/archive/2009/06/16/filter-manager-concepts-part-3-flt-filter.aspx
http://blogs.msdn.com/b/alexcarp/archive/2009/06/24/filter-manager-concepts-part-4-flt-instance.aspx
等. 

不足之处,敬请指出.
made by correy
made at 2013.10.23
email:kouleguan at hotmail dot com
homepage:http://correy.webs.com

个人感觉FltEnumerateInstances和FltEnumerateVolumes差不多.
区别是前者能获取所有的minifilter的所有的实例的信息,后者只获取某个minifilter的所有的卷设备的信息.
相信有转换和联系的函数.

开始以为:FltEnumerateVolumes是获取的一个PFLT_FILTER过滤的卷设备的对象,不是全部的磁盘上的卷.
经测试是:获取本地计算机上的可用的卷.一下是获取不到的:
1.光驱里面没有光盘.
2.虚拟磁盘软件虚拟出来的卷设备.
3.网络映射的盘符.
4.subst命令搞出的驱动器号.
5.软盘没有测试.
这个函数的缺点是第一个参数,而且还不能是0,个人建议是去掉这个参数.
不过在minifilter驱动里面是有这个参数的.
*/

#include <fltKernel.h>

#define TAG 'tset' //test
#define _In_ //WDK8不需要.

void PrintFilterFullInformation(PFLT_FILTER pf)
{
    //另一个思路是使用:FltEnumerateFilterInformation

    NTSTATUS status = STATUS_SUCCESS;
    PVOID  Buffer = 0;
    ULONG  BufferSize = 0;
    ULONG  BytesReturned = 0;
    PFILTER_FULL_INFORMATION pfi = 0;
    UNICODE_STRING FilterName;

    status = FltGetFilterInformation(pf, FilterFullInformation, Buffer, BufferSize, &BytesReturned);
    if (!NT_SUCCESS( status )) 
    {
        if (status != STATUS_BUFFER_TOO_SMALL)
        {
            return;
        }
    }

    BufferSize = sizeof (PFLT_FILTER) * BytesReturned * 2;//多申请一倍.

    Buffer = (PFLT_FILTER *)ExAllocatePoolWithTag(NonPagedPool, BufferSize, TAG);
    if (Buffer == NULL) {
        return;
    }
    RtlZeroMemory(Buffer,BufferSize);

    status = FltGetFilterInformation(pf, FilterFullInformation, Buffer, BufferSize, &BytesReturned);
    if (!NT_SUCCESS( status )) 
    {
        ExFreePoolWithTag(Buffer, TAG);
        return;
    }

    pfi = (PFILTER_FULL_INFORMATION)Buffer;

    FilterName.Buffer = pfi->FilterNameBuffer;
    FilterName.Length = pfi->FilterNameLength;
    FilterName.MaximumLength = pfi->FilterNameLength;//不再加2.

    //DbgPrint("FrameID:%d\n", pfi->FrameID);
    //DbgPrint("NumberOfInstances:%d\n", pfi->NumberOfInstances);
    DbgPrint("FilterName:%wZ\n",&FilterName);

    /*
    打印的内容如下:
    FrameID:0
    NumberOfInstances:5
    FilterName:TFsFlt
    FrameID:0
    NumberOfInstances:6
    FilterName:QQSysMonX64
    FrameID:0
    NumberOfInstances:1
    FilterName:luafv 注释:微软的LUA文件虚拟化筛选器驱动程序.
    */
    
    ExFreePoolWithTag(Buffer, TAG);
}

void PrintVolumeStandardInformation(PFLT_VOLUME pv)
{
    NTSTATUS status = STATUS_SUCCESS;
    PVOID  Buffer = 0;
    ULONG  BufferSize = 0;
    ULONG  BytesReturned = 0;
    PFILTER_VOLUME_STANDARD_INFORMATION pvsi = 0;
    UNICODE_STRING VolumeName;

    status = FltGetVolumeInformation(pv, FilterVolumeStandardInformation, Buffer, BufferSize, &BytesReturned);
    if (!NT_SUCCESS( status )) 
    {
        if (status != STATUS_BUFFER_TOO_SMALL)
        {
            return;
        }
    }

    BufferSize = sizeof (PFLT_FILTER) * BytesReturned * 2;//多申请一倍.

    Buffer = (PFLT_FILTER *)ExAllocatePoolWithTag(NonPagedPool, BufferSize, TAG);
    if (Buffer == NULL) {
        return;
    }
    RtlZeroMemory(Buffer,BufferSize);

    status = FltGetVolumeInformation(pv, FilterVolumeStandardInformation, Buffer, BufferSize, &BytesReturned);
    if (!NT_SUCCESS( status )) 
    {
        ExFreePoolWithTag(Buffer, TAG);
        return;
    }

    pvsi = (PFILTER_VOLUME_STANDARD_INFORMATION)Buffer;

    VolumeName.Buffer = pvsi->FilterVolumeName;
    VolumeName.Length = pvsi->FilterVolumeNameLength;
    VolumeName.MaximumLength = pvsi->FilterVolumeNameLength;//不再加2.

    //DbgPrint("Flags:%d\n", pvsi->Flags);
    //DbgPrint("FrameID:%d\n", pvsi->FrameID);
    DbgPrint("VolumeName:%wZ\n",&VolumeName);

    switch(pvsi->FileSystemType) 
    {
    case FLT_FSTYPE_UNKNOWN:
        DbgPrint("FileSystemType :%ls\n",L"Unknown file system type.");
        break;
    case FLT_FSTYPE_RAW: 
        DbgPrint("FileSystemType :%ls\n",L"\\FileSystem\\RAW.");
        break;
    case FLT_FSTYPE_NTFS: 
        DbgPrint("FileSystemType :%ls\n",L"\\FileSystem\\Ntfs.");
        break;
    case FLT_FSTYPE_FAT: 
        DbgPrint("FileSystemType :%ls\n",L"\\FileSystem\\Fat.");
        break;
    case FLT_FSTYPE_CDFS:
        DbgPrint("FileSystemType :%ls\n",L"\\FileSystem\\Cdfs.");
        break;
    case FLT_FSTYPE_UDFS: 
        DbgPrint("FileSystemType :%ls\n",L"\\FileSystem\\Udfs.");
        break;
    case FLT_FSTYPE_LANMAN: 
        DbgPrint("FileSystemType :%ls\n",L"\\FileSystem\\MRxSmb.");
        break;
    case FLT_FSTYPE_WEBDAV: 
        DbgPrint("FileSystemType :%ls\n",L"\\FileSystem\\MRxDav.");
        break;
    case FLT_FSTYPE_RDPDR:
        DbgPrint("FileSystemType :%ls\n",L"\\Driver\\rdpdr.");
        break;
    case FLT_FSTYPE_NFS: 
        DbgPrint("FileSystemType :%ls\n",L"\\FileSystem\\NfsRdr.");
        break;
    case FLT_FSTYPE_MS_NETWARE: 
        DbgPrint("FileSystemType :%ls\n",L"\\FileSystem\\nwrdr.");
        break;
    case FLT_FSTYPE_NETWARE: 
        DbgPrint("FileSystemType :%ls\n",L"Novell NetWare redirector.");
        break;
    case FLT_FSTYPE_BSUDF:
        DbgPrint("FileSystemType :%ls\n",L"\\FileSystem\\BsUDF.");
        break;
    case FLT_FSTYPE_MUP:
        DbgPrint("FileSystemType :%ls\n",L"\\FileSystem\\Mup.");
        break;
    case FLT_FSTYPE_RSFX: 
        DbgPrint("FileSystemType :%ls\n",L"\\FileSystem\\RsFxDrv.");
        break;
    case FLT_FSTYPE_ROXIO_UDF1:
        DbgPrint("FileSystemType :%ls\n",L"\\FileSystem\\cdudf_xp.");
        break;
    case FLT_FSTYPE_ROXIO_UDF2:
        DbgPrint("FileSystemType :%ls\n",L"\\FileSystem\\UdfReadr_xp.");
        break;
    case FLT_FSTYPE_ROXIO_UDF3: 
        DbgPrint("FileSystemType :%ls\n",L"\\FileSystem\\DVDVRRdr_xp.");
        break;
    case FLT_FSTYPE_TACIT: 
        DbgPrint("FileSystemType :%ls\n",L"\\Device\\TCFSPSE.");
        break;
    case FLT_FSTYPE_FS_REC: 
        DbgPrint("FileSystemType :%ls\n",L"\\FileSystem\\Fs_rec.");
        break;
    case FLT_FSTYPE_INCD:
        DbgPrint("FileSystemType :%ls\n",L"\\FileSystem\\InCDfs.");
        break;
    case FLT_FSTYPE_INCD_FAT: 
        DbgPrint("FileSystemType :%ls\n",L"\\FileSystem\\InCDFat.");
        break;
    case FLT_FSTYPE_EXFAT: 
        DbgPrint("FileSystemType :%ls\n",L"\\FileSystem\\exfat.");
        break;
    case FLT_FSTYPE_PSFS: 
        DbgPrint("FileSystemType :%ls\n",L"\\FileSystem\\psfs.");
        break;
    case FLT_FSTYPE_GPFS:
        DbgPrint("FileSystemType :%ls\n",L"\\FileSystem\\gpfs.");
        break;
    case FLT_FSTYPE_NPFS: 
        DbgPrint("FileSystemType :%ls\n",L"\\FileSystem\\npfs.");
        break;
    case FLT_FSTYPE_MSFS: 
        DbgPrint("FileSystemType :%ls\n",L"\\FileSystem\\msfs.");
        break;
    case FLT_FSTYPE_CSVFS: 
        DbgPrint("FileSystemType :%ls\n",L"\\FileSystem\\csvfs.");
        break;
    case FLT_FSTYPE_REFS: 
        DbgPrint("FileSystemType :%ls\n",L"\\FileSystem\\refs.");
        break;
    case FLT_FSTYPE_OPENAFS: 
        DbgPrint("FileSystemType :%ls\n",L"\\FileSystem\\AFSRedirector.");
        break;
    default: 
        DbgPrint("FileSystemType :%ls\n",L"发生错误!");
        break;
    }

    //这里也要用FltObjectDereference再释放一下?
    FltObjectDereference(pv);

    ExFreePoolWithTag(Buffer, TAG);
}

void EnumerateInstances(PFLT_FILTER pf)
{
    //FltEnumerateInstances
    //FltGetInstanceInformation 这个获取的全是数字,所以放弃使用.
    //FltEnumerateInstanceInformationByFilter 这个获取的全是数字,所以放弃使用.
    //FltEnumerateInstanceInformationByVolume 这个获取的全是数字,所以放弃使用.

    NTSTATUS status = STATUS_SUCCESS;
    PFLT_INSTANCE  * InstanceList = 0;
    ULONG  InstanceListSize = 0;
    ULONG  NumberInstancesReturned = 0;
    ULONG i;

    status = FltEnumerateInstances(0, pf, InstanceList, InstanceListSize, &NumberInstancesReturned);
    if (!NT_SUCCESS( status )) 
    {
        if (status != STATUS_BUFFER_TOO_SMALL)
        {
            return;
        }
    }

    InstanceListSize = sizeof (PFLT_INSTANCE) * NumberInstancesReturned * 2;//多申请一倍.

    InstanceList = (PFLT_INSTANCE *)ExAllocatePoolWithTag(NonPagedPool, InstanceListSize, TAG);
    if (InstanceList == NULL) {
        return;
    }
    RtlZeroMemory(InstanceList,InstanceListSize);

    status = FltEnumerateInstances(0, pf, InstanceList, InstanceListSize, &NumberInstancesReturned);
    if (!NT_SUCCESS( status )) 
    {
        ExFreePoolWithTag(InstanceList, TAG);
        return;
    }

    for (i = 0; i< NumberInstancesReturned; i++)
    {
        //打印每个实例的信息.
        //相信和卷设备是一样的,转换为卷设备再打印,这里就不打印详细信息的,只打印实例的地址.
        DbgPrint("PFLT_FILTER:%p\tInstances:%p\n", pf, InstanceList[i]);

        FltObjectDereference(InstanceList[i]);
    }

    //这里也要用FltObjectDereference再释放一下?
    FltObjectDereference(pf);

    ExFreePoolWithTag(InstanceList, TAG);
}

void EnumerateVolumes(PFLT_FILTER pf)
{
    //FltEnumerateVolumes这个获取全了,要枚举.
    //FltGetVolumeInformation
    //FltEnumerateVolumeInformation这个不用,是获取单个的,要循环.

    NTSTATUS status = STATUS_SUCCESS;
    PFLT_VOLUME  * VolumeList = 0;
    ULONG  VolumeListSize = 0;
    ULONG  NumberVolumesReturned = 0;
    ULONG i;

    status = FltEnumerateVolumes(pf, VolumeList, VolumeListSize, &NumberVolumesReturned);
    if (!NT_SUCCESS( status )) 
    {
        if (status != STATUS_BUFFER_TOO_SMALL)
        {
            return;
        }
    }

    VolumeListSize = sizeof (PFLT_VOLUME) * NumberVolumesReturned * 2;//多申请一倍.

    VolumeList = (PFLT_VOLUME  *)ExAllocatePoolWithTag(NonPagedPool, VolumeListSize, TAG);
    if (VolumeList == NULL) {
        return;
    }
    RtlZeroMemory(VolumeList,VolumeListSize);

    status = FltEnumerateVolumes(pf, VolumeList, VolumeListSize, &NumberVolumesReturned);
    if (!NT_SUCCESS( status )) 
    {
        ExFreePoolWithTag(VolumeList, TAG);
        return;
    }

    for (i = 0; i< NumberVolumesReturned; i++)
    {
        //打印每个卷设备的信息.
        PrintVolumeStandardInformation(VolumeList[i]);

        FltObjectDereference(VolumeList[i]);
    }

    //这里也要用FltObjectDereference再释放一下?
    FltObjectDereference(pf);

    ExFreePoolWithTag(VolumeList, TAG);
}

VOID DriverUnload(IN PDRIVER_OBJECT DriverObject)
{
    /*
    没有此函数是停止不了此驱动的,但是可以删除驱动.
    在别的地方设置一下,如注册表回调保护驱动入口的第二个参数,可以让本驱动删除不了.
    如果这样,就在一个消息中卸载了:恢复回调入口和删除注册表的保护.
    然后应用层再卸载,上面的消息中还可以加密码验证.
    */
}

DRIVER_INITIALIZE DriverEntry;
#pragma alloc_text(INIT, DriverEntry)//#pragma INITCODE
NTSTATUS DriverEntry (_In_ PDRIVER_OBJECT DriverObject, _In_ PUNICODE_STRING RegistryPath)
{
    NTSTATUS status = STATUS_SUCCESS;
    PFLT_FILTER * FilterList;
    ULONG FilterListSize = 0;
    ULONG NumberFiltersReturned = 0;
    ULONG i;

    UNREFERENCED_PARAMETER( RegistryPath );

    KdBreakPoint();//DbgBreakPoint() 

    DriverObject->DriverUnload = DriverUnload;

    //Because filters can register at any time, two calls to FltEnumerateFilters are not guaranteed to return the same result.
    //确保两次调用FltEnumerateFilters期间不要加载或者卸载minifilter.建议使用rundown机制.
    status = FltEnumerateFilters(0,FilterListSize,&NumberFiltersReturned);
    if (!NT_SUCCESS( status )) //#define STATUS_BUFFER_TOO_SMALL          ((NTSTATUS)0xC0000023L)
    {
        if (status != STATUS_BUFFER_TOO_SMALL)
        {
            return status;
        }
    }    

    //建议每次成功的调用之后都调用:VOID FltObjectDereference(_Inout_  PVOID FltObject);

    FilterListSize = sizeof (PFLT_FILTER) * NumberFiltersReturned * 2;//多申请一倍.

    FilterList = (PFLT_FILTER *)ExAllocatePoolWithTag(NonPagedPool, FilterListSize, TAG);
    if (FilterList == NULL) {
        return status;
    }
    RtlZeroMemory(FilterList,FilterListSize);

    status = FltEnumerateFilters(FilterList,FilterListSize,&NumberFiltersReturned);
    if (!NT_SUCCESS( status )) 
    {
        ExFreePoolWithTag(FilterList, TAG);
        return status;
    }

    //卸载所有已经注册的minifilter.理论上比抹去未公开的结构好.这里暂时注释掉.
    //for (i = 0;i < NumberFiltersReturned;i++)
    //{
    //    FltUnregisterFilter(FilterList[i]);//有的驱动会永远停止在这里.
    //}

    /*
    在这里可以列举一些minifilter的信息
    甚至每个minifilter过滤的每个卷设备的信息.

    PFLT_FILTER是个为公开的数据结构,各个版本的结构不一.

    0: kd> vertarget
    Windows 7 Kernel Version 7601 (Service Pack 1) MP (2 procs) Free x64
    Built by: 7601.18229.amd64fre.win7sp1_gdr.130801-1533
    Machine Name:
    Kernel base = 0xfffff800`0185f000 PsLoadedModuleList = 0xfffff800`01aa26d0
    Debug session time: Wed Oct 23 16:25:06.039 2013 (UTC + 8:00)
    System Uptime: 0 days 0:04:08.664
    0: kd> dt _FLT_FILTER fffffa80`04306c60
    fltmgr!_FLT_FILTER
    +0x000 Base             : _FLT_OBJECT
    +0x020 Frame            : 0xfffffa80`03f30630 _FLTP_FRAME
    +0x028 Name             : _UNICODE_STRING "TFsFlt"
    +0x038 DefaultAltitude  : _UNICODE_STRING "389700"
    +0x048 Flags            : 2 ( FLTFL_FILTERING_INITIATED )
    +0x050 DriverObject     : 0xfffffa80`042fde70 _DRIVER_OBJECT
    +0x058 InstanceList     : _FLT_RESOURCE_LIST_HEAD
    +0x0d8 VerifierExtension : (null) 
    +0x0e0 VerifiedFiltersLink : _LIST_ENTRY [ 0x00000000`00000000 - 0x00000000`00000000 ]
    +0x0f0 FilterUnload     : 0xfffff880`0245f320     long  +0
    +0x0f8 InstanceSetup    : 0xfffff880`0248d0ec     long  +0
    +0x100 InstanceQueryTeardown : 0xfffff880`0248d118     long  +0
    +0x108 InstanceTeardownStart : (null) 
    +0x110 InstanceTeardownComplete : 0xfffff880`0248d138     void  +0
    +0x118 SupportedContextsListHead : 0xfffffa80`04306890 _ALLOCATE_CONTEXT_HEADER
    +0x120 SupportedContexts : [6] (null) 
    +0x150 PreVolumeMount   : (null) 
    +0x158 PostVolumeMount  : (null) 
    +0x160 GenerateFileName : (null) 
    +0x168 NormalizeNameComponent : (null) 
    +0x170 NormalizeNameComponentEx : (null) 
    +0x178 NormalizeContextCleanup : (null) 
    +0x180 KtmNotification  : (null) 
    +0x188 Operations       : 0xfffffa80`04306ef0 _FLT_OPERATION_REGISTRATION
    +0x190 OldDriverUnload  : (null) 
    +0x198 ActiveOpens      : _FLT_MUTEX_LIST_HEAD
    +0x1e8 ConnectionList   : _FLT_MUTEX_LIST_HEAD
    +0x238 PortList         : _FLT_MUTEX_LIST_HEAD
    +0x288 PortLock         : _EX_PUSH_LOCK   

    再附加两个结构:
    1: kd> dt _FLT_INSTANCE
    fltmgr!_FLT_INSTANCE
    +0x000 Base             : _FLT_OBJECT
    +0x020 OperationRundownRef : Ptr64 _EX_RUNDOWN_REF_CACHE_AWARE
    +0x028 Volume           : Ptr64 _FLT_VOLUME
    +0x030 Filter           : Ptr64 _FLT_FILTER
    +0x038 Flags            : _FLT_INSTANCE_FLAGS
    +0x040 Altitude         : _UNICODE_STRING
    +0x050 Name             : _UNICODE_STRING
    +0x060 FilterLink       : _LIST_ENTRY
    +0x070 ContextLock      : _EX_PUSH_LOCK
    +0x078 Context          : Ptr64 _CONTEXT_NODE
    +0x080 TransactionContexts : _CONTEXT_LIST_CTRL
    +0x088 TrackCompletionNodes : Ptr64 _TRACK_COMPLETION_NODES
    +0x090 CallbackNodes    : [50] Ptr64 _CALLBACK_NODE
    1: kd> dt _FLT_VOLUME
    fltmgr!_FLT_VOLUME
    +0x000 Base             : _FLT_OBJECT
    +0x020 Flags            : _FLT_VOLUME_FLAGS
    +0x024 FileSystemType   : _FLT_FILESYSTEM_TYPE
    +0x028 DeviceObject     : Ptr64 _DEVICE_OBJECT
    +0x030 DiskDeviceObject : Ptr64 _DEVICE_OBJECT
    +0x038 FrameZeroVolume  : Ptr64 _FLT_VOLUME
    +0x040 VolumeInNextFrame : Ptr64 _FLT_VOLUME
    +0x048 Frame            : Ptr64 _FLTP_FRAME
    +0x050 DeviceName       : _UNICODE_STRING
    +0x060 GuidName         : _UNICODE_STRING
    +0x070 CDODeviceName    : _UNICODE_STRING
    +0x080 CDODriverName    : _UNICODE_STRING
    +0x090 InstanceList     : _FLT_RESOURCE_LIST_HEAD
    +0x110 Callbacks        : _CALLBACK_CTRL
    +0x4f8 ContextLock      : _EX_PUSH_LOCK
    +0x500 VolumeContexts   : _CONTEXT_LIST_CTRL
    +0x508 StreamListCtrls  : _FLT_RESOURCE_LIST_HEAD
    +0x588 FileListCtrls    : _FLT_RESOURCE_LIST_HEAD
    +0x608 NameCacheCtrl    : _NAME_CACHE_VOLUME_CTRL
    +0x6b8 MountNotifyLock  : _ERESOURCE
    +0x720 TargetedOpenActiveCount : Int4B
    +0x728 TxVolContextListLock : _EX_PUSH_LOCK
    +0x730 TxVolContexts    : _TREE_ROOT

    不过建议使用:FltEnumerateFilterInformation或者FltGetFilterInformation获取各种信息.
    */

    //打印每个驱动的信息,这里选择FilterFullInformation类型.
    for (i = 0;i < NumberFiltersReturned;i++)
    {
        PrintFilterFullInformation(FilterList[i]);//打印系统的所有的minifilter 驱动.
        EnumerateInstances(FilterList[i]);//枚举每个minifilter驱动的每个过滤设备的实例,里面可以获取更多的信息.
        EnumerateVolumes(FilterList[i]);//枚举每个minifilter驱动的每个卷设备的信息,里面可以获取更多的信息,其实和上面的差不多.

        DbgPrint("\n\n");
    }

    /*
    FltEnumerateFilters adds a rundown reference to each of the opaque filter pointers returned in the array that the FilterList parameter points to. 
    When these pointers are no longer needed, the caller must release them by calling FltObjectDereference on each one. 
    Thus every successful call to FltEnumerateFilters must be matched by a subsequent call to FltObjectDereference for each returned filter pointer. 
    */
    for (i = 0;i < NumberFiltersReturned;i++)
    {
        FltObjectDereference(FilterList[i]);
    }    

    ExFreePoolWithTag(FilterList, TAG);

    return status;
}

/*
效果如下:
0: kd> g
FilterName:TFsFlt
PFLT_FILTER:FFFFFA800433E010 Instances:FFFFFA8004432C60
PFLT_FILTER:FFFFFA800433E010 Instances:FFFFFA8004346C60
PFLT_FILTER:FFFFFA800433E010 Instances:FFFFFA80047D3C60
PFLT_FILTER:FFFFFA800433E010 Instances:FFFFFA80047B9C60
PFLT_FILTER:FFFFFA800433E010 Instances:FFFFFA80040DF7F0
VolumeName:\Device\Mup
FileSystemType :\FileSystem\Mup.
VolumeName:\Device\HarddiskVolume1
FileSystemType :\FileSystem\Ntfs.
VolumeName:\Device\HarddiskVolume2
FileSystemType :\FileSystem\Ntfs.
VolumeName:\Device\HarddiskVolume5
FileSystemType :\FileSystem\Ntfs.
VolumeName:\Device\HarddiskVolume3
FileSystemType :\FileSystem\Ntfs.
VolumeName:\Device\HarddiskVolume4
FileSystemType :\FileSystem\Ntfs.


FilterName:QQSysMonX64
PFLT_FILTER:FFFFFA8004A8B160 Instances:FFFFFA8004A9A760
PFLT_FILTER:FFFFFA8004A8B160 Instances:FFFFFA8004A9D760
PFLT_FILTER:FFFFFA8004A8B160 Instances:FFFFFA8004AA0C50
PFLT_FILTER:FFFFFA8004A8B160 Instances:FFFFFA8004AA0170
PFLT_FILTER:FFFFFA8004A8B160 Instances:FFFFFA8004AA34F0
PFLT_FILTER:FFFFFA8004A8B160 Instances:FFFFFA8004AA4C50
VolumeName:\Device\Mup
FileSystemType :\FileSystem\Mup.
VolumeName:\Device\HarddiskVolume1
FileSystemType :\FileSystem\Ntfs.
VolumeName:\Device\HarddiskVolume2
FileSystemType :\FileSystem\Ntfs.
VolumeName:\Device\HarddiskVolume5
FileSystemType :\FileSystem\Ntfs.
VolumeName:\Device\HarddiskVolume3
FileSystemType :\FileSystem\Ntfs.
VolumeName:\Device\HarddiskVolume4
FileSystemType :\FileSystem\Ntfs.


FilterName:luafv
PFLT_FILTER:FFFFFA8004A8A010 Instances:FFFFFA8004A8C010
VolumeName:\Device\Mup
FileSystemType :\FileSystem\Mup.
VolumeName:\Device\HarddiskVolume1
FileSystemType :\FileSystem\Ntfs.
VolumeName:\Device\HarddiskVolume2
FileSystemType :\FileSystem\Ntfs.
VolumeName:\Device\HarddiskVolume5
FileSystemType :\FileSystem\Ntfs.
VolumeName:\Device\HarddiskVolume3
FileSystemType :\FileSystem\Ntfs.
VolumeName:\Device\HarddiskVolume4
FileSystemType :\FileSystem\Ntfs.

验证一下:
0: kd> !fltkd.filters

Filter List: fffffa8003e690c0 "Frame 0" 
   FLT_FILTER: fffffa800433e010 "TFsFlt" "389700"
      FLT_INSTANCE: fffffa8004432c60 "TFsFlt Instance" "389700"
      FLT_INSTANCE: fffffa8004346c60 "TFsFlt Instance" "389700"
      FLT_INSTANCE: fffffa80047d3c60 "TFsFlt Instance" "389700"
      FLT_INSTANCE: fffffa80047b9c60 "TFsFlt Instance" "389700"
      FLT_INSTANCE: fffffa80040df7f0 "TFsFlt Instance" "389700"
   FLT_FILTER: fffffa8004a8b160 "QQSysMonX64" "327125"
      FLT_INSTANCE: fffffa8004a9a760 "QQSysMonx64 Instance" "327125"
      FLT_INSTANCE: fffffa8004a9d760 "QQSysMonx64 Instance" "327125"
      FLT_INSTANCE: fffffa8004aa0c50 "QQSysMonx64 Instance" "327125"
      FLT_INSTANCE: fffffa8004aa0170 "QQSysMonx64 Instance" "327125"
      FLT_INSTANCE: fffffa8004aa34f0 "QQSysMonx64 Instance" "327125"
      FLT_INSTANCE: fffffa8004aa4c50 "QQSysMonx64 Instance" "327125"
   FLT_FILTER: fffffa8004a8a010 "luafv" "135000"
      FLT_INSTANCE: fffffa8004a8c010 "luafv" "135000"

0: kd> !fltkd.instance fffffa8004432c60

FLT_INSTANCE: fffffa8004432c60 "TFsFlt Instance" "389700"
   FLT_OBJECT: fffffa8004432c60  [01000000] Instance
      RundownRef               : 0x0000000000000000 (0)
      PointerCount             : 0x00000002 
      PrimaryLink              : [fffffa8004a9d770-fffffa800404d108] 
   OperationRundownRef      : fffffa80044310b0 
Could not read field "Number" of fltmgr!_EX_RUNDOWN_REF_CACHE_AWARE from address: fffffa80044310b0
   Flags                    : [00000000]
   Volume                   : fffffa800404d010 "\Device\HarddiskVolume1"
   Filter                   : fffffa800433e010 "TFsFlt"
   TrackCompletionNodes     : fffffa8004432a20 
   ContextLock              : (fffffa8004432cd0)
   Context                  : fffffa800433a770 
   CallbackNodes            : (fffffa8004432cf0)
   VolumeLink               : [fffffa8004a9d770-fffffa800404d108] 
   FilterLink               : [fffffa8004346cc0-fffffa800433e0d0] 

*/

////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////

#include <ntifs.h>
#include <windef.h>

#define TAG 'tset' //test

/*
IoEnumerateRegisteredFiltersList enumerates only file system filter drivers (also called "legacy filters"). 
It does not enumerate minifilters. 
To enumerate both minifilters and legacy filters, or only minifilters, call FltEnumerateFilterInformation.

此代码在Windows 7上测试成功。
不当之处,请指正。

made by correy
made at 2014.07.01
homepage:http://correy.webs.com
*/


VOID DriverUnload(IN PDRIVER_OBJECT DriverObject)
{

}


DRIVER_INITIALIZE DriverEntry;
#pragma alloc_text(INIT, DriverEntry)//#pragma INITCODE
NTSTATUS DriverEntry (_In_ PDRIVER_OBJECT DriverObject, _In_ PUNICODE_STRING RegistryPath)
{
    NTSTATUS status = STATUS_SUCCESS;
    PDRIVER_OBJECT * DriverObjectList = 0;//*
    ULONG DriverObjectListSize = 0;
    ULONG ActualNumberDriverObjects = 0;
    ULONG i = 0;

    UNREFERENCED_PARAMETER( RegistryPath );

    KdBreakPoint();

    DriverObject->DriverUnload = DriverUnload;

    //XP下调用此函数没有反应。就是各个参数及返回值依旧是原来的样子。
    status = IoEnumerateRegisteredFiltersList(DriverObjectList, DriverObjectListSize, &ActualNumberDriverObjects);
    if (!NT_SUCCESS( status )) 
    {
        if (status != STATUS_BUFFER_TOO_SMALL)
        {
            return status;
        }
    }

    //XP下申请大小为0的内存竟然成功,而且还可以读写。
    DriverObjectListSize = ActualNumberDriverObjects * sizeof(DRIVER_OBJECT);
    DriverObjectList = (PDRIVER_OBJECT *)ExAllocatePoolWithTag(NonPagedPool, DriverObjectListSize, TAG);
    if (DriverObjectList == NULL) {
        return STATUS_UNSUCCESSFUL ;
    }
    RtlZeroMemory(DriverObjectList, DriverObjectListSize);

    //XP下调用此函数仍然没有反应。就是各个参数及返回值依旧是原来的样子。
    status = IoEnumerateRegisteredFiltersList(DriverObjectList, DriverObjectListSize, &ActualNumberDriverObjects);
    if (!NT_SUCCESS( status )) 
    {
        return status;
    }

    for (i = 0;i < ActualNumberDriverObjects;i++)
    {
        DbgPrint("DriverName:%wZ\n",&DriverObjectList[i]->DriverName);
        ObDereferenceObject(DriverObjectList[i]);
    }    

    ExFreePoolWithTag(DriverObjectList, TAG);

    return status;
}

//////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////

/*WindowsResearchKernel-WRK/WRK-v1.2/base/ntos/io/iomgr/iosubs.c
NTSTATUS
IoEnumerateRegisteredFiltersList(
    IN  PDRIVER_OBJECT  *DriverObjectList,
    IN  ULONG           DriverObjectListSize,
    OUT PULONG          ActualNumberDriverObjects
    )
++

Routine Description:

    This routine retrieves a list of driver objects associated with all of the
    filters which have registered with the system.

Parameters:

    DriverObjectList - Pointer to an array where driver  object lists will be stored.

    DriverObjectListSize - Size in bytes of the DriverObjectList array

    ActualNumberDriverObjects - The actual number of driver objects returned.

ReturnValue:

    If size is not sufficient it will return STATUS_BUFFER_TOO_SMALL.

Notes:

--*//*
{
    PNOTIFICATION_PACKET nPacket;
    PLIST_ENTRY entry;
    ULONG   numListEntries;
    ULONG   numDriverObjects = 0;
    NTSTATUS status = STATUS_SUCCESS;

    //
    //  Lock the list shared
    //

    ExAcquireResourceSharedLite( &IopDatabaseResource, TRUE );

    //
    //  Calculate how many entries can be returned
    //

    numListEntries = DriverObjectListSize / sizeof(PDRIVER_OBJECT);

    //
    //  Calculate how many entries are on the list
    //

    entry = IopFsNotifyChangeQueueHead.Flink;
    while (entry != &IopFsNotifyChangeQueueHead) {

        numDriverObjects++;
        entry = entry->Flink;
    }

    //
    //  Return total number of entries on the list
    //

    *ActualNumberDriverObjects = numDriverObjects;

    //
    //  If we don't have room for all of the entries, tell them about this
    //

    if (numDriverObjects > numListEntries) {
        status = STATUS_BUFFER_TOO_SMALL;
    }

    //
    //  Return what entries we can
    //

    entry = IopFsNotifyChangeQueueHead.Flink;

    while ((numListEntries > 0) && (entry != &IopFsNotifyChangeQueueHead)) {

        nPacket = CONTAINING_RECORD( entry, NOTIFICATION_PACKET, ListEntry );

        ObReferenceObject(nPacket->DriverObject);

        *DriverObjectList = nPacket->DriverObject;
        DriverObjectList++;

        entry = entry->Flink;
        numListEntries--;
    }

    ExReleaseResourceLite( &IopDatabaseResource );

    return status;
}
*/

没有评论:

发表评论