
            FileMon源碼學習筆記(二)
            2008-11-24 10:41

            FileMon源碼中另一個比較疑惑的地方,FileMon創建了兩類設備,一個是用于和ring3通信的GUI設備,另一個是hook的過濾設備,但在代碼中,當收到發向GUI設備的IRP_MJ_DEVICE_CONTROL時,代碼竟是去調用屬于hook設備的功能函數,而在這個功能函數里面通過條件判斷是否是GUI設備來分別處理,而對于發給GUI設備的其他IRP都是直接在GUI的處理函數中處理的,不知道作者這樣寫是否有什么深層的含義,不過對于我這種初學者來說,這樣的寫法倒是容易引起混亂,還是不同設備的功能函數,分開來寫好一點。下面附上相關代碼:

            //=========================================================

            //GUI設備的功能函數,注意IRP_MJ_DEVICE_CONTROL的實現

            //=========================================================

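            /*
             * IRP dispatch routine for Filemon's GUI (control) device.
             *
             * Handles the IRPs the user-mode GUI sends to the control device:
             *   IRP_MJ_CREATE         - a GUI opened us; restart the sequence counter.
             *   IRP_MJ_CLOSE          - a GUI closed us; stop filtering, drop the log
             *                           buffers and hash table, unhook all drives.
             *   IRP_MJ_DEVICE_CONTROL - forwarded to FilemonFastIoDeviceControl, the
             *                           same handler the fast I/O path uses.
             *
             * DeviceObject - the GUI device object the IRP was sent to.
             * Irp          - the request; always completed here with IO_NO_INCREMENT.
             *
             * Returns STATUS_SUCCESS. The IRP's own status is also left at
             * STATUS_SUCCESS unless FilemonFastIoDeviceControl changes it through
             * &Irp->IoStatus.
             */
            NTSTATUS
            FilemonDeviceRoutine(
                IN PDEVICE_OBJECT DeviceObject,
                IN PIRP Irp
                )
            {
                PIO_STACK_LOCATION  irpStack;
                PVOID               inputBuffer;
                PVOID               outputBuffer;
                ULONG               inputBufferLength;
                ULONG               outputBufferLength;
                ULONG               ioControlCode;

                //
                // Go ahead and set the request up as successful
                //
                Irp->IoStatus.Status      = STATUS_SUCCESS;
                Irp->IoStatus.Information = 0;

                //
                // Get a pointer to the current location in the Irp. This is where
                // the function codes and parameters are located.
                //
                irpStack = IoGetCurrentIrpStackLocation (Irp);

                switch (irpStack->MajorFunction) {
                case IRP_MJ_CREATE:

                    DbgPrint(("Filemon: IRP_MJ_CREATE\n"));

                    //
                    // Start the sequence number at 0.
                    // NOTE(review): Sequence is reset here without LogMutex, while
                    // IOCTL_FILEMON_ZEROSTATS resets it under that mutex - confirm no
                    // log record can be in flight when the GUI opens the device.
                    //
                    Sequence = 0;
                    break;

                case IRP_MJ_CLOSE:

                    DbgPrint(("Filemon: IRP_MJ_CLOSE\n"));

                    //
                    // A GUI is closing communication
                    //
                    FilterOn = FALSE;

                    //
                    // Reset the output buffers and hash table. No reference count is
                    // consulted here: any close of the GUI device tears the state down.
                    //
                    FilemonResetLog();
                    FilemonHashCleanup();

                    //
                    // Stop capturing drives
                    //
                    HookDriveSet( 0, DeviceObject->DriverObject );
                    UnhookSpecialFs( NPFS );
                    UnhookSpecialFs( MSFS );
                    break;

                case IRP_MJ_DEVICE_CONTROL:

                    //
                    // This path will never execute because we have registered a
                    // fast I/O path for device control. That means that the fast I/O entry
                    // point will ALWAYS be called for Device Control operations.
                    // NOTE(review): that is a convention, not something enforced here -
                    // if the fast I/O handler ever returns FALSE (IOCTL_FILEMON_GETSTATS
                    // does on a short buffer) the I/O manager can fall back to this
                    // path, so it must stay correct; confirm against the dispatch setup.
                    //
                    DbgPrint (("Filemon: IRP_MJ_DEVICE_CONTROL\n"));

                    //
                    // The DeviceIoControl parameters live in a union that is only
                    // meaningful for this major function, so read them here rather
                    // than for every IRP. The I/O manager hands us one system buffer
                    // that serves as both input and output.
                    //
                    inputBuffer        = Irp->AssociatedIrp.SystemBuffer;
                    inputBufferLength  = irpStack->Parameters.DeviceIoControl.InputBufferLength;
                    outputBuffer       = Irp->AssociatedIrp.SystemBuffer;
                    outputBufferLength = irpStack->Parameters.DeviceIoControl.OutputBufferLength;
                    ioControlCode      = irpStack->Parameters.DeviceIoControl.IoControlCode;

                    //
                    // Get output buffer if its passed as an MDL
                    //
                    if( Irp->MdlAddress ) {

                        outputBuffer = MmGetSystemAddressForMdl( Irp->MdlAddress );
                    }

                    //
                    // Its a request from the GUI. Simply call our fast handler, which
                    // reports the per-IOCTL status through Irp->IoStatus.
                    //
                    FilemonFastIoDeviceControl( irpStack->FileObject, TRUE,
                                                inputBuffer, inputBufferLength,
                                                outputBuffer, outputBufferLength,
                                                ioControlCode, &Irp->IoStatus, DeviceObject );
                    break;

                default:

                    //
                    // Not a major function this device handles. Kept as a no-op so the
                    // request still completes with STATUS_SUCCESS exactly as before.
                    // NOTE(review): consider STATUS_INVALID_DEVICE_REQUEST if the
                    // driver's dispatch table can route other majors here.
                    //
                    break;
                }

                //
                // Complete the IRP
                //
                IoCompleteRequest( Irp, IO_NO_INCREMENT );
                return STATUS_SUCCESS;
            }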

            //=========================================================

            //hook設備的功能函數,在里面夾雜了處理GUI設備的IRP_MJ_DEVICE_CONTROL的代碼

            //=========================================================
            /*
             * Fast I/O device-control entry point shared by both device types.
             *
             * If DeviceObject is the GUI interface device (hookExt->Type ==
             * GUIINTERFACE) the IOCTL is handled here and, except for the two
             * early returns in IOCTL_FILEMON_GETSTATS, TRUE is returned with the
             * result in IoStatus. Otherwise the call belongs to a hooked file
             * system: it is forwarded to that driver's FastIoDeviceControl and,
             * if the device is currently hooked, a FASTIO_DEVICE_CONTROL record
             * is logged.
             *
             * The GUI branch is also reached from FilemonDeviceRoutine's
             * IRP_MJ_DEVICE_CONTROL case, where the buffers are the IRP's system
             * buffer rather than the caller's own pointers.
             *
             * NOTE(review): on the fast I/O path InputBuffer/OutputBuffer are the
             * pointers supplied by the user-mode caller. Only IOCTL_FILEMON_GETSTATS
             * probes its buffer (ProbeForWrite inside try/except); the VERSION,
             * SETDRIVES, HOOKSPECIAL, UNHOOKSPECIAL and SETFILTER cases dereference
             * the buffers after checking only their lengths. Confirm whether the
             * same probing (and exception handling) is required there.
             *
             * FileObject, Wait, InputBuffer, InputBufferLength, OutputBuffer,
             * OutputBufferLength, IoControlCode, IoStatus - the standard fast I/O
             * device-control arguments, passed through unchanged to the lower
             * driver in the non-GUI case.
             * DeviceObject - our device; its extension says which kind it is.
             *
             * Returns TRUE when the request was handled here, FALSE when it was
             * not, or the lower driver's result in the pass-through case.
             */
            BOOLEAN
            FilemonFastIoDeviceControl(
                IN PFILE_OBJECT FileObject,
                IN BOOLEAN Wait,
                IN PVOID InputBuffer,
                IN ULONG InputBufferLength,
                OUT PVOID OutputBuffer,
                IN ULONG OutputBufferLength,
                IN ULONG IoControlCode,
                OUT PIO_STATUS_BLOCK IoStatus,
                IN PDEVICE_OBJECT DeviceObject
                )
            {
                BOOLEAN             retval = FALSE;
                BOOLEAN             logMutexReleased;
                PHOOK_EXTENSION     hookExt;
                PLOG_BUF            oldLog, savedCurrentLog;   // savedCurrentLog is not used in this routine
                CHAR                fullPathName[MAXPATHLEN], name[PROCNAMELEN], errorBuf[ERRORLEN];
                KIRQL               oldirql;
                LARGE_INTEGER       timeStampStart, timeStampComplete, timeResult;
                LARGE_INTEGER       dateTime;

                //
                // The device extension tells us whether this is our own GUI device
                // or a hooked file-system device.
                //
                hookExt = DeviceObject->DeviceExtension;
                if( hookExt->Type == GUIINTERFACE ) {

                    //
                    // Its a message from our GUI!
                    //
                    IoStatus->Status      = STATUS_SUCCESS; // Assume success
                    IoStatus->Information = 0;      // Assume nothing returned

                    switch ( IoControlCode ) {

                    case IOCTL_FILEMON_VERSION:

                        //
                        // Version #
                        // Only the output length is checked before the write; see the
                        // probing note in the header comment.
                        //
                        if( OutputBufferLength >= sizeof(ULONG)) {

                            *(ULONG *)OutputBuffer = FILEMONVERSION;
                            IoStatus->Information = sizeof(ULONG);

                        } else {

                            IoStatus->Status = STATUS_BUFFER_TOO_SMALL;
                        }
                        break;

                    case IOCTL_FILEMON_SETDRIVES:

                        //
                        // Hook and/or unhook drives. The input ULONG is the requested
                        // drive set; HookDriveSet's result is returned to the caller.
                        //
                        DbgPrint (("Filemon: set drives\n"));

                        if( InputBufferLength >= sizeof(ULONG) &&
                            OutputBufferLength >= sizeof(ULONG)) {

                            *(ULONG *)OutputBuffer = HookDriveSet( *(ULONG *)InputBuffer, DeviceObject->DriverObject );
                            IoStatus->Information = sizeof(ULONG);

                        } else {

                            IoStatus->Status = STATUS_BUFFER_TOO_SMALL;
                        }
                        break;

                    case IOCTL_FILEMON_HOOKSPECIAL:

                        //
                        // Hook one of the special file systems (e.g. NPFS/MSFS) named
                        // by the FILE_SYSTEM_TYPE in the input buffer.
                        //
                        if( InputBufferLength >= sizeof(FILE_SYSTEM_TYPE )) {

                            if( !HookSpecialFs( DeviceObject->DriverObject, *(PFILE_SYSTEM_TYPE) InputBuffer )) {

                                IoStatus->Status = STATUS_UNSUCCESSFUL;
                            }
                        } else {

                            IoStatus->Status = STATUS_BUFFER_TOO_SMALL;
                        }
                        break;

                    case IOCTL_FILEMON_UNHOOKSPECIAL:

                        //
                        // Reverse of HOOKSPECIAL; UnhookSpecialFs reports no failure.
                        //
                        if( InputBufferLength >= sizeof(FILE_SYSTEM_TYPE )) {

                            UnhookSpecialFs( *(PFILE_SYSTEM_TYPE) InputBuffer );

                        } else {

                            IoStatus->Status = STATUS_BUFFER_TOO_SMALL;
                        }
                        break;

                    case IOCTL_FILEMON_STOPFILTER:

                        //
                        // Turn off logging
                        //
                        DbgPrint(("Filemon: stop logging\n"));
                        FilterOn = FALSE;
                        break;

                    case IOCTL_FILEMON_STARTFILTER:

                        //
                        // Turn on logging
                        //
                        DbgPrint(("Filemon: start logging\n"));
                        FilterOn = TRUE;
                        break;

                    case IOCTL_FILEMON_SETFILTER:

                        //
                        // Gui is updating the filter functions. The whole FILTER
                        // structure is copied from the input buffer into the global
                        // FilterDef and the compiled filters are rebuilt.
                        //
                        DbgPrint(("Filemon: set filter\n"));

                        if( InputBufferLength >= sizeof(FILTER) ) {

                            FilterDef = *(PFILTER) InputBuffer;
                            FilemonUpdateFilters();

                        } else {

                            IoStatus->Status = STATUS_BUFFER_TOO_SMALL;
                        }
                        break;

                    case IOCTL_FILEMON_UNLOADQUERY:
            #if DBG
                        //
                        // Is it possible to unload? Only supported in checked builds;
                        // the outstanding-IRP count is returned in Information.
                        //
                        KeAcquireSpinLock( &CountMutex, &oldirql );
                        IoStatus->Information = OutstandingIRPCount;

                        //
                        // Any outstanding Irps?
                        //
                        if( !OutstandingIRPCount ) {

                            //
                            // Nope, so don't process anymore. UnloadInProgress is set
                            // while CountMutex is still held so no new IRP can slip in.
                            //
                            UnloadInProgress = TRUE;

                            KeReleaseSpinLock( &CountMutex, oldirql );

                            //
                            // Stop capturing drives
                            //
                            HookDriveSet( 0, DeviceObject->DriverObject );
                            UnhookSpecialFs( NPFS );
                            UnhookSpecialFs( MSFS );

                            //
                            // Detach from all devices
                            //
                            UnloadDetach();

                        } else {

                            KeReleaseSpinLock( &CountMutex, oldirql );
                        }
            #else // DBG
                        //
                        // Free builds never report "unloadable".
                        //
                        IoStatus->Information = 1;
            #endif // DBG
                        break;

                    case IOCTL_FILEMON_ZEROSTATS:

                        //
                        // Reset all output buffers
                        //
                        DbgPrint (("Filemon: zero stats\n"));

                        ExAcquireFastMutex( &LogMutex );

                        while( CurrentLog->Next ) {

                            //
                            // Free all but the first output buffer, unlinking each
                            // from the list before releasing it.
                            //
                            oldLog = CurrentLog->Next;
                            CurrentLog->Next = oldLog->Next;

                            ExFreePool( oldLog );
                            NumLog--;
                        }

                        //
                        // Set the output pointer to the start of the output buffer
                        //
                        CurrentLog->Len = 0;
                        Sequence = 0;

                        ExReleaseFastMutex( &LogMutex );
                        break;

                    case IOCTL_FILEMON_GETSTATS:

                        //
                        // Copy the oldest output buffer to the caller
                        //
                        DbgPrint (("Filemon: get stats\n"));

                        //
                        // If the output buffer is too large to fit into the caller's buffer
                        // NOTE(review): unlike every other failure in this switch, this
                        // returns FALSE instead of falling through to retval = TRUE. For
                        // a fast I/O routine FALSE normally asks the I/O manager to retry
                        // through the IRP path - confirm that is the intent.
                        //
                        if( LOGBUFSIZE > OutputBufferLength ) {

                            IoStatus->Status = STATUS_BUFFER_TOO_SMALL;
                            return FALSE;
                        }

                        //
                        // Probe the output buffer. This is the only IOCTL that
                        // validates the caller's pointer before touching it.
                        //
                        try {

                            ProbeForWrite( OutputBuffer,
                                           OutputBufferLength,
                                           sizeof( UCHAR ));

                        } except( EXCEPTION_EXECUTE_HANDLER ) {

                            IoStatus->Status = STATUS_INVALID_PARAMETER;
                            return FALSE;
                        }

                        //
                        // We're okay, lock the buffer pool
                        //
                        ExAcquireFastMutex( &LogMutex );
                        if( CurrentLog->Len || CurrentLog->Next ) {

                            //
                            // Start output to a new output buffer
                            //
                            FilemonAllocateLog();

                            //
                            // Fetch the oldest to give to user
                            //
                            oldLog = FilemonGetOldestLog();

                            if( oldLog != CurrentLog ) {

                                //
                                // The oldest buffer is not the live one, so the mutex can
                                // be dropped before the copy. This assumes
                                // FilemonGetOldestLog has detached oldLog from the list
                                // so nothing else can reach it - TODO confirm.
                                //
                                logMutexReleased = TRUE;
                                ExReleaseFastMutex( &LogMutex );

                            } else {

                                logMutexReleased = FALSE;
                            }

                            //
                            // Copy it to the caller's buffer. Relies on oldLog->Len never
                            // exceeding LOGBUFSIZE, the size checked above - confirm in
                            // the code that fills log buffers.
                            //
                            memcpy( OutputBuffer, oldLog->Data, oldLog->Len );

                            //
                            // Return length of copied info
                            //
                            IoStatus->Information = oldLog->Len;

                            //
                            // Deallocate buffer - unless its the last one
                            //
                            if( logMutexReleased ) {

                                ExFreePool( oldLog );

                            } else {

                                CurrentLog->Len = 0;
                                ExReleaseFastMutex( &LogMutex );
                            }

                        } else {

                            //
                            // There is no unread data
                            //
                            ExReleaseFastMutex( &LogMutex );
                            IoStatus->Information = 0;
                        }
                        break;

                    default:

                        //
                        // Unknown control
                        //
                        DbgPrint (("Filemon: unknown IRP_MJ_DEVICE_CONTROL\n"));
                        IoStatus->Status = STATUS_INVALID_DEVICE_REQUEST;
                        break;
                    }

                    //
                    // Every GUI request that reaches here counts as handled, even
                    // when IoStatus carries an error.
                    //
                    retval = TRUE;

                } else {

                    //
                    // Its a call for a file system, so pass it through - but only if
                    // the lower driver actually exports a FastIoDeviceControl routine.
                    //
                    if( FASTIOPRESENT( hookExt, FastIoDeviceControl ) ) {

                        //
                        // Resolve the file's full path up front and start timing.
                        // TIMESTAMPSTART/TIMESTAMPSTOP are macros defined elsewhere;
                        // presumably they fill timeStampStart/timeStampComplete/
                        // timeResult and dateTime declared above.
                        //
                        FilemonGetFullPath( FALSE, FileObject, hookExt, fullPathName );
                        TIMESTAMPSTART();

                        retval = hookExt->FileSystem->DriverObject->FastIoDispatch->FastIoDeviceControl(
                            FileObject, Wait, InputBuffer, InputBufferLength, OutputBuffer,
                            OutputBufferLength, IoControlCode, IoStatus, hookExt->FileSystem );

                        //
                        // Log the operation only if this device is currently being
                        // monitored. A FALSE result from the lower driver is logged as
                        // "FAILURE"; otherwise its status is rendered as text.
                        //
                        if(hookExt->Hooked) {

                            TIMESTAMPSTOP();
                            LogRecord( TRUE, NULL, &dateTime, &timeResult,
                                       "%s\tFASTIO_DEVICE_CONTROL\t%s\tIOCTL: 0x%X\t%s",
                                       FilemonGetProcess( name ), fullPathName,
                                       IoControlCode,
                                       retval ? ErrorString( IoStatus->Status, errorBuf ) : "FAILURE" );
                        }
                    }
                }

                return retval;
            }
