S.l.e!ep.￠%

NTSTATUS
DriverEntry(
????IN?PDRIVER_OBJECT?DriverObject,
????IN?PUNICODE_STRING?RegistryPath
????)
/* ++

Routine?Description:

????//?創(chuàng)建設(shè)備對(duì)象且登記它監(jiān)視所有的活動(dòng)文件系統(tǒng)
????This?is?the?initialization?routine?for?the?SFILTER?file?system?filter
????driver.??This?routine?creates?the?device?object?that?represents?this
????driver?in?the?system?and?registers?it?for?watching?all?file?systems?that
????register?or?unregister?themselves?as?active?file?systems.

Arguments:

????DriverObject?-?Pointer?to?driver?object?created?by?the?system.

Return?Value:

????The?function?value?is?the?final?status?from?the?initialization?operation.

-- */
{
????PFAST_IO_DISPATCH?FastIoDispatch;
????UNICODE_STRING?NameString;
????NTSTATUS?Status;
????ULONG?i;

????UNREFERENCED_PARAMETER(RegistryPath);

#if ?WINVER?>=?0x0501
???? // ?
???? // ?Try?to?load?the?dynamic?functions?that?may?be?available?for?our?use.
???? // ?試圖載入動(dòng)態(tài)函數(shù)
???? // ?
????SfLoadDynamicFunctions();

???? // ?
???? // ?Now?get?the?current?OS?version?that?we?will?use?to?determine?what?logic
???? // ?paths?to?take?when?this?driver?is?built?to?run?on?various?OS?version.
???? // ?得到OS版本
???? // ?
????SfGetCurrentVersion();
#endif

???? // ?
???? // ?Save?our?Driver?Object,?set?our?UNLOAD?routine
???? // ?保存我們的驅(qū)動(dòng)對(duì)象，設(shè)置我們的UNLOAD例程
???? // ?

????gSFilterDriverObject? = ?DriverObject;

#if ?DBG?&&?WINVER?>=?0x0501

???? // ?
???? // ?MULTIVERSION?NOTE:
???? // ?
???? // ?We?can?only?support?unload?for?testing?environments?if?we?can?enumerate
???? // ?the?outstanding?device?objects?that?our?driver?has.
???? // ?如果我們可以枚舉我們驅(qū)動(dòng)擁有的顯著的設(shè)備對(duì)象，僅支持測(cè)試環(huán)境的卸載
???? // ?
????
???? // ?
???? // ?Unload?is?useful?for?development?purposes.?It?is?not?recommended?for
???? // ?production?versions
???? // ?卸載只用于開發(fā)環(huán)境
???? // ?
???? if ?(NULL? != ?gSfDynamicFunctions.EnumerateDeviceObjectList)????????
????????gSFilterDriverObject -> DriverUnload? = ?DriverUnload;
#endif

???? // ?初始化一個(gè)資源變量，可被用于同步一線程集合，
???? // ?在釋放資源占用內(nèi)存前調(diào)用ExDeleteResourceLite
???? //
????Status? = ?ExInitializeResourceLite( & gRulesResource);
???? if ?( ! NT_SUCCESS(Status))
????{
????????KdPrint(( " SFilter!DriverEntry:?ExInitializeResourceLite?failed,?Status=%08x\n " ,?Status));
???????? return ?Status;
????}

???? // ?
???? // ?Setup?other?global?variables
???? // ?設(shè)置其它全局變量
???? // ?
????ExInitializeFastMutex( & gSfilterAttachLock);

????ExInitializePagedLookasideList(
???????? & gFsCtxLookAsideList,
????????NULL,
????????NULL,
???????? 0 ,
????????FSCTX_GENERIC_TABLE_POOL_SIZE,
????????SFLT_POOL_TAG,
???????? 0
????????);
????????
????ExInitializePagedLookasideList(
???????? & gFileNameLookAsideList,
????????NULL,
????????NULL,
???????? 0 ,
????????MAX_PATH? * ? sizeof (WCHAR),
????????SFLT_POOL_TAG,
???????? 0
????????);

????ExInitializeNPagedLookasideList(
???????? & gReadWriteCompletionCtxLookAsideList,
????????NULL,
????????NULL,
???????? 0 ,
???????? sizeof (READ_WRITE_COMPLETION_CONTEXT),
????????SFLT_POOL_TAG,
???????? 0
????????);

???? // ?
???? // ?Create?the?Control?Device?Object?(CDO).??This?object?represents?this?
???? // ?driver.??Note?that?it?does?not?have?a?device?extension.
???? // ?創(chuàng)建控制設(shè)備對(duì)象，這個(gè)對(duì)象代表這個(gè)驅(qū)動(dòng)。注意它沒有設(shè)備擴(kuò)展。
???? // ?
????RtlInitUnicodeString( & NameString,?L " \\FileSystem\\Filters\\SFilterCDO " );

????Status? = ?IoCreateDevice(
????????DriverObject,
???????? 0 ,?????????????????????? // ?has?no?device?extension
???????? & NameString,
????????FILE_DEVICE_DISK_FILE_SYSTEM,
????????FILE_DEVICE_SECURE_OPEN,
????????FALSE,
???????? & gSFilterControlDeviceObject
????????);
???? if ?(Status? == ?STATUS_OBJECT_PATH_NOT_FOUND)
????{
???????? // ?
???????? // ?This?must?be?a?version?of?the?OS?that?doesn't?have?the?Filters
???????? // ?path?in?its?namespace.??This?was?added?in?Windows?XP.
???????? // ?
???????? // ?We?will?try?just?putting?our?control?device?object?in?the?\FileSystem
???????? // ?portion?of?the?object?name?space.
???????? // ?XP以前的版本名字空間中未加入Filters路徑，所以將我們的控制設(shè)備對(duì)象放入
???????? // ?對(duì)象名字空間的\FileSystem部分
???????? // ?

????????RtlInitUnicodeString( & NameString,?L " \\FileSystem\\SFilterCDO " );

????????Status? = ?IoCreateDevice(
????????????DriverObject,
???????????? 0 ,?????????????????????? // ?has?no?device?extension
???????????? & NameString,
????????????FILE_DEVICE_DISK_FILE_SYSTEM,
????????????FILE_DEVICE_SECURE_OPEN,
????????????FALSE,
???????????? & gSFilterControlDeviceObject
????????????);
???????? if ?( ! NT_SUCCESS(Status))
????????{
????????????KdPrint(( " SFilter!DriverEntry:?Error?creating?control?device?object?\ " % wZ\ " ,?Status=%08x\n " ,? & NameString,?Status));
????????????ExDeleteResourceLite( & gRulesResource);
???????????? return ?Status;
????????}
????}
???? else ? if ?( ! NT_SUCCESS(Status))
????{
????????KdPrint(( " SFilter!DriverEntry:?Error?creating?control?device?object?\ " % wZ\ " ,?Status=%08x\n " ,? & NameString,?Status));
????????ExDeleteResourceLite( & gRulesResource);
???????? return ?Status;
????}

???? // ?
???? // ?Initialize?the?driver?object?with?this?device?driver's?entry?points.
???? // ?
???? for ?(i? = ? 0 ;?i? <= ?IRP_MJ_MAXIMUM_FUNCTION;?i ++ )
????{
????????DriverObject -> MajorFunction[i]? = ?SfPassThrough;
????}

???? // ?
???? // ?We?will?use?SfCreate?for?all?the?create?operations
???? // ?
????DriverObject -> MajorFunction[IRP_MJ_CREATE]? = ?SfCreate;
????DriverObject -> MajorFunction[IRP_MJ_CREATE_NAMED_PIPE]? = ?SfCreate;
????DriverObject -> MajorFunction[IRP_MJ_CREATE_MAILSLOT]? = ?SfCreate;
????
????DriverObject -> MajorFunction[IRP_MJ_FILE_SYSTEM_CONTROL]? = ?SfFsControl;
????DriverObject -> MajorFunction[IRP_MJ_CLEANUP]? = ?SfCleanup;
????DriverObject -> MajorFunction[IRP_MJ_CLOSE]? = ?SfClose;
????DriverObject -> MajorFunction[IRP_MJ_READ]? = ?SfRead;
????DriverObject -> MajorFunction[IRP_MJ_WRITE]? = ?SfWrite;
????DriverObject -> MajorFunction[IRP_MJ_DIRECTORY_CONTROL]? = ?SfDirectoryControl;
????DriverObject -> MajorFunction[IRP_MJ_SET_INFORMATION]? = ?SfSetInformation;

???? // ?
???? // ?Allocate?fast?I/O?data?structure?and?fill?it?in.
???? // ?分配快速I/O數(shù)據(jù)結(jié)構(gòu)且填入它
???? // ?
???? // ?NOTE:??The?following?FastIo?Routines?are?not?supported:
???? // ????AcquireFileForNtCreateSection
???? // ????ReleaseFileForNtCreateSection
???? // ????AcquireForModWrite
???? // ????ReleaseForModWrite
???? // ????AcquireForCcFlush
???? // ????ReleaseForCcFlush
???? // ?
???? // ?For?historical?reasons?these?FastIO's?have?never?been?sent?to?filters
???? // ?by?the?NT?I/O?system.??Instead,?they?are?sent?directly?to?the?base?
???? // ?file?system.??On?Windows?XP?and?later?OS?releases,?you?can?use?the?new?
???? // ?system?routine?"FsRtlRegisterFileSystemFilterCallbacks"?if?you?need?to?
???? // ?intercept?these?callbacks?(see?below).
???? // ?由于歷史的原因，這些快速IO不發(fā)送到過濾驅(qū)動(dòng)，而是直接發(fā)送到基礎(chǔ)文件系統(tǒng)。
???? // ?在WINXP及以后版本，如果你想攔截這些回調(diào)，你可以使用新的系
???? // ?統(tǒng)例程FsRtlRegisterFileSystemFilterCallbacks
???? // ?

????FastIoDispatch? = ?ExAllocatePoolWithTag(NonPagedPool,? sizeof (FAST_IO_DISPATCH),?SFLT_POOL_TAG);
???? if ?( ! FastIoDispatch)
????{
????????IoDeleteDevice(gSFilterControlDeviceObject);
????????ExDeleteResourceLite( & gRulesResource);
???????? return ?STATUS_INSUFFICIENT_RESOURCES;
????}

????RtlZeroMemory(FastIoDispatch,? sizeof (FAST_IO_DISPATCH));

????FastIoDispatch -> SizeOfFastIoDispatch? = ? sizeof (FAST_IO_DISPATCH);
????FastIoDispatch -> FastIoCheckIfPossible? = ?SfFastIoCheckIfPossible;
????FastIoDispatch -> FastIoRead? = ?SfFastIoRead;
????FastIoDispatch -> FastIoWrite? = ?SfFastIoWrite;
????FastIoDispatch -> FastIoQueryBasicInfo? = ?SfFastIoQueryBasicInfo;
????FastIoDispatch -> FastIoQueryStandardInfo? = ?SfFastIoQueryStandardInfo;
????FastIoDispatch -> FastIoLock? = ?SfFastIoLock;
????FastIoDispatch -> FastIoUnlockSingle? = ?SfFastIoUnlockSingle;
????FastIoDispatch -> FastIoUnlockAll? = ?SfFastIoUnlockAll;
????FastIoDispatch -> FastIoUnlockAllByKey? = ?SfFastIoUnlockAllByKey;
????FastIoDispatch -> FastIoDeviceControl? = ?SfFastIoDeviceControl;
????FastIoDispatch -> FastIoDetachDevice? = ?SfFastIoDetachDevice;
????FastIoDispatch -> FastIoQueryNetworkOpenInfo? = ?SfFastIoQueryNetworkOpenInfo;
????FastIoDispatch -> MdlRead? = ?SfFastIoMdlRead;
????FastIoDispatch -> MdlReadComplete? = ?SfFastIoMdlReadComplete;
????FastIoDispatch -> PrepareMdlWrite? = ?SfFastIoPrepareMdlWrite;
????FastIoDispatch -> MdlWriteComplete? = ?SfFastIoMdlWriteComplete;
????FastIoDispatch -> FastIoReadCompressed? = ?SfFastIoReadCompressed;
????FastIoDispatch -> FastIoWriteCompressed? = ?SfFastIoWriteCompressed;
????FastIoDispatch -> MdlReadCompleteCompressed? = ?SfFastIoMdlReadCompleteCompressed;
????FastIoDispatch -> MdlWriteCompleteCompressed? = ?SfFastIoMdlWriteCompleteCompressed;
????FastIoDispatch -> FastIoQueryOpen? = ?SfFastIoQueryOpen;

????DriverObject -> FastIoDispatch? = ?FastIoDispatch;

// ?
// ?VERSION?NOTE:
// ?
// ?There?are?6?FastIO?routines?for?which?file?system?filters?are?bypassed?as
// ?the?requests?are?passed?directly?to?the?base?file?system.??These?6?routines
// ?are?AcquireFileForNtCreateSection,?ReleaseFileForNtCreateSection,
// ?AcquireForModWrite,?ReleaseForModWrite,?AcquireForCcFlush,?and?
// ?ReleaseForCcFlush.
// ?
// ?In?Windows?XP?and?later,?the?FsFilter?callbacks?were?introduced?to?allow
// ?filters?to?safely?hook?these?operations.??See?the?IFS?Kit?documentation?for
// ?more?details?on?how?these?new?interfaces?work.
// ?
// ?MULTIVERSION?NOTE:
// ?
// ?If?built?for?Windows?XP?or?later,?this?driver?is?built?to?run?on?
// ?multiple?versions.??When?this?is?the?case,?we?will?test
// ?for?the?presence?of?FsFilter?callbacks?registration?API.??If?we?have?it,
// ?then?we?will?register?for?those?callbacks,?otherwise,?we?will?not.
// ?

#if ?WINVER?>=?0x0501

????{
????????FS_FILTER_CALLBACKS?FsFilterCallbacks;

???????? if ?(NULL? != ?gSfDynamicFunctions.RegisterFileSystemFilterCallbacks)
????????{
???????????? // ?
???????????? // ?Setup?the?callbacks?for?the?operations?we?receive?through
???????????? // ?the?FsFilter?interface.
???????????? // ?為我們通過FsFilter接口接收的操作設(shè)置回調(diào)
???????????? // ?
???????????? // ?NOTE:??You?only?need?to?register?for?those?routines?you?really?need
???????????? // ????????to?handle.??SFilter?is?registering?for?all?routines?simply?to
???????????? // ????????give?an?example?of?how?it?is?done.
???????????? // ?
????????????FsFilterCallbacks.SizeOfFsFilterCallbacks? = ? sizeof (FS_FILTER_CALLBACKS);
????????????FsFilterCallbacks.PreAcquireForSectionSynchronization? = ?SfPreFsFilterPassThrough;
????????????FsFilterCallbacks.PostAcquireForSectionSynchronization? = ?SfPostFsFilterPassThrough;
????????????FsFilterCallbacks.PreReleaseForSectionSynchronization? = ?SfPreFsFilterPassThrough;
????????????FsFilterCallbacks.PostReleaseForSectionSynchronization? = ?SfPostFsFilterPassThrough;
????????????FsFilterCallbacks.PreAcquireForCcFlush? = ?SfPreFsFilterPassThrough;
????????????FsFilterCallbacks.PostAcquireForCcFlush? = ?SfPostFsFilterPassThrough;
????????????FsFilterCallbacks.PreReleaseForCcFlush? = ?SfPreFsFilterPassThrough;
????????????FsFilterCallbacks.PostReleaseForCcFlush? = ?SfPostFsFilterPassThrough;
????????????FsFilterCallbacks.PreAcquireForModifiedPageWriter? = ?SfPreFsFilterPassThrough;
????????????FsFilterCallbacks.PostAcquireForModifiedPageWriter? = ?SfPostFsFilterPassThrough;
????????????FsFilterCallbacks.PreReleaseForModifiedPageWriter? = ?SfPreFsFilterPassThrough;
????????????FsFilterCallbacks.PostReleaseForModifiedPageWriter? = ?SfPostFsFilterPassThrough;

????????????Status? = ?(gSfDynamicFunctions.RegisterFileSystemFilterCallbacks)(DriverObject,? & FsFilterCallbacks);
???????????? if ?( ! NT_SUCCESS(Status))
????????????{
????????????????DriverObject -> FastIoDispatch? = ?NULL;
????????????????ExFreePool(FastIoDispatch);
????????????????IoDeleteDevice(gSFilterControlDeviceObject);
????????????????ExDeleteResourceLite( & gRulesResource);
???????????????? return ?Status;
????????????}
????????}
????}
#endif

???? // ?
???? // ?The?registered?callback?routine?"SfFsNotification"?will?be?called
???? // ?whenever?a?new?file?systems?is?loaded?or?when?any?file?system?is
???? // ?unloaded.
???? // ?當(dāng)一個(gè)新的文件系統(tǒng)被裝入或者當(dāng)任何文件系統(tǒng)被卸載時(shí)，注冊(cè)的回調(diào)函數(shù)
???? // ?SfFsNotification將被調(diào)用
???? // ?
???? // ?VERSION?NOTE:
???? // ?
???? // ?On?Windows?XP?and?later?this?will?also?enumerate?all?existing?file
???? // ?systems?(except?the?RAW?file?systems).??On?Windows?2000?this?does?not
???? // ?enumerate?the?file?systems?that?were?loaded?before?this?filter?was
???? // ?loaded.
???? // ?
????Status? = ?IoRegisterFsRegistrationChange(DriverObject,?SfFsNotification);
???? if ?( ! NT_SUCCESS(Status))
????{
????????KdPrint(( " SFilter!DriverEntry:?Error?registering?FS?change?notification,?Status=%08x\n " ,?Status));

????????DriverObject -> FastIoDispatch? = ?NULL;
????????ExFreePool(FastIoDispatch);
????????IoDeleteDevice(gSFilterControlDeviceObject);
????????ExDeleteResourceLite( & gRulesResource);
???????? return ?Status;
????}

???? // ?
???? // ?Attempt?to?attach?to?the?appropriate?RAW?file?system?device?objects
???? // ?since?they?are?not?enumerated?by?IoRegisterFsRegistrationChange.
???? // ?試圖附著到合適的RAW文件系統(tǒng)設(shè)備對(duì)象，因?yàn)樗麄儧]有被IoRegisterFsRegistrationChange枚舉
???? // ?
????{
????????PDEVICE_OBJECT?RawDeviceObject;
????????PFILE_OBJECT?FileObject;

???????? // ?
???????? // ?Attach?to?RawDisk?device
???????? // ?附著到RawDisk設(shè)備
???????? // ?
????????RtlInitUnicodeString( & NameString,?L " \\Device\\RawDisk " );
????????Status? = ?IoGetDeviceObjectPointer(
???????????? & NameString,
????????????FILE_READ_ATTRIBUTES,
???????????? & FileObject,
???????????? & RawDeviceObject
????????????);
???????? if ?(NT_SUCCESS(Status))
????????{
????????????SfFsNotification(RawDeviceObject,?TRUE);
????????????ObDereferenceObject(FileObject);
????????}

???????? // ?
???????? // ?Attach?to?the?RawCdRom?device
???????? // ?附著到RawCdRom設(shè)備
???????? // ?
????????RtlInitUnicodeString( & NameString,?L " \\Device\\RawCdRom " );
????????Status? = ?IoGetDeviceObjectPointer(
???????????? & NameString,
????????????FILE_READ_ATTRIBUTES,
???????????? & FileObject,
???????????? & RawDeviceObject
????????????);
???????? if ?(NT_SUCCESS(Status))
????????{
????????????SfFsNotification(RawDeviceObject,?TRUE);
????????????ObDereferenceObject(FileObject);
????????}
????}

???? // ?
???? // ?Clear?the?initializing?flag?on?the?control?device?object?since?we
???? // ?have?now?successfully?initialized?everything.
???? // ?清除控制設(shè)備對(duì)象上的初始化標(biāo)志，因?yàn)槲覀儸F(xiàn)在成功完成初始化
???? // ?
????ClearFlag(gSFilterControlDeviceObject -> Flags,?DO_DEVICE_INITIALIZING);

????IoRegisterDriverReinitialization(DriverObject,?SfDriverReinitialization,?NULL);

???? return ?STATUS_SUCCESS;
}