编程框架
- FltRegisterFilter：注册 Minifilter 驱动；使用结束后用 FltUnregisterFilter 卸载。注册时，第二个参数传入构建好的 FLT_REGISTRATION 结构，其中主要是操作回调函数集和驱动卸载函数。
- FltBuildDefaultSecurityDescriptor：生成默认安全描述符。
- FltCreateCommunicationPort：创建通信服务器端口；使用结束后用 FltCloseCommunicationPort 关闭。
- FltStartFiltering：开始过滤。当有 I/O 操作发生时，执行流会进入操作回调函数集。
FLT_REGISTRATION
/*
 * Filter registration record: built by the driver and passed as the second
 * argument of FltRegisterFilter (see the notes above). The members this page
 * actually discusses are OperationRegistration (the operation callback table)
 * and FilterUnloadCallback (the driver unload routine); the remaining members
 * are optional hooks whose semantics are not covered here.
 */
typedef struct _FLT_REGISTRATION {
USHORT Size;                                              /* size of this structure in bytes (presumably sizeof(FLT_REGISTRATION) — confirm) */
USHORT Version;                                           /* structure version (presumably FLT_REGISTRATION_VERSION — confirm) */
FLT_REGISTRATION_FLAGS Flags;
const FLT_CONTEXT_REGISTRATION *ContextRegistration;
const FLT_OPERATION_REGISTRATION *OperationRegistration;  /* per-major-function callback table, terminated by an IRP_MJ_OPERATION_END entry (see OperationRegistration[] below) */
PFLT_FILTER_UNLOAD_CALLBACK FilterUnloadCallback;         /* driver unload routine */
PFLT_INSTANCE_SETUP_CALLBACK InstanceSetupCallback;
PFLT_INSTANCE_QUERY_TEARDOWN_CALLBACK InstanceQueryTeardownCallback;
PFLT_INSTANCE_TEARDOWN_CALLBACK InstanceTeardownStartCallback;
PFLT_INSTANCE_TEARDOWN_CALLBACK InstanceTeardownCompleteCallback;
PFLT_GENERATE_FILE_NAME GenerateFileNameCallback;
PFLT_NORMALIZE_NAME_COMPONENT NormalizeNameComponentCallback;
PFLT_NORMALIZE_CONTEXT_CLEANUP NormalizeContextCleanupCallback;
PFLT_TRANSACTION_NOTIFICATION_CALLBACK TransactionNotificationCallback;
PFLT_NORMALIZE_NAME_COMPONENT_EX NormalizeNameComponentExCallback;
PFLT_SECTION_CONFLICT_NOTIFICATION_CALLBACK SectionNotificationCallback;
} FLT_REGISTRATION, *PFLT_REGISTRATION;
操作回调函数集
/*
 * One entry of the operation callback table (see OperationRegistration[]
 * below). Positional initialisation order is MajorFunction, Flags,
 * PreOperation, PostOperation, Reserved1.
 */
typedef struct _FLT_OPERATION_REGISTRATION {
UCHAR MajorFunction;                        /* IRP_MJ_* code the entry applies to; IRP_MJ_OPERATION_END marks the end of the table */
FLT_OPERATION_REGISTRATION_FLAGS Flags;
PFLT_PRE_OPERATION_CALLBACK PreOperation;   /* pre-operation callback (prototype: PfltPreOperationCallback below) */
PFLT_POST_OPERATION_CALLBACK PostOperation; /* post-operation callback */
PVOID Reserved1;
} FLT_OPERATION_REGISTRATION, *PFLT_OPERATION_REGISTRATION;
/*
 * Operation callback table handed to FltRegisterFilter through
 * FLT_REGISTRATION.OperationRegistration. One entry per intercepted major
 * function, closed by an IRP_MJ_OPERATION_END sentinel entry. Only
 * IRP_MJ_CREATE is hooked here; PrevCreate and PostCreate are the pre- and
 * post-operation callbacks (both declared elsewhere).
 */
static CONST FLT_OPERATION_REGISTRATION OperationRegistration[] = {
    {
        .MajorFunction = IRP_MJ_CREATE,
        .Flags         = 0,
        .PreOperation  = PrevCreate,
        .PostOperation = PostCreate,
    },
    { .MajorFunction = IRP_MJ_OPERATION_END },
};
预操作回调函数
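/*
 * Pre-operation callback prototype (the function type behind
 * PFLT_PRE_OPERATION_CALLBACK, used for the PreOperation member of
 * FLT_OPERATION_REGISTRATION).
 *
 * Data              - [in, out] the callback data packet (FLT_CALLBACK_DATA)
 *                     describing the I/O operation being filtered.
 * FltObjects        - [in] objects related to the operation
 *                     (FLT_RELATED_OBJECTS: filter, volume, instance,
 *                     file object, transaction).
 * CompletionContext - [out] context pointer; presumably handed to the
 *                     matching post-operation callback — confirm against
 *                     the Filter Manager documentation.
 *
 * Returns an FLT_PREOP_CALLBACK_STATUS value.
 *
 * The original listing omitted the closing ");" so the declaration did not
 * parse; the [in]/[out] annotations are kept as comments because they are
 * documentation notation, not C.
 */
FLT_PREOP_CALLBACK_STATUS PfltPreOperationCallback(
    /* [in, out] */ PFLT_CALLBACK_DATA Data,
    /* [in] */      PCFLT_RELATED_OBJECTS FltObjects,
    /* [out] */     PVOID *CompletionContext
);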
回调数据包(FLT_CALLBACK_DATA)
/*
 * Callback data packet: the Data argument of the pre-/post-operation
 * callbacks. Iopb carries the operation's parameters
 * (FLT_IO_PARAMETER_BLOCK below) and IoStatus its status/information
 * (IO_STATUS_BLOCK below).
 */
typedef struct _FLT_CALLBACK_DATA {
FLT_CALLBACK_DATA_FLAGS Flags;
PETHREAD Thread;                            /* presumably the thread that issued the request — confirm */
PFLT_IO_PARAMETER_BLOCK Iopb;               /* operation parameters, see FLT_IO_PARAMETER_BLOCK */
IO_STATUS_BLOCK IoStatus;                   /* completion status/information, see IO_STATUS_BLOCK */
struct _FLT_TAG_DATA_BUFFER *TagData;
union {
struct {
LIST_ENTRY QueueLinks;
PVOID QueueContext[2];
};
PVOID FilterContext[4];
};
KPROCESSOR_MODE RequestorMode;              /* NOTE(review): type suggests UserMode/KernelMode of the requestor; buffers from a user-mode requestor should be treated as untrusted and validated before use — confirm */
} FLT_CALLBACK_DATA, *PFLT_CALLBACK_DATA;
参数(FLT_IO_PARAMETER_BLOCK)
/*
 * I/O parameter block reached through FLT_CALLBACK_DATA.Iopb. MajorFunction
 * (and MinorFunction) identify the operation; Parameters is the
 * FLT_PARAMETERS union below, of which only the member matching the
 * operation is meaningful.
 */
typedef struct _FLT_IO_PARAMETER_BLOCK {
ULONG IrpFlags;
UCHAR MajorFunction;                        /* IRP_MJ_* code of the operation */
UCHAR MinorFunction;
UCHAR OperationFlags;
UCHAR Reserved;
PFILE_OBJECT TargetFileObject;              /* file object the operation targets */
PFLT_INSTANCE TargetInstance;               /* filter instance the operation is passing through */
FLT_PARAMETERS Parameters;                  /* operation-specific parameters; valid member selected by MajorFunction/MinorFunction */
} FLT_IO_PARAMETER_BLOCK, *PFLT_IO_PARAMETER_BLOCK;
/*
 * Operation-specific parameters, embedded in FLT_IO_PARAMETER_BLOCK.
 * Exactly one member is meaningful for a given operation; the member names
 * mirror the IRP major function names (Create -> IRP_MJ_CREATE, Read ->
 * IRP_MJ_READ, ...) — confirm the exact mapping, and the MinorFunction
 * sub-selection inside the nested unions, against fltKernel.h.
 *
 * NOTE(review): most members pair a Length with a buffer pointer and/or an
 * MDL. Which of the pointer/MDL is populated is not determinable from this
 * declaration, and the lengths originate with the requestor; validate the
 * length against the buffer actually available before reading or writing
 * through these pointers.
 */
typedef union _FLT_PARAMETERS {
struct {
PIO_SECURITY_CONTEXT SecurityContext;
ULONG Options;
USHORT POINTER_ALIGNMENT FileAttributes;
USHORT ShareAccess;
ULONG POINTER_ALIGNMENT EaLength;           /* length of EaBuffer */
PVOID EaBuffer;
LARGE_INTEGER AllocationSize;
} Create;                                   /* file create/open */
struct {
PIO_SECURITY_CONTEXT SecurityContext;
ULONG Options;
USHORT POINTER_ALIGNMENT Reserved;
USHORT ShareAccess;
PVOID Parameters;
} CreatePipe;                               /* named pipe create */
struct {
PIO_SECURITY_CONTEXT SecurityContext;
ULONG Options;
USHORT POINTER_ALIGNMENT Reserved;
USHORT ShareAccess;
PVOID Parameters;
} CreateMailslot;                           /* mailslot create */
struct {
ULONG Length;                               /* bytes requested */
ULONG POINTER_ALIGNMENT Key;
LARGE_INTEGER ByteOffset;                   /* file offset of the transfer */
PVOID ReadBuffer;                           /* destination buffer, or see MdlAddress */
PMDL MdlAddress;
} Read;
struct {
ULONG Length;                               /* bytes to write */
ULONG POINTER_ALIGNMENT Key;
LARGE_INTEGER ByteOffset;                   /* file offset of the transfer */
PVOID WriteBuffer;                          /* source buffer, or see MdlAddress */
PMDL MdlAddress;
} Write;
struct {
ULONG Length;                               /* size of InfoBuffer */
FILE_INFORMATION_CLASS POINTER_ALIGNMENT FileInformationClass;
PVOID InfoBuffer;
} QueryFileInformation;
struct {
ULONG Length;                               /* size of InfoBuffer */
FILE_INFORMATION_CLASS POINTER_ALIGNMENT FileInformationClass;
PFILE_OBJECT ParentOfTarget;
union {
struct {
BOOLEAN ReplaceIfExists;
BOOLEAN AdvanceOnly;
};
ULONG ClusterCount;
HANDLE DeleteHandle;
};
PVOID InfoBuffer;                           /* layout depends on FileInformationClass */
} SetFileInformation;
struct {
ULONG Length;
PVOID EaList;
ULONG EaListLength;
ULONG POINTER_ALIGNMENT EaIndex;
PVOID EaBuffer;
PMDL MdlAddress;
} QueryEa;
struct {
ULONG Length;
PVOID EaBuffer;
PMDL MdlAddress;
} SetEa;
struct {
ULONG Length;
FS_INFORMATION_CLASS POINTER_ALIGNMENT FsInformationClass;
PVOID VolumeBuffer;
} QueryVolumeInformation;
struct {
ULONG Length;
FS_INFORMATION_CLASS POINTER_ALIGNMENT FsInformationClass;
PVOID VolumeBuffer;
} SetVolumeInformation;
union {                                     /* directory control; sub-member presumably selected by MinorFunction — confirm */
struct {
ULONG Length;
PUNICODE_STRING FileName;                   /* search pattern */
FILE_INFORMATION_CLASS FileInformationClass;
ULONG POINTER_ALIGNMENT FileIndex;
PVOID DirectoryBuffer;
PMDL MdlAddress;
} QueryDirectory;
struct {
ULONG Length;
ULONG POINTER_ALIGNMENT CompletionFilter;
ULONG POINTER_ALIGNMENT Spare1;
ULONG POINTER_ALIGNMENT Spare2;
PVOID DirectoryBuffer;
PMDL MdlAddress;
} NotifyDirectory;
struct {
ULONG Length;
ULONG POINTER_ALIGNMENT CompletionFilter;
DIRECTORY_NOTIFY_INFORMATION_CLASS POINTER_ALIGNMENT DirectoryNotifyInformationClass;
ULONG POINTER_ALIGNMENT Spare2;
PVOID DirectoryBuffer;
PMDL MdlAddress;
} NotifyDirectoryEx;
} DirectoryControl;
union {                                     /* file system control (FSCTL); the Common prefix is shared by Neither/Buffered/Direct */
struct {
PVPB Vpb;
PDEVICE_OBJECT DeviceObject;
} VerifyVolume;
struct {
ULONG OutputBufferLength;
ULONG POINTER_ALIGNMENT InputBufferLength;
ULONG POINTER_ALIGNMENT FsControlCode;
} Common;
struct {
ULONG OutputBufferLength;
ULONG POINTER_ALIGNMENT InputBufferLength;
ULONG POINTER_ALIGNMENT FsControlCode;
PVOID InputBuffer;                          /* NOTE(review): name suggests METHOD_NEITHER, i.e. raw caller pointers — treat as untrusted, confirm */
PVOID OutputBuffer;
PMDL OutputMdlAddress;
} Neither;
struct {
ULONG OutputBufferLength;
ULONG POINTER_ALIGNMENT InputBufferLength;
ULONG POINTER_ALIGNMENT FsControlCode;
PVOID SystemBuffer;
} Buffered;
struct {
ULONG OutputBufferLength;
ULONG POINTER_ALIGNMENT InputBufferLength;
ULONG POINTER_ALIGNMENT FsControlCode;
PVOID InputSystemBuffer;
PVOID OutputBuffer;
PMDL OutputMdlAddress;
} Direct;
} FileSystemControl;
union {                                     /* device I/O control (IOCTL); same Common/Neither/Buffered/Direct split as FileSystemControl */
struct {
ULONG OutputBufferLength;
ULONG POINTER_ALIGNMENT InputBufferLength;
ULONG POINTER_ALIGNMENT IoControlCode;
} Common;
struct {
ULONG OutputBufferLength;
ULONG POINTER_ALIGNMENT InputBufferLength;
ULONG POINTER_ALIGNMENT IoControlCode;
PVOID InputBuffer;                          /* NOTE(review): name suggests METHOD_NEITHER, i.e. raw caller pointers — treat as untrusted, confirm */
PVOID OutputBuffer;
PMDL OutputMdlAddress;
} Neither;
struct {
ULONG OutputBufferLength;
ULONG POINTER_ALIGNMENT InputBufferLength;
ULONG POINTER_ALIGNMENT IoControlCode;
PVOID SystemBuffer;
} Buffered;
struct {
ULONG OutputBufferLength;
ULONG POINTER_ALIGNMENT InputBufferLength;
ULONG POINTER_ALIGNMENT IoControlCode;
PVOID InputSystemBuffer;
PVOID OutputBuffer;
PMDL OutputMdlAddress;
} Direct;
struct {
ULONG OutputBufferLength;
ULONG POINTER_ALIGNMENT InputBufferLength;
ULONG POINTER_ALIGNMENT IoControlCode;
PVOID InputBuffer;
PVOID OutputBuffer;
} FastIo;
} DeviceIoControl;
struct {
PLARGE_INTEGER Length;
ULONG POINTER_ALIGNMENT Key;
LARGE_INTEGER ByteOffset;
PEPROCESS ProcessId;
BOOLEAN FailImmediately;
BOOLEAN ExclusiveLock;
} LockControl;                              /* byte-range lock control */
struct {
SECURITY_INFORMATION SecurityInformation;
ULONG POINTER_ALIGNMENT Length;
PVOID SecurityBuffer;
PMDL MdlAddress;
} QuerySecurity;
struct {
SECURITY_INFORMATION SecurityInformation;
PSECURITY_DESCRIPTOR SecurityDescriptor;
} SetSecurity;
struct {
ULONG_PTR ProviderId;
PVOID DataPath;
ULONG BufferSize;
PVOID Buffer;
} WMI;
struct {
ULONG Length;
PSID StartSid;
PFILE_GET_QUOTA_INFORMATION SidList;
ULONG SidListLength;
PVOID QuotaBuffer;
PMDL MdlAddress;
} QueryQuota;
struct {
ULONG Length;
PVOID QuotaBuffer;
PMDL MdlAddress;
} SetQuota;
union {                                     /* plug-and-play requests; sub-member presumably selected by MinorFunction — confirm */
struct {
PCM_RESOURCE_LIST AllocatedResources;
PCM_RESOURCE_LIST AllocatedResourcesTranslated;
} StartDevice;
struct {
DEVICE_RELATION_TYPE Type;
} QueryDeviceRelations;
struct {
const GUID *InterfaceType;
USHORT Size;
USHORT Version;
PINTERFACE Interface;
PVOID InterfaceSpecificData;
} QueryInterface;
struct {
PDEVICE_CAPABILITIES Capabilities;
} DeviceCapabilities;
struct {
PIO_RESOURCE_REQUIREMENTS_LIST IoResourceRequirementList;
} FilterResourceRequirements;
struct {
ULONG WhichSpace;
PVOID Buffer;
ULONG Offset;
ULONG POINTER_ALIGNMENT Length;
} ReadWriteConfig;
struct {
BOOLEAN Lock;
} SetLock;
struct {
BUS_QUERY_ID_TYPE IdType;
} QueryId;
struct {
DEVICE_TEXT_TYPE DeviceTextType;
LCID POINTER_ALIGNMENT LocaleId;
} QueryDeviceText;
struct {
BOOLEAN InPath;
BOOLEAN Reserved[3];
DEVICE_USAGE_NOTIFICATION_TYPE POINTER_ALIGNMENT Type;
} UsageNotification;
} Pnp;
struct {
FS_FILTER_SECTION_SYNC_TYPE SyncType;
ULONG PageProtection;
PFS_FILTER_SECTION_SYNC_OUTPUT OutputInformation;
ULONG Flags;
ULONG AllocationAttributes;
} AcquireForSectionSynchronization;
struct {
PLARGE_INTEGER EndingOffset;
PERESOURCE *ResourceToRelease;
} AcquireForModifiedPageWriter;
struct {
PERESOURCE ResourceToRelease;
} ReleaseForModifiedPageWriter;
struct {
PIRP Irp;
PVOID FileInformation;
PULONG Length;
FILE_INFORMATION_CLASS FileInformationClass;
} QueryOpen;
struct {
LARGE_INTEGER FileOffset;
ULONG Length;
ULONG POINTER_ALIGNMENT LockKey;
BOOLEAN POINTER_ALIGNMENT CheckForReadOperation;
} FastIoCheckIfPossible;
struct {
PIRP Irp;
PFILE_NETWORK_OPEN_INFORMATION NetworkInformation;
} NetworkQueryOpen;
struct {
LARGE_INTEGER FileOffset;
ULONG POINTER_ALIGNMENT Length;
ULONG POINTER_ALIGNMENT Key;
PMDL *MdlChain;
} MdlRead;
struct {
PMDL MdlChain;
} MdlReadComplete;
struct {
LARGE_INTEGER FileOffset;
ULONG POINTER_ALIGNMENT Length;
ULONG POINTER_ALIGNMENT Key;
PMDL *MdlChain;
} PrepareMdlWrite;
struct {
LARGE_INTEGER FileOffset;
PMDL MdlChain;
} MdlWriteComplete;
struct {
ULONG DeviceType;
} MountVolume;
struct {                                    /* generic view: six untyped arguments for operations not covered above */
PVOID Argument1;
PVOID Argument2;
PVOID Argument3;
PVOID Argument4;
PVOID Argument5;
LARGE_INTEGER Argument6;
} Others;
} FLT_PARAMETERS, *PFLT_PARAMETERS;
状态和信息(IO_STATUS_BLOCK)
/*
 * Completion status of an I/O operation, embedded in
 * FLT_CALLBACK_DATA.IoStatus. Status and Pointer overlay each other, so only
 * one of them is meaningful at a time.
 */
typedef struct _IO_STATUS_BLOCK {
union {
NTSTATUS Status;                            /* completion status code */
PVOID Pointer;
};
ULONG_PTR Information;                      /* operation-dependent value (presumably e.g. a byte count for transfers — confirm) */
} IO_STATUS_BLOCK, *PIO_STATUS_BLOCK;
关联对象
/*
 * Objects related to the operation being filtered; the FltObjects argument
 * of the pre-/post-operation callbacks (passed as PCFLT_RELATED_OBJECTS).
 */
typedef struct _FLT_RELATED_OBJECTS {
USHORT Size;                                /* size of this structure in bytes */
USHORT TransactionContext;
PFLT_FILTER Filter;                         /* the registered filter (from FltRegisterFilter) */
PFLT_VOLUME Volume;                         /* volume the operation targets */
PFLT_INSTANCE Instance;                     /* filter instance on that volume */
PFILE_OBJECT FileObject;                    /* file object of the operation */
PKTRANSACTION Transaction;                  /* associated transaction, if any */
} FLT_RELATED_OBJECTS, *PFLT_RELATED_OBJECTS;