
📄 ifsddk.inc

📁 WIN2000下利用汇编做文件过滤驱动程序
; Shorthand text equates for the operator / size keywords used by the driver
; source. Comments are kept on their own lines so they can never become part
; of an equate's replacement text.
OFF	equ	offset
L	equ	large
D	equ	dword
W	equ	word
; Boolean values.
TRUE	equ	01
FALSE	equ	00

; Hand-copied subset of NT DDK constants (device type, IRP major function
; codes, NTSTATUS values, ZwCreateFile access / share / disposition / option
; flags, object attribute flags). Values without an 'h' suffix are decimal
; under the assembler's default radix.
FILE_DEVICE_DISK_FILE_SYSTEM    equ 008h
IRP_MJ_CREATE                   equ 000h
IRP_MJ_CLOSE                    equ 002h
IRP_MJ_DEVICE_CONTROL           equ 00eh
; Highest IRP_MJ_* code; the dispatch table in PDRIVER_OBJECT has
; IRP_MJ_MAXIMUM_FUNCTION+1 entries, so any index used must stay <= 01bh.
IRP_MJ_MAXIMUM_FUNCTION         equ 01bh
IO_NO_INCREMENT                 equ 000h
; NOTE(review): no radix suffix, so this is decimal 27 (not 27h) -- confirm it
; matches the fast I/O dispatch table the driver actually builds.
FAST_IO_MAX_FUNCTION		equ 0027
STATUS_INVALID_PARAMETER        equ 0C000000Dh
STATUS_INVALID_DEVICE_REQUEST   equ 0C0000010h
; Required-access field of an IOCTL code: 0 means the I/O manager demands
; neither read nor write access on the handle.
; NOTE(review): if the driver's control codes are built with this value, every
; caller that can open the device can issue them; the device object's ACL is
; then the only gate -- confirm against the IOCTL definitions.
FILE_ANY_ACCESS			equ 0
SYNCHRONIZE                     equ 00100000h
FILE_SHARE_READ                 equ 00000001 
FILE_SHARE_WRITE                equ 00000002
FILE_OPEN                       equ 00000001
FILE_SYNCHRONOUS_IO_NONALERT    equ 00000020h
FILE_DIRECTORY_FILE             equ 00000001
FILE_READ_DATA			equ 01
OBJ_CASE_INSENSITIVE		equ 00000040h

; 32-bit layout of the NT OBJECT_ATTRIBUTES structure (six dwords, 24 bytes).
; Every pointer and handle is declared as a dword, so this is x86-only.
OBJECT_ATTRIB struc
   ;ULONG Length;
   ; The caller sets this to the structure size (SIZE OBJECT_ATTRIB).
    oaLength dd ?
   ;HANDLE RootDirectory;
    oaRootDirectory dd ?
   ;PUNICODE_STRING ObjectName;
   ; Pointer to a UNICODE_STRING, not to the characters themselves.
    oaObjectName dd ?
   ;ULONG Attributes;
   ; OBJ_* flags, e.g. OBJ_CASE_INSENSITIVE.
    oaAttrib dd ?
   ;PVOID SecurityDescriptor;        // Points to type SECURITY_DESCRIPTOR
   ;PVOID SecurityQualityOfService;  // Points to type SECURITY_QUALITY_OF_SERVICE
    oaSecurityDescriptor dd ?
    oaSecurityQualityOfService dd ?
OBJECT_ATTRIB ends

; 32-bit layout of the NT counted Unicode string descriptor (8 bytes).
UNICODE_STRING struc
    ;USHORT Length;
    ;USHORT MaximumLength;
    ; Both counts are in bytes, not characters (the MIDL annotation below
    ; divides them by 2 to get USHORT elements). Code reading usBuffer should
    ; be bounded by usLength rather than by a terminating zero.

    usLength dw ?
    usMaximumLength dw ?

;#ifdef MIDL_PASS
;    [size_is(MaximumLength / 2), length_is((Length) / 2) ] USHORT * Buffer;
;#else // MIDL_PASS
;    PWSTR  Buffer;
;#endif // MIDL_PASS

     ; 32-bit pointer to the UTF-16 character data.
     usBuffer dd ?

UNICODE_STRING ends

; 32-bit layout of the NT counted 8-bit string descriptor (8 bytes).
; Same shape as UNICODE_STRING, but the buffer holds single-byte characters.
ANSI_STRING struc
    ;USHORT Length;
    ;USHORT MaximumLength;
    ; Both counts are in bytes.

    asLength dw ?
    asMaximumLength dw ?

; The original comment here was copied from UNICODE_STRING (MIDL annotation
; with "Length / 2" and "PWSTR Buffer"); for ANSI_STRING the DDK member is:
;    PCHAR  Buffer;

     ; 32-bit pointer to the character data.
     asBuffer dd ?

ANSI_STRING ends

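; Partial 32-bit (x86) layout of the NT DEVICE_OBJECT.
;
; Only the members up to AlignmentRequirement are declared; the rest are
; listed as comments at the end. SIZE DEVICE_OBJECT is therefore smaller than
; the real object and must not be used to allocate, copy or clear one.
;
; Fix over the previous revision: the assembler packs struc fields with no
; padding, so the byte-sized doStackSize left every later field at an odd,
; wrong offset, and the Queue union was declared as 8 bytes although its
; larger member (WAIT_CONTEXT_BLOCK) is 40 bytes. doAlignmentReq therefore
; pointed into the middle of the Queue union; reading or writing it touched
; the wrong kernel memory. Explicit padding now reproduces the C layout.
DEVICE_OBJECT struc

    ;CSHORT Type;
    ;USHORT Size;

    doType dw ?                 ; +00h
    doSize dw ?                 ; +02h

    ;LONG ReferenceCount;

    doReferenceCount dd ?       ; +04h

    ;struct _DRIVER_OBJECT *DriverObject;
    ;struct _DEVICE_OBJECT *NextDevice;
    ;struct _DEVICE_OBJECT *AttachedDevice;
    ;struct _IRP *CurrentIrp;

    doDriverObject dd ?         ; +08h
    doNextDevice dd ?           ; +0Ch
    doAttachedDevice dd ?       ; +10h
    doCurrentIrp dd ?           ; +14h

    ;PIO_TIMER Timer;
    ;ULONG Flags;                                // See above:  DO_...
    ;ULONG Characteristics;                      // See ntioapi:  FILE_...

    doTimer dd ?                ; +18h
    doFlags dd ?                ; +1Ch
    doCharacteristics dd ?      ; +20h

    ;PVPB Vpb;
    ;PVOID DeviceExtension;

    doVpb dd ?                  ; +24h
    doDeviceExtension dd ?      ; +28h

    ;DEVICE_TYPE DeviceType;

    doDeviceType dd ?           ; +2Ch

    ;CCHAR StackSize;

    doStackSize db ?            ; +30h
    ; The C compiler aligns the following union on a dword boundary; the
    ; assembler does not, so the three padding bytes are spelled out.
    doStackSizePad db 3 dup(?)  ; +31h

    ;union {
    ;    LIST_ENTRY ListEntry;
    ;    WAIT_CONTEXT_BLOCK Wcb;
    ;} Queue;

    ; The union is as large as its biggest member: WAIT_CONTEXT_BLOCK is
    ; 40 bytes on x86. doListEntry names the first 8 bytes (the LIST_ENTRY
    ; view); doQueueRest reserves the remaining 32.
    doListEntry dd 2 dup(?)     ; +34h
    doQueueRest dd 8 dup(?)     ; +3Ch

    ;ULONG AlignmentRequirement;

    doAlignmentReq dd ?         ; +5Ch

    ; --- members below are not declared in this include file ---

    ;KDEVICE_QUEUE DeviceQueue;

    ;KDPC Dpc;

    ;//
    ;//  The following field is for exclusive use by the filesystem to keep
    ;//  track of the number of Fsp threads currently using the device
    ;//

    ;ULONG ActiveThreadCount;
    ;PSECURITY_DESCRIPTOR SecurityDescriptor;
    ;KEVENT DeviceLock;

    ;USHORT SectorSize;
    ;USHORT Spare1;

    ;struct _DEVOBJ_EXTENSION  *DeviceObjectExtension;
    ;PVOID  Reserved;

DEVICE_OBJECT ends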


; 32-bit (x86) layout of the NT FILE_OBJECT, declared through
; CompletionContext (70h bytes). The eight BOOLEAN bytes fill exactly two
; dwords, so no padding is needed before foFlags.
;
; Several field names are misspelled or lack the "fo" prefix (WrtieAcess,
; shateRead, RelatedFileObject, DeleteAccess, ...). They are left as they are
; because code that includes this file refers to them by these names.
; NOTE(review): in assemblers where struc field names are global symbols, the
; unprefixed names can collide with other definitions -- confirm before
; adding new symbols.
FILE_OBJECT struc

    ;CSHORT Type;
    ;CSHORT Size;

    foType dw ?
    foSize dw ?

    ;PDEVICE_OBJECT DeviceObject;
    ;PVPB Vpb;    
    ;PVOID FsContext;
    ;PVOID FsContext2;
    ;PSECTION_OBJECT_POINTERS SectionObjectPointer;
    ;PVOID PrivateCacheMap;

    foDeviceObject dd ?    
    foVpb dd ?
    foFsContext dd ?
    foFsContext2 dd ?
    foSectionObjectPointer dd ?
    foPrivateCacheMap dd ?

    ;NTSTATUS FinalStatus;

    foFinalStatus dd ?

    ;struct _FILE_OBJECT *RelatedFileObject;
    RelatedFileObject dd ?

    ;BOOLEAN LockOperation;
    ;BOOLEAN DeletePending;
    ;BOOLEAN ReadAccess;
    ;BOOLEAN WriteAccess;
    ;BOOLEAN DeleteAccess;
    ;BOOLEAN SharedRead;
    ;BOOLEAN SharedWrite;
    ;BOOLEAN SharedDelete;

    foLockOperation db ?
    foDeletePending db ?
    foReadAccess db ?
    ; WriteAccess (name misspelled in this file)
    WrtieAcess db ?
    DeleteAccess db ?
    ; SharedRead (name misspelled in this file)
    shateRead db ?
    ShareWrite db ?
    ShareDelete db ?

    ;ULONG Flags;

    foFlags dd ?

    ;UNICODE_STRING FileName;
    ; Counted string: bound any scan of the buffer by its usLength (bytes).

    foFileName UNICODE_STRING <>

    ;LARGE_INTEGER CurrentByteOffset;
    ; 64-bit value split into low and high dwords.
    CurrentByteOffsetL dd ?
    CurrentByteOffsetH dd ?

    ;ULONG Waiters;
    ;ULONG Busy;
    ;PVOID LastLock;

    foWaiters dd ?
    foBusy dd ?
    foLastLock dd ?

    ;KEVENT Lock;
    ;KEVENT Event;
    ; Each KEVENT is reserved as 16 opaque bytes; its members are not broken out.

    foLock dd 4 dup(?)
    foEvent dd 4 dup(?)

    ;PIO_COMPLETION_CONTEXT CompletionContext;

    foCompletionContext dd ?

FILE_OBJECT ends

; 32-bit (x86) layout of the NT DRIVER_OBJECT. Despite the "P" in the name,
; this struc describes the object itself, not a pointer to it; it is meant to
; be applied to the pointer a driver receives.
;
; doType and doSize are also declared in DEVICE_OBJECT; both strucs place
; them at offsets 0 and 2, so the two definitions agree.
PDRIVER_OBJECT struc

    ;CSHORT Type;   
    ;CSHORT Size;

     doType dw ?
     doSize dw ?

    ;//
    ;// The following links all of the devices created by a single driver
    ;// together on a list, and the Flags word provides an extensible flag
    ;// location for driver objects.
    ;//

    ;PDEVICE_OBJECT DeviceObject;
    ;ULONG Flags;

    doDeviceObject dd ?
    DrvObjFlags dd ?

    ;//
    ;// The following section describes where the driver is loaded.  The count
    ;// field is used to count the number of times the driver has had its
    ;// registered reinitialization routine invoked.
    ;//

    ;PVOID DriverStart;
    ;ULONG DriverSize;
    ;PVOID DriverSection;
    ;PDRIVER_EXTENSION DriverExtension;

    doDriverStart dd ? ; points at the driver image's file header (the "MZ" signature)
    doDriverSize  dd ?
    doDriverSection dd ?
    doDriverExtension dd ?

    ;//
    ;// The driver name field is used by the error log thread to
    ;// determine the name of the driver that an I/O request is/was bound.
    ;//

    ;UNICODE_STRING DriverName;

    doDriverName UNICODE_STRING<>

    ;//
    ;// The following section is for registry support.  This is a pointer
    ;// to the path to the hardware information in the registry
    ;//

    ;PUNICODE_STRING HardwareDatabase;

    doHardwareDatabase dd ?

    ;//
    ;// The following section contains the optional pointer to an array of
    ;// alternate entry points to a driver for "fast I/O" support.  Fast I/O
    ;// is performed by invoking the driver routine directly with separate
    ;// parameters, rather than using the standard IRP call mechanism.  Note
    ;// that these functions may only be used for synchronous I/O, and when
    ;// the file is cached.
    ;//

    ;PFAST_IO_DISPATCH FastIoDispatch;

    doFastIoDispatch dd ?

    ;//
    ;// The following section describes the entry points to this particular
    ;// driver.  Note that the major function dispatch table must be the last
    ;// field in the object so that it remains extensible.
    ;//

    ;PDRIVER_INITIALIZE DriverInit;
    ;PDRIVER_STARTIO DriverStartIo;
    ;PDRIVER_UNLOAD DriverUnload;
    ;PDRIVER_DISPATCH MajorFunction[IRP_MJ_MAXIMUM_FUNCTION + 1];

    doDriverInit dd ?
    doDriverStartIo dd ?
    doDriverUnload dd ?
    ; Dispatch table with one dword entry per IRP_MJ_* code. Any index into
    ; it must be <= IRP_MJ_MAXIMUM_FUNCTION, or the access runs past the
    ; end of the object.
    doMajorFunction dd IRP_MJ_MAXIMUM_FUNCTION+1 dup(?)

PDRIVER_OBJECT ends

; 32-bit layout of the NT IO_STATUS_BLOCK (8 bytes): completion status plus a
; request-dependent information value.
IO_STATUS_BLOCK struc

    ;union {
    ;    NTSTATUS Status;
    ;    PVOID Pointer;
    ;};

    ; Only the Status view of the union is named; Pointer shares this dword.
    iosbStatus dd ?

    ;ULONG_PTR Information;

    iosbInformation dd ?

IO_STATUS_BLOCK ends

; IRP struc: too complex, not declared in this file.

; IO_STACK_LOCATION is complex as well; the Parameters union is ignored and
; only its DeviceIoControl view is declared. The four dwords after
; ioslControl are therefore meaningful only when ioslMajorFunction is
; IRP_MJ_DEVICE_CONTROL; for any other major function they hold different
; parameters under the same offsets.
IO_STACK_LOCATION struc ;At device io control

    ioslMajorFunction db ?
    ioslMinorFunction db ?
    ioslFlags db ?
    ioslControl db ?
    ; Caller-supplied lengths: check them before touching either buffer.
    ioslOutputBufferLength dd ?
    ioslInputBufferLength dd ?
    ioslIoControlCode dd ?
    ; For METHOD_NEITHER control codes this is the caller's raw, unvalidated
    ; pointer; it must be probed and accessed under exception handling
    ; before the driver dereferences it.
    ioslType3InputBuffer dd ?
    ioslDeviceObject dd ?
    ioslFileObject dd ?
    ioslCompletionRoutine dd ?
    ioslContext dd ?

IO_STACK_LOCATION ends
