mspylog.c
来自「文件系统过滤驱动程序的框架」· C语言 代码 · 共 1,042 行 · 第 1/2 页
case IRP_MJ_SYSTEM_CONTROL:
irpMajorString = IRP_MJ_SYSTEM_CONTROL_STRING;
switch (MinorCode) {
case IRP_MN_QUERY_ALL_DATA:
irpMinorString = IRP_MN_QUERY_ALL_DATA_STRING;
break;
case IRP_MN_QUERY_SINGLE_INSTANCE:
irpMinorString = IRP_MN_QUERY_SINGLE_INSTANCE_STRING;
break;
case IRP_MN_CHANGE_SINGLE_INSTANCE:
irpMinorString = IRP_MN_CHANGE_SINGLE_INSTANCE_STRING;
break;
case IRP_MN_CHANGE_SINGLE_ITEM:
irpMinorString = IRP_MN_CHANGE_SINGLE_ITEM_STRING;
break;
case IRP_MN_ENABLE_EVENTS:
irpMinorString = IRP_MN_ENABLE_EVENTS_STRING;
break;
case IRP_MN_DISABLE_EVENTS:
irpMinorString = IRP_MN_DISABLE_EVENTS_STRING;
break;
case IRP_MN_ENABLE_COLLECTION:
irpMinorString = IRP_MN_ENABLE_COLLECTION_STRING;
break;
case IRP_MN_DISABLE_COLLECTION:
irpMinorString = IRP_MN_DISABLE_COLLECTION_STRING;
break;
case IRP_MN_REGINFO:
irpMinorString = IRP_MN_REGINFO_STRING;
break;
case IRP_MN_EXECUTE_METHOD:
irpMinorString = IRP_MN_EXECUTE_METHOD_STRING;
break;
default :
sprintf(errorBuf,"Unknown Irp minor code (%u)",MinorCode);
irpMinorString = errorBuf;
}
break;
case IRP_MJ_DEVICE_CHANGE:
irpMajorString = IRP_MJ_DEVICE_CHANGE_STRING;
break;
case IRP_MJ_QUERY_QUOTA:
irpMajorString = IRP_MJ_QUERY_QUOTA_STRING;
break;
case IRP_MJ_SET_QUOTA:
irpMajorString = IRP_MJ_SET_QUOTA_STRING;
break;
case IRP_MJ_PNP:
irpMajorString = IRP_MJ_PNP_STRING;
switch (MinorCode) {
case IRP_MN_START_DEVICE:
irpMinorString = IRP_MN_START_DEVICE_STRING;
break;
case IRP_MN_QUERY_REMOVE_DEVICE:
irpMinorString = IRP_MN_QUERY_REMOVE_DEVICE_STRING;
break;
case IRP_MN_REMOVE_DEVICE:
irpMinorString = IRP_MN_REMOVE_DEVICE_STRING;
break;
case IRP_MN_CANCEL_REMOVE_DEVICE:
irpMinorString = IRP_MN_CANCEL_REMOVE_DEVICE_STRING;
break;
case IRP_MN_STOP_DEVICE:
irpMinorString = IRP_MN_STOP_DEVICE_STRING;
break;
case IRP_MN_QUERY_STOP_DEVICE:
irpMinorString = IRP_MN_QUERY_STOP_DEVICE_STRING;
break;
case IRP_MN_CANCEL_STOP_DEVICE:
irpMinorString = IRP_MN_CANCEL_STOP_DEVICE_STRING;
break;
case IRP_MN_QUERY_DEVICE_RELATIONS:
irpMinorString = IRP_MN_QUERY_DEVICE_RELATIONS_STRING;
break;
case IRP_MN_QUERY_INTERFACE:
irpMinorString = IRP_MN_QUERY_INTERFACE_STRING;
break;
case IRP_MN_QUERY_CAPABILITIES:
irpMinorString = IRP_MN_QUERY_CAPABILITIES_STRING;
break;
case IRP_MN_QUERY_RESOURCES:
irpMinorString = IRP_MN_QUERY_RESOURCES_STRING;
break;
case IRP_MN_QUERY_RESOURCE_REQUIREMENTS:
irpMinorString = IRP_MN_QUERY_RESOURCE_REQUIREMENTS_STRING;
break;
case IRP_MN_QUERY_DEVICE_TEXT:
irpMinorString = IRP_MN_QUERY_DEVICE_TEXT_STRING;
break;
case IRP_MN_FILTER_RESOURCE_REQUIREMENTS:
irpMinorString = IRP_MN_FILTER_RESOURCE_REQUIREMENTS_STRING;
break;
case IRP_MN_READ_CONFIG:
irpMinorString = IRP_MN_READ_CONFIG_STRING;
break;
case IRP_MN_WRITE_CONFIG:
irpMinorString = IRP_MN_WRITE_CONFIG_STRING;
break;
case IRP_MN_EJECT:
irpMinorString = IRP_MN_EJECT_STRING;
break;
case IRP_MN_SET_LOCK:
irpMinorString = IRP_MN_SET_LOCK_STRING;
break;
case IRP_MN_QUERY_ID:
irpMinorString = IRP_MN_QUERY_ID_STRING;
break;
case IRP_MN_QUERY_PNP_DEVICE_STATE:
irpMinorString = IRP_MN_QUERY_PNP_DEVICE_STATE_STRING;
break;
case IRP_MN_QUERY_BUS_INFORMATION:
irpMinorString = IRP_MN_QUERY_BUS_INFORMATION_STRING;
break;
case IRP_MN_DEVICE_USAGE_NOTIFICATION:
irpMinorString = IRP_MN_DEVICE_USAGE_NOTIFICATION_STRING;
break;
case IRP_MN_SURPRISE_REMOVAL:
irpMinorString = IRP_MN_SURPRISE_REMOVAL_STRING;
break;
case IRP_MN_QUERY_LEGACY_BUS_INFORMATION:
irpMinorString = IRP_MN_QUERY_LEGACY_BUS_INFORMATION_STRING;
break;
default :
sprintf(errorBuf,"Unknown Irp minor code (%u)",MinorCode);
irpMinorString = errorBuf;
}
break;
case IRP_MJ_ACQUIRE_FOR_SECTION_SYNCHRONIZATION:
irpMajorString = IRP_MJ_ACQUIRE_FOR_SECTION_SYNCHRONIZATION_STRING;
break;
case IRP_MJ_RELEASE_FOR_SECTION_SYNCHRONIZATION:
irpMajorString = IRP_MJ_RELEASE_FOR_SECTION_SYNCHRONIZATION_STRING;
break;
case IRP_MJ_ACQUIRE_FOR_MOD_WRITE:
irpMajorString = IRP_MJ_ACQUIRE_FOR_MOD_WRITE_STRING;
break;
case IRP_MJ_RELEASE_FOR_MOD_WRITE:
irpMajorString = IRP_MJ_RELEASE_FOR_MOD_WRITE_STRING;
break;
case IRP_MJ_ACQUIRE_FOR_CC_FLUSH:
irpMajorString = IRP_MJ_ACQUIRE_FOR_CC_FLUSH_STRING;
break;
case IRP_MJ_RELEASE_FOR_CC_FLUSH:
irpMajorString = IRP_MJ_RELEASE_FOR_CC_FLUSH_STRING;
break;
case IRP_MJ_NOTIFY_STREAM_FO_CREATION:
irpMajorString = IRP_MJ_NOTIFY_STREAM_FO_CREATION_STRING;
break;
case IRP_MJ_FAST_IO_CHECK_IF_POSSIBLE:
irpMajorString = IRP_MJ_FAST_IO_CHECK_IF_POSSIBLE_STRING;
break;
case IRP_MJ_NETWORK_QUERY_OPEN:
irpMajorString = IRP_MJ_NETWORK_QUERY_OPEN_STRING;
break;
case IRP_MJ_MDL_READ:
irpMajorString = IRP_MJ_MDL_READ_STRING;
break;
case IRP_MJ_MDL_READ_COMPLETE:
irpMajorString = IRP_MJ_MDL_READ_COMPLETE_STRING;
break;
case IRP_MJ_PREPARE_MDL_WRITE:
irpMajorString = IRP_MJ_PREPARE_MDL_WRITE_STRING;
break;
case IRP_MJ_MDL_WRITE_COMPLETE:
irpMajorString = IRP_MJ_MDL_WRITE_COMPLETE_STRING;
break;
case IRP_MJ_VOLUME_MOUNT:
irpMajorString = IRP_MJ_VOLUME_MOUNT_STRING;
break;
case IRP_MJ_VOLUME_DISMOUNT:
irpMajorString = IRP_MJ_VOLUME_DISMOUNT_STRING;
break;
default:
sprintf(errorBuf,"Unknown Irp major function (%d)",MajorCode);
irpMajorString = errorBuf;
}
if (OutputFile) {
if (irpMinorString) {
sprintf(formatBuf,"%s %s",irpMajorString, irpMinorString);
fprintf(OutputFile, "\t%-50s", formatBuf);
} else {
fprintf(OutputFile, "\t%-50s", irpMajorString);
}
} else {
if (PrintMajorCode) {
printf("%-32s ", irpMajorString);
} else {
if (irpMinorString) {
printf(" %-35s\n",
irpMinorString);
}
}
}
}
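ULONG
FormatSystemTime( SYSTEMTIME *SystemTime,
                  CHAR *Buffer,
                  ULONG BufferLength
                  )
/*++
Routine Description:
    Formats the values in a SystemTime struct into the buffer
    passed in.  The resulting string is NUL terminated.  The format
    for the time is:
        hours:minutes:seconds:milliseconds
    which is 12 characters (hh:mm:ss:mmm) for an in-range time.

    The fields are range-checked before formatting.  The "%02d"/"%03d"
    conversions only set a minimum width, so an out-of-range field (for
    example from a SYSTEMTIME that was never filled in because a time
    conversion failed) would otherwise make sprintf write more than the
    12 characters the length check accounts for.
Arguments:
    SystemTime - the struct to format
    Buffer - the buffer to place the formatted time in
    BufferLength - the size of the buffer, in characters
Return Value:
    The length of the string returned in Buffer, or 0 if an argument is
    NULL, the buffer is too short, or a time field is out of range.
    Buffer is not written when 0 is returned.
--*/
{
    //
    //  Length of "hh:mm:ss:mmm" without the terminator.
    //

    const ULONG formattedChars = 12;
    int written;

    if (SystemTime == NULL || Buffer == NULL) {

        return 0;
    }

    //
    //  TIME_BUFFER_LENGTH is defined outside this routine; the second
    //  test keeps the bound correct whatever value it has.
    //

    if (BufferLength < TIME_BUFFER_LENGTH || BufferLength <= formattedChars) {

        //
        // Buffer is too short so exit
        //

        return 0;
    }

    //
    //  Reject values that would not fit the fixed-width format.
    //

    if (SystemTime->wHour > 23 ||
        SystemTime->wMinute > 59 ||
        SystemTime->wSecond > 59 ||
        SystemTime->wMilliseconds > 999) {

        return 0;
    }

    written = sprintf( Buffer,
                       "%02d:%02d:%02d:%03d",
                       SystemTime->wHour,
                       SystemTime->wMinute,
                       SystemTime->wSecond,
                       SystemTime->wMilliseconds );

    //
    //  sprintf reports failure with a negative value; do not let that
    //  turn into a huge unsigned length.
    //

    if (written < 0) {

        return 0;
    }

    return (ULONG) written;
}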
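VOID
FileDump( ULONG SequenceNumber,
          WCHAR *Name,
          PRECORD_DATA RecordData,
          FILE *File
          )
/*++
Routine Description:
    Prints a Data log record to the specified file.  The output is in a tab
    delimited format with the fields in the following order:
        operation type (IRP/FIO/FSF/ERR), SequenceNumber, OriginatingTime,
        CompletionTime, ProcessId.ThreadId, callback major/minor code,
        IrpFlags (hex) followed by the NoCache, Paging I/O, Synchronous and
        Synchronous paging flag letters, FileObject, Status:Information,
        Arg1 through Arg6, FileName

    If either time conversion or the formatting of a timestamp fails,
    TIME_ERROR is printed in place of that timestamp.
Arguments:
    SequenceNumber - the sequence number for this log record
    Name - the name of the file that this Irp relates to
    RecordData - the Data record to print
    File - the file to print to
Return Value:
    None.
--*/
{
    FILETIME localTime;
    SYSTEMTIME systemTime;
    CHAR time[TIME_BUFFER_LENGTH];

    //
    // Is this an Irp or a FastIo?
    //

    if (RecordData->Flags & FLT_CALLBACK_DATA_IRP_OPERATION) {

        fprintf( File, "IRP");

    } else if (RecordData->Flags & FLT_CALLBACK_DATA_FAST_IO_OPERATION) {

        fprintf( File, "FIO");

    } else if (RecordData->Flags & FLT_CALLBACK_DATA_FS_FILTER_OPERATION) {

        fprintf( File, "FSF");

    } else {

        fprintf( File, "ERR");
    }

    //
    // Print the sequence number
    //

    fprintf( File, "\t0x%08X", SequenceNumber );

    //
    // Convert originating time.  Both conversions return FALSE on failure
    // and then leave their output untouched, so only format systemTime
    // when every step succeeded.
    //

    if (FileTimeToLocalFileTime( (FILETIME *)&(RecordData->OriginatingTime),
                                 &localTime ) &&
        FileTimeToSystemTime( &localTime, &systemTime ) &&
        FormatSystemTime( &systemTime, time, TIME_BUFFER_LENGTH )) {

        fprintf( File, "\t%-12s", time );

    } else {

        fprintf( File, "\t%-12s", TIME_ERROR );
    }

    //
    // Convert completion time
    //

    if (FileTimeToLocalFileTime( (FILETIME *)&(RecordData->CompletionTime),
                                 &localTime ) &&
        FileTimeToSystemTime( &localTime, &systemTime ) &&
        FormatSystemTime( &systemTime, time, TIME_BUFFER_LENGTH )) {

        fprintf( File, "\t%-12s", time );

    } else {

        fprintf( File, "\t%-12s", TIME_ERROR );
    }

    //
    // NOTE(review): "%x" expects an unsigned int.  The types of ProcessId
    // and ThreadId are declared outside this listing - confirm they are
    // not pointer-sized on 64-bit builds.
    //

    fprintf(File, "\t%8x.%-4x ", RecordData->ProcessId, RecordData->ThreadId);

    PrintIrpCode( RecordData->CallbackMajorId,
                  RecordData->CallbackMinorId,
                  File,
                  TRUE );

    //
    // Interpret set IrpFlags
    //

    fprintf( File, "\t0x%08lx ", RecordData->IrpFlags );
    fprintf( File, "%s", (RecordData->IrpFlags & IRP_NOCACHE) ? "N":"-" );
    fprintf( File, "%s", (RecordData->IrpFlags & IRP_PAGING_IO) ? "P":"-" );
    fprintf( File, "%s", (RecordData->IrpFlags & IRP_SYNCHRONOUS_API) ? "S":"-" );
    fprintf( File, "%s", (RecordData->IrpFlags & IRP_SYNCHRONOUS_PAGING_IO) ? "Y":"-" );

    fprintf( File, "\t%08p", (PVOID) RecordData->FileObject );
    fprintf( File, "\t0x%08lx:0x%p", RecordData->Status, (PVOID)RecordData->Information );

    fprintf( File, "\t0x%p", RecordData->Arg1 );
    fprintf( File, "\t0x%p", RecordData->Arg2 );
    fprintf( File, "\t0x%p", RecordData->Arg3 );
    fprintf( File, "\t0x%p", RecordData->Arg4 );
    fprintf( File, "\t0x%p", RecordData->Arg5 );
    fprintf( File, "\t0x%I64x", RecordData->Arg6.QuadPart );

    //
    // The name is written verbatim as the last field.  If it can contain
    // tab or newline characters, the tab-delimited layout of this record
    // (and the start of the next one) is no longer reliable for anything
    // parsing the log - presumably names come from the monitored file
    // system; verify against the caller.
    //

    fprintf( File, "\t%S", Name );
    fprintf( File, "\n" );
}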
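VOID
ScreenDump( ULONG SequenceNumber,
            WCHAR *Name,
            PRECORD_DATA RecordData
            )
/*++
Routine Description:
    Prints an Irp log record to the screen as two lines.  The first line
    holds, in order:
        operation type (IRP/FIO/FSF/ERR), SequenceNumber, OriginatingTime,
        CompletionTime, ProcessId.ThreadId, callback major code,
        IrpFlags (hex) followed by the NoCache, Paging I/O, Synchronous and
        Synchronous paging flag letters, FileObject, Status:Information,
        FileName
    The second line holds the callback minor code (when PrintIrpCode has
    one to print) and Arg1 through Arg6.

    If either time conversion or the formatting of a timestamp fails,
    TIME_ERROR is printed in place of that timestamp.
Arguments:
    SequenceNumber - the sequence number for this log record
    Name - the file name to which this Irp relates
    RecordData - the Irp record to print
Return Value:
    None.
--*/
{
    FILETIME localTime;
    SYSTEMTIME systemTime;
    CHAR time[TIME_BUFFER_LENGTH];

    //
    // Is this an Irp or a FastIo?
    //

    if (RecordData->Flags & FLT_CALLBACK_DATA_IRP_OPERATION) {

        printf( "IRP ");

    } else if (RecordData->Flags & FLT_CALLBACK_DATA_FAST_IO_OPERATION) {

        printf( "FIO ");

    } else if (RecordData->Flags & FLT_CALLBACK_DATA_FS_FILTER_OPERATION) {

        printf( "FSF " );

    } else {

        printf( "ERR ");
    }

    printf( "%08X ", SequenceNumber );

    //
    // Convert originating time.  Both conversions return FALSE on failure
    // and then leave their output untouched, so only format systemTime
    // when every step succeeded.
    //

    if (FileTimeToLocalFileTime( (FILETIME *)&(RecordData->OriginatingTime),
                                 &localTime ) &&
        FileTimeToSystemTime( &localTime, &systemTime ) &&
        FormatSystemTime( &systemTime, time, TIME_BUFFER_LENGTH )) {

        printf( "%-12s ", time );

    } else {

        printf( "%-12s ", TIME_ERROR );
    }

    //
    // Convert completion time
    //

    if (FileTimeToLocalFileTime( (FILETIME *)&(RecordData->CompletionTime),
                                 &localTime ) &&
        FileTimeToSystemTime( &localTime, &systemTime ) &&
        FormatSystemTime( &systemTime, time, TIME_BUFFER_LENGTH )) {

        printf( "%-12s ", time );

    } else {

        printf( "%-12s ", TIME_ERROR );
    }

    //
    // NOTE(review): "%x" expects an unsigned int.  The types of ProcessId
    // and ThreadId are declared outside this listing - confirm they are
    // not pointer-sized on 64-bit builds.
    //

    printf("%8x.%-4x ", RecordData->ProcessId, RecordData->ThreadId);

    PrintIrpCode( RecordData->CallbackMajorId,
                  RecordData->CallbackMinorId,
                  NULL,
                  TRUE );

    //
    // Interpret set IrpFlags
    //

    printf( "%08lx ", RecordData->IrpFlags );
    printf( "%s", (RecordData->IrpFlags & IRP_NOCACHE) ? "N":"-" );
    printf( "%s", (RecordData->IrpFlags & IRP_PAGING_IO) ? "P":"-" );
    printf( "%s", (RecordData->IrpFlags & IRP_SYNCHRONOUS_API) ? "S":"-" );
    printf( "%s ", (RecordData->IrpFlags & IRP_SYNCHRONOUS_PAGING_IO) ? "Y":"-" );

    printf( "%08p ", (PVOID) RecordData->FileObject );

    //
    // NOTE(review): FileDump prints Information through a PVOID cast with
    // "%p", while this routine passes it to "%08lx".  If Information is
    // pointer-sized the two disagree on 64-bit builds - confirm the type
    // and align the formats.
    //

    printf( "%08lx:%08lx ", RecordData->Status, RecordData->Information );

    //
    // The name is printed verbatim; control characters in it would go
    // straight to the console.
    //

    printf( "%S", Name );
    printf( "\n" );

    //
    // Second line: minor code followed by the raw arguments.
    //

    PrintIrpCode( RecordData->CallbackMajorId,
                  RecordData->CallbackMinorId,
                  NULL,
                  FALSE );

    printf( " (0x%p,0x%p,0x%p,0x%p,0x%p,0x%I64x)\n",
            RecordData->Arg1,
            RecordData->Arg2,
            RecordData->Arg3,
            RecordData->Arg4,
            RecordData->Arg5,
            RecordData->Arg6.QuadPart );
}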