
📄 mspylog.h

📁 文件系统过滤驱动程序的框架
📖 第 1 页 / 共 2 页
/*++

Copyright (c) 1989-2002  Microsoft Corporation

Module Name:

    mspyLog.h

Abstract:

    This module contains the structures and prototypes used by the user 
    program to retrieve and see the log records recorded by MiniSpy.sys.

Environment:

    User mode

--*/
#ifndef __MSPYLOG_H__
#define __MSPYLOG_H__

#include <stdio.h>
#include <fltUser.h>
#include "minispy.h"

//
//  Size constant made available to every file that includes this header.
//  NOTE(review): presumably the byte size of the buffer that receives log
//  records from MiniSpy.sys -- its use is not visible in this header.
//  Confirm that each record parsed out of that buffer is bounds-checked
//  against this size before its fields are read.
//

#define BUFFER_SIZE     4096

//
//  Structure for managing current state.
//
//  The comment on CleaningUp/ShutDown below says the structure is involved
//  in shutting down two threads, so it is shared between them.
//  NOTE(review): this header declares no lock and no interlocked accessor
//  for the BOOLEAN fields; confirm in the .c files how cross-thread reads
//  and writes of these flags are ordered.
//

typedef struct _LOG_CONTEXT {

    // Presumably the handle of the communication port opened to MiniSpy.sys
    // (fltUser.h is included above) -- confirm against the code that sets it.
    HANDLE Port;
    // Output selection flags; by their names, whether records go to the
    // screen and/or to OutputFile -- confirm against the dump call sites.
    BOOLEAN LogToScreen;
    BOOLEAN LogToFile;
    // C stdio stream; presumably the destination used when LogToFile is set.
    // NOTE(review): validity (non-NULL, still open) must be checked by users.
    FILE   *OutputFile;

    // Purpose not visible in this header -- TODO confirm with the caller.
    BOOLEAN NextLogToScreen;

    //
    // For synchronizing shutting down of both threads
    //

    // Plain BOOLEAN flag, not declared volatile or atomic here.
    BOOLEAN CleaningUp;
    // Handle used for the shutdown handshake; the object type (event,
    // semaphore, ...) is not visible in this header.
    HANDLE  ShutDown;

} LOG_CONTEXT, *PLOG_CONTEXT;

//
//  Function prototypes
//

//
//  RetrieveLogRecords
//
//  The signature (DWORD WINAPI fn(LPVOID)) has the form of a Win32 thread
//  start routine.
//
//  lpParameter - untyped pointer; presumably a PLOG_CONTEXT -- confirm
//                against the code that starts the thread, since a wrong
//                cast here would not be caught by the compiler.
//
//  Returns a DWORD; the meaning of the value is not visible in this header.
//
DWORD WINAPI 
RetrieveLogRecords(
    LPVOID lpParameter
    );
                
//
//  FileDump
//
//  By its name and parameters, writes one log record to a stdio stream.
//
//  SequenceNumber - sequence number of the record.
//  Name           - wide-character name associated with the record.
//                   NOTE(review): no length is passed with it; confirm the
//                   name is NUL-terminated inside the record it came from
//                   before it is formatted, so the print cannot read past
//                   the retrieved buffer.
//  RecordData     - pointer to the record's data (type from minispy.h).
//  File           - destination stream; presumably must be non-NULL.
//
//  The output is built from records produced by MiniSpy.sys and may contain
//  file names observed on the system; access to the resulting file should
//  be restricted accordingly.
//
VOID
FileDump ( 
    ULONG SequenceNumber,
    WCHAR *Name,
    PRECORD_DATA RecordData,
    FILE *File
    );

//
//  ScreenDump
//
//  Same parameters as FileDump without the stream; by its name, prints one
//  log record to the screen.
//
//  SequenceNumber - sequence number of the record.
//  Name           - wide-character name associated with the record.
//                   NOTE(review): passed without a length; confirm it is
//                   NUL-terminated within the record before printing.
//  RecordData     - pointer to the record's data (type from minispy.h).
//
VOID
ScreenDump( 
    ULONG SequenceNumber,
    WCHAR *Name,
    PRECORD_DATA RecordData
    );

//
//  Values set for the Flags field in a RECORD_DATA structure.
//  These flags come from the FLT_CALLBACK_DATA structure.
//
//  The three values are distinct single bits, so they can be tested with a
//  bitwise AND.
//  NOTE(review): these are local user-mode copies. They look like mirrors of
//  the FLTFL_CALLBACK_DATA_* values in fltKernel.h; confirm they equal what
//  the driver stores, otherwise records will be labelled with the wrong
//  operation class.
//

#define FLT_CALLBACK_DATA_IRP_OPERATION         0x00000001  //  Set for Irp operations
#define FLT_CALLBACK_DATA_FAST_IO_OPERATION     0x00000002  //  Set for Fast Io operations
#define FLT_CALLBACK_DATA_FS_FILTER_OPERATION   0x00000004  //  Set for FsFilter operations

//
// standard IRP_MJ string definitions
//
// Each macro expands to a narrow (char) string literal holding the printable
// name of one major function code. Only the names are defined here; the
// numeric codes come from elsewhere.
// NOTE(review): presumably selected by the dump routines from the major code
// stored in a record -- confirm the lookup has a default case for codes that
// have no string in this list.
//

#define IRP_MJ_CREATE_STRING                   "IRP_MJ_CREATE"
#define IRP_MJ_CREATE_NAMED_PIPE_STRING        "IRP_MJ_CREATE_NAMED_PIPE"
#define IRP_MJ_CLOSE_STRING                    "IRP_MJ_CLOSE"
#define IRP_MJ_READ_STRING                     "IRP_MJ_READ"
#define IRP_MJ_WRITE_STRING                    "IRP_MJ_WRITE"
#define IRP_MJ_QUERY_INFORMATION_STRING        "IRP_MJ_QUERY_INFORMATION"
#define IRP_MJ_SET_INFORMATION_STRING          "IRP_MJ_SET_INFORMATION"
#define IRP_MJ_QUERY_EA_STRING                 "IRP_MJ_QUERY_EA"
#define IRP_MJ_SET_EA_STRING                   "IRP_MJ_SET_EA"
#define IRP_MJ_FLUSH_BUFFERS_STRING            "IRP_MJ_FLUSH_BUFFERS"
#define IRP_MJ_QUERY_VOLUME_INFORMATION_STRING "IRP_MJ_QUERY_VOLUME_INFORMATION"
#define IRP_MJ_SET_VOLUME_INFORMATION_STRING   "IRP_MJ_SET_VOLUME_INFORMATION"
#define IRP_MJ_DIRECTORY_CONTROL_STRING        "IRP_MJ_DIRECTORY_CONTROL"
#define IRP_MJ_FILE_SYSTEM_CONTROL_STRING      "IRP_MJ_FILE_SYSTEM_CONTROL"
#define IRP_MJ_DEVICE_CONTROL_STRING           "IRP_MJ_DEVICE_CONTROL"
#define IRP_MJ_INTERNAL_DEVICE_CONTROL_STRING  "IRP_MJ_INTERNAL_DEVICE_CONTROL"
#define IRP_MJ_SHUTDOWN_STRING                 "IRP_MJ_SHUTDOWN"
#define IRP_MJ_LOCK_CONTROL_STRING             "IRP_MJ_LOCK_CONTROL"
#define IRP_MJ_CLEANUP_STRING                  "IRP_MJ_CLEANUP"
#define IRP_MJ_CREATE_MAILSLOT_STRING          "IRP_MJ_CREATE_MAILSLOT"
#define IRP_MJ_QUERY_SECURITY_STRING           "IRP_MJ_QUERY_SECURITY"
#define IRP_MJ_SET_SECURITY_STRING             "IRP_MJ_SET_SECURITY"
#define IRP_MJ_POWER_STRING                    "IRP_MJ_POWER"
#define IRP_MJ_SYSTEM_CONTROL_STRING           "IRP_MJ_SYSTEM_CONTROL"
#define IRP_MJ_DEVICE_CHANGE_STRING            "IRP_MJ_DEVICE_CHANGE"
#define IRP_MJ_QUERY_QUOTA_STRING              "IRP_MJ_QUERY_QUOTA"
#define IRP_MJ_SET_QUOTA_STRING                "IRP_MJ_SET_QUOTA"
#define IRP_MJ_PNP_STRING                      "IRP_MJ_PNP"
#define IRP_MJ_MAXIMUM_FUNCTION_STRING         "IRP_MJ_MAXIMUM_FUNCTION"

//
//  FSFilter string definitions
//
//  Printable names for the FsFilter operations. The two SECTION entries
//  print a shortened name ("..._SECTION_SYNC") rather than the full
//  "..._SECTION_SYNCHRONIZATION" used in the macro name, so a search of
//  log output for the full name will not match.
//

#define IRP_MJ_ACQUIRE_FOR_SECTION_SYNCHRONIZATION_STRING   "IRP_MJ_ACQUIRE_FOR_SECTION_SYNC"
#define IRP_MJ_RELEASE_FOR_SECTION_SYNCHRONIZATION_STRING   "IRP_MJ_RELEASE_FOR_SECTION_SYNC"
#define IRP_MJ_ACQUIRE_FOR_MOD_WRITE_STRING   "IRP_MJ_ACQUIRE_FOR_MOD_WRITE"
#define IRP_MJ_RELEASE_FOR_MOD_WRITE_STRING   "IRP_MJ_RELEASE_FOR_MOD_WRITE"
#define IRP_MJ_ACQUIRE_FOR_CC_FLUSH_STRING    "IRP_MJ_ACQUIRE_FOR_CC_FLUSH"
#define IRP_MJ_RELEASE_FOR_CC_FLUSH_STRING    "IRP_MJ_RELEASE_FOR_CC_FLUSH"
#define IRP_MJ_NOTIFY_STREAM_FO_CREATION_STRING "IRP_MJ_NOTIFY_STREAM_FO_CREATION"

//
//  FAST_IO and other string definitions
//
//  Printable names for Fast I/O and volume operations. They carry the
//  IRP_MJ_ prefix like the entries above, so the prefix alone does not tell
//  a reader of the log whether an entry was an IRP; the Flags bits
//  (FLT_CALLBACK_DATA_*_OPERATION) are the field that distinguishes them.
//

#define IRP_MJ_FAST_IO_CHECK_IF_POSSIBLE_STRING "IRP_MJ_FAST_IO_CHECK_IF_POSSIBLE"
#define IRP_MJ_DETACH_DEVICE_STRING           "IRP_MJ_DETACH_DEVICE"
#define IRP_MJ_NETWORK_QUERY_OPEN_STRING      "IRP_MJ_NETWORK_QUERY_OPEN"
#define IRP_MJ_MDL_READ_STRING                "IRP_MJ_MDL_READ"
#define IRP_MJ_MDL_READ_COMPLETE_STRING       "IRP_MJ_MDL_READ_COMPLETE"
#define IRP_MJ_PREPARE_MDL_WRITE_STRING       "IRP_MJ_PREPARE_MDL_WRITE"
#define IRP_MJ_MDL_WRITE_COMPLETE_STRING      "IRP_MJ_MDL_WRITE_COMPLETE"
#define IRP_MJ_VOLUME_MOUNT_STRING            "IRP_MJ_VOLUME_MOUNT"
#define IRP_MJ_VOLUME_DISMOUNT_STRING         "IRP_MJ_VOLUME_DISMOUNT"

//
// Strings for the Irp minor codes
//
// Each macro expands to a narrow (char) string literal holding the printable
// name of one minor function code; the numeric codes are not defined here.
// NOTE(review): minor-function numbers are reused across major functions in
// the WDK headers, so a string from this list can only be chosen once the
// major code is known -- confirm the printing code switches on the major
// code first and has a fallback for unknown minor codes.
//

#define IRP_MN_QUERY_DIRECTORY_STRING          "IRP_MN_QUERY_DIRECTORY"
#define IRP_MN_NOTIFY_CHANGE_DIRECTORY_STRING  "IRP_MN_NOTIFY_CHANGE_DIRECTORY"
#define IRP_MN_USER_FS_REQUEST_STRING          "IRP_MN_USER_FS_REQUEST"
#define IRP_MN_MOUNT_VOLUME_STRING             "IRP_MN_MOUNT_VOLUME"
#define IRP_MN_VERIFY_VOLUME_STRING            "IRP_MN_VERIFY_VOLUME"
#define IRP_MN_LOAD_FILE_SYSTEM_STRING         "IRP_MN_LOAD_FILE_SYSTEM"
#define IRP_MN_TRACK_LINK_STRING               "IRP_MN_TRACK_LINK"
#define IRP_MN_LOCK_STRING                     "IRP_MN_LOCK"
#define IRP_MN_UNLOCK_SINGLE_STRING            "IRP_MN_UNLOCK_SINGLE"
#define IRP_MN_UNLOCK_ALL_STRING               "IRP_MN_UNLOCK_ALL"
#define IRP_MN_UNLOCK_ALL_BY_KEY_STRING        "IRP_MN_UNLOCK_ALL_BY_KEY"
#define IRP_MN_NORMAL_STRING                   "IRP_MN_NORMAL"
#define IRP_MN_DPC_STRING                      "IRP_MN_DPC"
#define IRP_MN_MDL_STRING                      "IRP_MN_MDL"
#define IRP_MN_COMPLETE_STRING                 "IRP_MN_COMPLETE"
#define IRP_MN_COMPRESSED_STRING               "IRP_MN_COMPRESSED"
#define IRP_MN_MDL_DPC_STRING                  "IRP_MN_MDL_DPC"
#define IRP_MN_COMPLETE_MDL_STRING             "IRP_MN_COMPLETE_MDL"
#define IRP_MN_COMPLETE_MDL_DPC_STRING         "IRP_MN_COMPLETE_MDL_DPC"
#define IRP_MN_SCSI_CLASS_STRING               "IRP_MN_SCSI_CLASS"
#define IRP_MN_START_DEVICE_STRING                 "IRP_MN_START_DEVICE"
#define IRP_MN_QUERY_REMOVE_DEVICE_STRING          "IRP_MN_QUERY_REMOVE_DEVICE"
#define IRP_MN_REMOVE_DEVICE_STRING                "IRP_MN_REMOVE_DEVICE"
#define IRP_MN_CANCEL_REMOVE_DEVICE_STRING         "IRP_MN_CANCEL_REMOVE_DEVICE"
#define IRP_MN_STOP_DEVICE_STRING                  "IRP_MN_STOP_DEVICE"
#define IRP_MN_QUERY_STOP_DEVICE_STRING            "IRP_MN_QUERY_STOP_DEVICE"
#define IRP_MN_CANCEL_STOP_DEVICE_STRING           "IRP_MN_CANCEL_STOP_DEVICE"
#define IRP_MN_QUERY_DEVICE_RELATIONS_STRING       "IRP_MN_QUERY_DEVICE_RELATIONS"
#define IRP_MN_QUERY_INTERFACE_STRING              "IRP_MN_QUERY_INTERFACE"
#define IRP_MN_QUERY_CAPABILITIES_STRING           "IRP_MN_QUERY_CAPABILITIES"
#define IRP_MN_QUERY_RESOURCES_STRING              "IRP_MN_QUERY_RESOURCES"
#define IRP_MN_QUERY_RESOURCE_REQUIREMENTS_STRING  "IRP_MN_QUERY_RESOURCE_REQUIREMENTS"
#define IRP_MN_QUERY_DEVICE_TEXT_STRING            "IRP_MN_QUERY_DEVICE_TEXT"
#define IRP_MN_FILTER_RESOURCE_REQUIREMENTS_STRING "IRP_MN_FILTER_RESOURCE_REQUIREMENTS"
#define IRP_MN_READ_CONFIG_STRING                  "IRP_MN_READ_CONFIG"
#define IRP_MN_WRITE_CONFIG_STRING                 "IRP_MN_WRITE_CONFIG"
#define IRP_MN_EJECT_STRING                        "IRP_MN_EJECT"
#define IRP_MN_SET_LOCK_STRING                     "IRP_MN_SET_LOCK"
