📄 fspykern.h
字号:
// Structure used to pass context information from dispatch routines to
// completion routines for FSCTRL operations. We need a different structures
// for Windows 2000 from what we can use on Windows XP and later because
// we handle the completion processing differently.
//
typedef struct _SPY_COMPLETION_CONTEXT {
PRECORD_LIST RecordList;
} SPY_COMPLETION_CONTEXT, *PSPY_COMPLETION_CONTEXT;
typedef struct _SPY_COMPLETION_CONTEXT_W2K {
SPY_COMPLETION_CONTEXT;
WORK_QUEUE_ITEM WorkItem;
PDEVICE_OBJECT DeviceObject;
PIRP Irp;
PDEVICE_OBJECT NewDeviceObject;
} SPY_COMPLETION_CONTEXT_W2K, *PSPY_COMPLETION_CONTEXT_W2K;
#if WINVER >= 0x0501
typedef struct _SPY_COMPLETION_CONTEXT_WXP_OR_LATER {
SPY_COMPLETION_CONTEXT;
KEVENT WaitEvent;
} SPY_COMPLETION_CONTEXT_WXP_OR_LATER,
*PSPY_COMPLETION_CONTEXT_WXP_OR_LATER;
#endif
//
// The context used to send getting the DOS device name off to a worker
// thread.
//
typedef struct _DOS_NAME_COMPLETION_CONTEXT {
WORK_QUEUE_ITEM WorkItem;
//
// The device object to get the DOS name of.
//
PDEVICE_OBJECT DeviceObject;
} DOS_NAME_COMPLETION_CONTEXT, *PDOS_NAME_COMPLETION_CONTEXT;
#ifndef FORCEINLINE
#define FORCEINLINE __inline
#endif
FORCEINLINE
VOID
SpyCopyFileNameToLogRecord (
PLOG_RECORD LogRecord,
PUNICODE_STRING FileName
)
/*++
Routine Description:
Inline function to copy the file name into the log record. The routine
only copies as much of the file name into the log record as the log
record allows. Therefore, if the name is too long for the record, it will
be truncated. Also, the name is always NULL-terminated.
Arguments:
LogRecord - The log record for which the name should be set.
FileName - The file name to be set in the log record.
Return Value:
None.
--*/
{
//
// Include space for NULL when copying the name
//
ULONG toCopy = min( MAX_NAME_SPACE,
(ULONG)FileName->Length + sizeof( WCHAR ) );
RtlCopyMemory( LogRecord->Name,
FileName->Buffer,
toCopy - sizeof( WCHAR ) );
//
// NULL terminate
//
LogRecord->Name[toCopy/sizeof( WCHAR ) - 1] = L'\0';
LogRecord->Length += toCopy ;
}
////////////////////////////////////////////////////////////////////////
//
// Prototypes for the routines this driver uses to filter the
// the data that is being seen by this file systems.
//
// implemented in filespy.c
//
////////////////////////////////////////////////////////////////////////
NTSTATUS
DriverEntry (
IN PDRIVER_OBJECT DriverObject,
IN PUNICODE_STRING RegistryPath
);
VOID
DriverUnload (
IN PDRIVER_OBJECT DriverObject
);
NTSTATUS
SpyDispatch (
IN PDEVICE_OBJECT DeviceObject,
IN PIRP Irp
);
NTSTATUS
SpyPassThrough (
IN PDEVICE_OBJECT DeviceObject,
IN PIRP Irp
);
NTSTATUS
SpyPassThroughCompletion (
IN PDEVICE_OBJECT DeviceObject,
IN PIRP Irp,
IN PVOID Context
);
NTSTATUS
SpyCreate (
IN PDEVICE_OBJECT DeviceObject,
IN PIRP Irp
);
NTSTATUS
SpyClose (
IN PDEVICE_OBJECT DeviceObject,
IN PIRP Irp
);
BOOLEAN
SpyFastIoCheckIfPossible (
IN PFILE_OBJECT FileObject,
IN PLARGE_INTEGER FileOffset,
IN ULONG Length,
IN BOOLEAN Wait,
IN ULONG LockKey,
IN BOOLEAN CheckForReadOperation,
OUT PIO_STATUS_BLOCK IoStatus,
IN PDEVICE_OBJECT DeviceObject
);
BOOLEAN
SpyFastIoRead (
IN PFILE_OBJECT FileObject,
IN PLARGE_INTEGER FileOffset,
IN ULONG Length,
IN BOOLEAN Wait,
IN ULONG LockKey,
OUT PVOID Buffer,
OUT PIO_STATUS_BLOCK IoStatus,
IN PDEVICE_OBJECT DeviceObject
);
BOOLEAN
SpyFastIoWrite (
IN PFILE_OBJECT FileObject,
IN PLARGE_INTEGER FileOffset,
IN ULONG Length,
IN BOOLEAN Wait,
IN ULONG LockKey,
IN PVOID Buffer,
OUT PIO_STATUS_BLOCK IoStatus,
IN PDEVICE_OBJECT DeviceObject
);
BOOLEAN
SpyFastIoQueryBasicInfo (
IN PFILE_OBJECT FileObject,
IN BOOLEAN Wait,
OUT PFILE_BASIC_INFORMATION Buffer,
OUT PIO_STATUS_BLOCK IoStatus,
IN PDEVICE_OBJECT DeviceObject
);
BOOLEAN
SpyFastIoQueryStandardInfo (
IN PFILE_OBJECT FileObject,
IN BOOLEAN Wait,
OUT PFILE_STANDARD_INFORMATION Buffer,
OUT PIO_STATUS_BLOCK IoStatus,
IN PDEVICE_OBJECT DeviceObject
);
BOOLEAN
SpyFastIoLock (
IN PFILE_OBJECT FileObject,
IN PLARGE_INTEGER FileOffset,
IN PLARGE_INTEGER Length,
PEPROCESS ProcessId,
ULONG Key,
BOOLEAN FailImmediately,
BOOLEAN ExclusiveLock,
OUT PIO_STATUS_BLOCK IoStatus,
IN PDEVICE_OBJECT DeviceObject
);
BOOLEAN
SpyFastIoUnlockSingle (
IN PFILE_OBJECT FileObject,
IN PLARGE_INTEGER FileOffset,
IN PLARGE_INTEGER Length,
PEPROCESS ProcessId,
ULONG Key,
OUT PIO_STATUS_BLOCK IoStatus,
IN PDEVICE_OBJECT DeviceObject
);
BOOLEAN
SpyFastIoUnlockAll (
IN PFILE_OBJECT FileObject,
PEPROCESS ProcessId,
OUT PIO_STATUS_BLOCK IoStatus,
IN PDEVICE_OBJECT DeviceObject
);
BOOLEAN
SpyFastIoUnlockAllByKey (
IN PFILE_OBJECT FileObject,
PVOID ProcessId,
ULONG Key,
OUT PIO_STATUS_BLOCK IoStatus,
IN PDEVICE_OBJECT DeviceObject
);
BOOLEAN
SpyFastIoDeviceControl (
IN PFILE_OBJECT FileObject,
IN BOOLEAN Wait,
IN PVOID InputBuffer OPTIONAL,
IN ULONG InputBufferLength,
OUT PVOID OutputBuffer OPTIONAL,
IN ULONG OutputBufferLength,
IN ULONG IoControlCode,
OUT PIO_STATUS_BLOCK IoStatus,
IN PDEVICE_OBJECT DeviceObject
);
VOID
SpyFastIoDetachDevice (
IN PDEVICE_OBJECT SourceDevice,
IN PDEVICE_OBJECT TargetDevice
);
BOOLEAN
SpyFastIoQueryNetworkOpenInfo (
IN PFILE_OBJECT FileObject,
IN BOOLEAN Wait,
OUT PFILE_NETWORK_OPEN_INFORMATION Buffer,
OUT PIO_STATUS_BLOCK IoStatus,
IN PDEVICE_OBJECT DeviceObject
);
BOOLEAN
SpyFastIoMdlRead (
IN PFILE_OBJECT FileObject,
IN PLARGE_INTEGER FileOffset,
IN ULONG Length,
IN ULONG LockKey,
OUT PMDL *MdlChain,
OUT PIO_STATUS_BLOCK IoStatus,
IN PDEVICE_OBJECT DeviceObject
);
BOOLEAN
SpyFastIoMdlReadComplete (
IN PFILE_OBJECT FileObject,
IN PMDL MdlChain,
IN PDEVICE_OBJECT DeviceObject
);
BOOLEAN
SpyFastIoPrepareMdlWrite (
IN PFILE_OBJECT FileObject,
IN PLARGE_INTEGER FileOffset,
IN ULONG Length,
IN ULONG LockKey,
OUT PMDL *MdlChain,
OUT PIO_STATUS_BLOCK IoStatus,
IN PDEVICE_OBJECT DeviceObject
);
BOOLEAN
SpyFastIoMdlWriteComplete (
IN PFILE_OBJECT FileObject,
IN PLARGE_INTEGER FileOffset,
IN PMDL MdlChain,
IN PDEVICE_OBJECT DeviceObject
);
BOOLEAN
SpyFastIoReadCompressed (
IN PFILE_OBJECT FileObject,
IN PLARGE_INTEGER FileOffset,
IN ULONG Length,
IN ULONG LockKey,
OUT PVOID Buffer,
OUT PMDL *MdlChain,
OUT PIO_STATUS_BLOCK IoStatus,
OUT struct _COMPRESSED_DATA_INFO *CompressedDataInfo,
IN ULONG CompressedDataInfoLength,
IN PDEVICE_OBJECT DeviceObject
);
BOOLEAN
SpyFastIoWriteCompressed (
IN PFILE_OBJECT FileObject,
IN PLARGE_INTEGER FileOffset,
IN ULONG Length,
IN ULONG LockKey,
IN PVOID Buffer,
OUT PMDL *MdlChain,
OUT PIO_STATUS_BLOCK IoStatus,
IN struct _COMPRESSED_DATA_INFO *CompressedDataInfo,
IN ULONG CompressedDataInfoLength,
IN PDEVICE_OBJECT DeviceObject
);
BOOLEAN
SpyFastIoMdlReadCompleteCompressed (
IN PFILE_OBJECT FileObject,
IN PMDL MdlChain,
IN PDEVICE_OBJECT DeviceObject
);
BOOLEAN
SpyFastIoMdlWriteCompleteCompressed (
IN PFILE_OBJECT FileObject,
IN PLARGE_INTEGER FileOffset,
IN PMDL MdlChain,
IN PDEVICE_OBJECT DeviceObject
);
BOOLEAN
SpyFastIoQueryOpen (
IN PIRP Irp,
OUT PFILE_NETWORK_OPEN_INFORMATION NetworkInformation,
IN PDEVICE_OBJECT DeviceObject
);
#if WINVER >= 0x0501 /* See comment in DriverEntry */
NTSTATUS
SpyPreFsFilterOperation (
IN PFS_FILTER_CALLBACK_DATA Data,
OUT PVOID *CompletionContext
);
VOID
SpyPostFsFilterOperation (
IN PFS_FILTER_CALLBACK_DATA Data,
IN NTSTATUS OperationStatus,
IN PVOID CompletionContext
);
#endif
NTSTATUS
SpyCommonDeviceIoControl (
IN PVOID InputBuffer OPTIONAL,
IN ULONG InputBufferLength,
OUT PVOID OutputBuffer OPTIONAL,
IN ULONG OutputBufferLength,
IN ULONG IoControlCode,
OUT PIO_STATUS_BLOCK IoStatus
);
//-----------------------------------------------------
//
// These routines are only used if Filespy is attaching
// to all volumes in the system instead of attaching to
// volumes on demand.
//
//-----------------------------------------------------
NTSTATUS
SpyFsControl (
IN PDEVICE_OBJECT DeviceObject,
IN PIRP Irp
);
NTSTATUS
SpyFsControlMountVolume (
IN PDEVICE_OBJECT DeviceObject,
IN PIRP Irp
);
VOID
SpyFsControlMountVolumeCompleteWorker (
IN PSPY_COMPLETION_CONTEXT_W2K Context
);
NTSTATUS
SpyFsControlMountVolumeComplete (
IN PDEVICE_OBJECT DeviceObject,
IN PIRP Irp,
IN PDEVICE_OBJECT NewDeviceObject
);
NTSTATUS
SpyFsControlLoadFileSystem (
IN PDEVICE_OBJECT DeviceObject,
IN PIRP Irp
);
NTSTATUS
SpyFsControlLoadFileSystemComplete (
IN PDEVICE_OBJECT DeviceObject,
IN PIRP Irp
);
VOID
SpyFsControlLoadFileSystemCompleteWorker (
IN PSPY_COMPLETION_CONTEXT_W2K Context
);
VOID
SpyFsNotification (
IN PDEVICE_OBJECT DeviceObject,
IN BOOLEAN FsActive
);
NTSTATUS
SpyMountCompletion (
IN PDEVICE_OBJECT DeviceObject,
IN PIRP Irp,
IN PVOID Context
);
NTSTATUS
SpyLoadFsCompletion (
IN PDEVICE_OBJECT DeviceObject,
IN PIRP Irp,
IN PVOID Context
);
////////////////////////////////////////////////////////////////////////
//
// Library support routines
// implemented in fspylib.c
//
////////////////////////////////////////////////////////////////////////
VOID
SpyReadDriverParameters (
IN PUNICODE_STRING RegistryPath
);
#if WINVER >= 0x0501
VOID
SpyLoadDynamicFunctions (
VOID
);
VOID
SpyGetCurrentVersion (
VOID
);
#endif
////////////////////////////////////////////////////////////////////////
//
// Memory allocation routines
// implemented in fspylib.c
//
////////////////////////////////////////////////////////////////////////
PVOID
SpyAllocateBuffer (
IN OUT PLONG Counter,
IN LONG MaxCounterValue,
OUT PULONG RecordType
);
VOID
SpyFreeBuffer (
PVOID Buffer,
PLONG Counter
);
////////////////////////////////////////////////////////////////////////
//
// Logging routines
// implemented in fspylib.c
//
////////////////////////////////////////////////////////////////////////
PRECORD_LIST
SpyNewRecord (
ULONG AssignedSequenceNumber
);
VOID
SpyFreeRecord (
PRECORD_LIST Record
);
PRECORD_LIST
SpyLogFastIoStart (
IN FASTIO_TYPE FastIoType,
IN PDEVICE_OBJECT DeviceObject,
IN PFILE_OBJECT FileObject,
IN PLARGE_INTEGER FileOffset,
IN ULONG Length,
IN BOOLEAN Wait
);
VOID
SpyLogFastIoComplete (
IN PIO_STATUS_BLOCK ReturnStatus,
IN PRECORD_LIST RecordList
);
#if WINVER >= 0x0501 /* See comment in DriverEntry */
VOID
⌨️ 快捷键说明
复制代码
Ctrl + C
搜索代码
Ctrl + F
全屏模式
F11
切换主题
Ctrl + Shift + D
显示快捷键
?
增大字号
Ctrl + =
减小字号
Ctrl + -