SpyLogPreFsFilterOperation (
IN PFS_FILTER_CALLBACK_DATA Data,
OUT PRECORD_LIST RecordList
);
//
// SpyLogPostFsFilterOperation - post-operation counterpart of
// SpyLogPreFsFilterOperation (declared immediately above). Takes the
// NTSTATUS the FsFilter operation completed with and fills in RecordList.
//
VOID
SpyLogPostFsFilterOperation (
IN NTSTATUS OperationStatus,
OUT PRECORD_LIST RecordList
);
#endif
//
// SpyAttachDeviceToDeviceStack - attaches SourceDevice to the stack that
// TargetDevice belongs to. AttachedToDeviceObject is IN OUT; presumably it
// receives the device object we actually ended up attached to (which need
// not be TargetDevice itself) - confirm against the implementation.
//
NTSTATUS
SpyAttachDeviceToDeviceStack (
IN PDEVICE_OBJECT SourceDevice,
IN PDEVICE_OBJECT TargetDevice,
IN OUT PDEVICE_OBJECT *AttachedToDeviceObject
);
//
// SpyLog - hands a completed record to the log. NOTE(review): ownership of
// NewRecord after this call (who frees it, and on which return codes) is
// not stated in this header; confirm before freeing on the caller's side.
//
NTSTATUS
SpyLog (
IN PRECORD_LIST NewRecord
);
////////////////////////////////////////////////////////////////////////
//
// FileName cache routines
// implemented in fspylib.c
//
////////////////////////////////////////////////////////////////////////
//
// SpyQueryInformationFile - issues a file information query of class
// FileInformationClass for FileObject to NextDeviceObject (presumably the
// next-lower device in the stack). FileInformation is a caller-supplied
// buffer of Length bytes; LengthReturned, when provided, receives the
// number of bytes produced. Length must describe the real size of
// FileInformation - the bounds handling itself lives in fspylib.c.
//
NTSTATUS
SpyQueryInformationFile (
IN PDEVICE_OBJECT NextDeviceObject,
IN PFILE_OBJECT FileObject,
OUT PVOID FileInformation,
IN ULONG Length,
IN FILE_INFORMATION_CLASS FileInformationClass,
OUT PULONG LengthReturned OPTIONAL
);
//
// SpyQueryCompletion - IRP completion routine shape (DeviceObject, Irp,
// context) whose context is a PKEVENT. Presumably it signals
// SynchronizingEvent so a waiter in SpyQueryInformationFile can proceed -
// confirm in fspylib.c.
//
NTSTATUS
SpyQueryCompletion (
IN PDEVICE_OBJECT DeviceObject,
IN PIRP Irp,
IN PKEVENT SynchronizingEvent
);
////////////////////////////////////////////////////////////////////////
//
// Common attachment and detachment routines
// implemented in fspylib.c
//
////////////////////////////////////////////////////////////////////////
//
// SpyIsAttachedToDeviceByName - looks for an existing attachment by device
// name. All three pointer outputs are IN OUT: *IsAttached reports the
// result, *StackDeviceObject and *OurAttachedDeviceObject receive the
// related device objects (exact contents are defined in fspylib.c).
//
NTSTATUS
SpyIsAttachedToDeviceByName (
IN PNAME_CONTROL DeviceName,
IN OUT PBOOLEAN IsAttached,
IN OUT PDEVICE_OBJECT *StackDeviceObject,
IN OUT PDEVICE_OBJECT *OurAttachedDeviceObject
);
//
// SpyIsAttachedToDevice - returns TRUE if FileSpy is attached somewhere on
// DeviceObject's stack and stores that device in *AttachedDeviceObject.
// Presumably dispatches to one of the OS-specific versions below: the W2K
// variant is always built, the WXP-and-later one only when
// WINVER >= 0x0501.
// Style note: these three declarations omit the IN/OUT annotations used on
// every other prototype in this header.
//
BOOLEAN
SpyIsAttachedToDevice (
PDEVICE_OBJECT DeviceObject,
PDEVICE_OBJECT *AttachedDeviceObject
);
BOOLEAN
SpyIsAttachedToDeviceW2K (
PDEVICE_OBJECT DeviceObject,
PDEVICE_OBJECT *AttachedDeviceObject
);
#if WINVER >= 0x0501
BOOLEAN
SpyIsAttachedToDeviceWXPAndLater (
PDEVICE_OBJECT DeviceObject,
PDEVICE_OBJECT *AttachedDeviceObject
);
#endif
//
// SpyAttachToMountedDevice - attaches FilespyDeviceObject (our filter
// device) to the mounted volume DeviceObject.
// SpyCleanupMountedDevice - tears down whatever the attach set up for
// DeviceObject; returns nothing, so failures are not reported to callers.
//
NTSTATUS
SpyAttachToMountedDevice (
IN PDEVICE_OBJECT DeviceObject,
IN PDEVICE_OBJECT FilespyDeviceObject
);
VOID
SpyCleanupMountedDevice (
IN PDEVICE_OBJECT DeviceObject
);
////////////////////////////////////////////////////////////////////////
//
// Helper routine for turning on/off logging on demand
// implemented in fspylib.c
//
////////////////////////////////////////////////////////////////////////
//
// SpyGetDeviceObjectFromName - resolves DeviceName to a device object and
// stores it in *DeviceObject. NOTE(review): per the banner above this
// serves on-demand logging, so DeviceName presumably originates from a
// user request; confirm the caller has validated the UNICODE_STRING
// (Buffer/Length consistent, Length even) before it reaches this routine.
//
NTSTATUS
SpyGetDeviceObjectFromName (
IN PUNICODE_STRING DeviceName,
OUT PDEVICE_OBJECT *DeviceObject
);
////////////////////////////////////////////////////////////////////////
//
// Start/stop logging routines and helper functions
// implemented in fspylib.c
//
////////////////////////////////////////////////////////////////////////
//
// SpyAttachToDeviceOnDemand - attaches FileSpy to DeviceObject on request.
// UserDeviceName is the name the user asked for; *FileSpyDeviceObject is
// IN OUT and presumably receives our filter device - confirm.
// Presumably dispatches to the W2K or WXP-and-later variant below (the
// latter only exists when WINVER >= 0x0501).
//
NTSTATUS
SpyAttachToDeviceOnDemand (
IN PDEVICE_OBJECT DeviceObject,
IN PNAME_CONTROL UserDeviceName,
IN OUT PDEVICE_OBJECT *FileSpyDeviceObject
);
NTSTATUS
SpyAttachToDeviceOnDemandW2K (
IN PDEVICE_OBJECT DeviceObject,
IN PNAME_CONTROL UserDeviceName,
IN OUT PDEVICE_OBJECT *FileSpyDeviceObject
);
#if WINVER >= 0x0501
NTSTATUS
SpyAttachToDeviceOnDemandWXPAndLater (
IN PDEVICE_OBJECT DeviceObject,
IN PNAME_CONTROL UserDeviceName,
IN OUT PDEVICE_OBJECT *FileSpyDeviceObject
);
#endif
//
// SpyStartLoggingDevice / SpyStopLoggingDevice - entry points for turning
// logging on or off for the device named by the caller. The name is a
// bare PWSTR with no length, so the callee has to rely on NUL termination.
// NOTE(review): the "User" prefix suggests the string comes from a
// user-mode request; confirm the request path guarantees termination
// inside the supplied buffer before these are called.
// Style: the parameter is spelled UserDeviceName in one declaration and
// deviceName in the other.
//
NTSTATUS
SpyStartLoggingDevice (
PWSTR UserDeviceName
);
NTSTATUS
SpyStopLoggingDevice (
PWSTR deviceName
);
////////////////////////////////////////////////////////////////////////
//
// Routines for attaching to / detaching from all volumes in the system
// implemented in fspylib.c
//
////////////////////////////////////////////////////////////////////////
//
// SpyAttachToFileSystemDevice - attaches to the file system device
// DeviceObject; Name is presumably used for the attachment's name tracking
// (see the device name routines further down) - confirm.
// SpyDetachFromFileSystemDevice - reverses that attachment.
// SpyEnumerateFileSystemVolumes - enumerates the volumes belonging to
// FSDeviceObject; declared only for WXP and later (WINVER >= 0x0501).
//
NTSTATUS
SpyAttachToFileSystemDevice (
IN PDEVICE_OBJECT DeviceObject,
IN PNAME_CONTROL Name
);
VOID
SpyDetachFromFileSystemDevice (
IN PDEVICE_OBJECT DeviceObject
);
#if WINVER >= 0x0501
NTSTATUS
SpyEnumerateFileSystemVolumes (
IN PDEVICE_OBJECT FSDeviceObject
);
#endif
////////////////////////////////////////////////////////////////////////
//
// Private Filespy IOCTLs helper routines
// implemented in fspylib.c
//
////////////////////////////////////////////////////////////////////////
//
// SpyGetAttachList - fills buffer (bufferSize bytes) with the list of
// devices FileSpy is attached to and reports the bytes produced through
// *returnLength. NOTE(review): per the banner above these back private
// IOCTLs, so buffer is the IOCTL output buffer; whether it is a system
// copy (METHOD_BUFFERED) or raw user memory is not visible here - either
// way the implementation must never write beyond bufferSize, and
// *returnLength must not exceed it.
// Style: this prototype uses lowercase parameter names and no IN/OUT
// annotations, unlike SpyGetLog right below it.
//
NTSTATUS
SpyGetAttachList (
PVOID buffer,
ULONG bufferSize,
PULONG_PTR returnLength
);
//
// SpyGetLog - copies pending log records into OutputBuffer, bounded by
// OutputBufferLength. There is no return value; presumably the status and
// the byte count go into *IoStatus (Status / Information) - confirm.
//
VOID
SpyGetLog (
OUT PVOID OutputBuffer,
IN ULONG OutputBufferLength,
OUT PIO_STATUS_BLOCK IoStatus
);
//
// SpyCloseControlDevice - presumably invoked when the control device
// handle is closed; takes no arguments and reports nothing.
//
VOID
SpyCloseControlDevice (
VOID
);
////////////////////////////////////////////////////////////////////////
//
// Device name tracking helper routines
// implemented in fspylib.c
//
////////////////////////////////////////////////////////////////////////
//
// SpyGetBaseDeviceObjectName - obtains the name of the base device object
// underneath DeviceObject into the caller's NAME_CONTROL (IN OUT, so the
// caller presumably supplies an initialized Name - confirm).
// SpyCacheDeviceName - records DeviceObject's name for later lookups.
// SpyFindSubString - TRUE if SubString occurs within String; both are
// counted UNICODE_STRINGs.
// SpyStoreUserName - saves UserName into DeviceExtension.
//
NTSTATUS
SpyGetBaseDeviceObjectName (
IN PDEVICE_OBJECT DeviceObject,
IN OUT PNAME_CONTROL Name
);
VOID
SpyCacheDeviceName (
IN PDEVICE_OBJECT DeviceObject
);
BOOLEAN
SpyFindSubString (
IN PUNICODE_STRING String,
IN PUNICODE_STRING SubString
);
VOID
SpyStoreUserName (
IN PFILESPY_DEVICE_EXTENSION DeviceExtension,
IN PNAME_CONTROL UserName
);
////////////////////////////////////////////////////////////////////////
//
// Debug support routines
// implemented in fspylib.c
//
////////////////////////////////////////////////////////////////////////
//
// Debug dump helpers. Each takes a BOOLEAN saying which side of the
// operation we are on (originating/pre vs. completion/post) plus the
// operation itself: an IRP, a FASTIO_TYPE, or - on WXP and later only,
// see the DriverEntry comment referenced on the #if - the FsFilter
// callback data. Debug output only; none of these return anything.
//
VOID
SpyDumpIrpOperation (
IN BOOLEAN InOriginatingPath,
IN PIRP Irp
);
VOID
SpyDumpFastIoOperation (
IN BOOLEAN InPreOperation,
IN FASTIO_TYPE FastIoOperation
);
#if WINVER >= 0x0501 /* See comment in DriverEntry */
VOID
SpyDumpFsFilterOperation (
IN BOOLEAN InPreOperationCallback,
IN PFS_FILTER_CALLBACK_DATA Data
);
#endif
////////////////////////////////////////////////////////////////////////
//
// COMMON Naming Routines
//
// Commonly named routines that are implemented differently by the name
// Context and name Hashing variants
//
////////////////////////////////////////////////////////////////////////
//
// Naming environment lifecycle: SpyInitNamingEnvironment takes no device,
// so it presumably runs once per driver; SpyInitDeviceNamingEnvironment /
// SpyCleanupDeviceNamingEnvironment run once per filter device.
//
VOID
SpyInitNamingEnvironment (
VOID
);
VOID
SpyInitDeviceNamingEnvironment (
IN PDEVICE_OBJECT DeviceObject
);
VOID
SpyCleanupDeviceNamingEnvironment (
IN PDEVICE_OBJECT DeviceObject
);
//
// SpySetName - fills RecordList's name for FileObject on DeviceObject.
// LookupFlags is declared as ULONG here, whereas SpyCreateContext and
// SpyGetContext (stream-context build, below) take NAME_LOOKUP_FLAGS for
// the same purpose; a style point worth unifying.
// Context is optional and presumably carries whatever the active naming
// implementation (context or hash) needs - confirm per implementation.
//
VOID
SpySetName (
IN PRECORD_LIST RecordList,
IN PDEVICE_OBJECT DeviceObject,
IN PFILE_OBJECT FileObject,
IN ULONG LookupFlags,
IN PVOID Context OPTIONAL
);
//
// SpyNameDeleteAllNames - drops every cached name.
//
VOID
SpyNameDeleteAllNames (
VOID
);
//
// SpyLogIrp / SpyLogIrpCompletion - record an IRP at dispatch and at
// completion into RecordList. Note that RecordList is annotated OUT in
// the first declaration and left unannotated in the second.
//
VOID
SpyLogIrp (
IN PIRP Irp,
OUT PRECORD_LIST RecordList
);
VOID
SpyLogIrpCompletion (
IN PIRP Irp,
PRECORD_LIST RecordList
);
#if USE_STREAM_CONTEXTS
////////////////////////////////////////////////////////////////////////
//
// Stream Context name routines
// implemented in fspyCtx.c
//
////////////////////////////////////////////////////////////////////////
//
// Context specific flags: bit values OR'ed into SPY_STREAM_CONTEXT.Flags.
// Per that field's comment they are changed with the interlocked bit
// routines after creation, so each value is a single, distinct bit.
//
typedef enum _CTX_FLAGS {
//
// If set, then we are currently linked into the device extension linked
// list.
//
CTXFL_InExtensionList = 0x00000001,
//
// If set, then we are linked into the stream list. Note that there is
// a small period of time when we might be unlinked with this flag still
// set (when the file system is calling SpyDeleteContextCallback). This is
// fine because we still handle not being found in the list when we do
// the search. This flag handles the case when the file has been
// completely closed (and the memory freed) on us.
//
CTXFL_InStreamList = 0x00000002,
//
// If set, this is a temporary context and should not be linked into
// any of the context lists. It will be freed as soon as the user is
// done with this operation.
//
CTXFL_Temporary = 0x00000100,
//
// If set, we are performing a significant operation that affects the state
// of this context so we should not use it. If someone tries to get this
// context then create a temporary context and return it. Cases where this
// occurs:
// - Source file of a rename.
// - Source file for the creation of a hardlink
//
CTXFL_DoNotUse = 0x00000200
} CTX_FLAGS, *PCTX_FLAGS;
//
// Structure for tracking an individual stream context. Note that the buffer
// for the FileName is allocated as part of this structure and follows
// immediately after it, so one ExFreePool (see SpyFreeContext) releases
// both.
//
typedef struct _SPY_STREAM_CONTEXT
{
//
// OS Structure used to track contexts per stream. Note how we use
// the following fields:
// OwnerID -> Holds pointer to our DeviceExtension
// InstanceId -> Holds Pointer to FsContext associated
// with this structure
// We use these values to get back to these structures
//
FSRTL_PER_STREAM_CONTEXT ContextCtrl;
//
// Linked list used to track contexts per device (in our device
// extension).
//
LIST_ENTRY ExtensionLink;
//
// This is a counter of how many threads are currently using this
// context. The count is used in this way:
// - It is set to 1 when it is created.
// - It is incremented every time it is returned to a thread
// - It is decremented when the thread is done with it.
// - It is decremented when the underlying stream that is using it is freed
// - The context is deleted when this count goes to zero
// NOTE(review): declared as a plain LONG, so the increment/decrement
// discipline above is by convention; confirm the implementation uses the
// interlocked routines, since a missed decrement leaks and an extra one
// frees a context still in use.
//
LONG UseCount;
//
// Holds the name of the file. Per the structure comment, Buffer points
// into the storage allocated immediately after this structure.
//
UNICODE_STRING Name;
//
// Flags for this context. All flags are set or cleared via
// the interlocked bit routines except when the entry is being
// created, at this time we know nobody is using this entry.
//
CTX_FLAGS Flags;
//
// Contains the FsContext value for the stream we are attached to. We
// track this so we can delete this entry at any time.
//
PFSRTL_ADVANCED_FCB_HEADER Stream;
} SPY_STREAM_CONTEXT, *PSPY_STREAM_CONTEXT;
//
// Macros for locking the context lock (CtxLock in the device extension).
// The TRUE argument is presumably the Wait flag of the underlying resource
// acquire - confirm against SpyAcquireResourceShared/Exclusive. Every
// acquire must be paired with SpyReleaseContextLock on all exit paths.
//
#define SpyAcquireContextLockShared(_devext) \
SpyAcquireResourceShared( &(_devext)->CtxLock, TRUE )
#define SpyAcquireContextLockExclusive(_devext) \
SpyAcquireResourceExclusive( &(_devext)->CtxLock, TRUE )
#define SpyReleaseContextLock(_devext) \
SpyReleaseResource( &(_devext)->CtxLock )
//
// SpyDeleteAllContexts - removes every context tracked by DeviceObject.
// SpyDeleteContext - removes the single context pContext.
// SpyLinkContext - links *ppContext for FileObject into the lists; the
// pointer is IN OUT, so the callee may presumably replace it (e.g. with an
// already linked context) - confirm.
//
VOID
SpyDeleteAllContexts (
IN PDEVICE_OBJECT DeviceObject
);
VOID
SpyDeleteContext (
IN PDEVICE_OBJECT DeviceObject,
IN PSPY_STREAM_CONTEXT pContext
);
VOID
SpyLinkContext (
IN PDEVICE_OBJECT DeviceObject,
IN PFILE_OBJECT FileObject,
IN OUT PSPY_STREAM_CONTEXT *ppContext
);
//
// SpyCreateContext - allocates a new context for FileObject and returns it
// in *pRetContext. Per the UseCount comment above, a freshly created
// context starts with UseCount == 1.
//
NTSTATUS
SpyCreateContext (
IN PDEVICE_OBJECT DeviceObject,
IN PFILE_OBJECT FileObject,
IN NAME_LOOKUP_FLAGS LookupFlags,
OUT PSPY_STREAM_CONTEXT *pRetContext
);
//
// SpyFreeContext - releases the context memory. This is an expression
// macro (comma operator), so it can sit where an expression is expected;
// pCtx is evaluated twice, so pass a plain lvalue with no side effects.
// NOTE(review): ASSERT is typically compiled out on free (non-DBG)
// builds, in which case a context freed with UseCount != 0 is not caught
// at all - confirm how ASSERT is defined for this driver, since such a
// miss could surface as a use-after-free through the list links.
//
#define SpyFreeContext( pCtx ) \
(ASSERT((pCtx)->UseCount == 0), \
ExFreePool( (pCtx) ))
//
// SpyGetContext - returns the context for pFileObject in *pRetContext,
// creating one if needed (see CTXFL_DoNotUse for when a temporary one is
// handed out instead). The caller owns one UseCount reference and must
// call SpyReleaseContext when done.
// SpyFindExistingContext - lookup only; returns the context or, inferred
// from the pointer return type, NULL when none exists - confirm whether
// the returned context carries a reference.
// SpyReleaseContext - drops the caller's reference on pContext; per the
// UseCount comment the context is deleted when the count reaches zero.
//
NTSTATUS
SpyGetContext (
IN PDEVICE_OBJECT DeviceObject,
IN PFILE_OBJECT pFileObject,
IN NAME_LOOKUP_FLAGS LookupFlags,
OUT PSPY_STREAM_CONTEXT *pRetContext
);
PSPY_STREAM_CONTEXT
SpyFindExistingContext (
IN PDEVICE_OBJECT DeviceObject,
IN PFILE_OBJECT FileObject
);
VOID
SpyReleaseContext (
IN PSPY_STREAM_CONTEXT pContext
);
#endif
#if !USE_STREAM_CONTEXTS
////////////////////////////////////////////////////////////////////////
//
// Name Hash support routines
// implemented in fspyHash.c
//
////////////////////////////////////////////////////////////////////////
//
// One cached FileObject -> Name mapping, chained through List within a
// hash bucket (see SpyHashBucketLookup). Where Name.Buffer is allocated
// and who frees it is not stated here; see fspyHash.c.
//
typedef struct _HASH_ENTRY {
LIST_ENTRY List;
PFILE_OBJECT FileObject;
UNICODE_STRING Name;
} HASH_ENTRY, *PHASH_ENTRY;
//
// SpyHashBucketLookup - scans the bucket chain headed by ListHead for the
// entry whose FileObject matches and returns it; NULL on a miss is
// inferred from the pointer return type - confirm in fspyHash.c.
// SpyNameLookup - fills RecordList's name for FileObject using the hash
// kept in DeviceExtension; LookupFlags is ULONG here, as in SpySetName.
// SpyNameDelete - removes the cached entry for FileObject. NOTE(review):
// the key is the FILE_OBJECT address, so if a delete were missed on some
// close path a later file object allocated at the same address would
// inherit a stale name; confirm this runs on every cleanup/close path.
//
PHASH_ENTRY
SpyHashBucketLookup (
PLIST_ENTRY ListHead,
PFILE_OBJECT FileObject
);
VOID
SpyNameLookup (
IN PRECORD_LIST RecordList,
IN PFILE_OBJECT FileObject,
IN ULONG LookupFlags,
IN PFILESPY_DEVICE_EXTENSION DeviceExtension
);
VOID
SpyNameDelete (
IN PFILE_OBJECT FileObject
);
#endif
//
// Include definitions
//
#include "fspydef.h"
#endif /* __FSPYKERN_H__ */