/*++
Copyright (c) 1989-2002 Microsoft Corporation
Module Name:
mspyLog.h
Abstract:
This module contains the structures and prototypes used by the user
program to retrieve and see the log records recorded by MiniSpy.sys.
Environment:
User mode
--*/
#ifndef __MSPYLOG_H__
#define __MSPYLOG_H__
#include <stdio.h>
#include <fltUser.h>
#include "minispy.h"
//
// Size, in bytes, of the buffer the user program uses for log records.
// NOTE(review): how it is used is not visible in this header; presumably it is
// the receive buffer for messages from the filter port — confirm in mspyLog.c.
// Whatever arrives in that buffer comes from the driver, so each record's
// stated length should be checked against the number of bytes actually
// received before the record is parsed.
//
#define BUFFER_SIZE 4096
//
// Structure for managing current state of the user-mode logger.
// Presumably one instance is shared by the two threads referred to below;
// confirm in mspyLog.c.
//
typedef struct _LOG_CONTEXT {
// Handle used to communicate with the driver.  Presumably the filter
// communication port obtained through the fltUser.h API — confirm.
HANDLE Port;
// Output selection: whether retrieved records go to the console and/or to
// OutputFile.  How the two interact when both are set is defined by the
// dump code, not here.
BOOLEAN LogToScreen;
BOOLEAN LogToFile;
// Destination stream when LogToFile is set.  Ownership (who opens and who
// closes it) is not defined in this header.
FILE *OutputFile;
// NOTE(review): relationship to LogToScreen is not defined here; looks like a
// pending value that is applied at a later point — confirm in mspyLog.c.
BOOLEAN NextLogToScreen;
//
// For synchronizing shutting down of both threads
//
// NOTE(review): CleaningUp is a plain BOOLEAN shared across threads.  If one
// thread sets it while the other polls it, the accesses should go through an
// Interlocked* routine (or the field should be marked volatile) rather than a
// plain load/store — confirm how it is used.
BOOLEAN CleaningUp;
// Presumably an event handle that is signalled once shutdown is complete;
// the header does not show what creates or waits on it — confirm.
HANDLE ShutDown;
} LOG_CONTEXT, *PLOG_CONTEXT;
//
// Function prototypes
//
/*++
Routine Description:
    Thread routine that retrieves the log records recorded by MiniSpy.sys
    (see the module abstract).  The signature matches a Win32 thread start
    routine (DWORD WINAPI, single LPVOID argument).
Arguments:
    lpParameter - Opaque thread argument.  Presumably a PLOG_CONTEXT that the
        creating thread passes in; the thread start signature forces LPVOID
        here — confirm in mspyLog.c before relying on it.
Return Value:
    Thread exit code.  The specific values returned are not defined in this
    header.
--*/
DWORD WINAPI
RetrieveLogRecords(
__in LPVOID lpParameter
);
/*++
Routine Description:
    Dumps one log record to an already opened file stream.
Arguments:
    SequenceNumber - Sequence number of the record being written.
    Name - Name associated with the record.  NOTE(review): not const-qualified
        although the routine is not expected to modify it.  Whether the string
        is guaranteed to be NUL-terminated is not stated here; since the name
        originates in a record received from the driver, the caller should
        establish the bound before passing it in — confirm in mspyLog.c.
    RecordData - The record payload.  RECORD_DATA comes from minispy.h, which is
        shared with the driver, so its layout is the driver's.
    File - Open output stream to write to.  The routine does not own it.
Return Value:
    None.
--*/
VOID
FileDump (
__in ULONG SequenceNumber,
__in WCHAR *Name,
__in PRECORD_DATA RecordData,
__in FILE *File
);
/*++
Routine Description:
    Dumps one log record to the screen (console).  Counterpart of FileDump
    without the FILE argument; the two are expected to agree on how a record
    is presented.
Arguments:
    SequenceNumber - Sequence number of the record being written.
    Name - Name associated with the record.  Same caveat as FileDump: it is
        not const-qualified, and its termination/length must be established by
        the caller since it originates in data received from the driver.
    RecordData - The record payload (RECORD_DATA from minispy.h, shared with
        the driver).
Return Value:
    None.
--*/
VOID
ScreenDump(
__in ULONG SequenceNumber,
__in WCHAR *Name,
__in PRECORD_DATA RecordData
);
//
// Values set for the Flags field in a RECORD_DATA structure.
// These flags come from the FLT_CALLBACK_DATA structure.
//
// NOTE(review): these are user-mode copies of the kernel-mode flag values the
// driver stores in RECORD_DATA.Flags.  The numeric values must stay identical
// to the driver's, so change them only together with the driver.  They are not
// guarded by #ifndef, so a system header defining the same names would cause
// a redefinition diagnostic.
//
#define FLT_CALLBACK_DATA_IRP_OPERATION 0x00000001 // Set for Irp operations
#define FLT_CALLBACK_DATA_FAST_IO_OPERATION 0x00000002 // Set for Fast Io operations
#define FLT_CALLBACK_DATA_FS_FILTER_OPERATION 0x00000004 // Set for FsFilter operations
//
// standard IRP_MJ string definitions
//
// Human-readable names for the standard IRP major function codes, presumably
// used when a record is displayed.  The mapping from a numeric major code to
// one of these strings is not part of this header.
//
#define IRP_MJ_CREATE_STRING "IRP_MJ_CREATE"
#define IRP_MJ_CREATE_NAMED_PIPE_STRING "IRP_MJ_CREATE_NAMED_PIPE"
#define IRP_MJ_CLOSE_STRING "IRP_MJ_CLOSE"
#define IRP_MJ_READ_STRING "IRP_MJ_READ"
#define IRP_MJ_WRITE_STRING "IRP_MJ_WRITE"
#define IRP_MJ_QUERY_INFORMATION_STRING "IRP_MJ_QUERY_INFORMATION"
#define IRP_MJ_SET_INFORMATION_STRING "IRP_MJ_SET_INFORMATION"
#define IRP_MJ_QUERY_EA_STRING "IRP_MJ_QUERY_EA"
#define IRP_MJ_SET_EA_STRING "IRP_MJ_SET_EA"
#define IRP_MJ_FLUSH_BUFFERS_STRING "IRP_MJ_FLUSH_BUFFERS"
#define IRP_MJ_QUERY_VOLUME_INFORMATION_STRING "IRP_MJ_QUERY_VOLUME_INFORMATION"
#define IRP_MJ_SET_VOLUME_INFORMATION_STRING "IRP_MJ_SET_VOLUME_INFORMATION"
#define IRP_MJ_DIRECTORY_CONTROL_STRING "IRP_MJ_DIRECTORY_CONTROL"
#define IRP_MJ_FILE_SYSTEM_CONTROL_STRING "IRP_MJ_FILE_SYSTEM_CONTROL"
#define IRP_MJ_DEVICE_CONTROL_STRING "IRP_MJ_DEVICE_CONTROL"
#define IRP_MJ_INTERNAL_DEVICE_CONTROL_STRING "IRP_MJ_INTERNAL_DEVICE_CONTROL"
#define IRP_MJ_SHUTDOWN_STRING "IRP_MJ_SHUTDOWN"
#define IRP_MJ_LOCK_CONTROL_STRING "IRP_MJ_LOCK_CONTROL"
#define IRP_MJ_CLEANUP_STRING "IRP_MJ_CLEANUP"
#define IRP_MJ_CREATE_MAILSLOT_STRING "IRP_MJ_CREATE_MAILSLOT"
#define IRP_MJ_QUERY_SECURITY_STRING "IRP_MJ_QUERY_SECURITY"
#define IRP_MJ_SET_SECURITY_STRING "IRP_MJ_SET_SECURITY"
#define IRP_MJ_POWER_STRING "IRP_MJ_POWER"
#define IRP_MJ_SYSTEM_CONTROL_STRING "IRP_MJ_SYSTEM_CONTROL"
#define IRP_MJ_DEVICE_CHANGE_STRING "IRP_MJ_DEVICE_CHANGE"
#define IRP_MJ_QUERY_QUOTA_STRING "IRP_MJ_QUERY_QUOTA"
#define IRP_MJ_SET_QUOTA_STRING "IRP_MJ_SET_QUOTA"
#define IRP_MJ_PNP_STRING "IRP_MJ_PNP"
// Name for the one-past-the-end value; a lookup table indexed by major code
// should treat this as the upper bound, not as a real operation.
#define IRP_MJ_MAXIMUM_FUNCTION_STRING "IRP_MJ_MAXIMUM_FUNCTION"
//
// FSFilter string definitions
//
// Names for the file-system-filter callback operations (the ones reported
// with FLT_CALLBACK_DATA_FS_FILTER_OPERATION set in the Flags field).
// Note that the two *_SECTION_SYNCHRONIZATION macros deliberately expand to
// the shorter "..._SECTION_SYNC" text, so the displayed name does not match
// the macro name one-for-one.
//
#define IRP_MJ_ACQUIRE_FOR_SECTION_SYNCHRONIZATION_STRING "IRP_MJ_ACQUIRE_FOR_SECTION_SYNC"
#define IRP_MJ_RELEASE_FOR_SECTION_SYNCHRONIZATION_STRING "IRP_MJ_RELEASE_FOR_SECTION_SYNC"
#define IRP_MJ_ACQUIRE_FOR_MOD_WRITE_STRING "IRP_MJ_ACQUIRE_FOR_MOD_WRITE"
#define IRP_MJ_RELEASE_FOR_MOD_WRITE_STRING "IRP_MJ_RELEASE_FOR_MOD_WRITE"
#define IRP_MJ_ACQUIRE_FOR_CC_FLUSH_STRING "IRP_MJ_ACQUIRE_FOR_CC_FLUSH"
#define IRP_MJ_RELEASE_FOR_CC_FLUSH_STRING "IRP_MJ_RELEASE_FOR_CC_FLUSH"
#define IRP_MJ_NOTIFY_STREAM_FO_CREATION_STRING "IRP_MJ_NOTIFY_STREAM_FO_CREATION"
//
// FAST_IO and other string definitions
//
// Names for the operations that the Filter Manager reports through its own
// pseudo major-function codes rather than real IRP major codes: fast I/O,
// MDL read/write, network query open, detach, and volume mount/dismount.
// Because those codes do not fall inside the 0..IRP_MJ_MAXIMUM_FUNCTION range,
// a table indexed directly by major code cannot hold these entries; the lookup
// (not in this header) has to handle them separately.
//
#define IRP_MJ_FAST_IO_CHECK_IF_POSSIBLE_STRING "IRP_MJ_FAST_IO_CHECK_IF_POSSIBLE"
#define IRP_MJ_DETACH_DEVICE_STRING "IRP_MJ_DETACH_DEVICE"
#define IRP_MJ_NETWORK_QUERY_OPEN_STRING "IRP_MJ_NETWORK_QUERY_OPEN"
#define IRP_MJ_MDL_READ_STRING "IRP_MJ_MDL_READ"
#define IRP_MJ_MDL_READ_COMPLETE_STRING "IRP_MJ_MDL_READ_COMPLETE"
#define IRP_MJ_PREPARE_MDL_WRITE_STRING "IRP_MJ_PREPARE_MDL_WRITE"
#define IRP_MJ_MDL_WRITE_COMPLETE_STRING "IRP_MJ_MDL_WRITE_COMPLETE"
#define IRP_MJ_VOLUME_MOUNT_STRING "IRP_MJ_VOLUME_MOUNT"
#define IRP_MJ_VOLUME_DISMOUNT_STRING "IRP_MJ_VOLUME_DISMOUNT"
//
// Strings for the Irp minor codes
//
// Names for IRP minor function codes.  The same numeric minor code means
// different things under different major codes (for example the directory
// control, lock control, PnP, power and WMI/system control families below all
// start at small values), so a code-to-string lookup must dispatch on the
// major code first and only then on the minor code.  That lookup is not part
// of this header.
//
// IRP_MJ_DIRECTORY_CONTROL minor codes.
#define IRP_MN_QUERY_DIRECTORY_STRING "IRP_MN_QUERY_DIRECTORY"
#define IRP_MN_NOTIFY_CHANGE_DIRECTORY_STRING "IRP_MN_NOTIFY_CHANGE_DIRECTORY"
// IRP_MJ_FILE_SYSTEM_CONTROL minor codes.
#define IRP_MN_USER_FS_REQUEST_STRING "IRP_MN_USER_FS_REQUEST"
#define IRP_MN_MOUNT_VOLUME_STRING "IRP_MN_MOUNT_VOLUME"
#define IRP_MN_VERIFY_VOLUME_STRING "IRP_MN_VERIFY_VOLUME"
#define IRP_MN_LOAD_FILE_SYSTEM_STRING "IRP_MN_LOAD_FILE_SYSTEM"
#define IRP_MN_TRACK_LINK_STRING "IRP_MN_TRACK_LINK"
// IRP_MJ_LOCK_CONTROL minor codes.
#define IRP_MN_LOCK_STRING "IRP_MN_LOCK"
#define IRP_MN_UNLOCK_SINGLE_STRING "IRP_MN_UNLOCK_SINGLE"
#define IRP_MN_UNLOCK_ALL_STRING "IRP_MN_UNLOCK_ALL"
#define IRP_MN_UNLOCK_ALL_BY_KEY_STRING "IRP_MN_UNLOCK_ALL_BY_KEY"
// IRP_MJ_READ / IRP_MJ_WRITE minor codes (cache-manager and MDL variants).
#define IRP_MN_NORMAL_STRING "IRP_MN_NORMAL"
#define IRP_MN_DPC_STRING "IRP_MN_DPC"
#define IRP_MN_MDL_STRING "IRP_MN_MDL"
#define IRP_MN_COMPLETE_STRING "IRP_MN_COMPLETE"
#define IRP_MN_COMPRESSED_STRING "IRP_MN_COMPRESSED"
#define IRP_MN_MDL_DPC_STRING "IRP_MN_MDL_DPC"
#define IRP_MN_COMPLETE_MDL_STRING "IRP_MN_COMPLETE_MDL"
#define IRP_MN_COMPLETE_MDL_DPC_STRING "IRP_MN_COMPLETE_MDL_DPC"
// IRP_MJ_INTERNAL_DEVICE_CONTROL minor code.
#define IRP_MN_SCSI_CLASS_STRING "IRP_MN_SCSI_CLASS"
// IRP_MJ_PNP minor codes.
#define IRP_MN_START_DEVICE_STRING "IRP_MN_START_DEVICE"
#define IRP_MN_QUERY_REMOVE_DEVICE_STRING "IRP_MN_QUERY_REMOVE_DEVICE"
#define IRP_MN_REMOVE_DEVICE_STRING "IRP_MN_REMOVE_DEVICE"
#define IRP_MN_CANCEL_REMOVE_DEVICE_STRING "IRP_MN_CANCEL_REMOVE_DEVICE"
#define IRP_MN_STOP_DEVICE_STRING "IRP_MN_STOP_DEVICE"
#define IRP_MN_QUERY_STOP_DEVICE_STRING "IRP_MN_QUERY_STOP_DEVICE"
#define IRP_MN_CANCEL_STOP_DEVICE_STRING "IRP_MN_CANCEL_STOP_DEVICE"
#define IRP_MN_QUERY_DEVICE_RELATIONS_STRING "IRP_MN_QUERY_DEVICE_RELATIONS"
#define IRP_MN_QUERY_INTERFACE_STRING "IRP_MN_QUERY_INTERFACE"
#define IRP_MN_QUERY_CAPABILITIES_STRING "IRP_MN_QUERY_CAPABILITIES"
#define IRP_MN_QUERY_RESOURCES_STRING "IRP_MN_QUERY_RESOURCES"
#define IRP_MN_QUERY_RESOURCE_REQUIREMENTS_STRING "IRP_MN_QUERY_RESOURCE_REQUIREMENTS"
#define IRP_MN_QUERY_DEVICE_TEXT_STRING "IRP_MN_QUERY_DEVICE_TEXT"
#define IRP_MN_FILTER_RESOURCE_REQUIREMENTS_STRING "IRP_MN_FILTER_RESOURCE_REQUIREMENTS"
#define IRP_MN_READ_CONFIG_STRING "IRP_MN_READ_CONFIG"
#define IRP_MN_WRITE_CONFIG_STRING "IRP_MN_WRITE_CONFIG"
#define IRP_MN_EJECT_STRING "IRP_MN_EJECT"
#define IRP_MN_SET_LOCK_STRING "IRP_MN_SET_LOCK"
#define IRP_MN_QUERY_ID_STRING "IRP_MN_QUERY_ID"
#define IRP_MN_QUERY_PNP_DEVICE_STATE_STRING "IRP_MN_QUERY_PNP_DEVICE_STATE"
#define IRP_MN_QUERY_BUS_INFORMATION_STRING "IRP_MN_QUERY_BUS_INFORMATION"
#define IRP_MN_DEVICE_USAGE_NOTIFICATION_STRING "IRP_MN_DEVICE_USAGE_NOTIFICATION"
#define IRP_MN_SURPRISE_REMOVAL_STRING "IRP_MN_SURPRISE_REMOVAL"
#define IRP_MN_QUERY_LEGACY_BUS_INFORMATION_STRING "IRP_MN_QUERY_LEGACY_BUS_INFORMATION"
// IRP_MJ_POWER minor codes.
#define IRP_MN_WAIT_WAKE_STRING "IRP_MN_WAIT_WAKE"
#define IRP_MN_POWER_SEQUENCE_STRING "IRP_MN_POWER_SEQUENCE"
#define IRP_MN_SET_POWER_STRING "IRP_MN_SET_POWER"
#define IRP_MN_QUERY_POWER_STRING "IRP_MN_QUERY_POWER"
// IRP_MJ_SYSTEM_CONTROL (WMI) minor codes.
#define IRP_MN_QUERY_ALL_DATA_STRING "IRP_MN_QUERY_ALL_DATA"
#define IRP_MN_QUERY_SINGLE_INSTANCE_STRING "IRP_MN_QUERY_SINGLE_INSTANCE"
#define IRP_MN_CHANGE_SINGLE_INSTANCE_STRING "IRP_MN_CHANGE_SINGLE_INSTANCE"
#define IRP_MN_CHANGE_SINGLE_ITEM_STRING "IRP_MN_CHANGE_SINGLE_ITEM"
#define IRP_MN_ENABLE_EVENTS_STRING "IRP_MN_ENABLE_EVENTS"
#define IRP_MN_DISABLE_EVENTS_STRING "IRP_MN_DISABLE_EVENTS"
#define IRP_MN_ENABLE_COLLECTION_STRING "IRP_MN_ENABLE_COLLECTION"
#define IRP_MN_DISABLE_COLLECTION_STRING "IRP_MN_DISABLE_COLLECTION"
#define IRP_MN_REGINFO_STRING "IRP_MN_REGINFO"
#define IRP_MN_EXECUTE_METHOD_STRING "IRP_MN_EXECUTE_METHOD"
//
// Transaction notification string definitions.
//