📄 fspyhash.c
字号:
//
// If the operation was successful and it was a rename, always
// remove the name. They can re-get it next time.
//
if (NT_SUCCESS(Irp->IoStatus.Status) &&
(FileRenameInformation ==
pIrpStack->Parameters.SetFile.FileInformationClass)) {
SpyNameDelete(pIrpStack->FileObject);
}
break;
}
}
////////////////////////////////////////////////////////////////////////
//
// FileName cache routines
//
////////////////////////////////////////////////////////////////////////
PHASH_ENTRY
SpyHashBucketLookup (
IN PLIST_ENTRY ListHead,
IN PFILE_OBJECT FileObject
)
/*++
Routine Description:
This routine looks up the FileObject in the give hash bucket. This routine
does NOT lock the hash bucket; it must be locked by the caller.
Arguments:
ListHead - hash list to search
FileObject - the FileObject to look up.
Return Value:
A pointer to the hash table entry. NULL if not found
--*/
{
PHASH_ENTRY pHash;
PLIST_ENTRY pList;
pList = ListHead->Flink;
while (pList != ListHead){
pHash = CONTAINING_RECORD( pList, HASH_ENTRY, List );
if (FileObject == pHash->FileObject) {
return pHash;
}
pList = pList->Flink;
}
return NULL;
}
VOID
SpySetName (
IN PRECORD_LIST RecordList,
IN PDEVICE_OBJECT DeviceObject,
IN PFILE_OBJECT FileObject,
IN ULONG LookupFlags,
IN PVOID Context OPTIONAL
)
/*++
Routine Description:
This routine looks up the FileObject in the hash table. If the FileObject
is found in the hash table, copy the associated file name to RecordList.
Otherwise, calls NLGetFullPathName to try to get the name of the FileObject.
If successful, copy the file name to the RecordList and insert into hash
table.
Arguments:
RecordList - RecordList to copy name to.
FileObject - the FileObject to look up.
LookInFileObject - see routine description
DeviceExtension - contains the volume name (e.g., "c:") and
the next device object which may be needed.
Return Value:
None.
--*/
{
PFILESPY_DEVICE_EXTENSION devExt = DeviceObject->DeviceExtension;
UINT_PTR hashIndex;
KIRQL oldIrql;
PHASH_ENTRY pHash;
PHASH_ENTRY newHash;
PLIST_ENTRY listHead;
PNAME_CONTROL newName = NULL;
PCHAR buffer = NULL;
NTSTATUS status;
BOOLEAN cacheName;
UNREFERENCED_PARAMETER( Context );
try {
if (FileObject == NULL) {
SpyCopyFileNameToLogRecord( &RecordList->LogRecord, &gEmptyUnicode );
leave;
}
hashIndex = HASH_FUNC(FileObject);
INC_STATS(TotalContextSearches);
listHead = &gHashTable[hashIndex];
//
// Don't bother checking the hash if we are in create, we must always
// generate a name.
//
if (!FlagOn(LookupFlags, NLFL_IN_CREATE)) {
//
// Acquire the hash lock
//
KeAcquireSpinLock( &gHashLockTable[hashIndex], &oldIrql );
pHash = SpyHashBucketLookup( &gHashTable[hashIndex], FileObject );
if (pHash != NULL) {
//
// Copy the found file name to the LogRecord
//
SpyCopyFileNameToLogRecord( &RecordList->LogRecord, &pHash->Name );
KeReleaseSpinLock( &gHashLockTable[hashIndex], oldIrql );
INC_STATS( TotalContextFound );
leave;
}
KeReleaseSpinLock( &gHashLockTable[hashIndex], oldIrql );
}
#if WINVER >= 0x0501
//
// We can not allocate paged pool if this is a paging file. If it is
// a paging file set a default name and return
//
if (FsRtlIsPagingFile( FileObject )) {
SpyCopyFileNameToLogRecord( &RecordList->LogRecord, &PagingFile );
leave;
}
#endif
//
// We did not find the name in the hash. Allocate name control buffer
// (for getting name) and a buffer for inserting this name into the
// hash.
//
buffer = SpyAllocateBuffer( &gNamesAllocated, gMaxNamesToAllocate, NULL );
status = NLAllocateNameControl( &newName, &gFileSpyNameBufferLookasideList );
if ((buffer != NULL) && NT_SUCCESS(status)) {
//
// Init the new hash entry in case we need to use it
//
newHash = (PHASH_ENTRY)buffer;
RtlInitEmptyUnicodeString( &newHash->Name,
(PWCHAR)(buffer + sizeof(HASH_ENTRY)),
RECORD_SIZE - sizeof(HASH_ENTRY) );
//
// Retrieve the name
//
status = NLGetFullPathName( FileObject,
newName,
&devExt->NLExtHeader,
LookupFlags | NLFL_USE_DOS_DEVICE_NAME,
&gFileSpyNameBufferLookasideList,
&cacheName );
if (NT_SUCCESS( status ) && cacheName) {
//
// We got a name and the name should be cached, save it in the
// log record and the hash buffer.
//
SpyCopyFileNameToLogRecord( &RecordList->LogRecord, &newName->Name );
RtlCopyUnicodeString( &newHash->Name, &newName->Name );
newHash->FileObject = FileObject;
//
// Acquire the hash lock
//
KeAcquireSpinLock( &gHashLockTable[hashIndex], &oldIrql );
//
// Search again because it may have been stored in the hash table
// since we did our last search and dropped the lock.
//
pHash = SpyHashBucketLookup( &gHashTable[hashIndex], FileObject );
if (pHash != NULL) {
//
// We found it in the hash table this time, don't need to
// cache it again.
//
KeReleaseSpinLock( &gHashLockTable[hashIndex], oldIrql );
leave;
}
//
// It not found in the hash, add the new entry.
//
InsertHeadList( listHead, &newHash->List );
gHashCurrentCounters[hashIndex]++;
if (gHashCurrentCounters[hashIndex] > gHashMaxCounters[hashIndex]) {
gHashMaxCounters[hashIndex] = gHashCurrentCounters[hashIndex];
}
//
// Since we inserted the new hash entry, mark the buffer as empty
// so we won't try and free it
//
buffer = NULL;
KeReleaseSpinLock( &gHashLockTable[hashIndex], oldIrql );
} else {
//
// Either the name should not be cached or we couldn't get a
// name, return whatever name they gave us
//
SpyCopyFileNameToLogRecord( &RecordList->LogRecord, &newName->Name );
INC_STATS( TotalContextTemporary );
}
} else {
//
// Set a default string even if there is no buffer.
//
SpyCopyFileNameToLogRecord( &RecordList->LogRecord, &OutOfBuffers );
}
} finally {
//
// Free memory
//
if (buffer != NULL) {
SpyFreeBuffer( buffer, &gNamesAllocated );
}
if (newName != NULL) {
NLFreeNameControl( newName, &gFileSpyNameBufferLookasideList );
}
}
}
VOID
SpyNameDeleteAllNames (
VOID
)
/*++
Routine Description:
This will free all entries from the hash table
Arguments:
None
Return Value:
None
--*/
{
KIRQL oldIrql;
PHASH_ENTRY pHash;
PLIST_ENTRY pList;
ULONG i;
INC_STATS( TotalContextDeleteAlls );
for (i=0; i<HASH_SIZE; i++) {
KeAcquireSpinLock( &gHashLockTable[i], &oldIrql );
while (!IsListEmpty( &gHashTable[i] )) {
pList = RemoveHeadList( &gHashTable[i] );
pHash = CONTAINING_RECORD( pList, HASH_ENTRY, List );
SpyFreeBuffer( pHash, &gNamesAllocated );
}
gHashCurrentCounters[i] = 0;
KeReleaseSpinLock( &gHashLockTable[i], oldIrql );
}
}
VOID
SpyNameDelete (
IN PFILE_OBJECT FileObject
)
/*++
Routine Description:
This routine looks up the FileObject in the hash table. If it is found,
it deletes it and frees the memory.
Arguments:
FileObject - the FileObject to look up.
Return Value:
None
--*/
{
UINT_PTR hashIndex;
KIRQL oldIrql;
PHASH_ENTRY pHash;
PLIST_ENTRY pList;
PLIST_ENTRY listHead;
hashIndex = HASH_FUNC(FileObject);
KeAcquireSpinLock( &gHashLockTable[hashIndex], &oldIrql );
listHead = &gHashTable[hashIndex];
pList = listHead->Flink;
while (pList != listHead) {
pHash = CONTAINING_RECORD( pList, HASH_ENTRY, List );
if (FileObject == pHash->FileObject) {
INC_STATS( TotalContextNonDeferredFrees );
gHashCurrentCounters[hashIndex]--;
RemoveEntryList( pList );
SpyFreeBuffer( pHash, &gNamesAllocated );
break;
}
pList = pList->Flink;
}
KeReleaseSpinLock( &gHashLockTable[hashIndex], oldIrql );
}
#endif
⌨️ 快捷键说明
复制代码
Ctrl + C
搜索代码
Ctrl + F
全屏模式
F11
切换主题
Ctrl + Shift + D
显示快捷键
?
增大字号
Ctrl + =
减小字号
Ctrl + -