/*++
Copyright (c) 1989-1999 Microsoft Corporation
Module Name:
filespy.h
Abstract:
Header file which contains the structures, type definitions,
and constants that are shared between the kernel mode driver,
filespy.sys, and the user mode executable, filespy.exe.
Author:
Environment:
Kernel mode
Revision History:
--*/
#ifndef __FILESPY_H__
#define __FILESPY_H__
//
// Device type fed to CTL_CODE() for the IOCTLs below. This is a Microsoft
// sample, so it uses a value from the Microsoft-reserved range; third-party
// drivers are expected to pick a device type of 0x8000 or above.
//
#define FILESPY_DEVICE_TYPE 0x1235
//
// IOCTLs understood by filespy.sys. All use METHOD_BUFFERED, so the I/O
// manager copies input and output through a system buffer, and all use
// FILE_ANY_ACCESS, so the I/O manager does not require any particular access
// right on the handle that issues them. Who may reset the log, attach and
// detach the filter, and read the log is therefore decided solely by who can
// open the device (its security descriptor and the driver's create handling,
// neither of which is visible in this header). If these operations should be
// tied to handle rights, use FILE_READ_ACCESS / FILE_WRITE_ACCESS here.
//
#define FILESPY_Reset (ULONG) CTL_CODE( FILESPY_DEVICE_TYPE, 0x00, METHOD_BUFFERED, FILE_ANY_ACCESS ) // Discard the collected log
#define FILESPY_Attach (ULONG) CTL_CODE( FILESPY_DEVICE_TYPE, 0x01, METHOD_BUFFERED, FILE_ANY_ACCESS ) // Attach the filter to a device
#define FILESPY_Detach (ULONG) CTL_CODE( FILESPY_DEVICE_TYPE, 0x02, METHOD_BUFFERED, FILE_ANY_ACCESS ) // Detach the filter from a device
#define FILESPY_GetLog (ULONG) CTL_CODE( FILESPY_DEVICE_TYPE, 0x03, METHOD_BUFFERED, FILE_ANY_ACCESS ) // Fetch LOG_RECORDs collected so far
#define FILESPY_GetVer (ULONG) CTL_CODE( FILESPY_DEVICE_TYPE, 0x04, METHOD_BUFFERED, FILE_ANY_ACCESS ) // Report the driver version (FILESPYVER)
#define FILESPY_ListDevices (ULONG) CTL_CODE( FILESPY_DEVICE_TYPE, 0x05, METHOD_BUFFERED, FILE_ANY_ACCESS ) // List attached devices (ATTACHED_DEVICE[])
#define FILESPY_GetStats (ULONG) CTL_CODE( FILESPY_DEVICE_TYPE, 0x06, METHOD_BUFFERED, FILE_ANY_ACCESS ) // Report hash statistics (HASH_STATISTICS)
//
// Image name of the driver and the forms of its device name:
//   FILESPY_DEVICE_NAME      bare name
//   FILESPY_W32_DEVICE_NAME  Win32 path form, the one user mode would open
//   FILESPY_DOSDEVICE_NAME   symbolic link under \DosDevices
//   FILESPY_FULLDEVICE_NAME  NT object-manager name of the device object
//
#define FILESPY_DRIVER_NAME L"FILESPY.SYS"
#define FILESPY_DEVICE_NAME L"FileSpy"
#define FILESPY_W32_DEVICE_NAME L"\\\\.\\FileSpy"
#define FILESPY_DOSDEVICE_NAME L"\\DosDevices\\FileSpy"
#define FILESPY_FULLDEVICE_NAME L"\\Device\\FileSpy"
//
// Version of this shared interface (see FILESPYVER). Bump it whenever any
// structure layout in this header changes, so the two sides can detect a
// mismatch instead of mis-parsing records.
//
#define FILESPY_MAJ_VERSION 1
#define FILESPY_MIN_VERSION 0
//
// Driver version as exchanged with user mode. Presumably what FILESPY_GetVer
// returns, so filespy.exe can compare it with FILESPY_MAJ_VERSION /
// FILESPY_MIN_VERSION before trusting the record layouts in this header.
//
typedef struct _FILESPYVER {
    USHORT Major; // FILESPY_MAJ_VERSION of the running driver
    USHORT Minor; // FILESPY_MIN_VERSION of the running driver
} FILESPYVER, *PFILESPYVER;
//
// Opaque per-file identifier used in the records below. The driver fills it
// with the PFILE_OBJECT so that user mode can correlate records belonging to
// the same open file; user mode must treat it purely as a token, never as a
// pointer it could dereference.
//
// NOTE(review): this hands a kernel-mode address to whoever can read the log,
// which weakens kernel address-space randomisation. An index or a keyed hash
// of the object would give the same correlation without disclosing the
// pointer — worth considering on the driver side.
//
typedef ULONG_PTR FILE_ID;
//
// Status values are passed up to user mode unchanged. In a kernel-mode build
// the DDK headers are expected to already provide the same typedef; this copy
// lets filespy.exe compile without them. Keep the two in agreement.
//
typedef LONG NTSTATUS;
//
// The attached-device list (presumably the FILESPY_ListDevices output) is an
// array of ATTACHED_DEVICE structures.
//
#define DEVICE_NAME_SZ 64 // Capacity of ATTACHED_DEVICE.DeviceName, in WCHARs
//
// One entry of the attached-device list: the device's name and, presumably,
// whether logging is currently enabled for it.
//
// NOTE(review): nothing in this layout guarantees DeviceName is NUL-terminated.
// The producer has to terminate it (truncating to DEVICE_NAME_SZ - 1 if
// needed) and the consumer should bound every read to DEVICE_NAME_SZ rather
// than calling wcslen() on it unchecked.
//
typedef struct _ATTACHED_DEVICE {
    BOOLEAN LogState;
    WCHAR DeviceName[DEVICE_NAME_SZ];
} ATTACHED_DEVICE, *PATTACHED_DEVICE;
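//
// Upper bound on the number of buffers; how it is applied lives in
// filespy.sys and is not visible from this header.
//
#define MAX_BUFFERS 100
//
// Values of LOG_RECORD.RecordType. The low 16 bits carry the record kind
// (RECORD_TYPE_NORMAL / RECORD_TYPE_IRP / RECORD_TYPE_FASTIO, extracted with
// GET_RECORD_TYPE); the high bits are flags that may be OR'd in. The names
// suggest RECORD_TYPE_STATIC marks a record that was not dynamically
// allocated and the two memory flags mark records that could not be logged
// in full, but the driver source is what decides that.
//
#define RECORD_TYPE_STATIC 0x80000000
#define RECORD_TYPE_NORMAL 0x00000000
#define RECORD_TYPE_IRP 0x00000001
#define RECORD_TYPE_FASTIO 0x00000002
#define RECORD_TYPE_OUT_OF_MEMORY 0x10000000
#define RECORD_TYPE_EXCEED_MEMORY_ALLOWANCE 0x20000000
//
// The following macros are used to establish the semantics needed
// to do a return from within a try-finally clause. As a rule every
// try clause must end with a label called try_exit. For example,
//
// try {
// :
// :
//
// try_exit: NOTHING;
// } finally {
//
// :
// :
// }
//
// try_return(S) runs the statement S and jumps to try_exit. It expands to a
// bare braced block, so it must be used as a statement on its own:
// "if (c) try_return(x); else ..." does not compile, because the ';' after
// the block ends the if before the else.
//
#define try_return(S) { S; goto try_exit; }
#ifndef NOTHING
#define NOTHING
#endif
//
// Extract the record kind from RecordType: the low 16 bits, with the flag
// bits (RECORD_TYPE_STATIC and the memory flags) masked off.
//
#define GET_RECORD_TYPE(pLogRecord) ((pLogRecord)->RecordType & 0x0000FFFF)
//
// Flags selecting whether originating and/or completion IRPs are logged.
// Where the driver stores them is not visible in this header.
//
#define LOG_ORIGINATING_IRP 0x0001
#define LOG_COMPLETION_IRP 0x0002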
/*
 * The kinds of Fast I/O call that RECORD_FASTIO.Type can record. Numbering
 * starts at 1 so that a zero Type never names a valid operation.
 *
 * NOTE(review): these enumerators (READ, WRITE, LOCK, ...) are unscoped and
 * this header is compiled into both filespy.sys and filespy.exe; a macro of
 * the same name in either build would silently rename one of them. Both
 * sides must also agree on the enum's underlying size, because the value is
 * copied across the kernel/user boundary inside RECORD_FASTIO.
 */
typedef enum {
    CHECK_IF_POSSIBLE = 1,
    READ,
    WRITE,
    QUERY_BASIC_INFO,
    QUERY_STANDARD_INFO,
    LOCK,
    UNLOCK_SINGLE,
    UNLOCK_ALL,
    UNLOCK_ALL_BY_KEY,
    DEVICE_CONTROL,
    ACQUIRE_FILE,
    RELEASE_FILE,
    DETACH_DEVICE,
    QUERY_NETWORK_OPEN_INFO,
    ACQUIRE_FOR_MOD_WRITE,
    MDL_READ,
    MDL_READ_COMPLETE,
    MDL_WRITE,
    MDL_WRITE_COMPLETE,
    READ_COMPRESSED,
    WRITE_COMPRESSED,
    MDL_READ_COMPLETE_COMPRESSED,
    PREPARE_MDL_WRITE,
    MDL_WRITE_COMPLETE_COMPRESSED,
    QUERY_OPEN,
    RELEASE_FOR_MOD_WRITE,
    ACQUIRE_FOR_CC_FLUSH,
    RELEASE_FOR_CC_FLUSH
} FASTIO_TYPE, *PFASTIO_TYPE;
//
// Payload of a LOG_RECORD whose kind is RECORD_TYPE_IRP: what the filter saw
// for one IRP on the way down and on completion. Every field is copied to
// user mode, so the driver must fully initialise the structure before it is
// queued; any field left untouched would carry kernel memory contents out.
//
typedef struct _RECORD_IRP {
    LARGE_INTEGER OriginatingTime; // The time the IRP originated
    LARGE_INTEGER CompletionTime; // The time the IRP was completed
    UCHAR IrpMajor; // From _IO_STACK_LOCATION
    UCHAR IrpMinor; // From _IO_STACK_LOCATION
    ULONG IrpFlags; // From _IRP (no cache, paging i/o, sync.
    // api, assoc. irp, buffered i/o, etc.)
    FILE_ID FileObject; // From _IO_STACK_LOCATION (This is the
    // PFILE_OBJECT, but this isn't
    // available in user-mode, so treat it
    // only as a correlation token)
    NTSTATUS ReturnStatus; // From _IRP->IoStatus.Status
    ULONG_PTR ReturnInformation; // From _IRP->IoStatus.Information
    FILE_ID ProcessId; // Presumably the requesting process; typed as
    // FILE_ID (ULONG_PTR) — verify against the driver
    FILE_ID ThreadId; // Presumably the requesting thread; same caveat
} RECORD_IRP, *PRECORD_IRP;
//
// Payload of a LOG_RECORD whose kind is RECORD_TYPE_FASTIO: one Fast I/O
// call as seen by the filter, with Type saying which one (FASTIO_TYPE).
//
// NOTE(review): Reserved is copied to user mode like every other field. It
// has to be explicitly zeroed by the driver (not visible here); a padding or
// reserved field that is merely left alone leaks whatever the kernel stack or
// pool held before.
//
typedef struct _RECORD_FASTIO {
    LARGE_INTEGER StartTime; // Time Fast I/O request begins processing
    LARGE_INTEGER CompletionTime;// Time Fast I/O request completes processing
    FASTIO_TYPE Type; // Type of FASTIO operation
    FILE_ID FileObject; // Parameter to FASTIO call, should be
    // unique identifier in user space
    LARGE_INTEGER FileOffset; // Offset into the file where the I/O is
    // taking place
    ULONG Length; // The length of data for the I/O operation
    BOOLEAN Wait; // Parameter to most FASTIO calls, signifies
    // if this operation can wait
    NTSTATUS ReturnStatus; // From IO_STATUS_BLOCK
    ULONG Reserved; // Reserved space; must be zeroed before the
    // record leaves the kernel
    FILE_ID ProcessId; // Presumably the requesting process; typed as
    // FILE_ID (ULONG_PTR) — verify against the driver
    FILE_ID ThreadId; // Presumably the requesting thread; same caveat
} RECORD_FASTIO, *PRECORD_FASTIO;
//
// Record payload; which member is live is given by the low 16 bits of the
// enclosing LOG_RECORD.RecordType (RECORD_TYPE_IRP or RECORD_TYPE_FASTIO),
// so always consult GET_RECORD_TYPE before reading either member.
//
typedef union _RECORD_IO {
    RECORD_IRP RecordIrp;
    RECORD_FASTIO RecordFastIo;
} RECORD_IO, *PRECORD_IO;
//
// One variable-length log record as handed to user mode: a fixed header, the
// IRP/Fast I/O payload, and a trailing name. Length covers the whole record,
// header included, so a consumer walks a buffer of records by advancing
// Length bytes at a time.
//
// NOTE(review): user mode should validate each Length before using it —
// at least offsetof(LOG_RECORD, Name) and no larger than the bytes remaining
// in the buffer — and must not assume Name is NUL-terminated unless the
// driver guarantees it (nothing here says so); derive the name's length from
// Length instead of scanning for a terminator.
//
typedef struct _LOG_RECORD {
    ULONG Length; // Length of record including header
    ULONG SequenceNumber; // Presumably monotonic, for gap detection — confirm
    ULONG RecordType; // RECORD_TYPE_* kind in the low 16 bits, flags above
    RECORD_IO Record; // Payload selected by GET_RECORD_TYPE
    WCHAR Name[]; // Name data, (Length - offsetof(LOG_RECORD, Name)) bytes
} LOG_RECORD, *PLOG_RECORD;
//
// Driver-side container that threads a LOG_RECORD onto a LIST_ENTRY list.
// LogRecord ends in a flexible array member (Name[]), so embedding it as the
// last member is a compiler extension rather than strictly conforming C; it
// works because LogRecord is last and the allocation (RECORD_SIZE) reserves
// the trailing name storage after the structure proper.
//
typedef struct _RECORD_LIST {
    LIST_ENTRY List;
    LOG_RECORD LogRecord;
} RECORD_LIST, *PRECORD_LIST;
//
// Counters for the driver's hash table, presumably what FILESPY_GetStats
// returns. The "Hits" counters are the subset of the corresponding lookups
// that found an entry.
//
typedef struct _HASH_STATISTICS {
    ULONG Lookups; // Total lookups
    ULONG LookupHits; // Lookups that found an entry
    ULONG DeleteLookups; // Lookups performed in order to delete
    ULONG DeleteLookupHits; // Delete lookups that found an entry
} HASH_STATISTICS, *PHASH_STATISTICS;
//
// MAX_PATH normally comes from the Windows headers; define it for builds
// that do not include them so RECORD_SIZE is usable on both sides.
//
#ifndef MAX_PATH
#define MAX_PATH 260
#endif
//
// Fixed allocation size of one RECORD_LIST: the structure plus room for
// MAX_PATH WCHARs of name in the trailing LogRecord.Name[]. Whether that
// budget includes a terminating NUL, and what happens to longer names, is
// decided by the driver when it fills the record — it must truncate rather
// than write past this size.
//
#define RECORD_SIZE ((MAX_PATH*sizeof(WCHAR))+sizeof(RECORD_LIST))
// Uncomment this to make it a boot driver
// #define SPY_BOOT_DRIVER
#endif /* __FILESPY_H__ */