📄 filespy.c
字号:
DBGSTATIC
BOOLEAN
SpyFastIoUnlockAllByKey(
IN PFILE_OBJECT FileObject,
IN PVOID ProcessId,
IN ULONG Key,
OUT PIO_STATUS_BLOCK IoStatus,
IN PDEVICE_OBJECT DeviceObject
)
/*++
Routine Description:
This routine is the fast I/O "pass through" routine for unlocking all
locks within a file based on a specified key.
This function simply invokes the next driver's cooresponding routine, or
returns FALSE if the next driver does not implement the function.
Arguments:
FileObject - Pointer to the file object to be unlocked.
ProcessId - ID of the process requesting the unlock operation.
Key - Lock key associated with the locks on the file to be released.
IoStatus - Pointer to a variable to receive the I/O status of the
operation.
DeviceObject - Pointer to this driver's device object, the device on
which the operation is to occur.
Return Value:
The function value is TRUE or FALSE based on whether or not fast I/O
is possible for this file.
--*/
{
PDEVICE_OBJECT deviceObject;
PFAST_IO_DISPATCH fastIoDispatch;
PRECORD_LIST recordList;
BOOLEAN returnValue;
BOOLEAN shouldLog;
PAGED_CODE();
if (DeviceObject->DeviceExtension == NULL) {
return FALSE;
}
if (shouldLog = SHOULD_LOG(DeviceObject)) {
//
// Log the necessary information for the start of the Fast I/O
// operation
//
recordList = SpyLogFastIoStart(
UNLOCK_ALL_BY_KEY,
0,
FileObject,
NULL,
0,
0 );
}
//
// Pass through logic for this type of Fast I/O
//
deviceObject =
((PDEVICE_EXTENSION) (DeviceObject->DeviceExtension))->
NextDriverDeviceObject;
if (!deviceObject) {
returnValue = FALSE;
goto SpyFastIoUnlockAllByKey_Exit;
}
fastIoDispatch = deviceObject->DriverObject->FastIoDispatch;
if (VALID_FAST_IO_DISPATCH_HANDLER( fastIoDispatch, FastIoUnlockAllByKey )) {
returnValue = (fastIoDispatch->FastIoUnlockAllByKey)( FileObject,
ProcessId,
Key,
IoStatus,
deviceObject);
} else {
returnValue = FALSE;
}
SpyFastIoUnlockAllByKey_Exit:
if (shouldLog) {
//
// Log the necessary information for the end of the Fast I/O operation
// if we were able to allocate a RecordList to store this information
//
if (recordList) {
SpyLogFastIoComplete(
0,
FileObject,
IoStatus,
recordList);
}
}
return returnValue;
}
DBGSTATIC
BOOLEAN
SpyFastIoDeviceControl(
IN PFILE_OBJECT FileObject,
IN BOOLEAN Wait,
IN PVOID InputBuffer OPTIONAL,
IN ULONG InputBufferLength,
OUT PVOID OutputBuffer OPTIONAL,
IN ULONG OutputBufferLength,
IN ULONG IoControlCode,
OUT PIO_STATUS_BLOCK IoStatus,
IN PDEVICE_OBJECT DeviceObject
)
/*++
Routine Description:
This routine is the fast I/O "pass through" routine for device I/O
control operations on a file.
If this I/O is directed to gControlDevice, then the parameters specify
control commands to FileSpy. These commands are interpreted and handled
appropriately.
If this is I/O directed at another DriverObject, this function simply
invokes the next driver's corresponding routine, or returns FALSE if
the next driver does not implement the function.
Arguments:
FileObject - Pointer to the file object representing the device to be
serviced.
Wait - Indicates whether or not the caller is willing to wait if the
appropriate locks, etc. cannot be acquired
InputBuffer - Optional pointer to a buffer to be passed into the driver.
InputBufferLength - Length of the optional InputBuffer, if one was
specified.
OutputBuffer - Optional pointer to a buffer to receive data from the
driver.
OutputBufferLength - Length of the optional OutputBuffer, if one was
specified.
IoControlCode - I/O control code indicating the operation to be performed
on the device.
IoStatus - Pointer to a variable to receive the I/O status of the
operation.
DeviceObject - Pointer to this driver's device object, the device on
which the operation is to occur.
Return Value:
The function value is TRUE or FALSE based on whether or not fast I/O
is possible for this file.
Notes:
This function does not check the validity of the input/output buffers because
the ioctl's are implemented as METHOD_BUFFERED. In this case, the I/O manager
does the buffer validation checks for us.
--*/
{
PDEVICE_OBJECT deviceObject;
PFAST_IO_DISPATCH fastIoDispatch;
PRECORD_LIST recordList;
BOOLEAN returnValue;
BOOLEAN shouldLog;
PWSTR deviceName = NULL;
FILESPYVER fileSpyVer;
PAGED_CODE();
// Get a pointer to the current location in the Irp. This is where
// the function codes and parameters are located.
//
if (DeviceObject == gControlDeviceObject) {
IoStatus->Status = STATUS_SUCCESS;
IoStatus->Information = 0;
try {
switch (IoControlCode) {
case FILESPY_Reset:
IoStatus->Status = STATUS_INVALID_PARAMETER;
break;
//
// Attach to a specified device
//
case FILESPY_Attach:
if (InputBuffer == NULL || InputBufferLength <= 0)
{
IoStatus->Status = STATUS_INVALID_PARAMETER;
break;
}
//
// Copy the device name and add a null to ensure that it is null terminated
//
deviceName = ExAllocatePool( NonPagedPool, InputBufferLength + sizeof(WCHAR) );
if (NULL == deviceName) {
IoStatus->Status = STATUS_INSUFFICIENT_RESOURCES;
break;
}
RtlCopyMemory( deviceName, InputBuffer, InputBufferLength );
deviceName[InputBufferLength / sizeof(WCHAR) - 1] = UNICODE_NULL;
IoStatus->Status = SpyAttachDevice(DeviceObject,deviceName);
break;
//
// Detach from a specified device
//
case FILESPY_Detach:
if (InputBuffer == NULL || InputBufferLength <= 0)
{
IoStatus->Status = STATUS_INVALID_PARAMETER;
break;
}
//
// Copy the device name and add a null to ensure that it is null terminated
//
deviceName = ExAllocatePool( NonPagedPool, InputBufferLength + sizeof(WCHAR) );
if (NULL == deviceName) {
IoStatus->Status = STATUS_INSUFFICIENT_RESOURCES;
break;
}
RtlCopyMemory( deviceName, InputBuffer, InputBufferLength );
deviceName[InputBufferLength / sizeof(WCHAR) - 1] = UNICODE_NULL;
IoStatus->Status = SpyDetachDevice(deviceName);
break;
//
// List all the devices that we are currently
// monitoring
//
case FILESPY_ListDevices:
if (OutputBuffer == NULL || OutputBufferLength <= 0)
{
IoStatus->Status = STATUS_INVALID_PARAMETER;
break;
}
IoStatus->Status = SpyGetAttachList(
OutputBuffer,
OutputBufferLength,
&IoStatus->Information);
break;
//
// Return entries from the log buffer
//
case FILESPY_GetLog:
if (OutputBuffer == NULL || OutputBufferLength == 0) {
IoStatus->Status = STATUS_INVALID_PARAMETER;
break;
}
SpyGetLog(OutputBuffer, OutputBufferLength, IoStatus);
break;
//
// Return version of the FileSpy filter driver
//
case FILESPY_GetVer:
if ((OutputBufferLength < sizeof(FILESPYVER)) ||
(OutputBuffer == NULL)) {
IoStatus->Status = STATUS_INVALID_PARAMETER;
break;
}
fileSpyVer.Major = FILESPY_MAJ_VERSION;
fileSpyVer.Minor = FILESPY_MIN_VERSION;
RtlCopyMemory(OutputBuffer, &fileSpyVer, sizeof(FILESPYVER));
IoStatus->Information = sizeof (FILESPYVER);
break;
//
// Return hash table statistics
//
case FILESPY_GetStats:
if ((OutputBufferLength < sizeof(HASH_STATISTICS)) ||
(OutputBuffer == NULL)) {
IoStatus->Status = STATUS_INVALID_PARAMETER;
break;
}
RtlCopyMemory( OutputBuffer, &gHashStat, sizeof (HASH_STATISTICS) );
IoStatus->Information = sizeof (HASH_STATISTICS);
break;
default:
IoStatus->Status = STATUS_INVALID_PARAMETER;
break;
}
} except(EXCEPTION_EXECUTE_HANDLER) {
//
// An exception was incurred while attempting to access
// one of the caller's parameters. Simply return an appropriate
// error status code.
//
IoStatus->Status = GetExceptionCode();
}
returnValue = TRUE;
goto SpyFastIoDeviceControl_Exit;
}
else
{
if (shouldLog = SHOULD_LOG(DeviceObject)) {
//
//
// Log the necessary information for the start of the Fast I/O
// operation
//
recordList = SpyLogFastIoStart(
DEVICE_CONTROL,
0,
FileObject,
NULL,
0,
Wait );
}
deviceObject =
((PDEVICE_EXTENSION) (DeviceObject->DeviceExtension))->
NextDriverDeviceObject;
if (!deviceObject) {
returnValue = FALSE;
goto SpyFastIoDeviceControl_LogExit;
}
fastIoDispatch = deviceObject->DriverObject->FastIoDispatch;
if (VALID_FAST_IO_DISPATCH_HANDLER( fastIoDispatch, FastIoDeviceControl )) {
returnValue = (fastIoDispatch->FastIoDeviceControl)( FileObject,
Wait,
InputBuffer,
InputBufferLength,
OutputBuffer,
OutputBufferLength,
IoControlCode,
IoStatus,
deviceObject);
} else {
returnValue = FALSE;
IoStatus->Status = STATUS_SUCCESS;
}
SpyFastIoDeviceControl_LogExit:
if (shouldLog) {
//
// Log the necessary information for the end of the Fast I/O
// operation if we were able to allocate a RecordList to store
// this information
//
if (recordList) {
SpyLogFastIoComplete(
0,
FileObject,
IoStatus,
recordList);
}
}
}
SpyFastIoDeviceControl_Exit:
if (NULL != deviceName) {
ExFreePool( deviceName );
}
return returnValue;
}
DBGSTATIC
VOID
SpyFastIoDetachDevice(
IN PDEVICE_OBJECT SourceDevice,
IN PDEVICE_OBJECT TargetDevice
)
/*++
Routine Description:
This routine is invoked on the fast path to detach from a device that
is being deleted. This occu⌨️ 快捷键说明
复制代码
Ctrl + C
搜索代码
Ctrl + F
全屏模式
F11
切换主题
Ctrl + Shift + D
显示快捷键
?
增大字号
Ctrl + =
减小字号
Ctrl + -