📄 fspylog.c
字号:
/*++
Copyright (c) 1989-1999 Microsoft Corporation
Module Name:
fspyLog.c
Abstract:
This module contains functions used to retrieve and see the log records
recorded by filespy.sys.
Author:
Molly Brown (MollyBro) 21-Apr-1999
Environment:
User mode
Revision History:
--*/
#include <stdio.h>
#include <windows.h>
#include <stdlib.h>
#include <winioctl.h>
#include "fspyLog.h"
#include "filespy.h"
#define TIME_BUFFER_LENGTH 20
#define TIME_ERROR "time error"
DWORD WINAPI
RetrieveLogRecords(
LPVOID lpParameter
)
{
PLOG_CONTEXT context = (PLOG_CONTEXT)lpParameter;
CHAR buffer[BUFFER_SIZE];
DWORD bytesReturned = 0;
BOOL bResult;
DWORD result;
PLOG_RECORD pLogRecord;
printf("Log: Starting up\n");
while(TRUE){
//
// Check to see if we should shut down
//
if (context->CleaningUp) {
break;
}
//
// Request log data from filespy
//
bResult = DeviceIoControl( context->Device,
FILESPY_GetLog,
NULL,
0,
buffer,
BUFFER_SIZE,
&bytesReturned,
NULL);
if (!bResult) {
result = GetLastError();
printf("ERROR controlling device: 0x%x\n", result);
}
//
// buffer is filled with a series of LOG_RECORD structures, one
// right after another. Each LOG_RECORD says how long it is, so
// we know where the next LOG_RECORD begins.
//
pLogRecord = (PLOG_RECORD) buffer;
// Logic to write record to screen and/or file
while((BYTE *) pLogRecord < buffer + bytesReturned){
PRECORD_IRP pRecordIrp;
PRECORD_FASTIO pRecordFastIo;
//
// A LOG_RECORD could have Irp or FastIo data in it. This
// is denoted in the low-order byte of the RecordType flag.
//
switch (GET_RECORD_TYPE(pLogRecord)) {
case RECORD_TYPE_IRP:
//
// We've got an Irp record, so output this data correctly.
//
pRecordIrp = &(pLogRecord->Record.RecordIrp);
if (context->LogToScreen) {
IrpScreenDump(
pLogRecord->SequenceNumber,
pLogRecord->Name,
pRecordIrp);
}
if (context->LogToFile) {
IrpFileDump(
pLogRecord->SequenceNumber,
pLogRecord->Name,
pRecordIrp,
context->OutputFile);
}
break;
case RECORD_TYPE_FASTIO:
//
// We've got a FastIo record, so output this data correctly.
//
pRecordFastIo = &(pLogRecord->Record.RecordFastIo);
if (context->LogToScreen) {
FastIoScreenDump(
pLogRecord->SequenceNumber,
pLogRecord->Name,
pRecordFastIo);
}
if (context->LogToFile) {
FastIoFileDump(
pLogRecord->SequenceNumber,
pLogRecord->Name,
pRecordFastIo,
context->OutputFile);
}
break;
default:
printf("Filmon: Unknown log record type\n");
}
//
// The RecordType could also designate that we are out of memory
// or hit our program defined memory limit, so check for these
// cases.
//
if (pLogRecord->RecordType & RECORD_TYPE_OUT_OF_MEMORY) {
if (context->LogToScreen) {
printf("M %08X SYSTEM OUT OF MEMORY\n",
pLogRecord->SequenceNumber);
}
if (context->LogToFile) {
fprintf(context->OutputFile,
"M:\t%u",
pLogRecord->SequenceNumber);
}
} else if (pLogRecord->RecordType &
RECORD_TYPE_EXCEED_MEMORY_ALLOWANCE) {
if (context->LogToScreen) {
printf("M %08X EXCEEDED MEMORY ALLOWANCE\n",
pLogRecord->SequenceNumber);
}
if (context->LogToFile) {
fprintf(context->OutputFile,
"M:\t%u",
pLogRecord->SequenceNumber);
}
}
//
// Move to next LOG_RECORD
//
pLogRecord =
(PLOG_RECORD) (((BYTE *) pLogRecord) + pLogRecord->Length);
}
if (bytesReturned == 0) {
Sleep( 500 );
}
}
printf("Log: Shutting down\n");
ReleaseSemaphore(context->ShutDown, 1, NULL);
printf("Log: All done\n");
return 0;
}
VOID
PrintIrpCode(
UCHAR MajorCode,
UCHAR MinorCode,
FILE *OutputFile,
BOOLEAN PrintMajorCode
)
{
CHAR *irpMajorString, *irpMinorString = NULL;
CHAR formatBuf[128];
CHAR errorBuf[128];
switch (MajorCode) {
case IRP_MJ_CREATE:
irpMajorString = IRP_MJ_CREATE_STRING;
break;
case IRP_MJ_CREATE_NAMED_PIPE:
irpMajorString = IRP_MJ_CREATE_NAMED_PIPE_STRING;
break;
case IRP_MJ_CLOSE:
irpMajorString = IRP_MJ_CLOSE_STRING;
break;
case IRP_MJ_READ:
irpMajorString = IRP_MJ_READ_STRING;
switch (MinorCode) {
case IRP_MN_NORMAL:
irpMinorString = IRP_MN_NORMAL_STRING;
break;
case IRP_MN_DPC:
irpMinorString = IRP_MN_DPC_STRING;
break;
case IRP_MN_MDL:
irpMinorString = IRP_MN_MDL_STRING;
break;
case IRP_MN_COMPLETE:
irpMinorString = IRP_MN_COMPLETE_STRING;
break;
case IRP_MN_COMPRESSED:
irpMinorString = IRP_MN_COMPRESSED_STRING;
break;
case IRP_MN_MDL_DPC:
irpMinorString = IRP_MN_MDL_DPC_STRING;
break;
case IRP_MN_COMPLETE_MDL:
irpMinorString = IRP_MN_COMPLETE_MDL_STRING;
break;
case IRP_MN_COMPLETE_MDL_DPC:
irpMinorString = IRP_MN_COMPLETE_MDL_DPC_STRING;
break;
default:
sprintf(errorBuf,"Unknown Irp minor code (%u)",MinorCode);
irpMinorString = errorBuf;
}
break;
case IRP_MJ_WRITE:
irpMajorString = IRP_MJ_WRITE_STRING;
switch (MinorCode) {
case IRP_MN_NORMAL:
irpMinorString = IRP_MN_NORMAL_STRING;
break;
case IRP_MN_DPC:
irpMinorString = IRP_MN_DPC_STRING;
break;
case IRP_MN_MDL:
irpMinorString = IRP_MN_MDL_STRING;
break;
case IRP_MN_COMPLETE:
irpMinorString = IRP_MN_COMPLETE_STRING;
break;
case IRP_MN_COMPRESSED:
irpMinorString = IRP_MN_COMPRESSED_STRING;
break;
case IRP_MN_MDL_DPC:
irpMinorString = IRP_MN_MDL_DPC_STRING;
break;
case IRP_MN_COMPLETE_MDL:
irpMinorString = IRP_MN_COMPLETE_MDL_STRING;
break;
case IRP_MN_COMPLETE_MDL_DPC:
irpMinorString = IRP_MN_COMPLETE_MDL_DPC_STRING;
break;
default:
sprintf(errorBuf,"Unknown Irp minor code (%u)",MinorCode);
irpMinorString = errorBuf;
}
break;
case IRP_MJ_QUERY_INFORMATION:
irpMajorString = IRP_MJ_QUERY_INFORMATION_STRING;
break;
case IRP_MJ_SET_INFORMATION:
irpMajorString = IRP_MJ_SET_INFORMATION_STRING;
break;
case IRP_MJ_QUERY_EA:
irpMajorString = IRP_MJ_QUERY_EA_STRING;
break;
case IRP_MJ_SET_EA:
irpMajorString = IRP_MJ_SET_EA_STRING;
break;
case IRP_MJ_FLUSH_BUFFERS:
irpMajorString = IRP_MJ_FLUSH_BUFFERS_STRING;
break;
case IRP_MJ_QUERY_VOLUME_INFORMATION:
irpMajorString = IRP_MJ_QUERY_VOLUME_INFORMATION_STRING;
break;
case IRP_MJ_SET_VOLUME_INFORMATION:
irpMajorString = IRP_MJ_SET_VOLUME_INFORMATION_STRING;
break;
case IRP_MJ_DIRECTORY_CONTROL:
irpMajorString = IRP_MJ_DIRECTORY_CONTROL_STRING;
switch (MinorCode) {
case IRP_MN_QUERY_DIRECTORY:
irpMinorString = IRP_MN_QUERY_DIRECTORY_STRING;
break;
case IRP_MN_NOTIFY_CHANGE_DIRECTORY:
irpMinorString = IRP_MN_NOTIFY_CHANGE_DIRECTORY_STRING;
break;
default:
sprintf(errorBuf,"Unknown Irp minor code (%u)",MinorCode);
irpMinorString = errorBuf;
}
break;
case IRP_MJ_FILE_SYSTEM_CONTROL:
irpMajorString = IRP_MJ_FILE_SYSTEM_CONTROL_STRING;
switch (MinorCode) {
case IRP_MN_USER_FS_REQUEST:
irpMinorString = IRP_MN_USER_FS_REQUEST_STRING;
break;
case IRP_MN_MOUNT_VOLUME:
irpMinorString = IRP_MN_MOUNT_VOLUME_STRING;
break;
case IRP_MN_VERIFY_VOLUME:
irpMinorString = IRP_MN_VERIFY_VOLUME_STRING;
break;
case IRP_MN_LOAD_FILE_SYSTEM:
irpMinorString = IRP_MN_LOAD_FILE_SYSTEM_STRING;
break;
case IRP_MN_TRACK_LINK:
irpMinorString = IRP_MN_TRACK_LINK_STRING;
break;
default:
sprintf(errorBuf,"Unknown Irp minor code (%u)",MinorCode);
irpMinorString = errorBuf;
}
break;
case IRP_MJ_DEVICE_CONTROL:
irpMajorString = IRP_MJ_DEVICE_CONTROL_STRING;
switch (MinorCode) {
case IRP_MN_SCSI_CLASS:
irpMinorString = IRP_MN_SCSI_CLASS_STRING;
break;
default:
sprintf(errorBuf,"Unknown Irp minor code (%u)",MinorCode);
irpMinorString = errorBuf;
}
break;
case IRP_MJ_INTERNAL_DEVICE_CONTROL:
irpMajorString = IRP_MJ_INTERNAL_DEVICE_CONTROL_STRING;
break;
case IRP_MJ_SHUTDOWN:
irpMajorString = IRP_MJ_SHUTDOWN_STRING;
break;
case IRP_MJ_LOCK_CONTROL:
irpMajorString = IRP_MJ_LOCK_CONTROL_STRING;
switch (MinorCode) {
case IRP_MN_LOCK:
⌨️ 快捷键说明
复制代码
Ctrl + C
搜索代码
Ctrl + F
全屏模式
F11
切换主题
Ctrl + Shift + D
显示快捷键
?
增大字号
Ctrl + =
减小字号
Ctrl + -