📄 mspylog.c
break;
case TRANSACTION_NOTIFY_PROPAGATE_PULL:
irpMinorString = TRANSACTION_NOTIFY_PROPAGATE_PULL_STRING;
break;
case TRANSACTION_NOTIFY_PROPAGATE_PUSH:
irpMinorString = TRANSACTION_NOTIFY_PROPAGATE_PUSH_STRING;
break;
case TRANSACTION_NOTIFY_MARSHAL:
irpMinorString = TRANSACTION_NOTIFY_MARSHAL_STRING;
break;
case TRANSACTION_NOTIFY_ENLIST_MASK:
irpMinorString = TRANSACTION_NOTIFY_ENLIST_MASK_STRING;
break;
default:
sprintf_s(errorBuf,sizeof(errorBuf),"Unknown Transaction notication code (%u)",MinorCode);
irpMinorString = errorBuf;
}
break;
default:
sprintf_s(errorBuf,sizeof(errorBuf),"Unknown Irp major function (%d)",MajorCode);
irpMajorString = errorBuf;
break;
}
if (OutputFile) {
if (irpMinorString) {
fprintf(OutputFile, "\t%-35s\t%-35s", irpMajorString, irpMinorString);
} else {
fprintf(OutputFile, "\t%-35s\t ", irpMajorString);
}
} else {
if (PrintMajorCode) {
printf("%-35s ", irpMajorString);
} else {
if (irpMinorString) {
printf(" %-35s\n",
irpMinorString);
}
}
}
}
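ULONG
FormatSystemTime(
    __in SYSTEMTIME *SystemTime,
    __in_bcount(BufferLength) CHAR *Buffer,
    __in ULONG BufferLength
    )
/*++

Routine Description:

    Formats the time-of-day fields of a SYSTEMTIME into the caller's buffer
    as a NUL-terminated string of the form:

        hours:minutes:seconds:milliseconds

    Only wHour, wMinute, wSecond and wMilliseconds are read; the date fields
    are ignored.

Arguments:

    SystemTime - the struct to format

    Buffer - the buffer that receives the formatted time.
        NOTE(review): the buffer is written to, so the __in_bcount annotation
        looks like it should be an output annotation; it is left unchanged
        here because the matching prototype is not visible.

    BufferLength - the size of Buffer in bytes; must be at least
        TIME_BUFFER_LENGTH

Return Value:

    The length of the string placed in Buffer (not counting the terminator),
    or 0 if an argument is NULL, the buffer is too short, or formatting
    failed.  Callers treat 0 as "no time available".

--*/
{
    int charsWritten;

    if (SystemTime == NULL || Buffer == NULL) {

        return 0;
    }

    if (BufferLength < TIME_BUFFER_LENGTH) {

        //
        //  Buffer is too short so exit
        //

        return 0;
    }

    charsWritten = sprintf_s( Buffer,
                              BufferLength,
                              "%02d:%02d:%02d:%03d",
                              SystemTime->wHour,
                              SystemTime->wMinute,
                              SystemTime->wSecond,
                              SystemTime->wMilliseconds );

    //
    //  sprintf_s reports failure with a negative value.  Stored directly in
    //  a ULONG that would become a huge non-zero "length", and the callers
    //  in this file test the result for non-zero to decide whether Buffer
    //  holds a valid time.  Map failure to 0 instead.
    //

    if (charsWritten < 0) {

        return 0;
    }

    return (ULONG) charsWritten;
}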
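VOID
FileDump (
    __in ULONG SequenceNumber,
    __in WCHAR CONST *Name,
    __in PRECORD_DATA RecordData,
    __in FILE *File
    )
/*++

Routine Description:

    Prints one log record to the specified file as a single tab-delimited
    line.  The first call also writes a two-line column header.  The columns
    are, in order:

        Opr, SeqNum, PreOp Time, PostOp Time, Process.Thrd, Major Operation,
        Minor Operation, IrpFlags (hex value followed by N/P/S/Y markers),
        DevObj, FileObj, Transactn, status:inform, Arguments (Arg1..Arg6),
        Name

Arguments:

    SequenceNumber - the sequence number for this log record

    Name - the name of the file that this record relates to

    RecordData - the record to print

    File - the file to print to

Return Value:

    None.

--*/
{
    FILETIME localTime;
    SYSTEMTIME systemTime;
    CHAR time[TIME_BUFFER_LENGTH];
    FILETIME *timeStamps[2];
    ULONG index;
    static BOOLEAN didFileHeader = FALSE;

    //
    //  Write the column header once, before the first record.  The flag is
    //  a function-local static, so it is shared by every File passed in.
    //

    if (!didFileHeader) {

        fprintf( File, "Opr\t SeqNum \t PreOp Time \tPostOp Time \t Process.Thrd\t Major Operation \t Minor Operation \t IrpFlags \t DevObj \t FileObj \tTransactn \t status:inform \t Arguments \tName\n");
        fprintf( File, "---\t----------\t------------\t------------\t-------------\t-----------------------------------\t-----------------------------------\t---------------\t----------\t----------\t----------\t---------------------\t----------------------------------------------------------------------\t-----------------------------------\n");
        didFileHeader = TRUE;
    }

    //
    //  Is this an Irp, a FastIo or an FsFilter operation?
    //

    if (RecordData->Flags & FLT_CALLBACK_DATA_IRP_OPERATION) {

        fprintf( File, "IRP");

    } else if (RecordData->Flags & FLT_CALLBACK_DATA_FAST_IO_OPERATION) {

        fprintf( File, "FIO");

    } else if (RecordData->Flags & FLT_CALLBACK_DATA_FS_FILTER_OPERATION) {

        fprintf( File, "FSF");

    } else {

        fprintf( File, "ERR");
    }

    //
    //  Print the sequence number
    //

    fprintf( File, "\t0x%08X", SequenceNumber );

    //
    //  Convert and print the originating time, then the completion time.
    //  Both Win32 conversions can fail; their results are checked so that a
    //  failure prints TIME_ERROR instead of formatting an uninitialized or
    //  stale SYSTEMTIME.
    //

    timeStamps[0] = (FILETIME *)&(RecordData->OriginatingTime);
    timeStamps[1] = (FILETIME *)&(RecordData->CompletionTime);

    for (index = 0; index < 2; index++) {

        if (FileTimeToLocalFileTime( timeStamps[index], &localTime ) &&
            FileTimeToSystemTime( &localTime, &systemTime ) &&
            FormatSystemTime( &systemTime, time, TIME_BUFFER_LENGTH )) {

            fprintf( File, "\t%-12s", time );

        } else {

            fprintf( File, "\t%-12s", TIME_ERROR );
        }
    }

    fprintf(File, "\t%8x.%-4x ", RecordData->ProcessId, RecordData->ThreadId);

    PrintIrpCode( RecordData->CallbackMajorId,
                  RecordData->CallbackMinorId,
                  File,
                  TRUE );

    //
    //  Interpret set IrpFlags: raw value, then one marker per flag
    //  (N = no cache, P = paging I/O, S = synchronous API,
    //  Y = synchronous paging I/O; '-' when the flag is clear).
    //

    fprintf( File, "\t0x%08lx ", RecordData->IrpFlags );
    fprintf( File, "%s", (RecordData->IrpFlags & IRP_NOCACHE) ? "N":"-" );
    fprintf( File, "%s", (RecordData->IrpFlags & IRP_PAGING_IO) ? "P":"-" );
    fprintf( File, "%s", (RecordData->IrpFlags & IRP_SYNCHRONOUS_API) ? "S":"-" );
    fprintf( File, "%s", (RecordData->IrpFlags & IRP_SYNCHRONOUS_PAGING_IO) ? "Y":"-" );

    //
    //  NOTE(review): these are presumably kernel object addresses reported
    //  by the filter.  If so, the log file discloses kernel pointers and
    //  should be stored where only administrators can read it - confirm.
    //

    fprintf( File, "\t0x%08p", (PVOID) RecordData->DeviceObject );
    fprintf( File, "\t0x%08p", (PVOID) RecordData->FileObject );
    fprintf( File, "\t0x%08p", (PVOID) RecordData->Transaction );
    fprintf( File, "\t0x%08lx:0x%p", RecordData->Status, (PVOID)RecordData->Information );

    fprintf( File, "\t0x%p", RecordData->Arg1 );
    fprintf( File, "\t0x%p", RecordData->Arg2 );
    fprintf( File, "\t0x%p", RecordData->Arg3 );
    fprintf( File, "\t0x%p", RecordData->Arg4 );
    fprintf( File, "\t0x%p", RecordData->Arg5 );
    fprintf( File, "\t0x%08I64x", RecordData->Arg6.QuadPart );

    //
    //  NOTE(review): Name is written as-is into a tab/newline delimited
    //  record.  A name containing those characters would shift or split
    //  columns for anything parsing this log - confirm whether names can
    //  carry them, and escape here if so.
    //

    fprintf( File, "\t%S", Name );
    fprintf( File, "\n" );
}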
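VOID
ScreenDump(
    __in ULONG SequenceNumber,
    __in WCHAR CONST *Name,
    __in PRECORD_DATA RecordData
    )
/*++

Routine Description:

    Prints one log record to the screen (stdout).  The first call also
    prints a two-line column header.  The columns are, in order:

        Opr, SeqNum, PreOp Time, PostOp Time, Process.Thrd, Major Operation,
        IrpFlags (hex value followed by N/P/S/Y markers), DevObj, FileObj,
        Transact, status:inform, Arguments (1: .. 6:), Name

    PrintIrpCode is called a second time after the end of the line with
    PrintMajorCode set to FALSE, which is how the minor operation, when there
    is one, gets printed for the record.

Arguments:

    SequenceNumber - the sequence number for this log record

    Name - the file name to which this record relates

    RecordData - the record to print

Return Value:

    None.

--*/
{
    FILETIME localTime;
    SYSTEMTIME systemTime;
    CHAR time[TIME_BUFFER_LENGTH];
    FILETIME *timeStamps[2];
    ULONG index;
    static BOOLEAN didScreenHeader = FALSE;

    //
    //  Print the column header once, before the first record.
    //

    if (!didScreenHeader) {

        printf("Opr SeqNum PreOp Time PostOp Time Process.Thrd Major/Minor Operation IrpFlags DevObj FileObj Transact status:inform Arguments Name\n");
        printf("--- -------- ------------ ------------ ------------- ----------------------------------- ------------- -------- -------- -------- ----------------- ----------------------------------------------------------------- -----------------------------------\n");
        didScreenHeader = TRUE;
    }

    //
    //  Display information: operation kind first (Irp, FastIo or FsFilter).
    //

    if (RecordData->Flags & FLT_CALLBACK_DATA_IRP_OPERATION) {

        printf( "IRP ");

    } else if (RecordData->Flags & FLT_CALLBACK_DATA_FAST_IO_OPERATION) {

        printf( "FIO ");

    } else if (RecordData->Flags & FLT_CALLBACK_DATA_FS_FILTER_OPERATION) {

        printf( "FSF " );

    } else {

        printf( "ERR ");
    }

    printf( "%08X ", SequenceNumber );

    //
    //  Convert and print the originating time, then the completion time.
    //  Both Win32 conversions can fail; their results are checked so that a
    //  failure prints TIME_ERROR instead of formatting an uninitialized or
    //  stale SYSTEMTIME.
    //

    timeStamps[0] = (FILETIME *)&(RecordData->OriginatingTime);
    timeStamps[1] = (FILETIME *)&(RecordData->CompletionTime);

    for (index = 0; index < 2; index++) {

        if (FileTimeToLocalFileTime( timeStamps[index], &localTime ) &&
            FileTimeToSystemTime( &localTime, &systemTime ) &&
            FormatSystemTime( &systemTime, time, TIME_BUFFER_LENGTH )) {

            printf( "%-12s ", time );

        } else {

            printf( "%-12s ", TIME_ERROR );
        }
    }

    printf("%8x.%-4x ", RecordData->ProcessId, RecordData->ThreadId);

    PrintIrpCode( RecordData->CallbackMajorId,
                  RecordData->CallbackMinorId,
                  NULL,
                  TRUE );

    //
    //  Interpret set IrpFlags: raw value, then one marker per flag
    //  (N = no cache, P = paging I/O, S = synchronous API,
    //  Y = synchronous paging I/O; '-' when the flag is clear).
    //

    printf( "%08lx ", RecordData->IrpFlags );
    printf( "%s", (RecordData->IrpFlags & IRP_NOCACHE) ? "N":"-" );
    printf( "%s", (RecordData->IrpFlags & IRP_PAGING_IO) ? "P":"-" );
    printf( "%s", (RecordData->IrpFlags & IRP_SYNCHRONOUS_API) ? "S":"-" );
    printf( "%s ", (RecordData->IrpFlags & IRP_SYNCHRONOUS_PAGING_IO) ? "Y":"-" );

    //
    //  NOTE(review): these are presumably kernel object addresses reported
    //  by the filter; treat captured console output as sensitive if so -
    //  confirm.
    //

    printf( "%08p ", (PVOID) RecordData->DeviceObject );
    printf( "%08p ", (PVOID) RecordData->FileObject );
    printf( "%08p ", (PVOID) RecordData->Transaction );

    //
    //  NOTE(review): FileDump prints Information through a (PVOID) cast with
    //  %p.  If the field is pointer-sized, %08lx here does not match its
    //  width on 64-bit builds - confirm the field type before changing the
    //  format.
    //

    printf( "%08lx:%08lx ", RecordData->Status, RecordData->Information );

    printf( "1:%p 2:%p 3:%p 4:%p 5:%p 6:%08I64x ",
            RecordData->Arg1,
            RecordData->Arg2,
            RecordData->Arg3,
            RecordData->Arg4,
            RecordData->Arg5,
            RecordData->Arg6.QuadPart );

    //
    //  NOTE(review): Name is printed as-is; a name containing a newline
    //  would break the one-record-per-line layout - confirm whether names
    //  can carry control characters.
    //

    printf( "%S", Name );
    printf( "\n" );

    //
    //  Second pass with PrintMajorCode FALSE: prints the minor operation,
    //  if any, after the record's line has been terminated.
    //

    PrintIrpCode( RecordData->CallbackMajorId,
                  RecordData->CallbackMinorId,
                  NULL,
                  FALSE );
}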