📄 sfilter.h
#include "ntifs.h"
#include "ntdddisk.h"
// Promote two MSVC warnings to hard errors in every file that includes this header.
#pragma warning(error:4100) // C4100: unreferenced formal parameter
#pragma warning(error:4101) // C4101: unreferenced local variable
//============================== Conditional definitions ============================
#ifndef Add2Ptr
// Add2Ptr(P, I): yields the address I bytes past P, typed as PVOID.
// This is plain pointer arithmetic, not string concatenation, and it does no
// bounds checking: the caller must verify that I stays inside the buffer P points
// into, especially when I comes from a request or from on-disk data.
#define Add2Ptr(P,I) ((PVOID)((PUCHAR)(P) + (I))) // usage: PVOID Add2Ptr(pointer, byte_offset)
#endif
//================ Compatibility definitions, compiled only when targeting Windows 2000 (WINVER 0x0500) ===================
// Each helper is defined only if no other header already provides it.
#if WINVER == 0x0500
#ifndef FlagOn // define only when FlagOn has not been defined yet
// FlagOn(a, b): a & b. The result is the masked bits, not a normalised boolean.
#define FlagOn(_F,_SF) ((_F) & (_SF)) // usage: FlagOn(a,b) -> a & b
#endif
#ifndef BooleanFlagOn
// BooleanFlagOn(a, b): TRUE when any bit of b is set in a, cast to BOOLEAN.
#define BooleanFlagOn(F,SF) ((BOOLEAN)(((F) & (SF)) != 0)) // usage: BooleanFlagOn(a,b) -> (a & b) != 0
#endif
#ifndef SetFlag
#define SetFlag(_F,_SF) ((_F) |= (_SF)) // usage: SetFlag(a,b) -> a |= b (sets the bits of b in a)
#endif
#ifndef ClearFlag
#define ClearFlag(_F,_SF) ((_F) &= ~(_SF)) // usage: ClearFlag(a,b) -> a &= ~b (clears the bits of b in a)
#endif
// min/max evaluate one of their arguments twice; do not pass expressions with side effects.
#ifndef min
#define min(a,b) (((a) < (b)) ? (a) : (b)) // usage: min(a,b) -> the smaller of a and b
#endif
#ifndef max
#define max(a,b) (((a) > (b)) ? (a) : (b)) // usage: max(a,b) -> the larger of a and b
#endif
// Replace an already-defined ASSERT with an expression-form version.
// DBG builds: a failing condition calls RtlAssert and the macro yields FALSE; a passing one yields TRUE.
// Non-DBG builds: ASSERT expands to ((void) 0), so exp is NOT evaluated at all.
// Never put a check the driver depends on (validation, side effects) inside ASSERT.
#ifdef ASSERT
#undef ASSERT
#if DBG
#define ASSERT( exp ) ((!(exp)) ? (RtlAssert( #exp, __FILE__, __LINE__, NULL ),FALSE) : TRUE)
#else
#define ASSERT( exp ) ((void) 0)
#endif
#endif
// On this target ExFreePoolWithTag is only a macro over ExFreePool: the tag argument (b) is discarded,
// so the free is not tag-checked. NOTE(review): presumably done because the tagged free routine is not
// available on Windows 2000 - confirm against the target DDK.
#define ExFreePoolWithTag( a, b ) ExFreePool( (a) )
#endif
//=================== Compiled only when targeting Windows XP or later (WINVER >= 0x0501) ====================
#if WINVER >= 0x0501
// Function-pointer types for the routines the driver calls through gSfDynamicFunctions
// instead of calling them directly.
// NOTE(review): presumably these are looked up at run time so one binary can load on OS versions
// that lack them; the lookup code is not in this header - confirm.
typedef NTSTATUS (*PSF_REGISTER_FILE_SYSTEM_FILTER_CALLBACKS) ( IN PDRIVER_OBJECT DriverObject, IN PFS_FILTER_CALLBACKS Callbacks );
typedef NTSTATUS (*PSF_ENUMERATE_DEVICE_OBJECT_LIST) ( IN PDRIVER_OBJECT DriverObject, IN PDEVICE_OBJECT *DeviceObjectList, IN ULONG DeviceObjectListSize, OUT PULONG ActualNumberDeviceObjects );
typedef NTSTATUS (*PSF_ATTACH_DEVICE_TO_DEVICE_STACK_SAFE) ( IN PDEVICE_OBJECT SourceDevice, IN PDEVICE_OBJECT TargetDevice, OUT PDEVICE_OBJECT *AttachedToDeviceObject );
typedef NTSTATUS (*PSF_GET_DISK_DEVICE_OBJECT) ( IN PDEVICE_OBJECT FileSystemDeviceObject, OUT PDEVICE_OBJECT *DiskDeviceObject );
typedef NTSTATUS (*PSF_GET_VERSION) ( IN OUT PRTL_OSVERSIONINFOW VersionInformation );
typedef PDEVICE_OBJECT (*PSF_GET_LOWER_DEVICE_OBJECT) ( IN PDEVICE_OBJECT DeviceObject );
typedef PDEVICE_OBJECT (*PSF_GET_DEVICE_ATTACHMENT_BASE_REF) ( IN PDEVICE_OBJECT DeviceObject );
typedef PDEVICE_OBJECT (*PSF_GET_ATTACHED_DEVICE_REFERENCE) ( IN PDEVICE_OBJECT DeviceObject );
// OS version tests. They read gSfOsMajorVersion / gSfOsMinorVersion, which are 0 until some other
// code fills them in; until then all four macros evaluate to false.
// 5.0 = Windows 2000, 5.1 = Windows XP, 5.2 = Windows Server 2003.
#define IS_WINDOWS2000() ((gSfOsMajorVersion == 5) && (gSfOsMinorVersion == 0))
#define IS_WINDOWSXP() ((gSfOsMajorVersion == 5) && (gSfOsMinorVersion == 1))
#define IS_WINDOWSXP_OR_LATER() (((gSfOsMajorVersion == 5) && (gSfOsMinorVersion >= 1)) || (gSfOsMajorVersion > 5))
#define IS_WINDOWSSRV2003_OR_LATER() (((gSfOsMajorVersion == 5) && (gSfOsMinorVersion >= 2)) || (gSfOsMajorVersion > 5))
// Table of the dynamically used routines. The single instance below is zero-initialised, so every
// slot is NULL until it is assigned; test a slot for NULL before calling through it.
typedef struct _SF_DYNAMIC_FUNCTION_POINTERS {
PSF_REGISTER_FILE_SYSTEM_FILTER_CALLBACKS RegisterFileSystemFilterCallbacks; // registers a PFS_FILTER_CALLBACKS set for a driver object
PSF_ATTACH_DEVICE_TO_DEVICE_STACK_SAFE AttachDeviceToDeviceStackSafe; // attaches SourceDevice over TargetDevice, returns the device attached to
PSF_ENUMERATE_DEVICE_OBJECT_LIST EnumerateDeviceObjectList; // fills a caller-sized array with a driver's device objects
PSF_GET_LOWER_DEVICE_OBJECT GetLowerDeviceObject; // presumably the next-lower device in the stack - confirm
PSF_GET_DEVICE_ATTACHMENT_BASE_REF GetDeviceAttachmentBaseRef; // presumably the bottom device of the stack, referenced - confirm
PSF_GET_DISK_DEVICE_OBJECT GetDiskDeviceObject; // maps a file-system device object to its disk device object
PSF_GET_ATTACHED_DEVICE_REFERENCE GetAttachedDeviceReference; // presumably the top device of the stack, referenced - confirm
PSF_GET_VERSION GetVersion; // fills an RTL_OSVERSIONINFOW with the OS version
} SF_DYNAMIC_FUNCTION_POINTERS, *PSF_DYNAMIC_FUNCTION_POINTERS;
// NOTE(review): the three globals below are definitions, not extern declarations. Including this
// header from more than one source file would define each symbol more than once.
SF_DYNAMIC_FUNCTION_POINTERS gSfDynamicFunctions = {0}; // the routine table, initialised to all zero (every slot NULL)
ULONG gSfOsMajorVersion = 0; // OS major version number
ULONG gSfOsMinorVersion = 0; // OS minor version number
#endif
//============================ Constants and helper macros =================================
#define MAX_DEVNAME_LENGTH 64 // device-name size limit; NOTE(review): unit (characters or bytes) is not shown here - confirm at the buffer that uses it
#define DEVOBJ_LIST_SIZE 64 // NOTE(review): presumably the capacity of a device-object array - confirm at the use site
#define SFLT_POOL_TAG 'tlFS' // pool allocation tag; written reversed, so it presumably reads "SFlt" in pool-tag dumps
// NOTE(review): defined (not just declared) in this header, initialised to 0; presumably a
// debug-output switch - its meaning is not visible here.
ULONG SfDebug = 0;
// Delay constants. NOTE(review): the values look like kernel relative times in 100-nanosecond units
// (negative = relative to now), which makes -10 one microsecond - confirm against the wait call that
// consumes them. The expressions have type int: DELAY_ONE_SECOND is -10,000,000, so widen to a
// 64-bit type before multiplying by a large factor, or the product overflows.
#define DELAY_ONE_MICROSECOND (-10)
#define DELAY_ONE_MILLISECOND (DELAY_ONE_MICROSECOND*1000)
#define DELAY_ONE_SECOND (DELAY_ONE_MILLISECOND*1000)
// IS_MY_DEVICE_OBJECT(pointer to a device object): true when the pointer is not NULL, the device's
// DriverObject is gSFilterDriverObject, and its DeviceExtension is not NULL.
// gSFilterDriverObject is not declared in this header and must be visible wherever the macro is used.
// The argument is evaluated up to three times. A device extension should only be treated as this
// driver's own after this test passes.
#define IS_MY_DEVICE_OBJECT(_devObj) (((_devObj) != NULL) && ((_devObj)->DriverObject == gSFilterDriverObject) && ((_devObj)->DeviceExtension != NULL))
// IS_MY_CONTROL_DEVICE_OBJECT: TRUE when the pointer equals gSFilterControlDeviceObject, else FALSE.
// The ASSERT only sanity-checks (where ASSERT is active) that the control device belongs to this
// driver and has no extension; it does not affect the result.
// NOTE(review): there is no NULL test, so a NULL argument compares equal while
// gSFilterControlDeviceObject is still NULL - confirm callers cannot hit that window.
#define IS_MY_CONTROL_DEVICE_OBJECT(_devObj) (((_devObj) == gSFilterControlDeviceObject) ? (ASSERT(((_devObj)->DriverObject == gSFilterDriverObject) && ((_devObj)->DeviceExtension == NULL)), TRUE) : FALSE)
// IS_DESIRED_DEVICE_TYPE: true for the device types this filter cares about - disk, CD-ROM and
// network file systems.
#define IS_DESIRED_DEVICE_TYPE(_type) (((_type) == FILE_DEVICE_DISK_FILE_SYSTEM) || ((_type) == FILE_DEVICE_CD_ROM_FILE_SYSTEM) || ((_type) == FILE_DEVICE_NETWORK_FILE_SYSTEM))
// VALID_FAST_IO_DISPATCH_HANDLER: true when a FAST_IO_DISPATCH handler can be used. Checks, in order:
// the table pointer is not NULL; SizeOfFastIoDispatch is large enough to contain the named field;
// the field itself is not NULL. Because && short-circuits, the field is read only after the size
// check, so a table shorter than the current FAST_IO_DISPATCH layout is never read past its end.
#define VALID_FAST_IO_DISPATCH_HANDLER(_FastIoDispatchPtr, _FieldName) (((_FastIoDispatchPtr) != NULL) && (((_FastIoDispatchPtr)->SizeOfFastIoDispatch) >= (FIELD_OFFSET(FAST_IO_DISPATCH, _FieldName) + sizeof(void *))) && ((_FastIoDispatchPtr)->_FieldName != NULL))