PSF_GET_ATTACHED_DEVICE_REFERENCE GetAttachedDeviceReference;
PSF_GET_VERSION GetVersion;
} SF_DYNAMIC_FUNCTION_POINTERS, *PSF_DYNAMIC_FUNCTION_POINTERS;
//
// Table of routines that are looked up at run time rather than linked
// statically (presumably filled in by SfLoadDynamicFunctions, declared below).
// Every entry starts out NULL. NOTE(review): each caller is expected to test
// an entry for NULL before calling through it -- confirm at every use site.
//
SF_DYNAMIC_FUNCTION_POINTERS gSfDynamicFunctions = {NULL};
//
// MULTIVERSION NOTE: For this version of the driver, we need to know the
// current OS version while we are running to make decisions regarding what
// logic to use when the logic cannot be the same for all platforms. We
// will look up the OS version in DriverEntry and store the values
// in these global variables.
//
// Both stay 0 until DriverEntry fills them in; the IS_WINDOWS* macros below
// read them.
//
ULONG gSfOsMajorVersion = 0;
ULONG gSfOsMinorVersion = 0;
//
// Here is what the major and minor versions should be for the various OS versions:
// 这里是各种OS对应的主次版本号
//
// OS Name MajorVersion MinorVersion
// ---------------------------------------------------------------------
// Windows 2000 5 0
// Windows XP 5 1
// Windows Server 2003 5 2
//
//
// Platform predicates evaluated against the version globals that DriverEntry
// fills in. Exact-match checks first, then the "or later" checks: any major
// version above 5 qualifies, otherwise 5.x with the minor at or above the cutoff.
//
#define IS_WINDOWS2000() \
    (gSfOsMajorVersion == 5 && gSfOsMinorVersion == 0)
#define IS_WINDOWSXP() \
    (gSfOsMajorVersion == 5 && gSfOsMinorVersion == 1)
#define IS_WINDOWSXP_OR_LATER() \
    (gSfOsMajorVersion > 5 || (gSfOsMajorVersion == 5 && gSfOsMinorVersion >= 1))
#define IS_WINDOWSSRV2003_OR_LATER() \
    (gSfOsMajorVersion > 5 || (gSfOsMajorVersion == 5 && gSfOsMinorVersion >= 2))
#endif
//
// TAG identifying memory SFilter allocates
// 标识SFilter分配内存的标记
//
#define SFLT_POOL_TAG 'tlFS'   // multi-char constant; pool-tag tools show it byte-reversed as "SFlt"
//
// This structure and these routines are used to retrieve the name of a file
// object. To prevent allocating memory every time we get a name this
// structure contains a small buffer (which should handle 90+% of all names).
// If we do overflow this buffer we will allocate a buffer big enough
// for the name.
//
typedef struct _GET_NAME_CONTROL
{
    // Pool buffer used only when a name does not fit in smallBuffer; NULL
    // otherwise. Presumably released by SfGetFileNameCleanup -- confirm.
    PCHAR allocatedBuffer;
    // Inline storage that is expected to cover the large majority of names
    // without any pool allocation.
    CHAR smallBuffer[256];
} GET_NAME_CONTROL, *PGET_NAME_CONTROL;
//
// Returns the name of FileObject as a UNICODE_STRING whose storage lives in
// NameControl (the inline buffer, or a pool allocation when the name does not
// fit). CreateStatus presumably tells the routine whether the create that
// produced FileObject succeeded -- confirm in the definition.
// NOTE(review): the returned string is only valid until SfGetFileNameCleanup
// is called on the same NameControl.
//
PUNICODE_STRING
SfGetFileName(
    IN PFILE_OBJECT FileObject,
    IN NTSTATUS CreateStatus,
    IN OUT PGET_NAME_CONTROL NameControl
    );
//
// Releases whatever pool buffer SfGetFileName attached to NameControl.
// Must be paired with every SfGetFileName call.
//
VOID
SfGetFileNameCleanup(
    IN OUT PGET_NAME_CONTROL NameControl
    );
//
// Macros for SFilter DbgPrint levels.
// 用于SFilter DbgPrint级的宏
//
//
// Conditional debug print: calls DbgPrint only when _dbgLevel is set in the
// SfDebug bitmask. _string must be a fully parenthesised printf-style argument
// list, e.g. SF_LOG_PRINT(SFDEBUG_DISPLAY_ATTACHMENT_NAMES, ("x=%d\n", x)),
// because the macro pastes it directly after DbgPrint. The whole expansion is
// an expression (the disabled branch is (void)0), so it is usable anywhere an
// expression is. The format string must always be a literal, never data taken
// from an I/O request.
//
#define SF_LOG_PRINT(_dbgLevel, _string) \
    (FlagOn(SfDebug,(_dbgLevel)) ? \
        DbgPrint _string : \
        ((void)0))
//
// Delay values for KeDelayExecutionThread()
// (Values are negative to represent relative time)
// 用于KeDelayExecutionThread()的延迟值,(负值代表相对时间)
//
//
// Delay values for KeDelayExecutionThread(). Its interval is expressed in
// 100-nanosecond units and a negative value means "relative to now", so
// -10 units is one microsecond; the larger units are built from it.
//
#define DELAY_ONE_MICROSECOND (-10)
#define DELAY_ONE_MILLISECOND (DELAY_ONE_MICROSECOND*1000)
#define DELAY_ONE_SECOND (DELAY_ONE_MILLISECOND*1000)
////////////////////////////////////////////////////////////////////////////////
//
// Global variables
//
////////////////////////////////////////////////////////////////////////////////
//
// Holds pointer to the driver object for this driver
// 保持用于这个驱动的驱动对象的指针
//
//
// Holds pointer to the driver object for this driver (presumably stored by
// DriverEntry; NULL until then).
//
PDRIVER_OBJECT gSFilterDriverObject = NULL;
//
// Holds pointer to the device object that represents this driver and is used
// by external programs to access this driver. This is also known as the
// "control device object".
// NOTE(review): since user-mode programs reach the driver through this object,
// every request it receives carries untrusted input; buffer lengths must be
// validated in the dispatch routines -- confirm there.
//
PDEVICE_OBJECT gSFilterControlDeviceObject = NULL;
//
// This lock is used to synchronize our attaching to a given device object.
// This lock fixes a race condition where we could accidentally attach to the
// same device object more than once. This race condition only occurs if
// a volume is being mounted at the same time as this filter is being loaded.
// This problem will never occur if this filter is loaded at boot time before
// any file systems are loaded.
//
// This lock is used to atomically test if we are already attached to a given
// device object and if not, do the attach.
//
FAST_MUTEX gSfilterAttachLock;
// Add content(增加内容)******
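//
// Lookaside lists for the per-request allocations this version adds: file
// name buffers, per-file contexts, and the contexts handed to the read/write
// completion routines. NOTE(review): the completion-context list is non-paged,
// presumably because completion routines can run at raised IRQL -- confirm
// against the initialisation code.
//
PAGED_LOOKASIDE_LIST gFileNameLookAsideList;
PAGED_LOOKASIDE_LIST gFsCtxLookAsideList;
NPAGED_LOOKASIDE_LIST gReadWriteCompletionCtxLookAsideList;
//
// Head of the rule list and the resource that serialises access to it.
// NOTE(review): presumably acquired shared by readers and exclusive while the
// list is rebuilt; confirm in the rule-loading code.
//
PRULE gRules = NULL;
ERESOURCE gRulesResource;
//
// Handle to the rule file; NULL until it has been opened.
//
HANDLE gRuleFileHandle = NULL;
//
// Key material used by the filter. NOTE(review): the name suggests a secret --
// it should be cleared with RtlSecureZeroMemory once no longer needed and must
// never appear in DbgPrint output; confirm how it is populated and used.
//
UCHAR gKey[128] = {0};
//
// Bytes to reserve per generic-table element. Parenthesised so the macro is
// safe inside larger expressions (the original expanded to
// sizeof(FILE_CONTEXT) + 32 unparenthesised, which mis-associates under
// multiplication or comparison). NOTE(review): the extra 32 bytes presumably
// cover the table's per-node link header that precedes each element --
// confirm against the table's allocate callback.
//
#define FSCTX_GENERIC_TABLE_POOL_SIZE (sizeof(FILE_CONTEXT) + 32)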
// Add content(增加内容)******
////////////////////////////////////////////////////////////////////////////////
//
// Debug Definitions
//
////////////////////////////////////////////////////////////////////////////////
//
// DEBUG display flags
//
/*
#define SFDEBUG_DISPLAY_ATTACHMENT_NAMES 0x00000001 //display names of device objects we attach to
#define SFDEBUG_DISPLAY_CREATE_NAMES 0x00000002 //get and display names during create
#define SFDEBUG_GET_CREATE_NAMES 0x00000004 //get name (don't display) during create
#define SFDEBUG_DO_CREATE_COMPLETION 0x00000008 //do create completion routine, don't get names
#define SFDEBUG_ATTACH_TO_FSRECOGNIZER 0x00000010 //do attach to FSRecognizer device objects
#define SFDEBUG_ATTACH_TO_SHADOW_COPIES 0x00000020 //do attach to ShadowCopy Volume device objects -- they are only around on Windows XP and later
ULONG SfDebug = 0;
*/
// 显示我们附着到的设备对象的名字
// Display names of device objects we attach to.
//
//
// Display names of device objects we attach to.
//
#define SFDEBUG_DISPLAY_ATTACHMENT_NAMES 0x00000001
//
// Get file names (during create) and display them (create completion).
//
#define SFDEBUG_DISPLAY_CREATE_NAMES 0x00000002
//
// Get file names but don't display them (during create).
//
#define SFDEBUG_GET_CREATE_NAMES 0x00000004
//
// Do create completion routine, regardless of name display.
//
#define SFDEBUG_DO_CREATE_COMPLETION 0x00000008
//
// Do attach to FSRecognizer device objects.
//
#define SFDEBUG_ATTACH_TO_FSRECOGNIZER 0x00000010
//
// Do attach to ShadowCopy Volume device objects -- they are only around on
// Windows XP and later.
//
#define SFDEBUG_ATTACH_TO_SHADOW_COPIES 0x00000020
//
// Do get and use DOS device names for file name display.
// (Left commented out in this version.)
//
//#define SFDEBUG_GET_DOS_NAMES 0x00000040
//
// Display information at cleanup/close time.
// (Left commented out in this version.)
//
//#define SFDEBUG_DISPLAY_CLEANUPCLOSE_NAMES 0x00000080
//
// Global which holds debug state: a bitmask of the SFDEBUG_* flags above,
// tested by SF_LOG_PRINT through FlagOn(SfDebug, level). Zero disables every
// debug path. NOTE(review): presumably loaded from the registry in DriverEntry
// -- confirm.
//
ULONG SfDebug = 0;
//
// Given a device type, return a valid name
// 给出一个设备类型,返回一个有效名字
//
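//
// Known device type names, indexed by device type value. Entry 0 is an empty
// placeholder so that the index lines up with the device type directly.
//
static const PCHAR DeviceTypeNames[] = {
    "",
    "BEEP",
    "CD_ROM",
    "CD_ROM_FILE_SYSTEM",
    "CONTROLLER",
    "DATALINK",
    "DFS",
    "DISK",
    "DISK_FILE_SYSTEM",
    "FILE_SYSTEM",
    "INPORT_PORT",
    "KEYBOARD",
    "MAILSLOT",
    "MIDI_IN",
    "MIDI_OUT",
    "MOUSE",
    "MULTI_UNC_PROVIDER",
    "NAMED_PIPE",
    "NETWORK",
    "NETWORK_BROWSER",
    "NETWORK_FILE_SYSTEM",
    "NULL",
    "PARALLEL_PORT",
    "PHYSICAL_NETCARD",
    "PRINTER",
    "SCANNER",
    "SERIAL_MOUSE_PORT",
    "SERIAL_PORT",
    "SCREEN",
    "SOUND",
    "STREAMS",
    "TAPE",
    "TAPE_FILE_SYSTEM",
    "TRANSPORT",
    "UNKNOWN",
    "VIDEO",
    "VIRTUAL_DISK",
    "WAVE_IN",
    "WAVE_OUT",
    "8042_PORT",
    "NETWORK_REDIRECTOR",
    "BATTERY",
    "BUS_EXTENDER",
    "MODEM",
    "VDM",
    "MASS_STORAGE",
    "SMB",
    "KS",
    "CHANGER",
    "SMARTCARD",
    "ACPI",
    "DVD",
    "FULLSCREEN_VIDEO",
    "DFS_FILE_SYSTEM",
    "DFS_VOLUME",
    "SERENUM",
    "TERMSRV",
    "KSEC"
};
//
// Given a device type, return a valid name. Anything outside the table, and
// type 0 (whose slot is the empty placeholder), maps to "[Unknown]", so the
// result is always a printable string. The element count is taken from the
// table's own element type rather than a hard-coded sizeof(PCHAR), so it stays
// correct if the element type ever changes. _type is evaluated up to three
// times: pass a plain variable, never an expression with side effects.
//
#define GET_DEVICE_TYPE_NAME(_type) \
    ((((_type) > 0) && ((_type) < (sizeof(DeviceTypeNames) / sizeof(DeviceTypeNames[0])))) ? \
        DeviceTypeNames[ (_type) ] : \
        "[Unknown]")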
////////////////////////////////////////////////////////////////////////////////
//
// Function Prototypes
//
////////////////////////////////////////////////////////////////////////////////
//
// Prototype for the CRT's unbounded swprintf (no destination-size argument).
// NOTE(review): nothing here bounds the write, so every caller must guarantee
// the destination holds the worst-case formatted output; a sized routine such
// as RtlStringCchPrintfW (ntstrsafe.h) would remove that burden. The format
// argument must be a literal, never text taken from a request or a file.
//
int __cdecl
swprintf(wchar_t *, const wchar_t *, ...); // added in this version
//
// Define driver entry routine.
//
//
// Driver entry point, called once when the driver is loaded. DriverObject is
// this driver's object and RegistryPath its service key. Per the MULTIVERSION
// NOTE above, this is where the OS version globals are filled in.
//
NTSTATUS
DriverEntry(
    IN PDRIVER_OBJECT DriverObject,
    IN PUNICODE_STRING RegistryPath
    );
#if DBG && WINVER >= 0x0501
//
// Unload routine, compiled only into checked (DBG) builds targeting XP
// (5.1) or later.
//
VOID
DriverUnload(
    IN PDRIVER_OBJECT DriverObject
    );
#endif
//
// Define the local routines used by this driver module. This includes a
// sample of how to filter a create file operation, and then invoke an I/O
// completion routine when the file has successfully been created/opened.
//
// 定义由这个驱动模块使用的局部例程。这包括一个如何过滤一个创建文件操作的例子,
// 且然后当文件已经成功被创建/打开时调用一个I/O完成例程
#if WINVER >= 0x0501
//
// Resolves the run-time-looked-up routines into gSfDynamicFunctions.
// NOTE(review): an empty parameter list is an old-style declaration; (VOID)
// would give a real prototype.
//
VOID
SfLoadDynamicFunctions(
    );
//
// Fills in gSfOsMajorVersion / gSfOsMinorVersion (presumably via
// PsGetVersion or RtlGetVersion -- confirm in the definition).
//
VOID
SfGetCurrentVersion(
    );
#endif
//
// IRP dispatch routines. All share the (DeviceObject, Irp) signature and are
// presumably installed into DriverObject->MajorFunction by DriverEntry --
// confirm there. NOTE(review): any routine that touches the request's data
// buffer must bound its access by the length carried in the I/O stack location.
//
// Default handler for every major function this filter does not treat specially.
//
NTSTATUS
SfPassThrough(
    IN PDEVICE_OBJECT DeviceObject,
    IN PIRP Irp
    );
//
// IRP_MJ_CREATE handler. (The original sample's SfCreateCompletion is not
// declared in this version.)
//
NTSTATUS
SfCreate(
    IN PDEVICE_OBJECT DeviceObject,
    IN PIRP Irp
    );
//
// The original sample's single SfCleanupClose has been split into SfCleanup
// and SfClose in this version.
//
NTSTATUS
SfCleanup(
    IN PDEVICE_OBJECT DeviceObject,
    IN PIRP Irp
    );
NTSTATUS
SfClose(
    IN PDEVICE_OBJECT DeviceObject,
    IN PIRP Irp
    );
//
// Read/write dispatch and completion routines added in this version. The
// completion routines carry the IoCompletion signature (DeviceObject, Irp,
// Context); Context is presumably drawn from
// gReadWriteCompletionCtxLookAsideList and must be returned to it on every
// completion path -- confirm in the definitions.
//
NTSTATUS // added in this version
SfRead(
    IN PDEVICE_OBJECT DeviceObject,
    IN PIRP Irp
    );
NTSTATUS // added in this version
SfReadCompletion(
    IN PDEVICE_OBJECT DeviceObject,
    IN PIRP Irp,
    IN PVOID Context
    );
NTSTATUS // added in this version
SfWrite(
    IN PDEVICE_OBJECT DeviceObject,
    IN PIRP Irp
    );
NTSTATUS // added in this version
SfWriteCompletion(
    IN PDEVICE_OBJECT DeviceObject,
    IN PIRP Irp,
    IN PVOID Context
    );
//
// Directory-control and set-information handlers added in this version.
//
NTSTATUS // added in this version
SfDirectoryControl (
    IN PDEVICE_OBJECT DeviceObject,
    IN PIRP Irp
    );
NTSTATUS // added in this version
SfSetInformation (
    IN PDEVICE_OBJECT DeviceObject,
    IN PIRP Irp
    );
//
// File-system-control handling, retained from the original sample: the
// mount-volume and load-file-system paths each have a dispatch routine, a
// worker that receives the FSCTRL completion context (type declared
// elsewhere), and a completion routine.
//
NTSTATUS
SfFsControl(
    IN PDEVICE_OBJECT DeviceObject,
    IN PIRP Irp
    );
NTSTATUS
SfFsControlMountVolume (
    IN PDEVICE_OBJECT DeviceObject,
    IN PIRP Irp
    );
VOID
SfFsControlMountVolumeCompleteWorker (
    IN PFSCTRL_COMPLETION_CONTEXT Context
    );
// NewDeviceObject is the filter device created for the freshly mounted volume.
NTSTATUS
SfFsControlMountVolumeComplete (
    IN PDEVICE_OBJECT DeviceObject,
    IN PIRP Irp,
    IN PDEVICE_OBJECT NewDeviceObject
    );
NTSTATUS
SfFsControlLoadFileSystem (
    IN PDEVICE_OBJECT DeviceObject,
    IN PIRP Irp
    );
VOID
SfFsControlLoadFileSystemCompleteWorker (
    IN PFSCTRL_COMPLETION_CONTEXT Context
    );
NTSTATUS
SfFsControlLoadFileSystemComplete (
    IN PDEVICE_OBJECT DeviceObject,
    IN PIRP Irp
    );