/*
 * usbmon.h - shared declarations for the USB monitor driver: the global
 * state block, the hook routine prototypes, and the table of buffers that
 * need encryption/decryption.
 *
 * NOTE(review): identifiers containing a double underscore are reserved for
 * the implementation in C; the guard name is kept as the author wrote it.
 */
#ifndef __USB_MON_H__
#define __USB_MON_H__
#include <ntddk.h>
#include <srb.h>
#include "nttypes.h"
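/*
 * Yields the IRP stack location that lies `Level` entries past the IRP's
 * current stack location (Level 0 is the current location itself).
 *
 * `Level` is parenthesized so that an expression argument (for example
 * `a & b` or `c ? 1 : 0`) is added as a whole instead of being split by
 * operator precedence.
 *
 * NOTE(review): this reuses the name of the WDK's one-argument
 * IoGetIrpStackLocation(Irp); every file that includes this header gets the
 * two-argument form. No check is made against the IRP's stack count, so the
 * caller must guarantee that the resulting pointer stays inside the IRP's
 * stack-location array.
 */
#define IoGetIrpStackLocation(Irp, Level) ((Irp)->Tail.Overlay.CurrentStackLocation + (Level))
#define MAX_MDL_LIST 32 // concurrent IRPs; capacity of GLOBALS.CryptMdlList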
/*
 * One entry of GLOBALS.CryptMdlList: describes a buffer that needs
 * encryption/decryption, together with the file object it is associated with.
 */
typedef struct _CRYPT_FILE_DES
{
PVOID SystemAddress; // buffer address; presumably the system-space mapping of an MDL - confirm in the .c file
ULONG Length; // length associated with SystemAddress; presumably in bytes - confirm
PFILE_OBJECT FileObject; // file object this entry is associated with
ULONG Ret; // NOTE(review): meaning not visible in this header - confirm against the code that sets it
}CRYPT_FILE_DES, *PCRYPT_FILE_DES;
/*
 * Driver-wide state: handles for the installed hooks, the two driver objects
 * the driver refers to, the key material and the table of buffers pending
 * encryption/decryption. A single instance is declared below as `Globals`.
 */
typedef struct _GLOBALS
{
// Hook handles. Presumably one per installed hook, named after the path it
// intercepts (PnP, SCSI, file-system read/write, SCSI read completion) -
// confirm against the code that installs them.
HANDLE PnpHookHandle;
HANDLE ScsiHookHandle;
HANDLE fsdReadHookHandle;
HANDLE fsdWriteHookHandle;
HANDLE ScsiReadCompletionHandle;
HANDLE usbSection; // NOTE(review): purpose not visible in this header - confirm
PDRIVER_OBJECT UsbStorDriver; // presumably the USB mass-storage driver object - confirm
PDRIVER_OBJECT FastFatDriver; // presumably the FAT file-system driver object - confirm
// Original comment: "128-bit key". The array holds 128 elements, which is
// more than a 128-bit key needs - NOTE(review): confirm the intended key
// size and how many elements are actually used.
// NOTE(review): key material kept in driver global data should be wiped
// (e.g. RtlSecureZeroMemory) on the unload path and never logged - confirm.
BYTE Key[128];
// Table of MDL addresses that need encryption/decryption.
CRYPT_FILE_DES CryptMdlList[MAX_MDL_LIST];
// Presumably the number of CryptMdlList entries in use - confirm.
// NOTE(review): MAX_MDL_LIST is documented as "concurrent IRPs", so updates
// to CryptMdlNum/CryptMdlList need a bounds check against MAX_MDL_LIST and
// synchronization suitable for the IRQL of the hooked paths - verify in
// the .c file.
ULONG CryptMdlNum;
} GLOBALS;
/*
 * Hook routine that receives a handle to the original function plus the
 * device object and IRP of the intercepted request, and returns an NTSTATUS.
 * NOTE(review): presumably installed on the PnP path (see
 * GLOBALS.PnpHookHandle) - confirm in the implementation.
 */
NTSTATUS
HookPnpDevice(
IN HANDLE OrgFunction,
IN PDEVICE_OBJECT DeviceObject,
IN PIRP Irp
);
/*
 * Hook routine with the same shape as HookPnpDevice: original-function
 * handle, device object and IRP in; NTSTATUS out.
 * NOTE(review): presumably installed on the USB storage SCSI path (see
 * GLOBALS.ScsiHookHandle) - confirm in the implementation.
 */
NTSTATUS
HookUsbScsi(
IN HANDLE OrgFunction,
IN PDEVICE_OBJECT DeviceObject,
IN PIRP Irp
);
/*
 * Hook routine with the same shape as HookPnpDevice: original-function
 * handle, device object and IRP in; NTSTATUS out.
 * NOTE(review): presumably shared by the file-system read and write hooks
 * (see GLOBALS.fsdReadHookHandle / fsdWriteHookHandle) - confirm.
 */
NTSTATUS
HookFsdReadWrite(
IN HANDLE OrgFunction,
IN PDEVICE_OBJECT DeviceObject,
IN PIRP Irp
);
/*
 * Unload routine for this driver; the signature matches a driver unload
 * callback (takes the driver object, returns nothing).
 * NOTE(review): because this driver installs hooks that other drivers' code
 * paths call into, unload has to remove every hook and make sure no hooked
 * request is still in flight before the image is released; otherwise a later
 * call lands in freed memory. Confirm the implementation does both.
 */
VOID
UsbMonUnload(
IN PDRIVER_OBJECT DriverObject
);
/*
 * Completion routine: the parameter list (device object, IRP, context) and
 * NTSTATUS return match the I/O completion routine callback shape.
 * NOTE(review): completion routines can run at raised IRQL; confirm the
 * implementation touches only memory that is safe at that level.
 */
NTSTATUS
HookIoCompletionRoutine(
IN PDEVICE_OBJECT DeviceObject,
IN PIRP Irp,
IN PVOID Context
);
/*
 * Variant of the completion hook that additionally receives a handle to the
 * original function, followed by the usual device object, IRP and context.
 * NOTE(review): how this relates to HookIoCompletionRoutine is not visible
 * in this header - confirm in the implementation.
 */
NTSTATUS
InlineHookIoCompletionRoutine(
IN HANDLE OrgFunction,
IN PDEVICE_OBJECT DeviceObject,
IN PIRP Irp,
IN PVOID Context
);
/*
 * Takes an IRP, one of its stack locations and a completion routine to use
 * as the hook; returns a PVOID.
 * NOTE(review): presumably swaps the stack location's completion routine for
 * HookHandle and returns what is needed to call the original one - the
 * meaning of the return value must be confirmed in the implementation.
 */
PVOID
SetupIoCompletionRoutineHook(
IN PIRP Irp,
IN PIO_STACK_LOCATION irsp,
IN PIO_COMPLETION_ROUTINE HookHandle
);
/*
 * Local declaration of the kernel Cache Manager routine CcPurgeCacheSection,
 * which the WDK declares in ntifs.h (this header includes ntddk.h instead).
 * NOTE(review): a hand-copied prototype can drift from the WDK's own
 * declaration between WDK versions; verify it against the ntifs.h of the
 * targeted WDK, or include that header if the build allows it.
 */
NTKERNELAPI
BOOLEAN
NTAPI
CcPurgeCacheSection (
IN PSECTION_OBJECT_POINTERS SectionObjectPointer,
IN PLARGE_INTEGER FileOffset OPTIONAL,
IN ULONG Length,
IN BOOLEAN UninitializeCacheMaps
);
/* The single driver-wide GLOBALS instance; its definition is not in this header. */
extern GLOBALS Globals;
#endif /* __USB_MON_H__ */