?? fspykern.h
字號:
/*++
Copyright (c) 1989-1999 Microsoft Corporation
Module Name:
fspyKern.h
Abstract:
Header file which contains the structures, type definitions,
constants, global variables and function prototypes that are
only visible within the kernel.
As of the Windows XP SP1 IFS Kit version of this sample and later, this
sample can be built for each build environment released with the IFS Kit
with no additional modifications. To provide this capability, additional
compile-time logic was added -- see the '#if WINVER' locations. Comments
tagged with the 'VERSION NOTE' header have also been added as appropriate to
describe how the logic must change between versions.
If this sample is built in the Windows XP environment or later, it will run
on Windows 2000 or later. This is done by dynamically loading the routines
that are only available on Windows XP or later and making run-time decisions
to determine what code to execute. Comments tagged with 'MULTIVERISON NOTE'
mark the locations where such logic has been added.
Environment:
Kernel mode
--*/
#ifndef __FSPYKERN_H__
#define __FSPYKERN_H__
#include "namelookup.h"
//
// VERSION NOTE:
//
// The following useful macros are defined in NTIFS.H in Windows XP and later.
// We will define them locally if we are building for the Windows 2000
// environment.
//
#if WINVER == 0x0500
//
// These macros are used to test, set and clear flags respectively
//
#ifndef FlagOn
#define FlagOn(_F,_SF) ((_F) & (_SF))
#endif
#ifndef BooleanFlagOn
#define BooleanFlagOn(F,SF) ((BOOLEAN)(((F) & (SF)) != 0))
#endif
#ifndef SetFlag
#define SetFlag(_F,_SF) ((_F) |= (_SF))
#endif
#ifndef ClearFlag
#define ClearFlag(_F,_SF) ((_F) &= ~(_SF))
#endif
#define RtlInitEmptyUnicodeString(_ucStr,_buf,_bufSize) \
((_ucStr)->Buffer = (_buf), \
(_ucStr)->Length = 0, \
(_ucStr)->MaximumLength = (USHORT)(_bufSize))
#ifndef min
#define min(a,b) (((a) < (b)) ? (a) : (b))
#endif
#ifndef max
#define max(a,b) (((a) > (b)) ? (a) : (b))
#endif
#define ExFreePoolWithTag( a, b ) ExFreePool( (a) )
#endif /* WINVER == 0x0500 */
//
// This controls how FileSpy is built. It has 2 options:
// 0 - Build using NameHashing (old way, see fspyHash.c)
// 1 - Build using StreamContexts (new Way, see fspyCtx.c)
//
// VERSION NOTE:
//
// Filter stream contexts are only supported on Windows XP and later
// OS versions. This support was not available in Windows 2000 or NT 4.0.
//
#define USE_STREAM_CONTEXTS 0
#define FILE_BUFFER 512
#define MAX_PATH 260
#define FSCTX_GENERIC_TABLE_POOL_SIZE sizeof(FILE_CONTEXT) + 32
PAGED_LOOKASIDE_LIST gFsCtxLookAsideList;
#if USE_STREAM_CONTEXTS && WINVER < 0x0501
#error Stream contexts on only supported on Windows XP or later.
#endif
//
// POOL Tag definitions
//
#define FILESPY_POOL_TAG 'yPsF'
#define FILESPY_LOGRECORD_TAG 'rLsF'
#define FILESPY_CONTEXT_TAG 'xCsF'
#define FILESPY_NAME_BUFFER_TAG 'bNsF'
#define FILESPY_DEVNAME_TAG 'nDsF'
#define FILESPY_USERNAME_TAG 'nUsF'
#ifndef INVALID_HANDLE_VALUE
#define INVALID_HANDLE_VALUE ((HANDLE) -1)
#endif
#define CONSTANT_UNICODE_STRING(s) { sizeof( s ) - sizeof( WCHAR ), sizeof(s), s }
//
// Delay values for KeDelayExecutionThread()
// (Values are negative to represent relative time)
//
#define DELAY_ONE_MICROSECOND (-10)
#define DELAY_ONE_MILLISECOND (DELAY_ONE_MICROSECOND*1000)
#define DELAY_ONE_SECOND (DELAY_ONE_MILLISECOND*1000)
//
// Don't use look-aside-list in the debug versions.
//
#if DBG
#define MEMORY_DBG
#endif
//---------------------------------------------------------------------------
// Macros for FileSpy DbgPrint levels.
//---------------------------------------------------------------------------
#define SPY_LOG_PRINT( _dbgLevel, _string ) \
(FlagOn(gFileSpyDebugLevel,(_dbgLevel)) ? \
DbgPrint _string : \
((void)0))
//---------------------------------------------------------------------------
// Generic Resource acquire/release macros
//---------------------------------------------------------------------------
#define SpyAcquireResourceExclusive( _r, _wait ) \
(ASSERT( ExIsResourceAcquiredExclusiveLite((_r)) || \
!ExIsResourceAcquiredSharedLite((_r)) ), \
KeEnterCriticalRegion(), \
ExAcquireResourceExclusiveLite( (_r), (_wait) ))
#define SpyAcquireResourceShared( _r, _wait ) \
(KeEnterCriticalRegion(), \
ExAcquireResourceSharedLite( (_r), (_wait) ))
#define SpyReleaseResource( _r ) \
(ASSERT( ExIsResourceAcquiredSharedLite((_r)) || \
ExIsResourceAcquiredExclusiveLite((_r)) ), \
ExReleaseResourceLite( (_r) ), \
KeLeaveCriticalRegion())
//---------------------------------------------------------------------------
// Macro to test if we are logging for this device
//
// NOTE: We don't bother synchronizing to check the gControlDeviceState since
// we can tolerate a stale value here. We just look at it here to avoid
// doing the logging work if we can. We synchronize to check the
// gControlDeviceState before we add the log record to the gOutputBufferList
// and discard the log record if the ControlDevice is no longer OPENED.
//---------------------------------------------------------------------------
#define SHOULD_LOG(pDeviceObject) \
((gControlDeviceState == OPENED) && \
FlagOn(((PFILESPY_DEVICE_EXTENSION)(pDeviceObject)->DeviceExtension)->Flags,LogThisDevice))
#define IS_MY_CONTROL_DEVICE_OBJECT(_devObj) \
(((_devObj) == gControlDeviceObject) ? \
(ASSERT(((_devObj)->DriverObject == gFileSpyDriverObject) && \
((_devObj)->DeviceExtension == NULL)), TRUE) : \
FALSE)
//---------------------------------------------------------------------------
// Global variables
//---------------------------------------------------------------------------
//
// Debugger definitions
//
typedef enum _SPY_DEBUG_FLAGS {
SPYDEBUG_DISPLAY_ATTACHMENT_NAMES = 0x00000001,
SPYDEBUG_ERROR = 0x00000002,
SPYDEBUG_TRACE_NAME_REQUESTS = 0x00000004,
SPYDEBUG_TRACE_IRP_OPS = 0x00000010,
SPYDEBUG_TRACE_FAST_IO_OPS = 0x00000020,
SPYDEBUG_TRACE_FSFILTER_OPS = 0x00000040,
SPYDEBUG_TRACE_CONTEXT_OPS = 0x00000100,
SPYDEBUG_TRACE_DETAILED_CONTEXT_OPS = 0x00000200,
SPYDEBUG_TRACE_MISMATCHED_NAMES = 0x00001000,
SPYDEBUG_ASSERT_MISMATCHED_NAMES = 0x00002000,
SPYDEBUG_BREAK_ON_DRIVER_ENTRY = 0x80000000
} SPY_DEBUG_FLAGS;
//
// FileSpy global variables.
//
extern PAGED_LOOKASIDE_LIST gFileSpyNameBufferLookasideList;
extern SPY_DEBUG_FLAGS gFileSpyDebugLevel;
extern ULONG gFileSpyAttachMode;
extern PDEVICE_OBJECT gControlDeviceObject;
extern PDRIVER_OBJECT gFileSpyDriverObject;
extern FAST_MUTEX gSpyDeviceExtensionListLock;
extern LIST_ENTRY gSpyDeviceExtensionList;
extern KSPIN_LOCK gOutputBufferLock;
extern LIST_ENTRY gOutputBufferList;
extern NPAGED_LOOKASIDE_LIST gFreeBufferList;
extern ULONG gLogSequenceNumber;
extern KSPIN_LOCK gLogSequenceLock;
extern UNICODE_STRING gVolumeString;
extern UNICODE_STRING gOverrunString;
extern UNICODE_STRING gPagingIoString;
extern UNICODE_STRING gEmptyUnicode;
extern UNICODE_STRING gInsufficientUnicode;
extern LONG gStaticBufferInUse;
extern CHAR gOutOfMemoryBuffer[RECORD_SIZE];
//
// Statistics definitions. Note that we don't do interlocked operations
// because loosing a count once in a while isn't important enough vs the
// overhead.
//
extern FILESPY_STATISTICS gStats;
#define INC_STATS(field) (gStats.field++)
#define INC_LOCAL_STATS(var) ((var)++)
//
// Attachment lock.
//
extern FAST_MUTEX gSpyAttachLock;
//
// FileSpy Registry values.
//
#define DEFAULT_MAX_RECORDS_TO_ALLOCATE 100;
#define DEFAULT_MAX_NAMES_TO_ALLOCATE 100;
#define DEFAULT_FILESPY_DEBUG_LEVEL SPYDEBUG_ERROR;
#define MAX_RECORDS_TO_ALLOCATE L"MaxRecords"
#define MAX_NAMES_TO_ALLOCATE L"MaxNames"
#define DEBUG_LEVEL L"DebugFlags"
#define ATTACH_MODE L"AttachMode"
extern LONG gMaxRecordsToAllocate;
extern LONG gRecordsAllocated;
extern LONG gMaxNamesToAllocate;
extern LONG gNamesAllocated;
//
// Our Control Device State information.
//
typedef enum _CONTROL_DEVICE_STATE {
OPENED,
CLOSED,
CLEANING_UP
} CONTROL_DEVICE_STATE;
extern CONTROL_DEVICE_STATE gControlDeviceState;
extern KSPIN_LOCK gControlDeviceStateLock;
//
// Given a device type, return a valid name.
//
extern const PCHAR DeviceTypeNames[];
extern ULONG SizeOfDeviceTypeNames;
#define GET_DEVICE_TYPE_NAME( _type ) \
((((_type) > 0) && \
((_type) < (SizeOfDeviceTypeNames / sizeof(PCHAR)))) ? \
DeviceTypeNames[ (_type) ] : \
"[Unknown]")
//---------------------------------------------------------------------------
// Global defines
//---------------------------------------------------------------------------
//
// Macro to test for device types we want to attach to.
//
#define IS_SUPPORTED_DEVICE_TYPE(_type) \
(((_type) == FILE_DEVICE_DISK_FILE_SYSTEM) || \
((_type) == FILE_DEVICE_CD_ROM_FILE_SYSTEM) || \
((_type) == FILE_DEVICE_NETWORK_FILE_SYSTEM))
//
// Returns the number of BYTES unused in the RECORD_LIST structure.
//
#define REMAINING_NAME_SPACE(RecordList) \
(USHORT)(RECORD_SIZE - \
(((RecordList)->LogRecord.Length) + sizeof(LIST_ENTRY)))
//---------------------------------------------------------------------------
// Device Extension defines
//---------------------------------------------------------------------------
typedef enum _FSPY_DEV_FLAGS {
//
// If set, this is an attachment to a volume device object,
// If not set, this is an attachment to a file system control device
// object.
//
IsVolumeDeviceObject = 0x00000001,
//
// If set, logging is turned on for this device.
//
LogThisDevice = 0x00000002,
//
// If set, contexts are initialized.
//
ContextsInitialized = 0x00000004,
//
// If set, this is linked into the extension list.
//
ExtensionIsLinked = 0x00000008
} FSPY_DEV_FLAGS;
//
// Define the device extension structure that the FileSpy driver
// adds to each device object it is attached to. It stores
// the context FileSpy needs to perform its logging operations on
// a device.
//
typedef struct _FILESPY_DEVICE_EXTENSION {
//
// Include all fields in NL_EXTENSION. All these fields
// are used by the name lookup routines. With this syntax
// we can reference NL_EXTENSION fields on a
// FILESPY_DEVICE_EXTENSION object directly. For example:
// FILESPY_DEVICE_EXTENSION FilespyDevExt;
// PDEVICE_OBJECT foo;
// foo = FilespyDevExt->ThisDeviceObject;
//
NL_DEVICE_EXTENSION_HEADER NLExtHeader;
//
// Linked list of devices we are attached to.
//
LIST_ENTRY NextFileSpyDeviceLink;
//
// Flags for this device.
//
FSPY_DEV_FLAGS Flags;
//
// Linked list of contexts associated with this volume along with the
// lock.
//
LIST_ENTRY CtxList;
ERESOURCE CtxLock;
//
// When renaming a directory there is a window where the current names
// in the context cache may be invalid. To eliminate this window we
// increment this count every time we start doing a directory rename
// and decrement this count when it is completed. When this count is
// non-zero then we query for the name every time so we will get a
// correct name for that instance in time.
//
ULONG AllContextsTemporary;
//
// Names the user used to start logging this device. This is
// used for devices where the DeviceType field of the device
// object is FILE_DEVICE_NETWORK_FILE_SYSTEM. We cannot get
// a nice name (DOS device name, for example) for such devices,
// so we store the names the user has supplied and use them
// when constructing file names.
//
UNICODE_STRING UserNames;
RTL_GENERIC_TABLE FsCtxTable;
FAST_MUTEX FsCtxTableMutex;
} FILESPY_DEVICE_EXTENSION, *PFILESPY_DEVICE_EXTENSION;
NPAGED_LOOKASIDE_LIST gReadWriteCompletionCtxLookAsideList;
#define IS_FILESPY_DEVICE_OBJECT( _devObj ) \
(((_devObj) != NULL) && \
((_devObj)->DriverObject == gFileSpyDriverObject) && \
((_devObj)->DeviceExtension != NULL))
typedef struct _READ_WRITE_COMPLETION_CONTEXT
{
PMDL OldMdl;
PVOID OldUserBuffer;
PVOID OldSystemBuffer;
PMDL MdlForUserBuffer;
PVOID OldBuffer;
PVOID MyBuffer;
ULONG Length;
} READ_WRITE_COMPLETION_CONTEXT, *PREAD_WRITE_COMPLETION_CONTEXT;
typedef struct _FILE_CONTEXT_HDR
{
PVOID FsContext;
} FILE_CONTEXT_HDR, *PFILE_CONTEXT_HDR;
typedef struct _FILE_CONTEXT
{
FILE_CONTEXT_HDR;
ULONG RefCount;
BOOLEAN DecryptOnRead;
BOOLEAN EncryptOnWrite;
BOOLEAN EncryptFlagExist; // if encrypt flag file exists, then the file is encrypted
BOOLEAN NeedEncrypt;
BOOLEAN IsCanCompress;
BOOLEAN DeleteOnClose;
KEVENT Event;
WCHAR Name[MAX_PATH];
} FILE_CONTEXT, *PFILE_CONTEXT;
#if WINVER >= 0x0501
//
// MULTIVERSION NOTE:
//
// If built in the Windows XP environment or later, we will dynamically import
// the function pointers for routines that were not supported on Windows 2000
// so that we can build a driver that will run, with modified logic, on
// Windows 2000 or later.
//
// Below are the prototypes for the function pointers that we need to
// dynamically import because not all OS versions support these routines.
//
typedef
NTSTATUS
(*PSPY_REGISTER_FILE_SYSTEM_FILTER_CALLBACKS) (
IN PDRIVER_OBJECT DriverObject,
IN PFS_FILTER_CALLBACKS Callbacks
);
typedef
NTSTATUS
(*PSPY_ENUMERATE_DEVICE_OBJECT_LIST) (
IN PDRIVER_OBJECT DriverObject,
IN PDEVICE_OBJECT *DeviceObjectList,
IN ULONG DeviceObjectListSize,
OUT PULONG ActualNumberDeviceObjects
);
typedef
NTSTATUS
(*PSPY_ATTACH_DEVICE_TO_DEVICE_STACK_SAFE) (
IN PDEVICE_OBJECT SourceDevice,
IN PDEVICE_OBJECT TargetDevice,
OUT PDEVICE_OBJECT *AttachedToDeviceObject
);
typedef
PDEVICE_OBJECT
(*PSPY_GET_LOWER_DEVICE_OBJECT) (
IN PDEVICE_OBJECT DeviceObject
);
typedef
PDEVICE_OBJECT
(*PSPY_GET_DEVICE_ATTACHMENT_BASE_REF) (
IN PDEVICE_OBJECT DeviceObject
);
typedef
NTSTATUS
(*PSPY_GET_STORAGE_STACK_DEVICE_OBJECT) (
IN PDEVICE_OBJECT FileSystemDeviceObject,
OUT PDEVICE_OBJECT *DiskDeviceObject
);
typedef
PDEVICE_OBJECT
(*PSPY_GET_ATTACHED_DEVICE_REFERENCE) (
IN PDEVICE_OBJECT DeviceObject
);
typedef
NTSTATUS
(*PSPY_GET_VERSION) (
IN OUT PRTL_OSVERSIONINFOW VersionInformation
);
typedef struct _SPY_DYNAMIC_FUNCTION_POINTERS {
PSPY_REGISTER_FILE_SYSTEM_FILTER_CALLBACKS RegisterFileSystemFilterCallbacks;
PSPY_ATTACH_DEVICE_TO_DEVICE_STACK_SAFE AttachDeviceToDeviceStackSafe;
PSPY_ENUMERATE_DEVICE_OBJECT_LIST EnumerateDeviceObjectList;
PSPY_GET_LOWER_DEVICE_OBJECT GetLowerDeviceObject;
PSPY_GET_DEVICE_ATTACHMENT_BASE_REF GetDeviceAttachmentBaseRef;
PSPY_GET_STORAGE_STACK_DEVICE_OBJECT GetStorageStackDeviceObject;
PSPY_GET_ATTACHED_DEVICE_REFERENCE GetAttachedDeviceReference;
PSPY_GET_VERSION GetVersion;
} SPY_DYNAMIC_FUNCTION_POINTERS, *PSPY_DYNAMIC_FUNCTION_POINTERS;
extern SPY_DYNAMIC_FUNCTION_POINTERS gSpyDynamicFunctions;
//
// MULTIVERSION NOTE: For this version of the driver, we need to know the
// current OS version while we are running to make decisions regarding what
// logic to use when the logic cannot be the same for all platforms. We
// will look up the OS version in DriverEntry and store the values
// in these global variables.
//
extern ULONG gSpyOsMajorVersion;
extern ULONG gSpyOsMinorVersion;
//
// Here is what the major and minor versions should be for the various
// OS versions:
//
// OS Name MajorVersion MinorVersion
// ---------------------------------------------------------------------
// Windows 2000 5 0
// Windows XP 5 1
// Windows Server 2003 5 2
//
#define IS_WINDOWSXP_OR_LATER() \
(((gSpyOsMajorVersion == 5) && (gSpyOsMinorVersion >= 1)) || \
(gSpyOsMajorVersion > 5))
#endif
//
// Structure used to pass context information from dispatch routines to
// completion routines for FSCTRL operations. We need a different structures
// for Windows 2000 from what we can use on Windows XP and later because
// we handle the completion processing differently.
?? 快捷鍵說明
復制代碼
Ctrl + C
搜索代碼
Ctrl + F
全屏模式
F11
切換主題
Ctrl + Shift + D
顯示快捷鍵
?
增大字號
Ctrl + =
減小字號
Ctrl + -