WDK Mini Filter Example
avscan/filter/context.h
Go to the documentation of this file.
1 /*++
2 
3 Copyright (c) 2011 Microsoft Corporation
4 
5 Module Name:
6 
7  context.h
8 
9 Abstract:
10 
11  Header file which contains context-related data
12  structures, type definitions, constants,
13  global variables and function prototypes.
14 
15 Environment:
16 
17  Kernel mode
18 
19 --*/
20 
21 #ifndef __CONTEXT_H__
22 #define __CONTEXT_H__
23 
24 //
25 // The file infected state.
26 //
27 
28 typedef enum _AV_FILE_INFECTED_STATE {
29 
30  AvFileUnknown,
31  AvFileInfected,
32  AvFileNotInfected, // clean.
33  AvFileModified,
34  AvFileScanning
35 
36 } AV_FILE_INFECTED_STATE;
37 
38 #define AV_STREAMHANDLE_CONTEXT_TAG 'hSvA'
39 #define AV_STREAM_CONTEXT_TAG 'cSvA'
40 #define AV_TRANSACTION_CONTEXT_TAG 'cTvA'
41 #define AV_SECTION_CONTEXT_TAG 'eSvA'
42 #define AV_INSTANCE_CONTEXT_TAG 'cIvA'
43 #define AV_INSTANCES_ARRAY_TAG 'aIvA'
44 #define AV_CONNECTION_CTX_TAG 'cCvA'
45 #define AV_SCAN_CTX_TAG 'cMvA'
46 
47 //
48 // Defines the transaction context structure
49 //
50 #define AV_TXCTX_ENLISTED 0x01
51 #define AV_TXCTX_LISTDRAINED 0x02
52 
53 typedef struct _AV_TRANSACTION_CONTEXT {
54 
55  //
56  // Transaction object pointer
57  //
58 
59  PKTRANSACTION Transaction;
60 
61  //
62  // List head for stream context list.
63  //
64 
65  LIST_ENTRY ScListHead;
66 
67  //
68  // Lock used to protect this context.
69  //
70 
71  PERESOURCE Resource;
72 
73  //
74  // A flag that tracks:
75  // AV_TXCTX_ENLISTED: if it has been enlisted in transaction
76  // AV_TXCTX_LISTDRAINED: list is drained.
77  //
78 
79  ULONG Flags;
80 
81 } AV_TRANSACTION_CONTEXT, *PAV_TRANSACTION_CONTEXT;
82 
83 #define AV_TRANSACTION_CONTEXT_SIZE sizeof( AV_TRANSACTION_CONTEXT )
84 
85 
86 #define IS_FILE_MODIFIED( _sCtx ) ( (_sCtx)->State == AvFileModified )
87 #define IS_FILE_INFECTED( _sCtx ) ( (_sCtx)->State == AvFileInfected )
88 #define IS_FILE_NOT_INFECTED( _sCtx ) ( (_sCtx)->State == AvFileNotInfected )
89 
90 #define IS_FILE_TX_MODIFIED( _sCtx ) ( (_sCtx)->TxState == AvFileModified )
91 #define IS_FILE_TX_INFECTED( _sCtx ) ( (_sCtx)->TxState == AvFileInfected )
92 #define IS_FILE_TX_NOT_INFECTED( _sCtx ) ( (_sCtx)->TxState == AvFileNotInfected )
93 
94 #define IS_FILE_NEED_SCAN( _sCtx ) ((((_sCtx)->TxContext == NULL) && IS_FILE_MODIFIED( _sCtx )) || \
95  (((_sCtx)->TxContext != NULL) && IS_FILE_TX_MODIFIED( _sCtx )))
96 
97 
98 #define SET_FILE_UNKNOWN( _sCtx ) InterlockedExchange(&(_sCtx)->State, AvFileUnknown)
99 #define SET_FILE_MODIFIED( _sCtx ) InterlockedExchange(&(_sCtx)->State, AvFileModified)
100 #define SET_FILE_INFECTED( _sCtx ) InterlockedExchange(&(_sCtx)->State, AvFileInfected)
101 #define SET_FILE_NOT_INFECTED( _sCtx ) InterlockedExchange(&(_sCtx)->State, AvFileNotInfected)
102 #define SET_FILE_SCANNING( _sCtx ) InterlockedExchange(&(_sCtx)->State, AvFileScanning)
103 
104 #define SET_FILE_TX_UNKNOWN( _sCtx ) InterlockedExchange(&(_sCtx)->TxState, AvFileUnknown)
105 #define SET_FILE_TX_MODIFIED( _sCtx ) InterlockedExchange(&(_sCtx)->TxState, AvFileModified)
106 #define SET_FILE_TX_INFECTED( _sCtx ) InterlockedExchange(&(_sCtx)->TxState, AvFileInfected)
107 #define SET_FILE_TX_NOT_INFECTED( _sCtx ) InterlockedExchange(&(_sCtx)->TxState, AvFileNotInfected)
108 #define SET_FILE_TX_SCANNING( _sCtx ) InterlockedExchange(&(_sCtx)->TxState, AvFileScanning)
109 
110 #define SET_FILE_UNKNOWN_EX( _flag, _sCtx ) {\
111  if (_flag) { \
112  SET_FILE_TX_UNKNOWN( _sCtx ); \
113  } else { \
114  SET_FILE_UNKNOWN( _sCtx ); \
115  } \
116  }
117 #define SET_FILE_MODIFIED_EX( _flag, _sCtx ) {\
118  if (_flag) { \
119  SET_FILE_TX_MODIFIED( _sCtx ); \
120  } else { \
121  SET_FILE_MODIFIED( _sCtx ); \
122  } \
123  }
124 #define SET_FILE_INFECTED_EX( _flag, _sCtx ) {\
125  if (_flag) { \
126  SET_FILE_TX_INFECTED( _sCtx ); \
127  } else { \
128  SET_FILE_INFECTED( _sCtx ); \
129  } \
130  }
131 #define SET_FILE_NOT_INFECTED_EX( _flag, _sCtx ) {\
132  if (_flag) { \
133  SET_FILE_TX_NOT_INFECTED( _sCtx ); \
134  } else { \
135  SET_FILE_NOT_INFECTED( _sCtx ); \
136  } \
137  }
138 #define SET_FILE_SCANNING_EX( _flag, _sCtx ) {\
139  if (_flag) { \
140  SET_FILE_TX_SCANNING( _sCtx ); \
141  } else { \
142  SET_FILE_SCANNING( _sCtx ); \
143  } \
144  }
145 
146 //
147 // Stream/Stream Handle flags
148 //
149 
150 #define AV_FLAG_PREFETCH 0x00000001
151 
152 typedef struct _AV_STREAMHANDLE_CONTEXT {
153 
154  //
155  // Handle flags
156  //
157 
158  ULONG Flags;
159 
160 } AV_STREAMHANDLE_CONTEXT, *PAV_STREAMHANDLE_CONTEXT;
161 
162 #define AV_STREAMHANDLE_CONTEXT_SIZE sizeof( AV_STREAMHANDLE_CONTEXT )
163 
164 typedef struct _AV_STREAM_CONTEXT {
165 
166  //
167  // Stream flags
168  //
169 
170  ULONG Flags;
171 
172  //
173  // File ID, obtained from querying the file system for
174  // FileInternalInformation or FileIdInformation.
175  //
176 
177  AV_FILE_REFERENCE FileId;
178 
179  //
180  // A pointer to the transaction context, so we can jump to list in the transaction.
181  //
182 
183  PAV_TRANSACTION_CONTEXT TxContext;
184 
185  //
186  // This list entry is exactly the embedded entry to
187  // form a doubly linked list inside transaction context.
188  //
189 
190  LIST_ENTRY ListInTransaction;
191 
192  //
193  // We need to synchronize the creation of the section object.
194  // If this syncrhonization is not made, FltCreateSectionForDataScan
195  // would return STATUS_FLT_CONTEXT_ALREADY_DEFINED when two threads
196  // are about to create the section for the same file.
197  //
198 
199  PKEVENT ScanSynchronizationEvent;
200 
201  //
202  // Please see AV_FILE_INFECTED_STATE for the definition of file state
203  // Note that we have TxState to maintain the isolation of
204  // the transacted writer's view.
205  //
206 
207  volatile LONG State;
208 
209 
210  volatile LONG TxState;
211 
212  //
213  // Revision numbers for files on CSVFS
214  //
215  LONGLONG VolumeRevision;
216  LONGLONG CacheRevision;
217  LONGLONG FileRevision;
218 
219 } AV_STREAM_CONTEXT, *PAV_STREAM_CONTEXT;
220 
221 #define AV_STREAM_CONTEXT_SIZE sizeof( AV_STREAM_CONTEXT )
222 
223 //
224 // Defines the section context structure
225 //
226 
227 typedef struct _AV_SECTION_CONTEXT {
228 
229  //
230  // The associated section handle.
231  //
232 
233  HANDLE SectionHandle;
234 
235  //
236  // The associated section object.
237  //
238 
239  PVOID SectionObject;
240 
241  //
242  // The cancel flag (if scan in the kernel mode).
243  //
244 
245  BOOLEAN Aborted;
246 
247 
248  //
249  // The size of the file associated with the section object.
250  //
251 
252  LONGLONG FileSize;
253 
254  //
255  // This flag indicates if this section data scan can be cancelable.
256  // Right now, only at pre-cleanup is cancelable on conflicting Io.
257  //
258 
259  BOOLEAN CancelableOnConflictingIo;
260 
261  //
262  // In the context of a conflict notification callback, only section context is given.
263  // We need to remember associated scan context to have scan id, so that
264  // We know which scan to cancel.
265  //
266  PVOID ScanContext;
267 
268 } AV_SECTION_CONTEXT, *PAV_SECTION_CONTEXT;
269 
270 #define AV_SECTION_CONTEXT_SIZE sizeof( AV_SECTION_CONTEXT )
271 
272 //
273 // Instance context
274 //
275 
276 typedef struct _AV_INSTANCE_CONTEXT {
277 
278  //
279  // The associated volume object pointer
280  //
281 
282  PFLT_VOLUME Volume;
283 
284  //
285  // The associated filter instance pointer
286  //
287 
288  PFLT_INSTANCE Instance;
289 
290  //
291  // The file system type of the volume
292  //
293 
294  FLT_FILESYSTEM_TYPE VolumeFSType;
295 
296  //
297  // If the file system is NTFS, then it will support a file state cache table
298  // that saves the state of the file.
299  //
300 
301  RTL_GENERIC_TABLE FileStateCacheTable;
302 
303  //
304  // The per-instance lock to protect the cache table above.
305  //
306 
307  ERESOURCE Resource;
308 
309  //
310  // When set this flag indicates that the filter is attached on the
311  // hidden NTFS volume corresponding to a CSVFS volume
312  //
313  BOOLEAN IsOnCsvMDS;
314 
315 } AV_INSTANCE_CONTEXT, *PAV_INSTANCE_CONTEXT;
316 
317 #define AV_INSTANCE_CONTEXT_SIZE sizeof( AV_INSTANCE_CONTEXT )
318 
319 NTSTATUS
320 AvFindOrCreateTransactionContext(
321  _In_ PCFLT_RELATED_OBJECTS FltObjects,
322  _Outptr_ PAV_TRANSACTION_CONTEXT *TransactionContext
323  );
324 
325 NTSTATUS
326 AvCreateSectionContext (
327  _In_ PFLT_INSTANCE Instance,
328  _In_ PFILE_OBJECT FileObject,
329  _Outptr_ PAV_SECTION_CONTEXT *SectionContext
330  );
331 
332 NTSTATUS
333 AvCreateStreamHandleContext (
334  _In_ PFLT_FILTER Filter,
335  _Outptr_ PAV_STREAMHANDLE_CONTEXT *StreamHandleContext
336  );
337 
338 NTSTATUS
339 AvCreateStreamContext (
340  _In_ PFLT_FILTER Filter,
341  _Outptr_ PAV_STREAM_CONTEXT *StreamContext
342  );
343 
344 NTSTATUS
345 AvEnumerateInstances(
346  _Outptr_result_buffer_(*NumberInstances) PFLT_INSTANCE **InstanceArray,
347  _Out_ PULONG NumberInstances
348  );
349 
350 VOID
351 AvFreeInstances (
352  _In_reads_(InstanceCount) PFLT_INSTANCE *InstanceArray,
353  _In_ ULONG InstanceCount
354  );
355 
356 #endif
357 
_AV_STREAM_CONTEXT::ScanSynchronizationEvent
PKEVENT ScanSynchronizationEvent
Definition: avscan/filter/context.h:199
_AV_SECTION_CONTEXT::ScanContext
PVOID ScanContext
Definition: avscan/filter/context.h:266
_AV_STREAM_CONTEXT::FileRevision
LONGLONG FileRevision
Definition: avscan/filter/context.h:217
AvFreeInstances
VOID AvFreeInstances(_In_reads_(InstanceCount) PFLT_INSTANCE *InstanceArray, _In_ ULONG InstanceCount)
Definition: avscan/filter/context.c:749
_AV_STREAM_CONTEXT::Flags
ULONG Flags
Definition: avscan/filter/context.h:170
_AV_STREAMHANDLE_CONTEXT
Definition: avscan/filter/context.h:152
_AV_STREAM_CONTEXT::TxContext
PAV_TRANSACTION_CONTEXT TxContext
Definition: avscan/filter/context.h:183
PAV_INSTANCE_CONTEXT
struct _AV_INSTANCE_CONTEXT * PAV_INSTANCE_CONTEXT
_AV_INSTANCE_CONTEXT::VolumeFSType
FLT_FILESYSTEM_TYPE VolumeFSType
Definition: avscan/filter/context.h:294
_AV_INSTANCE_CONTEXT::IsOnCsvMDS
BOOLEAN IsOnCsvMDS
Definition: avscan/filter/context.h:313
PAV_SECTION_CONTEXT
struct _AV_SECTION_CONTEXT * PAV_SECTION_CONTEXT
_AV_INSTANCE_CONTEXT::Instance
PFLT_INSTANCE Instance
Definition: avscan/filter/context.h:288
AV_TRANSACTION_CONTEXT
struct _AV_TRANSACTION_CONTEXT AV_TRANSACTION_CONTEXT
_AV_INSTANCE_CONTEXT::Volume
PFLT_VOLUME Volume
Definition: avscan/filter/context.h:282
AV_FILE_INFECTED_STATE
enum _AV_FILE_INFECTED_STATE AV_FILE_INFECTED_STATE
_AV_STREAM_CONTEXT::ListInTransaction
LIST_ENTRY ListInTransaction
Definition: avscan/filter/context.h:190
Instance
_In_opt_ PFILE_OBJECT _In_opt_ PFLT_INSTANCE Instance
Definition: nc.h:493
_AV_FILE_REFERENCE
Definition: avscan/filter/utility.h:45
_AV_STREAM_CONTEXT
Definition: avscan/filter/context.h:164
_AV_TRANSACTION_CONTEXT::Flags
ULONG Flags
Definition: avscan/filter/context.h:79
AvCreateSectionContext
NTSTATUS AvCreateSectionContext(_In_ PFLT_INSTANCE Instance, _In_ PFILE_OBJECT FileObject, _Outptr_ PAV_SECTION_CONTEXT *SectionContext)
Definition: avscan/filter/context.c:532
_AV_FILE_INFECTED_STATE
_AV_FILE_INFECTED_STATE
Definition: avscan/filter/context.h:28
_AV_SECTION_CONTEXT::SectionHandle
HANDLE SectionHandle
Definition: avscan/filter/context.h:233
AvEnumerateInstances
NTSTATUS AvEnumerateInstances(_Outptr_result_buffer_(*NumberInstances) PFLT_INSTANCE **InstanceArray, _Out_ PULONG NumberInstances)
Definition: avscan/filter/context.c:600
_AV_SECTION_CONTEXT::Aborted
BOOLEAN Aborted
Definition: avscan/filter/context.h:245
_AV_TRANSACTION_CONTEXT
Definition: avscan/filter/context.h:53
_AV_TRANSACTION_CONTEXT::Transaction
PKTRANSACTION Transaction
Definition: avscan/filter/context.h:59
_AV_STREAMHANDLE_CONTEXT::Flags
ULONG Flags
Definition: avscan/filter/context.h:158
PAV_STREAM_CONTEXT
struct _AV_STREAM_CONTEXT * PAV_STREAM_CONTEXT
AV_INSTANCE_CONTEXT
struct _AV_INSTANCE_CONTEXT AV_INSTANCE_CONTEXT
_AV_INSTANCE_CONTEXT::FileStateCacheTable
RTL_GENERIC_TABLE FileStateCacheTable
Definition: avscan/filter/context.h:301
AvFindOrCreateTransactionContext
NTSTATUS AvFindOrCreateTransactionContext(_In_ PCFLT_RELATED_OBJECTS FltObjects, _Outptr_ PAV_TRANSACTION_CONTEXT *TransactionContext)
Definition: avscan/filter/context.c:396
AvCreateStreamContext
NTSTATUS AvCreateStreamContext(_In_ PFLT_FILTER Filter, _Outptr_ PAV_STREAM_CONTEXT *StreamContext)
Definition: avscan/filter/context.c:325
_AV_SECTION_CONTEXT::FileSize
LONGLONG FileSize
Definition: avscan/filter/context.h:252
_AV_TRANSACTION_CONTEXT::ScListHead
LIST_ENTRY ScListHead
Definition: avscan/filter/context.h:65
AV_STREAM_CONTEXT
struct _AV_STREAM_CONTEXT AV_STREAM_CONTEXT
_AV_INSTANCE_CONTEXT
Definition: avscan/filter/context.h:276
AvCreateStreamHandleContext
NTSTATUS AvCreateStreamHandleContext(_In_ PFLT_FILTER Filter, _Outptr_ PAV_STREAMHANDLE_CONTEXT *StreamHandleContext)
Definition: avscan/filter/context.c:271
PAV_TRANSACTION_CONTEXT
struct _AV_TRANSACTION_CONTEXT * PAV_TRANSACTION_CONTEXT
_AV_STREAM_CONTEXT::FileId
AV_FILE_REFERENCE FileId
Definition: avscan/filter/context.h:177
_AV_SECTION_CONTEXT::SectionObject
PVOID SectionObject
Definition: avscan/filter/context.h:239
_AV_STREAM_CONTEXT::TxState
volatile LONG TxState
Definition: avscan/filter/context.h:210
_AV_STREAM_CONTEXT::State
volatile LONG State
Definition: avscan/filter/context.h:207
_AV_STREAM_CONTEXT::VolumeRevision
LONGLONG VolumeRevision
Definition: avscan/filter/context.h:215
_AV_SECTION_CONTEXT::CancelableOnConflictingIo
BOOLEAN CancelableOnConflictingIo
Definition: avscan/filter/context.h:259
_AV_STREAM_CONTEXT::CacheRevision
LONGLONG CacheRevision
Definition: avscan/filter/context.h:216
AV_STREAMHANDLE_CONTEXT
struct _AV_STREAMHANDLE_CONTEXT AV_STREAMHANDLE_CONTEXT
AV_SECTION_CONTEXT
struct _AV_SECTION_CONTEXT AV_SECTION_CONTEXT
_AV_INSTANCE_CONTEXT::Resource
ERESOURCE Resource
Definition: avscan/filter/context.h:307
PAV_STREAMHANDLE_CONTEXT
struct _AV_STREAMHANDLE_CONTEXT * PAV_STREAMHANDLE_CONTEXT
_AV_TRANSACTION_CONTEXT::Resource
PERESOURCE Resource
Definition: avscan/filter/context.h:71
FileObject
_In_opt_ PFILE_OBJECT FileObject
Definition: nc.h:493
_AV_SECTION_CONTEXT
Definition: avscan/filter/context.h:227

Social Network


Services Overview

Architect, implement and test file system filter drivers for a wide range of functionality. We can offer several levels of assistance to meet your specific.

Contact Us

You are welcome to contact us for salse or partnership.

Sales: sales@easefilter.com
Support: support@easefilter.com
Info: info@easefilter.com

© Copyright EaseFilter Inc..