documentation/WDKExample/minispy_8h_source.htm

 /*++

 Copyright (c) 1989-2002  Microsoft Corporation

 Module Name:

     minispy.h

 Abstract:

     Header file which contains the structures, type definitions,
     and constants that are shared between the kernel mode driver,
     minispy.sys, and the user mode executable, minispy.exe.

 Environment:

     Kernel and user mode

 --*/
 #ifndef __MINISPY_H__
 #define __MINISPY_H__


 //
 //  FltMgr's IRP major codes
 //

 #define IRP_MJ_ACQUIRE_FOR_SECTION_SYNCHRONIZATION  ((UCHAR)-1)
 #define IRP_MJ_RELEASE_FOR_SECTION_SYNCHRONIZATION  ((UCHAR)-2)
 #define IRP_MJ_ACQUIRE_FOR_MOD_WRITE                ((UCHAR)-3)
 #define IRP_MJ_RELEASE_FOR_MOD_WRITE                ((UCHAR)-4)
 #define IRP_MJ_ACQUIRE_FOR_CC_FLUSH                 ((UCHAR)-5)
 #define IRP_MJ_RELEASE_FOR_CC_FLUSH                 ((UCHAR)-6)
 #define IRP_MJ_NOTIFY_STREAM_FO_CREATION            ((UCHAR)-7)

 #define IRP_MJ_FAST_IO_CHECK_IF_POSSIBLE            ((UCHAR)-13)
 #define IRP_MJ_NETWORK_QUERY_OPEN                   ((UCHAR)-14)
 #define IRP_MJ_MDL_READ                             ((UCHAR)-15)
 #define IRP_MJ_MDL_READ_COMPLETE                    ((UCHAR)-16)
 #define IRP_MJ_PREPARE_MDL_WRITE                    ((UCHAR)-17)
 #define IRP_MJ_MDL_WRITE_COMPLETE                   ((UCHAR)-18)
 #define IRP_MJ_VOLUME_MOUNT                         ((UCHAR)-19)
 #define IRP_MJ_VOLUME_DISMOUNT                      ((UCHAR)-20)

 //
 //  My own definition for transaction notify command
 //

 #define IRP_MJ_TRANSACTION_NOTIFY                   ((UCHAR)-40)


 //
 //  Version definition
 //

 #define MINISPY_MAJ_VERSION 2
 #define MINISPY_MIN_VERSION 0

 typedef struct _MINISPYVER {

     USHORT Major;
     USHORT Minor;

 } MINISPYVER, *PMINISPYVER;

 //
 //  Name of minispy's communication server port
 //

 #define MINISPY_PORT_NAME                   L"\\MiniSpyPort"

 //
 //  Local definitions for passing parameters between the filter and user mode
 //

 typedef ULONG_PTR FILE_ID;
 typedef _Return_type_success_(return >= 0) LONG NTSTATUS;

 //
 //  The maximum size of a record that can be passed from the filter
 //

 #define RECORD_SIZE     1024

 //
 //  This defines the type of record buffer this is along with certain flags.
 //

 #define RECORD_TYPE_NORMAL                       0x00000000
 #define RECORD_TYPE_FILETAG                      0x00000004

 #define RECORD_TYPE_FLAG_STATIC                  0x80000000
 #define RECORD_TYPE_FLAG_EXCEED_MEMORY_ALLOWANCE 0x20000000
 #define RECORD_TYPE_FLAG_OUT_OF_MEMORY           0x10000000
 #define RECORD_TYPE_FLAG_MASK                    0xffff0000

 //
 //  The fixed data received for RECORD_TYPE_NORMAL
 //

 typedef struct _RECORD_DATA {

     LARGE_INTEGER OriginatingTime;
     LARGE_INTEGER CompletionTime;

     FILE_ID DeviceObject;
     FILE_ID FileObject;
     FILE_ID Transaction;

     FILE_ID ProcessId;
     FILE_ID ThreadId;

     ULONG_PTR Information;

     NTSTATUS Status;

     ULONG IrpFlags;
     ULONG Flags;

     UCHAR CallbackMajorId;
     UCHAR CallbackMinorId;
     UCHAR Reserved[2];      // Alignment on IA64

     PVOID Arg1;
     PVOID Arg2;
     PVOID Arg3;
     PVOID Arg4;
     PVOID Arg5;
     LARGE_INTEGER Arg6;

     ULONG EcpCount;
     ULONG KnownEcpMask;

 } RECORD_DATA, *PRECORD_DATA;

 //
 //  What information we actually log.
 //

 #pragma warning(push)
 #pragma warning(disable:4200) // disable warnings for structures with zero length arrays.

 typedef struct _LOG_RECORD {


     ULONG Length;           // Length of log record.  This Does not include
     ULONG SequenceNumber;   // space used by other members of RECORD_LIST

     ULONG RecordType;       // The type of log record this is.
     ULONG Reserved;         // For alignment on IA64

     RECORD_DATA Data;
     WCHAR Name[];           //  This is a null terminated string

 } LOG_RECORD, *PLOG_RECORD;

 #pragma warning(pop)

 //
 //  How the mini-filter manages the log records.
 //

 typedef struct _RECORD_LIST {

     LIST_ENTRY List;

     //
     // Must always be last item.  See MAX_LOG_RECORD_LENGTH macro below.
     // Must be aligned on PVOID boundary in this structure. This is because the
     // log records are going to be packed one after another & accessed directly
     // Size of log record must also be multiple of PVOID size to avoid alignment
     // faults while accessing the log records on IA64
     //

     LOG_RECORD LogRecord;

 } RECORD_LIST, *PRECORD_LIST;

 //
 //  Defines the commands between the utility and the filter
 //

 typedef enum _MINISPY_COMMAND {

     GetMiniSpyLog,
     GetMiniSpyVersion

 } MINISPY_COMMAND;

 //
 //  Defines the command structure between the utility and the filter.
 //

 #pragma warning(push)
 #pragma warning(disable:4200) // disable warnings for structures with zero length arrays.

 typedef struct _COMMAND_MESSAGE {
     MINISPY_COMMAND Command;
     ULONG Reserved;  // Alignment on IA64
     UCHAR Data[];
 } COMMAND_MESSAGE, *PCOMMAND_MESSAGE;

 #pragma warning(pop)

 //
 //  The maximum number of BYTES that can be used to store the file name in the
 //  RECORD_LIST structure
 //

 #define MAX_NAME_SPACE ROUND_TO_SIZE( (RECORD_SIZE - sizeof(RECORD_LIST)), sizeof( PVOID ))

 //
 //  The maximum space, in bytes and WCHARs, available for the name (and ECP
 //  if present) string, not including the space that must be reserved for a NULL
 //

 #define MAX_NAME_SPACE_LESS_NULL (MAX_NAME_SPACE - sizeof(UNICODE_NULL))
 #define MAX_NAME_WCHARS_LESS_NULL MAX_NAME_SPACE_LESS_NULL / sizeof(WCHAR)

 //
 //  Returns the number of BYTES unused in the RECORD_LIST structure.  Note that
 //  LogRecord->Length already contains the size of LOG_RECORD which is why we
 //  have to remove it.
 //

 #define REMAINING_NAME_SPACE(LogRecord) \
     (FLT_ASSERT((LogRecord)->Length >= sizeof(LOG_RECORD)), \
      (USHORT)(MAX_NAME_SPACE - ((LogRecord)->Length - sizeof(LOG_RECORD))))

 #define MAX_LOG_RECORD_LENGTH  (RECORD_SIZE - FIELD_OFFSET( RECORD_LIST, LogRecord ))


 //
 //  Macros available in kernel mode which are not available in user mode
 //

 #ifndef Add2Ptr
 #define Add2Ptr(P,I) ((PVOID)((PUCHAR)(P) + (I)))
 #endif

 #ifndef ROUND_TO_SIZE
 #define ROUND_TO_SIZE(_length, _alignment)    \
             (((_length) + ((_alignment)-1)) & ~((_alignment) - 1))
 #endif

 #ifndef FlagOn
 #define FlagOn(_F,_SF)        ((_F) & (_SF))
 #endif

 #endif /* __MINISPY_H__ */

_RECORD_DATA::ThreadId
FILE_ID ThreadId
Definition: minispy.h:111

_MINISPYVER::Major
USHORT Major
Definition: minispy.h:61

_LOG_RECORD::Length
ULONG Length
Definition: minispy.h:146

_RECORD_LIST::LogRecord
LOG_RECORD LogRecord
Definition: minispy.h:175

_RECORD_DATA::Flags
ULONG Flags
Definition: minispy.h:118

PMINISPYVER
struct _MINISPYVER * PMINISPYVER

_RECORD_DATA::Arg4
PVOID Arg4
Definition: minispy.h:127

_RECORD_DATA::Arg6
LARGE_INTEGER Arg6
Definition: minispy.h:129

PRECORD_LIST
struct _RECORD_LIST * PRECORD_LIST

GetMiniSpyLog
Definition: minispy.h:185

_RECORD_DATA::FileObject
FILE_ID FileObject
Definition: minispy.h:107

FILE_ID
ULONG_PTR FILE_ID
Definition: minispy.h:76

_RECORD_LIST::List
LIST_ENTRY List
Definition: minispy.h:165

_RECORD_DATA::CallbackMajorId
UCHAR CallbackMajorId
Definition: minispy.h:120

PCOMMAND_MESSAGE
struct _COMMAND_MESSAGE * PCOMMAND_MESSAGE

_LOG_RECORD::Reserved
ULONG Reserved
Definition: minispy.h:150

_MINISPY_COMMAND
_MINISPY_COMMAND
Definition: minispy.h:183

LOG_RECORD
struct _LOG_RECORD LOG_RECORD

_RECORD_DATA::Arg1
PVOID Arg1
Definition: minispy.h:124

RECORD_DATA
struct _RECORD_DATA RECORD_DATA

_LOG_RECORD::SequenceNumber
ULONG SequenceNumber
Definition: minispy.h:147

_RECORD_DATA::Arg3
PVOID Arg3
Definition: minispy.h:126

PRECORD_DATA
struct _RECORD_DATA * PRECORD_DATA

_COMMAND_MESSAGE
Definition: avlib.h:89

_RECORD_LIST
Definition: minispy.h:163

COMMAND_MESSAGE
struct _COMMAND_MESSAGE COMMAND_MESSAGE

_RECORD_DATA::DeviceObject
FILE_ID DeviceObject
Definition: minispy.h:106

_RECORD_DATA::Status
NTSTATUS Status
Definition: minispy.h:115

MINISPY_COMMAND
enum _MINISPY_COMMAND MINISPY_COMMAND

RECORD_LIST
struct _RECORD_LIST RECORD_LIST

_RECORD_DATA::KnownEcpMask
ULONG KnownEcpMask
Definition: minispy.h:132

_COMMAND_MESSAGE::Reserved
ULONG Reserved
Definition: minispy.h:199

_RECORD_DATA
Definition: minispy.h:101

_MINISPYVER
Definition: minispy.h:59

_RECORD_DATA::IrpFlags
ULONG IrpFlags
Definition: minispy.h:117

_LOG_RECORD
Definition: minispy.h:143

_RECORD_DATA::Transaction
FILE_ID Transaction
Definition: minispy.h:108

_LOG_RECORD::Data
RECORD_DATA Data
Definition: minispy.h:152

_RECORD_DATA::ProcessId
FILE_ID ProcessId
Definition: minispy.h:110

MINISPYVER
struct _MINISPYVER MINISPYVER

_RECORD_DATA::Information
ULONG_PTR Information
Definition: minispy.h:113

_RECORD_DATA::CompletionTime
LARGE_INTEGER CompletionTime
Definition: minispy.h:104

PLOG_RECORD
struct _LOG_RECORD * PLOG_RECORD

_RECORD_DATA::EcpCount
ULONG EcpCount
Definition: minispy.h:131

_RECORD_DATA::Arg5
PVOID Arg5
Definition: minispy.h:128

_Return_type_success_
typedef _Return_type_success_(return >=0) LONG NTSTATUS

_COMMAND_MESSAGE::Command
MINISPY_COMMAND Command
Definition: minispy.h:198

_MINISPYVER::Minor
USHORT Minor
Definition: minispy.h:62

_RECORD_DATA::Arg2
PVOID Arg2
Definition: minispy.h:125

_RECORD_DATA::OriginatingTime
LARGE_INTEGER OriginatingTime
Definition: minispy.h:103

_LOG_RECORD::RecordType
ULONG RecordType
Definition: minispy.h:149

GetMiniSpyVersion
Definition: minispy.h:186

_RECORD_DATA::CallbackMinorId
UCHAR CallbackMinorId
Definition: minispy.h:121