WDK Mini Filter Example
mspyKern.h
Go to the documentation of this file.
1 /*++
2 
3 Copyright (c) 1989-2002 Microsoft Corporation
4 
5 Module Name:
6 
7  mspyKern.h
8 
9 Abstract:
10  Header file which contains the structures, type definitions,
11  constants, global variables and function prototypes that are
12  only visible within the kernel.
13 
14 Environment:
15 
16  Kernel mode
17 
18 --*/
19 #ifndef __MSPYKERN_H__
20 #define __MSPYKERN_H__
21 
22 #include <fltKernel.h>
23 //#include <dontuse.h>
24 #include <suppress.h>
25 #include "minispy.h"
26 
27 #pragma prefast(disable:__WARNING_ENCODE_MEMBER_FUNCTION_POINTER, "Not valid for kernel mode drivers")
28 
29 //
30 // Memory allocation tag
31 //
32 
33 #define SPY_TAG 'ypSM'
34 
35 //
36 // Win8 define for support of NPFS/MSFS
37 // Win7 define for support of new ECPs.
38 // Vista define for including transaction support,
39 // older ECPs
40 //
41 
42 #define MINISPY_WIN8 (NTDDI_VERSION >= NTDDI_WIN8)
43 #define MINISPY_WIN7 (NTDDI_VERSION >= NTDDI_WIN7)
44 #define MINISPY_VISTA (NTDDI_VERSION >= NTDDI_VISTA)
45 #define MINISPY_NOT_W2K (OSVER(NTDDI_VERSION) > NTDDI_WIN2K)
46 
47 //
48 // Define callback types for Vista
49 //
50 
51 #if MINISPY_VISTA
52 
53 //
54 // Dynamically imported Filter Mgr APIs
55 //
56 
57 typedef NTSTATUS
58 (*PFLT_SET_TRANSACTION_CONTEXT)(
59  _In_ PFLT_INSTANCE Instance,
60  _In_ PKTRANSACTION Transaction,
61  _In_ FLT_SET_CONTEXT_OPERATION Operation,
62  _In_ PFLT_CONTEXT NewContext,
63  _Outptr_opt_ PFLT_CONTEXT *OldContext
64  );
65 
66 typedef NTSTATUS
67 (*PFLT_GET_TRANSACTION_CONTEXT)(
68  _In_ PFLT_INSTANCE Instance,
69  _In_ PKTRANSACTION Transaction,
70  _Outptr_ PFLT_CONTEXT *Context
71  );
72 
73 typedef NTSTATUS
74 (*PFLT_ENLIST_IN_TRANSACTION)(
75  _In_ PFLT_INSTANCE Instance,
76  _In_ PKTRANSACTION Transaction,
77  _In_ PFLT_CONTEXT TransactionContext,
78  _In_ NOTIFICATION_MASK NotificationMask
79  );
80 
81 //
82 // Flags for the known ECPs
83 //
84 
85 #define ECP_TYPE_FLAG_PREFETCH 0x00000001
86 
87 #if MINISPY_WIN7
88 
89 #define ECP_TYPE_FLAG_OPLOCK_KEY 0x00000002
90 #define ECP_TYPE_FLAG_NFS 0x00000004
91 #define ECP_TYPE_FLAG_SRV 0x00000008
92 
93 #endif
94 
95 #define ADDRESS_STRING_BUFFER_SIZE 64
96 
97 //
98 // Enumerate the ECPs MiniSpy supports
99 //
100 
101 typedef enum _ECP_TYPE {
102 
103  EcpPrefetchOpen,
104  EcpOplockKey,
105  EcpNfsOpen,
106  EcpSrvOpen,
107 
108  NumKnownEcps
109 
110 } ECP_TYPE;
111 
112 #endif
113 
114 //---------------------------------------------------------------------------
115 // Global variables
116 //---------------------------------------------------------------------------
117 
118 typedef struct _MINISPY_DATA {
119 
120  //
121  // The object that identifies this driver.
122  //
123 
124  PDRIVER_OBJECT DriverObject;
125 
126  //
127  // The filter that results from a call to
128  // FltRegisterFilter.
129  //
130 
131  PFLT_FILTER Filter;
132 
133  //
134  // Server port: user mode connects to this port
135  //
136 
137  PFLT_PORT ServerPort;
138 
139  //
140  // Client connection port: only one connection is allowed at a time.,
141  //
142 
143  PFLT_PORT ClientPort;
144 
145  //
146  // List of buffers with data to send to user mode.
147  //
148 
149  KSPIN_LOCK OutputBufferLock;
150  LIST_ENTRY OutputBufferList;
151 
152  //
153  // Lookaside list used for allocating buffers.
154  //
155 
156  NPAGED_LOOKASIDE_LIST FreeBufferList;
157 
158  //
159  // Variables used to throttle how many records buffer we can use
160  //
161 
162  LONG MaxRecordsToAllocate;
163  __volatile LONG RecordsAllocated;
164 
165  //
166  // static buffer used for sending an "out-of-memory" message
167  // to user mode.
168  //
169 
170  __volatile LONG StaticBufferInUse;
171 
172  //
173  // We need to make sure this buffer aligns on a PVOID boundary because
174  // minispy casts this buffer to a RECORD_LIST structure.
175  // That can cause alignment faults unless the structure starts on the
176  // proper PVOID boundary
177  //
178 
179  PVOID OutOfMemoryBuffer[RECORD_SIZE/sizeof( PVOID )];
180 
181  //
182  // Variable and lock for maintaining LogRecord sequence numbers.
183  //
184 
185  __volatile LONG LogSequenceNumber;
186 
187  //
188  // The name query method to use. By default, it is set to
189  // FLT_FILE_NAME_QUERY_ALWAYS_ALLOW_CACHE_LOOKUP, but it can be overridden
190  // by a setting in the registery.
191  //
192 
193  ULONG NameQueryMethod;
194 
195  //
196  // Global debug flags
197  //
198 
199  ULONG DebugFlags;
200 
201 #if MINISPY_VISTA
202 
203  //
204  // Dynamically imported Filter Mgr APIs
205  //
206 
207  PFLT_SET_TRANSACTION_CONTEXT PFltSetTransactionContext;
208 
209  PFLT_GET_TRANSACTION_CONTEXT PFltGetTransactionContext;
210 
211  PFLT_ENLIST_IN_TRANSACTION PFltEnlistInTransaction;
212 
213 #endif
214 
215 } MINISPY_DATA, *PMINISPY_DATA;
216 
217 
218 //
219 // Defines the minispy context structure
220 //
221 
222 typedef struct _MINISPY_TRANSACTION_CONTEXT {
223  ULONG Flags;
224  ULONG Count;
225 
226 }MINISPY_TRANSACTION_CONTEXT, *PMINISPY_TRANSACTION_CONTEXT;
227 
228 //
229 // This macro below is used to set the flags field in minispy's
230 // MINISPY_TRANSACTION_CONTEXT structure once it has been
231 // successfully enlisted in the transaction.
232 //
233 
234 #define MINISPY_ENLISTED_IN_TRANSACTION 0x01
235 
236 //
237 // Minispy's global variables
238 //
239 
240 extern MINISPY_DATA MiniSpyData;
241 
242 #define DEFAULT_MAX_RECORDS_TO_ALLOCATE 500
243 #define MAX_RECORDS_TO_ALLOCATE L"MaxRecords"
244 
245 #define DEFAULT_NAME_QUERY_METHOD FLT_FILE_NAME_QUERY_ALWAYS_ALLOW_CACHE_LOOKUP
246 #define NAME_QUERY_METHOD L"NameQueryMethod"
247 
248 //
249 // DebugFlag values
250 //
251 
252 #define SPY_DEBUG_PARSE_NAMES 0x00000001
253 
254 //---------------------------------------------------------------------------
255 // Registration structure
256 //---------------------------------------------------------------------------
257 
258 extern const FLT_REGISTRATION FilterRegistration;
259 
260 //---------------------------------------------------------------------------
261 // Function prototypes
262 //---------------------------------------------------------------------------
263 
264 FLT_PREOP_CALLBACK_STATUS
265 SpyPreOperationCallback (
266  _Inout_ PFLT_CALLBACK_DATA Data,
267  _In_ PCFLT_RELATED_OBJECTS FltObjects,
268  _Flt_CompletionContext_Outptr_ PVOID *CompletionContext
269  );
270 
271 FLT_POSTOP_CALLBACK_STATUS
272 SpyPostOperationCallback (
273  _Inout_ PFLT_CALLBACK_DATA Data,
274  _In_ PCFLT_RELATED_OBJECTS FltObjects,
275  _In_ PVOID CompletionContext,
276  _In_ FLT_POST_OPERATION_FLAGS Flags
277  );
278 
279 NTSTATUS
280 SpyKtmNotificationCallback (
281  _In_ PCFLT_RELATED_OBJECTS FltObjects,
282  _In_ PFLT_CONTEXT TransactionContext,
283  _In_ ULONG TransactionNotification
284  );
285 
286 NTSTATUS
287 SpyFilterUnload (
288  _In_ FLT_FILTER_UNLOAD_FLAGS Flags
289  );
290 
291 NTSTATUS
292 SpyQueryTeardown (
293  _In_ PCFLT_RELATED_OBJECTS FltObjects,
294  _In_ FLT_INSTANCE_QUERY_TEARDOWN_FLAGS Flags
295  );
296 
297 VOID
298 SpyReadDriverParameters (
299  _In_ PUNICODE_STRING RegistryPath
300  );
301 
302 LONG
303 SpyExceptionFilter (
304  _In_ PEXCEPTION_POINTERS ExceptionPointer,
305  _In_ BOOLEAN AccessingUserBuffer
306  );
307 
308 //---------------------------------------------------------------------------
309 // Memory allocation routines
310 //---------------------------------------------------------------------------
311 
312 PRECORD_LIST
313 SpyAllocateBuffer (
314  _Out_ PULONG RecordType
315  );
316 
317 VOID
318 SpyFreeBuffer (
319  _In_ PVOID Buffer
320  );
321 
322 //---------------------------------------------------------------------------
323 // Logging routines
324 //---------------------------------------------------------------------------
325 PRECORD_LIST
326 SpyNewRecord (
327  VOID
328  );
329 
330 VOID
331 SpyFreeRecord (
332  _In_ PRECORD_LIST Record
333  );
334 
335 #if MINISPY_VISTA
336 
337 VOID
338 SpyParseEcps (
339  _In_ PFLT_CALLBACK_DATA Data,
340  _Inout_ PRECORD_LIST RecordList,
341  _Inout_ PUNICODE_STRING EcpData
342  );
343 
344 VOID
345 SpyBuildEcpDataString (
346  _In_ PRECORD_LIST RecordList,
347  _Inout_ PUNICODE_STRING EcpData,
348  _In_reads_(NumKnownEcps) PVOID * ContextPointers
349  );
350 
351 VOID
352 SpySetRecordNameAndEcpData (
353  _Inout_ PLOG_RECORD LogRecord,
354  _In_ PUNICODE_STRING Name,
355  _In_opt_ PUNICODE_STRING EcpData
356  );
357 
358 #else
359 
360 VOID
361 SpySetRecordName (
362  _Inout_ PLOG_RECORD LogRecord,
363  _In_ PUNICODE_STRING Name
364  );
365 
366 #endif
367 
368 VOID
369 SpyLogPreOperationData (
370  _In_ PFLT_CALLBACK_DATA Data,
371  _In_ PCFLT_RELATED_OBJECTS FltObjects,
372  _Inout_ PRECORD_LIST RecordList
373  );
374 
375 VOID
376 SpyLogPostOperationData (
377  _In_ PFLT_CALLBACK_DATA Data,
378  _Inout_ PRECORD_LIST RecordList
379  );
380 
381 VOID
382 SpyLogTransactionNotify (
383  _In_ PCFLT_RELATED_OBJECTS FltObjects,
384  _Inout_ PRECORD_LIST RecordList,
385  _In_ ULONG TransactionNotification
386  );
387 
388 VOID
389 SpyLog (
390  _In_ PRECORD_LIST RecordList
391  );
392 
393 NTSTATUS
394 SpyGetLog (
395  _Out_writes_bytes_to_(OutputBufferLength,*ReturnOutputBufferLength) PUCHAR OutputBuffer,
396  _In_ ULONG OutputBufferLength,
397  _Out_ PULONG ReturnOutputBufferLength
398  );
399 
400 VOID
401 SpyEmptyOutputBufferList (
402  VOID
403  );
404 
405 VOID
406 SpyDeleteTxfContext (
407  _Inout_ PFLT_CONTEXT Context,
408  _In_ FLT_CONTEXT_TYPE ContextType
409  );
410 
411 #endif //__MSPYKERN_H__
412 
_MINISPY_DATA::PFltEnlistInTransaction
PFLT_ENLIST_IN_TRANSACTION PFltEnlistInTransaction
Definition: mspyKern.h:211
SpyParseEcps
VOID SpyParseEcps(_In_ PFLT_CALLBACK_DATA Data, _Inout_ PRECORD_LIST RecordList, _Inout_ PUNICODE_STRING EcpData)
Definition: mspyLib.c:707
SpyAllocateBuffer
PRECORD_LIST SpyAllocateBuffer(_Out_ PULONG RecordType)
Definition: mspyLib.c:110
PFLT_GET_TRANSACTION_CONTEXT
NTSTATUS(* PFLT_GET_TRANSACTION_CONTEXT)(_In_ PFLT_INSTANCE Instance, _In_ PKTRANSACTION Transaction, _Outptr_ PFLT_CONTEXT *Context)
Definition: mspyKern.h:67
_MINISPY_DATA::DriverObject
PDRIVER_OBJECT DriverObject
Definition: mspyKern.h:124
_MINISPY_DATA::OutputBufferList
LIST_ENTRY OutputBufferList
Definition: mspyKern.h:150
_MINISPY_DATA::ClientPort
PFLT_PORT ClientPort
Definition: mspyKern.h:143
_MINISPY_DATA::PFltGetTransactionContext
PFLT_GET_TRANSACTION_CONTEXT PFltGetTransactionContext
Definition: mspyKern.h:209
SpyLogPreOperationData
VOID SpyLogPreOperationData(_In_ PFLT_CALLBACK_DATA Data, _In_ PCFLT_RELATED_OBJECTS FltObjects, _Inout_ PRECORD_LIST RecordList)
Definition: mspyLib.c:1047
SpyLog
VOID SpyLog(_In_ PRECORD_LIST RecordList)
Definition: mspyLib.c:1206
_MINISPY_DATA::StaticBufferInUse
__volatile LONG StaticBufferInUse
Definition: mspyKern.h:170
MINISPY_DATA
struct _MINISPY_DATA MINISPY_DATA
_MINISPY_DATA::NameQueryMethod
ULONG NameQueryMethod
Definition: mspyKern.h:193
_MINISPY_DATA::LogSequenceNumber
__volatile LONG LogSequenceNumber
Definition: mspyKern.h:185
SpyLogPostOperationData
VOID SpyLogPostOperationData(_In_ PFLT_CALLBACK_DATA Data, _Inout_ PRECORD_LIST RecordList)
Definition: mspyLib.c:1117
_MINISPY_DATA::OutOfMemoryBuffer
PVOID OutOfMemoryBuffer[RECORD_SIZE/sizeof(PVOID)]
Definition: mspyKern.h:179
Instance
_In_opt_ PFILE_OBJECT _In_opt_ PFLT_INSTANCE Instance
Definition: nc.h:493
SpyReadDriverParameters
VOID SpyReadDriverParameters(_In_ PUNICODE_STRING RegistryPath)
Definition: mspyLib.c:1445
PFLT_SET_TRANSACTION_CONTEXT
NTSTATUS(* PFLT_SET_TRANSACTION_CONTEXT)(_In_ PFLT_INSTANCE Instance, _In_ PKTRANSACTION Transaction, _In_ FLT_SET_CONTEXT_OPERATION Operation, _In_ PFLT_CONTEXT NewContext, _Outptr_opt_ PFLT_CONTEXT *OldContext)
Definition: mspyKern.h:58
_MINISPY_DATA::ServerPort
PFLT_PORT ServerPort
Definition: mspyKern.h:137
SpyPostOperationCallback
FLT_POSTOP_CALLBACK_STATUS SpyPostOperationCallback(_Inout_ PFLT_CALLBACK_DATA Data, _In_ PCFLT_RELATED_OBJECTS FltObjects, _In_ PVOID CompletionContext, _In_ FLT_POST_OPERATION_FLAGS Flags)
Definition: minispy.c:911
SpyFreeBuffer
VOID SpyFreeBuffer(_In_ PVOID Buffer)
Definition: mspyLib.c:182
_MINISPY_DATA::PFltSetTransactionContext
PFLT_SET_TRANSACTION_CONTEXT PFltSetTransactionContext
Definition: mspyKern.h:207
SpyBuildEcpDataString
VOID SpyBuildEcpDataString(_In_ PRECORD_LIST RecordList, _Inout_ PUNICODE_STRING EcpData, _In_reads_(NumKnownEcps) PVOID *ContextPointers)
Definition: mspyLib.c:325
_MINISPY_DATA::Filter
PFLT_FILTER Filter
Definition: mspyKern.h:131
PMINISPY_DATA
struct _MINISPY_DATA * PMINISPY_DATA
_MINISPY_TRANSACTION_CONTEXT
Definition: mspyKern.h:222
MINISPY_TRANSACTION_CONTEXT
struct _MINISPY_TRANSACTION_CONTEXT MINISPY_TRANSACTION_CONTEXT
_RECORD_LIST
Definition: minispy.h:163
Buffer
_In_ BOOLEAN _Out_ PFILE_BASIC_INFORMATION Buffer
Definition: CdoOperations.c:1041
SpyLogTransactionNotify
VOID SpyLogTransactionNotify(_In_ PCFLT_RELATED_OBJECTS FltObjects, _Inout_ PRECORD_LIST RecordList, _In_ ULONG TransactionNotification)
Definition: mspyLib.c:1152
SpyEmptyOutputBufferList
VOID SpyEmptyOutputBufferList(VOID)
Definition: mspyLib.c:1396
SpyDeleteTxfContext
VOID SpyDeleteTxfContext(_Inout_ PFLT_CONTEXT Context, _In_ FLT_CONTEXT_TYPE ContextType)
SpySetRecordNameAndEcpData
VOID SpySetRecordNameAndEcpData(_Inout_ PLOG_RECORD LogRecord, _In_ PUNICODE_STRING Name, _In_opt_ PUNICODE_STRING EcpData)
Definition: mspyLib.c:885
PFLT_ENLIST_IN_TRANSACTION
NTSTATUS(* PFLT_ENLIST_IN_TRANSACTION)(_In_ PFLT_INSTANCE Instance, _In_ PKTRANSACTION Transaction, _In_ PFLT_CONTEXT TransactionContext, _In_ NOTIFICATION_MASK NotificationMask)
Definition: mspyKern.h:74
_MINISPY_DATA::DebugFlags
ULONG DebugFlags
Definition: mspyKern.h:199
_MINISPY_DATA
Definition: mspyKern.h:118
_MINISPY_DATA::FreeBufferList
NPAGED_LOOKASIDE_LIST FreeBufferList
Definition: mspyKern.h:156
ECP_TYPE
enum _ECP_TYPE ECP_TYPE
RECORD_SIZE
#define RECORD_SIZE
Definition: minispy.h:83
_LOG_RECORD
Definition: minispy.h:143
_MINISPY_DATA::OutputBufferLock
KSPIN_LOCK OutputBufferLock
Definition: mspyKern.h:149
_MINISPY_DATA::RecordsAllocated
__volatile LONG RecordsAllocated
Definition: mspyKern.h:163
SpyFilterUnload
NTSTATUS SpyFilterUnload(_In_ FLT_FILTER_UNLOAD_FLAGS Flags)
Definition: minispy.c:309
SpyNewRecord
PRECORD_LIST SpyNewRecord(VOID)
Definition: mspyLib.c:218
SpyExceptionFilter
LONG SpyExceptionFilter(_In_ PEXCEPTION_POINTERS ExceptionPointer, _In_ BOOLEAN AccessingUserBuffer)
Definition: minispy.c:1336
_ECP_TYPE
_ECP_TYPE
Definition: mspyKern.h:101
MiniSpyData
MINISPY_DATA MiniSpyData
Definition: minispy.c:26
SpyPreOperationCallback
FLT_PREOP_CALLBACK_STATUS SpyPreOperationCallback(_Inout_ PFLT_CALLBACK_DATA Data, _In_ PCFLT_RELATED_OBJECTS FltObjects, _Flt_CompletionContext_Outptr_ PVOID *CompletionContext)
Definition: minispy.c:593
PMINISPY_TRANSACTION_CONTEXT
struct _MINISPY_TRANSACTION_CONTEXT * PMINISPY_TRANSACTION_CONTEXT
SpyGetLog
NTSTATUS SpyGetLog(_Out_writes_bytes_to_(OutputBufferLength, *ReturnOutputBufferLength) PUCHAR OutputBuffer, _In_ ULONG OutputBufferLength, _Out_ PULONG ReturnOutputBufferLength)
Definition: mspyLib.c:1240
SpyKtmNotificationCallback
NTSTATUS SpyKtmNotificationCallback(_In_ PCFLT_RELATED_OBJECTS FltObjects, _In_ PFLT_CONTEXT TransactionContext, _In_ ULONG TransactionNotification)
Definition: minispy.c:1289
_MINISPY_DATA::MaxRecordsToAllocate
LONG MaxRecordsToAllocate
Definition: mspyKern.h:162
SpyFreeRecord
VOID SpyFreeRecord(_In_ PRECORD_LIST Record)
Definition: mspyLib.c:285
_MINISPY_TRANSACTION_CONTEXT::Flags
ULONG Flags
Definition: mspyKern.h:223
_MINISPY_TRANSACTION_CONTEXT::Count
ULONG Count
Definition: mspyKern.h:224
SpyQueryTeardown
NTSTATUS SpyQueryTeardown(_In_ PCFLT_RELATED_OBJECTS FltObjects, _In_ FLT_INSTANCE_QUERY_TEARDOWN_FLAGS Flags)
Definition: minispy.c:354
FilterRegistration
const FLT_REGISTRATION FilterRegistration
Definition: filter/avscan.c:273

Social Network


Services Overview

Architect, implement and test file system filter drivers for a wide range of functionality. We can offer several levels of assistance to meet your specific.

Contact Us

You are welcome to contact us for salse or partnership.

Sales: sales@easefilter.com
Support: support@easefilter.com
Info: info@easefilter.com

© Copyright EaseFilter Inc..