Minifilter port based communication and actual code operation
I. MiniFilter context explanation
1.1 Context and instance context examples
When registering a MiniFilter, the FLT_REGISTRATION structure lets us supply an array of context registrations, one entry per context type we use. This section explains what that "context" is.
What is a context?
A context is a piece of memory attached to an object, used to cache data related to that object. Its layout is defined by us, just like a device extension. Because a context is attached to a target object, two questions follow: what is the target object, and what is the context?
There are many possible targets:
- File object
- Device object
- Instance object
- Volume device object
- and so on
The API is as follows:
- FltAllocateContext
- FltReleaseContext
For example:
```c
typedef struct _INSTANCE_CONTEXT {
    /* xxx: our own per-volume fields go here, e.g. */
    ULONG SectorSize;
} INSTANCE_CONTEXT, *PINSTANCE_CONTEXT;

PINSTANCE_CONTEXT pContext = NULL;

status = FltAllocateContext(
    g_pFilter,                  // our filter handle, returned by FltRegisterFilter
    FLT_INSTANCE_CONTEXT,       // which kind of context we want
    sizeof(INSTANCE_CONTEXT),   // size is the size of our structure
    PagedPool,
    (PFLT_CONTEXT *)&pContext); // output parameter, valid after success
```
This example allocates context memory for an instance. After allocation, the context must be bound (set) on the instance.
Example:
```c
FltSetInstanceContext(
    FltObjects->Instance,
    FLT_SET_CONTEXT_REPLACE_IF_EXISTS,
    pContext,
    NULL);   // we do not need the previous context back
```
Instances correspond one-to-one to volumes, so the context we allocate can store information about the volume, such as its sector size.
Getting the context back:
```c
FltGetInstanceContext(FltObjects->Instance, (PFLT_CONTEXT *)&pContext);
```
Summary:
In summary, four function calls are involved in working with a context; the context itself is our own custom structure:
- FltAllocateContext: allocate a context
- FltSetInstanceContext: bind the context to an object
- FltGetInstanceContext: get the context from the object it is bound to
- FltReleaseContext: release the allocated context
1.2 Other contexts
- Stream context
  The so-called stream context refers to the FCB (File Control Block) that we have often used. A file corresponds one-to-one to an FCB.
  An FCB is a cache created for a file when it is opened; this cache is called the FCB.
  The operation API is as follows:
  FltGetStreamContext()
  FltSetStreamContext()
- Stream handle context
  File objects are FILE_OBJECT structures; one file can have multiple file objects open on it.
  Operation API:
  FltGetStreamHandleContext()
  FltSetStreamHandleContext()
  This is probably the most commonly used context, because we work with file objects so much.
- Instance context
  See section 1.1 for examples.
- Volume context
  A volume is an ordinary C, D, E or F drive, or a network redirector. In general, one volume corresponds to one filter instance object.
  In practice, the instance context is often used in place of the volume context: because instances and volumes are one-to-one, you can simply use the instance.
  API:
  FltGetVolumeContext()
  FltSetVolumeContext()
- File context
  Since Vista, MiniFilter also provides a file context.
  FltGetFileContext()
  FltSetFileContext()
  For details, consult the WDK help documents.
1.3 introduction and examples of context cleanup function
In the scanner sample in the WDK, you can see how the context is used.
As follows:
```c
const FLT_CONTEXT_REGISTRATION ContextRegistration[] = {
    { FLT_STREAMHANDLE_CONTEXT,
      0,
      NULL,                                    // no cleanup callback
      sizeof(SCANNER_STREAM_HANDLE_CONTEXT),
      'chBS' },
    { FLT_CONTEXT_END }
};

const FLT_REGISTRATION FilterRegistration = {
    sizeof( FLT_REGISTRATION ),      // Size
    FLT_REGISTRATION_VERSION,        // Version
    0,                               // Flags
    ContextRegistration,             // Context Registration
    Callbacks,                       // Operation callbacks
    ScannerUnload,                   // FilterUnload
    ScannerInstanceSetup,            // InstanceSetup
    ScannerQueryTeardown,            // InstanceQueryTeardown
    NULL,                            // InstanceTeardownStart
    NULL,                            // InstanceTeardownComplete
    NULL,                            // GenerateFileName
    NULL,                            // GenerateDestinationFileName
    NULL                             // NormalizeNameComponent
};
```
FLT_CONTEXT_REGISTRATION also lets us provide a cleanup function for each context type. If we use the context, this is where we release what it holds.
"Release" here does not mean calling FltReleaseContext to free the context memory. Instead, we release the resources stored inside our context structure, such as a saved event or synchronization handle and the memory pointed to by saved pointers, rather than freeing the context memory itself.
As follows:
```c
const FLT_CONTEXT_REGISTRATION ContextRegistration[] = {
    { FLT_STREAMHANDLE_CONTEXT, 0, ContextCleanup, CTX_STREAMHANDLE_CONTEXT_SIZE, CTX_STREAMHANDLE_CONTEXT_TAG },
    { FLT_INSTANCE_CONTEXT,     0, ContextCleanup, CTX_INSTANCE_CONTEXT_SIZE,     CTX_INSTANCE_CONTEXT_TAG },
    { FLT_FILE_CONTEXT,         0, ContextCleanup, CTX_FILE_CONTEXT_SIZE,         CTX_FILE_CONTEXT_TAG },
    { FLT_STREAM_CONTEXT,       0, ContextCleanup, CTX_STREAM_CONTEXT_SIZE,       CTX_STREAM_CONTEXT_TAG },
    { FLT_CONTEXT_END }
};
```
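As an added example tying sections 1.1 to 1.3 together (not code from the page or from the WDK scanner sample): an InstanceSetup callback that allocates an instance context, caches the volume sector size in it, binds it to the instance, plus a cleanup callback that frees only what the context owns. g_pFilter, the pool tag, the structure and the callback names are this example's own assumptions.

```c
#include <fltKernel.h>
// Assumed: g_pFilter is the PFLT_FILTER from FltRegisterFilter; tag, struct and callback names are this example's own.
extern PFLT_FILTER g_pFilter;
#define MYF_INSTANCE_CTX_TAG 'ciFM'

typedef struct _INSTANCE_CONTEXT {
    ULONG SectorSize;   // cached per volume, read once in InstanceSetup
    PVOID Scratch;      // pool memory owned by the context; freed in the cleanup callback
} INSTANCE_CONTEXT, *PINSTANCE_CONTEXT;

// Cleanup callback: runs when the last reference is dropped. Free what the
// context owns; the context memory itself is freed by Filter Manager.
VOID InstanceContextCleanup(PFLT_CONTEXT Context, FLT_CONTEXT_TYPE ContextType)
{
    PINSTANCE_CONTEXT ctx = (PINSTANCE_CONTEXT)Context;
    UNREFERENCED_PARAMETER(ContextType);
    if (ctx->Scratch != NULL) {
        ExFreePoolWithTag(ctx->Scratch, MYF_INSTANCE_CTX_TAG);
        ctx->Scratch = NULL;
    }
}

// Registration entry with the cleanup callback filled in (referenced from FLT_REGISTRATION).
const FLT_CONTEXT_REGISTRATION ContextRegistration[] = {
    { FLT_INSTANCE_CONTEXT, 0, InstanceContextCleanup, sizeof(INSTANCE_CONTEXT), MYF_INSTANCE_CTX_TAG },
    { FLT_CONTEXT_END }
};

// InstanceSetup callback: allocate, fill, bind, then drop our own reference.
NTSTATUS MyInstanceSetup(PCFLT_RELATED_OBJECTS FltObjects, FLT_INSTANCE_SETUP_FLAGS Flags,
                         DEVICE_TYPE VolumeDeviceType, FLT_FILESYSTEM_TYPE VolumeFilesystemType)
{
    ULONG_PTR propBuf[(sizeof(FLT_VOLUME_PROPERTIES) + 512) / sizeof(ULONG_PTR)];  // room for the name strings
    PFLT_VOLUME_PROPERTIES props = (PFLT_VOLUME_PROPERTIES)propBuf;
    PINSTANCE_CONTEXT ctx = NULL;
    ULONG returned = 0;
    NTSTATUS status;
    UNREFERENCED_PARAMETER(Flags); UNREFERENCED_PARAMETER(VolumeDeviceType); UNREFERENCED_PARAMETER(VolumeFilesystemType);
    status = FltAllocateContext(g_pFilter, FLT_INSTANCE_CONTEXT, sizeof(INSTANCE_CONTEXT), PagedPool, (PFLT_CONTEXT *)&ctx);
    if (!NT_SUCCESS(status)) return status;
    RtlZeroMemory(ctx, sizeof(INSTANCE_CONTEXT));   // so the cleanup callback is safe on every exit path
    status = FltGetVolumeProperties(FltObjects->Volume, props, sizeof(propBuf), &returned);
    if (NT_SUCCESS(status)) ctx->SectorSize = props->SectorSize;   // otherwise leave 0 = unknown
    ctx->Scratch = ExAllocatePoolWithTag(PagedPool, PAGE_SIZE, MYF_INSTANCE_CTX_TAG);
    if (ctx->Scratch == NULL) { FltReleaseContext(ctx); return STATUS_INSUFFICIENT_RESOURCES; }  // cleanup sees Scratch == NULL
    status = FltSetInstanceContext(FltObjects->Instance, FLT_SET_CONTEXT_KEEP_IF_EXISTS, ctx, NULL);
    FltReleaseContext(ctx);   // the instance holds its own reference now; on failure this drops to 0 and cleanup frees Scratch
    return status;
}
```

FltGetInstanceContext likewise hands back a referenced context, so every successful Get in a callback needs a matching FltReleaseContext, or the context (and whatever it owns) is never cleaned up.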
II. File operation in MiniFilter
The kernel file-manipulation API used in a MiniFilter is no longer ZwXxx; the Filter Manager re-wraps it as FltXxx.
Not using ZwXxx avoids re-entrancy: we are filtering file operations ourselves, so if we also issued file operations through the ordinary file API, our own filter would capture those operations, which leads to re-entry.
The API is as follows:

| API | Effect |
|---|---|
| FltCreateFile | Open or create a file |
| FltReadFile | Read from a file |
| FltWriteFile | Write to a file |
| FltClose | Close a file handle |
| FltQueryXxx | Query functions, such as querying file information |
| FltSetXxx | Set functions, such as setting file information |
| FltGetXxx | Get some piece of information about a file |
| FltPerformXxx | Perform I/O requests (synchronous or asynchronous) |
These APIs differ from the Zw operations in that the first two parameters are new and tie the call to the MiniFilter.
For example:
```c
ntStatus = FltCreateFile(
    pFilter,                     // 1: our filter handle, returned by FltRegisterFilter
    pDstInstance,                // 2: the instance the request is issued from
    &hDstFile,                   // receives the file handle
    GENERIC_WRITE | SYNCHRONIZE,
    &objDstAttrib,               // OBJECT_ATTRIBUTES holding the file name
    &ioStatus,
    NULL,                        // AllocationSize
    FILE_ATTRIBUTE_NORMAL,
    FILE_SHARE_READ | FILE_SHARE_WRITE | FILE_SHARE_DELETE,
    FILE_CREATE,
    CreateOptions,
    NULL, 0,                     // EaBuffer, EaLength
    0);                          // Flags
```
- Parameter 1: the MiniFilter handle, obtained at registration
- Parameter 2: the instance
- The other parameters are the same as the Zw parameters; see the API documentation.
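As an added example (not code from the page), the FltCreateFile call above carried through to a complete create-write-close routine using only the FltXxx functions. g_pFilter and the function name are this example's own assumptions; the caller supplies the instance, path and data.

```c
#include <fltKernel.h>
// Assumed: g_pFilter is the PFLT_FILTER from FltRegisterFilter; the function name is this example's own.
extern PFLT_FILTER g_pFilter;

// Create (or overwrite) a file and write a buffer to it with the filter-aware APIs.
// Because we pass our instance, the I/O is sent to the instances below ours and does
// not come back through our own callbacks, which is the re-entrancy the text warns about.
NTSTATUS WriteWholeFile(PFLT_INSTANCE Instance, PUNICODE_STRING Path, PVOID Data, ULONG Length)
{
    OBJECT_ATTRIBUTES oa;
    IO_STATUS_BLOCK iosb;
    HANDLE hFile = NULL;
    PFILE_OBJECT fileObject = NULL;
    LARGE_INTEGER offset;
    ULONG written = 0;
    NTSTATUS status;

    InitializeObjectAttributes(&oa, Path, OBJ_KERNEL_HANDLE | OBJ_CASE_INSENSITIVE, NULL, NULL);

    // Parameters 1 and 2 (filter, instance) are the ones ZwCreateFile does not have.
    status = FltCreateFile(g_pFilter, Instance, &hFile,
                           GENERIC_WRITE | SYNCHRONIZE, &oa, &iosb,
                           NULL,                               // AllocationSize
                           FILE_ATTRIBUTE_NORMAL, FILE_SHARE_READ,
                           FILE_OVERWRITE_IF,
                           FILE_SYNCHRONOUS_IO_NONALERT | FILE_NON_DIRECTORY_FILE,
                           NULL, 0,                            // EaBuffer, EaLength
                           0);                                 // Flags
    if (!NT_SUCCESS(status)) return status;

    // FltWriteFile takes a FILE_OBJECT, so turn the handle into an object reference.
    status = ObReferenceObjectByHandle(hFile, FILE_WRITE_DATA, *IoFileObjectType, KernelMode,
                                       (PVOID *)&fileObject, NULL);
    if (NT_SUCCESS(status)) {
        offset.QuadPart = 0;
        status = FltWriteFile(Instance, fileObject, &offset, Length, Data,
                              0,             // FLT_IO_OPERATION_FLAGS: plain synchronous write
                              &written, NULL, NULL);
        if (NT_SUCCESS(status) && written != Length) status = STATUS_UNEXPECTED_IO_ERROR;
        ObDereferenceObject(fileObject);
    }
    FltClose(hFile);   // FltClose, not ZwClose, for handles obtained from FltCreateFile
    return status;
}
```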
Unfinished, to be continued.