我想为文件系统编写 minifilter 驱动程序。代码编译成 .sys 文件时没有报错,但安装之后,我在 DbgView 中看不到日志输出,而在 DeviceTree 程序中可以看到该过滤器。请问问题出在哪里?谢谢。
#pragma once
#include <FltKernel.h>
#include <ntddk.h>
#include <dontuse.h>
#include <suppress.h>
#include <stdio.h>
#include <ntstrsafe.h>
/* Forward declarations for the routines referenced by the registration tables below. */

/* Post-operation callback; listed in Callbacks[] for IRP_MJ_CREATE. */
FLT_POSTOP_CALLBACK_STATUS PostFileOperationCallback ( IN OUT PFLT_CALLBACK_DATA Data,
IN PCFLT_RELATED_OBJECTS FltObjects,
IN PVOID CompletionContext,
IN FLT_POST_OPERATION_FLAGS Flags);
/* Pre-operation callback; listed in Callbacks[] for IRP_MJ_CREATE. */
FLT_PREOP_CALLBACK_STATUS
PreFileOperationCallback (
__inout PFLT_CALLBACK_DATA Data,
__in PCFLT_RELATED_OBJECTS FltObjects,
__deref_out_opt PVOID *CompletionContext
);
/* Unload callback; placed in the FilterUnload slot of FilterRegistration. */
NTSTATUS FilterUnload ( IN FLT_FILTER_UNLOAD_FLAGS Flags );
/* Despite its name, this is placed in the InstanceSetup slot of FilterRegistration. */
NTSTATUS FilterLoad (IN PCFLT_RELATED_OBJECTS FltObjects,
IN FLT_INSTANCE_SETUP_FLAGS Flags,
IN DEVICE_TYPE VolumeDeviceType,
IN FLT_FILESYSTEM_TYPE VolumeFilesystemType);
/* Driver-wide state: the driver object and the filter handle filled in by DriverEntry. */
typedef struct _MINIFILTER
{
PDRIVER_OBJECT pDriverObject; /* driver object received by DriverEntry */
PFLT_FILTER pFilter; /* handle written by FltRegisterFilter */
} MINIFILTER, *PMINIFILTER;
/*
 * Operation callbacks handed to Filter Manager through FilterRegistration.
 * Only IRP_MJ_CREATE is filtered; the list ends with IRP_MJ_OPERATION_END.
 */
const FLT_OPERATION_REGISTRATION Callbacks[] = {
{ IRP_MJ_CREATE, /* major function to filter */
0, /* flags */
PreFileOperationCallback, /* pre-operation callback */
PostFileOperationCallback }, /* post-operation callback */
{ IRP_MJ_OPERATION_END } /* terminator */
};
/* Context registration list; this driver registers no contexts, so it holds only the terminator. */
const FLT_CONTEXT_REGISTRATION Contexts[] = {
{ FLT_CONTEXT_END }
};
/*
 * Registration structure passed to FltRegisterFilter in DriverEntry.
 * The initializer is positional, so the order of the entries must match the
 * field order of FLT_REGISTRATION; fields after the last entry are left zero.
 */
CONST FLT_REGISTRATION FilterRegistration = {
sizeof( FLT_REGISTRATION ), // Size
FLT_REGISTRATION_VERSION, // Version
0, // Flags
Contexts, // Context
Callbacks, // Operation callbacks
FilterUnload, // FilterUnload
FilterLoad, // InstanceSetup
NULL, // InstanceQueryTeardown
NULL, // InstanceTeardownStart
NULL, // InstanceTeardownComplete
NULL, // GenerateFileName
NULL // NormalizeNameComponent
};
/* Single global instance of the driver state; written by DriverEntry, read by OnUnload. */
MINIFILTER fileManager;
/*
 * Instance setup callback (registered in the InstanceSetup slot of
 * FilterRegistration).
 *
 * Emits a debug message, then decides whether to attach to the volume.
 *
 * Returns STATUS_FLT_DO_NOT_ATTACH when the volume device type is
 * FILE_DEVICE_NETWORK_FILE_SYSTEM, STATUS_SUCCESS for every other type.
 */
NTSTATUS FilterLoad (IN PCFLT_RELATED_OBJECTS FltObjects,
                     IN FLT_INSTANCE_SETUP_FLAGS Flags,
                     IN DEVICE_TYPE VolumeDeviceType,
                     IN FLT_FILESYSTEM_TYPE VolumeFilesystemType)
{
    NTSTATUS attachDecision = STATUS_SUCCESS;

    UNREFERENCED_PARAMETER(FltObjects);
    UNREFERENCED_PARAMETER(Flags);
    UNREFERENCED_PARAMETER(VolumeFilesystemType);

    DbgPrint("12313");

    /* Network redirectors are skipped; everything else gets an instance. */
    if (VolumeDeviceType == FILE_DEVICE_NETWORK_FILE_SYSTEM) {
        attachDecision = STATUS_FLT_DO_NOT_ATTACH;
    }

    return attachDecision;
}
/*
 * Filter unload callback (registered in the FilterUnload slot of
 * FilterRegistration). Always allows the unload by returning STATUS_SUCCESS.
 *
 * NOTE(review): this routine does not call FltUnregisterFilter; the only
 * unregister call on an unload path in this file is in OnUnload. Minifilter
 * unload callbacks normally unregister the filter themselves. Confirm that
 * OnUnload is actually reached when Filter Manager unloads the driver,
 * otherwise the operation callbacks stay registered while the image goes away.
 */
NTSTATUS FilterUnload ( IN FLT_FILTER_UNLOAD_FLAGS Flags )
{
    UNREFERENCED_PARAMETER(Flags);

    return STATUS_SUCCESS;
}
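/*
 * Pre-operation callback for IRP_MJ_CREATE.
 *
 * Logs a debug message for every create request that carries a file object
 * and never requests a post-operation callback.
 *
 * Data              - callback data for the operation.
 * FltObjects        - related objects for the operation.
 * CompletionContext - unused; nothing is passed on to a post-operation callback.
 *
 * Returns FLT_PREOP_SUCCESS_NO_CALLBACK on every path.
 */
FLT_PREOP_CALLBACK_STATUS
PreFileOperationCallback (
    __inout PFLT_CALLBACK_DATA Data,
    __in PCFLT_RELATED_OBJECTS FltObjects,
    __deref_out_opt PVOID *CompletionContext
    )
{
    UNREFERENCED_PARAMETER(CompletionContext);

    /* If this is a callback for a FS Filter driver then we ignore the event */
    if (FLT_IS_FS_FILTER_OPERATION(Data))
    {
        return FLT_PREOP_SUCCESS_NO_CALLBACK;
    }

    /*
     * The original also tested Data against NULL here, but Data has already
     * been used by the check above, so that test could never change the result.
     */
    if (FltObjects->FileObject != NULL &&
        Data->Iopb->TargetFileObject != NULL &&
        Data->Iopb->MajorFunction == IRP_MJ_CREATE)
    {
        /*
         * On Vista and later this output is subject to the kernel debug-print
         * filter and stays hidden until the default mask is opened up.
         */
        DbgPrint("MiniFilter: YES!!!");
    }

    return FLT_PREOP_SUCCESS_NO_CALLBACK;
}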
/*
 * Post-operation callback for IRP_MJ_CREATE. Does no work and tells Filter
 * Manager that processing of the operation is finished.
 *
 * In this file the matching pre-operation callback returns
 * FLT_PREOP_SUCCESS_NO_CALLBACK on every path, so this routine is registered
 * but not requested for any operation.
 */
FLT_POSTOP_CALLBACK_STATUS PostFileOperationCallback ( IN OUT PFLT_CALLBACK_DATA Data,
                                                       IN PCFLT_RELATED_OBJECTS FltObjects,
                                                       IN PVOID CompletionContext,
                                                       IN FLT_POST_OPERATION_FLAGS Flags)
{
    UNREFERENCED_PARAMETER(Data);
    UNREFERENCED_PARAMETER(FltObjects);
    UNREFERENCED_PARAMETER(CompletionContext);
    UNREFERENCED_PARAMETER(Flags);

    return FLT_POSTOP_FINISHED_PROCESSING;
}
//////////////////////////////////////////////////////////////
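/*
 * Stub dispatch routine: completes every IRP it receives with STATUS_SUCCESS.
 *
 * DeviceObject - target device object (unused).
 * Irp          - request to complete.
 *
 * Returns STATUS_SUCCESS.
 */
NTSTATUS
OnStubDispatch(
    IN PDEVICE_OBJECT DeviceObject,
    IN PIRP Irp
    )
{
    UNREFERENCED_PARAMETER(DeviceObject);

    Irp->IoStatus.Status = STATUS_SUCCESS;
    IoCompleteRequest(Irp, IO_NO_INCREMENT);

    /*
     * The IRP must not be touched once IoCompleteRequest has been called: it
     * may already have been freed. The original read Irp->IoStatus.Status
     * here, which is a use-after-completion; return the constant instead.
     */
    return STATUS_SUCCESS;
}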
/*
 * Driver unload routine installed by DriverEntry: unregisters the filter
 * stored in fileManager and logs a message.
 *
 * NOTE(review): FilterRegistration also supplies a FilterUnload callback that
 * does not unregister the filter. Confirm which of the two routines Filter
 * Manager actually invokes on unload, so the filter is unregistered exactly once.
 */
VOID OnUnload( IN PDRIVER_OBJECT DriverObject )
{
    PFLT_FILTER registeredFilter = fileManager.pFilter;

    UNREFERENCED_PARAMETER(DriverObject);

    FltUnregisterFilter(registeredFilter);
    DbgPrint("MiniFilter: Unloaded");
}
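/*
 * Driver entry point: installs the stub dispatch and unload routines,
 * registers the minifilter with Filter Manager and starts filtering.
 *
 * theDriverObject - driver object created for this driver.
 * theRegistryPath - driver's registry path (unused).
 *
 * Returns STATUS_SUCCESS when filtering was started, otherwise the failure
 * status of FltRegisterFilter or FltStartFiltering.
 *
 * All DbgPrint output here is subject to the kernel debug-print filter on
 * Vista and later, so it stays hidden in DbgView/WinDbg until the default
 * mask is opened up.
 */
NTSTATUS DriverEntry( IN PDRIVER_OBJECT theDriverObject, IN PUNICODE_STRING theRegistryPath )
{
    int i;
    NTSTATUS status;

    UNREFERENCED_PARAMETER(theRegistryPath);

    DbgPrint("MiniFilter: Started.");

    /*
     * Register a dispatch function for every major function code.
     * MajorFunction has IRP_MJ_MAXIMUM_FUNCTION + 1 entries, so the bound is
     * inclusive; the original loop stopped one short and left the last slot
     * untouched.
     */
    for (i = 0; i <= IRP_MJ_MAXIMUM_FUNCTION; i++)
    {
        theDriverObject->MajorFunction[i] = OnStubDispatch;
    }

    /*
     * NOTE(review): FilterRegistration also carries a FilterUnload callback;
     * confirm whether this DriverUnload routine is still reached once the
     * filter has been registered with Filter Manager.
     */
    theDriverObject->DriverUnload = OnUnload;
    fileManager.pDriverObject = theDriverObject;

    status = FltRegisterFilter(theDriverObject, &FilterRegistration, &fileManager.pFilter);
    if (!NT_SUCCESS(status))
    {
        DbgPrint("MiniFilter: Driver not started. ERROR FltRegisterFilter - %08x\n", status);
        return status;
    }

    status = FltStartFiltering( fileManager.pFilter );
    if (!NT_SUCCESS( status ))
    {
        /* Registration succeeded, so it has to be undone before failing the load. */
        FltUnregisterFilter( fileManager.pFilter );
        DbgPrint("MiniFilter: Driver not started. ERROR FltStartFiltering - %08x\n", status);
        return status;
    }

    DbgPrint("MiniFilter: Filter was started and configured.");
    return STATUS_SUCCESS;
}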
答案 0 :(得分:2)
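/*
 * Fragment: attach the filter to every volume known to Filter Manager.
 * The variables used here (status, buffer, i, NumberofVolumes,
 * NumberofVolumes2, pFilterInfo, uStrVolume, pFLTVolume) are declared
 * outside this excerpt.
 */

/* Called with no buffer: only the volume count written to NumberofVolumes is used. */
status = FltEnumerateVolumes(fileManager.pFilter, NULL, 0, &NumberofVolumes);

/* ExAllocatePool is deprecated in current WDKs; a tagged allocation is preferred there. */
buffer = ExAllocatePool(PagedPool, 1024);
if (buffer != NULL)
{
    for (i = 0; i < NumberofVolumes; i++)
    {
        status = FltEnumerateVolumeInformation(fileManager.pFilter, i, FilterVolumeBasicInformation, buffer, 1024, &NumberofVolumes2);
        if (!NT_SUCCESS(status))
        {
            /*
             * The buffer holds no valid record for this index. The original
             * read the name length and pointer from it before checking status.
             */
            continue;
        }

        /* Build a counted string that points at the name inside the buffer. */
        pFilterInfo = (PFILTER_VOLUME_BASIC_INFORMATION)buffer;
        uStrVolume.Length = (USHORT)pFilterInfo->FilterVolumeNameLength;
        uStrVolume.MaximumLength = uStrVolume.Length;
        uStrVolume.Buffer = &pFilterInfo->FilterVolumeName[0];

        status = FltGetVolumeFromName(fileManager.pFilter, &uStrVolume, &pFLTVolume);
        if (!NT_SUCCESS(status))
        {
            continue;
        }

        status = FltAttachVolume(fileManager.pFilter, pFLTVolume, NULL, NULL);
        if (NT_SUCCESS(status))
        {
            /* The original logged success even when FltAttachVolume failed. */
            DbgPrint("Attached Volume Successfully.................... \n");
        }

        /* Drop the reference taken by FltGetVolumeFromName, whatever the attach result. */
        FltObjectDereference(pFLTVolume);
    }
    ExFreePool(buffer);
}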
答案 1 :(得分:0)
从 Vista 开始,调试消息默认会被过滤掉。必须设置过滤掩码,才能在 DbgView 或 WinDbg 中看到这些消息。可以阅读这篇文章:http://www.osronline.com/article.cfm?article=295 ,也可以直接在 WinDbg 中修改:ed nt!Kd_DEFAULT_Mask 0xFFFFFFFFFFFFFFFF(对于 x64)