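I have a file filter driver that is not receiving callbacks for the IRPs it registered in DriverEntry. Has anyone run into the problem of PreOperation and PostOperation callbacks registered with FltRegisterFilter not being called in their file filter driver?
I thought I'd test the VS2013 file filter driver template (instead of rolling my own) and immediately noticed that the driver is not being called for the registered IRPs.
I get debug trace output on all of the driver callbacks specified in FltRegisterFilter: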
MyFileUnload, // MiniFilterUnload
MyFileInstanceSetup, // InstanceSetup
MyFileInstanceQueryTeardown, // InstanceQueryTeardown
MyFileInstanceTeardownStart, // InstanceTeardownStart
MyFileInstanceTeardownComplete, // InstanceTeardownComplete
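...but not on any of the IRP handlers supplied in the same call. Breakpoints set in the IRP handlers are never hit either, but breakpoints in the driver callbacks above are.
The driver on the Win7 x86 target -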
kd> !drvobj MyFile
Driver object (84b29168) is for:
\FileSystem\MyFile
Driver Extension List: (id , addr)
Device Object list:
kd>
Breakpoints
kd> bl
0 e 925b6000 [f:\MyFile\myfile.c @ 75] 0001 (0001) MyFile!DriverEntry
1 e 925b3340 [f:\MyFile\myfile.c @ 264] 0001 (0001) MyFile!MyFilePostOperation
2 e 925b3370 [f:\MyFile\myfile.c @ 143] 0001 (0001) MyFile!MyFilePreOperation
Callback dump
kd> dt -a10 callbacks
MyFile!Callbacks
[0] @ 925b4068
---------------------------------------------
+0x000 MajorFunction : 0 ''
+0x004 Flags : 0
+0x008 PreOperation : 0x925b3370 _FLT_PREOP_CALLBACK_STATUS MyFile!MyFilePreOperation+0
+0x00c PostOperation : 0x925b3340 _FLT_POSTOP_CALLBACK_STATUS MyFile!MyFilePostOperation+0
+0x010 Reserved1 : (null)
[1] @ 925b407c
---------------------------------------------
+0x000 MajorFunction : 0x1 ''
+0x004 Flags : 0
+0x008 PreOperation : 0x925b3370 _FLT_PREOP_CALLBACK_STATUS MyFile!MyFilePreOperation+0
+0x00c PostOperation : 0x925b3340 _FLT_POSTOP_CALLBACK_STATUS MyFile!MyFilePostOperation+0
+0x010 Reserved1 : (null)
[2] @ 925b4090
---------------------------------------------
+0x000 MajorFunction : 0x2 ''
+0x004 Flags : 0
+0x008 PreOperation : 0x925b3370 _FLT_PREOP_CALLBACK_STATUS MyFile!MyFilePreOperation+0
+0x00c PostOperation : 0x925b3340 _FLT_POSTOP_CALLBACK_STATUS MyFile!MyFilePostOperation+0
+0x010 Reserved1 : (null)
[ ... ]
kd> x Myfile!My*
925b3070 MyFile!MyFileInstanceQueryTeardown (struct _FLT_RELATED_OBJECTS *, unsigned long)
925b3410 MyFile!MyFilePreOperationNoPostOperation (struct _FLT_CALLBACK_DATA *, struct _FLT_RELATED_OBJECTS *, void **)
925b3370 MyFile!MyFilePreOperation (struct _FLT_CALLBACK_DATA *, struct _FLT_RELATED_OBJECTS *, void **)
925b3240 MyFile!MyFileDoRequestOperationStatus (struct _FLT_CALLBACK_DATA *)
925b31c0 MyFile!MyFileUnload (unsigned long)
925b32c0 MyFile!MyFileOperationStatusCallback (struct _FLT_RELATED_OBJECTS *, struct _FLT_IO_PARAMETER_BLOCK *, long, void *)
925b3150 MyFile!MyFileInstanceTeardownStart (struct _FLT_RELATED_OBJECTS *, unsigned long)
925b30e0 MyFile!MyFileInstanceTeardownComplete (struct _FLT_RELATED_OBJECTS *, unsigned long)
925b3340 MyFile!MyFilePostOperation (struct _FLT_CALLBACK_DATA *, struct _FLT_RELATED_OBJECTS *, void *, unsigned long)
925b3000 MyFile!MyFileInstanceSetup (struct _FLT_RELATED_OBJECTS *, unsigned long, unsigned long, _FLT_FILESYSTEM_TYPE)
Code snippet
//
//  Filter registration
//

CONST FLT_OPERATION_REGISTRATION Callbacks[] = {

    { IRP_MJ_CREATE,
      0,
      MyFilePreOperation,
      MyFilePostOperation },

    { IRP_MJ_CREATE_NAMED_PIPE,
      0,
      MyFilePreOperation,
      MyFilePostOperation },

    { IRP_MJ_CLOSE,
      0,
      MyFilePreOperation,
      MyFilePostOperation },

    { IRP_MJ_READ,
      0,
      MyFilePreOperation,
      MyFilePostOperation },

    { IRP_MJ_WRITE,
      0,
      MyFilePreOperation,
      MyFilePostOperation },

    [ ... all other file filter IRPs including fast I/O ... ]

    { IRP_MJ_VOLUME_DISMOUNT,
      0,
      MyFilePreOperation,
      MyFilePostOperation },

    { IRP_MJ_OPERATION_END }
};

CONST FLT_REGISTRATION FilterRegistration = {

    sizeof( FLT_REGISTRATION ),         //  Size
    FLT_REGISTRATION_VERSION,           //  Version
    0,                                  //  Flags

    NULL,                               //  Context
    Callbacks,                          //  Operation callbacks

    MyFileUnload,                       //  MiniFilterUnload

    MyFileInstanceSetup,                //  InstanceSetup
    MyFileInstanceQueryTeardown,        //  InstanceQueryTeardown
    MyFileInstanceTeardownStart,        //  InstanceTeardownStart
    MyFileInstanceTeardownComplete,     //  InstanceTeardownComplete

    NULL,                               //  GenerateFileName
    NULL,                               //  GenerateDestinationFileName
    NULL                                //  NormalizeNameComponent
};

NTSTATUS
DriverEntry (
    _In_ PDRIVER_OBJECT DriverObject,
    _In_ PUNICODE_STRING RegistryPath
    )
{
    NTSTATUS status;

    UNREFERENCED_PARAMETER( RegistryPath );

    PT_DBG_PRINT( PTDBG_TRACE_ROUTINES,
                  ("MyFile!DriverEntry: Entered\n") );

    //
    //  Register with FltMgr to tell it our callback routines
    //

    status = FltRegisterFilter( DriverObject,
                                &FilterRegistration,
                                &gFilterHandle );

    FLT_ASSERT( NT_SUCCESS( status ) );

    if (NT_SUCCESS( status )) {

        //
        //  Start filtering i/o
        //

        status = FltStartFiltering( gFilterHandle );

        if (!NT_SUCCESS( status )) {

            FltUnregisterFilter( gFilterHandle );
        }
    }

    return status;
}
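Again, only the DriverEntry and MyFileUnload callbacks are called (verified via dbg trace and live breakpoints). No IRP handler in the driver is called (ever).
Thanks for taking a look!
Answer 0 (score: 0)
You can check the driver's registry data. Is xxxx\Instance[your driver name]\Flags 0? If not, set it to 0.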
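
The registry check suggested in the answer, written out as an added PowerShell example that is not part of the original thread. It assumes the standard minifilter instance layout under HKLM\SYSTEM\CurrentControlSet\Services\<service>\Instances and uses the service name MyFile from the question; the function name Test-MinifilterInstanceConfig is hypothetical.

```powershell
# Added example, not code from the original thread.
# Assumption: service name 'MyFile' (from \FileSystem\MyFile in the question).
function Test-MinifilterInstanceConfig {   # hypothetical helper name
    param([Parameter(Mandatory)][string]$ServiceName)

    $root = "HKLM:\SYSTEM\CurrentControlSet\Services\$ServiceName\Instances"
    if (-not (Test-Path -LiteralPath $root)) {
        return "No Instances key under service '$ServiceName'."
    }

    $findings = @()
    $default  = (Get-ItemProperty -LiteralPath $root).DefaultInstance
    $subKeys  = @(Get-ChildItem -LiteralPath $root)
    $names    = @($subKeys | ForEach-Object { $_.PSChildName })

    # The Instances key must name a default instance that exists as a subkey.
    if (-not $default) {
        $findings += 'DefaultInstance value is missing.'
    } elseif ($names -notcontains $default) {
        $findings += "DefaultInstance '$default' has no matching subkey."
    }

    foreach ($key in $subKeys) {
        $name  = $key.PSChildName
        $props = Get-ItemProperty -LiteralPath $key.PSPath
        if (-not $props.Altitude) {
            $findings += "[$name] Altitude is missing."
        }
        if ($null -eq $props.Flags) {
            $findings += "[$name] Flags is missing."
        } else {
            # Instance flag bits as documented for minifilter INF files.
            if ($props.Flags -band 0x1) {
                $findings += "[$name] Flags bit 0x1: automatic attachment suppressed."
            }
            if ($props.Flags -band 0x2) {
                $findings += "[$name] Flags bit 0x2: manual attachment suppressed."
            }
        }
    }

    if ($findings.Count -eq 0) {
        $findings += 'Instance configuration looks consistent.'
    }
    return $findings
}

Test-MinifilterInstanceConfig -ServiceName 'MyFile'
```

Run it from an elevated prompt on the target machine; any finding other than the last message points at an instance definition that keeps the filter from attaching as expected.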