Windows Minifilter驱动 - 获取进程ID, 进程名字和线程ID (5)
2014-09-22 14:43
393 查看
在minifilter里面可能有好几种获取调用进程id,名字和线程的办法。我这里有一种:
使用
PsSetCreateProcessNotifyRoutine 和
PsSetLoadImageNotifyRoutine
这是两个API,我们可以借助它们获取进程信息。具体看:http://msdn.microsoft.com/en-us/library/windows/hardware/ff559951(v=vs.85).aspx
PsSetLoadImageNotifyRoutine
可以使用这个函数设置一个通知回调,每当操作系统新加载一个影像文件的时候,回调函数会被调用。
比如在DriverEntry里面调用:
PsSetCreateProcessNotifyRoutine
我们可以使用这个函数来设置一个回调函数。每当操作系统创建一个进程或者关闭一个进程的时候,回调都会被调用。
DriverEntry调用:
具体回调:
IRP Event中获取进程ID和线程ID
比如在IRP_MJ_WRITE中获取:
如果我们想在IRP回调中获取进程名字。有个办法就是在PsSetLoadImageNotifyRoutine的回调函数里面把进程名和进程ID保存下来,比如保存到一个list。这样,在IRP回调里面可以用进程ID来获取进程名。
取消回调
在驱动被卸载之前,需要取消回调。不然会蓝屏。比如可以在FilterUnload那里取消。
完整代码:
使用
PsSetCreateProcessNotifyRoutine 和
PsSetLoadImageNotifyRoutine
这是两个API,我们可以借助它们获取进程信息。具体看:http://msdn.microsoft.com/en-us/library/windows/hardware/ff559951(v=vs.85).aspx
PsSetLoadImageNotifyRoutine
可以使用这个函数设置一个通知回调,每当操作系统新加载一个影像文件的时候,回调函数会被调用。
比如在DriverEntry里面调用:
PsSetLoadImageNotifyRoutine(MyMiniFilterLoadImage);回调函数:
VOID
MyMiniFilterLoadImage( __in_opt PUNICODE_STRING FullImageName, __in HANDLE ProcessId, __in PIMAGE_INFO ImageInfo )
{
UNREFERENCED_PARAMETER(ImageInfo);
if (FullImageName)
{
DbgPrint("MyMiniFilterLoadImage, image name: %wZ, pid: %d\n", FullImageName, ProcessId);
}
else
DbgPrint("MyMiniFilterLoadImage, image name: null, pid: %d\n", ProcessId);
}这样,当用户新启动一个进程的时候,这个函数就会被调用,里面可以获取进程名和进程id,还有个ImageInfo。PsSetCreateProcessNotifyRoutine
我们可以使用这个函数来设置一个回调函数。每当操作系统创建一个进程或者关闭一个进程的时候,回调都会被调用。
DriverEntry调用:
PsSetCreateProcessNotifyRoutine(MyMiniFilterProcessNotify, FALSE);
具体回调:
VOID
MyMiniFilterProcessNotify(
IN HANDLE ParentId,
IN HANDLE ProcessId,
IN BOOLEAN Create
)
{
DbgPrint("MyMiniFilterProcessNotify, pid: %d, tid: %d, create: %d\n", ParentId, ProcessId, Create);
}IRP Event中获取进程ID和线程ID
比如在IRP_MJ_WRITE中获取:
ULONG ProcessId = FltGetRequestorProcessId(Data);
ULONG ThreadId = (ULONG)PsGetThreadId(Data->Thread);
DbgPrint("IRP_MJ_WRITE, pid: %d, tid: %d\n", ProcessId, ThreadId);注意:PsGetThreadId是个未公开API。调用需要小心一些。如果我们想在IRP回调中获取进程名字。有个办法就是在PsSetLoadImageNotifyRoutine的回调函数里面把进程名和进程ID保存下来,比如保存到一个list。这样,在IRP回调里面可以用进程ID来获取进程名。
取消回调
在驱动被卸载之前,需要取消回调。不然会蓝屏。比如可以在FilterUnload那里取消。
PsSetCreateProcessNotifyRoutine(MyMiniFilterProcessNotify, TRUE); PsRemoveLoadImageNotifyRoutine(MyMiniFilterLoadImage);
完整代码:
/*++
Module Name:
MyMiniFilter.c
Abstract:
This is the main module of the MyMiniFilter miniFilter driver.
Environment:
Kernel mode
--*/
#include <fltKernel.h>
#include <dontuse.h>
#include <suppress.h>
#pragma prefast(disable:__WARNING_ENCODE_MEMBER_FUNCTION_POINTER, "Not valid for kernel mode drivers")
PFLT_FILTER gFilterHandle;
ULONG_PTR OperationStatusCtx = 1;
#define PTDBG_TRACE_ROUTINES 0x00000001
#define PTDBG_TRACE_OPERATION_STATUS 0x00000002
ULONG gTraceFlags = 0;
/*
#define PT_DBG_PRINT( _dbgLevel, _string ) \
(FlagOn(gTraceFlags,(_dbgLevel)) ? \
DbgPrint _string : \
((int)0))*/
#define PT_DBG_PRINT( _dbgLevel, _string ) \
DbgPrint _string
/*************************************************************************
Prototypes
*************************************************************************/
DRIVER_INITIALIZE DriverEntry;
NTSTATUS
DriverEntry (
_In_ PDRIVER_OBJECT DriverObject,
_In_ PUNICODE_STRING RegistryPath
);
NTSTATUS
MyMiniFilterInstanceSetup (
_In_ PCFLT_RELATED_OBJECTS FltObjects,
_In_ FLT_INSTANCE_SETUP_FLAGS Flags,
_In_ DEVICE_TYPE VolumeDeviceType,
_In_ FLT_FILESYSTEM_TYPE VolumeFilesystemType
);
VOID
MyMiniFilterInstanceTeardownStart (
_In_ PCFLT_RELATED_OBJECTS FltObjects,
_In_ FLT_INSTANCE_TEARDOWN_FLAGS Flags
);
VOID
MyMiniFilterInstanceTeardownComplete (
_In_ PCFLT_RELATED_OBJECTS FltObjects,
_In_ FLT_INSTANCE_TEARDOWN_FLAGS Flags
);
NTSTATUS
MyMiniFilterUnload (
_In_ FLT_FILTER_UNLOAD_FLAGS Flags
);
NTSTATUS
MyMiniFilterInstanceQueryTeardown (
_In_ PCFLT_RELATED_OBJECTS FltObjects,
_In_ FLT_INSTANCE_QUERY_TEARDOWN_FLAGS Flags
);
FLT_PREOP_CALLBACK_STATUS
MyMiniFilterPreOperation (
_Inout_ PFLT_CALLBACK_DATA Data,
_In_ PCFLT_RELATED_OBJECTS FltObjects,
_Flt_CompletionContext_Outptr_ PVOID *CompletionContext
);
VOID
MyMiniFilterOperationStatusCallback (
_In_ PCFLT_RELATED_OBJECTS FltObjects,
_In_ PFLT_IO_PARAMETER_BLOCK ParameterSnapshot,
_In_ NTSTATUS OperationStatus,
_In_ PVOID RequesterContext
);
FLT_POSTOP_CALLBACK_STATUS
MyMiniFilterPostOperation (
_Inout_ PFLT_CALLBACK_DATA Data,
_In_ PCFLT_RELATED_OBJECTS FltObjects,
_In_opt_ PVOID CompletionContext,
_In_ FLT_POST_OPERATION_FLAGS Flags
);
FLT_PREOP_CALLBACK_STATUS
MyMiniFilterPreOperationNoPostOperation (
_Inout_ PFLT_CALLBACK_DATA Data,
_In_ PCFLT_RELATED_OBJECTS FltObjects,
_Flt_CompletionContext_Outptr_ PVOID *CompletionContext
);
BOOLEAN
MyMiniFilterDoRequestOperationStatus(
_In_ PFLT_CALLBACK_DATA Data
);
VOID
MyMiniFilterProcessNotify (
IN HANDLE ParentId,
IN HANDLE ProcessId,
IN BOOLEAN Create
);
VOID
MyMiniFilterLoadImage(
__in_opt PUNICODE_STRING FullImageName,
__in HANDLE ProcessId,
__in PIMAGE_INFO ImageInfo
);
//
// Assign text sections for each routine.
//
#ifdef ALLOC_PRAGMA
#pragma alloc_text(INIT, DriverEntry)
#pragma alloc_text(PAGE, MyMiniFilterUnload)
#pragma alloc_text(PAGE, MyMiniFilterInstanceQueryTeardown)
#pragma alloc_text(PAGE, MyMiniFilterInstanceSetup)
#pragma alloc_text(PAGE, MyMiniFilterInstanceTeardownStart)
#pragma alloc_text(PAGE, MyMiniFilterInstanceTeardownComplete)
#endif
//
// operation registration
//
CONST FLT_OPERATION_REGISTRATION Callbacks[] = {
{ IRP_MJ_WRITE,
0,
MyMiniFilterPreOperation,
MyMiniFilterPostOperation },
#if 0 // TODO - List all of the requests to filter.
{ IRP_MJ_CREATE,
0,
MyMiniFilterPreOperation,
MyMiniFilterPostOperation },
{ IRP_MJ_CREATE_NAMED_PIPE,
0,
MyMiniFilterPreOperation,
MyMiniFilterPostOperation },
{ IRP_MJ_CLOSE,
0,
MyMiniFilterPreOperation,
MyMiniFilterPostOperation },
{ IRP_MJ_READ,
0,
MyMiniFilterPreOperation,
MyMiniFilterPostOperation },
{ IRP_MJ_WRITE,
0,
MyMiniFilterPreOperation,
MyMiniFilterPostOperation },
{ IRP_MJ_QUERY_INFORMATION,
0,
MyMiniFilterPreOperation,
MyMiniFilterPostOperation },
{ IRP_MJ_SET_INFORMATION,
0,
MyMiniFilterPreOperation,
MyMiniFilterPostOperation },
{ IRP_MJ_QUERY_EA,
0,
MyMiniFilterPreOperation,
MyMiniFilterPostOperation },
{ IRP_MJ_SET_EA,
0,
MyMiniFilterPreOperation,
MyMiniFilterPostOperation },
{ IRP_MJ_FLUSH_BUFFERS,
0,
MyMiniFilterPreOperation,
MyMiniFilterPostOperation },
{ IRP_MJ_QUERY_VOLUME_INFORMATION,
0,
MyMiniFilterPreOperation,
MyMiniFilterPostOperation },
{ IRP_MJ_SET_VOLUME_INFORMATION,
0,
MyMiniFilterPreOperation,
MyMiniFilterPostOperation },
{ IRP_MJ_DIRECTORY_CONTROL,
0,
MyMiniFilterPreOperation,
MyMiniFilterPostOperation },
{ IRP_MJ_FILE_SYSTEM_CONTROL,
0,
MyMiniFilterPreOperation,
MyMiniFilterPostOperation },
{ IRP_MJ_DEVICE_CONTROL,
0,
MyMiniFilterPreOperation,
MyMiniFilterPostOperation },
{ IRP_MJ_INTERNAL_DEVICE_CONTROL,
0,
MyMiniFilterPreOperation,
MyMiniFilterPostOperation },
{ IRP_MJ_SHUTDOWN,
0,
MyMiniFilterPreOperationNoPostOperation,
NULL }, //post operations not supported
{ IRP_MJ_LOCK_CONTROL,
0,
MyMiniFilterPreOperation,
MyMiniFilterPostOperation },
{ IRP_MJ_CLEANUP,
0,
MyMiniFilterPreOperation,
MyMiniFilterPostOperation },
{ IRP_MJ_CREATE_MAILSLOT,
0,
MyMiniFilterPreOperation,
MyMiniFilterPostOperation },
{ IRP_MJ_QUERY_SECURITY,
0,
MyMiniFilterPreOperation,
MyMiniFilterPostOperation },
{ IRP_MJ_SET_SECURITY,
0,
MyMiniFilterPreOperation,
MyMiniFilterPostOperation },
{ IRP_MJ_QUERY_QUOTA,
0,
MyMiniFilterPreOperation,
MyMiniFilterPostOperation },
{ IRP_MJ_SET_QUOTA,
0,
MyMiniFilterPreOperation,
MyMiniFilterPostOperation },
{ IRP_MJ_PNP,
0,
MyMiniFilterPreOperation,
MyMiniFilterPostOperation },
{ IRP_MJ_ACQUIRE_FOR_SECTION_SYNCHRONIZATION,
0,
MyMiniFilterPreOperation,
MyMiniFilterPostOperation },
{ IRP_MJ_RELEASE_FOR_SECTION_SYNCHRONIZATION,
0,
MyMiniFilterPreOperation,
MyMiniFilterPostOperation },
{ IRP_MJ_ACQUIRE_FOR_MOD_WRITE,
0,
MyMiniFilterPreOperation,
MyMiniFilterPostOperation },
{ IRP_MJ_RELEASE_FOR_MOD_WRITE,
0,
MyMiniFilterPreOperation,
MyMiniFilterPostOperation },
{ IRP_MJ_ACQUIRE_FOR_CC_FLUSH,
0,
MyMiniFilterPreOperation,
MyMiniFilterPostOperation },
{ IRP_MJ_RELEASE_FOR_CC_FLUSH,
0,
MyMiniFilterPreOperation,
MyMiniFilterPostOperation },
{ IRP_MJ_FAST_IO_CHECK_IF_POSSIBLE,
0,
MyMiniFilterPreOperation,
MyMiniFilterPostOperation },
{ IRP_MJ_NETWORK_QUERY_OPEN,
0,
MyMiniFilterPreOperation,
MyMiniFilterPostOperation },
{ IRP_MJ_MDL_READ,
0,
MyMiniFilterPreOperation,
MyMiniFilterPostOperation },
{ IRP_MJ_MDL_READ_COMPLETE,
0,
MyMiniFilterPreOperation,
MyMiniFilterPostOperation },
{ IRP_MJ_PREPARE_MDL_WRITE,
0,
MyMiniFilterPreOperation,
MyMiniFilterPostOperation },
{ IRP_MJ_MDL_WRITE_COMPLETE,
0,
MyMiniFilterPreOperation,
MyMiniFilterPostOperation },
{ IRP_MJ_VOLUME_MOUNT,
0,
MyMiniFilterPreOperation,
MyMiniFilterPostOperation },
{ IRP_MJ_VOLUME_DISMOUNT,
0,
MyMiniFilterPreOperation,
MyMiniFilterPostOperation },
#endif // TODO
{ IRP_MJ_OPERATION_END }
};
//
// This defines what we want to filter with FltMgr
//
CONST FLT_REGISTRATION FilterRegistration = {
sizeof( FLT_REGISTRATION ), // Size
FLT_REGISTRATION_VERSION, // Version
0, // Flags
NULL, // Context
Callbacks, // Operation callbacks
MyMiniFilterUnload, // MiniFilterUnload
MyMiniFilterInstanceSetup, // InstanceSetup
MyMiniFilterInstanceQueryTeardown, // InstanceQueryTeardown
MyMiniFilterInstanceTeardownStart, // InstanceTeardownStart
MyMiniFilterInstanceTeardownComplete, // InstanceTeardownComplete
NULL, // GenerateFileName
NULL, // GenerateDestinationFileName
NULL // NormalizeNameComponent
};
NTSTATUS
MyMiniFilterInstanceSetup (
_In_ PCFLT_RELATED_OBJECTS FltObjects,
_In_ FLT_INSTANCE_SETUP_FLAGS Flags,
_In_ DEVICE_TYPE VolumeDeviceType,
_In_ FLT_FILESYSTEM_TYPE VolumeFilesystemType
)
/*++
Routine Description:
This routine is called whenever a new instance is created on a volume. This
gives us a chance to decide if we need to attach to this volume or not.
If this routine is not defined in the registration structure, automatic
instances are always created.
Arguments:
FltObjects - Pointer to the FLT_RELATED_OBJECTS data structure containing
opaque handles to this filter, instance and its associated volume.
Flags - Flags describing the reason for this attach request.
Return Value:
STATUS_SUCCESS - attach
STATUS_FLT_DO_NOT_ATTACH - do not attach
--*/
{
UNREFERENCED_PARAMETER( FltObjects );
UNREFERENCED_PARAMETER( Flags );
UNREFERENCED_PARAMETER( VolumeDeviceType );
UNREFERENCED_PARAMETER( VolumeFilesystemType );
PAGED_CODE();
PT_DBG_PRINT( PTDBG_TRACE_ROUTINES,
("MyMiniFilter!MyMiniFilterInstanceSetup: Entered\n") );
return STATUS_SUCCESS;
}
NTSTATUS
MyMiniFilterInstanceQueryTeardown (
_In_ PCFLT_RELATED_OBJECTS FltObjects,
_In_ FLT_INSTANCE_QUERY_TEARDOWN_FLAGS Flags
)
/*++
Routine Description:
This is called when an instance is being manually deleted by a
call to FltDetachVolume or FilterDetach thereby giving us a
chance to fail that detach request.
If this routine is not defined in the registration structure, explicit
detach requests via FltDetachVolume or FilterDetach will always be
failed.
Arguments:
FltObjects - Pointer to the FLT_RELATED_OBJECTS data structure containing
opaque handles to this filter, instance and its associated volume.
Flags - Indicating where this detach request came from.
Return Value:
Returns the status of this operation.
--*/
{
UNREFERENCED_PARAMETER( FltObjects );
UNREFERENCED_PARAMETER( Flags );
PAGED_CODE();
PT_DBG_PRINT( PTDBG_TRACE_ROUTINES,
("MyMiniFilter!MyMiniFilterInstanceQueryTeardown: Entered\n") );
return STATUS_SUCCESS;
}
VOID
MyMiniFilterInstanceTeardownStart (
_In_ PCFLT_RELATED_OBJECTS FltObjects,
_In_ FLT_INSTANCE_TEARDOWN_FLAGS Flags
)
/*++
Routine Description:
This routine is called at the start of instance teardown.
Arguments:
FltObjects - Pointer to the FLT_RELATED_OBJECTS data structure containing
opaque handles to this filter, instance and its associated volume.
Flags - Reason why this instance is being deleted.
Return Value:
None.
--*/
{
UNREFERENCED_PARAMETER( FltObjects );
UNREFERENCED_PARAMETER( Flags );
PAGED_CODE();
PT_DBG_PRINT( PTDBG_TRACE_ROUTINES,
("MyMiniFilter!MyMiniFilterInstanceTeardownStart: Entered\n") );
}
VOID
MyMiniFilterInstanceTeardownComplete (
_In_ PCFLT_RELATED_OBJECTS FltObjects,
_In_ FLT_INSTANCE_TEARDOWN_FLAGS Flags
)
/*++
Routine Description:
This routine is called at the end of instance teardown.
Arguments:
FltObjects - Pointer to the FLT_RELATED_OBJECTS data structure containing
opaque handles to this filter, instance and its associated volume.
Flags - Reason why this instance is being deleted.
Return Value:
None.
--*/
{
UNREFERENCED_PARAMETER( FltObjects );
UNREFERENCED_PARAMETER( Flags );
PAGED_CODE();
PT_DBG_PRINT( PTDBG_TRACE_ROUTINES,
("MyMiniFilter!MyMiniFilterInstanceTeardownComplete: Entered\n") );
}
/*************************************************************************
MiniFilter initialization and unload routines.
*************************************************************************/
NTSTATUS
DriverEntry (
_In_ PDRIVER_OBJECT DriverObject,
_In_ PUNICODE_STRING RegistryPath
)
/*++
Routine Description:
This is the initialization routine for this miniFilter driver. This
registers with FltMgr and initializes all global data structures.
Arguments:
DriverObject - Pointer to driver object created by the system to
represent this driver.
RegistryPath - Unicode string identifying where the parameters for this
driver are located in the registry.
Return Value:
Routine can return non success error codes.
--*/
{
NTSTATUS status;
UNREFERENCED_PARAMETER( RegistryPath );
PT_DBG_PRINT( PTDBG_TRACE_ROUTINES,
("MyMiniFilter!DriverEntry: Entered\n") );
//
// Register with FltMgr to tell it our callback routines
//
status = FltRegisterFilter( DriverObject,
&FilterRegistration,
&gFilterHandle );
FLT_ASSERT( NT_SUCCESS( status ) );
PsSetCreateProcessNotifyRoutine(MyMiniFilterProcessNotify, FALSE);
PsSetLoadImageNotifyRoutine(MyMiniFilterLoadImage);
if (NT_SUCCESS( status )) {
//
// Start filtering i/o
//
status = FltStartFiltering( gFilterHandle );
if (!NT_SUCCESS( status )) {
FltUnregisterFilter( gFilterHandle );
}
}
return status;
}
NTSTATUS
MyMiniFilterUnload (
_In_ FLT_FILTER_UNLOAD_FLAGS Flags
)
/*++
Routine Description:
This is the unload routine for this miniFilter driver. This is called
when the minifilter is about to be unloaded. We can fail this unload
request if this is not a mandatory unload indicated by the Flags
parameter.
Arguments:
Flags - Indicating if this is a mandatory unload.
Return Value:
Returns STATUS_SUCCESS.
--*/
{
UNREFERENCED_PARAMETER( Flags );
PAGED_CODE();
PT_DBG_PRINT( PTDBG_TRACE_ROUTINES,
("MyMiniFilter!MyMiniFilterUnload: Entered\n") );
PsSetCreateProcessNotifyRoutine(MyMiniFilterProcessNotify, TRUE); PsRemoveLoadImageNotifyRoutine(MyMiniFilterLoadImage);
FltUnregisterFilter( gFilterHandle );
return STATUS_SUCCESS;
}
/*************************************************************************
MiniFilter callback routines.
*************************************************************************/
FLT_PREOP_CALLBACK_STATUS
MyMiniFilterPreOperation (
_Inout_ PFLT_CALLBACK_DATA Data,
_In_ PCFLT_RELATED_OBJECTS FltObjects,
_Flt_CompletionContext_Outptr_ PVOID *CompletionContext
)
/*++
Routine Description:
This routine is a pre-operation dispatch routine for this miniFilter.
This is non-pageable because it could be called on the paging path
Arguments:
Data - Pointer to the filter callbackData that is passed to us.
FltObjects - Pointer to the FLT_RELATED_OBJECTS data structure containing
opaque handles to this filter, instance, its associated volume and
file object.
CompletionContext - The context for the completion routine for this
operation.
Return Value:
The return value is the status of the operation.
--*/
{
NTSTATUS status;
UNREFERENCED_PARAMETER( FltObjects );
UNREFERENCED_PARAMETER( CompletionContext );
if (Data && Data->Thread)
{
ULONG ProcessId = FltGetRequestorProcessId(Data);
ULONG ThreadId = (ULONG)PsGetThreadId(Data->Thread);
DbgPrint("IRP_MJ_WRITE, pid: %d, tid: %d\n", ProcessId, ThreadId);
}
//
// See if this is an operation we would like the operation status
// for. If so request it.
//
// NOTE: most filters do NOT need to do this. You only need to make
// this call if, for example, you need to know if the oplock was
// actually granted.
//
if (MyMiniFilterDoRequestOperationStatus( Data )) {
status = FltRequestOperationStatusCallback( Data,
MyMiniFilterOperationStatusCallback,
(PVOID)(++OperationStatusCtx) );
if (!NT_SUCCESS(status)) {
PT_DBG_PRINT( PTDBG_TRACE_OPERATION_STATUS,
("MyMiniFilter!MyMiniFilterPreOperation: FltRequestOperationStatusCallback Failed, status=%08x\n",
status) );
}
}
// This template code does not do anything with the callbackData, but
// rather returns FLT_PREOP_SUCCESS_WITH_CALLBACK.
// This passes the request down to the next miniFilter in the chain.
return FLT_PREOP_SUCCESS_WITH_CALLBACK;
}
VOID
MyMiniFilterOperationStatusCallback (
_In_ PCFLT_RELATED_OBJECTS FltObjects,
_In_ PFLT_IO_PARAMETER_BLOCK ParameterSnapshot,
_In_ NTSTATUS OperationStatus,
_In_ PVOID RequesterContext
)
/*++
Routine Description:
This routine is called when the given operation returns from the call
to IoCallDriver. This is useful for operations where STATUS_PENDING
means the operation was successfully queued. This is useful for OpLocks
and directory change notification operations.
This callback is called in the context of the originating thread and will
never be called at DPC level. The file object has been correctly
referenced so that you can access it. It will be automatically
dereferenced upon return.
This is non-pageable because it could be called on the paging path
Arguments:
FltObjects - Pointer to the FLT_RELATED_OBJECTS data structure containing
opaque handles to this filter, instance, its associated volume and
file object.
RequesterContext - The context for the completion routine for this
operation.
OperationStatus -
Return Value:
The return value is the status of the operation.
--*/
{
UNREFERENCED_PARAMETER( FltObjects );
PT_DBG_PRINT( PTDBG_TRACE_ROUTINES,
("MyMiniFilter!MyMiniFilterOperationStatusCallback: Entered\n") );
PT_DBG_PRINT( PTDBG_TRACE_OPERATION_STATUS,
("MyMiniFilter!MyMiniFilterOperationStatusCallback: Status=%08x ctx=%p IrpMj=%02x.%02x \"%s\"\n",
OperationStatus,
RequesterContext,
ParameterSnapshot->MajorFunction,
ParameterSnapshot->MinorFunction,
FltGetIrpName(ParameterSnapshot->MajorFunction)) );
}
FLT_POSTOP_CALLBACK_STATUS
MyMiniFilterPostOperation (
_Inout_ PFLT_CALLBACK_DATA Data,
_In_ PCFLT_RELATED_OBJECTS FltObjects,
_In_opt_ PVOID CompletionContext,
_In_ FLT_POST_OPERATION_FLAGS Flags
)
/*++
Routine Description:
This routine is the post-operation completion routine for this
miniFilter.
This is non-pageable because it may be called at DPC level.
Arguments:
Data - Pointer to the filter callbackData that is passed to us.
FltObjects - Pointer to the FLT_RELATED_OBJECTS data structure containing
opaque handles to this filter, instance, its associated volume and
file object.
CompletionContext - The completion context set in the pre-operation routine.
Flags - Denotes whether the completion is successful or is being drained.
Return Value:
The return value is the status of the operation.
--*/
{
UNREFERENCED_PARAMETER( Data );
UNREFERENCED_PARAMETER( FltObjects );
UNREFERENCED_PARAMETER( CompletionContext );
UNREFERENCED_PARAMETER( Flags );
/* PT_DBG_PRINT( PTDBG_TRACE_ROUTINES,
("MyMiniFilter!MyMiniFilterPostOperation: Entered\n") );*/
return FLT_POSTOP_FINISHED_PROCESSING;
}
FLT_PREOP_CALLBACK_STATUS
MyMiniFilterPreOperationNoPostOperation (
_Inout_ PFLT_CALLBACK_DATA Data,
_In_ PCFLT_RELATED_OBJECTS FltObjects,
_Flt_CompletionContext_Outptr_ PVOID *CompletionContext
)
/*++
Routine Description:
This routine is a pre-operation dispatch routine for this miniFilter.
This is non-pageable because it could be called on the paging path
Arguments:
Data - Pointer to the filter callbackData that is passed to us.
FltObjects - Pointer to the FLT_RELATED_OBJECTS data structure containing
opaque handles to this filter, instance, its associated volume and
file object.
CompletionContext - The context for the completion routine for this
operation.
Return Value:
The return value is the status of the operation.
--*/
{
UNREFERENCED_PARAMETER( Data );
UNREFERENCED_PARAMETER( FltObjects );
UNREFERENCED_PARAMETER( CompletionContext );
PT_DBG_PRINT( PTDBG_TRACE_ROUTINES,
("MyMiniFilter!MyMiniFilterPreOperationNoPostOperation: Entered\n") );
// This template code does not do anything with the callbackData, but
// rather returns FLT_PREOP_SUCCESS_NO_CALLBACK.
// This passes the request down to the next miniFilter in the chain.
return FLT_PREOP_SUCCESS_NO_CALLBACK;
}
BOOLEAN
MyMiniFilterDoRequestOperationStatus(
_In_ PFLT_CALLBACK_DATA Data
)
/*++
Routine Description:
This identifies those operations we want the operation status for. These
are typically operations that return STATUS_PENDING as a normal completion
status.
Arguments:
Return Value:
TRUE - If we want the operation status
FALSE - If we don't
--*/
{
PFLT_IO_PARAMETER_BLOCK iopb = Data->Iopb;
//
// return boolean state based on which operations we are interested in
//
return (BOOLEAN)
//
// Check for oplock operations
//
(((iopb->MajorFunction == IRP_MJ_FILE_SYSTEM_CONTROL) &&
((iopb->Parameters.FileSystemControl.Common.FsControlCode == FSCTL_REQUEST_FILTER_OPLOCK) ||
(iopb->Parameters.FileSystemControl.Common.FsControlCode == FSCTL_REQUEST_BATCH_OPLOCK) ||
(iopb->Parameters.FileSystemControl.Common.FsControlCode == FSCTL_REQUEST_OPLOCK_LEVEL_1) ||
(iopb->Parameters.FileSystemControl.Common.FsControlCode == FSCTL_REQUEST_OPLOCK_LEVEL_2)))
||
//
// Check for directy change notification
//
((iopb->MajorFunction == IRP_MJ_DIRECTORY_CONTROL) &&
(iopb->MinorFunction == IRP_MN_NOTIFY_CHANGE_DIRECTORY))
);
}
VOID MyMiniFilterProcessNotify( IN HANDLE ParentId, IN HANDLE ProcessId, IN BOOLEAN Create ) { DbgPrint("MyMiniFilterProcessNotify, pid: %d, tid: %d, create: %d\n", ParentId, ProcessId, Create); }
VOID MyMiniFilterLoadImage( __in_opt PUNICODE_STRING FullImageName, __in HANDLE ProcessId, __in PIMAGE_INFO ImageInfo ) { UNREFERENCED_PARAMETER(ImageInfo); if (FullImageName) { DbgPrint("MyMiniFilterLoadImage, image name: %wZ, pid: %d\n", FullImageName, ProcessId); } else DbgPrint("MyMiniFilterLoadImage, image name: null, pid: %d\n", ProcessId); }
内容来自用户分享和网络整理,不保证内容的准确性,如有侵权内容,可联系管理员处理 
相关文章推荐
- 【windows内核驱动开发】文件系统微过滤驱动Minifilter——获取进程信息
- 获取进程和线程id函数简介
- 获取当前进程/线程的ID、句柄和内核地址
- WinAPI: GetWindowThreadProcessId - 获取指定窗口的进程 ID 或线程 ID
- 通过Windows进程ID获取窗口句柄
- 根据进程名字获取id并kill
- 如何在Windows和Linux下获取当前线程的ID号
- Windows Minifilter驱动 - DriverEntry (3)
- 获取当前进程ID和子线程的线程ID
- 根绝exe名字获取进程ID
- Windows 驱动:获取当前进程名
- Windows-核心编程-04-进程-获取进程 线程 模块(DLL)信息
- Windows驱动_文件系统微小过滤驱动之五MiniFilter例程解析
- linux根据进程名字获取进程ID
- Hacking Windows CE: 如何从线程ID获取线程名称
- windows驱动里通过进程ID获得进程名和所属用户
- Windows下获取Dump文件以及进程下各线程调用栈的方法总结
- windows应用开发由浅入深(五)关于进程和线程--获取当前进程信息
- 获取iOS设备上所有的进程名字,以及进程的ID,
- Windows下获取Dump文件以及进程下各线程调用栈的方法总结(转)