Windows File System filter driver development tutorial (0, 1)

Windows File System filter driver development tutorial

0. Self-reported by Chu madman

I have been playing the role of "technical implementer" for all project managers online for a long time. I feel that the development of Windows File System drivers can find less information. I have written this tutorial with my work experience in order to keep my technical experience away from forgetting and arouse your interest in communication.

My understanding may not be correct. If you have any mistakes, please kindly advise. If you have any questions, contact me. We are also willing to develop various driver projects. Mailbox For MFC_Tan_Wen@163.com, QQ for 16191935.

You can obtain and modify this tutorial for free and paste it to any website. However, you shall not plagiarize any content as part or whole of any profitable publications.

1. Overview, research purpose and preparation

I often encounter requests from my peers online to develop File System drivers. Most of Windows PCs use filter drivers. The goal is:

First, it is used for anti-virus engines. When the system reads and writes files, it is expected to capture the read and write data and check whether the data contains viruses.Code.

Second, it is used to encrypt the file system and want to encrypt and decrypt the data during file writing.

Third, design transparent file system acceleration. Suitable cache for disk read/writeAlgorithmYes, it can greatly improve the efficiency of the disk. The cache algorithm of windows may not be suitable for some special read/write operations.

Disk operations (such as reading streaming media files on a Streaming Media Server ). I already have some experience designing my own cache algorithm.

If you have such requirements, read this tutorial.

File System drivers are one of the most complex types of drivers in windows. I can't hold too much hope for the help in ifsddk. In my experience, the DDK help related to the file system is extremely simple, and many important parts have only been omitted. If ifsddk is installed, read the documents under SRC \ filesys \ osr_docs. Not just the help of DDK.

There are few books on file system-driven development. I have only seen two or three chapters in a driver development book translated by Hou Jie. It is only applicable to the VxD driver of 9X. I have met an English document on the NT file system. I don't even remember the titles of these two books.

If you want to develop a 9x or NT file system driver, we recommend that you download the book mentioned above online. Both books have free electronic version downloads. If you want to develop a file system driver for Windows2000, WindowsXP, and window2003, read this tutorial. This tutorial only describes the file system filter driver. However, if you want to develop a new file system driver, this tutorial will be of great help to you.

Before learning file system driver development, you should install ifsddk on the machine. The more advanced the DDK version is, the more system calls are provided in the header file. Some people often ask questions such as the xpddk driver cannot run on 2000. I think it can be explained as follows: the DDK of the advanced version can always compile the code of the low-level driver, and the obtained binary version can always be run on the low-level system. However
In turn, it may not be possible. If you want to write a driver for a low-level system on an advanced system, pay attention to calling only some system calls on the low-level system.

Ifsddk can be downloaded for free on some FTP.

I use ifs DDK for XP, but one of the two machines I used for development is Windows 2000 and the other is Windows 2003. I try to make the compiled driver pass the test on all three systems, 2000 \ XP \ 2003.

There are many introductions on how to install and configure DDK and develop drivers in VC. After ifsddk is installed, the filesys directory under the src directory contains an example of a file system driver. By reading this code, you can quickly learn file system driver development.

The sfilter in the filter directory is an example of a file system filter driver. Another filespy is completely complicated by the code in this example.

For more information about how to compile this example with DDK, see related documents.

After the file system filter driver is compiled, you get a file with the extension sys. At the same time, you need to write a. inf file to install the driver. I will not discuss the details of the. inf file here. You can directly use the INF file under the sfilter directory to modify it.

Right-click the INF file and choose "Install" from the shortcut menu to install the filter driver. However, it takes effect only after the system is restarted.

If the blue screen cannot be started after restart, you can use other methods to boot the system and then delete your. SYS file in the System32 \ DRIVERS directory and restart the system. In this case, I tried to use the security mode and returned

It is a blue screen. So I had to install two 2000 systems on the machine later. In the case of two systems, one system crashes and starts with another system. Just delete the original driver.

To debug the code, install SoftICE.

Open the file sources under the sfilter directory (this file does not have an extension) and add a line
Browser_info = 1

Then open the symbol loader, file-> open, select the compiled XXX. sys, modul-> load, modul-> translate, and then debug the program.

Open SoftICE and enter file * to view the code.

If you are ready, we can start to figure out the development of the filter driver for the Windows file system.