Windows Filesystem filter driver

標籤：des   blog   http   os   使用   io   for   ar   art   

參考：http://www.codeproject.com/Articles/43586/File-System-Filter-Driver-Tutorial

關鍵點：

To perform attaching, we create a new device object with the device extension (call IoCreateDevice) and the propagate device object flags from the device object we are trying to attach to (DO_BUFFERED_IO, DO_DIRECT_IO,FILE_DEVICE_SECURE_OPEN). Then, we call IoAttachDeviceToDeviceStackSafe in a loop with a delay in the case of failure. It is possible for this attachment request to fail because the device object has not finished initialization. This situation can occur if we try to mount the filter that was loaded as the volume only. When attaching is finished, we save the “attached to” device object to the device extension and clear the DO_DEVICE_INITIALIZING flag. The device extension is shown below:

首先建立一個hookDevice，指定我們正在操作的driver為它服務；

然後使用IoAttachDeviceByPointer或者IoAttachDeviceToDeviceStack，將hookDevice放到targetDevice所在Dev Stack的頂部，這樣，當有IRP過來時，會先經過hookDevice，即先調用我們的Driver進行處理，再傳給下一層driver進行處理。

The IoAttachDeviceToDeviceStack routine attaches the caller‘s device object to the highest device object in the chain and returns a pointer to the previously highest device object. 

　　

下面以例子說明

kd> !drvobj atapiDriver object (867ce610) is for: \Driver\atapiDriver Extension List: (id , addr)(f744e8d8 867d2430)  Device Object list:86758b00  8675ab00  86790b00  8678603086787030 

　　

kd> dt _DRIVER_OBJECT 0x867ce610ntdll!_DRIVER_OBJECT   +0x000 Type             : 0n4   +0x002 Size             : 0n168   +0x004 DeviceObject     : 0x86758b00 _DEVICE_OBJECT   +0x008 Flags            : 0x12   +0x00c DriverStart      : 0xf743a000 Void   +0x010 DriverSize       : 0x17480   +0x014 DriverSection    : 0x867ebbc0 Void   +0x018 DriverExtension  : 0x867ce6b8 _DRIVER_EXTENSION   +0x01c DriverName       : _UNICODE_STRING "\Driver\atapi"   +0x024 HardwareDatabase : 0x80670260 _UNICODE_STRING "\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\SYSTEM"   +0x028 FastIoDispatch   : (null)    +0x02c DriverInit       : 0xf744f5f7     long  atapi!GsDriverEntry+0   +0x030 DriverStartIo    : 0xf74417c6     void  atapi!IdePortStartIo+0   +0x034 DriverUnload     : 0xf744b204     void  atapi!IdePortUnload+0   +0x038 MajorFunction    : [28] 0xf7444572     long  atapi!IdePortAlwaysStatusSuccessIrp+0

　　

表明，驅動名稱為apapi，它一共為5個device提供服務，我們來看一下其中第一個device object

kd> dt _DEVICE_OBJECT 0x86758b00ntdll!_DEVICE_OBJECT   +0x000 Type             : 0n3   +0x002 Size             : 0x234   +0x004 ReferenceCount   : 0n0   +0x008 DriverObject     : 0x867ce610 _DRIVER_OBJECT   +0x00c NextDevice       : 0x8675ab00 _DEVICE_OBJECT   +0x010 AttachedDevice   : 0x8678f030 _DEVICE_OBJECT   +0x014 CurrentIrp       : (null)    +0x018 Timer            : (null)    +0x01c Flags            : 0x5050   +0x020 Characteristics  : 0x101   +0x024 Vpb              : (null)    +0x028 DeviceExtension  : 0x86758bb8 Void   +0x02c DeviceType       : 2   +0x030 StackSize        : 1 ‘‘   +0x034 Queue            : __unnamed   +0x05c AlignmentRequirement : 1   +0x060 DeviceQueue      : _KDEVICE_QUEUE   +0x074 Dpc              : _KDPC   +0x094 ActiveThreadCount : 0   +0x098 SecurityDescriptor : 0xe100cf70 Void   +0x09c DeviceLock       : _KEVENT   +0x0ac SectorSize       : 0   +0x0ae Spare1           : 1   +0x0b0 DeviceObjectExtension : 0x86758d38 _DEVOBJ_EXTENSION   +0x0b4 Reserved         : (null) 

　　

+0x008 DriverObject : 0x867ce610 _DRIVER_OBJECT　　【指向為其服務的driver，即atapi】
+0x00c NextDevice : 0x8675ab00 _DEVICE_OBJECT　　【指向atapi中的device list中的下一項，在!drvobj atapi的結果中得到了驗證】
+0x010 AttachedDevice 　: 0x8678f030 _DEVICE_OBJECT　　【指向該device object所在的device stack中的下一項，或者說更加靠近頂層的一項】

我們沿著device stack一直向下遍曆：

kd> dt _DEVICE_OBJECT 0x8678f030 ntdll!_DEVICE_OBJECT   +0x000 Type             : 0n3   +0x002 Size             : 0x47c   +0x004 ReferenceCount   : 0n0   +0x008 DriverObject     : 0x867d0970 _DRIVER_OBJECT   +0x00c NextDevice       : (null)    +0x010 AttachedDevice   : (null)    +0x014 CurrentIrp       : (null)    +0x018 Timer            : 0x8679a548 _IO_TIMER   +0x01c Flags            : 0x2050   +0x020 Characteristics  : 0x101   +0x024 Vpb              : 0x867bebe0 _VPB   +0x028 DeviceExtension  : 0x8678f0e8 Void   +0x02c DeviceType       : 2   +0x030 StackSize        : 3 ‘‘   +0x034 Queue            : __unnamed   +0x05c AlignmentRequirement : 1   +0x060 DeviceQueue      : _KDEVICE_QUEUE   +0x074 Dpc              : _KDPC   +0x094 ActiveThreadCount : 0   +0x098 SecurityDescriptor : 0xe100cf70 Void   +0x09c DeviceLock       : _KEVENT   +0x0ac SectorSize       : 0   +0x0ae Spare1           : 0   +0x0b0 DeviceObjectExtension : 0x8678f4b0 _DEVOBJ_EXTENSION   +0x0b4 Reserved         : (null) 

kd> !devstack 0x8678f030   !DevObj   !DrvObj            !DevExt   ObjectName> 8678f030  \Driver\Cdrom      8678f0e8  CdRom0  86758b00  \Driver\atapi      86758bb8  IdeDeviceP1T0L0-17!DevNode 8678f9b8 :  DeviceInst is "IDE\CdRomVBOX_CD-ROM_____________________________1.0_____\42562d3231303037333036372020202020202020"  ServiceName is "cdrom"

　　

可見，device stack其實就是通過_DEVICE_OBJECT中的AttachedDevice指標串聯起來的一個單鏈表，當調用IoAttachDeviceToDeviceStack時，會在該device stack的最頂端添加我們自己的device object。

然後，當一個IRP過來時，不論它是以這個device object中的哪一個device object作為參數，它都會傳遞到棧的最頂端的device所對應的driver中去處理。

因此，這就是為什麼IoAttachDeviceToDeviceStack能夠建立file system filter driver的原因。

　　

 

Windows Filesystem filter driver