文件操作

开发平台：

Visual C++

FILEMON.C：源码内容

strcpy( Buffer, "NOT A DIRECTORY" );
break;
case STATUS_NO_SUCH_FILE:
strcpy( Buffer, "NO SUCH FILE" );
break;
case STATUS_OBJECT_NAME_COLLISION:
strcpy( Buffer, "NAME COLLISION" );
break;
case STATUS_NONEXISTENT_SECTOR:
strcpy( Buffer, "NONEXISTENT SECTOR" );
break;
case STATUS_BAD_NETWORK_PATH:
strcpy( Buffer, "BAD NETWORK PATH" );
break;
case STATUS_OBJECT_PATH_NOT_FOUND:
strcpy( Buffer, "PATH NOT FOUND" );
break;
case STATUS_NO_SUCH_DEVICE:
strcpy( Buffer, "INVALID PARAMETER" );
break;
case STATUS_END_OF_FILE:
strcpy( Buffer, "END OF FILE" );
break;
case STATUS_NOTIFY_CLEANUP:
strcpy( Buffer, "NOTIFY CLEANUP" );
break;
case STATUS_BUFFER_OVERFLOW:
strcpy( Buffer, "BUFFER OVERFLOW" );
break;
case STATUS_NO_MORE_ENTRIES:
strcpy( Buffer, "NO MORE ENTRIES" );
break;
case STATUS_ACCESS_DENIED:
strcpy( Buffer, "ACCESS DENIED" );
break;
case STATUS_SHARING_VIOLATION:
strcpy( Buffer, "SHARING VIOLATION" );
break;
case STATUS_INVALID_PARAMETER:
strcpy( Buffer, "INVALID PARAMETER" );
break;
case STATUS_OPLOCK_BREAK_IN_PROGRESS:
strcpy( Buffer, "OPLOCK BREAK" );
break;
case STATUS_OPLOCK_NOT_GRANTED:
strcpy( Buffer, "OPLOCK NOT GRANTED" );
break;
case STATUS_FILE_LOCK_CONFLICT:
strcpy( Buffer, "FILE LOCK CONFLICT" );
break;
case STATUS_PENDING:
strcpy( Buffer, "PENDING" );
break;
case STATUS_REPARSE:
strcpy( Buffer, "REPARSE" );
break;
case STATUS_MORE_ENTRIES:
strcpy( Buffer, "MORE" );
break;
case STATUS_DELETE_PENDING:
strcpy( Buffer, "DELETE PEND" );
break;
case STATUS_CANNOT_DELETE:
strcpy( Buffer, "CANNOT DELETE" );
break;
case STATUS_LOCK_NOT_GRANTED:
strcpy( Buffer, "NOT GRANTED" );
break;
case STATUS_FILE_IS_A_DIRECTORY:
strcpy( Buffer, "IS DIRECTORY" );
break;
case STATUS_ALREADY_COMMITTED:
strcpy( Buffer, "ALREADY COMMITTED" );
break;
case STATUS_INVALID_EA_FLAG:
strcpy( Buffer, "INVALID EA FLAG" );
break;
case STATUS_INVALID_INFO_CLASS:
strcpy( Buffer, "INVALID INFO CLASS" );
break;
case STATUS_INVALID_HANDLE:
strcpy( Buffer, "INVALID HANDLE" );
break;
case STATUS_INVALID_DEVICE_REQUEST:
strcpy( Buffer, "INVALID DEVICE REQUEST" );
break;
case STATUS_WRONG_VOLUME:
strcpy( Buffer, "WRONG VOLUME" );
break;
case STATUS_UNEXPECTED_NETWORK_ERROR:
strcpy( Buffer, "NETWORK ERROR" );
break;
case STATUS_DFS_UNAVAILABLE:
strcpy( Buffer, "DFS UNAVAILABLE" );
break;
case STATUS_LOG_FILE_FULL:
strcpy( Buffer, "LOG FILE FULL" );
break;
//
// Named pipe errors
//
case STATUS_INSTANCE_NOT_AVAILABLE:
strcpy( Buffer, "INSTANCE NOT AVAILABLE" );
break;
case STATUS_PIPE_NOT_AVAILABLE:
strcpy( Buffer, "PIPE NOT AVAILABLE" );
break;
case STATUS_INVALID_PIPE_STATE:
strcpy( Buffer, "INVALID PIPE STATE" );
break;
case STATUS_PIPE_BUSY:
strcpy( Buffer, "PIPE BUSY" );
break;
case STATUS_PIPE_DISCONNECTED:
strcpy( Buffer, "PIPE DISCONNECTED" );
break;
case STATUS_PIPE_CLOSING:
strcpy( Buffer, "PIPE CLOSING" );
break;
case STATUS_PIPE_CONNECTED:
strcpy( Buffer, "PIPE CONNECTED" );
break;
case STATUS_PIPE_LISTENING:
strcpy( Buffer, "PIPE LISTENING" );
break;
case STATUS_INVALID_READ_MODE:
strcpy( Buffer, "INVALID READ MODE" );
break;
case STATUS_PIPE_EMPTY:
strcpy( Buffer, "PIPE EMPTY" );
break;
case STATUS_PIPE_BROKEN:
strcpy( Buffer, "PIPE BROKEN" );
break;
case STATUS_IO_TIMEOUT:
strcpy( Buffer, "IO TIMEOUT" );
break;
default:
sprintf( Buffer, "* 0x%X", RetStat );
break;
}
return Buffer;
}
//----------------------------------------------------------------------
//
// CreateOptionsString
//
// Takes the options mask and returns a string that represents
// the settings.
//
//----------------------------------------------------------------------
PCHAR CreateOptionsString( ULONG Options, PCHAR Buffer )
{
ULONG disposition;
Buffer[0] = 0;
disposition = (Options >> 24) & 0xFF;
switch( disposition ) {
case FILE_SUPERSEDE:
strcat( Buffer, "Supersede " );
break;
case FILE_CREATE:
strcat( Buffer, "Create " );
break;
case FILE_OPEN_IF:
strcat( Buffer, "OpenIf " );
break;
case FILE_OPEN:
strcat( Buffer, "Open " );
break;
case FILE_OVERWRITE:
strcat( Buffer, "Overwrite " );
break;
case FILE_OVERWRITE_IF:
strcat( Buffer, "OverwriteIf " );
break;
}
if( Options & FILE_DIRECTORY_FILE )
strcat( Buffer, "Directory " );
if( Options & FILE_WRITE_THROUGH )
strcat( Buffer, "WriteThrough " );
if( Options & FILE_SEQUENTIAL_ONLY )
strcat( Buffer, "Sequential " );
if( Options & FILE_NO_INTERMEDIATE_BUFFERING )
strcat( Buffer, "NoBuffer" );
return Buffer;
}
//----------------------------------------------------------------------
//
// CreateAttributesString
//
// Take attributes and return a string that represents them.
//
//----------------------------------------------------------------------
PCHAR CreateAttributesString( USHORT Attributes, PCHAR Buffer )
{
Buffer[0] = 0;
if( !Attributes ) {
strcat( Buffer, "Any" );
return Buffer;
}
if( Attributes & FILE_ATTRIBUTE_COMPRESSED) strcat( Buffer, "C" );
if( Attributes & FILE_ATTRIBUTE_TEMPORARY) strcat( Buffer, "T" );
if( Attributes & FILE_ATTRIBUTE_DIRECTORY) strcat( Buffer, "D" );
if( Attributes & FILE_ATTRIBUTE_READONLY) strcat( Buffer, "R" );
if( Attributes & FILE_ATTRIBUTE_HIDDEN ) strcat( Buffer, "H" );
if( Attributes & FILE_ATTRIBUTE_SYSTEM ) strcat( Buffer, "S" );
if( Attributes & FILE_ATTRIBUTE_ARCHIVE ) strcat( Buffer, "A" );
if( Attributes & FILE_ATTRIBUTE_NORMAL ) strcat( Buffer, "N" );
return Buffer;
}
//----------------------------------------------------------------------
// F A S T I O R O U T I N E S
//
// NOTE: There is no need for us to worry about accessing fastio
// parameters within try/except because the I/O manager has either
// probed the validity of the arguments or calls within its own
// try/except block (it doesn't trust us anyway :-) ).
//
//----------------------------------------------------------------------
//----------------------------------------------------------------------
//
// FilemonFastIoCheckIfPossible
//
//----------------------------------------------------------------------
BOOLEAN FilemonFastIoCheckifPossible( IN PFILE_OBJECT FileObject, IN PLARGE_INTEGER FileOffset,
IN ULONG Length, IN BOOLEAN Wait, IN ULONG LockKey, IN BOOLEAN CheckForReadOperation,
OUT PIO_STATUS_BLOCK IoStatus, IN PDEVICE_OBJECT DeviceObject ) {
BOOLEAN retval = FALSE;
PHOOK_EXTENSION hookExt;
CHAR *fullPathName, name[PROCNAMELEN], errorBuf[ERRORLEN];
LARGE_INTEGER timeStampStart, timeStampComplete, timeResult;
if( !DeviceObject ) return FALSE;
hookExt = DeviceObject->DeviceExtension;
if( FASTIOPRESENT( hookExt, FastIoCheckIfPossible ) ) {
GETPATHNAME(FALSE);
TIMESTAMPSTART();
retval = hookExt->FileSystem->DriverObject->FastIoDispatch->FastIoCheckIfPossible(
FileObject, FileOffset, Length,
Wait, LockKey, CheckForReadOperation, IoStatus, hookExt->FileSystem );
if( FilterDef.logreads && ApplyFilters( name, fullPathName ) ) {
TIMESTAMPSTOP();
UpdateStore( MyInterlockedIncrement(&Sequence),
&timeResult,
"%stFASTIO_CHECK_IF_POSSIBLEt%st%s Offset: %d Length: %dt%s",
name, fullPathName,
CheckForReadOperation ? "Read:" : "Write:",
FileOffset->LowPart, Length,
retval?"SUCCESS":"FAILURE" );
}
if ( fullPathName ) ExFreePool( fullPathName );
}
return retval;
}
//----------------------------------------------------------------------
//
// FilemonFastIoRead
//
//----------------------------------------------------------------------
BOOLEAN FilemonFastIoRead( IN PFILE_OBJECT FileObject, IN PLARGE_INTEGER FileOffset,
IN ULONG Length, IN BOOLEAN Wait, IN ULONG LockKey, OUT PVOID Buffer,
OUT PIO_STATUS_BLOCK IoStatus, IN PDEVICE_OBJECT DeviceObject ) {
BOOLEAN retval = FALSE;
PHOOK_EXTENSION hookExt;
CHAR *fullPathName, name[PROCNAMELEN], errorBuf[ERRORLEN];
LARGE_INTEGER timeStampStart, timeStampComplete, timeResult;
if( !DeviceObject ) return FALSE;
hookExt = DeviceObject->DeviceExtension;
if( FASTIOPRESENT( hookExt, FastIoRead ) ) {
GETPATHNAME(FALSE);
TIMESTAMPSTART();
retval = hookExt->FileSystem->DriverObject->FastIoDispatch->FastIoRead(
FileObject, FileOffset, Length,
Wait, LockKey, Buffer, IoStatus, hookExt->FileSystem );
if( FilterDef.logreads && ApplyFilters( name, fullPathName ) ) {
TIMESTAMPSTOP();
UpdateStore( MyInterlockedIncrement(&Sequence),
&timeResult,
"%stFASTIO_READt%stOffset: %d Length: %ldt%s",
name, fullPathName,
FileOffset->LowPart, Length,
retval?ErrorString( IoStatus->Status, errorBuf):"FAILURE" );
}
FREEPATHNAME();
}
return retval;
}
//----------------------------------------------------------------------
//
// FilemonFastIoWrite
//
//----------------------------------------------------------------------
BOOLEAN FilemonFastIoWrite( IN PFILE_OBJECT FileObject, IN PLARGE_INTEGER FileOffset,
IN ULONG Length, IN BOOLEAN Wait, IN ULONG LockKey, IN PVOID Buffer,
OUT PIO_STATUS_BLOCK IoStatus, IN PDEVICE_OBJECT DeviceObject ) {
BOOLEAN retval = FALSE;
PHOOK_EXTENSION hookExt;
CHAR *fullPathName, name[PROCNAMELEN], errorBuf[ERRORLEN];
LARGE_INTEGER timeStampStart, timeStampComplete, timeResult;
if( !DeviceObject ) return FALSE;
hookExt = DeviceObject->DeviceExtension;
if( FASTIOPRESENT( hookExt, FastIoWrite )) {
GETPATHNAME(FALSE);
TIMESTAMPSTART();
retval = hookExt->FileSystem->DriverObject->FastIoDispatch->FastIoWrite(
FileObject, FileOffset, Length, Wait, LockKey,
Buffer, IoStatus, hookExt->FileSystem );
if( FilterDef.logwrites && ApplyFilters( name, fullPathName ) ) {
TIMESTAMPSTOP();
UpdateStore( MyInterlockedIncrement(&Sequence),
&timeResult,
"%stFASTIO_WRITEt%stOffset: %d Length: %dt%s",
name, fullPathName,
FileOffset->LowPart, Length,
retval?ErrorString( IoStatus->Status, errorBuf ):"FAILURE" );
}
FREEPATHNAME();
}
return retval;
}
//----------------------------------------------------------------------
//
// FilemonFastIoQueryBasicinfo
//
//----------------------------------------------------------------------
BOOLEAN FilemonFastIoQueryBasicInfo( IN PFILE_OBJECT FileObject, IN BOOLEAN Wait,
OUT PFILE_BASIC_INFORMATION Buffer,
OUT PIO_STATUS_BLOCK IoStatus, IN PDEVICE_OBJECT DeviceObject ) {
BOOLEAN retval = FALSE;
PHOOK_EXTENSION hookExt;
CHAR *fullPathName, name[PROCNAMELEN], errorBuf[ERRORLEN];
CHAR attributeString[ERRORLEN];
LARGE_INTEGER timeStampStart, timeStampComplete, timeResult;
if( !DeviceObject ) return FALSE;
hookExt = DeviceObject->DeviceExtension;
if( FASTIOPRESENT( hookExt, FastIoQueryBasicInfo ) ) {
GETPATHNAME(FALSE);
TIMESTAMPSTART();
retval = hookExt->FileSystem->DriverObject->FastIoDispatch->FastIoQueryBasicInfo(
FileObject, Wait, Buffer, IoStatus, hookExt->FileSystem );
if( FilterDef.logreads && ApplyFilters( name, fullPathName ) ) {
TIMESTAMPSTOP();
if( retval ) {
UpdateStore( MyInterlockedIncrement(&Sequence),
&timeResult,
"%stFASTIO_QUERY_BASIC_INFOt%stAttributes: %st%s",
name, fullPathName,
NT_SUCCESS(IoStatus->Status) ?
CreateAttributesString((USHORT)((PFILE_BASIC_INFORMATION) Buffer)->FileAttributes,
attributeString ) :
"Error",
retval?ErrorString( IoStatus->Status, errorBuf ):"FAILURE" );
} else {
UpdateStore( MyInterlockedIncrement(&Sequence),
&timeResult,
"%stFASTIO_QUERY_BASIC_INFOt%stt%s",
name, fullPathName, retval?"SUCCESS":"FAILURE" );
}
}
FREEPATHNAME();
}
return retval;
}
//----------------------------------------------------------------------
//
// FilemonFastIoQueryStandardInfo
//
//----------------------------------------------------------------------
BOOLEAN FilemonFastIoQueryStandardInfo( IN PFILE_OBJECT FileObject, IN BOOLEAN Wait,
OUT PFILE_STANDARD_INFORMATION Buffer,
OUT PIO_STATUS_BLOCK IoStatus, IN PDEVICE_OBJECT DeviceObject ) {
BOOLEAN retval = FALSE;
PHOOK_EXTENSION hookExt;
CHAR *fullPathName, name[PROCNAMELEN], errorBuf[ERRORLEN];
LARGE_INTEGER timeStampStart, timeStampComplete, timeResult;
if( !DeviceObject ) return FALSE;
hookExt = DeviceObject->DeviceExtension;
if( FASTIOPRESENT( hookExt, FastIoQueryStandardInfo ) ) {
GETPATHNAME(FALSE);
TIMESTAMPSTART();
retval = hookExt->FileSystem->DriverObject->FastIoDispatch->FastIoQueryStandardInfo(
FileObject, Wait, Buffer, IoStatus, hookExt->FileSystem );
if( FilterDef.logreads && ApplyFilters( name, fullPathName ) ) {
TIMESTAMPSTOP();
if( retval ) {
UpdateStore( MyInterlockedIncrement(&Sequence),
&timeResult,
"%stFASTIO_QUERY_STANDARD_INFOt%stSize: %dt%s",
name, fullPathName,
((PFILE_STANDARD_INFORMATION) Buffer)->EndOfFile.LowPart,
retval?"SUCCESS":"FAILURE" );
} else {
UpdateStore( MyInterlockedIncrement(&Sequence),
&timeResult,
"%stFASTIO_QUERY_STANDARD_INFOt%stt%s",
name, fullPathName,
retval?ErrorString( IoStatus->Status, errorBuf ):"FAILURE" );
}
}
FREEPATHNAME();
}
return retval;
}
//----------------------------------------------------------------------
//
// FilemonFastIoLock
//
//----------------------------------------------------------------------
BOOLEAN FilemonFastIoLock( IN PFILE_OBJECT FileObject, IN PLARGE_INTEGER FileOffset,
IN PLARGE_INTEGER Length, PEPROCESS ProcessId, ULONG Key,
BOOLEAN FailImmediately, BOOLEAN ExclusiveLock,
OUT PIO_STATUS_BLOCK IoStatus, IN PDEVICE_OBJECT DeviceObject ) {
BOOLEAN retval = FALSE;
PHOOK_EXTENSION hookExt;
CHAR *fullPathName, name[PROCNAMELEN], errorBuf[ERRORLEN];
LARGE_INTEGER timeStampStart, timeStampComplete, timeResult;
if( !DeviceObject ) return FALSE;
hookExt = DeviceObject->DeviceExtension;
if( FASTIOPRESENT( hookExt, FastIoLock )) {
GETPATHNAME(FALSE);
TIMESTAMPSTART();
retval = hookExt->FileSystem->DriverObject->FastIoDispatch->FastIoLock(
FileObject, FileOffset, Length, ProcessId, Key, FailImmediately,
ExclusiveLock, IoStatus, hookExt->FileSystem );
if( FilterDef.logreads && ApplyFilters( name, fullPathName ) ) {
TIMESTAMPSTOP();
UpdateStore( MyInterlockedIncrement(&Sequence),
&timeResult,
"%stFASTIO_LOCKt%stExcl: %s Offset: %d Length: %dt%s",
name, fullPathName,
ExclusiveLock ? "Yes":"No", FileOffset ? FileOffset->LowPart : 0,
Length ? Length->LowPart : 0, retval?ErrorString( IoStatus->Status, errorBuf ):"FAILURE" );
}
FREEPATHNAME();
}
return retval;
}
//----------------------------------------------------------------------
//
// FilemonFastIoUnlockSingle
//
//----------------------------------------------------------------------
BOOLEAN FilemonFastIoUnlockSingle( IN PFILE_OBJECT FileObject, IN PLARGE_INTEGER FileOffset,
IN PLARGE_INTEGER Length, PEPROCESS ProcessId, ULONG Key,
OUT PIO_STATUS_BLOCK IoStatus, IN PDEVICE_OBJECT DeviceObject ) {
BOOLEAN retval = FALSE;
PHOOK_EXTENSION hookExt;
CHAR *fullPathName, name[PROCNAMELEN], errorBuf[ERRORLEN];
LARGE_INTEGER timeStampStart, timeStampComplete, timeResult;
if( !DeviceObject ) return FALSE;
hookExt = DeviceObject->DeviceExtension;
if( FASTIOPRESENT( hookExt, FastIoUnlockSingle )) {
GETPATHNAME(FALSE);
TIMESTAMPSTART();
retval = hookExt->FileSystem->DriverObject->FastIoDispatch->FastIoUnlockSingle(
FileObject, FileOffset, Length, ProcessId, Key,
IoStatus, hookExt->FileSystem );
if( FilterDef.logreads && ApplyFilters( name, fullPathName ) ) {
TIMESTAMPSTOP();
UpdateStore( MyInterlockedIncrement(&Sequence),
&timeResult,
"%stFASTIO_UNLOCKt%stOffset: %d Length: %dt%s",
name, fullPathName,
FileOffset? FileOffset->LowPart : 0, Length ? Length->LowPart : 0,
retval?ErrorString( IoStatus->Status, errorBuf ):"FAILURE" );
}
FREEPATHNAME();
}
return retval;
}
//----------------------------------------------------------------------
//
// FilemonFastIoUnlockAll
//
//----------------------------------------------------------------------
BOOLEAN FilemonFastIoUnlockAll( IN PFILE_OBJECT FileObject, PEPROCESS ProcessId,
OUT PIO_STATUS_BLOCK IoStatus, IN PDEVICE_OBJECT DeviceObject ) {
BOOLEAN retval = FALSE;
PHOOK_EXTENSION hookExt;
CHAR *fullPathName, name[PROCNAMELEN], errorBuf[ERRORLEN];
LARGE_INTEGER timeStampStart, timeStampComplete, timeResult;
if( !DeviceObject ) return FALSE;
hookExt = DeviceObject->DeviceExtension;
if ( FASTIOPRESENT(hookExt, FastIoUnlockAll ) ) {
GETPATHNAME(FALSE);
TIMESTAMPSTART();
retval = hookExt->FileSystem->DriverObject->FastIoDispatch->FastIoUnlockAll(
FileObject, ProcessId, IoStatus, hookExt->FileSystem );
if( FilterDef.logreads && ApplyFilters( name, fullPathName ) ) {
TIMESTAMPSTOP();
UpdateStore( MyInterlockedIncrement(&Sequence),
&timeResult,
"%stFASTIO_UNLOCK_ALLt%stt%s",
name, fullPathName,
retval?ErrorString( IoStatus->Status, errorBuf ):"FAILURE" );
}
FREEPATHNAME();
}
return retval;
}
//----------------------------------------------------------------------
//
// FilemonFastIoUnlockAllByKey
//
//----------------------------------------------------------------------
BOOLEAN FilemonFastIoUnlockAllByKey( IN PFILE_OBJECT FileObject, PEPROCESS ProcessId, ULONG Key,
OUT PIO_STATUS_BLOCK IoStatus, IN PDEVICE_OBJECT DeviceObject ) {
BOOLEAN retval = FALSE;
PHOOK_EXTENSION hookExt;
CHAR *fullPathName, name[PROCNAMELEN], errorBuf[ERRORLEN];
LARGE_INTEGER timeStampStart, timeStampComplete, timeResult;
if( !DeviceObject ) return FALSE;
hookExt = DeviceObject->DeviceExtension;
if( FASTIOPRESENT( hookExt, FastIoUnlockAllByKey )) {
GETPATHNAME(FALSE);
TIMESTAMPSTART();
retval = hookExt->FileSystem->DriverObject->FastIoDispatch->FastIoUnlockAllByKey(
FileObject, ProcessId, Key, IoStatus, hookExt->FileSystem );
if( FilterDef.logreads && ApplyFilters( name, fullPathName ) ) {
TIMESTAMPSTOP();
UpdateStore( MyInterlockedIncrement(&Sequence),
&timeResult,
"%stFASTIO_UNLOCK_ALL_BY_KEYt%stt%s",
name, fullPathName,
retval?ErrorString( IoStatus->Status, errorBuf):"FAILURE" );
}
FREEPATHNAME();
}
return retval;
}
//----------------------------------------------------------------------
//
// FilemonFastIoQueryNetworkOpenInfo
//
//----------------------------------------------------------------------
BOOLEAN FilemonFastIoQueryNetworkOpenInfo(IN PFILE_OBJECT FileObject,
IN BOOLEAN Wait,
OUT struct _FILE_NETWORK_OPEN_INFORMATION *Buffer,
OUT PIO_STATUS_BLOCK IoStatus,
IN PDEVICE_OBJECT DeviceObject )
{
BOOLEAN retval = FALSE;
PHOOK_EXTENSION hookExt;
CHAR *fullPathName, name[PROCNAMELEN], errorBuf[ERRORLEN];
LARGE_INTEGER timeStampStart, timeStampComplete, timeResult;
if( !DeviceObject ) return FALSE;
hookExt = DeviceObject->DeviceExtension;
if( FASTIOPRESENT( hookExt, FastIoQueryNetworkOpenInfo )) {
GETPATHNAME(FALSE);
TIMESTAMPSTART();
retval = hookExt->FileSystem->DriverObject->FastIoDispatch->FastIoQueryNetworkOpenInfo(
FileObject, Wait, Buffer, IoStatus, hookExt->FileSystem );
if( FilterDef.logreads && ApplyFilters( name, fullPathName ) ) {
TIMESTAMPSTOP();
UpdateStore( MyInterlockedIncrement(&Sequence),
&timeResult,
"%stFASTIO_QUERY_NETWORK_OPEN_INFOt%stt%s",
name, fullPathName,
retval ? ErrorString( IoStatus->Status, errorBuf ): "FAILURE" );
}
FREEPATHNAME();
}
return retval;
}
//----------------------------------------------------------------------
//
// FilemonFastIoAcquireForModWrite
//
//----------------------------------------------------------------------
NTSTATUS FilemonFastIoAcquireForModWrite( IN PFILE_OBJECT FileObject,
IN PLARGE_INTEGER EndingOffset,
OUT struct _ERESOURCE **ResourceToRelease,
IN PDEVICE_OBJECT DeviceObject )
{
NTSTATUS retval = STATUS_NOT_IMPLEMENTED;
PHOOK_EXTENSION hookExt;
CHAR *fullPathName, errval[ERRORLEN], name[PROCNAMELEN];
LARGE_INTEGER timeStampStart, timeStampComplete, timeResult;
if( !DeviceObject ) return FALSE;
hookExt = DeviceObject->DeviceExtension;
if( FASTIOPRESENT( hookExt, AcquireForModWrite )) {
GETPATHNAME(FALSE);
TIMESTAMPSTART();
retval = hookExt->FileSystem->DriverObject->FastIoDispatch->AcquireForModWrite(
FileObject, EndingOffset, ResourceToRelease, hookExt->FileSystem );
if( FilterDef.logwrites && ApplyFilters( name, fullPathName ) ) {
TIMESTAMPSTOP();
UpdateStore( MyInterlockedIncrement(&Sequence),
&timeResult,
"%stFASTIO_ACQUIRE_FOR_MOD_WRITEt%stEndOffset: %dt%s",
name, fullPathName, EndingOffset,
ErrorString( retval, errval ) );
}
FREEPATHNAME();
}
return retval;
}
//----------------------------------------------------------------------
//
// FilemonFastIoMdlRead
//
//----------------------------------------------------------------------
BOOLEAN FilemonFastIoMdlRead( IN PFILE_OBJECT FileObject,
IN PLARGE_INTEGER FileOffset, IN ULONG Length,
IN ULONG LockKey, OUT PMDL *MdlChain,
OUT PIO_STATUS_BLOCK IoStatus,
IN PDEVICE_OBJECT DeviceObject )
{
BOOLEAN retval = FALSE;
PHOOK_EXTENSION hookExt;
CHAR *fullPathName, name[PROCNAMELEN], errorBuf[ERRORLEN];
LARGE_INTEGER timeStampStart, timeStampComplete, timeResult;
if( !DeviceObject ) return FALSE;
hookExt = DeviceObject->DeviceExtension;
if( FASTIOPRESENT( hookExt, MdlRead )) {
GETPATHNAME(FALSE);
TIMESTAMPSTART();
retval = hookExt->FileSystem->DriverObject->FastIoDispatch->MdlRead(
FileObject, FileOffset, Length, LockKey, MdlChain,
IoStatus, hookExt->FileSystem );
if( FilterDef.logreads && ApplyFilters( name, fullPathName ) ) {
TIMESTAMPSTOP();
UpdateStore( MyInterlockedIncrement(&Sequence),
&timeResult,
"%stFASTIO_MDL_READt%stOffset: %d Length: %dt%s",
name, fullPathName,
FileOffset->LowPart, Length,
retval ? ErrorString( IoStatus->Status, errorBuf ): "FAILURE" );
}
FREEPATHNAME();
}
return retval;
}
//----------------------------------------------------------------------
//
// FilemonFastIoMdlReadComplete
//
//----------------------------------------------------------------------
BOOLEAN FilemonFastIoMdlReadComplete( IN PFILE_OBJECT FileObject,
IN PMDL MdlChain, IN PDEVICE_OBJECT DeviceObject )
{
BOOLEAN retval = FALSE;
PHOOK_EXTENSION hookExt;
CHAR *fullPathName, name[PROCNAMELEN];
LARGE_INTEGER timeStampStart, timeStampComplete, timeResult;
if( !DeviceObject ) return FALSE;
hookExt = DeviceObject->DeviceExtension;
if( FASTIOPRESENT( hookExt, MdlReadComplete )) {
GETPATHNAME(FALSE);
TIMESTAMPSTART();
retval = (BOOLEAN) hookExt->FileSystem->DriverObject->FastIoDispatch->MdlReadComplete( FileObject,
MdlChain, hookExt->FileSystem );
if( FilterDef.logreads && ApplyFilters( name, fullPathName )) {
TIMESTAMPSTOP();
UpdateStore( MyInterlockedIncrement(&Sequence),
&timeResult,
"%stFASTIO_MDL_READ_COMPLETEt%stt%s",
name, fullPathName, "OK" );
}
FREEPATHNAME();
}
return retval;
}
//----------------------------------------------------------------------
//
// FilemonFastIoPrepareMdlWrite
//
//----------------------------------------------------------------------
BOOLEAN FilemonFastIoPrepareMdlWrite( IN PFILE_OBJECT FileObject,
IN PLARGE_INTEGER FileOffset, IN ULONG Length,
IN ULONG LockKey, OUT PMDL *MdlChain,
OUT PIO_STATUS_BLOCK IoStatus, IN PDEVICE_OBJECT DeviceObject )
{
BOOLEAN retval = FALSE;
PHOOK_EXTENSION hookExt;
CHAR *fullPathName, name[PROCNAMELEN], errorBuf[ERRORLEN];
LARGE_INTEGER timeStampStart, timeStampComplete, timeResult;
if( !DeviceObject ) return FALSE;
hookExt = DeviceObject->DeviceExtension;
IoStatus->Status = STATUS_NOT_IMPLEMENTED;
IoStatus->Information = 0;
if( FASTIOPRESENT( hookExt, PrepareMdlWrite )) {
GETPATHNAME(FALSE);
TIMESTAMPSTART();
retval = hookExt->FileSystem->DriverObject->FastIoDispatch->PrepareMdlWrite(
FileObject, FileOffset, Length, LockKey, MdlChain, IoStatus,
hookExt->FileSystem );
if( FilterDef.logwrites && ApplyFilters( name, fullPathName ) ) {
TIMESTAMPSTOP();
UpdateStore( MyInterlockedIncrement(&Sequence),
&timeResult,
"%stFASTIO_PREPARE_MDL_WRITEt%stOffset: %d Length: %dt%s",
name, fullPathName,
FileOffset->LowPart, Length,
retval ? ErrorString( IoStatus->Status, errorBuf ): "FAILURE" );
}
FREEPATHNAME();
}
return retval;
}
//----------------------------------------------------------------------
//
// FilemonFastIoMdlWriteComplete
//
//----------------------------------------------------------------------
BOOLEAN FilemonFastIoMdlWriteComplete( IN PFILE_OBJECT FileObject,
IN PLARGE_INTEGER FileOffset, IN PMDL MdlChain,
IN PDEVICE_OBJECT DeviceObject )
{
BOOLEAN retval = FALSE;
PHOOK_EXTENSION hookExt;
CHAR *fullPathName, name[PROCNAMELEN];
LARGE_INTEGER timeStampStart, timeStampComplete, timeResult;
if( !DeviceObject ) return FALSE;
hookExt = DeviceObject->DeviceExtension;
if( FASTIOPRESENT( hookExt, MdlWriteComplete )) {
GETPATHNAME(FALSE);
TIMESTAMPSTART();
retval = hookExt->FileSystem->DriverObject->FastIoDispatch->MdlWriteComplete(
FileObject, FileOffset, MdlChain, hookExt->FileSystem );
if( FilterDef.logwrites && ApplyFilters( name, fullPathName ) ) {
TIMESTAMPSTOP();
UpdateStore( MyInterlockedIncrement(&Sequence),
&timeResult,
"%stFASTIO_MDL_WRITE_COMPLETEt%stOffset: %dtOK",
name, fullPathName, FileOffset->LowPart );
}
FREEPATHNAME();
}
return retval;
}
//----------------------------------------------------------------------
//
// FilemonFastIoReadCompressed
//
//----------------------------------------------------------------------
BOOLEAN FilemonFastIoReadCompressed( IN PFILE_OBJECT FileObject,
IN PLARGE_INTEGER FileOffset, IN ULONG Length,
IN ULONG LockKey, OUT PVOID Buffer,
OUT PMDL *MdlChain, OUT PIO_STATUS_BLOCK IoStatus,
OUT struct _COMPRESSED_DATA_INFO *CompressedDataInfo,
IN ULONG CompressedDataInfoLength, IN PDEVICE_OBJECT DeviceObject )
{
BOOLEAN retval = FALSE;
PHOOK_EXTENSION hookExt;
CHAR *fullPathName, name[PROCNAMELEN], errorBuf[ERRORLEN];
LARGE_INTEGER timeStampStart, timeStampComplete, timeResult;
if( !DeviceObject ) return FALSE;
hookExt = DeviceObject->DeviceExtension;
if( FASTIOPRESENT( hookExt, FastIoReadCompressed )) {
GETPATHNAME(FALSE);
TIMESTAMPSTART();
retval = hookExt->FileSystem->DriverObject->FastIoDispatch->FastIoReadCompressed(
FileObject, FileOffset, Length, LockKey, Buffer, MdlChain, IoStatus,
CompressedDataInfo, CompressedDataInfoLength, hookExt->FileSystem );
if( FilterDef.logreads && ApplyFilters( name, fullPathName )) {
TIMESTAMPSTOP();
UpdateStore( MyInterlockedIncrement(&Sequence),
&timeResult,
"%stFASTIO_READ_COMPRESSEDt%stOffset: %d Length: %dt%s",
name, fullPathName,
FileOffset->LowPart, Length,
retval ? ErrorString( IoStatus->Status, errorBuf ) : "FAILURE" );
}
FREEPATHNAME();
}
return retval;
}
//----------------------------------------------------------------------
//
// FilemonFastIoWriteCompressed
//
//----------------------------------------------------------------------
BOOLEAN FilemonFastIoWriteCompressed( IN PFILE_OBJECT FileObject,
IN PLARGE_INTEGER FileOffset, IN ULONG Length,
IN ULONG LockKey, OUT PVOID Buffer,
OUT PMDL *MdlChain, OUT PIO_STATUS_BLOCK IoStatus,
OUT struct _COMPRESSED_DATA_INFO *CompressedDataInfo,
IN ULONG CompressedDataInfoLength, IN PDEVICE_OBJECT DeviceObject )
{
BOOLEAN retval = FALSE;
PHOOK_EXTENSION hookExt;
CHAR *fullPathName, name[PROCNAMELEN], errorBuf[ERRORLEN];
LARGE_INTEGER timeStampStart, timeStampComplete, timeResult;
if( !DeviceObject ) return FALSE;
hookExt = DeviceObject->DeviceExtension;
if( FASTIOPRESENT( hookExt, FastIoWriteCompressed )) {
GETPATHNAME(FALSE);
TIMESTAMPSTART();
retval = hookExt->FileSystem->DriverObject->FastIoDispatch->FastIoWriteCompressed(
FileObject, FileOffset, Length, LockKey, Buffer, MdlChain, IoStatus,
CompressedDataInfo, CompressedDataInfoLength, hookExt->FileSystem );
if( FilterDef.logwrites && ApplyFilters( name, fullPathName ) ) {
TIMESTAMPSTOP();
UpdateStore( MyInterlockedIncrement(&Sequence),
&timeResult,
"%stFASTIO_WRITE_COMPRESSEDt%stOffset: %d Length: %dt%s",
name, fullPathName,
FileOffset->LowPart, Length,
retval ? ErrorString( IoStatus->Status, errorBuf ) : "FAILURE" );
}
FREEPATHNAME();
}
return retval;
}
//----------------------------------------------------------------------
//
// FilemonFastIoMdlReadCompleteCompressed
//
//----------------------------------------------------------------------
BOOLEAN FilemonFastIoMdlReadCompleteCompressed( IN PFILE_OBJECT FileObject,
IN PMDL MdlChain, IN PDEVICE_OBJECT DeviceObject )
{
BOOLEAN retval = FALSE;
PHOOK_EXTENSION hookExt;
CHAR *fullPathName, name[PROCNAMELEN];
LARGE_INTEGER timeStampStart, timeStampComplete, timeResult;
if( !DeviceObject ) return FALSE;
hookExt = DeviceObject->DeviceExtension;
if( FASTIOPRESENT( hookExt, MdlReadCompleteCompressed )) {
GETPATHNAME(FALSE);
TIMESTAMPSTART();
retval = hookExt->FileSystem->DriverObject->FastIoDispatch->MdlReadCompleteCompressed(
FileObject, MdlChain, hookExt->FileSystem );
if( FilterDef.logreads && ApplyFilters( name, fullPathName )) {
TIMESTAMPSTOP();
UpdateStore( MyInterlockedIncrement(&Sequence),
&timeResult,
"%stFASTIO_MDL_READ_COMPLETE_COMPRESSEDt%stt%s",
name, fullPathName, "OK" );
}
FREEPATHNAME();
}
return retval;
}
//----------------------------------------------------------------------
//
// FilemonFastIoMdlWriteCompleteCompressed
//
//----------------------------------------------------------------------
BOOLEAN FilemonFastIoMdlWriteCompleteCompressed( IN PFILE_OBJECT FileObject,
IN PLARGE_INTEGER FileOffset, IN PMDL MdlChain,
IN PDEVICE_OBJECT DeviceObject )
{
BOOLEAN retval = FALSE;
PHOOK_EXTENSION hookExt;
CHAR *fullPathName, name[PROCNAMELEN];
LARGE_INTEGER timeStampStart, timeStampComplete, timeResult;
if( !DeviceObject ) return FALSE;
hookExt = DeviceObject->DeviceExtension;
if( FASTIOPRESENT( hookExt, MdlWriteCompleteCompressed )) {
GETPATHNAME(FALSE);
TIMESTAMPSTART();
retval = hookExt->FileSystem->DriverObject->FastIoDispatch->MdlWriteCompleteCompressed(
FileObject, FileOffset, MdlChain, hookExt->FileSystem );
if( FilterDef.logwrites && ApplyFilters( name, fullPathName )) {
TIMESTAMPSTOP();
UpdateStore( MyInterlockedIncrement(&Sequence),
&timeResult,
"%stFASTIO_MDL_WRITE_COMPLETE_COMPRESSEDt%stOffset: %dt%s",
name, fullPathName, FileOffset->LowPart, "OK" );
}
FREEPATHNAME();
}
return retval;
}
//----------------------------------------------------------------------
//
// FilemonFastIoQueryOpen
//
// This call actually passes an IRP!
//
//----------------------------------------------------------------------
BOOLEAN FilemonFastIoQueryOpen( IN PIRP Irp,
OUT PFILE_NETWORK_OPEN_INFORMATION NetworkInformation,
IN PDEVICE_OBJECT DeviceObject )
{
BOOLEAN retval = FALSE;
PHOOK_EXTENSION hookExt;
PFILE_OBJECT FileObject;
CHAR *fullPathName, name[PROCNAMELEN];
PIO_STACK_LOCATION currentIrpStack;
PIO_STACK_LOCATION nextIrpStack;
LARGE_INTEGER timeStampStart, timeStampComplete, timeResult;
if( !DeviceObject ) return FALSE;
hookExt = DeviceObject->DeviceExtension;
if( FASTIOPRESENT( hookExt, FastIoQueryOpen )) {
currentIrpStack = IoGetCurrentIrpStackLocation(Irp);
nextIrpStack = IoGetNextIrpStackLocation(Irp);
FileObject = currentIrpStack->FileObject;
//
// copy parameters down to next level in the stack
//
*nextIrpStack = *currentIrpStack;
nextIrpStack->DeviceObject = hookExt->FileSystem;
IoSetNextIrpStackLocation( Irp );
//
// Get path and timestamp
//
GETPATHNAME(TRUE);
TIMESTAMPSTART();
retval = hookExt->FileSystem->DriverObject->FastIoDispatch->FastIoQueryOpen(
Irp, NetworkInformation, hookExt->FileSystem );
//
// Restore the stack location because pre-NT 5.0 checked builds complain
//
Irp->CurrentLocation++;
Irp->Tail.Overlay.CurrentStackLocation++;
if( FilterDef.logreads && ApplyFilters( name, fullPathName )) {
TIMESTAMPSTOP();
UpdateStore( MyInterlockedIncrement(&Sequence),
&timeResult,
"%stFASTIO_QUERY_OPENt%stt%s",
name, fullPathName, retval ? "SUCCESS" : "FAILURE" );
}
FREEPATHNAME();
}
return retval;
}
//----------------------------------------------------------------------
//
// FilemonFastIoReleaseForModWrite
//
//----------------------------------------------------------------------
NTSTATUS FilemonFastIoReleaseForModWrite( IN PFILE_OBJECT FileObject,
IN struct _ERESOURCE *ResourceToRelease,
IN PDEVICE_OBJECT DeviceObject )
{
NTSTATUS retval = STATUS_NOT_IMPLEMENTED;
PHOOK_EXTENSION hookExt;
CHAR *fullPathName, errval[ERRORLEN], name[PROCNAMELEN];
LARGE_INTEGER timeStampStart, timeStampComplete, timeResult;
if( !DeviceObject ) return STATUS_NOT_IMPLEMENTED;
hookExt = DeviceObject->DeviceExtension;
if( FASTIOPRESENT( hookExt, ReleaseForModWrite )) {
GETPATHNAME(FALSE);
TIMESTAMPSTART();
retval = hookExt->FileSystem->DriverObject->FastIoDispatch->ReleaseForModWrite(
FileObject, ResourceToRelease, hookExt->FileSystem );
if( FilterDef.logwrites && ApplyFilters( name, fullPathName )) {
TIMESTAMPSTOP();
UpdateStore( MyInterlockedIncrement(&Sequence),
&timeResult,
"%stFASTIO_RELEASE_FOR_MOD_WRITEt%stt%s",
name, fullPathName, ErrorString( retval, errval ));
}
FREEPATHNAME();
}
return retval;
}
//----------------------------------------------------------------------
//
// FilemonFastIoAcquireForCcFlush
//
//----------------------------------------------------------------------
NTSTATUS FilemonFastIoAcquireForCcFlush( IN PFILE_OBJECT FileObject,
IN PDEVICE_OBJECT DeviceObject )
{
NTSTATUS retval = STATUS_NOT_IMPLEMENTED;
PHOOK_EXTENSION hookExt;
CHAR *fullPathName, errval[ERRORLEN], name[PROCNAMELEN];
LARGE_INTEGER timeStampStart, timeStampComplete, timeResult;
if( !DeviceObject ) return STATUS_NOT_IMPLEMENTED;
hookExt = DeviceObject->DeviceExtension;
if( FASTIOPRESENT( hookExt, AcquireForCcFlush )) {
GETPATHNAME(FALSE);
TIMESTAMPSTART();
retval = hookExt->FileSystem->DriverObject->FastIoDispatch->AcquireForCcFlush(
FileObject, hookExt->FileSystem );
if( FilterDef.logwrites && ApplyFilters( name, fullPathName )) {
TIMESTAMPSTOP();
UpdateStore( MyInterlockedIncrement(&Sequence),
&timeResult,
"%stFASTIO_ACQUIRE_FOR_CC_FLUSHt%stt%s",
name, fullPathName, ErrorString( retval, errval));
}
if ( fullPathName) ExFreePool( fullPathName );
}
return retval;
}
//----------------------------------------------------------------------
//
// FilemonFastIoReleaseForCcFlush
//
//----------------------------------------------------------------------
NTSTATUS FilemonFastIoReleaseForCcFlush( IN PFILE_OBJECT FileObject,
IN PDEVICE_OBJECT DeviceObject )
{
NTSTATUS retval = STATUS_NOT_IMPLEMENTED;
PHOOK_EXTENSION hookExt;
CHAR *fullPathName, errval[ERRORLEN], name[PROCNAMELEN];
LARGE_INTEGER timeStampStart, timeStampComplete, timeResult;
if( !DeviceObject ) return STATUS_NOT_IMPLEMENTED;
hookExt = DeviceObject->DeviceExtension;
if( FASTIOPRESENT( hookExt, ReleaseForCcFlush )) {
GETPATHNAME(FALSE);
TIMESTAMPSTART();
retval = hookExt->FileSystem->DriverObject->FastIoDispatch->ReleaseForCcFlush(
FileObject, hookExt->FileSystem );
if( FilterDef.logwrites && ApplyFilters( name, fullPathName )) {
TIMESTAMPSTOP();
UpdateStore( MyInterlockedIncrement(&Sequence),
&timeResult,
"%stFASTIO_RELEASE_FOR_CC_FLUSHt%stt%s",
name, fullPathName, ErrorString( retval, errval) );
}
FREEPATHNAME();
}
return retval;
}
//----------------------------------------------------------------------
//
// FilemonFastIoDeviceControl
//
//----------------------------------------------------------------------
BOOLEAN FilemonFastIoDeviceControl( IN PFILE_OBJECT FileObject, IN BOOLEAN Wait,
IN PVOID InputBuffer, IN ULONG InputBufferLength,
OUT PVOID OutputBuffer, IN ULONG OutputBufferLength, IN ULONG IoControlCode,
OUT PIO_STATUS_BLOCK IoStatus, IN PDEVICE_OBJECT DeviceObject ) {
BOOLEAN retval = FALSE;
PHOOK_EXTENSION hookExt;
PSTORE_BUF old;
CHAR fullPathName[MAXPATHLEN], name[PROCNAMELEN], errorBuf[ERRORLEN];
KIRQL oldirql;
LARGE_INTEGER timeStampStart, timeStampComplete, timeResult;
if ( DeviceObject == GUIDevice ) {
//
// Its a message from our GUI!
//
IoStatus->Status = STATUS_SUCCESS; // Assume success
IoStatus->Information = 0; // Assume nothing returned
switch ( IoControlCode ) {
case IOCTL_FILEMON_VERSION:
//
// Version #
//
if ( OutputBufferLength >= sizeof(ULONG)) {
*(ULONG *)OutputBuffer = FILEMONVERSION;
IoStatus->Information = sizeof(ULONG);
} else {
IoStatus->Status = STATUS_BUFFER_TOO_SMALL;
}
break;
case IOCTL_FILEMON_SETDRIVES:
//
// Hook and/or unhook drives
//
DbgPrint (("Filemon: set drivesn"));
if ( InputBufferLength >= sizeof(ULONG) &&
OutputBufferLength >= sizeof(ULONG)) {
*(ULONG *)OutputBuffer = HookDriveSet( *(ULONG *)InputBuffer, DeviceObject->DriverObject );
IoStatus->Information = sizeof(ULONG);
} else {
IoStatus->Status = STATUS_BUFFER_TOO_SMALL;
}
break;
case IOCTL_FILEMON_HOOKSPECIAL:
if( InputBufferLength >= sizeof(FILE_SYSTEM_TYPE )) {
if( !HookSpecialFs( DeviceObject->DriverObject, *(PFILE_SYSTEM_TYPE) InputBuffer )) {
IoStatus->Status = STATUS_UNSUCCESSFUL;
}
} else {
IoStatus->Status = STATUS_BUFFER_TOO_SMALL;
}
break;
case IOCTL_FILEMON_UNHOOKSPECIAL:
if( InputBufferLength >= sizeof(FILE_SYSTEM_TYPE )) {
UnhookSpecialFs( *(PFILE_SYSTEM_TYPE) InputBuffer );
} else {
IoStatus->Status = STATUS_BUFFER_TOO_SMALL;
}
break;
case IOCTL_FILEMON_STOPFILTER:
//
// Turn off logging
//
DbgPrint(("Filemon: stop loggingn"));
FilterOn = FALSE;
break;
case IOCTL_FILEMON_STARTFILTER:
//
// Turn on logging
//
DbgPrint(("Filemon: start loggingn"));
FilterOn = TRUE;
break;
case IOCTL_FILEMON_SETFILTER:
//
// Gui is updating the filter functions
//
DbgPrint(("Filemon: set filtern"));
if( InputBufferLength >= sizeof(FILTER) ) {
FilterDef = *(PFILTER) InputBuffer;
FilemonUpdateFilters();
} else {
IoStatus->Status = STATUS_BUFFER_TOO_SMALL;
}
break;
case IOCTL_FILEMON_TIMETYPE:
//
// Set the timing type
//
if( InputBufferLength >= sizeof(BOOLEAN) ) {
TimeIsDuration = *(PBOOLEAN) InputBuffer;
} else {
IoStatus->Status = STATUS_BUFFER_TOO_SMALL;
}
break;
case IOCTL_FILEMON_UNLOADQUERY:
//
// Is it possible to unload?
//
KeAcquireSpinLock( &CountMutex, &oldirql );
IoStatus->Information = OutstandingIRPCount;
//
// Any outstanding Irps?
//
if( !OutstandingIRPCount ) {
//
// Nope, so don't process anymore
//
UnloadInProgress = TRUE;
KeReleaseSpinLock( &CountMutex, oldirql );
//
// Disconnect from filesystems
//
HookDriveSet( 0, DeviceObject->DriverObject );
} else {
KeReleaseSpinLock( &CountMutex, oldirql );
}
break;
case IOCTL_FILEMON_ZEROSTATS:
//
// Reset all output buffers
//
DbgPrint (("Filemon: zero statsn"));
ExAcquireFastMutex( &StoreMutex );
while ( Store->Next ) {
//
// Free all but the first output buffer
//
old = Store->Next;
Store->Next = old->Next;
ExFreePool( old );
NumStore--;
}
//
// Set the output pointer to the start of the output buffer
//
Store->Len = 0;
Sequence = 0;
ExReleaseFastMutex( &StoreMutex );
break;
case IOCTL_FILEMON_GETSTATS:
//
// Copy the oldest output buffer to the caller
//
DbgPrint (("Filemon: get statsn"));
//
// If the output buffer is too large to fit into the caller's buffer
//
if ( MAX_STORE > OutputBufferLength ) {
IoStatus->Status = STATUS_BUFFER_TOO_SMALL;
return FALSE;
}
//
// Probe the output buffer
//
try {
ProbeForWrite( OutputBuffer,
OutputBufferLength,
sizeof( UCHAR ));
} except( EXCEPTION_EXECUTE_HANDLER ) {
IoStatus->Status = STATUS_INVALID_PARAMETER;
return FALSE;
}
//
// We're okay, lock the buffer pool
//
ExAcquireFastMutex( &StoreMutex );
if ( Store->Len || Store->Next ) {
//
// Start output to a new output buffer
//
FilemonNewStore();
//
// Fetch the oldest to give to user
//
old = FilemonOldestStore();
ExReleaseFastMutex( &StoreMutex );
//
// Copy it to the caller's buffer
//
memcpy( OutputBuffer, old->Data, old->Len );
//
// Return length of copied info
//
IoStatus->Information = old->Len;
//
// Deallocate buffer
//
if( old != Store ) ExFreePool( old );
} else {
//
// There is no unread data
//
ExReleaseFastMutex( &StoreMutex );
IoStatus->Information = 0;
}
break;
default:
//
// Unknown control
//
DbgPrint (("Filemon: unknown IRP_MJ_DEVICE_CONTROLn"));
IoStatus->Status = STATUS_INVALID_DEVICE_REQUEST;
break;
}
retval = TRUE;
} else {
//
// Its a call for a file system, so pass it through
//
hookExt = DeviceObject->DeviceExtension;
if( FASTIOPRESENT( hookExt, FastIoDeviceControl )) {
FilemonGetFullPath( FALSE, FileObject, hookExt, fullPathName );
TIMESTAMPSTART();
retval = hookExt->FileSystem->DriverObject->FastIoDispatch->FastIoDeviceControl(
FileObject, Wait, InputBuffer, InputBufferLength, OutputBuffer,
OutputBufferLength, IoControlCode, IoStatus, hookExt->FileSystem );
if( ApplyFilters( name, fullPathName )) {
TIMESTAMPSTOP();
UpdateStore( MyInterlockedIncrement(&Sequence), &timeResult,
"%stFASTIO_DEVICE_CONTROLt%stIOCTL: 0x%Xt%s",
name, fullPathName,
IoControlCode,
retval ? ErrorString( IoStatus->Status, errorBuf ) : "FAILURE" );
}
}
}
return retval;
}
//----------------------------------------------------------------------
//
// FilemonFastIoAcquireFile
//
//----------------------------------------------------------------------
VOID FilemonFastIoAcquireFile( PFILE_OBJECT FileObject ) {
PDEVICE_OBJECT deviceObject, checkDevice;
PHOOK_EXTENSION hookExt;
CHAR *fullPathName, name[PROCNAMELEN];
LARGE_INTEGER timeStampStart, timeStampComplete, timeResult;
//
// We've got to locate our own device object
//
checkDevice = FileObject->DeviceObject->Vpb->DeviceObject;
while( checkDevice ) {
if( checkDevice->DriverObject == FilemonDriver ) {
//
// Found it
//
deviceObject = checkDevice;
hookExt = deviceObject->DeviceExtension;
if( FASTIOPRESENT( hookExt, AcquireFileForNtCreateSection )) {
GETPATHNAME(FALSE);
TIMESTAMPSTART();
hookExt->FileSystem->DriverObject->FastIoDispatch->AcquireFileForNtCreateSection(
FileObject );
if( FilterDef.logreads && ApplyFilters( name, fullPathName )) {
TIMESTAMPSTOP();
UpdateStore( MyInterlockedIncrement(&Sequence), &timeResult,
"%stFASTIO_ACQUIRE_FILEt%sttOK", name,
fullPathName );
}
FREEPATHNAME();
}
return;
}
checkDevice = checkDevice->AttachedDevice;
}
}
//----------------------------------------------------------------------
//
// FilemonFastIoReleaseFile
//
//----------------------------------------------------------------------
VOID FilemonFastIoReleaseFile( PFILE_OBJECT FileObject ) {
PDEVICE_OBJECT deviceObject, checkDevice;
PHOOK_EXTENSION hookExt;
CHAR *fullPathName, name[PROCNAMELEN];
LARGE_INTEGER timeStampStart, timeStampComplete, timeResult;
//
// We've got to locate our own device object
//
checkDevice = FileObject->DeviceObject->Vpb->DeviceObject;
while( checkDevice ) {
if( checkDevice->DriverObject == FilemonDriver ) {
deviceObject = IoGetRelatedDeviceObject( FileObject );
hookExt = deviceObject->DeviceExtension;
if( FASTIOPRESENT( hookExt, ReleaseFileForNtCreateSection )) {
GETPATHNAME(FALSE);
TIMESTAMPSTART();
hookExt->FileSystem->DriverObject->FastIoDispatch->ReleaseFileForNtCreateSection( FileObject );
if( FilterDef.logreads && ApplyFilters( name, fullPathName )) {
TIMESTAMPSTOP();
UpdateStore( MyInterlockedIncrement(&Sequence), &timeResult,
"%stFASTIO_RELEASE_FILEt%sttOK", name,
fullPathName );
}
FREEPATHNAME();
}
return;
}
checkDevice = checkDevice->AttachedDevice;
}
}
//----------------------------------------------------------------------
//
// FilemonFastIoDetachDevice
//
// We get this call when a device that we have hooked is being deleted.
// This happens when, for example, a floppy is formatted. We have
// to detach from it and delete our device. We should notify the GUI
// that the hook state has changed, but its not worth the trouble.
//
//----------------------------------------------------------------------
VOID FilemonFastIoDetachDevice( PDEVICE_OBJECT SourceDevice, PDEVICE_OBJECT TargetDevice ) {
PHOOK_EXTENSION hookExt;
ULONG i;
CHAR name[PROCNAMELEN];
LARGE_INTEGER timeStampStart, timeStampComplete, timeResult;
//
// See if a device (like a floppy) is being removed out from under us. If so,
// we have to detach from it before it disappears
//
for( i = 0; i < 26; i++ ) {
if( SourceDevice == LDriveDevices[i] ) {
//
// We've hooked it, so we must detach
//
hookExt = SourceDevice->DeviceExtension;
DbgPrint(("Filemon: Detaching from drive: %cn",
hookExt->LogicalDrive ));
IoDetachDevice( TargetDevice );
IoDeleteDevice( SourceDevice );
LDriveDevices[i] = NULL;
LDriveMap[i] = 0;
return;
}
}
//
// Now we can pass the call through
//
hookExt = SourceDevice->DeviceExtension;
if( FASTIOPRESENT( hookExt, FastIoDetachDevice )) {
TIMESTAMPSTART();
hookExt->FileSystem->DriverObject->FastIoDispatch->FastIoDetachDevice(
SourceDevice, TargetDevice );
if( FilemonGetProcess( name ) ) {
TIMESTAMPSTOP();
UpdateStore( MyInterlockedIncrement(&Sequence), &timeResult,
"%stFASTIO_DETACH_DEVICEtttOK",
name);
}
}
}
//----------------------------------------------------------------------
// D I S P A T C H A N D H O O K E N T R Y P O I N T S
//----------------------------------------------------------------------
//----------------------------------------------------------------------
//
// FilemonHookDoneWork
//
// Worker routine that simply calls update store. Since we want
// to avoid using spin locks in order to improve SMP performance
// we need to do everything at passive. When our completion routine
// is called at dispatch, we queue the update off to a worker thread.
//
//----------------------------------------------------------------------
VOID FilemonHookDoneWork( PVOID Context )
{
PFILEMON_WORK filemonWork = (PFILEMON_WORK) Context;
UpdateStore( filemonWork->Sequence,
&filemonWork->TimeResult,
filemonWork->ErrString );
ExFreePool( filemonWork );
}
//----------------------------------------------------------------------
//
// FilemonHookDone
//
// Gets control after a filesystem operation has completed so that
// we can get return status information about it.
//
//----------------------------------------------------------------------
NTSTATUS FilemonHookDone( IN PDEVICE_OBJECT DeviceObject, IN PIRP Irp,
IN PVOID Context )
{
PIO_STACK_LOCATION IrpSp;
int seq = (int)Context;
CHAR errval[ERRORLEN], errString[ERRORLEN];
KIRQL oldirql;
LARGE_INTEGER timeStampStart, timeStampComplete, timeResult;
PFILEMON_WORK filemonWorkContext;
//
// A request completed - look at the result
//
IrpSp = IoGetCurrentIrpStackLocation( Irp );
//
// Store the return status in the output buffer. Tag it with the
// sequence number so that the GUI can match it with the IRP input information.
//
if( FilterOn ) {
//
// Quick, get the completion time
//
timeStampStart = IrpSp->Parameters.Read.ByteOffset;
if( IrpSp->Parameters.Read.Length ) {
timeStampComplete = KeQueryPerformanceCounter(NULL);
timeResult.QuadPart = timeStampComplete.QuadPart - timeStampStart.QuadPart;
} else {
timeResult = timeStampStart;
}
//
// Queue off to a worker thread if we have to
//
if( KeGetCurrentIrql() == DISPATCH_LEVEL ) {
filemonWorkContext = ExAllocatePool( NonPagedPool, sizeof(FILEMON_WORK));
if( filemonWorkContext ) {
filemonWorkContext->Sequence = seq;
filemonWorkContext->TimeResult = timeResult;
sprintf( filemonWorkContext->ErrString, "tttt%s",
ErrorString( Irp->IoStatus.Status, errval ));
ExInitializeWorkItem( &filemonWorkContext->WorkItem,
FilemonHookDoneWork, filemonWorkContext );
ExQueueWorkItem( &filemonWorkContext->WorkItem, CriticalWorkQueue );
}
} else {
sprintf( errString, "tttt%s", ErrorString( Irp->IoStatus.Status, errval ));
UpdateStore( seq, &timeResult, errString );
}
}
//
// If this was an error on a create call, we have to free the hash entry we
// created for this name
//
if( (IrpSp->MajorFunction == IRP_MJ_CREATE ||
IrpSp->MajorFunction == IRP_MJ_CREATE_NAMED_PIPE ||
IrpSp->MajorFunction == IRP_MJ_CREATE_MAILSLOT ) &&
!NT_SUCCESS( Irp->IoStatus.Status )) {
FilemonFreeHashEntry( IrpSp->FileObject );
}
//
// We have finished processing an IRP so decrement oustanding IRP count
//
KeAcquireSpinLock( &CountMutex, &oldirql );
OutstandingIRPCount--;
KeReleaseSpinLock( &CountMutex, oldirql );
//
// Now we have to mark Irp as pending if necessary
//
if( Irp->PendingReturned ) {
IoMarkIrpPending( Irp );
}
return Irp->IoStatus.Status;
}
//----------------------------------------------------------------------
//
// FilemonHookRoutine
//
// This routine is the main hook routine where we figure out what
// calls are being sent to the file system.
//
//----------------------------------------------------------------------
NTSTATUS FilemonHookRoutine( PDEVICE_OBJECT HookDevice, IN PIRP Irp )
{
PIO_STACK_LOCATION currentIrpStack = IoGetCurrentIrpStackLocation(Irp);
PIO_STACK_LOCATION nextIrpStack = IoGetNextIrpStackLocation(Irp);
PFILE_OBJECT fileObject;
PHOOK_EXTENSION hookExt;
LARGE_INTEGER timeStampStart;
PCHAR fullPathName;
CHAR controlCodeBuffer[ERRORLEN];
CHAR attributeString[ERRORLEN];
CHAR optionString[ERRORLEN];
CHAR name[PROCNAMELEN];
ULONG seq = MyInterlockedIncrement(&Sequence);
KIRQL oldirql;
//
// Allocate a buffer
//
if( fullPathName = ExAllocatePool( NonPagedPool, MAXPATHLEN ) ) {
fullPathName[0] = 0;
}
//
// Extract the file object from the IRP
//
fileObject = currentIrpStack->FileObject;
//
// Point at the device extension, which contains information on which
// file system this IRP is headed for
//
hookExt = HookDevice->DeviceExtension;
//
// If a GUI is up there, get the canonical pathname
//
if( FilterOn ) {
if( currentIrpStack->MajorFunction == IRP_MJ_CREATE ||
currentIrpStack->MajorFunction == IRP_MJ_CREATE_NAMED_PIPE ||
currentIrpStack->MajorFunction == IRP_MJ_CREATE_MAILSLOT ) {
//
// Clear any existing fileobject/name association stored in the
// hash table
//
FilemonFreeHashEntry( fileObject );
}
FilemonGetFullPath( (BOOLEAN) (currentIrpStack->MajorFunction == IRP_MJ_CREATE ||
currentIrpStack->MajorFunction == IRP_MJ_CREATE_NAMED_PIPE ||
currentIrpStack->MajorFunction == IRP_MJ_CREATE_MAILSLOT ),
fileObject, hookExt, fullPathName );
}
//
// If measuring absolute time go and get the timestamp.
//
if( !TimeIsDuration ) KeQuerySystemTime( &timeStampStart );
else timeStampStart.QuadPart = 0;
//
// Only log it if it passes the filter
//
if( ApplyFilters( name, fullPathName ) ) {
//
// Determine what function we're dealing with
//
switch( currentIrpStack->MajorFunction ) {
case IRP_MJ_CREATE:
UpdateStore( seq, &timeStampStart, "%stIRP_MJ_CREATEt%stAttributes: %s Options: %s",
name, fullPathName,
CreateAttributesString( currentIrpStack->Parameters.Create.FileAttributes,
attributeString ),
CreateOptionsString( currentIrpStack->Parameters.Create.Options,
optionString ));
break;
case IRP_MJ_CREATE_NAMED_PIPE:
UpdateStore( seq, &timeStampStart, "%stIRP_MJ_CREATE_NAMED_PIPEt%stAttributes: %s Options: %s",
name, fullPathName,
CreateAttributesString( currentIrpStack->Parameters.Create.FileAttributes,
attributeString ),
CreateOptionsString( currentIrpStack->Parameters.Create.Options,
optionString ));
break;
case IRP_MJ_CREATE_MAILSLOT:
UpdateStore( seq, &timeStampStart, "%stIRP_MJ_CREATE_MAILSLOTt%stAttributes: %s Options: %s",
name, fullPathName,
CreateAttributesString( currentIrpStack->Parameters.Create.FileAttributes,
attributeString ),
CreateOptionsString( currentIrpStack->Parameters.Create.Options,
optionString ));
break;
case IRP_MJ_READ:
if( FilterDef.logreads ) {
UpdateStore( seq, &timeStampStart, "%stIRP_MJ_READ%ct%stOffset: %d Length: %d",
name,
(Irp->Flags & IRP_PAGING_IO) || (Irp->Flags & IRP_SYNCHRONOUS_PAGING_IO) ? '*' : ' ',
fullPathName,
currentIrpStack->Parameters.Read.ByteOffset.LowPart,
currentIrpStack->Parameters.Read.Length );
}
break;
case IRP_MJ_WRITE:
if( FilterDef.logwrites ) {
UpdateStore( seq, &timeStampStart, "%stIRP_MJ_WRITE%ct%stOffset: %d Length: %d",
name,
(Irp->Flags & IRP_PAGING_IO) || (Irp->Flags & IRP_SYNCHRONOUS_PAGING_IO) ? '*' : ' ',
fullPathName,
currentIrpStack->Parameters.Write.ByteOffset.LowPart,
currentIrpStack->Parameters.Write.Length );
}
break;
case IRP_MJ_CLOSE:
UpdateStore( seq, &timeStampStart, "%stIRP_MJ_CLOSEt%st", name, fullPathName );
//
// This fileobject/name association can be discarded now.
//
FilemonFreeHashEntry( fileObject );
break;
case IRP_MJ_FLUSH_BUFFERS:
UpdateStore( seq, &timeStampStart, "%stIRP_MJ_FLUSHt%st", name, fullPathName );
break;
case IRP_MJ_QUERY_INFORMATION:
UpdateStore( seq, &timeStampStart, "%stIRP_MJ_QUERY_INFORMATIONt%st%s",
name, fullPathName,
FileInformation[currentIrpStack->Parameters.QueryFile.FileInformationClass] );
break;
case IRP_MJ_SET_INFORMATION:
UpdateStore( seq, &timeStampStart, "%stIRP_MJ_SET_INFORMATIONt%st%s",
name, fullPathName,
FileInformation[currentIrpStack->Parameters.SetFile.FileInformationClass] );
break;
case IRP_MJ_QUERY_EA:
UpdateStore( seq, &timeStampStart, "%stIRP_MJ_QUERY_EAt%st", name, fullPathName );
break;
case IRP_MJ_SET_EA:
UpdateStore( seq, &timeStampStart, "%stIRP_MJ_SET_EAt%st", name, fullPathName );
break;
case IRP_MJ_QUERY_VOLUME_INFORMATION:
UpdateStore( seq, &timeStampStart, "%stIRP_MJ_QUERY_VOLUME_INFORMATIONt%st%s",
name, fullPathName,
VolumeInformation[currentIrpStack->Parameters.QueryVolume.FsInformationClass] );
break;
case IRP_MJ_SET_VOLUME_INFORMATION:
UpdateStore( seq, &timeStampStart, "%stIRP_MJ_SET_VOLUME_INFORMATIONt%st",
name, fullPathName );
break;
case IRP_MJ_DIRECTORY_CONTROL:
switch( currentIrpStack->MinorFunction ) {
case IRP_MN_NOTIFY_CHANGE_DIRECTORY:
UpdateStore( seq, &timeStampStart, "%stIRP_MJ_DIRECTORY_CONTROLt%stChange Notify",
name, fullPathName );
break;
case IRP_MN_QUERY_DIRECTORY:
UpdateStore( seq, &timeStampStart, "%stIRP_MJ_DIRECTORY_CONTROLt%st%s",
name, fullPathName,
FileInformation[((PQUERY_DIRECTORY)&currentIrpStack->Parameters)->FileInformationClass]);
break;
default:
UpdateStore( seq, &timeStampStart, "%stIRP_MJ_DIRECTORY_CONTROLt%st",
name, fullPathName );
break;
}
break;
case IRP_MJ_FILE_SYSTEM_CONTROL:
UpdateStore( seq, &timeStampStart, "%st%st%st%s",
name,
ControlCodeString( currentIrpStack,
currentIrpStack->Parameters.DeviceIoControl.IoControlCode,
controlCodeBuffer, optionString ),
fullPathName, optionString );
break;
case IRP_MJ_SHUTDOWN:
UpdateStore( seq, &timeStampStart, "%stIRP_MJ_SHUTDOWNtt", name );
break;
case IRP_MJ_LOCK_CONTROL:
UpdateStore( seq, &timeStampStart, "%stIRP_MJ_LOCK_CONTROLt%stOffset: %d Length: %d",
name, fullPathName,
((PLOCK_CONTROL)&currentIrpStack->Parameters)->ByteOffset.LowPart,
((PLOCK_CONTROL)&currentIrpStack->Parameters)->Length ?
((PLOCK_CONTROL)&currentIrpStack->Parameters)->Length->LowPart : 0 );
break;
case IRP_MJ_CLEANUP:
UpdateStore( seq, &timeStampStart, "%stIRP_MJ_CLEANUPt%st", name, fullPathName );
break;
case IRP_MJ_DEVICE_CONTROL:
UpdateStore( seq, &timeStampStart, "%stIRP_MJ_DEVICE_CONTROLt%stIOCTL: 0x%X", name,
fullPathName, currentIrpStack->Parameters.DeviceIoControl.IoControlCode );
break;
case IRP_MJ_QUERY_SECURITY:
UpdateStore( seq, &timeStampStart, "%stIRP_MJ_QUERY_SECURITYt%st",
name, fullPathName );
break;
case IRP_MJ_SET_SECURITY:
UpdateStore( seq, &timeStampStart, "%stIRP_MJ_SET_SECURITYt%st",
name, fullPathName );
break;
case IRP_MJ_PNP_POWER:
UpdateStore( seq, &timeStampStart, "%stIRP_MJ_PNP_POWERt%st",
name, fullPathName );
break;
default:
UpdateStore( seq, &timeStampStart, "%st*UNKNOWN* 0x%Xtt", name, currentIrpStack->MajorFunction );
break;
}
} else {
//
// Do name processing for the sake of keeping the hash table current
//
switch( currentIrpStack->MajorFunction ) {
case IRP_MJ_CLOSE:
//
// This fileobject/name association can be discarded now.
//
FilemonFreeHashEntry( fileObject );
break;
}
}
//
// Free the buffer
//
if ( fullPathName ) {
ExFreePool( fullPathName );
}
//
// Copy parameters down to next level in the stack for the driver below us
//
*nextIrpStack = *currentIrpStack;
//
// If an unload isn't in progress, we should register a completion callback
// so that the IRP's return status can be examined.
//
KeAcquireSpinLock( &CountMutex, &oldirql );
if( !UnloadInProgress && FilterOn ) {
//
// Increment the outstanding IRP count since this IRP will be headed
// for our completion routine
//
OutstandingIRPCount++;
//
// Grab the time stamp and store it in the current stack location. This
// is legal since the stack location is ours, and we're done looking at
// the parameters. This makes it easy to pass this to the completion routine. The
// DiskPerf example in the NT DDK uses this trick.
//
if( TimeIsDuration ) {
currentIrpStack->Parameters.Read.ByteOffset = KeQueryPerformanceCounter((PVOID)NULL);
currentIrpStack->Parameters.Read.Length = 1;
} else {
currentIrpStack->Parameters.Read.ByteOffset = timeStampStart;
currentIrpStack->Parameters.Read.Length = 0;
}
IoSetCompletionRoutine( Irp, FilemonHookDone, (void *)seq, TRUE, TRUE, TRUE );
} else {
//
// Set no completion routine
//
IoSetCompletionRoutine( Irp, FilemonHookDone, NULL, FALSE, FALSE, FALSE );
}
KeReleaseSpinLock( &CountMutex, oldirql );
//
// Return the results of the call to the caller
//
return IoCallDriver( hookExt->FileSystem, Irp );
}
//----------------------------------------------------------------------
//
// FilemonDeviceRoutine
//
// In this routine we handle requests to our own device. The only
// requests we care about handling explicitely are IOCTL commands that
// we will get from the GUI. We also expect to get Create and Close
// commands when the GUI opens and closes communications with us.
//
//----------------------------------------------------------------------
NTSTATUS FilemonDeviceRoutine( IN PDEVICE_OBJECT DeviceObject, IN PIRP Irp )
{
PIO_STACK_LOCATION irpStack;
PVOID inputBuffer;
PVOID outputBuffer;
ULONG inputBufferLength;
ULONG outputBufferLength;
ULONG ioControlCode;
//
// Go ahead and set the request up as successful
//
Irp->IoStatus.Status = STATUS_SUCCESS;
Irp->IoStatus.Information = 0;
//
// Get a pointer to the current location in the Irp. This is where
// the function codes and parameters are located.
//
irpStack = IoGetCurrentIrpStackLocation (Irp);
//
// Get the pointer to the input/output buffer and its length
//
inputBuffer = Irp->AssociatedIrp.SystemBuffer;
inputBufferLength = irpStack->Parameters.DeviceIoControl.InputBufferLength;
outputBuffer = Irp->AssociatedIrp.SystemBuffer;
outputBufferLength = irpStack->Parameters.DeviceIoControl.OutputBufferLength;
ioControlCode = irpStack->Parameters.DeviceIoControl.IoControlCode;
switch (irpStack->MajorFunction) {
case IRP_MJ_CREATE:
DbgPrint(("Filemon: IRP_MJ_CREATEn"));
//
// Start the sequence number at 0
//
Sequence = 0;
break;
case IRP_MJ_CLOSE:
DbgPrint(("Filemon: IRP_MJ_CLOSEn"));
//
// A GUI is closing communication
//
FilterOn = FALSE;
//
// If the GUI has no more references to us, reset the output
// buffers and hash table.
//
FilemonResetStore();
FilemonHashCleanup();
//
// Disconnect from file systems
//
HookDriveSet( 0, DeviceObject->DriverObject );
break;
case IRP_MJ_DEVICE_CONTROL:
//
// This path will never execute because we have registered a
// fast I/O path for device control. That means that the fast I/O entry
// point will ALWAYS be called for Device Control operations
//
DbgPrint (("Filemon: IRP_MJ_DEVICE_CONTROLn"));
//
// Get output buffer if its passed as an MDL
//
if( Irp->MdlAddress ) {
outputBuffer = MmGetSystemAddressForMdl( Irp->MdlAddress );
}
//
// Its a request from the GUI. Simply call our fast handler.
//
FilemonFastIoDeviceControl( irpStack->FileObject, TRUE,
inputBuffer, inputBufferLength,
outputBuffer, outputBufferLength,
ioControlCode, &Irp->IoStatus, DeviceObject );
break;
}
//
// Complete the IRP
//
IoCompleteRequest( Irp, IO_NO_INCREMENT );
return STATUS_SUCCESS;
}
//----------------------------------------------------------------------
//
// FilemonDispatch
//
// Based on which device the Irp is destined for we call either the
// filesystem filter function, or our own device handling routine.
//
//----------------------------------------------------------------------
NTSTATUS FilemonDispatch( IN PDEVICE_OBJECT DeviceObject, IN PIRP Irp )
{
//
// Determine if its a request from the GUI to us, or one that is
// directed at a file system driver that we've hooked
//
if ( GUIDevice != DeviceObject ) {
return( FilemonHookRoutine( DeviceObject, Irp ));
} else {
return( FilemonDeviceRoutine( DeviceObject, Irp ));
}
}
//----------------------------------------------------------------------
//
// FilemonUnload
//
// Our job is done - time to leave.
//
//----------------------------------------------------------------------
VOID FilemonUnload( IN PDRIVER_OBJECT DriverObject )
{
WCHAR deviceLinkBuffer[] = L"\DosDevices\Filemon";
UNICODE_STRING deviceLinkUnicodeString;
//
// Disconnect from file systems
//
HookDriveSet( 0, DriverObject );
UnhookSpecialFs( NPFS );
UnhookSpecialFs( MSFS );
//
// Delete the symbolic link for our GUI device
//
RtlInitUnicodeString( &deviceLinkUnicodeString, deviceLinkBuffer );
IoDeleteSymbolicLink( &deviceLinkUnicodeString );
DbgPrint(("Filemon.SYS: unloadingn"));
//
// Delete the device object, making sure that the GUI device
// object is always deleted.
//
if ( GUIDevice == DriverObject->DeviceObject ) {
IoDeleteDevice( DriverObject->DeviceObject );
} else {
IoDeleteDevice( DriverObject->DeviceObject );
IoDeleteDevice( GUIDevice );
}
DbgPrint(("Filemon.SYS: deleted devicesn"));
//
// Now we can free any memory that is allocated
//
FilemonFreeFilters();
FilemonHashCleanup();
FilemonFreeStore();
//
// Delete the resources
//
ExDeleteResourceLite( &FilterResource );
ExDeleteResourceLite( &HashResource );
DbgPrint(("Filemon.SYS: freed memoryn"));
}
//----------------------------------------------------------------------
//
// DriverEntry
//
// Installable driver initialization. Here we just set ourselves up.
//
//----------------------------------------------------------------------
NTSTATUS DriverEntry(IN PDRIVER_OBJECT DriverObject, IN PUNICODE_STRING RegistryPath )
{
NTSTATUS ntStatus;
WCHAR deviceNameBuffer[] = L"\Device\Filemon";
UNICODE_STRING deviceNameUnicodeString;
WCHAR deviceLinkBuffer[] = L"\DosDevices\Filemon";
UNICODE_STRING deviceLinkUnicodeString;
ULONG i;
DbgPrint (("Filemon.SYS: entering DriverEntryn"));
FilemonDriver = DriverObject;
//
// If not NT 4.0 Final Release, shorten the Fast I/O table so that Filemon
// will work on the Betas and Release Candidates
//
if( *NtBuildNumber < NT4FINAL ) {
FastIOHook.SizeOfFastIoDispatch = (ULONG) &FastIOHook.FastIoQueryNetworkOpenInfo -
(ULONG) &FastIOHook;
}
//
// Setup the device name
//
RtlInitUnicodeString (&deviceNameUnicodeString,
deviceNameBuffer );
//
// Create the device used for GUI communications
//
ntStatus = IoCreateDevice ( DriverObject,
0,
&deviceNameUnicodeString,
FILE_DEVICE_FILEMON,
0,
TRUE,
&GUIDevice );
//
// If successful, make a symbolic link that allows for the device
// object's access from Win32 programs
//
if (NT_SUCCESS(ntStatus)) {
//
// Create a symbolic link that the GUI can specify to gain access
// to this driver/device
//
RtlInitUnicodeString (&deviceLinkUnicodeString,
deviceLinkBuffer );
ntStatus = IoCreateSymbolicLink (&deviceLinkUnicodeString,
&deviceNameUnicodeString );
if (!NT_SUCCESS(ntStatus)) {
DbgPrint (("Filemon.SYS: IoCreateSymbolicLink failedn"));
}
//
// Create dispatch points for all routines that must be handled.
// All entry points are registered since we might filter a
// file system that processes all of them.
//
for( i = 0; i <= IRP_MJ_MAXIMUM_FUNCTION; i++ ) {
DriverObject->MajorFunction[i] = FilemonDispatch;
}
#if DBG
//
// Driver unload is only set if we are debugging Filemon. This is
// because unloading a filter is not really safe - threads could
// be in our fastio routines (or about to enter them), and there is
// no way to tell. When debugging, we can risk the occasional
// unload crash as a trade-off for not having to reboot as often.
//
DriverObject->DriverUnload = FilemonUnload;
#endif
//
// Set up the Fast I/O dispatch table
//
DriverObject->FastIoDispatch = &FastIOHook;
}
//
// If something went wrong, cleanup the device object and don't load
//
if (!NT_SUCCESS(ntStatus)) {
DbgPrint(("Filemon: Failed to create our device!n"));
if( GUIDevice ) {
IoDeleteDevice( GUIDevice );
}
return ntStatus;
}
//
// Initialize the drive map
//
for(i = 0; i < 26; i++ ) LDriveMap[i] = 0;
//
// Initialize the name hash table
//
for(i = 0; i < NUMHASH; i++ ) HashTable[i] = NULL;
//
// Find the process name offset
//
ProcessNameOffset = FilemonGetProcessNameOffset();
//
// Initialize the synchronization objects
//
KeInitializeSpinLock( &CountMutex );
ExInitializeFastMutex( &StoreMutex );
ExInitializeResourceLite( &FilterResource );
ExInitializeResourceLite( &HashResource );
//
// Allocate the first output buffer
//
Store = ExAllocatePool( NonPagedPool, sizeof(*Store) );
if ( !Store ) {
//
// Oops - we can't do anything without at least one buffer
//
IoDeleteDevice( GUIDevice );
return STATUS_INSUFFICIENT_RESOURCES;
}
//
// Set the buffer pointer to the start of the buffer just allocated
//
Store->Len = 0;
Store->Next = NULL;
NumStore = 1;
return ntStatus;
}