开发者

MiniFilter driver. Filter attaching problems

开发者 https://www.devze.com 2023-03-04 16:56 出处:网络
I\'m developing a miniFilter driver and took the Microsoft\'s SwapBuffers miniFilter as example. An InstaceSetup routin by default is attaching to all volumes. But I don\'t want

I'm developing a miniFilter driver and took the Microsoft's SwapBuffers miniFilter as example. An InstaceSetup routin by default is attaching to all volumes. But I don't want to attach to all of them, only to some choosen...

I tried to set "NULL" instead of "InstanceSetup" in "FLT_REGISTRATION FilterRegistration" and then to call "FltAttachVolume" in the "DriverEntry" routin. I've done the following:

PFLT_VOLUME vol; UNICODE_STRING vname; .... RtlInitUnicodeString(&vname, L"E:\"); FltGetVolumeFromName(gFilterHandle, &vname, &vol); ... FltAttachVolume(gFilterHandle, vol, NULL, NULL); ...

When i tried to call FltAttachVolume with the "NULL" 3-d parameter (PCUNICODE_STRING InstanceName) i received a "STATUS_FLT_INSTANCE_NAME_COLLISION" error.

If i call FltAttachVolume with a "NOT NULL" 3-d parameter, such as a "UniqueInstaceName" it returns me "-2145452013".

I'm receiving the same errors, when i,m trying to attach a volume, using a FilterAttach routine from my User application, like this:

... driver.driverName = L"swapBuffers"; ... LPCWSTR vname = L"F:\"; ... FilterAttach(driver.driverName, vname, NULL, NULL, NULL);

With "NULL" 3-d parameter (LPCWSTR lpInstanceName): "ERROR_FLT_INSTANCE_NAME_COLLISION"

With "NOT-NULL": "-2145452013".

In MiniSpy miniFilter there is a User application, and the routine FilterAttach is used. I tried to call this routine in my application the same way - no results.

Finally, i changed the swapBuffers inf-file:

  • there was no DefaultInstance parameter, i set it: "SwapBuffers - Top Instance".
  • also i copied this from the MiniSpy inf-file:

    [MiniFilter.AddRegistry] HKR,"Instances","DefaultInstance",0x00000000,%DefaultInstance% HKR,"Instances\"%Instance1.Name%,"Altitude",0x00000000,%Instance1.Altitude% HKR,"Instances\"%Instance1.Name%,"Flags",0x00010001,%Instance1.Flags% HKR,"Instances\"%Instance2.Name%,"Altitude",0x00000000,%Instance2.Altitude% HKR,"Instances\"%Instance2.Name%,"Flags",0x00010001,%Instance2.Flags% HKR,"Instances\"%Instance3.Name%,"Altitude",0x00000000,%Instance3.Altitude% HKR,"Instances\"%Instance3.Name%,"Flags",0x00010001,%Instance3.Flags%

    ............. Instance1.Name = "SwapBuffers - Middle Instance" Instance1.Altitude = "370000" Instance1.Flags = 0x1 ; Suppress automatic attachments Instance2.Name = "SwapBuffers - Bottom Instance" Instance2.Altitude = "361000" Instance2.Flags = 0x1 ; Suppress automatic attachments Instance3.Name = "SwapBuffers - Top Instance" Instance3.Altitude = "385100" Instance3.Flags = 0x1 ; Suppress automatic attachments

changing the flags to 0x1 to suppress automatic attachments. And only installing my SwapBuffers miniFilter through t开发者_开发技巧his Inf file, i received "STATUS_SUCCESS" from FltAttachVolume routine in my driver. But it isn't really attaching to the disk...

What am i doing wrong? Thanks.


Instance1.Flags = 0x1 

That is fine. I have somewhat similar code and that works fine.

status = FltRegisterFilter( DriverObject,
                            &FilterRegistration,
                            &gFilterHandle );

FLT_ASSERT( NT_SUCCESS( status ) );

if (NT_SUCCESS( status )) {
    PSECURITY_DESCRIPTOR sd;
    OBJECT_ATTRIBUTES oa;
    UNICODE_STRING uniString;

    status = FltBuildDefaultSecurityDescriptor(&sd,
        FLT_PORT_ALL_ACCESS);

    if (!NT_SUCCESS(status)) {
        return status;
    }

    RtlInitUnicodeString(&uniString, PORT_NAME);

    InitializeObjectAttributes(&oa,
        &uniString,
        OBJ_KERNEL_HANDLE | OBJ_CASE_INSENSITIVE,
        NULL,
        sd);

    status = FltCreateCommunicationPort(gFilterHandle,
        &gServerPort,
        &oa,
        NULL,
        Connect,
        Disconnect,
        Message,
        1);

    FltFreeSecurityDescriptor(sd);

    BREAK_HERE(); // DbgBreak() macro

    //
    //  Start filtering i/o
    //

    status = FltStartFiltering(gFilterHandle);

    if (!NT_SUCCESS(status)) {

        FltUnregisterFilter(gFilterHandle);
    }
    else {
        RtlInitUnicodeString(&uniString, L"\\Device\\HarddiskVolume1");
        PFLT_VOLUME vol;
        FltGetVolumeFromName(gFilterHandle, &uniString, &vol);
        status = FltAttachVolume(gFilterHandle, vol, NULL, NULL);
        // status == 0x0 at that point and the mini filter is attached to the Volume
    }
}

I normally attach to all volumes but I wanted to try attaching to a single volume and it works fine.

0

精彩评论

暂无评论...
验证码 换一张
取 消