未调用Windows文件筛选器驱动程序IRP回调
未调用Windows文件筛选器驱动程序IRP回调
提问于 2014-12-18 03:38:40
我有一个文件筛选器驱动程序,它不能接收对DriverEntry中注册的IRP的回调。有没有人遇到过这样的问题:他们在FltRegisterFilter中注册的PreOperation和PostOperation回调在他们的文件过滤驱动中没有被调用?
我想我应该测试VS2013文件过滤器驱动程序模板(而不是使用我自己的模板),并立即注意到该驱动程序没有被注册的IRP调用。
在FltRegisterFilter中指定的所有驱动程序回调上,我都得到了调试跟踪输出:
MyFileUnload, // MiniFilterUnload
MyFileInstanceSetup, // InstanceSetup
MyFileInstanceQueryTeardown, // InstanceQueryTeardown
MyFileInstanceTeardownStart, // InstanceTeardownStart
MyFileInstanceTeardownComplete, // InstanceTeardownComplete..。但没有来自同一调用中提供的IRP处理程序。在IRP处理程序中设置断点也不会命中,但在上面的驱动程序回调中会命中断点。
来自Win7 x86目标的驱动程序
kd> !drvobj MyFile
Driver object (84b29168) is for:
\FileSystem\MyFile
Driver Extension List: (id , addr)
Device Object list:
kd>断点
kd> bl
0 e 925b6000 [f:\MyFile\myfile.c @ 75] 0001 (0001) MyFile!DriverEntry
1 e 925b3340 [f:\MyFile\myfile.c @ 264] 0001 (0001) MyFile!MyFilePostOperation
2 e 925b3370 [f:\MyFile\myfile.c @ 143] 0001 (0001) MyFile!MyFilePreOperation回调转储
kd> dt -a10 callbacks
MyFile!Callbacks
[0] @ 925b4068
---------------------------------------------
+0x000 MajorFunction : 0 ''
+0x004 Flags : 0
+0x008 PreOperation : 0x925b3370 _FLT_PREOP_CALLBACK_STATUS MyFile!MyFilePreOperation+0
+0x00c PostOperation : 0x925b3340 _FLT_POSTOP_CALLBACK_STATUS MyFile!MyFilePostOperation+0
+0x010 Reserved1 : (null)
[1] @ 925b407c
---------------------------------------------
+0x000 MajorFunction : 0x1 ''
+0x004 Flags : 0
+0x008 PreOperation : 0x925b3370 _FLT_PREOP_CALLBACK_STATUS MyFile!MyFilePreOperation+0
+0x00c PostOperation : 0x925b3340 _FLT_POSTOP_CALLBACK_STATUS MyFile!MyFilePostOperation+0
+0x010 Reserved1 : (null)
[2] @ 925b4090
---------------------------------------------
+0x000 MajorFunction : 0x2 ''
+0x004 Flags : 0
+0x008 PreOperation : 0x925b3370 _FLT_PREOP_CALLBACK_STATUS MyFile!MyFilePreOperation+0
+0x00c PostOperation : 0x925b3340 _FLT_POSTOP_CALLBACK_STATUS MyFile!MyFilePostOperation+0
+0x010 Reserved1 : (null)
[ ... ]
kd> x Myfile!My*
925b3070 MyFile!MyFileInstanceQueryTeardown (struct _FLT_RELATED_OBJECTS *, unsigned long)
925b3410 MyFile!MyFilePreOperationNoPostOperation (struct _FLT_CALLBACK_DATA *, struct _FLT_RELATED_OBJECTS *, void **)
925b3370 MyFile!MyFilePreOperation (struct _FLT_CALLBACK_DATA *, struct _FLT_RELATED_OBJECTS *, void **)
925b3240 MyFile!MyFileDoRequestOperationStatus (struct _FLT_CALLBACK_DATA *)
925b31c0 MyFile!MyFileUnload (unsigned long)
925b32c0 MyFile!MyFileOperationStatusCallback (struct _FLT_RELATED_OBJECTS *, struct _FLT_IO_PARAMETER_BLOCK *, long, void *)
925b3150 MyFile!MyFileInstanceTeardownStart (struct _FLT_RELATED_OBJECTS *, unsigned long)
925b30e0 MyFile!MyFileInstanceTeardownComplete (struct _FLT_RELATED_OBJECTS *, unsigned long)
925b3340 MyFile!MyFilePostOperation (struct _FLT_CALLBACK_DATA *, struct _FLT_RELATED_OBJECTS *, void *, unsigned long)
925b3000 MyFile!MyFileInstanceSetup (struct _FLT_RELATED_OBJECTS *, unsigned long, unsigned long, _FLT_FILESYSTEM_TYPE)代码片段
// Filter registration
//
CONST FLT_OPERATION_REGISTRATION Callbacks[] = {
{ IRP_MJ_CREATE,
0,
MyFilePreOperation,
MyFilePostOperation },
{ IRP_MJ_CREATE_NAMED_PIPE,
0,
MyFilePreOperation,
MyFilePostOperation },
{ IRP_MJ_CLOSE,
0,
MyFilePreOperation,
MyFilePostOperation },
{ IRP_MJ_READ,
0,
MyFilePreOperation,
MyFilePostOperation },
{ IRP_MJ_WRITE,
0,
MyFilePreOperation,
MyFilePostOperation },
[ ... all other file filter IRPs including fast I/O ... ]
{ IRP_MJ_VOLUME_DISMOUNT,
0,
MyFilePreOperation,
MyFilePostOperation },
{ IRP_MJ_OPERATION_END }
};
CONST FLT_REGISTRATION FilterRegistration = {
sizeof( FLT_REGISTRATION ), // Size
FLT_REGISTRATION_VERSION, // Version
0, // Flags
NULL, // Context
Callbacks, // Operation callbacks
MyFileUnload, // MiniFilterUnload
MyFileInstanceSetup, // InstanceSetup
MyFileInstanceQueryTeardown, // InstanceQueryTeardown
MyFileInstanceTeardownStart, // InstanceTeardownStart
MyFileInstanceTeardownComplete, // InstanceTeardownComplete
NULL, // GenerateFileName
NULL, // GenerateDestinationFileName
NULL // NormalizeNameComponent
};
NTSTATUS
DriverEntry (
_In_ PDRIVER_OBJECT DriverObject,
_In_ PUNICODE_STRING RegistryPath
)
{
NTSTATUS status;
UNREFERENCED_PARAMETER( RegistryPath );
PT_DBG_PRINT( PTDBG_TRACE_ROUTINES,
("MyFile!DriverEntry: Entered\n") );
//
// Register with FltMgr to tell it our callback routines
//
status = FltRegisterFilter( DriverObject,
&FilterRegistration,
&gFilterHandle );
FLT_ASSERT( NT_SUCCESS( status ) );
if (NT_SUCCESS( status )) {
//
// Start filtering i/o
//
status = FltStartFiltering( gFilterHandle );
if (!NT_SUCCESS( status )) {
FltUnregisterFilter( gFilterHandle );
}
}
return status;
}同样,只有DriverEntry和MyFileUnload回调被调用(通过dbg跟踪和活动断点进行验证)。在驱动程序中不会调用IRP处理程序。
感谢您的关注!
回答 1
Stack Overflow用户
发布于 2020-12-30 14:24:01
您可以检查驱动程序的注册表数据。xxxx\实例您的驱动程序名称\标志是0吗?如果不是,则设置0。
页面原文内容由Stack Overflow提供。腾讯云小微IT领域专用引擎提供翻译支持
原文链接:
https://stackoverflow.com/questions/27533495
复制相关文章
相似问题
腾讯云开发者
Copyright © 2013 - 2026 Tencent Cloud. All Rights Reserved. 腾讯云 版权所有
深圳市腾讯计算机系统有限公司 ICP备案/许可证号:粤B2-20090059 
粤公网安备44030502008569号
腾讯云计算(北京)有限责任公司 京ICP证150476号 | 京ICP备11018762号