【发布时间】:2015-02-16 11:13:52
【问题描述】:
我有一个文件过滤器驱动程序没有接收到在 DriverEntry 中注册的 IRP 的回调。有没有人遇到过使用 FltRegisterFilter 注册的 PreOperation 和 PostOperation 回调没有在他们的文件过滤器驱动程序中被调用的问题?
我想我应该测试一下 VS2013 文件过滤器驱动程序模板(而不是自己滚动),并立即注意到驱动程序没有被注册的 IRP 调用。
我正在获取 FltRegisterFilter 中指定的所有驱动程序回调的调试跟踪输出:
MyFileUnload, // MiniFilterUnload
MyFileInstanceSetup, // InstanceSetup
MyFileInstanceQueryTeardown, // InstanceQueryTeardown
MyFileInstanceTeardownStart, // InstanceTeardownStart
MyFileInstanceTeardownComplete, // InstanceTeardownComplete
...但没有来自同一调用中提供的 IRP 处理程序。在 IRP 处理程序中设置断点也不会被命中,但在上述驱动程序回调中会命中断点。
来自 Win7 x86 目标的驱动程序 -
kd> !drvobj MyFile
Driver object (84b29168) is for:
\FileSystem\MyFile
Driver Extension List: (id , addr)
Device Object list:
kd>
断点
kd> bl
0 e 925b6000 [f:\MyFile\myfile.c @ 75] 0001 (0001) MyFile!DriverEntry
1 e 925b3340 [f:\MyFile\myfile.c @ 264] 0001 (0001) MyFile!MyFilePostOperation
2 e 925b3370 [f:\MyFile\myfile.c @ 143] 0001 (0001) MyFile!MyFilePreOperation
回调转储
kd> dt -a10 callbacks
MyFile!Callbacks
[0] @ 925b4068
---------------------------------------------
+0x000 MajorFunction : 0 ''
+0x004 Flags : 0
+0x008 PreOperation : 0x925b3370 _FLT_PREOP_CALLBACK_STATUS MyFile!MyFilePreOperation+0
+0x00c PostOperation : 0x925b3340 _FLT_POSTOP_CALLBACK_STATUS MyFile!MyFilePostOperation+0
+0x010 Reserved1 : (null)
[1] @ 925b407c
---------------------------------------------
+0x000 MajorFunction : 0x1 ''
+0x004 Flags : 0
+0x008 PreOperation : 0x925b3370 _FLT_PREOP_CALLBACK_STATUS MyFile!MyFilePreOperation+0
+0x00c PostOperation : 0x925b3340 _FLT_POSTOP_CALLBACK_STATUS MyFile!MyFilePostOperation+0
+0x010 Reserved1 : (null)
[2] @ 925b4090
---------------------------------------------
+0x000 MajorFunction : 0x2 ''
+0x004 Flags : 0
+0x008 PreOperation : 0x925b3370 _FLT_PREOP_CALLBACK_STATUS MyFile!MyFilePreOperation+0
+0x00c PostOperation : 0x925b3340 _FLT_POSTOP_CALLBACK_STATUS MyFile!MyFilePostOperation+0
+0x010 Reserved1 : (null)
[ ... ]
kd> x Myfile!My*
925b3070 MyFile!MyFileInstanceQueryTeardown (struct _FLT_RELATED_OBJECTS *, unsigned long)
925b3410 MyFile!MyFilePreOperationNoPostOperation (struct _FLT_CALLBACK_DATA *, struct _FLT_RELATED_OBJECTS *, void **)
925b3370 MyFile!MyFilePreOperation (struct _FLT_CALLBACK_DATA *, struct _FLT_RELATED_OBJECTS *, void **)
925b3240 MyFile!MyFileDoRequestOperationStatus (struct _FLT_CALLBACK_DATA *)
925b31c0 MyFile!MyFileUnload (unsigned long)
925b32c0 MyFile!MyFileOperationStatusCallback (struct _FLT_RELATED_OBJECTS *, struct _FLT_IO_PARAMETER_BLOCK *, long, void *)
925b3150 MyFile!MyFileInstanceTeardownStart (struct _FLT_RELATED_OBJECTS *, unsigned long)
925b30e0 MyFile!MyFileInstanceTeardownComplete (struct _FLT_RELATED_OBJECTS *, unsigned long)
925b3340 MyFile!MyFilePostOperation (struct _FLT_CALLBACK_DATA *, struct _FLT_RELATED_OBJECTS *, void *, unsigned long)
925b3000 MyFile!MyFileInstanceSetup (struct _FLT_RELATED_OBJECTS *, unsigned long, unsigned long, _FLT_FILESYSTEM_TYPE)
代码片段
// Filter registration
//
CONST FLT_OPERATION_REGISTRATION Callbacks[] = {
{ IRP_MJ_CREATE,
0,
MyFilePreOperation,
MyFilePostOperation },
{ IRP_MJ_CREATE_NAMED_PIPE,
0,
MyFilePreOperation,
MyFilePostOperation },
{ IRP_MJ_CLOSE,
0,
MyFilePreOperation,
MyFilePostOperation },
{ IRP_MJ_READ,
0,
MyFilePreOperation,
MyFilePostOperation },
{ IRP_MJ_WRITE,
0,
MyFilePreOperation,
MyFilePostOperation },
[ ... all other file filter IRPs including fast I/O ... ]
{ IRP_MJ_VOLUME_DISMOUNT,
0,
MyFilePreOperation,
MyFilePostOperation },
{ IRP_MJ_OPERATION_END }
};
CONST FLT_REGISTRATION FilterRegistration = {
sizeof( FLT_REGISTRATION ), // Size
FLT_REGISTRATION_VERSION, // Version
0, // Flags
NULL, // Context
Callbacks, // Operation callbacks
MyFileUnload, // MiniFilterUnload
MyFileInstanceSetup, // InstanceSetup
MyFileInstanceQueryTeardown, // InstanceQueryTeardown
MyFileInstanceTeardownStart, // InstanceTeardownStart
MyFileInstanceTeardownComplete, // InstanceTeardownComplete
NULL, // GenerateFileName
NULL, // GenerateDestinationFileName
NULL // NormalizeNameComponent
};
NTSTATUS
DriverEntry (
_In_ PDRIVER_OBJECT DriverObject,
_In_ PUNICODE_STRING RegistryPath
)
{
NTSTATUS status;
UNREFERENCED_PARAMETER( RegistryPath );
PT_DBG_PRINT( PTDBG_TRACE_ROUTINES,
("MyFile!DriverEntry: Entered\n") );
//
// Register with FltMgr to tell it our callback routines
//
status = FltRegisterFilter( DriverObject,
&FilterRegistration,
&gFilterHandle );
FLT_ASSERT( NT_SUCCESS( status ) );
if (NT_SUCCESS( status )) {
//
// Start filtering i/o
//
status = FltStartFiltering( gFilterHandle );
if (!NT_SUCCESS( status )) {
FltUnregisterFilter( gFilterHandle );
}
}
return status;
}
同样,只有 DriverEntry 和 MyFileUnload 回调被调用(通过 dbg 跟踪和实时断点进行验证)。驱动程序中不会调用任何 IRP 处理程序。
感谢观看!
【问题讨论】:
-
你的
MyFileInstanceSetup返回成功了吗? -
@user1966831 你好。我面临同样的问题。自从你发帖后你能修复它吗?我会对解决方案感兴趣。
-
我终于在我的案例中发现了这个问题。这是 inf 文件中的输入问题(输入错误的字符串名称)。我希望这会有所帮助。
标签: windows filter callback driver irp