/*
 * Internal (non-public) filter manager declarations: the common object
 * header, per-frame / filter / instance / volume state, communication port
 * objects, the CCB union, and prototypes for internal helpers and IRP
 * dispatch routines.
 *
 * NOTE(review): the "size = ..." remarks on some structures are descriptive
 * only; nothing in this header enforces them. The FLT_OBJECT and FLT_INSTANCE
 * figures appear to add up only with 32-bit pointers - confirm before relying
 * on any of them (for example when matching offsets in a debugger).
 */
#ifndef _FLTMGR_INTERNAL_H
#define _FLTMGR_INTERNAL_H


/* Number of slots in FLT_FILTER.SupportedContexts. */
#define MAX_CONTEXT_TYPES 6


/*
 * Bits stored in FLT_OBJECT.Flags. The two low values are state bits; the
 * three high values identify which kind of object embeds the header.
 */
typedef enum _FLT_OBJECT_FLAGS
{
    FLT_OBFL_DRAINING = 1,
    FLT_OBFL_ZOMBIED = 2,
    FLT_OBFL_TYPE_INSTANCE = 0x1000000,
    FLT_OBFL_TYPE_FILTER = 0x2000000,
    FLT_OBFL_TYPE_VOLUME = 0x4000000

} FLT_OBJECT_FLAGS, *PFLT_OBJECT_FLAGS;

/* Bits stored in FLT_FILTER.Flags. */
typedef enum _FLT_FILTER_FLAGS
{
    FLTFL_MANDATORY_UNLOAD_IN_PROGRESS = 1,
    FLTFL_FILTERING_INITIATED = 2

} FLT_FILTER_FLAGS, *PFLT_FILTER_FLAGS;

/*
 * Common header embedded as the first member (Base) of FLT_FILTER,
 * FLT_INSTANCE and FLT_VOLUME.
 *
 * NOTE(review): Flags is volatile but PointerCount is a plain ULONG. Confirm
 * that FltpObjectPointerReference / FltpObjectPointerDereference update it
 * with interlocked operations; a non-atomic count on a shared object can
 * drift and let the object be released while a reference is still held.
 */
typedef struct _FLT_OBJECT // size = 0x14
{
    volatile FLT_OBJECT_FLAGS Flags;
    ULONG PointerCount;
    // presumably used with the FltpEx*RundownProtection helpers declared below
    EX_RUNDOWN_REF RundownRef;
    LIST_ENTRY PrimaryLink;

} FLT_OBJECT, *PFLT_OBJECT;

/*
 * Node describing one registered context allocation. Nodes are chained
 * through Next; FLT_FILTER holds both a list head and a per-type array of
 * these.
 */
typedef struct _ALLOCATE_CONTEXT_HEADER
{
    PFLT_FILTER Filter;
    PFLT_CONTEXT_CLEANUP_CALLBACK ContextCleanupCallback;
    struct _ALLOCATE_CONTEXT_HEADER *Next;
    FLT_CONTEXT_TYPE ContextType;
    char Flags;
    char AllocationType;

} ALLOCATE_CONTEXT_HEADER, *PALLOCATE_CONTEXT_HEADER;

/* List head bundled with an ERESOURCE and an entry count (presumably rLock guards rList and rCount). */
typedef struct _FLT_RESOURCE_LIST_HEAD
{
    ERESOURCE rLock;
    LIST_ENTRY rList;
    ULONG rCount;

} FLT_RESOURCE_LIST_HEAD, *PFLT_RESOURCE_LIST_HEAD;

/* List head bundled with a FAST_MUTEX and an entry count (presumably mLock guards mList and mCount). */
typedef struct _FLT_MUTEX_LIST_HEAD
{
    FAST_MUTEX mLock;
    LIST_ENTRY mList;
    ULONG mCount;

} FLT_MUTEX_LIST_HEAD, *PFLT_MUTEX_LIST_HEAD;

/*
 * Signature/size pair placed first in FLTP_FRAME, STREAM_LIST_CTRL and
 * FLT_CCB.
 *
 * NOTE(review): presumably a type tag; confirm that code checks Signature
 * (and Size) before treating a pointer as the containing structure.
 */
typedef struct _FLT_TYPE
{
    USHORT Signature;
    USHORT Size;

} FLT_TYPE, *PFLT_TYPE;

// http://fsfilters.blogspot.co.uk/2010/02/filter-manager-concepts-part-1.html
/*
 * Per-frame state: altitude interval, registered filters, attached volumes
 * and file systems, and the IRP-control lookaside lists.
 *
 * Three members are commented out below, so the offsets of the members that
 * follow them are those of this definition only.
 */
typedef struct _FLTP_FRAME
{
    FLT_TYPE Type;
    LIST_ENTRY Links;
    unsigned int FrameID;
    ERESOURCE AltitudeLock;
    UNICODE_STRING AltitudeIntervalLow;
    UNICODE_STRING AltitudeIntervalHigh;
    char LargeIrpCtrlStackSize;
    char SmallIrpCtrlStackSize;
    FLT_RESOURCE_LIST_HEAD RegisteredFilters;
    FLT_RESOURCE_LIST_HEAD AttachedVolumes;
    LIST_ENTRY MountingVolumes;
    FLT_MUTEX_LIST_HEAD AttachedFileSystems;
    FLT_MUTEX_LIST_HEAD ZombiedFltObjectContexts;
    ERESOURCE FilterUnloadLock;
    FAST_MUTEX DeviceObjectAttachLock;
    //FLT_PRCB *Prcb;
    void *PrcbPoolToFree;
    void *LookasidePoolToFree;
    //FLTP_IRPCTRL_STACK_PROFILER IrpCtrlStackProfiler;
    NPAGED_LOOKASIDE_LIST SmallIrpCtrlLookasideList;
    NPAGED_LOOKASIDE_LIST LargeIrpCtrlLookasideList;
    //STATIC_IRP_CONTROL GlobalSIC;

} FLTP_FRAME, *PFLTP_FRAME;

/*
 * Per-filter state: identity (Name, DefaultAltitude, DriverObject), the
 * callbacks stored for the filter, its supported contexts, and the lists of
 * instances, opens, connections and ports.
 *
 * PreVolumeMount and PostVolumeMount are stored as untyped PVOID, unlike the
 * other callbacks, so the compiler cannot check their signature at call sites.
 */
typedef struct _FLT_FILTER // size = 0x120
{
    FLT_OBJECT Base;
    PFLTP_FRAME Frame;
    UNICODE_STRING Name;
    UNICODE_STRING DefaultAltitude;
    FLT_FILTER_FLAGS Flags;
    PDRIVER_OBJECT DriverObject;
    FLT_RESOURCE_LIST_HEAD InstanceList;
    PVOID VerifierExtension;
    PFLT_FILTER_UNLOAD_CALLBACK FilterUnload;
    PFLT_INSTANCE_SETUP_CALLBACK InstanceSetup;
    PFLT_INSTANCE_QUERY_TEARDOWN_CALLBACK InstanceQueryTeardown;
    PFLT_INSTANCE_TEARDOWN_CALLBACK InstanceTeardownStart;
    PFLT_INSTANCE_TEARDOWN_CALLBACK InstanceTeardownComplete;
    PALLOCATE_CONTEXT_HEADER SupportedContextsListHead;
    // NOTE(review): presumably indexed by context type; confirm every index is checked against MAX_CONTEXT_TYPES
    PALLOCATE_CONTEXT_HEADER SupportedContexts[MAX_CONTEXT_TYPES];
    PVOID PreVolumeMount;
    PVOID PostVolumeMount;
    PFLT_GENERATE_FILE_NAME GenerateFileName;
    PFLT_NORMALIZE_NAME_COMPONENT NormalizeNameComponent;
    PFLT_NORMALIZE_CONTEXT_CLEANUP NormalizeContextCleanup;
    PFLT_OPERATION_REGISTRATION Operations;
    PFLT_FILTER_UNLOAD_CALLBACK OldDriverUnload;
    FLT_MUTEX_LIST_HEAD ActiveOpens;
    FLT_MUTEX_LIST_HEAD ConnectionList;
    FLT_MUTEX_LIST_HEAD PortList;
    EX_PUSH_LOCK PortLock;

} FLT_FILTER, *PFLT_FILTER;

/*
 * Bits stored in FLT_INSTANCE.Flags.
 *
 * NOTE(review): the enum tag is spelled _FLT_yINSTANCE_FLAGS, which looks
 * like a typo for _FLT_INSTANCE_FLAGS. The typedef names are unaffected;
 * confirm nothing references the tag before renaming it.
 */
typedef enum _FLT_yINSTANCE_FLAGS
{
    INSFL_CAN_BE_DETACHED = 0x01,
    INSFL_DELETING = 0x02,
    INSFL_INITING = 0x04

} FLT_INSTANCE_FLAGS, *PFLT_INSTANCE_FLAGS;



/*
 * Per-instance state linking one filter to one volume.
 *
 * Several members are held as PVOID; the trailing comments name the type
 * each one is meant to carry, so every use involves an unchecked cast.
 */
typedef struct _FLT_INSTANCE // size = 0x144 (324)
{
    FLT_OBJECT Base;
    // declared ULONG here, whereas other rundown references in this header are EX_RUNDOWN_REF - TODO confirm intent
    ULONG OperationRundownRef;
    PVOID Volume; //PFLT_VOLUME
    PFLT_FILTER Filter;
    FLT_INSTANCE_FLAGS Flags;
    UNICODE_STRING Altitude;
    UNICODE_STRING Name;
    LIST_ENTRY FilterLink;
    ERESOURCE ContextLock;
    PVOID Context; //PCONTEXT_NODE
    PVOID TrackCompletionNodes; //PRACK_COMPLETION_NODES (sic; presumably PTRACK_COMPLETION_NODES)
    // Same literal length as the CALLBACK_CTRL arrays. NOTE(review): presumably
    // indexed per operation; keep the three lengths in sync and bounds-check any
    // index derived from a request against 50.
    PVOID CallbackNodes[50]; //PCALLBACK_NODE

} FLT_INSTANCE, *PFLT_INSTANCE;


/* Root pointer of a splay tree (RTL_SPLAY_LINKS). */
typedef struct _TREE_ROOT
{
    RTL_SPLAY_LINKS *Tree;

} TREE_ROOT, *PTREE_ROOT;

/* Context collection; currently just a wrapper around a TREE_ROOT. */
typedef struct _CONTEXT_LIST_CTRL
{
    TREE_ROOT List;

} CONTEXT_LIST_CTRL, *PCONTEXT_LIST_CTRL;

// http://fsfilters.blogspot.co.uk/2010/02/filter-manager-concepts-part-6.html
/*
 * Per-stream control block holding stream and stream-handle contexts and
 * name-cache state.
 *
 * Flags and the three name-cache members are declared as ULONG placeholders;
 * the trailing comments name the intended types. NOTE(review): because of
 * those placeholders the size remark may not describe this definition.
 */
typedef struct _STREAM_LIST_CTRL // size = 0xC8 (200)
{
    FLT_TYPE Type;
    FSRTL_PER_STREAM_CONTEXT ContextCtrl;
    LIST_ENTRY VolumeLink;
    ULONG Flags; //STREAM_LIST_CTRL_FLAGS Flags;
    int UseCount;
    ERESOURCE ContextLock;
    CONTEXT_LIST_CTRL StreamContexts;
    CONTEXT_LIST_CTRL StreamHandleContexts;
    ERESOURCE NameCacheLock;
    LARGE_INTEGER LastRenameCompleted;
    ULONG NormalizedNameCache; //NAME_CACHE_LIST_CTRL NormalizedNameCache;
    ULONG ShortNameCache; // NAME_CACHE_LIST_CTRL ShortNameCache;
    ULONG OpenedNameCache; // NAME_CACHE_LIST_CTRL OpenedNameCache;
    int AllNameContextsTemporary;

} STREAM_LIST_CTRL, *PSTREAM_LIST_CTRL;


/*
 * Server side of a communication port: the owning filter, its connect /
 * disconnect / message callbacks, and the connection counters.
 *
 * NOTE(review): NumberOfConnections and MaxConnections are signed LONGs.
 * Confirm the connect path rejects a negative limit and compares/updates the
 * count atomically, so concurrent connects cannot exceed MaxConnections.
 */
typedef struct _FLT_SERVER_PORT_OBJECT
{
    LIST_ENTRY FilterLink;
    PFLT_CONNECT_NOTIFY ConnectNotify;
    PFLT_DISCONNECT_NOTIFY DisconnectNotify;
    PFLT_MESSAGE_NOTIFY MessageNotify;
    PFLT_FILTER Filter;
    PVOID Cookie;
    ULONG Flags;
    LONG NumberOfConnections;
    LONG MaxConnections;

} FLT_SERVER_PORT_OBJECT, *PFLT_SERVER_PORT_OBJECT;


/* Queue of message waiters: a cancel-safe queue (IO_CSQ), its list, and the semaphore/event used with it. */
typedef struct _FLT_MESSAGE_WAITER_QUEUE
{
    IO_CSQ Csq;
    FLT_MUTEX_LIST_HEAD WaiterQ;
    ULONG MinimumWaiterLength;
    KSEMAPHORE Semaphore;
    KEVENT Event;

} FLT_MESSAGE_WAITER_QUEUE, *PFLT_MESSAGE_WAITER_QUEUE;


/*
 * One connection on a communication port: a back pointer to the server
 * port, a rundown reference for message notification, the message queue,
 * and disconnect state.
 */
typedef struct _FLT_PORT_OBJECT
{
    LIST_ENTRY FilterLink;
    PFLT_SERVER_PORT_OBJECT ServerPort;
    PVOID Cookie;
    EX_RUNDOWN_REF MsgNotifRundownRef;
    FAST_MUTEX Lock;
    FLT_MESSAGE_WAITER_QUEUE MsgQ;
    ULONGLONG MessageId;
    KEVENT DisconnectEvent;
    // NOTE(review): presumably read and written under Lock - confirm
    BOOLEAN Disconnected;

} FLT_PORT_OBJECT, *PFLT_PORT_OBJECT;


/* Bits stored in FLT_VOLUME.Flags. */
typedef enum _FLT_VOLUME_FLAGS
{
    VOLFL_NETWORK_FILESYSTEM = 0x1,
    VOLFL_PENDING_MOUNT_SETUP_NOTIFIES = 0x2,
    VOLFL_MOUNT_SETUP_NOTIFIES_CALLED = 0x4,
    VOLFL_MOUNTING = 0x8,
    VOLFL_SENT_SHUTDOWN_IRP = 0x10,
    VOLFL_ENABLE_NAME_CACHING = 0x20,
    VOLFL_FILTER_EVER_ATTACHED = 0x40,
    VOLFL_STANDARD_LINK_NOT_SUPPORTED = 0x80

} FLT_VOLUME_FLAGS, *PFLT_VOLUME_FLAGS;


/* Bits stored per operation in CALLBACK_CTRL.OperationFlags. */
typedef enum _CALLBACK_NODE_FLAGS
{
    CBNFL_SKIP_PAGING_IO = 0x1,
    CBNFL_SKIP_CACHED_IO = 0x2,
    CBNFL_USE_NAME_CALLBACK_EX = 0x4,
    CBNFL_SKIP_NON_DASD_IO = 0x8

} CALLBACK_NODE_FLAGS, *PCALLBACK_NODE_FLAGS;


/*
 * Per-volume callback table: one list head and one flag word for each of 50
 * slots. The same literal 50 sizes FLT_INSTANCE.CallbackNodes.
 *
 * NOTE(review): the meaning of 50 is not stated in this header; a shared
 * named constant would keep the three arrays and their bounds checks in sync.
 */
typedef struct _CALLBACK_CTRL
{
    LIST_ENTRY OperationLists[50];
    CALLBACK_NODE_FLAGS OperationFlags[50];

} CALLBACK_CTRL, *PCALLBACK_CTRL;


/* Counters kept for one name-cache list. */
typedef struct _NAME_CACHE_LIST_CTRL_STATS
{
    ULONG Searches;
    ULONG Hits;
    ULONG Created;
    ULONG Temporary;
    ULONG Duplicate;
    ULONG Removed;
    ULONG RemovedDueToCase;

} NAME_CACHE_LIST_CTRL_STATS, *PNAME_CACHE_LIST_CTRL_STATS;


/* Per-volume name-cache counters, including one NAME_CACHE_LIST_CTRL_STATS for each of the three name kinds. */
typedef struct _NAME_CACHE_VOLUME_CTRL_STATS
{
    ULONG AllContextsTemporary;
    ULONG PurgeNameCache;
    NAME_CACHE_LIST_CTRL_STATS NormalizedNames;
    NAME_CACHE_LIST_CTRL_STATS OpenedNames;
    NAME_CACHE_LIST_CTRL_STATS ShortNames;
    ULONG AncestorLookup;
    ULONG ParentHit;
    ULONG NonParentHit;

} NAME_CACHE_VOLUME_CTRL_STATS, *PNAME_CACHE_VOLUME_CTRL_STATS;


/* Per-volume name-cache control: a FAST_MUTEX, rename bookkeeping and the statistics block. */
typedef struct _NAME_CACHE_VOLUME_CTRL
{
    FAST_MUTEX Lock;
    ULONG AllContextsTemporary;
    LARGE_INTEGER LastRenameCompleted;
    NAME_CACHE_VOLUME_CTRL_STATS Stats;

} NAME_CACHE_VOLUME_CTRL, *PNAME_CACHE_VOLUME_CTRL;


/*
 * Per-volume state: device objects and names, links to the same volume in
 * other frames, attached instances, the callback table, and context and
 * name-cache bookkeeping.
 *
 * PFLT_VOLUME is used for two members before this typedef completes, so it
 * must already be declared by a header included before this one.
 */
typedef struct _FLT_VOLUME
{
    FLT_OBJECT Base;
    FLT_VOLUME_FLAGS Flags;
    FLT_FILESYSTEM_TYPE FileSystemType;
    PDEVICE_OBJECT DeviceObject;
    PDEVICE_OBJECT DiskDeviceObject;
    PFLT_VOLUME FrameZeroVolume;
    PFLT_VOLUME VolumeInNextFrame;
    PFLTP_FRAME Frame;
    UNICODE_STRING DeviceName;
    UNICODE_STRING GuidName;
    UNICODE_STRING CDODeviceName;
    UNICODE_STRING CDODriverName;
    FLT_RESOURCE_LIST_HEAD InstanceList;
    CALLBACK_CTRL Callbacks;
    EX_PUSH_LOCK ContextLock;
    CONTEXT_LIST_CTRL VolumeContexts;
    FLT_RESOURCE_LIST_HEAD StreamListCtrls;
    FLT_RESOURCE_LIST_HEAD FileListCtrls;
    NAME_CACHE_VOLUME_CTRL NameCacheCtrl;
    ERESOURCE MountNotifyLock;
    ULONG TargetedOpenActiveCount;
    EX_PUSH_LOCK TxVolContextListLock;
    TREE_ROOT TxVolContexts;

} FLT_VOLUME, *PFLT_VOLUME;


/* CCB payload for a handle that refers to a frame. */
typedef struct _MANAGER_CCB
{
    PFLTP_FRAME Frame;
    unsigned int Iterator;

} MANAGER_CCB, *PMANAGER_CCB;

/* CCB payload for a handle that refers to a filter. */
typedef struct _FILTER_CCB
{
    PFLT_FILTER Filter;
    unsigned int Iterator;

} FILTER_CCB, *PFILTER_CCB;

/* CCB payload for a handle that refers to an instance. */
typedef struct _INSTANCE_CCB
{
    PFLT_INSTANCE Instance;

} INSTANCE_CCB, *PINSTANCE_CCB;

/* CCB payload for a handle that refers to a volume; the volume is held by name, not by pointer. */
typedef struct _VOLUME_CCB
{
    UNICODE_STRING Volume;
    unsigned int Iterator;

} VOLUME_CCB, *PVOLUME_CCB;

/* CCB payload for a handle that refers to a communication port connection. */
typedef struct _PORT_CCB
{
    PFLT_PORT_OBJECT Port;
    FLT_MUTEX_LIST_HEAD ReplyWaiterList;

} PORT_CCB, *PPORT_CCB;


/* Overlay of the five CCB payloads; the members share storage. */
typedef union _CCB_TYPE
{
    MANAGER_CCB Manager;
    FILTER_CCB Filter;
    INSTANCE_CCB Instance;
    VOLUME_CCB Volume;
    PORT_CCB Port;

} CCB_TYPE, *PCCB_TYPE;


/*
 * Context control block: a type header followed by the payload union.
 *
 * NOTE(review): presumably Type.Signature selects the active member of Data.
 * Confirm every consumer checks it before reading Data; reading the wrong
 * member reinterprets a pointer or a UNICODE_STRING as another type.
 */
typedef struct _FLT_CCB
{
    FLT_TYPE Type;
    CCB_TYPE Data;

} FLT_CCB, *PFLT_CCB;

/*
 * Rundown-protection helpers operating on an EX_RUNDOWN_REF. The meaning of
 * the BOOLEAN / NTSTATUS results is not visible in this header; see the
 * implementations.
 */
VOID
FltpExInitializeRundownProtection(
    _Out_ PEX_RUNDOWN_REF RundownRef
);

BOOLEAN
FltpExAcquireRundownProtection(
    _Inout_ PEX_RUNDOWN_REF RundownRef
);

BOOLEAN
FltpExReleaseRundownProtection(
    _Inout_ PEX_RUNDOWN_REF RundownRef
);

NTSTATUS
NTAPI
FltpObjectRundownWait(
    _Inout_ PEX_RUNDOWN_REF RundownRef
);

BOOLEAN
FltpExRundownCompleted(
    _Inout_ PEX_RUNDOWN_REF RundownRef
);


/*
 * Object-name queries. ObjectName is _Inout_: the caller supplies the
 * UNICODE_STRING. NOTE(review): who allocates and who frees its Buffer is
 * not stated here - confirm against the implementation.
 */
NTSTATUS
FltpGetBaseDeviceObjectName(
    _In_ PDEVICE_OBJECT DeviceObject,
    _Inout_ PUNICODE_STRING ObjectName
);

NTSTATUS
FltpGetObjectName(
    _In_ PVOID Object,
    _Inout_ PUNICODE_STRING ObjectName
);

/*
 * Pointer-count helpers for FLT_OBJECT.
 * NOTE(review): Object is annotated _In_ although, judging by the names, the
 * object's PointerCount is modified; _Inout_ may describe the contract better.
 */
ULONG
FltpObjectPointerReference(
    _In_ PFLT_OBJECT Object
);

VOID
FltpObjectPointerDereference(
    _In_ PFLT_OBJECT Object
);

/*
 * UNICODE_STRING buffer helpers.
 * NOTE(review): String is annotated _In_ in both prototypes, but reallocating
 * or freeing would have to write the string's Buffer and length fields;
 * confirm and consider _Inout_ so static analysis sees the modification.
 * NOTE(review): NewLength is SIZE_T while UNICODE_STRING lengths are USHORT;
 * confirm the implementation rejects values that do not fit.
 */
NTSTATUS
FltpReallocateUnicodeString(
    _In_ PUNICODE_STRING String,
    _In_ SIZE_T NewLength,
    _In_ BOOLEAN CopyExisting
);

VOID
FltpFreeUnicodeString(
    _In_ PUNICODE_STRING String
);



/*
 * IRP entry points (device control, generic dispatch, message create and
 * message dispatch). Implementations are not visible here.
 * NOTE(review): presumably reachable from user-mode requests; buffer
 * pointers and lengths taken from the IRP need validation before use.
 */
NTSTATUS
FltpDeviceControlHandler(
    _In_ PDEVICE_OBJECT DeviceObject,
    _Inout_ PIRP Irp
);

NTSTATUS
FltpDispatchHandler(
    _In_ PDEVICE_OBJECT DeviceObject,
    _Inout_ PIRP Irp
);

NTSTATUS
FltpMsgCreate(
    _In_ PDEVICE_OBJECT DeviceObject,
    _Inout_ PIRP Irp
);

NTSTATUS
FltpMsgDispatch(
    _In_ PDEVICE_OBJECT DeviceObject,
    _Inout_ PIRP Irp
);

/* Sets up the communication objects for the given driver object; details are in the implementation. */
NTSTATUS
FltpSetupCommunicationObjects(
    _In_ PDRIVER_OBJECT DriverObject
);

#endif /* _FLTMGR_INTERNAL_H */