1 #ifndef _FLTMGR_INTERNAL_H 2 #define _FLTMGR_INTERNAL_H 3 4 5 #define MAX_CONTEXT_TYPES 6 6 7 8 typedef enum _FLT_OBJECT_FLAGS 9 { 10 FLT_OBFL_DRAINING = 1, 11 FLT_OBFL_ZOMBIED = 2, 12 FLT_OBFL_TYPE_INSTANCE = 0x1000000, 13 FLT_OBFL_TYPE_FILTER = 0x2000000, 14 FLT_OBFL_TYPE_VOLUME = 0x4000000 15 16 } FLT_OBJECT_FLAGS, *PFLT_OBJECT_FLAGS; 17 18 typedef enum _FLT_FILTER_FLAGS 19 { 20 FLTFL_MANDATORY_UNLOAD_IN_PROGRESS = 1, 21 FLTFL_FILTERING_INITIATED = 2 22 23 } FLT_FILTER_FLAGS, *PFLT_FILTER_FLAGS; 24 25 typedef struct _FLT_OBJECT // size = 0x14 26 { 27 volatile FLT_OBJECT_FLAGS Flags; 28 ULONG PointerCount; 29 EX_RUNDOWN_REF RundownRef; 30 LIST_ENTRY PrimaryLink; 31 32 } FLT_OBJECT, *PFLT_OBJECT; 33 34 typedef struct _ALLOCATE_CONTEXT_HEADER 35 { 36 PFLT_FILTER Filter; 37 PFLT_CONTEXT_CLEANUP_CALLBACK ContextCleanupCallback; 38 struct _ALLOCATE_CONTEXT_HEADER *Next; 39 FLT_CONTEXT_TYPE ContextType; 40 char Flags; 41 char AllocationType; 42 43 } ALLOCATE_CONTEXT_HEADER, *PALLOCATE_CONTEXT_HEADER; 44 45 typedef struct _FLT_RESOURCE_LIST_HEAD 46 { 47 ERESOURCE rLock; 48 LIST_ENTRY rList; 49 ULONG rCount; 50 51 } FLT_RESOURCE_LIST_HEAD, *PFLT_RESOURCE_LIST_HEAD; 52 53 typedef struct _FLT_MUTEX_LIST_HEAD 54 { 55 FAST_MUTEX mLock; 56 LIST_ENTRY mList; 57 ULONG mCount; 58 59 } FLT_MUTEX_LIST_HEAD, *PFLT_MUTEX_LIST_HEAD; 60 61 typedef struct _FLT_FILTER // size = 0x120 62 { 63 FLT_OBJECT Base; 64 PVOID Frame; //FLTP_FRAME 65 UNICODE_STRING Name; 66 UNICODE_STRING DefaultAltitude; 67 FLT_FILTER_FLAGS Flags; 68 PDRIVER_OBJECT DriverObject; 69 FLT_RESOURCE_LIST_HEAD InstanceList; 70 PVOID VerifierExtension; 71 PFLT_FILTER_UNLOAD_CALLBACK FilterUnload; 72 PFLT_INSTANCE_SETUP_CALLBACK InstanceSetup; 73 PFLT_INSTANCE_QUERY_TEARDOWN_CALLBACK InstanceQueryTeardown; 74 PFLT_INSTANCE_TEARDOWN_CALLBACK InstanceTeardownStart; 75 PFLT_INSTANCE_TEARDOWN_CALLBACK InstanceTeardownComplete; 76 PALLOCATE_CONTEXT_HEADER SupportedContextsListHead; 77 PALLOCATE_CONTEXT_HEADER SupportedContexts[MAX_CONTEXT_TYPES]; 78 PVOID PreVolumeMount; 79 PVOID PostVolumeMount; 80 PFLT_GENERATE_FILE_NAME GenerateFileName; 81 PFLT_NORMALIZE_NAME_COMPONENT NormalizeNameComponent; 82 PFLT_NORMALIZE_CONTEXT_CLEANUP NormalizeContextCleanup; 83 PFLT_OPERATION_REGISTRATION Operations; 84 PFLT_FILTER_UNLOAD_CALLBACK OldDriverUnload; 85 FLT_MUTEX_LIST_HEAD ActiveOpens; 86 FLT_MUTEX_LIST_HEAD ConnectionList; 87 FLT_MUTEX_LIST_HEAD PortList; 88 EX_PUSH_LOCK PortLock; 89 90 } FLT_FILTER, *PFLT_FILTER; 91 92 typedef enum _FLT_yINSTANCE_FLAGS 93 { 94 INSFL_CAN_BE_DETACHED = 0x01, 95 INSFL_DELETING = 0x02, 96 INSFL_INITING = 0x04 97 98 } FLT_INSTANCE_FLAGS, *PFLT_INSTANCE_FLAGS; 99 100 typedef struct _FLT_TYPE 101 { 102 USHORT Signature; 103 USHORT Size; 104 105 } FLT_TYPE, *PFLT_TYPE; 106 107 typedef struct _FLT_INSTANCE // size = 0x144 (324) 108 { 109 FLT_OBJECT Base; 110 ULONG OperationRundownRef; 111 PVOID Volume; //PFLT_VOLUME 112 PFLT_FILTER Filter; 113 FLT_INSTANCE_FLAGS Flags; 114 UNICODE_STRING Altitude; 115 UNICODE_STRING Name; 116 LIST_ENTRY FilterLink; 117 ERESOURCE ContextLock; 118 PVOID Context; //PCONTEXT_NODE 119 PVOID TrackCompletionNodes; //PRACK_COMPLETION_NODES 120 PVOID CallbackNodes[50]; //PCALLBACK_NODE 121 122 } FLT_INSTANCE, *PFLT_INSTANCE; 123 124 // http://fsfilters.blogspot.co.uk/2010/02/filter-manager-concepts-part-1.html 125 typedef struct _FLTP_FRAME 126 { 127 FLT_TYPE Type; 128 LIST_ENTRY Links; 129 unsigned int FrameID; 130 ERESOURCE AltitudeLock; 131 UNICODE_STRING AltitudeIntervalLow; 132 UNICODE_STRING AltitudeIntervalHigh; 133 char LargeIrpCtrlStackSize; 134 char SmallIrpCtrlStackSize; 135 FLT_RESOURCE_LIST_HEAD RegisteredFilters; 136 FLT_RESOURCE_LIST_HEAD AttachedVolumes; 137 LIST_ENTRY MountingVolumes; 138 FLT_MUTEX_LIST_HEAD AttachedFileSystems; 139 FLT_MUTEX_LIST_HEAD ZombiedFltObjectContexts; 140 ERESOURCE FilterUnloadLock; 141 FAST_MUTEX DeviceObjectAttachLock; 142 //FLT_PRCB *Prcb; 143 void *PrcbPoolToFree; 144 void *LookasidePoolToFree; 145 //FLTP_IRPCTRL_STACK_PROFILER IrpCtrlStackProfiler; 146 NPAGED_LOOKASIDE_LIST SmallIrpCtrlLookasideList; 147 NPAGED_LOOKASIDE_LIST LargeIrpCtrlLookasideList; 148 //STATIC_IRP_CONTROL GlobalSIC; 149 150 } FLTP_FRAME, *PFLTP_FRAME; 151 152 153 // http://fsfilters.blogspot.co.uk/2010/02/filter-manager-concepts-part-6.html 154 typedef struct _STREAM_LIST_CTRL // size = 0xC8 (200) 155 { 156 FLT_TYPE Type; 157 FSRTL_PER_STREAM_CONTEXT ContextCtrl; 158 LIST_ENTRY VolumeLink; 159 //STREAM_LIST_CTRL_FLAGS Flags; 160 int UseCount; 161 ERESOURCE ContextLock; 162 //CONTEXT_LIST_CTRL StreamContexts; 163 //CONTEXT_LIST_CTRL StreamHandleContexts; 164 ERESOURCE NameCacheLock; 165 LARGE_INTEGER LastRenameCompleted; 166 //NAME_CACHE_LIST_CTRL NormalizedNameCache; 167 // NAME_CACHE_LIST_CTRL ShortNameCache; 168 // NAME_CACHE_LIST_CTRL OpenedNameCache; 169 int AllNameContextsTemporary; 170 171 } STREAM_LIST_CTRL, *PSTREAM_LIST_CTRL; 172 173 174 typedef struct _FLT_SERVER_PORT_OBJECT 175 { 176 LIST_ENTRY FilterLink; 177 PFLT_CONNECT_NOTIFY ConnectNotify; 178 PFLT_DISCONNECT_NOTIFY DisconnectNotify; 179 PFLT_MESSAGE_NOTIFY MessageNotify; 180 PFLT_FILTER Filter; 181 PVOID Cookie; 182 ULONG Flags; 183 LONG NumberOfConnections; 184 LONG MaxConnections; 185 186 } FLT_SERVER_PORT_OBJECT, *PFLT_SERVER_PORT_OBJECT; 187 188 189 typedef struct _FLT_PORT_OBJECT 190 { 191 LIST_ENTRY FilterLink; 192 PFLT_SERVER_PORT_OBJECT ServerPort; 193 PVOID Cookie; 194 EX_RUNDOWN_REF MsgNotifRundownRef; 195 FAST_MUTEX Lock; 196 PVOID MsgQ; // FLT_MESSAGE_WAITER_QUEUE MsgQ; 197 ULONGLONG MessageId; 198 KEVENT DisconnectEvent; 199 BOOLEAN Disconnected; 200 201 } FLT_PORT_OBJECT, *PFLT_PORT_OBJECT; 202 203 204 typedef enum _FLT_VOLUME_FLAGS 205 { 206 VOLFL_NETWORK_FILESYSTEM = 0x1, 207 VOLFL_PENDING_MOUNT_SETUP_NOTIFIES = 0x2, 208 VOLFL_MOUNT_SETUP_NOTIFIES_CALLED = 0x4, 209 VOLFL_MOUNTING = 0x8, 210 VOLFL_SENT_SHUTDOWN_IRP = 0x10, 211 VOLFL_ENABLE_NAME_CACHING = 0x20, 212 VOLFL_FILTER_EVER_ATTACHED = 0x40, 213 VOLFL_STANDARD_LINK_NOT_SUPPORTED = 0x80 214 215 } FLT_VOLUME_FLAGS, *PFLT_VOLUME_FLAGS; 216 217 218 typedef enum _CALLBACK_NODE_FLAGS 219 { 220 CBNFL_SKIP_PAGING_IO = 0x1, 221 CBNFL_SKIP_CACHED_IO = 0x2, 222 CBNFL_USE_NAME_CALLBACK_EX = 0x4, 223 CBNFL_SKIP_NON_DASD_IO = 0x8 224 225 } CALLBACK_NODE_FLAGS, *PCALLBACK_NODE_FLAGS; 226 227 228 typedef struct _CALLBACK_CTRL 229 { 230 LIST_ENTRY OperationLists[50]; 231 CALLBACK_NODE_FLAGS OperationFlags[50]; 232 233 } CALLBACK_CTRL, *PCALLBACK_CTRL; 234 235 typedef struct _TREE_ROOT 236 { 237 RTL_SPLAY_LINKS *Tree; 238 239 } TREE_ROOT, *PTREE_ROOT; 240 241 242 typedef struct _CONTEXT_LIST_CTRL 243 { 244 TREE_ROOT List; 245 246 } CONTEXT_LIST_CTRL, *PCONTEXT_LIST_CTRL; 247 248 typedef struct _NAME_CACHE_LIST_CTRL_STATS 249 { 250 ULONG Searches; 251 ULONG Hits; 252 ULONG Created; 253 ULONG Temporary; 254 ULONG Duplicate; 255 ULONG Removed; 256 ULONG RemovedDueToCase; 257 258 } NAME_CACHE_LIST_CTRL_STATS, *PNAME_CACHE_LIST_CTRL_STATS; 259 260 261 typedef struct _NAME_CACHE_VOLUME_CTRL_STATS 262 { 263 ULONG AllContextsTemporary; 264 ULONG PurgeNameCache; 265 NAME_CACHE_LIST_CTRL_STATS NormalizedNames; 266 NAME_CACHE_LIST_CTRL_STATS OpenedNames; 267 NAME_CACHE_LIST_CTRL_STATS ShortNames; 268 ULONG AncestorLookup; 269 ULONG ParentHit; 270 ULONG NonParentHit; 271 272 } NAME_CACHE_VOLUME_CTRL_STATS, *PNAME_CACHE_VOLUME_CTRL_STATS; 273 274 275 typedef struct _NAME_CACHE_VOLUME_CTRL 276 { 277 FAST_MUTEX Lock; 278 ULONG AllContextsTemporary; 279 LARGE_INTEGER LastRenameCompleted; 280 NAME_CACHE_VOLUME_CTRL_STATS Stats; 281 282 } NAME_CACHE_VOLUME_CTRL, *PNAME_CACHE_VOLUME_CTRL; 283 284 285 typedef struct _FLT_VOLUME 286 { 287 FLT_OBJECT Base; 288 FLT_VOLUME_FLAGS Flags; 289 FLT_FILESYSTEM_TYPE FileSystemType; 290 PDEVICE_OBJECT DeviceObject; 291 PDEVICE_OBJECT DiskDeviceObject; 292 PFLT_VOLUME FrameZeroVolume; 293 PFLT_VOLUME VolumeInNextFrame; 294 PFLTP_FRAME Frame; 295 UNICODE_STRING DeviceName; 296 UNICODE_STRING GuidName; 297 UNICODE_STRING CDODeviceName; 298 UNICODE_STRING CDODriverName; 299 FLT_RESOURCE_LIST_HEAD InstanceList; 300 CALLBACK_CTRL Callbacks; 301 EX_PUSH_LOCK ContextLock; 302 CONTEXT_LIST_CTRL VolumeContexts; 303 FLT_RESOURCE_LIST_HEAD StreamListCtrls; 304 FLT_RESOURCE_LIST_HEAD FileListCtrls; 305 NAME_CACHE_VOLUME_CTRL NameCacheCtrl; 306 ERESOURCE MountNotifyLock; 307 ULONG TargetedOpenActiveCount; 308 EX_PUSH_LOCK TxVolContextListLock; 309 TREE_ROOT TxVolContexts; 310 311 } FLT_VOLUME, *PFLT_VOLUME; 312 313 314 315 VOID 316 FltpExInitializeRundownProtection( 317 _Out_ PEX_RUNDOWN_REF RundownRef 318 ); 319 320 BOOLEAN 321 FltpExAcquireRundownProtection( 322 _Inout_ PEX_RUNDOWN_REF RundownRef 323 ); 324 325 BOOLEAN 326 FltpExReleaseRundownProtection( 327 _Inout_ PEX_RUNDOWN_REF RundownRef 328 ); 329 330 NTSTATUS 331 NTAPI 332 FltpObjectRundownWait( 333 _Inout_ PEX_RUNDOWN_REF RundownRef 334 ); 335 336 BOOLEAN 337 FltpExRundownCompleted( 338 _Inout_ PEX_RUNDOWN_REF RundownRef 339 ); 340 341 342 NTSTATUS 343 FltpGetBaseDeviceObjectName( 344 _In_ PDEVICE_OBJECT DeviceObject, 345 _Inout_ PUNICODE_STRING ObjectName 346 ); 347 348 NTSTATUS 349 FltpGetObjectName( 350 _In_ PVOID Object, 351 _Inout_ PUNICODE_STRING ObjectName 352 ); 353 354 ULONG 355 FltpObjectPointerReference( 356 _In_ PFLT_OBJECT Object 357 ); 358 359 VOID 360 FltpObjectPointerDereference( 361 _In_ PFLT_OBJECT Object 362 ); 363 364 NTSTATUS 365 FltpReallocateUnicodeString( 366 _In_ PUNICODE_STRING String, 367 _In_ SIZE_T NewLength, 368 _In_ BOOLEAN CopyExisting 369 ); 370 371 VOID 372 FltpFreeUnicodeString( 373 _In_ PUNICODE_STRING String 374 ); 375 376 377 378 NTSTATUS 379 FltpDeviceControlHandler( 380 _In_ PDEVICE_OBJECT DeviceObject, 381 _Inout_ PIRP Irp 382 ); 383 384 NTSTATUS 385 FltpDispatchHandler( 386 _In_ PDEVICE_OBJECT DeviceObject, 387 _Inout_ PIRP Irp 388 ); 389 390 391 392 #endif /* _FLTMGR_INTERNAL_H */ 393