1 #ifndef _FLTMGR_INTERNAL_H 2 #define _FLTMGR_INTERNAL_H 3 4 5 #define MAX_CONTEXT_TYPES 6 6 7 8 typedef enum _FLT_OBJECT_FLAGS 9 { 10 FLT_OBFL_DRAINING = 1, 11 FLT_OBFL_ZOMBIED = 2, 12 FLT_OBFL_TYPE_INSTANCE = 0x1000000, 13 FLT_OBFL_TYPE_FILTER = 0x2000000, 14 FLT_OBFL_TYPE_VOLUME = 0x4000000 15 16 } FLT_OBJECT_FLAGS, *PFLT_OBJECT_FLAGS; 17 18 typedef enum _FLT_FILTER_FLAGS 19 { 20 FLTFL_MANDATORY_UNLOAD_IN_PROGRESS = 1, 21 FLTFL_FILTERING_INITIATED = 2 22 23 } FLT_FILTER_FLAGS, *PFLT_FILTER_FLAGS; 24 25 typedef struct _FLT_OBJECT // size = 0x14 26 { 27 volatile FLT_OBJECT_FLAGS Flags; 28 ULONG PointerCount; 29 EX_RUNDOWN_REF RundownRef; 30 LIST_ENTRY PrimaryLink; 31 32 } FLT_OBJECT, *PFLT_OBJECT; 33 34 typedef struct _ALLOCATE_CONTEXT_HEADER 35 { 36 PFLT_FILTER Filter; 37 PFLT_CONTEXT_CLEANUP_CALLBACK ContextCleanupCallback; 38 struct _ALLOCATE_CONTEXT_HEADER *Next; 39 FLT_CONTEXT_TYPE ContextType; 40 char Flags; 41 char AllocationType; 42 43 } ALLOCATE_CONTEXT_HEADER, *PALLOCATE_CONTEXT_HEADER; 44 45 typedef struct _FLT_RESOURCE_LIST_HEAD 46 { 47 ERESOURCE rLock; 48 LIST_ENTRY rList; 49 ULONG rCount; 50 51 } FLT_RESOURCE_LIST_HEAD, *PFLT_RESOURCE_LIST_HEAD; 52 53 typedef struct _FLT_MUTEX_LIST_HEAD 54 { 55 FAST_MUTEX mLock; 56 LIST_ENTRY mList; 57 ULONG mCount; 58 59 } FLT_MUTEX_LIST_HEAD, *PFLT_MUTEX_LIST_HEAD; 60 61 typedef struct _FLT_FILTER // size = 0x120 62 { 63 FLT_OBJECT Base; 64 PVOID Frame; //FLTP_FRAME 65 UNICODE_STRING Name; 66 UNICODE_STRING DefaultAltitude; 67 FLT_FILTER_FLAGS Flags; 68 PDRIVER_OBJECT DriverObject; 69 FLT_RESOURCE_LIST_HEAD InstanceList; 70 PVOID VerifierExtension; 71 PFLT_FILTER_UNLOAD_CALLBACK FilterUnload; 72 PFLT_INSTANCE_SETUP_CALLBACK InstanceSetup; 73 PFLT_INSTANCE_QUERY_TEARDOWN_CALLBACK InstanceQueryTeardown; 74 PFLT_INSTANCE_TEARDOWN_CALLBACK InstanceTeardownStart; 75 PFLT_INSTANCE_TEARDOWN_CALLBACK InstanceTeardownComplete; 76 PALLOCATE_CONTEXT_HEADER SupportedContextsListHead; 77 PALLOCATE_CONTEXT_HEADER SupportedContexts[MAX_CONTEXT_TYPES]; 78 PVOID PreVolumeMount; 79 PVOID PostVolumeMount; 80 PFLT_GENERATE_FILE_NAME GenerateFileName; 81 PFLT_NORMALIZE_NAME_COMPONENT NormalizeNameComponent; 82 PFLT_NORMALIZE_CONTEXT_CLEANUP NormalizeContextCleanup; 83 PFLT_OPERATION_REGISTRATION Operations; 84 PFLT_FILTER_UNLOAD_CALLBACK OldDriverUnload; 85 FLT_MUTEX_LIST_HEAD ActiveOpens; 86 FLT_MUTEX_LIST_HEAD ConnectionList; 87 FLT_MUTEX_LIST_HEAD PortList; 88 EX_PUSH_LOCK PortLock; 89 90 } FLT_FILTER, *PFLT_FILTER; 91 92 typedef enum _FLT_yINSTANCE_FLAGS 93 { 94 INSFL_CAN_BE_DETACHED = 0x01, 95 INSFL_DELETING = 0x02, 96 INSFL_INITING = 0x04 97 98 } FLT_INSTANCE_FLAGS, *PFLT_INSTANCE_FLAGS; 99 100 typedef struct _FLT_TYPE 101 { 102 USHORT Signature; 103 USHORT Size; 104 105 } FLT_TYPE, *PFLT_TYPE; 106 107 typedef struct _FLT_INSTANCE // size = 0x144 (324) 108 { 109 FLT_OBJECT Base; 110 ULONG OperationRundownRef; 111 PVOID Volume; //PFLT_VOLUME 112 PFLT_FILTER Filter; 113 FLT_INSTANCE_FLAGS Flags; 114 UNICODE_STRING Altitude; 115 UNICODE_STRING Name; 116 LIST_ENTRY FilterLink; 117 ERESOURCE ContextLock; 118 PVOID Context; //PCONTEXT_NODE 119 PVOID TrackCompletionNodes; //PRACK_COMPLETION_NODES 120 PVOID CallbackNodes[50]; //PCALLBACK_NODE 121 122 } FLT_INSTANCE, *PFLT_INSTANCE; 123 124 // http://fsfilters.blogspot.co.uk/2010/02/filter-manager-concepts-part-1.html 125 typedef struct _FLTP_FRAME 126 { 127 FLT_TYPE Type; 128 LIST_ENTRY Links; 129 unsigned int FrameID; 130 ERESOURCE AltitudeLock; 131 UNICODE_STRING AltitudeIntervalLow; 132 UNICODE_STRING AltitudeIntervalHigh; 133 char LargeIrpCtrlStackSize; 134 char SmallIrpCtrlStackSize; 135 FLT_RESOURCE_LIST_HEAD RegisteredFilters; 136 FLT_RESOURCE_LIST_HEAD AttachedVolumes; 137 LIST_ENTRY MountingVolumes; 138 FLT_MUTEX_LIST_HEAD AttachedFileSystems; 139 FLT_MUTEX_LIST_HEAD ZombiedFltObjectContexts; 140 ERESOURCE FilterUnloadLock; 141 FAST_MUTEX DeviceObjectAttachLock; 142 //FLT_PRCB *Prcb; 143 void *PrcbPoolToFree; 144 void *LookasidePoolToFree; 145 //FLTP_IRPCTRL_STACK_PROFILER IrpCtrlStackProfiler; 146 NPAGED_LOOKASIDE_LIST SmallIrpCtrlLookasideList; 147 NPAGED_LOOKASIDE_LIST LargeIrpCtrlLookasideList; 148 //STATIC_IRP_CONTROL GlobalSIC; 149 150 } FLTP_FRAME, *PFLTP_FRAME; 151 152 153 // http://fsfilters.blogspot.co.uk/2010/02/filter-manager-concepts-part-6.html 154 typedef struct _STREAM_LIST_CTRL // size = 0xC8 (200) 155 { 156 FLT_TYPE Type; 157 FSRTL_PER_STREAM_CONTEXT ContextCtrl; 158 LIST_ENTRY VolumeLink; 159 //STREAM_LIST_CTRL_FLAGS Flags; 160 int UseCount; 161 ERESOURCE ContextLock; 162 //CONTEXT_LIST_CTRL StreamContexts; 163 //CONTEXT_LIST_CTRL StreamHandleContexts; 164 ERESOURCE NameCacheLock; 165 LARGE_INTEGER LastRenameCompleted; 166 //NAME_CACHE_LIST_CTRL NormalizedNameCache; 167 // NAME_CACHE_LIST_CTRL ShortNameCache; 168 // NAME_CACHE_LIST_CTRL OpenedNameCache; 169 int AllNameContextsTemporary; 170 171 } STREAM_LIST_CTRL, *PSTREAM_LIST_CTRL; 172 173 174 typedef struct _FLT_SERVER_PORT_OBJECT 175 { 176 LIST_ENTRY FilterLink; 177 PFLT_CONNECT_NOTIFY ConnectNotify; 178 PFLT_DISCONNECT_NOTIFY DisconnectNotify; 179 PFLT_MESSAGE_NOTIFY MessageNotify; 180 PFLT_FILTER Filter; 181 PVOID Cookie; 182 ULONG Flags; 183 LONG NumberOfConnections; 184 LONG MaxConnections; 185 186 } FLT_SERVER_PORT_OBJECT, *PFLT_SERVER_PORT_OBJECT; 187 188 189 typedef struct _FLT_PORT_OBJECT 190 { 191 LIST_ENTRY FilterLink; 192 PFLT_SERVER_PORT_OBJECT ServerPort; 193 PVOID Cookie; 194 EX_RUNDOWN_REF MsgNotifRundownRef; 195 FAST_MUTEX Lock; 196 PVOID MsgQ; // FLT_MESSAGE_WAITER_QUEUE MsgQ; 197 ULONGLONG MessageId; 198 KEVENT DisconnectEvent; 199 BOOLEAN Disconnected; 200 201 } FLT_PORT_OBJECT, *PFLT_PORT_OBJECT; 202 203 204 205 206 207 VOID 208 FltpExInitializeRundownProtection( 209 _Out_ PEX_RUNDOWN_REF RundownRef 210 ); 211 212 BOOLEAN 213 FltpExAcquireRundownProtection( 214 _Inout_ PEX_RUNDOWN_REF RundownRef 215 ); 216 217 BOOLEAN 218 FltpExReleaseRundownProtection( 219 _Inout_ PEX_RUNDOWN_REF RundownRef 220 ); 221 222 NTSTATUS 223 NTAPI 224 FltpObjectRundownWait( 225 _Inout_ PEX_RUNDOWN_REF RundownRef 226 ); 227 228 BOOLEAN 229 FltpExRundownCompleted( 230 _Inout_ PEX_RUNDOWN_REF RundownRef 231 ); 232 233 234 NTSTATUS 235 FltpGetBaseDeviceObjectName( 236 _In_ PDEVICE_OBJECT DeviceObject, 237 _Inout_ PUNICODE_STRING ObjectName 238 ); 239 240 NTSTATUS 241 FltpGetObjectName( 242 _In_ PVOID Object, 243 _Inout_ PUNICODE_STRING ObjectName 244 ); 245 246 ULONG 247 FltpObjectPointerReference( 248 _In_ PFLT_OBJECT Object 249 ); 250 251 VOID 252 FltpObjectPointerDereference( 253 _In_ PFLT_OBJECT Object 254 ); 255 256 NTSTATUS 257 FltpReallocateUnicodeString( 258 _In_ PUNICODE_STRING String, 259 _In_ SIZE_T NewLength, 260 _In_ BOOLEAN CopyExisting 261 ); 262 263 VOID 264 FltpFreeUnicodeString( 265 _In_ PUNICODE_STRING String 266 ); 267 268 269 270 NTSTATUS 271 FltpDeviceControlHandler( 272 _In_ PDEVICE_OBJECT DeviceObject, 273 _Inout_ PIRP Irp 274 ); 275 276 NTSTATUS 277 FltpDispatchHandler( 278 _In_ PDEVICE_OBJECT DeviceObject, 279 _Inout_ PIRP Irp 280 ); 281 282 283 284 #endif /* _FLTMGR_INTERNAL_H */ 285