www.pudn.com > Ó²Å̵ļà¿Ø.rar > fspyKern.h
/*++
Copyright (c) 1989-1999 Microsoft Corporation
Module Name:
filespyKernel.h
Abstract:
Header file which contains the structures, type definitions,
constants, global variables and function prototypes that are
only visible within the kernel.
Author:
Environment:
Kernel mode
Revision History:
--*/
#ifndef __FSPYKERN_H__
#define __FSPYKERN_H__
// #undef DBG
// #define DBG 1 //do not force debug on
#if DBG
#define DBGSTATIC
#undef ASSERTMSG
#define ASSERTMSG(msg,exp) \
if (!(exp)) { \
extern PBOOLEAN KdDebuggerEnabled; \
DbgPrint("%s:%d %s %s\n",__FILE__,__LINE__,msg,#exp); \
if (*KdDebuggerEnabled) { \
DbgBreakPoint(); \
} \
}
#undef ASSERT
#define ASSERT(exp) \
((!(exp)) ? \
DbgPrint("%s:%d %s\n",__FILE__,__LINE__,#exp),DbgBreakPoint(),FALSE : \
TRUE)
#else
#define DBGSTATIC // static
#undef ASSERTMSG
#define ASSERTMSG(msg,exp) ((void)0)
#undef ASSERT
#define ASSERT(exp) (TRUE)
#endif // DBG
#define MSFM_TAG 'YPSF' // memory allocation tag value
#define USE_LOOKASIDE_LIST 0 // do NOT use look aside lists (use Allocate Pool)
#ifndef INVALID_HANDLE_VALUE
#define INVALID_HANDLE_VALUE (HANDLE) -1
#endif
#define HASH_SIZE 128 // MUST be a power of 2
#define HASH_FUNC(FileObject) \
(((UINT_PTR)(FileObject) >> 8) & (HASH_SIZE - 1))
typedef struct _HASH_ENTRY {
LIST_ENTRY List;
PFILE_OBJECT FileObject;
UNICODE_STRING Name;
} HASH_ENTRY, *PHASH_ENTRY;
//
// Define the device extension structure that the FileSpy driver
// adds to each device object it is attached to. It stores
// the context FileSpy needs to perform its logging operations on
// a device.
//
typedef struct _DEVICE_EXTENSION {
CSHORT Type;
CSHORT Size;
PDEVICE_OBJECT NextDriverDeviceObject; // device object we are attached to
BOOLEAN LogThisDevice;
LIST_ENTRY NextDevice; // linked list of devices we are
// attached to
UNICODE_STRING DeviceName; // receives name of device
WCHAR NameBuffer[DEVICE_NAME_SZ]; // holds actual device name
} DEVICE_EXTENSION, *PDEVICE_EXTENSION;
typedef enum _CONTROL_DEVICE_STATE {
OPENED,
CLOSED,
CLEANING_UP
} CONTROL_DEVICE_STATE;
//---------------------------------------------------------------------------
// Global variables
//---------------------------------------------------------------------------
extern FAST_MUTEX gSpyDeviceExtensionListLock;
extern LIST_ENTRY gSpyDeviceExtensionList;
extern KSPIN_LOCK gOutputBufferLock;
extern LIST_ENTRY gOutputBufferList;
extern NPAGED_LOOKASIDE_LIST gFreeBufferList;
extern ULONG gLogSequenceNumber;
extern KSPIN_LOCK gLogSequenceLock;
extern CONTROL_DEVICE_STATE gControlDeviceState;
extern KSPIN_LOCK gControlDeviceStateLock;
extern UNICODE_STRING gVolumeString;
extern UNICODE_STRING gOverrunString;
extern UNICODE_STRING gPagingIoString;
extern LIST_ENTRY gHashTable[HASH_SIZE];
extern KSPIN_LOCK gHashLockTable[HASH_SIZE];
extern ULONG gHashMaxCounters[HASH_SIZE];
extern ULONG gHashCurrentCounters[HASH_SIZE];
extern HASH_STATISTICS gHashStat;
#define DEFAULT_MAX_RECORDS_TO_ALLOCATE 100;
#define DEFAULT_MAX_NAMES_TO_ALLOCATE 100;
#define MAX_RECORDS_TO_ALLOCATE L"MaxRecords"
#define MAX_NAMES_TO_ALLOCATE L"MaxNames"
#define ATTACH_TO L"Attach" // multi-sz containing drives to attach to at reinit time
#define ATTACH_BUFFER_SIZE 512
extern LONG gMaxRecordsToAllocate;
extern LONG gRecordsAllocated;
extern LONG gMaxNamesToAllocate;
extern LONG gNamesAllocated;
extern LONG gStaticBufferInUse;
extern CHAR gOutOfMemoryBuffer[RECORD_SIZE];
#define MINIMUM(a, b) ((a) < (b) ? (a) : (b))
#define MAXIMUM(a, b) ((a) > (b) ? (a) : (b))
// Returns the number of BYTES unused in the RECORD_LIST structure
#define REMAINING_NAME_SPACE(RecordList) \
(USHORT)(RECORD_SIZE - \
(((RecordList)->LogRecord.Length) + sizeof(LIST_ENTRY)))
// The maximum number of BYTES that can be used to store the file name in the
// RECORD_LIST structure
#define MAX_NAME_SPACE (RECORD_SIZE - sizeof(RECORD_LIST))
//
// Define driver entry routine.
//
NTSTATUS
DriverEntry(
IN PDRIVER_OBJECT DriverObject,
IN PUNICODE_STRING RegistryPath
);
#ifdef SPY_BOOT_DRIVER
VOID
SpyReinitDriver(
PDRIVER_OBJECT DriverObject,
PVOID Context,
ULONG Count
);
#endif
/***********************************************************
Prototypes for the routines this driver uses to filter
the data that is being seen by the file systems.
Implementation in FileSpy.c
************************************************************/
DBGSTATIC
NTSTATUS
SpyDispatch(
IN PDEVICE_OBJECT DeviceObject,
IN PIRP Irp
);
DBGSTATIC
NTSTATUS
SpyPassThrough(
IN PDEVICE_OBJECT DeviceObject,
IN PIRP Irp
);
DBGSTATIC
NTSTATUS
SpyPassThroughCompletion(
IN PDEVICE_OBJECT DeviceObject,
IN PIRP Irp,
IN PVOID Context
);
DBGSTATIC
NTSTATUS
SpyCreate(
IN PDEVICE_OBJECT DeviceObject,
IN PIRP Irp
);
DBGSTATIC
BOOLEAN
SpyFastIoCheckIfPossible(
IN PFILE_OBJECT FileObject,
IN PLARGE_INTEGER FileOffset,
IN ULONG Length,
IN BOOLEAN Wait,
IN ULONG LockKey,
IN BOOLEAN CheckForReadOperation,
OUT PIO_STATUS_BLOCK IoStatus,
IN PDEVICE_OBJECT DeviceObject
);
DBGSTATIC
BOOLEAN
SpyFastIoRead(
IN PFILE_OBJECT FileObject,
IN PLARGE_INTEGER FileOffset,
IN ULONG Length,
IN BOOLEAN Wait,
IN ULONG LockKey,
OUT PVOID Buffer,
OUT PIO_STATUS_BLOCK IoStatus,
IN PDEVICE_OBJECT DeviceObject
);
DBGSTATIC
BOOLEAN
SpyFastIoWrite(
IN PFILE_OBJECT FileObject,
IN PLARGE_INTEGER FileOffset,
IN ULONG Length,
IN BOOLEAN Wait,
IN ULONG LockKey,
IN PVOID Buffer,
OUT PIO_STATUS_BLOCK IoStatus,
IN PDEVICE_OBJECT DeviceObject
);
DBGSTATIC
BOOLEAN
SpyFastIoQueryBasicInfo(
IN PFILE_OBJECT FileObject,
IN BOOLEAN Wait,
OUT PFILE_BASIC_INFORMATION Buffer,
OUT PIO_STATUS_BLOCK IoStatus,
IN PDEVICE_OBJECT DeviceObject
);
DBGSTATIC
BOOLEAN
SpyFastIoQueryStandardInfo(
IN PFILE_OBJECT FileObject,
IN BOOLEAN Wait,
OUT PFILE_STANDARD_INFORMATION Buffer,
OUT PIO_STATUS_BLOCK IoStatus,
IN PDEVICE_OBJECT DeviceObject
);
DBGSTATIC
BOOLEAN
SpyFastIoLock(
IN PFILE_OBJECT FileObject,
IN PLARGE_INTEGER FileOffset,
IN PLARGE_INTEGER Length,
PEPROCESS ProcessId,
ULONG Key,
BOOLEAN FailImmediately,
BOOLEAN ExclusiveLock,
OUT PIO_STATUS_BLOCK IoStatus,
IN PDEVICE_OBJECT DeviceObject
);
DBGSTATIC
BOOLEAN
SpyFastIoUnlockSingle(
IN PFILE_OBJECT FileObject,
IN PLARGE_INTEGER FileOffset,
IN PLARGE_INTEGER Length,
PEPROCESS ProcessId,
ULONG Key,
OUT PIO_STATUS_BLOCK IoStatus,
IN PDEVICE_OBJECT DeviceObject
);
DBGSTATIC
BOOLEAN
SpyFastIoUnlockAll(
IN PFILE_OBJECT FileObject,
PEPROCESS ProcessId,
OUT PIO_STATUS_BLOCK IoStatus,
IN PDEVICE_OBJECT DeviceObject
);
DBGSTATIC
BOOLEAN
SpyFastIoUnlockAllByKey(
IN PFILE_OBJECT FileObject,
PVOID ProcessId,
ULONG Key,
OUT PIO_STATUS_BLOCK IoStatus,
IN PDEVICE_OBJECT DeviceObject
);
DBGSTATIC
BOOLEAN
SpyFastIoDeviceControl(
IN PFILE_OBJECT FileObject,
IN BOOLEAN Wait,
IN PVOID InputBuffer OPTIONAL,
IN ULONG InputBufferLength,
OUT PVOID OutputBuffer OPTIONAL,
IN ULONG OutputBufferLength,
IN ULONG IoControlCode,
OUT PIO_STATUS_BLOCK IoStatus,
IN PDEVICE_OBJECT DeviceObject
);
DBGSTATIC
VOID
SpyFastIoDetachDevice(
IN PDEVICE_OBJECT SourceDevice,
IN PDEVICE_OBJECT TargetDevice
);
DBGSTATIC
BOOLEAN
SpyFastIoQueryNetworkOpenInfo(
IN PFILE_OBJECT FileObject,
IN BOOLEAN Wait,
OUT PFILE_NETWORK_OPEN_INFORMATION Buffer,
OUT PIO_STATUS_BLOCK IoStatus,
IN PDEVICE_OBJECT DeviceObject
);
DBGSTATIC
NTSTATUS
SpyFastIoAcquireForModWrite(
IN PFILE_OBJECT FileObject,
IN PLARGE_INTEGER EndingOffset,
OUT PERESOURCE *ResourceToRelease,
IN PDEVICE_OBJECT DeviceObject
);
DBGSTATIC
BOOLEAN
SpyFastIoMdlRead(
IN PFILE_OBJECT FileObject,
IN PLARGE_INTEGER FileOffset,
IN ULONG Length,
IN ULONG LockKey,
OUT PMDL *MdlChain,
OUT PIO_STATUS_BLOCK IoStatus,
IN PDEVICE_OBJECT DeviceObject
);
DBGSTATIC
BOOLEAN
SpyFastIoMdlReadComplete(
IN PFILE_OBJECT FileObject,
IN PMDL MdlChain,
IN PDEVICE_OBJECT DeviceObject
);
DBGSTATIC
BOOLEAN
SpyFastIoPrepareMdlWrite(
IN PFILE_OBJECT FileObject,
IN PLARGE_INTEGER FileOffset,
IN ULONG Length,
IN ULONG LockKey,
OUT PMDL *MdlChain,
OUT PIO_STATUS_BLOCK IoStatus,
IN PDEVICE_OBJECT DeviceObject
);
DBGSTATIC
BOOLEAN
SpyFastIoMdlWriteComplete(
IN PFILE_OBJECT FileObject,
IN PLARGE_INTEGER FileOffset,
IN PMDL MdlChain,
IN PDEVICE_OBJECT DeviceObject
);
DBGSTATIC
BOOLEAN
SpyFastIoReadCompressed(
IN PFILE_OBJECT FileObject,
IN PLARGE_INTEGER FileOffset,
IN ULONG Length,
IN ULONG LockKey,
OUT PVOID Buffer,
OUT PMDL *MdlChain,
OUT PIO_STATUS_BLOCK IoStatus,
OUT struct _COMPRESSED_DATA_INFO *CompressedDataInfo,
IN ULONG CompressedDataInfoLength,
IN PDEVICE_OBJECT DeviceObject
);
DBGSTATIC
BOOLEAN
SpyFastIoWriteCompressed(
IN PFILE_OBJECT FileObject,
IN PLARGE_INTEGER FileOffset,
IN ULONG Length,
IN ULONG LockKey,
IN PVOID Buffer,
OUT PMDL *MdlChain,
OUT PIO_STATUS_BLOCK IoStatus,
IN struct _COMPRESSED_DATA_INFO *CompressedDataInfo,
IN ULONG CompressedDataInfoLength,
IN PDEVICE_OBJECT DeviceObject
);
DBGSTATIC
BOOLEAN
SpyFastIoMdlReadCompleteCompressed(
IN PFILE_OBJECT FileObject,
IN PMDL MdlChain,
IN PDEVICE_OBJECT DeviceObject
);
DBGSTATIC
BOOLEAN
SpyFastIoMdlWriteCompleteCompressed(
IN PFILE_OBJECT FileObject,
IN PLARGE_INTEGER FileOffset,
IN PMDL MdlChain,
IN PDEVICE_OBJECT DeviceObject
);
DBGSTATIC
BOOLEAN
SpyFastIoQueryOpen(
IN PIRP Irp,
OUT PFILE_NETWORK_OPEN_INFORMATION NetworkInformation,
IN PDEVICE_OBJECT DeviceObject
);
DBGSTATIC
NTSTATUS
SpyFastIoReleaseForModWrite(
IN PFILE_OBJECT FileObject,
IN PERESOURCE ResourceToRelease,
IN PDEVICE_OBJECT DeviceObject
);
DBGSTATIC
NTSTATUS
SpyFastIoAcquireForCcFlush(
IN PFILE_OBJECT FileObject,
IN PDEVICE_OBJECT DeviceObject
);
DBGSTATIC
NTSTATUS
SpyFastIoReleaseForCcFlush(
IN PFILE_OBJECT FileObject,
IN PDEVICE_OBJECT DeviceObject
);
/***********************************************
Memory allocation routines
Implementation in msfmlib.c
***********************************************/
DBGSTATIC
PVOID
SpyAllocateBuffer(
IN OUT PLONG Counter,
IN LONG MaxCounterValue,
OUT PULONG RecordType
);
DBGSTATIC
VOID
SpyFreeBuffer(
PVOID Buffer,
PLONG Counter
);
/***********************************************
Logging routines
Implementation in msfmlib.c
***********************************************/
DBGSTATIC
PRECORD_LIST
SpyNewRecord(
ULONG AssignedSequenceNumber
);
DBGSTATIC
VOID
SpyFreeRecord(
PRECORD_LIST Record
);
DBGSTATIC
VOID
SpyLogIrp(
IN PIRP Irp,
IN UCHAR LoggingFlags,
OUT PRECORD_LIST RecordList
);
DBGSTATIC
PRECORD_LIST
SpyLogFastIoStart(
IN FASTIO_TYPE FastIoType,
IN UCHAR LoggingFlags,
IN PFILE_OBJECT FileObject,
IN PLARGE_INTEGER FileOffset,
IN ULONG Length,
IN BOOLEAN Wait
);
DBGSTATIC
VOID
SpyLogFastIoComplete(
IN UCHAR LoggingFlags,
IN PFILE_OBJECT FileObject,
IN PIO_STATUS_BLOCK ReturnStatus,
IN PRECORD_LIST RecordList
);
DBGSTATIC
NTSTATUS
SpyLog(
IN PRECORD_LIST NewRecord
);
DBGSTATIC
USHORT
SpyGetFullPathName(
IN PFILE_OBJECT FileObject,
IN PCHAR FileName,
IN USHORT Length,
IN PUNICODE_STRING VolumeName,
IN ULONG LookupFlags
);
DBGSTATIC
VOID
SpyNameDelete(
IN PFILE_OBJECT FileObject
);
DBGSTATIC
USHORT
SpyNameLookup(
IN PRECORD_LIST RecordList,
IN PFILE_OBJECT FileObject,
IN ULONG LookupFlags,
IN PUNICODE_STRING VolumeName
);
/***********************************************
FileName cache routines
Implementation in msfmlib.c
***********************************************/
DBGSTATIC
PHASH_ENTRY
SpyHashBucketLookup(
PLIST_ENTRY ListHead,
PFILE_OBJECT FileObject
);
DBGSTATIC
VOID
SpyNameDeleteAllNames(
VOID
);
/***********************************************
Library support routines
Implementation in msfmlib.c
***********************************************/
DBGSTATIC
VOID
SpyReadDriverParameters(
IN PUNICODE_STRING RegistryPath,
IN PDRIVER_OBJECT DriverObject
);
NTSTATUS
SpyAttachDevice(
PDEVICE_OBJECT DeviceObject,
PWSTR DeviceName
);
NTSTATUS
SpyDetachDevice(
PWSTR deviceName
);
NTSTATUS
SpyGetAttachList(
PVOID buffer,
ULONG bufferSize,
PULONG_PTR returnLength
);
VOID
SpyGetLog(
OUT PVOID OutputBuffer,
IN ULONG OutputBufferLength,
OUT PIO_STATUS_BLOCK IoStatus
);
DBGSTATIC
VOID
SpyCloseControlDevice(
);
#endif /* __MFKRNL_H__ */