Windows driver: pre-operation callback not called
I'm trying to create a basic minifilter driver using the Microsoft samples (passthrough, minispy…), but my MfPreOperationCallback is not being called. I tried different contexts (even though I'm not sure how that works…). I tried the PassThrough sample, which works perfectly and is very similar to my code. Here are my inf file and code:
;
; KmdfMiniFilter.inf
;
[Version]
Signature = "$WINDOWS NT$"
Class = "ActivityMonitor"
ClassGuid = {b86dff51-a31e-4bac-b3cf-e8cfe75c9fc2}
Provider = %ProviderString%
DriverVer = 02/09/2017,1.0.0.0
CatalogFile = KmdfMiniFilter.cat
[DestinationDirs]
DefaultDestDir = 12
KmdfMiniFilter.DriverFiles = 12
[DefaultInstall]
OptionDesc = %ServiceDescription%
CopyFiles = KmdfMiniFilter.DriverFiles
[DefaultInstall.Services]
AddService = %ServiceName%,,KmdfMiniFilter.Service
[DefaultUninstall]
DelFiles = KmdfMiniFilter.DriverFiles
[DefaultUninstall.Services]
DelService = %ServiceName%,0x200
[KmdfMiniFilter.Service]
DisplayName = %ServiceName%
Description = %ServiceDescription%
ServiceBinary = %12%\%DriverName%.sys
Dependencies = "FltMgr"
ServiceType = 2 ; SERVICE_FILE_SYSTEM_DRIVER
StartType = 3 ; SERVICE_DEMAND_START
ErrorControl = 1 ; SERVICE_ERROR_NORMAL
LoadOrderGroup = "FSFilter Activity Monitor"
AddReg = KmdfMiniFilter.AddRegistry
[KmdfMiniFilter.AddRegistry]
HKR,,"DebugFlags",0x00010001 ,0x0
HKR,,"SupportedFeatures",0x00010001,0x3
HKR,"Instances","DefaultInstance",0x00000000,%DefaultInstance%
HKR,"Instances\"%Instance1.Name%,"Altitude",0x00000000,%Instance1.Altitude%
HKR,"Instances\"%Instance1.Name%,"Flags",0x00010001,%Instance1.Flags%
[KmdfMiniFilter.DriverFiles]
%DriverName%.sys
[SourceDisksFiles]
KmdfMiniFilter.sys = 1,,
[SourceDisksNames]
1 = %DiskId1%,,,
[Strings]
ProviderString = "GUIDONO"
ServiceDescription = "KmdfMiniFilter mini-filter driver"
ServiceName = "KmdfMiniFilter"
DriverName = "KmdfMiniFilter"
DiskId1 = "File Change Monitoring Device Installation Disk"
DefaultInstance = "KmdfMiniFilter Instance"
Instance1.Name = "KmdfMiniFilter Middle Instance"
Instance1.Altitude = "370000"
Instance1.Flags = 0x1 ; Suppress automatic attachments
Registration
/**
    Filter registration information
*/
#pragma once
#include <fltKernel.h>
#include "MiniFilter.h"

// Callbacks : list of FLT_OPERATION_REGISTRATION structures, one for each type of I/O for which the minifilter
// registers preoperation and postoperation callback routines.
// The last element must be IRP_MJ_OPERATION_END
CONST FLT_OPERATION_REGISTRATION Callbacks[] =
{
    {
        IRP_MJ_CREATE,
        0,
        MfPreOperationCallback,
        MfPostOperationCallback
    },
    { IRP_MJ_OPERATION_END }
};

// Defines the minifilter context structure
typedef struct _MINIFILTER_TRANSACTION_CONTEXT {
    ULONG Flags;
    ULONG Count;
} MINIFILTER_TRANSACTION_CONTEXT, *PMINIFILTER_CONTEXT;

// Contexts : a context structure is used to register context types
const FLT_CONTEXT_REGISTRATION Contexts[] =
{
    {
        FLT_TRANSACTION_CONTEXT,                // Context type
        0,                                      // Flags
        MfDeleteTxfContext,                     // ContextCleanupCallback
        sizeof(MINIFILTER_TRANSACTION_CONTEXT), // Size
        'ypsM'                                  // PoolTag
    },
    {
        FLT_CONTEXT_END
    }
};

// This defines what we want to filter with FltMgr
CONST FLT_REGISTRATION FilterRegistration =
{
    sizeof(FLT_REGISTRATION),   // Size
    FLT_REGISTRATION_VERSION,   // Version
    0,                          // Flags
    Contexts,                   // Contexts
    Callbacks,                  // Callbacks
    MfUnload,                   // FilterUnload
    MfInstanceSetup,            // InstanceSetup
    MfInstanceQueryTeardown,    // InstanceQueryTeardown
    MfInstanceTeardownStart,    // InstanceTeardownStart
    MfInstanceTeardownComplete, // InstanceTeardownComplete
    NULL,                       // GenerateFileName
    NULL,                       // GenerateDestinationFileName
    NULL,                       // NormalizeNameComponent
};

#pragma once
#include <fltKernel.h>

typedef struct MINIFILTER_DATA {
    PDRIVER_OBJECT Driver;
    PFLT_FILTER Filter;
} MINIFILTER_DATA;

FLT_PREOP_CALLBACK_STATUS MfPreOperationCallback(
    _Inout_ PFLT_CALLBACK_DATA Data,
    _In_ PCFLT_RELATED_OBJECTS FltObjects,
    _Flt_CompletionContext_Outptr_ PVOID *CompletionContext
);

FLT_POSTOP_CALLBACK_STATUS MfPostOperationCallback(
    _Inout_ PFLT_CALLBACK_DATA Data,
    _In_ PCFLT_RELATED_OBJECTS FltObjects,
    _In_ PVOID CompletionContext,
    _In_ FLT_POST_OPERATION_FLAGS Flags
);

NTSTATUS MfInstanceSetup(
    _In_ PCFLT_RELATED_OBJECTS FltObjects,
    _In_ FLT_INSTANCE_SETUP_FLAGS Flags,
    _In_ DEVICE_TYPE VolumeDeviceType,
    _In_ FLT_FILESYSTEM_TYPE VolumeFilesystemType
);

NTSTATUS MfInstanceQueryTeardown (
    _In_ PCFLT_RELATED_OBJECTS FltObjects,
    _In_ FLT_INSTANCE_QUERY_TEARDOWN_FLAGS Flags
);

VOID MfInstanceTeardownStart (
    _In_ PCFLT_RELATED_OBJECTS FltObjects,
    _In_ FLT_INSTANCE_TEARDOWN_FLAGS Flags
);

VOID MfInstanceTeardownComplete (
    _In_ PCFLT_RELATED_OBJECTS FltObjects,
    _In_ FLT_INSTANCE_TEARDOWN_FLAGS Flags
);

VOID MfDeleteTxfContext(
    _Inout_ PFLT_CONTEXT Context,
    _In_ FLT_CONTEXT_TYPE ContextType
);

NTSTATUS MfUnload(
    _In_ FLT_FILTER_UNLOAD_FLAGS Flags
);

NTSTATUS MfQueryTearDown(
    _In_ PCFLT_RELATED_OBJECTS FltObjects,
    _In_ FLT_INSTANCE_QUERY_TEARDOWN_FLAGS Flags
);

NTSTATUS MfInstanceQueryTeardown(
    _In_ PCFLT_RELATED_OBJECTS FltObjects,
    _In_ FLT_INSTANCE_QUERY_TEARDOWN_FLAGS Flags
);

#include "MiniFilter.h"

FLT_PREOP_CALLBACK_STATUS MfPreOperationCallback(
    _Inout_ PFLT_CALLBACK_DATA Data,
    _In_ PCFLT_RELATED_OBJECTS FltObjects,
    _Flt_CompletionContext_Outptr_ PVOID *CompletionContext
)
{
    UNREFERENCED_PARAMETER(Data);
    UNREFERENCED_PARAMETER(FltObjects);
    UNREFERENCED_PARAMETER(CompletionContext);
    KdPrint(("MINIFILTER PreOperationCallback\n"));
    return FLT_PREOP_SUCCESS_WITH_CALLBACK;
}

FLT_POSTOP_CALLBACK_STATUS MfPostOperationCallback(
    _Inout_ PFLT_CALLBACK_DATA Data,
    _In_ PCFLT_RELATED_OBJECTS FltObjects,
    _In_ PVOID CompletionContext,
    _In_ FLT_POST_OPERATION_FLAGS Flags
)
{
    UNREFERENCED_PARAMETER(Data);
    UNREFERENCED_PARAMETER(FltObjects);
    UNREFERENCED_PARAMETER(CompletionContext);
    UNREFERENCED_PARAMETER(Flags);
    KdPrint(("MINIFILTER PostOperationCallback\n"));
    return FLT_POSTOP_FINISHED_PROCESSING;
}

VOID MfDeleteTxfContext(
    _Inout_ PFLT_CONTEXT Context,
    _In_ FLT_CONTEXT_TYPE ContextType
)
{
    UNREFERENCED_PARAMETER(Context);
    UNREFERENCED_PARAMETER(ContextType);
    KdPrint(("MINIFILTER DeleteTxfContext\n"));
}

NTSTATUS
MfInstanceSetup (
    _In_ PCFLT_RELATED_OBJECTS FltObjects,
    _In_ FLT_INSTANCE_SETUP_FLAGS Flags,
    _In_ DEVICE_TYPE VolumeDeviceType,
    _In_ FLT_FILESYSTEM_TYPE VolumeFilesystemType
)
{
    UNREFERENCED_PARAMETER( FltObjects );
    UNREFERENCED_PARAMETER( Flags );
    UNREFERENCED_PARAMETER( VolumeDeviceType );
    UNREFERENCED_PARAMETER( VolumeFilesystemType );
    PAGED_CODE();
    KdPrint(("PassThrough!PtInstanceSetup: Entered\n") );
    return STATUS_SUCCESS;
}

NTSTATUS
MfInstanceQueryTeardown (
    _In_ PCFLT_RELATED_OBJECTS FltObjects,
    _In_ FLT_INSTANCE_QUERY_TEARDOWN_FLAGS Flags
)
{
    UNREFERENCED_PARAMETER( FltObjects );
    UNREFERENCED_PARAMETER( Flags );
    PAGED_CODE();
    KdPrint(("PassThrough!PtInstanceQueryTeardown: Entered\n") );
    return STATUS_SUCCESS;
}

VOID
MfInstanceTeardownStart (
    _In_ PCFLT_RELATED_OBJECTS FltObjects,
    _In_ FLT_INSTANCE_TEARDOWN_FLAGS Flags
)
{
    UNREFERENCED_PARAMETER( FltObjects );
    UNREFERENCED_PARAMETER( Flags );
    PAGED_CODE();
    KdPrint(("PassThrough!PtInstanceTeardownStart: Entered\n") );
}

VOID
MfInstanceTeardownComplete (
    _In_ PCFLT_RELATED_OBJECTS FltObjects,
    _In_ FLT_INSTANCE_TEARDOWN_FLAGS Flags
)
{
    UNREFERENCED_PARAMETER( FltObjects );
    UNREFERENCED_PARAMETER( Flags );
    PAGED_CODE();
    KdPrint(("PassThrough!PtInstanceTeardownComplete: Entered\n") );
}

Does anyone see what's going on?

Is your driver loaded? Is FltRegisterFilter OK? Where is the error? "Does anyone see what's going on" - but what about you? Did you look at this? Did you try to look?
I have no error, and yes, my filter is loaded, and I get no error code from the startfiltering function, so I guess it is filtering... But the KdPrint in my preoperation function is not called, so I assume this callback is not being called... (I test my driver by creating a file; the PassThrough sample reacts to this event, but my filter does not!)
Is MfInstanceSetup called? Which Windows version?
Hmm, no, it isn't... Even after reading the MSDN docs, I still don't know what this function is supposed to do…
This function is called when your filter instance is attached to a volume. If it is not attached, then there are no pre/post-operation callbacks on this volume either.
So you are saying the DbgPrint from DriverEntry exists and is called OK from there, but MfInstanceSetup is not called?

I solved my problem: I had the wrong flag in my inf file. The right one is the 0x0 flag, so that the minifilter is automatically attached to the different volumes
Instance1.Flags = 0x1 ; Suppress automatic attachments
to
Instance1.Flags = 0x0 ; Automatic attachments
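
An added example (not part of the original question or answer): a small Python check that follows the %Instance1.Flags% indirection in an INF and reports which attach modes each minifilter instance allows, so a filter that loads but attaches to no volume is caught before install. SAMPLE_INF is an excerpt constructed from the question's file, the function names are this example's own, and decoding the 0x2 bit (suppress manual attachments) goes beyond the 0x1 case discussed above.

```python
import re

# Instance "Flags" bits read by Filter Manager from the Instances\<name> key
SUPPRESS_AUTOMATIC, SUPPRESS_MANUAL = 0x1, 0x2

# Constructed excerpt: the instance-related lines of the question's KmdfMiniFilter.inf
SAMPLE_INF = r'''
[KmdfMiniFilter.AddRegistry]
HKR,"Instances","DefaultInstance",0x00000000,%DefaultInstance%
HKR,"Instances\"%Instance1.Name%,"Flags",0x00010001,%Instance1.Flags%
[Strings]
DefaultInstance = "KmdfMiniFilter Instance"
Instance1.Name = "KmdfMiniFilter Middle Instance"
Instance1.Flags = 0x1 ; Suppress automatic attachments
'''

def strip_comment(line):
    """Drop an INF comment: everything from the first ';' outside double quotes."""
    quoted = False
    for i, ch in enumerate(line):
        if ch == '"':
            quoted = not quoted
        elif ch == ';' and not quoted:
            return line[:i].strip()
    return line.strip()

def instance_attachment(inf_text):
    """Map each instance name to its Flags value and the attach modes it allows."""
    section, strings, addreg = None, {}, []
    for raw in inf_text.splitlines():
        line = strip_comment(raw)
        if line.startswith('['):
            section = line.strip('[]').lower()
        elif section == 'strings' and '=' in line:
            key, value = line.split('=', 1)
            strings[key.strip().lower()] = value.strip().strip('"')
        elif line.upper().startswith('HKR'):
            addreg.append(line)  # expanded later, once [Strings] is fully read
    def expand(field):  # resolve %token% through [Strings], then drop the quotes
        field = re.sub(r'%([^%]+)%', lambda m: strings.get(m.group(1).lower(), m.group(0)), field)
        return field.replace('"', '').strip()
    report = {}
    for line in addreg:
        fields = [expand(f) for f in line.split(',')]
        if len(fields) >= 5 and fields[1].lower().startswith('instances\\') and fields[2].lower() == 'flags':
            flags = int(fields[4], 0)
            report[fields[1].split('\\', 1)[1]] = {
                'flags': flags,
                'automatic': not flags & SUPPRESS_AUTOMATIC,
                'manual': not flags & SUPPRESS_MANUAL}
    return report
```

On the question's file the report shows automatic attachment disabled for "KmdfMiniFilter Middle Instance", which matches the symptom that MfInstanceSetup and the pre-operation callback never ran.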