FilterDriverDeveloperGuide.pdf资源-CSDN文库

windows

driver

4星 · 超过85%的资源需积分: 9 173 浏览量 2008-10-09 16:10:41 上传评论收藏 182KB PDF 举报

资源推荐

资源详情

资源评论

Page 1 of 28

F I L E S Y S T E M F I L T E R M A N A G E R

Filter Driver

Development Guide

Version 1.0a

Summary

This specification includes, but is not limited to, the following topic areas:

• Description of the new 'File System Filter Manager' architecture and interfaces

• Aspects of the Windows 'Memory Manager', 'I/O Manager', and 'Cache Manager' interfaces that affect the

development of file system filters using the new File System Filter Manager architecture.

Disclaimer

The information contained in this document represents the current view of Microsoft Corporation on the issues discussed as of

the date of publication. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a

commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information presented after the date

of publication.

This White Paper is for informational purposes only. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR

STATUTORY, AS TO THE INFORMATION IN THIS DOCUMENT.

Complying with all applicable copyright laws is the responsibility of the user. Without limiting the rights under copyright, no part

of this document may be reproduced, stored in or introduced into a retrieval system, or transmitted in any form or by any

means (electronic, mechanical, photocopying, recording, or otherwise), or for any purpose, without the express written

permission of Microsoft Corporation.

Microsoft may have patents, patent applications, trademarks, copyrights, or other intellectual property rights covering subject

matter in this document. Except as expressly provided in any written license agreement from Microsoft, the furnishing of this

document does not give you any license to these patents, trademarks, copyrights, or other intellectual property.

Unless otherwise noted, the example companies, organizations, products, domain names, e-mail addresses, logos, people,

places and events depicted herein are fictitious, and no association with any real company, organization, product, domain

name, email address, logo, person, place or event is intended or should be inferred.

Microsoft, Windows, and Windows NT are either registered trademarks or trademarks of Microsoft Corporation in the United

States and/or other countries.

The names of actual companies and products mentioned herein may be the trademarks of their respective owners.

Generated by Foxit PDF Creator © Foxit Software

http://www.foxitsoftware.com For evaluation only.

Page 2 of 28

Table Of Contents

Overview................................................................................................................................... 3

Terms........................................................................................................................................ 3

Minifilter Installation ................................................................................................................ 4

Minifilter Registration ............................................................................................................... 4

Initiating filtering ..................................................................................................................... 4

Instance Notification Support ................................................................................................... 5

6.1.

Setting up an Instance ..................................................................................................... 5

6.2.

Controlling Instance Teardown .......................................................................................... 6

6.3.

Synchronizing Instance Detach.......................................................................................... 6

Callback Support ....................................................................................................................... 7

7.1.

Callback data .................................................................................................................. 7

7.2.

Pre-Operation Callbacks ................................................................................................... 8

7.3.

Post-Operation Callbacks .................................................................................................. 9

Manipulating Callback Data Parameters.................................................................................. 11

8.1.

I/O Parameter Block .......................................................................................................11

8.2.

Accessing buffer/MDL......................................................................................................12

8.3.

Swapping buffers............................................................................................................12

Context Support...................................................................................................................... 13

9.1.

Context Registration .......................................................................................................14

9.2.

Context Creation APIs .....................................................................................................14

9.3.

Context Retrieval APIs.....................................................................................................17

9.4.

Context Freeing APIs.......................................................................................................18

10.

User Mode Communication...................................................................................................... 19

10.1.

Filter Communication Port Object......................................................................................19

10.2.

Connecting to Communication Port from User Mode ............................................................20

10.3.

Disconnecting from the Communication Port ......................................................................21

10.4.

Unload issues.................................................................................................................21

11.

File Name Support................................................................................................................... 21

11.1.

Retrieving a File Name during an Operation .......................................................................21

11.2.

Additional Support for File Names.....................................................................................23

11.3.

Interfaces for Name Providing Filters.................................................................................23

12.

Filter Initiated I/O.................................................................................................................. 25

13.

Rules for Unload/Unregister/Detach ...................................................................................... 27

14.

Support Routines .................................................................................................................... 27

15.

Building a Minifilter................................................................................................................. 28

Generated by Foxit PDF Creator © Foxit Software

http://www.foxitsoftware.com For evaluation only.

Page 3 of 28

1. Overview

This document pertains to filter drivers between the I/O manager and the base filesystem, which can be local

or remote. It does not pertain to filter drivers that sit between the filesystem and the storage driver(s), such

as FtDisk or DMIO.

We will refer to a file system filter driver written using the new model as a mini file system filter

driver/minifilter.

The existing file system filters based on the sfilter sample – using IRP and device-object based filtering will be

referred to as 'legacy filters'.

One of the key components of the new architecture is a legacy file system filter which is called 'Filter

Manager'. In future Windows operating system releases, this driver will be installed by default on the system.

This driver manages the minifilters by providing export libraries to which the minifilters link. The necessary

header files, libraries and binaries are available in the Minifilter IFSKit.

Why write a mini file system filter driver?

• Simpler, get a more reliable filter driver with less development effort.

• Dynamic load and unload, attach and detach.

• Attach at a well-defined location in the filter stack.

• Context management: fast, clean, reliable contexts for file objects, streams, files, instances, and volumes

• A host of utility routines including support for looking up names and caching them for efficient access,

communication between minifilters and user mode services, and IO queuing.

• Support non-recursive I/O so minifilter generated I/O can easily be seen only by lower minifilters and the

file system.

• Filter only operations of interest to minifilter – unlike the legacy model where a filter has to hook every

entry point to pass through operation.

2. Terms

In the Filter Manager architecture, some new objects are defined. For clarity these objects will be defined up

front.

Filter: A driver that performs some type of filtering operation on the file system.

Volume: For local file systems, the object that represents logical volume the file system manages. For

network redirectors, this represents the object to which all network requests are directed. The volume maps

directly to the file system (local or remote) DEVICE_OBJECT in the legacy filter model.

Instance: An instantiation of a filter on a volume at a unique altitude. The Filter Manager manages

presenting IOs to each instance in the stack of instances attached to a volume. There may be more than one

instance of a given minifilter for a given volume. The canonical example is a filter like FileSpy. It would be

helpful to attach FileSpy both above and below another filter on the same volume with each instance

maintaining a private context. This context could contain the log of IOs seen by the instance for later

comparison of the IO as seen above and below the filter.

File: A named object of data that could be composed of multiple streams that is stored on a disk by the file

system.

Stream: Represents a physical stream of data in a file.

FileObject: Represents a user’s open of a physical stream of data in a file.

CallbackData: The Filter Manager structure that encapsulates all the information about an operation. This

is equivalent to an IRP in the legacy filter model.

Generated by Foxit PDF Creator © Foxit Software

http://www.foxitsoftware.com For evaluation only.

Page 4 of 28

3. Minifilter Installation

Minifilters will be installed via an INF file. The INF file indicates what instances the minifilter supports.

Instances are defined in Section 5. Each instance is also accompanied by an altitude value which indicates its

absolute position in a minifilter stack and a set of flags.

The list of instances with their altitudes in the INF is the preferred means for file system filter vendors to ship

their minifilters. The flags indicate if the minifilter needs 'automatic attachment'. If this is the case, for every

volume in the system (and for new ones as they arrive), the minifilter gets a notification that it can respond

to and attach. The altitude in the INF file determines the altitude to which the minifilter attaches if it chooses

to do so.

A file system filter vendor may also create an instance dynamically at a specified altitude at any time when

the minifilter is running via the

FilterAttachAtAltitude()

function. This is provided as an override and

a potential debugging and testing aid.

4. Minifilter Registration

Mini file system filter drivers are kernel-mode drivers. As such, they must export a function called

DriverEntry(),

which will be the first function invoked when the driver is loaded. Most minifilters will call

FltRegisterFilter()

in their

DriverEntry().

FltRegisterFilter()

takes as a parameter a

FLT_REGISTRATION

structure, which contains an unload

routine, instance notification callbacks, a list of context callback function pointers and a list of file system

operation callback pointers. In the most common case, where the minifilter hooks just a few operations, this

list can be very short.

The minifilter also can specify additional flags for each operation that controls whether it receives the

callbacks in all cases. For instance, if

FLTFL_OPERATION_REGISTRATION_SKIP_PAGING_IO

is supplied,

the minifilter will not receive any paging I/O operations for that particular IRP major code.

Similarly, if

FLTFL_OPERATION_REGISTRATION_SKIP_CACHED_IO

is specified, only the non-cached I/O

path will be seen for that operation (i.e., if it is supplied for

IRP_MJ_READ

, all cached read paths will be

skipped by that minifilter).

5. Initiating filtering

Once a minifilter registers itself, it should initiate filtering at some point by calling the function

FltStartFiltering().

It is not necessary to call it from

DriverEntry(),

though most filters will

probably prefer to.

This function will kick-off the necessary notifications that will result in the minifilter attaching to the

appropriate volumes and start filtering I/O.

For this the Filter Manager walks through the list of instances

that are registered by the minifilter via its INF.

Each instance specifies an "altitude". An altitude is an infinite precision string (e.g., "100.123456") that

defines where it will be attached in a stack of minifilter instances. Altitudes for commercially released

minifilter drivers will be assigned by Microsoft.

The larger the altitude in numeric value, the higher the instance is attached in the minifilter stack for a

volume. Several sample altitudes are provided for developers to use while implementing minifilters and these

are the only altitudes an unsigned driver may use. There are two purposes for altitudes. The first is to

enforce relative minifilter ordering when it is necessary for proper functioning regardless of when the

individual drivers load. For instance, an encryption filter and an antivirus filter must attach with the antivirus

filter on top, otherwise the antivirus filter could not scan the clear text for viruses. The second purpose is to

provide a smaller test matrix for minifilter interoperability testing. Each minifilter instance will have a well-

specified altitude, therefore, when testing the interoperability between one or more minifilters, there is

exactly one well-defined configuration to test.

An INF instance specification also has associated flags. If bit 1 is set, the minifilter will not be automatically

notified when volumes appear in the system so that it can attach its instance. An instance with this flag set

http://www.foxitsoftware.com For evaluation only.

Page 5 of 28

in its specification would be manually attached via a Filter Manager API. If bit 2 is set, the minifilter will not

be asked to attach this instance to a volume when a manual attachment request is made.

6. Instance Notification Support

A set of callbacks are provided to notify a minifilter when an instance is being created or torn down. Through

these callbacks, the minifilter can control when instances are attached and detached from volumes.

6.1. Setting up an Instance

The

InstanceSetupCallback()

routine gets called for the following reasons:

• When a minifilter is loaded it is called for each volume that currently exists in the system.

• When a new volume is mounted.

• When

FltAttachVolume()

is called (kernel mode).

• When

FltAttachVolumeAtAltitude()

is called (kernel mode).

• When

FilterAttach()

is called (user mode).

• When

FilterAttachAtAltitude()

is called (user mode).

It is during the processing of the InstanceSetupCallback() that the minifilter decides whether or not the

instance should be created on the volume specified. This callback has the following signature:

typedef NTSTATUS

(*PFLT_INSTANCE_SETUP_CALLBACK) (

IN PCFLT_RELATED_OBJECTS FltObjects,

IN FLT_INSTANCE_SETUP_FLAGS Flags,

IN DEVICE_TYPE VolumeDeviceType,

IN FLT_FILESYSTEM_TYPE VolumeFilesystemType

);

The

FltObjects

structure contains pointers to the minifilter, volume and instance that define the instance

being created by this

InstanceSetupCallback()

. The Flags explain what operation triggered this

InstanceSetupCallback()

•

FLTFL_INSTANCE_SETUP_AUTOMATIC_ATTACHMENT

: This is an automatic attachment that is

occurring because the minifilter has just registered; therefore the Filter Manager is enumerating all

existing volumes in the systems for the newly loaded minifilter. This flag is not set when a user

explicitly request an instance to attach to a volume.

•

FLTFL_INSTANCE_SETUP_MANUAL_ATTACHMENT

: A manual attachment request has been issued

via the

FilterAttach()

(user-mode),

FilterAttachVolumeAtAltitude()

(user-mode),

FltAttachVolume()

(kernel-mode), or

FltAttachVolumeAtAltitude()

(kernel-mode) call.

•

FLTFL_INSTANCE_SETUP_NEWLY_MOUNTED_VOLUME

: The file system has just mounted this

volume, therefore it is calling the

InstanceSetupCallback()

for the minifilter to create an

instance on the volume if desired.

During the InstanceSetupCallback(), the minifilter also receives the VolumeDeviceType and the

VolumeFilesystemType to help the minifilter decide whether or not it is interested in attaching to this volume.

From the InstanceSetupCallback(), a minifilter can query the volume properties by calling

FltGetVolumeProperties()

and set a context using

FltSetInstanceContext()

on this instance if it

plans to attach this instance to the volume. It can also open and close files on the volume.

If the minifilter returns a success code from the instance setup callback, the instance will be attached to the

given volume. If the minifilter returns a warning or an error code, the instance will not be attached to the

volume.

If a minifilter does not register an

InstanceSetup()

routine, the system will treat this as if the user

returned

STATUS_SUCCESS and allow the instance to be created on the volume

http://www.foxitsoftware.com For evaluation only.

剩余27页未读，继续阅读

评论收藏

内容反馈

stecdeng

2012-07-18

学习驱动使用英文清晰版

roadblossom

粉丝: 11
资源: 117

Filter Driver Developer Guide.pdf

最新资源

Filter Driver Developer Guide.pdf

filter driver

Filter Driver Development Guide

ARM Developer Suit Developer Guide.pdf

SuperDog Developer's Guide.pdf

XML Developer's Guide.pdf

LWUIT Developer_Guide.pdf

HornetQ Messaging Developer's Guide.pdf

Linux下防火墙框架Net Filter剖析与扩展.pdf

Quaternion kinematics for the error-state Kalman filter.pdf

Realization of Digital Filter Structures in MATLAB.pdf

Azure_Developer_Guide.pdf

Dubbo Developer Guide.pdf

ARDrone_Developer_Guide.pdf

TensorRT-Developer-Guide.pdf

Python之filter共2页.pdf.zip

Multirate Systems And Filter Banks - P. Vaidyanathan (Prentice-Hall, 1993).pdf（后缀文件丢失，自行添加.pdf查看）

javafilter[参考].pdf

Stream的Filter与谓词逻辑.pdf

Digital Filter Design.pdf

Indirect Kalman Filter for 3D Attitude Estimation.pdf

第 10 节 GEE 的参数类型 (Filter,Join).pdf

filter属性[定义].pdf

Windows-file-system-filter-driver--.rar_filter driver

Designing And Implementing Linux Firewalls And Qos Using Netfilter, Iproute2, Nat, And l7-Filter; Packt Publishing.pdf

滤波器设计教程Practical.Analog.and.Digital.Filter.Design_MAZ.pdf

卡尔曼滤波（Kalman Filter）原理与公式推导.pdf

最新资源