/*==================================================================
Copyright (c) enjoy it for free!!!but it will be highly appreciated if you
keep the author declaration and my email:).
Module Name:
debug.c
Environment:
Kernel mode
Author: Winglet(hustwing@126.com) 20080424
===================================================================*/
#include "debug.h"
/*
 * Printable names for FILE_INFORMATION_CLASS values, consumed by
 * DbgPrintFileInformationClass.
 *
 * NOTE(review): FILE_INFORMATION_CLASS is 1-based (FileDirectoryInformation == 1)
 * while this table is 0-based, so entry 0 is class value 1. Index it with
 * (class - 1) and bound-check against its 51 entries (indices 0..50).
 */
CONST CHAR *FileInfoClassStr[] =
{
"FileDirectoryInformation",            /* index 0  == class value 1 */
"FileFullDirectoryInformation",
"FileBothDirectoryInformation",
"FileBasicInformation",
"FileStandardInformation",
"FileInternalInformation",
"FileEaInformation",
"FileAccessInformation",
"FileNameInformation",
"FileRenameInformation",
"FileLinkInformation",
"FileNamesInformation",
"FileDispositionInformation",
"FilePositionInformation",
"FileFullEaInformation",
"FileModeInformation",
"FileAlignmentInformation",
"FileAllInformation",
"FileAllocationInformation",
"FileEndOfFileInformation",
"FileAlternateNameInformation",
"FileStreamInformation",
"FilePipeInformation",
"FilePipeLocalInformation",
"FilePipeRemoteInformation",
"FileMailslotQueryInformation",
"FileMailslotSetInformation",
"FileCompressionInformation",
"FileObjectIdInformation",
"FileCompletionInformation",
"FileMoveClusterInformation",
"FileQuotaInformation",
"FileReparsePointInformation",
"FileNetworkOpenInformation",
"FileAttributeTagInformation",
"FileTrackingInformation",
"FileIdBothDirectoryInformation",
"FileIdFullDirectoryInformation",
"FileValidDataLengthInformation",
"FileShortNameInformation",
"FileIoCompletionNotificationInformation",
"FileIoStatusBlockRangeInformation",
"FileIoPriorityHintInformation",
"FileSfioReserveInformation",
"FileSfioVolumeInformation",
"FileHardLinkInformation",
"FileProcessIdsUsingFileInformation",
"FileNormalizedNameInformation",
"FileNetworkPhysicalNameInformation",
"FileIdGlobalTxDirectoryInformation",
"FileMaximumInformation"               /* index 50 == class value 51 */
};
#define PAGE_SIZE 0x1000 // 4K. NOTE(review): the WDK headers also define PAGE_SIZE; an identical redefinition is harmless, a different one is a compile error.
#define SYSNAME "System"
// Byte offset of the image-file-name field inside the process block. Stays 0 until
// DbgInitialize runs, and remains 0 if the scan in DbgiGetProcNameOffset finds nothing.
ULONG ProcessNameOffset = 0;
// Find the offset of the "System" process name inside the System process's process
// block (the author says PEB; the scan actually walks the EPROCESS returned by
// PsGetCurrentProcess). The offset is the same for every other process on this machine.
ULONG DbgiGetProcNameOffset();
/*
 * One-time setup: locate the process-name field and cache its offset in
 * ProcessNameOffset for the DbgGet*ProcessName helpers.
 *
 * DbgiGetProcNameOffset searches the *current* process for "System", so this
 * must run while the System process is current (typically from DriverEntry).
 * If the scan fails, ProcessNameOffset is left at 0.
 */
VOID DbgInitialize()
{
    ULONG offset = DbgiGetProcNameOffset();
    ProcessNameOffset = offset;
}
// This function's code is taken from FileMon
/*
 * Scan the current process block for the string "System" and return the byte
 * offset at which it was found, or 0 if it is not found within 3 pages.
 *
 * Only meaningful while the System process is current; in any other process the
 * scan either fails (returns 0) or matches unrelated bytes.
 *
 * NOTE(review): the scan reads 12KB from the start of the EPROCESS regardless of
 * its real size; it relies on the surrounding pool memory being mapped.
 */
ULONG DbgiGetProcNameOffset()
{
    PEPROCESS curproc = PsGetCurrentProcess();
    PCHAR base = (PCHAR) curproc;
    size_t namelen = strlen(SYSNAME);
    int offset;

    //
    // Scan for 12KB, hoping the KPEB never grows that big!
    //
    for (offset = 0; offset < 3 * PAGE_SIZE; offset++)
    {
        if (strncmp(SYSNAME, base + offset, namelen) == 0)
        {
            return (ULONG) offset;
        }
    }

    //
    // Name not found - oh, well
    //
    return 0;
}
#define NT_PROCNAMELEN 16 // ProcName buffers passed to DbgGetProcessNameUnsafe / DbgGetCurrentProcessName must hold at least this many bytes (15 chars + NUL)
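/*
 * Copy the image file name of ProcPtr into ProcName (at most NT_PROCNAMELEN-1
 * characters, always NUL-terminated) and return ProcName.
 *
 * ProcName must point to a buffer of at least NT_PROCNAMELEN bytes. ProcPtr is
 * neither referenced nor validated ("Unsafe"); the caller keeps it alive.
 *
 * Fix: when DbgInitialize has not run, or its scan failed, ProcessNameOffset is 0
 * and the old code copied the first bytes of the process block as if they were a
 * name. An empty string is returned in that case so callers never print garbage.
 */
PCHAR DbgGetProcessNameUnsafe(__inout PCHAR ProcName,__in PEPROCESS ProcPtr)
{
    if (ProcessNameOffset == 0)
    {
        ProcName[0] = '\0';
        return ProcName;
    }
    strncpy(ProcName, (PCHAR) ProcPtr + ProcessNameOffset, NT_PROCNAMELEN - 1);
    ProcName[NT_PROCNAMELEN - 1] = '\0'; // strncpy does not guarantee termination
    return ProcName;
}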
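/*
 * Copy the image file name of the current process into ProcName (at most
 * NT_PROCNAMELEN-1 characters, NUL-terminated) and return ProcName.
 *
 * ProcName must point to at least NT_PROCNAMELEN bytes. Requires DbgInitialize to
 * have populated ProcessNameOffset.
 *
 * Fix: the body duplicated DbgGetProcessNameUnsafe line for line and carried an
 * empty "#ifdef DBG_RIPEXCEPTION / #endif" pair; it now delegates so the two
 * helpers cannot drift apart.
 */
PCHAR DbgGetCurrentProcessName(__inout PCHAR ProcName)
{
    return DbgGetProcessNameUnsafe(ProcName, PsGetCurrentProcess());
}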
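/*
 * Print UniStr to the kernel debugger as ANSI text (KdPrint, checked builds only).
 *
 * The ANSI copy is allocated by RtlUnicodeStringToAnsiString and released before
 * returning; if the conversion fails nothing is printed.
 * NOTE(review): the conversion allocates pool, so callers should be at
 * PASSIVE_LEVEL — confirm against the WDK documentation.
 *
 * Fix: the old code passed AnsiStr.Buffer itself as the DbgPrint format string.
 * The text is caller-supplied (file names, in a filter driver), so a '%' in it was
 * interpreted as a conversion specifier. The counted string is now printed with
 * "%Z", which also does not rely on the buffer being NUL-terminated.
 */
VOID DbgPrintUnicodeString(__in PUNICODE_STRING UniStr)
{
    ANSI_STRING AnsiStr;
    NTSTATUS status = RtlUnicodeStringToAnsiString(&AnsiStr, UniStr, TRUE);
    if (NT_SUCCESS(status))
    {
        KdPrint(("%Z", &AnsiStr));
        RtlFreeAnsiString(&AnsiStr);
    }
}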
// Print the FileInformationClass of the current QueryInformation request and whether it is a FastIo operation
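/*
 * Print the operation kind (fast I/O vs IRP) and the name of the
 * FileInformationClass carried by a QueryFileInformation callback.
 *
 * Data must be a QueryFileInformation callback; only Iopb->Parameters.
 * QueryFileInformation.FileInformationClass is read. Classes outside the name
 * table print a generic "other information" message.
 *
 * Fix: FILE_INFORMATION_CLASS is 1-based (FileDirectoryInformation == 1) but
 * FileInfoClassStr is 0-based, so the old `FileInfoClassStr[FileInfoClass]`
 * printed the name of the *next* class (e.g. FileBasicInformation showed up as
 * FileStandardInformation). The index is now class - 1, bounded by the table size.
 */
VOID DbgPrintFileInformationClass(__in PFLT_CALLBACK_DATA Data)
{
    USHORT FileInfoClass;
    // One table entry per class value; entry 0 names class value 1.
    const ULONG classCount = (ULONG)(sizeof(FileInfoClassStr) / sizeof(FileInfoClassStr[0]));

    if (FLT_IS_FASTIO_OPERATION(Data))
    {
        KdPrint(("FAST_IO_QUERY_INFO: "));
    }
    else
    {
        KdPrint(("IRP_MJ_QUERY_INFO: "));
    }
    FileInfoClass = Data->Iopb->Parameters.QueryFileInformation.FileInformationClass;
    if (FileInfoClass >= 1 && FileInfoClass <= classCount)
    {
        KdPrint(("%s", FileInfoClassStr[FileInfoClass - 1]));
    }
    else
    {
        KdPrint(("查询文件其他信息"));
    }
}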
// Emit text only when cond is set. Local to DbgPrintFOBooleanSet; undefined below it.
#define DBGI_PRINT_IF(cond, text) do { if (cond) { KdPrint((text)); } } while (0)
/*
 * Print, on one line, which BOOLEAN members of FileObject are set
 * (LockOperation, DeletePending, Read/Write/DeleteAccess, Shared*), in the fixed
 * order below, terminated by a newline. KdPrint only: no output on free builds.
 */
VOID DbgPrintFOBooleanSet(__in PFILE_OBJECT FileObject)
{
    KdPrint(("该FO的Boolean设置为: "));
    DBGI_PRINT_IF(FileObject->LockOperation, "LockOperation...");
    DBGI_PRINT_IF(FileObject->DeletePending, "DeletePending...");
    DBGI_PRINT_IF(FileObject->ReadAccess,    "ReadAccess...");
    DBGI_PRINT_IF(FileObject->WriteAccess,   "WriteAccess...");
    DBGI_PRINT_IF(FileObject->DeleteAccess,  "DeleteAccess...");
    DBGI_PRINT_IF(FileObject->SharedRead,    "SharedRead...");
    DBGI_PRINT_IF(FileObject->SharedWrite,   "SharedWrite...");
    DBGI_PRINT_IF(FileObject->SharedDelete,  "SharedDelete...");
    KdPrint(("\n"));
}
#undef DBGI_PRINT_IF
// Print the names of the flags set on the current IRP
/*
 * Print the names of every IRP flag set on the current operation, in the order of
 * the table below, followed by a newline. Only Data->Iopb->IrpFlags is read.
 * KdPrint only: no output on free builds.
 */
VOID DbgPrintIrpFlags(__in PFLT_CALLBACK_DATA Data)
{
    // Flag bit paired with the text printed when it is set; order is the output order.
    static const struct { ULONG Bit; CONST CHAR *Name; } IrpFlagNames[] =
    {
        { IRP_NOCACHE,                "IRP_NOCACHE " },
        { IRP_PAGING_IO,              "IRP_PAGING_IO " },
        { IRP_SYNCHRONOUS_PAGING_IO,  "IRP_SYNCHRONOUS_PAGING_IO " },
        { IRP_MOUNT_COMPLETION,       "IRP_MOUNT_COMPLETION " },
        { IRP_SYNCHRONOUS_API,        "IRP_SYNCHRONOUS_API " },
        { IRP_ASSOCIATED_IRP,         "IRP_ASSOCIATED_IRP " },
        { IRP_BUFFERED_IO,            "IRP_BUFFERED_IO " },
        { IRP_DEALLOCATE_BUFFER,      "IRP_DEALLOCATE_BUFFER " },
        { IRP_INPUT_OPERATION,        "IRP_INPUT_OPERATION " },
        { IRP_CREATE_OPERATION,       "IRP_CREATE_OPERATION " },
        { IRP_READ_OPERATION,         "IRP_READ_OPERATION " },
        { IRP_WRITE_OPERATION,        "IRP_WRITE_OPERATION " },
        { IRP_CLOSE_OPERATION,        "IRP_CLOSE_OPERATION " },
        { IRP_DEFER_IO_COMPLETION,    "IRP_DEFER_IO_COMPLETION " },
        { IRP_OB_QUERY_NAME,          "IRP_OB_QUERY_NAME " },
        { IRP_HOLD_DEVICE_QUEUE,      "IRP_HOLD_DEVICE_QUEUE " },
    };
    ULONG IrpFlags = Data->Iopb->IrpFlags;
    size_t k;

    KdPrint(("当前IRP设置的Flag为:"));
    for (k = 0; k < sizeof(IrpFlagNames) / sizeof(IrpFlagNames[0]); k++)
    {
        if (FlagOn(IrpFlagNames[k].Bit, IrpFlags))
        {
            KdPrint(("%s", IrpFlagNames[k].Name));
        }
    }
    KdPrint(("\n"));
}
// Print the names of the flags set on the current FileObject
VOID DbgPrintFileObjectFlags(__in PFILE_OBJECT FileObject)
{
ULONG FoFlag = FileObject->Flags;
KdPrint(("该FileObject设置的Flag为:"));
if (FlagOn(FO_FILE_OPEN,FoFlag))
{
KdPrint(("FO_FILE_OPEN "));
}
if (FlagOn(FO_SYNCHRONOUS_IO,FoFlag))
{
KdPrint(("FO_SYNCHRONOUS_IO "));
}
if (FlagOn(FO_ALERTABLE_IO,FoFlag))
{
KdPrint(("FO_ALERTABLE_IO "));
}
if (FlagOn(FO_NO_INTERMEDIATE_BUFFERING,FoFlag))
{
KdPrint(("FO_NO_INTERMEDIATE_BUFFERING "));
}
if (FlagOn(FO_WRITE_THROUGH,FoFlag))
{
KdPrint(("FO_WRITE_THROUGH "));
}
if (FlagOn(FO_SEQUENTIAL_ONLY,FoFlag))
{
KdPrint(("FO_SEQUENTIAL_ONLY "));
}
if (FlagOn(FO_CACHE_SUPPORTED,FoFlag))
{
KdPrint(("FO_CACHE_SUPPORTED "));
}
if (FlagOn(FO_STREAM_FILE,FoFlag))
{
KdPrint(("FO_STREAM_FILE "));
}
if (FlagOn(FO_GENERATE_AUDIT_ON_CLOSE,FoFlag))
{
KdPrint(("FO_GENERATE_AUDIT_ON_CLOSE "));
}
if (FlagOn(FO_FILE_MODIFIED,FoFlag))
{
KdPrint(("FO_FILE_MODIFIED "));
}
if (FlagOn(FO_FILE_SIZE_CHANGED,FoFlag))
{
KdPrint(("FO_FILE_SIZE_CHANGED "));
}
if (FlagOn(FO_CLEANUP_COMPLETE,FoFlag))
{
KdPrint(("FO_CLEANUP_COMPLETE "));
}
if (FlagOn(FO_TEMPORARY_FILE,FoFlag))
{
KdPrint(("FO_TEMPORARY_FILE