MiniFilter driver. Filter attaching problems
I'm developing a miniFilter driver and took the Microsoft's SwapBuffers miniFilter as example. An InstaceSetup routin by default is attaching to all volumes. But I don't want to attach to all of them, only to some choosen...
I tried to set "NULL" instead of "InstanceSetup" in "FLT_REGISTRATION FilterRegistration" and then to call "FltAttachVolume" in the "DriverEntry" routin. I've done the following:
PFLT_VOLUME vol; UNICODE_STRING vname; .... RtlInitUnicodeString(&vname, L"E:\"); FltGetVolumeFromName(gFilterHandle, &vname, &vol); ... FltAttachVolume(gFilterHandle, vol, NULL, NULL); ...
When i tried to call FltAttachVolume with the "NULL" 3-d parameter (PCUNICODE_STRING InstanceName) i received a "STATUS_FLT_INSTANCE_NAME_COLLISION" error.
If i call FltAttachVolume with a "NOT NULL" 3-d parameter, such as a "UniqueInstaceName" it returns me "-2145452013".
I'm receiving the same errors, when i,m trying to attach a volume, using a FilterAttach routine from my User application, like this:
... driver.driverName = L"swapBuffers"; ... LPCWSTR vname = L"F:\"; ... FilterAttach(driver.driverName, vname, NULL, NULL, NULL);
With "NULL" 3-d parameter (LPCWSTR lpInstanceName): "ERROR_FLT_INSTANCE_NAME_COLLISION"
With "NOT-NULL": "-2145452013".
In MiniSpy miniFilter there is a User application, and the routine FilterAttach is used. I tried to call this routine in my application the same way - no results.
Finally, i changed the swapBuffers inf-file:
- there was no DefaultInstance parameter, i set it: "SwapBuffers - Top Instance".
also i copied this from the MiniSpy inf-file:
[MiniFilter.AddRegistry] HKR,"Instances","DefaultInstance",0x00000000,%DefaultInstance% HKR,"Instances\"%Instance1.Name%,"Altitude",0x00000000,%Instance1.Altitude% HKR,"Instances\"%Instance1.Name%,"Flags",0x00010001,%Instance1.Flags% HKR,"Instances\"%Instance2.Name%,"Altitude",0x00000000,%Instance2.Altitude% HKR,"Instances\"%Instance2.Name%,"Flags",0x00010001,%Instance2.Flags% HKR,"Instances\"%Instance3.Name%,"Altitude",0x00000000,%Instance3.Altitude% HKR,"Instances\"%Instance3.Name%,"Flags",0x00010001,%Instance3.Flags%
............. Instance1.Name = "SwapBuffers - Middle Instance" Instance1.Altitude = "370000" Instance1.Flags = 0x1 ; Suppress automatic attachments Instance2.Name = "SwapBuffers - Bottom Instance" Instance2.Altitude = "361000" Instance2.Flags = 0x1 ; Suppress automatic attachments Instance3.Name = "SwapBuffers - Top Instance" Instance3.Altitude = "385100" Instance3.Flags = 0x1 ; Suppress automatic attachments
changing the flags to 0x1 to suppress automatic attachments. And only installing my SwapBuffers miniFilter through t开发者_开发技巧his Inf file, i received "STATUS_SUCCESS" from FltAttachVolume routine in my driver. But it isn't really attaching to the disk...
What am i doing wrong? Thanks.
Instance1.Flags = 0x1
That is fine. I have somewhat similar code and that works fine.
status = FltRegisterFilter( DriverObject,
&FilterRegistration,
&gFilterHandle );
FLT_ASSERT( NT_SUCCESS( status ) );
if (NT_SUCCESS( status )) {
PSECURITY_DESCRIPTOR sd;
OBJECT_ATTRIBUTES oa;
UNICODE_STRING uniString;
status = FltBuildDefaultSecurityDescriptor(&sd,
FLT_PORT_ALL_ACCESS);
if (!NT_SUCCESS(status)) {
return status;
}
RtlInitUnicodeString(&uniString, PORT_NAME);
InitializeObjectAttributes(&oa,
&uniString,
OBJ_KERNEL_HANDLE | OBJ_CASE_INSENSITIVE,
NULL,
sd);
status = FltCreateCommunicationPort(gFilterHandle,
&gServerPort,
&oa,
NULL,
Connect,
Disconnect,
Message,
1);
FltFreeSecurityDescriptor(sd);
BREAK_HERE(); // DbgBreak() macro
//
// Start filtering i/o
//
status = FltStartFiltering(gFilterHandle);
if (!NT_SUCCESS(status)) {
FltUnregisterFilter(gFilterHandle);
}
else {
RtlInitUnicodeString(&uniString, L"\\Device\\HarddiskVolume1");
PFLT_VOLUME vol;
FltGetVolumeFromName(gFilterHandle, &uniString, &vol);
status = FltAttachVolume(gFilterHandle, vol, NULL, NULL);
// status == 0x0 at that point and the mini filter is attached to the Volume
}
}
I normally attach to all volumes but I wanted to try attaching to a single volume and it works fine.
加载中,请稍侯......
精彩评论