I recently started learning file filter drivers. I printed part of the reference material (it is all in English, though, and the Windows Internals PDF is protected so it cannot be printed, which is annoying). While online I wandered around looking for articles and bits of code to read, and on kanxue (the pediy forum) I found a post about deleting the file of a running program: bbs.pediy.com/showthread.php. Ha, just the thing to study.

--------------------------------------------- notes written as I look things up --------------------------------------------------

① Interrupt Objects: for every physical device a driver serves that generates interrupts, an ISR must be registered, and when that happens the system creates an interrupt object to hold the information. Using interrupt objects keeps a driver compatible across Windows versions, because the driver does not touch the hardware directly: it hands a pointer to the interrupt object to the system, and the system reads what it needs from the object.

② Input parameters for all Dispatch routines are supplied in the IRP structure pointed to by Irp. Additional parameters are supplied in the driver's associated I/O stack location, which is described by the IO_STACK_LOCATION structure and can be obtained by calling IoGetCurrentIrpStackLocation.

③ Registering an ISR: the ISR is registered with IoConnectInterrupt. It looks complicated; I glanced at it and got dizzy. Discard...

④ Providing ISR Context Information: it is kept either in the device object or in the device extension.

⑤ Writing an ISR: the ISR does everything it can to dismiss the interrupt, possibly including stopping the device from interrupting, then saves the current state and queues a DPC to finish the I/O processing; that DPC runs at an IRQL lower than the ISR's. A driver's ISR executes in an interrupt context, at some system-assigned DIRQL, as specified by the SynchronizeIrql parameter to IoConnectInterrupt. In general, an ISR does no actual I/O processing to satisfy an IRP. Instead, it stops its device from interrupting, sets up necessary state information, and queues the driver's DpcForIsr or CustomDpc to do whatever I/O processing is necessary to satisfy the current request that caused the device to interrupt.

⑥ Synchronizing Access to Device Data: raising the processor's IRQL to the device's DIRQL value prevents the current processor from being interrupted, except by a higher-priority device. Acquiring a spin lock prevents other processors from executing any critical section code associated with that spin lock. (This spin lock is sometimes called an interrupt spin lock.)

--------------------------------------------- sudami's divider --------------------------------------------------
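The ISR/DPC split and the interrupt spin lock from notes ① to ⑥, as an added user-mode model written for this post; it is not driver code and not from the original post or the DDK. The IRQL values, the device registers, the DPC ring and all function names here (`deliver_interrupt`, `synchronize_execution`, `isr`, `dpc_for_isr`) are constructed for the model: `synchronize_execution` stands in for KeSynchronizeExecution, and the `isr`/`dpc_for_isr` pair for the DDK's ISR and DpcForIsr. The asserts encode the rules from the notes: device registers are touched only at DIRQL with the interrupt spin lock held, the ISR does no I/O processing, and the DPC runs below DIRQL.

```c
/* Added user-mode model of the ISR/DPC split and the interrupt spin lock from
 * notes (1)-(6). Not driver code: the IRQL values, the device registers, the
 * DPC ring and every function name are constructed for this model. */
#include <assert.h>
#include <stdbool.h>
#include <stdio.h>

enum irql { PASSIVE_LEVEL = 0, DISPATCH_LEVEL = 2, DIRQL = 5 };  /* modelled levels */

static enum irql current_irql = PASSIVE_LEVEL;
static bool interrupt_lock_held = false;   /* interrupt spin lock, taken only at DIRQL */

#define MAX_DPC 16

/* Device extension (note 4): the ISR's context lives here. */
struct device_ext {
    struct {
        unsigned status;        /* latched by the "hardware" when it interrupts */
        bool     int_pending;   /* device is asserting its interrupt line */
    } regs;                     /* device registers: software touches them only under the lock */
    unsigned saved_status[MAX_DPC];  /* state the ISR saves for its DPC */
    int dpc_head, dpc_tail;          /* queued DpcForIsr work */
    int completed;                   /* requests completed by the DPC */
};

static void acquire_interrupt_lock(void)
{
    assert(current_irql == DIRQL);   /* raise to DIRQL before taking the lock */
    assert(!interrupt_lock_held);
    interrupt_lock_held = true;
}
static void release_interrupt_lock(void) { interrupt_lock_held = false; }

/* Model of KeSynchronizeExecution: run a SynchCritSection routine at DIRQL with
 * the interrupt spin lock held, so it cannot race the ISR on another CPU. */
static bool synchronize_execution(struct device_ext *dx, bool (*crit)(struct device_ext *))
{
    enum irql old = current_irql;
    current_irql = DIRQL;
    acquire_interrupt_lock();
    bool result = crit(dx);
    release_interrupt_lock();
    current_irql = old;
    return result;
}

/* The ISR (note 5): dismiss the interrupt, save state, queue the DPC. It does
 * no I/O processing itself and returns FALSE when the interrupt is not ours. */
static bool isr(struct device_ext *dx)
{
    assert(current_irql == DIRQL && interrupt_lock_held);
    if (!dx->regs.int_pending)
        return false;
    dx->regs.int_pending = false;                        /* stop the device interrupting */
    dx->saved_status[dx->dpc_tail % MAX_DPC] = dx->regs.status;
    dx->dpc_tail++;                                      /* IoRequestDpc */
    return true;
}

/* DpcForIsr: runs at DISPATCH_LEVEL, below DIRQL, and does the real I/O work. */
static void dpc_for_isr(struct device_ext *dx)
{
    assert(current_irql == DISPATCH_LEVEL && !interrupt_lock_held);
    while (dx->dpc_head != dx->dpc_tail) {
        unsigned status = dx->saved_status[dx->dpc_head % MAX_DPC];
        dx->dpc_head++;
        dx->completed++;                                 /* complete the IRP for this status */
        (void)status;
    }
}

/* SynchCritSection routine: the only way dispatch code may look at the device. */
static bool device_interrupt_pending(struct device_ext *dx)
{
    assert(interrupt_lock_held);
    return dx->regs.int_pending;
}

/* "Hardware" plus kernel side: the device latches status and asserts its line,
 * the system calls the ISR at DIRQL under the lock, then drains the DPC queue. */
static void deliver_interrupt(struct device_ext *dx, unsigned status)
{
    dx->regs.status = status;
    dx->regs.int_pending = true;
    enum irql old = current_irql;
    current_irql = DIRQL;
    acquire_interrupt_lock();
    bool claimed = isr(dx);
    release_interrupt_lock();
    current_irql = DISPATCH_LEVEL;
    if (claimed)
        dpc_for_isr(dx);
    current_irql = old;
}

/* Deliver n interrupts and report how many requests the DPC completed. */
static int run_device_model(int n)
{
    struct device_ext dx = {0};
    for (int i = 0; i < n; i++)
        deliver_interrupt(&dx, 0x100u + (unsigned)i);
    assert(!synchronize_execution(&dx, device_interrupt_pending));  /* all dismissed */
    return dx.completed;
}

int main(void) { printf("completed %d requests\n", run_device_model(5)); return 0; }
```

Every interrupt is dismissed in the ISR and completed in the DPC, so `run_device_model(n)` returns n; a reader can remove any of the asserts' preconditions (for instance call `device_interrupt_pending` directly from `run_device_model`) to see which rule of the notes it enforces.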
Ha, a big pile of functions; I'll work through them slowly. Getting these functions down first lays the groundwork, and then reading the source of MmFlushImageSection will be much easier.

Now let's look at that ugly LOCK_PFN macro:

```c
#define LOCK_PFN(OLDIRQL)                            \
    ASSERT (KeGetCurrentIrql() <= APC_LEVEL);        \
```

MiLockPfnDatabase is also a macro; what it ends up calling is KeAcquireQueuedSpinLock (this function raises IRQL to DISPATCH_LEVEL and acquires the specified numbered queued spin lock).

The MI_SET_PFN_OWNER macro is defined as follows (screenshot not preserved):

LOCK_PFN_TIMESTAMP(): I couldn't find out what this macro is.

Now the UNLOCK_PFN macro (screenshot not preserved). That's roughly the idea...

--------------------------------------------- sudami's divider --------------------------------------------------

The start of MmFlushImageSection is just its two parameters; the one to focus on is the first:

```c
BOOLEAN
```
```
lkd> dt nt!_SECTION_OBJECT_POINTERS
```

MmFlushImageSection just tests whether two of these pointers are NULL: ImageSectionObject and DataSectionObject.

```
lkd> dt nt!_CONTROL_AREA
   ...
   +0x020 u : union __unnamed, 2 elements, 0x4 bytes
```

Dizzying, and then the source below got too hazy to follow...

--------------------------------------------- sudami's divider --------------------------------------------------
```c
/*++

Routine Description:

    This function determines if any views of the specified image section

Arguments:

    SectionPointer - Supplies a pointer to a section object pointers

    FlushType - Supplies the type of flush to check for.  One of

Return Value:

    Returns TRUE if either no section exists for the file object or

--*/

{
    if (FlushType == MmFlushForDelete) {

        //
        LOCK_PFN (OldIrql);

    //
    state = MiCheckControlAreaStatus (CheckImageSection,

    if (ControlArea == NULL) {

    //
    //
    do {

        //
        ControlArea->u.Flags.BeingDeleted = 1;

        if (ControlArea->u.Flags.GlobalOnlyPerSession == 0) {

            //
            //
            ASSERT (ControlArea->u.Flags.GlobalOnlyPerSession == 1);

            Next = ((PLARGE_CONTROL_AREA)ControlArea)->UserGlobalList.Flink;

            LargeControlArea = CONTAINING_RECORD (Next,

            LargeControlArea->NumberOfSectionReferences += 1;

        //
        UNLOCK_PFN (OldIrql);

        MiCleanSection (ControlArea, TRUE);

        //
        if (LargeControlArea != NULL) {

    } while (ControlArea);

    return (BOOLEAN) state;
```
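The decision the excerpt above makes, as an added user-mode model written for this post; it is not WRK or Windows code. `CONTROL_AREA` and `SECTION_OBJECT_POINTERS` here carry only the members the check needs, `check_image_control_area` is a simplified stand-in for MiCheckControlAreaStatus (the real routine also waits on BeingDeleted and returns with the PFN lock held), the GlobalOnlyPerSession loop over per-session control areas is left out, and `cleaned_sections` stands in for MiCleanSection. The three scenarios show why a file system answers STATUS_CANNOT_DELETE for an image that is still mapped, why a stale image section is simply cleaned away, and why a user data view blocks the MmFlushForDelete check but not MmFlushForWrite.

```c
/* Added user-mode model of MmFlushImageSection's MmFlushForDelete / MmFlushForWrite
 * decision. Not WRK or Windows code: the structs are reduced to the members the
 * check needs, check_image_control_area simplifies MiCheckControlAreaStatus, and
 * the per-session (GlobalOnlyPerSession) loop is omitted. */
#include <assert.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

typedef enum { MmFlushForDelete, MmFlushForWrite } MMFLUSH_TYPE;

typedef struct CONTROL_AREA {
    unsigned NumberOfUserReferences;     /* user-mode references to the section */
    unsigned NumberOfMappedViews;        /* views currently mapped */
    struct { unsigned BeingCreated : 1; unsigned BeingDeleted : 1; } Flags;  /* u.Flags */
} CONTROL_AREA;

typedef struct SECTION_OBJECT_POINTERS {
    CONTROL_AREA *DataSectionObject;     /* file mapped as data (cache, MapViewOfFile) */
    CONTROL_AREA *ImageSectionObject;    /* file mapped as an image (running EXE/DLL) */
} SECTION_OBJECT_POINTERS;

static int cleaned_sections;             /* counts modelled MiCleanSection calls */

/* Stand-in for MiCheckControlAreaStatus(CheckImageSection, ...): hands back the
 * image control area when it exists and nobody uses it; otherwise NULL, with
 * *state TRUE only when there is no image section at all. */
static CONTROL_AREA *check_image_control_area(SECTION_OBJECT_POINTERS *sp, bool *state)
{
    CONTROL_AREA *ca = sp->ImageSectionObject;
    if (ca == NULL) {
        *state = true;                   /* no section: nothing to flush */
        return NULL;
    }
    if (ca->NumberOfMappedViews != 0 || ca->Flags.BeingCreated || ca->Flags.BeingDeleted) {
        *state = false;                  /* image still mapped: the caller gets FALSE */
        return NULL;
    }
    return ca;                           /* real code returns here holding the PFN lock */
}

static bool flush_image_section_model(SECTION_OBJECT_POINTERS *sp, MMFLUSH_TYPE type)
{
    bool state;
    if (type == MmFlushForDelete) {
        /* Quick check: live user data views of the file also block a delete. */
        CONTROL_AREA *data = sp->DataSectionObject;
        if (data != NULL &&
            (data->NumberOfUserReferences != 0 || data->Flags.BeingCreated))
            return false;
    }
    CONTROL_AREA *ca = check_image_control_area(sp, &state);
    if (ca == NULL)
        return state;
    ca->Flags.BeingDeleted = 1;          /* this control area can never be reused */
    cleaned_sections++;                  /* MiCleanSection(ControlArea, TRUE) */
    sp->ImageSectionObject = NULL;       /* modelled effect of the segment going away */
    return true;
}

/* Scenario 1: the program is running, so its image section has a mapped view. */
static bool delete_allowed_while_running(void)
{
    CONTROL_AREA image = { .NumberOfMappedViews = 1, .NumberOfUserReferences = 1 };
    SECTION_OBJECT_POINTERS sp = { .ImageSectionObject = &image };
    return flush_image_section_model(&sp, MmFlushForDelete);        /* false */
}

/* Scenario 2: the program exited but its image section is still cached. */
static bool delete_allowed_after_exit(void)
{
    CONTROL_AREA image = { 0 };
    SECTION_OBJECT_POINTERS sp = { .ImageSectionObject = &image };
    int before = cleaned_sections;
    bool ok = flush_image_section_model(&sp, MmFlushForDelete);     /* true */
    /* the section was cleaned exactly once and the control area retired */
    return ok && cleaned_sections == before + 1 &&
           sp.ImageSectionObject == NULL && image.Flags.BeingDeleted;
}

/* Scenario 3: a user-mode data mapping of the file exists, no image section. */
static bool flush_allowed_with_data_view(MMFLUSH_TYPE type)
{
    CONTROL_AREA data = { .NumberOfUserReferences = 1 };
    SECTION_OBJECT_POINTERS sp = { .DataSectionObject = &data };
    return flush_image_section_model(&sp, type);   /* delete: false, write: true */
}

int main(void)
{
    printf("running image, delete: %d\n", delete_allowed_while_running());
    printf("stale image, delete:   %d\n", delete_allowed_after_exit());
    printf("data view, delete:     %d\n", flush_allowed_with_data_view(MmFlushForDelete));
    printf("data view, write:      %d\n", flush_allowed_with_data_view(MmFlushForWrite));
    return 0;
}
```

The point for anyone auditing file deletion behaviour: the file system does not decide on its own whether a running program's file may go away; it asks the memory manager, and the answer hinges on the control areas reachable from SectionObjectPointers, which is exactly the structure the `dt` output above describes.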



