|
阅读:1910回复:4
自己创建的读irp,可以读,为什么又重写回文件了?
自己创建的读irp,可以读,为什么又重写回文件了?
测试过程: 1.打开测试的文件: tt111.txt (内容: “1234567890”) 2.看到monitor工具中显示出自己要读的有第4个byte开始读6bytes数据(数据为“567890”),读成功 3.修改tt111.txt( 原数据: “1234567890” 改为 “BbbbbbbbbbB”) 4.出现的显现:tt111.txt文件的内容变为:"567890BbbbbbbbbB" 怎么没删除“567890”,而是变成“567890BbbbbbbbbbB”; 为什么将我读的标识数据“567890”写进去了???? 二楼附上我的代码 |
|
|
沙发#
发布于:2007-07-17 19:06
static NTSTATUS irpCompletion(
PDEVICE_OBJECT DeviceObject, PIRP Irp, PVOID Context ) { UNREFERENCED_PARAMETER( DeviceObject ); UNREFERENCED_PARAMETER( Context ); *Irp->UserIosb = Irp->IoStatus; // Copy status information to // the user if (Irp->MdlAddress) { MmUnmapLockedPages( MmGetSystemAddressForMdl(Irp->MdlAddress), Irp->MdlAddress); MmUnlockPages(Irp->MdlAddress); IoFreeMdl(Irp->MdlAddress); Irp->MdlAddress = NULL; } KeSetEvent(Irp->UserEvent, 0, FALSE); // Signal event IoFreeIrp(Irp); // Free IRP return STATUS_MORE_PROCESSING_REQUIRED; // Tell the I/O manager to stop } NTSTATUS SfIssueReadWriteIrpSynchronously( IN PDEVICE_OBJECT DeviceObject, IN PFILE_OBJECT FileObject, IN ULONG MajorFunction, IN PIO_STATUS_BLOCK IoStatus, IN PVOID Buffer, IN ULONG Length, IN PLARGE_INTEGER ByteOffset, IN ULONG IrpFlags ) { PIRP Irp = NULL; PIO_STACK_LOCATION IrpSp = NULL; KEVENT Event; NTSTATUS Status; ASSERT((MajorFunction == IRP_MJ_READ) || (MajorFunction == IRP_MJ_WRITE)); KeInitializeEvent(&Event, NotificationEvent, FALSE); Irp = IoBuildAsynchronousFsdRequest( MajorFunction, DeviceObject, Buffer, Length, ByteOffset, //&Event, IoStatus ); if (!Irp) return STATUS_INSUFFICIENT_RESOURCES; Irp->Flags |= IrpFlags; Irp->Flags |= IRP_NOCACHE ; Irp->Flags |= IRP_SYNCHRONOUS_API; Irp->UserEvent = &Event; IrpSp = IoGetNextIrpStackLocation(Irp); IrpSp->FileObject = FileObject; IoSetCompletionRoutine(Irp, &irpCompletion, 0, TRUE, TRUE, TRUE); Status = IoCallDriver(DeviceObject, Irp); if (STATUS_PENDING == Status) { KeWaitForSingleObject(&Event, Executive, KernelMode, FALSE, NULL); } //IoCompleteRequest( Irp, IO_NO_INCREMENT ); return IoStatus->Status; } NTSTATUS SfIsEncryptFlagExist(IN PVOID Context) { PPOST_CREATE_WORKER_CONTEXT WorkerCtx = Context; NTSTATUS Status; IO_STATUS_BLOCK IoStatus={0}; UCHAR Buff[6]={0}; LARGE_INTEGER ByteOffset; PFILE_CONTEXT FileCtxPtr = WorkerCtx->FileContext; KeWaitForSingleObject(&FileCtxPtr->Event, Executive, KernelMode, FALSE, NULL); ByteOffset.QuadPart=4; IoStatus.Status = STATUS_SUCCESS; IoStatus.Information = 0; Status =SfIssueReadWriteIrpSynchronously(WorkerCtx->DeviceObject ,WorkerCtx->FileObject,IRP_MJ_READ,&IoStatus,Buff, sizeof(Buff),&ByteOffset,0); if (!NT_SUCCESS(Status)) { if (STATUS_END_OF_FILE == Status) { WorkerCtx->FileContext->EncryptFlagExist=FALSE; Status = STATUS_SUCCESS; } KeSetEvent(&FileCtxPtr->Event, IO_NO_INCREMENT, FALSE); KeSetEvent(&WorkerCtx->Event, IO_NO_INCREMENT, FALSE); KdPrint(("SFilter!SfIsEncryptFlagExist ERROR: %s\n", Buff)); return Status; } KeSetEvent(&FileCtxPtr->Event, IO_NO_INCREMENT, FALSE); KeSetEvent(&WorkerCtx->Event, IO_NO_INCREMENT, FALSE); if(Buff[0] != 0) { Buff[511] = 0; KdPrint(("SFilter!SfIsEncryptFlagExist: %s\n", Buff)); } return Status; } NTSTATUS SpyCreateCompletion ( IN PDEVICE_OBJECT DeviceObject, IN PIRP Irp, IN PVOID Context ) { PKEVENT event = Context; UNREFERENCED_PARAMETER( DeviceObject ); UNREFERENCED_PARAMETER( Irp ); ASSERT(IS_FILESPY_DEVICE_OBJECT( DeviceObject )); //KdPrint(("SFilter!SpyCreateCompletion\n")); KeSetEvent(event, IO_NO_INCREMENT, FALSE); return STATUS_MORE_PROCESSING_REQUIRED; } NTSTATUS SpyCreate ( IN PDEVICE_OBJECT DeviceObject, IN PIRP Irp ) { NTSTATUS status; PFILESPY_DEVICE_EXTENSION DevExt = (PFILESPY_DEVICE_EXTENSION) DeviceObject->DeviceExtension; PIO_STACK_LOCATION IrpSp = IoGetCurrentIrpStackLocation(Irp); PFILE_OBJECT FileObject = IrpSp->FileObject; PNAME_CONTROL newName = NULL; PWSTR FileName = NULL; PAGED_CODE(); // // If this is for our control device object, don't allow it to be opened. // if (IS_MY_CONTROL_DEVICE_OBJECT(DeviceObject)) { Irp->IoStatus.Status = STATUS_INVALID_DEVICE_REQUEST; Irp->IoStatus.Information = 0; IoCompleteRequest( Irp, IO_NO_INCREMENT ); return STATUS_INVALID_DEVICE_REQUEST; } ASSERT(IS_FILESPY_DEVICE_OBJECT( DeviceObject )); { UNICODE_STRING tempstr; RtlInitUnicodeString( &tempstr, L"\\tt111.txt" ); if(!RtlEqualUnicodeString(&FileObject->FileName , &tempstr, TRUE)) { IoSkipCurrentIrpStackLocation( Irp ); return IoCallDriver( DevExt->NLExtHeader.AttachedToDeviceObject, Irp ); } KdPrint(("SFilter!SfCreate 0\n")); if(bFlag != 0) { IoCompleteRequest( Irp, IO_NO_INCREMENT ); return STATUS_SUCCESS; } } { KEVENT waitEvent; // // Initialize an event to wait for the completion routine to occur // KeInitializeEvent( &waitEvent, NotificationEvent, FALSE ); // // Copy the stack and set our Completion routine // IoCopyCurrentIrpStackLocationToNext( Irp ); IoSetCompletionRoutine( Irp, SpyCreateCompletion, &waitEvent, TRUE, TRUE, TRUE ); // // Call the next driver in the stack. // status = IoCallDriver( DevExt->NLExtHeader.AttachedToDeviceObject, Irp ); // // Wait for the completion routine to be called // if (STATUS_PENDING == status) { NTSTATUS localStatus = KeWaitForSingleObject(&waitEvent, Executive, KernelMode, FALSE, NULL); ASSERT(STATUS_SUCCESS == localStatus); } // // Verify the IoCompleteRequest was called // ASSERT(KeReadStateEvent(&waitEvent) || !NT_SUCCESS(Irp->IoStatus.Status)); do{ POST_CREATE_WORKER_CONTEXT WorkerCtx; PFILE_CONTEXT FileCtxPtr = NULL; if (IrpSp->Parameters.Create.Options & FILE_DIRECTORY_FILE) { // // We don't care about directories // //ExFreeToPagedLookasideList(&gFileNameLookAsideList, FileName); break; } KdPrint(("SFilter!SfCreate 2\n")); if(!SfIsObjectFile(FileObject)) break; KdPrint(("SFilter!SfCreate 3\n")); //FileCtx.FsContext = FileObject->FsContext; if ((IrpSp->Parameters.Create.SecurityContext->DesiredAccess == FILE_READ_ATTRIBUTES) ) //FILE_READ_DATA break; FileCtxPtr = ExAllocatePoolWithTag( NonPagedPool, sizeof( FILE_CONTEXT ), FILESPY_CONTEXT_TAG ); if(FileCtxPtr==NULL) break; FileCtxPtr->RefCount = 1; KdPrint(("SFilter!SfCreate 4\n")); KeInitializeEvent(&FileCtxPtr->Event, SynchronizationEvent, TRUE); ExInitializeWorkItem(&WorkerCtx.WorkItem, SfIsEncryptFlagExist, &WorkerCtx); WorkerCtx.DeviceObject = DeviceObject; WorkerCtx.FileObject = FileObject; KeInitializeEvent(&WorkerCtx.Event, NotificationEvent, FALSE); WorkerCtx.FileContext = FileCtxPtr; //WorkerCtx.NewElement = NewElement; if (KeGetCurrentIrql() == PASSIVE_LEVEL) SfIsEncryptFlagExist(&WorkerCtx); else { ExQueueWorkItem(&WorkerCtx.WorkItem, DelayedWorkQueue); KeWaitForSingleObject(&WorkerCtx.Event, Executive, KernelMode, FALSE, NULL); } ExFreePool(FileCtxPtr); KdPrint(("SFilter!SfCreate 5\n")); bFlag = 1; KdPrint(("SFilter!SfCreate bFlag = [%d]\n", bFlag)); }while (FALSE); status = Irp->IoStatus.Status; IoCompleteRequest( Irp, IO_NO_INCREMENT ); return status; } } |
|
|
板凳#
发布于:2007-07-17 19:07
测试发现,修改测试文件时,多了一个write的动作
我并没有发起write的动作啦,为什么会出现??? |
|
|
地板#
发布于:2007-07-18 23:50
帮顶一下。
|
|
|
地下室#
发布于:2010-01-08 16:31
这么久了,还是帮顶一下哈。,,,
 |
|