sfilter疑问1--如何将 filter driver object 挂在文件系统驱动堆栈上？

我现在都不明白，到底是用IoAttachDeviceToDeviceStack函数呢，还是用FsRtlRegisterFileSystemFilterCallbacks

IoAttachDeviceToDeviceStack

File system filter driver DriverEntry中的工作
1，创建Control Device Object
RtlInitUnicodeString(&nameString, FILESPY_FULLDEVICE_NAME);
status = IoCreateDevice(
        DriverObject,                  //DriverObject
        0,                             //DeviceExtensionSize
        &nameString,                   //DeviceName
        FILE_DEVICE_DISK_FILE_SYSTEM,  //DeviceType
        FILE_DEVICE_SECURE_OPEN,       //DeviceCharacteristics
        FALSE,                         //Exclusive
        &gControlDeviceObject);        //DeviceObject

2,注册IRP派遣函数
for (i = 0; i <= IRP_MJ_MAXIMUM_FUNCTION; i++) {
    DriverObject->MajorFunction = SpyDispatch;
}
DriverObject->MajorFunction[IRP_MJ_CREATE] = SpyCreate;
DriverObject->MajorFunction[IRP_MJ_CLOSE] = SpyClose;
DriverObject->MajorFunction[IRP_MJ_FILE_SYSTEM_CONTROL] = SpyFsControl;

3,注册Fast I/O 派遣函数
RtlZeroMemory(fastIoDispatch, sizeof(FAST_IO_DISPATCH));
fastIoDispatch->SizeOfFastIoDispatch = sizeof(FAST_IO_DISPATCH);
fastIoDispatch->FastIoCheckIfPossible = SpyFastIoCheckIfPossible;
fastIoDispatch->FastIoRead = SpyFastIoRead;
fastIoDispatch->FastIoWrite = SpyFastIoWrite;
fastIoDispatch->FastIoQueryBasicInfo = SpyFastIoQueryBasicInfo;
fastIoDispatch->FastIoQueryStandardInfo = SpyFastIoQueryStandardInfo;
fastIoDispatch->FastIoLock = SpyFastIoLock;
fastIoDispatch->FastIoUnlockSingle = SpyFastIoUnlockSingle;
fastIoDispatch->FastIoUnlockAll = SpyFastIoUnlockAll;
fastIoDispatch->FastIoUnlockAllByKey = SpyFastIoUnlockAllByKey;
fastIoDispatch->FastIoDeviceControl = SpyFastIoDeviceControl;
fastIoDispatch->FastIoDetachDevice = SpyFastIoDetachDevice;
fastIoDispatch->FastIoQueryNetworkOpenInfo = SpyFastIoQueryNetworkOpenInfo;
fastIoDispatch->MdlRead = SpyFastIoMdlRead;
fastIoDispatch->MdlReadComplete = SpyFastIoMdlReadComplete;
fastIoDispatch->PrepareMdlWrite = SpyFastIoPrepareMdlWrite;
fastIoDispatch->MdlWriteComplete = SpyFastIoMdlWriteComplete;
fastIoDispatch->FastIoReadCompressed = SpyFastIoReadCompressed;
fastIoDispatch->FastIoWriteCompressed = SpyFastIoWriteCompressed;
fastIoDispatch->MdlReadCompleteCompressed = SpyFastIoMdlReadCompleteCompressed;
fastIoDispatch->MdlWriteCompleteCompressed = SpyFastIoMdlWriteCompleteCompressed;
fastIoDispatch->FastIoQueryOpen = SpyFastIoQueryOpen;

DriverObject->FastIoDispatch = fastIoDispatch;


4,注册回调函数
fsFilterCallbacks.SizeOfFsFilterCallbacks = sizeof(FS_FILTER_CALLBACKS);
fsFilterCallbacks.PreAcquireForSectionSynchronization = SpyPreFsFilterOperation;
fsFilterCallbacks.PostAcquireForSectionSynchronization = SpyPostFsFilterOperation;
fsFilterCallbacks.PreReleaseForSectionSynchronization = SpyPreFsFilterOperation;
fsFilterCallbacks.PostReleaseForSectionSynchronization = SpyPostFsFilterOperation;
fsFilterCallbacks.PreAcquireForCcFlush = SpyPreFsFilterOperation;
fsFilterCallbacks.PostAcquireForCcFlush = SpyPostFsFilterOperation;
fsFilterCallbacks.PreReleaseForCcFlush = SpyPreFsFilterOperation;
fsFilterCallbacks.PostReleaseForCcFlush = SpyPostFsFilterOperation;
fsFilterCallbacks.PreAcquireForModifiedPageWriter = SpyPreFsFilterOperation;
fsFilterCallbacks.PostAcquireForModifiedPageWriter = SpyPostFsFilterOperation;
fsFilterCallbacks.PreReleaseForModifiedPageWriter = SpyPreFsFilterOperation;
fsFilterCallbacks.PostReleaseForModifiedPageWriter = SpyPostFsFilterOperation;

status = FsRtlRegisterFileSystemFilterCallbacks(DriverObject, &fsFilterCallbacks);


5,其他初始化工作

6，注册回调函数
Filter drivers can call IoRegisterFsRegistrationChange to register a callback routine to be called whenever a file system driver calls IoRegisterFileSystem or IoUnregisterFileSystem to register or unregister itself. Filter drivers do this so they can see new file systems enter the system and choose whether to attach to them.

7,[Optional] Saving a Copy of the Registry Path String

8,Returning Status


但是我的疑问是：
Attaching a Filter to a File System or Volume　有两种方法：
（１）The end user can specify the volumes to filter by, for example, typing in the drive letters for the volumes. The end user's commands are relayed to the filter driver as a private IRP_MJ_DEVICE_CONTROL request. The FileSpy sample driver uses this approach when it is compiled with the global variable gFileSpyAttachMode set to FILESPY_ATTACH_ON_DEMAND. (It is set to FILESPY_ATTACH_ALL_VOLUMES by default.)
（２）The file system filter driver can attach to one or more file system drivers, listen for IRP_MJ_FILE_SYSTEM_CONTROL, IRP_MN_MOUNT_VOLUME requests, and attach to volumes as they are mounted. The SFilter sample driver uses this approach. The FileSpy sample driver uses this approach when it is compiled with the global variable gFileSpyAttachMode set to FILESPY_ATTACH_ALL_VOLUMES (the default value).

也就是说需要在IRP_MJ_FILE_SYSTEM_CONTROL派遣函数中Attaching a Filter to a File System or Volume.
但是，如果还没有Ａｔｔａｃｈ，如何收到该ＩＲＰ呢？

我又考虑，可能是load order group的原因，导致将该ｆｉｌｔｅｒ　ｄｒｉｖｅｒ加载到了file system堆栈中的吧。那么它可以收到该IRP了？

是不是该在该IRP中Attach呢？

1111