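Question: how to intercept FastIO read/write operations in a minifilter
With Flags set to 0 and IRP_MJ_READ and IRP_MJ_WRITE registered, I do get FastIO, but not the ones I am interested in.
How can I intercept all FastIO reads and writes in a minifilter? Is it just handled in IRP_MJ_READ and IRP_MJ_WRITE?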
Reply #1
Posted: 2008-03-10 15:07
FLT_OPERATION_REGISTRATION
The FLT_OPERATION_REGISTRATION structure is used to register operation callback routines.

    typedef struct _FLT_OPERATION_REGISTRATION {
        UCHAR MajorFunction;
        FLT_OPERATION_REGISTRATION_FLAGS Flags;
        PFLT_PRE_OPERATION_CALLBACK PreOperation;
        PFLT_POST_OPERATION_CALLBACK PostOperation;
        PVOID Reserved1;
    } FLT_OPERATION_REGISTRATION, *PFLT_OPERATION_REGISTRATION;

Flags
Bitmask of flags specifying whether to call the preoperation (PFLT_PRE_OPERATION_CALLBACK) and postoperation (PFLT_POST_OPERATION_CALLBACK) callback routines for cached I/O or paging I/O operations. This member is optional and can be zero.

Flag: FLTFL_OPERATION_REGISTRATION_SKIP_CACHED_IO
Meaning: A minifilter sets this flag for read or write operations to specify that its preoperation and postoperation callback routines should not be called for cached I/O operations. This flag applies to fast I/O as well as IRP-based reads and writes because all fast I/O is cached.

Flag: FLTFL_OPERATION_REGISTRATION_SKIP_PAGING_IO
Meaning: A minifilter sets this flag for read or write operations to specify that its preoperation and postoperation callback routines should not be called for paging I/O operations. This flag applies only to IRP-based I/O operations. It is ignored for I/O operations that are not IRP-based.

Set the FLTFL_OPERATION_REGISTRATION_SKIP_CACHED_IO flag.
Reply #2
Posted: 2008-03-10 15:32
By default you will receive FastIO; after receiving an operation you can use FLT_IS_FASTIO_OPERATION to check whether it is FastIO.
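Added example, not part of the thread and not WDK code: a user-mode C model of the delivery rules quoted in Reply #1, combined with the fast I/O check from Reply #2. The flag constants, the `io_op` type, the sample operations and both functions are hypothetical stand-ins; only the rules themselves come from the quoted documentation.

```c
#include <stdbool.h>
#include <stdio.h>
/* Local stand-ins for the two registration flags; values are local to this model. */
enum {
    SKIP_CACHED_IO = 1u << 0, /* models FLTFL_OPERATION_REGISTRATION_SKIP_CACHED_IO */
    SKIP_PAGING_IO = 1u << 1  /* models FLTFL_OPERATION_REGISTRATION_SKIP_PAGING_IO */
};

typedef struct {
    bool fast_io; /* what FLT_IS_FASTIO_OPERATION would report in the callback */
    bool cached;  /* cached I/O */
    bool paging;  /* paging I/O */
} io_op;

/* Constructed sample operations, not captured from a real system. */
static const io_op OPS[] = {
    {true,  true,  false}, /* fast I/O read */
    {false, true,  false}, /* cached IRP read */
    {false, false, false}, /* non-cached IRP write */
    {false, false, true},  /* paging IRP write */
};
enum { N_OPS = sizeof OPS / sizeof OPS[0] };

/* Would the pre/post callbacks run for this operation under these flags? */
bool callback_invoked(unsigned flags, const io_op *op) {
    /* All fast I/O is cached, so SKIP_CACHED_IO hides it along with cached IRPs. */
    if ((flags & SKIP_CACHED_IO) && (op->fast_io || op->cached))
        return false;
    /* SKIP_PAGING_IO applies to IRP-based operations only. */
    if ((flags & SKIP_PAGING_IO) && !op->fast_io && op->paging)
        return false;
    return true;
}

/* Count delivered operations; with only_fast set, count delivered fast I/O only. */
int delivered(unsigned flags, bool only_fast) {
    int n = 0;
    for (int i = 0; i < N_OPS; i++)
        if (callback_invoked(flags, &OPS[i]) && (!only_fast || OPS[i].fast_io))
            n++;
    return n;
}

int main(void) {
    for (unsigned f = 0; f < 4; f++)
        printf("flags=%u delivered=%d fast_io=%d\n", f, delivered(f, false), delivered(f, true));
    return 0;
}
```

With flags 0 every constructed operation reaches the callback and the fast I/O check separates them there; with the skip-cached flag both the fast I/O and the cached IRP operations disappear, which a monitoring or scanning filter has to treat as a gap in what it observes.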
Reply #3
Posted: 2008-03-10 16:22
Thanks clarence and devia for the replies, I understand now!