新手请教filespy问题
FileSpy 运行之后，每次修改、重新编译后都必须重新启动系统才能让新的 .sys 生效吗？
请各位大哥指教啊！谢谢了。
发布于:2004-04-27 12:52
在 XP 以后可以动态加载与卸载，不过 2K 下好像只有重新启动了……（注：能否动态卸载还取决于驱动本身是否提供 DriverUnload 例程，而不只是操作系统版本。）
发布于:2004-04-27 14:30
大佬
好像 2000 也不用重新启动。
发布于:2004-04-27 15:04
我是 XP 啊。怎么样动态加载、卸载啊？是用 net start 和 net stop 吗？好像不能 net stop 啊，提示说要重启才能生效。
发布于:2004-04-29 09:33
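NTSTATUS
DriverEntry(
    IN PDRIVER_OBJECT DriverObject,
    IN PUNICODE_STRING RegistryPath
    )
/*++

Routine Description:

    Initialization routine for the FileSpy general-purpose file system
    filter driver.  It creates the control device object that represents
    this driver, publishes a DOS-device symbolic link to it, installs the
    IRP and fast I/O dispatch tables, and initializes the global state used
    for logging I/O operations.

    NOTE(review): DriverObject->DriverUnload is never assigned here, so the
    service control manager cannot unload this driver once it is started;
    replacing the .sys requires a reboot.  A legacy filter that has attached
    to file system volume device objects generally cannot be detached safely
    anyway, so this is deliberate rather than an oversight.

Arguments:

    DriverObject - Pointer to the driver object created by the system.

    RegistryPath - Registry path of the driver's service key; handed to
                   SpyReadDriverParameters to read custom settings.

Return Value:

    STATUS_SUCCESS on success; otherwise the failing status from
    IoCreateDevice or IoCreateSymbolicLink, or STATUS_INSUFFICIENT_RESOURCES
    if the fast I/O dispatch table cannot be allocated.  On every failure
    path the objects created so far are torn down again.

--*/
{
    UNICODE_STRING nameString;
    UNICODE_STRING linkString;
    NTSTATUS status;
    PFAST_IO_DISPATCH fastIoDispatch;
    ULONG i;

    //
    // Create the "control" device object.  It deliberately has no device
    // extension (extension size 0): most of the fast I/O routines test for
    // a NULL extension to tell a request aimed at the control device from
    // one aimed at a filter device attached to a file system.
    //
    RtlInitUnicodeString( &nameString, FILESPY_FULLDEVICE_NAME );

    status = IoCreateDevice( DriverObject,
                             0,
                             &nameString,
                             FILESPY_DEVICE_TYPE,
                             0,
                             FALSE,
                             &gControlDeviceObject );
    if (!NT_SUCCESS( status )) {
#if DBG
        DbgPrint( "Error creating FileSpy device, error: %x\n", status );
#endif // DBG
        return status;
    }

    //
    // Publish the DOS-device symbolic link so user mode can open the
    // control device by its \DosDevices name.
    //
    RtlInitUnicodeString( &linkString, FILESPY_DOSDEVICE_NAME );

    status = IoCreateSymbolicLink( &linkString, &nameString );
    if (!NT_SUCCESS( status )) {
#if DBG
        DbgPrint( "FileSpy.SYS: IoCreateSymbolicLink failed\n" );
#endif // DBG
        IoDeleteDevice( gControlDeviceObject );
        return status;
    }

    //
    // Route every IRP major function through the generic dispatcher, then
    // override IRP_MJ_CREATE with its dedicated handler.
    //
    for (i = 0; i <= IRP_MJ_MAXIMUM_FUNCTION; i++) {
        DriverObject->MajorFunction[i] = SpyDispatch;
    }
    DriverObject->MajorFunction[IRP_MJ_CREATE] = SpyCreate;

    //
    // Allocate the fast I/O dispatch table.  A tagged allocation keeps the
    // block attributable in pool-tracking tools.  Entries not filled in
    // below stay NULL (the table is zeroed), meaning "not supported".
    //
    fastIoDispatch = ExAllocatePoolWithTag( NonPagedPool,
                                            sizeof( FAST_IO_DISPATCH ),
                                            MSFM_TAG );
    if (!fastIoDispatch) {
        //
        // Tear down the symbolic link as well as the device object;
        // deleting only the device would leave a dangling \DosDevices name.
        //
        IoDeleteSymbolicLink( &linkString );
        IoDeleteDevice( gControlDeviceObject );
        return STATUS_INSUFFICIENT_RESOURCES;
    }

    RtlZeroMemory( fastIoDispatch, sizeof( FAST_IO_DISPATCH ) );
    fastIoDispatch->SizeOfFastIoDispatch = sizeof( FAST_IO_DISPATCH );
    fastIoDispatch->FastIoCheckIfPossible = SpyFastIoCheckIfPossible;
    fastIoDispatch->FastIoRead = SpyFastIoRead;
    fastIoDispatch->FastIoWrite = SpyFastIoWrite;
    fastIoDispatch->FastIoQueryBasicInfo = SpyFastIoQueryBasicInfo;
    fastIoDispatch->FastIoQueryStandardInfo = SpyFastIoQueryStandardInfo;
    fastIoDispatch->FastIoLock = SpyFastIoLock;
    fastIoDispatch->FastIoUnlockSingle = SpyFastIoUnlockSingle;
    fastIoDispatch->FastIoUnlockAll = SpyFastIoUnlockAll;
    fastIoDispatch->FastIoUnlockAllByKey = SpyFastIoUnlockAllByKey;
    fastIoDispatch->FastIoDeviceControl = SpyFastIoDeviceControl;
    fastIoDispatch->FastIoDetachDevice = SpyFastIoDetachDevice;
    fastIoDispatch->FastIoQueryNetworkOpenInfo = SpyFastIoQueryNetworkOpenInfo;
    fastIoDispatch->AcquireForModWrite = SpyFastIoAcquireForModWrite;
    fastIoDispatch->MdlRead = SpyFastIoMdlRead;
    fastIoDispatch->MdlReadComplete = SpyFastIoMdlReadComplete;
    fastIoDispatch->PrepareMdlWrite = SpyFastIoPrepareMdlWrite;
    fastIoDispatch->MdlWriteComplete = SpyFastIoMdlWriteComplete;
    fastIoDispatch->FastIoReadCompressed = SpyFastIoReadCompressed;
    fastIoDispatch->FastIoWriteCompressed = SpyFastIoWriteCompressed;
    fastIoDispatch->MdlReadCompleteCompressed = SpyFastIoMdlReadCompleteCompressed;
    fastIoDispatch->MdlWriteCompleteCompressed = SpyFastIoMdlWriteCompleteCompressed;
    fastIoDispatch->FastIoQueryOpen = SpyFastIoQueryOpen;
    fastIoDispatch->ReleaseForModWrite = SpyFastIoReleaseForModWrite;
    fastIoDispatch->AcquireForCcFlush = SpyFastIoAcquireForCcFlush;
    fastIoDispatch->ReleaseForCcFlush = SpyFastIoReleaseForCcFlush;

    DriverObject->FastIoDispatch = fastIoDispatch;

    //
    // Global state for FileSpy's logging of I/O operations.
    //
    InitializeListHead( &gSpyDeviceExtensionList );

    //
    // A fast mutex guards the device-extension list because it is never
    // acquired at DISPATCH_LEVEL or above.  The remaining locks below are
    // spin locks because they are acquired at DISPATCH_LEVEL or above.
    // On an MP machine a contended spin lock spins, whereas a contended
    // fast mutex blocks the thread and frees the processor.
    //
    ExInitializeFastMutex( &gSpyDeviceExtensionListLock );

    gFsDriverObject = DriverObject;

    KeInitializeSpinLock( &gControlDeviceStateLock );

    InitializeListHead( &gOutputBufferList );
    KeInitializeSpinLock( &gOutputBufferLock );

    KeInitializeSpinLock( &gLogSequenceLock );

#ifndef MEMORY_DBG
    //
    // When not debugging memory usage, draw log records from a lookaside
    // list for performance.  The trade-off is that Driver Verifier cannot
    // track individual allocations taken from a lookaside list.
    //
    ExInitializeNPagedLookasideList( &gFreeBufferList,
                                     ExAllocatePoolWithTag,
                                     ExFreePool,
                                     0,
                                     RECORD_SIZE,
                                     MSFM_TAG,
                                     100 );
#endif

    //
    // Initialize the hash table buckets and their per-bucket spin locks.
    //
    for (i = 0; i < HASH_SIZE; i++) {
        InitializeListHead( &gHashTable[i] );
        KeInitializeSpinLock( &gHashLockTable[i] );
    }

    //
    // Constant strings shared by the rest of the driver (presumably used
    // when formatting log records -- see the logging routines).
    //
    RtlInitUnicodeString( &gVolumeString, L"VOLUME" );
    RtlInitUnicodeString( &gOverrunString, L"......" );
    RtlInitUnicodeString( &gPagingIoString, L"Paging IO" );

    //
    // Read the custom parameters for FileSpy from the registry.
    //
    SpyReadDriverParameters( RegistryPath, DriverObject );

    return STATUS_SUCCESS;
}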
发布于:2004-04-29 09:36
这是 FileSpy 的 DriverEntry。
我没有找到 DriverUnload 例程是在哪里定义的；DriverEntry 里也没有给 DriverObject->DriverUnload 赋值，所以用 net stop 停止服务时系统只会提示需要重启。FileSpy 一旦 Attach，就不能真正意义上 Detach，程序里仅仅是停止抓取 LOG 信息而已。