新手请教filespy问题

filespy运行之后 每次修改重编译都要重新启动系统才能使新的sys生效吗
请各位大哥指教阿!谢谢乐

在XP以后可以动态加载与卸载,不过2K下好象只有重新启动了......

大佬
好象2000也不用重新启动

我是xp阿
怎么样动态加载卸载阿
是用net start和net stop吗
好像不能net stop阿 提示说要重启才能生效

NTSTATUS
DriverEntry(
    IN PDRIVER_OBJECT  DriverObject,
    IN PUNICODE_STRING RegistryPath
)

/*/////////////////////////////////////////////////////////////////////////

Routine Description:

    This is the initialization routine for the general purpose file system
    filter driver.  This routine creates the device object that represents
    this driver in the system and registers it for watching all file systems
    that register or unregister themselves as active file systems.

Arguments:

    DriverObject - Pointer to driver object created by the system.

Return Value:

    The function value is the final status from the initialization operation.

--*//////////////////////////////////////////////////////////////////////////
{
    UNICODE_STRING    nameString;
    PFILE_OBJECT      fileObject;
    NTSTATUS          status;
    PFAST_IO_DISPATCH fastIoDispatch;
    ULONG             i;
    PDEVICE_EXTENSION deviceExtension;
    UNICODE_STRING    linkString;
    
    //////////////////////////////////////////////////////////////////////
    //                                                                  //
    //  General setup for all filter drivers.  This sets up the filter  //
    //  driver\'s DeviceObject and registers the callback routines for   //
    //  the filter driver.                                              //
    //                                                                  //
    //////////////////////////////////////////////////////////////////////

    //
    // Create the device object that will represent the FileSpy device.
    //

    RtlInitUnicodeString( &nameString, FILESPY_FULLDEVICE_NAME );
    
    //
    // Create the \"control\" device object.  Note that this device object does
    // not have a device extension (set to NULL).  Most of the fast IO routines
    // check for this condition to determine if the fast IO is directed at the
    // control device.
    //
    status = IoCreateDevice(
        DriverObject,
        0,
        &nameString,
        FILESPY_DEVICE_TYPE,
        0,
        FALSE,
        &gControlDeviceObject);

    if (!NT_SUCCESS( status ))
{
#if DBG
        DbgPrint( \"Error creating FileSpy device, error: %x\\n\", status );
#endif // DBG
        return status;
    }
else
{
        RtlInitUnicodeString ( &linkString, FILESPY_DOSDEVICE_NAME );
        status = IoCreateSymbolicLink ( &linkString, &nameString );
        if (!NT_SUCCESS(status))
{
            DbgPrint ((\"FileSpy.SYS: IoCreateSymbolicLink failed\\n\"));
            IoDeleteDevice(gControlDeviceObject);
            return status;
        }
    }

    //
    // Initialize the driver object with this device driver\'s entry points.
    //
    for (i = 0; i <= IRP_MJ_MAXIMUM_FUNCTION; i++) {
        DriverObject->MajorFunction = SpyDispatch;
    }
    DriverObject->MajorFunction[IRP_MJ_CREATE] = SpyCreate;

    //
    // Allocate fast I/O data structure and fill it in.  This structure
    // is used to register the callbacks for FileSpy in the fast I/O
    // data paths.
    //
    fastIoDispatch = ExAllocatePool( NonPagedPool, sizeof( FAST_IO_DISPATCH ) );
    if (!fastIoDispatch)
{
        IoDeleteDevice( gControlDeviceObject );
        return STATUS_INSUFFICIENT_RESOURCES;
    }

    RtlZeroMemory( fastIoDispatch, sizeof( FAST_IO_DISPATCH ) );
    fastIoDispatch->SizeOfFastIoDispatch = sizeof( FAST_IO_DISPATCH );
    fastIoDispatch->FastIoCheckIfPossible = SpyFastIoCheckIfPossible;
    fastIoDispatch->FastIoRead = SpyFastIoRead;
    fastIoDispatch->FastIoWrite = SpyFastIoWrite;
    fastIoDispatch->FastIoQueryBasicInfo = SpyFastIoQueryBasicInfo;
    fastIoDispatch->FastIoQueryStandardInfo = SpyFastIoQueryStandardInfo;
    fastIoDispatch->FastIoLock = SpyFastIoLock;
    fastIoDispatch->FastIoUnlockSingle = SpyFastIoUnlockSingle;
    fastIoDispatch->FastIoUnlockAll = SpyFastIoUnlockAll;
    fastIoDispatch->FastIoUnlockAllByKey = SpyFastIoUnlockAllByKey;
    fastIoDispatch->FastIoDeviceControl = SpyFastIoDeviceControl;
    fastIoDispatch->FastIoDetachDevice = SpyFastIoDetachDevice;
    fastIoDispatch->FastIoQueryNetworkOpenInfo = SpyFastIoQueryNetworkOpenInfo;
    fastIoDispatch->AcquireForModWrite = SpyFastIoAcquireForModWrite;
    fastIoDispatch->MdlRead = SpyFastIoMdlRead;
    fastIoDispatch->MdlReadComplete = SpyFastIoMdlReadComplete;
    fastIoDispatch->PrepareMdlWrite = SpyFastIoPrepareMdlWrite;
    fastIoDispatch->MdlWriteComplete = SpyFastIoMdlWriteComplete;
    fastIoDispatch->FastIoReadCompressed = SpyFastIoReadCompressed;
    fastIoDispatch->FastIoWriteCompressed = SpyFastIoWriteCompressed;
    fastIoDispatch->MdlReadCompleteCompressed =
                                    SpyFastIoMdlReadCompleteCompressed;
    fastIoDispatch->MdlWriteCompleteCompressed =
                                    SpyFastIoMdlWriteCompleteCompressed;
    fastIoDispatch->FastIoQueryOpen = SpyFastIoQueryOpen;
    fastIoDispatch->ReleaseForModWrite = SpyFastIoReleaseForModWrite;
    fastIoDispatch->AcquireForCcFlush = SpyFastIoAcquireForCcFlush;
    fastIoDispatch->ReleaseForCcFlush = SpyFastIoReleaseForCcFlush;

    DriverObject->FastIoDispatch = fastIoDispatch;

    //////////////////////////////////////////////////////////////////////
    //                                                                  //
    //  Initialize global data structures that are used for FileSpy\'s   //
    //  logging of I/O operations.                                      //
    //                                                                  //
    //////////////////////////////////////////////////////////////////////

    InitializeListHead( &gSpyDeviceExtensionList );
    
    //
    // A fast mutex was used in this case because the mutex is never acquired at DPC level or above.
    // Spinlocks were chosen in other cases because they are acquired at DPC level or above.
    // Another consideration is that on an MP machine, a spin lock will literally spin trying to
    // acquire the lock when the lock is already acquired.  Acquiring a previously acquired fast
    // mutex will suspend the thread, thus freeing up the processor.
    //
    
    ExInitializeFastMutex( &gSpyDeviceExtensionListLock );


    gFsDriverObject = DriverObject;

    KeInitializeSpinLock( &gControlDeviceStateLock );

    InitializeListHead( &gOutputBufferList );

    KeInitializeSpinLock( &gOutputBufferLock );
    KeInitializeSpinLock( &gLogSequenceLock );


#ifndef MEMORY_DBG

    //
    //  When we aren\'t debugging our memory usage, we want to allocate
    //  memory from a lookaside list for better performance.  Unfortunately,
    //  we cannot benefit from the memory debugging help of the Driver
    //  Verifier if we allocate memory from a look-aside list.
    //

    ExInitializeNPagedLookasideList(
        &gFreeBufferList,
        ExAllocatePoolWithTag,
        ExFreePool,
        0,
        RECORD_SIZE,
        MSFM_TAG,
        100 );
#endif

    //
    // Initialize the hash table
    //
        
    for (i = 0; i < HASH_SIZE; i++){
        InitializeListHead(&gHashTable);
        KeInitializeSpinLock(&gHashLockTable);
    }

    //
    // Indicate that the type for this device object is a primary, not a
    // filter device object so that it doesn\'t accidentally get used to
    // call a file system.
    //

    RtlInitUnicodeString(&gVolumeString, L\"VOLUME\");
    RtlInitUnicodeString(&gOverrunString, L\"......\");
    RtlInitUnicodeString(&gPagingIoString, L\"Paging IO\");

    //
    // Read the custom parameters for FileSpy from the registry
    //
    SpyReadDriverParameters(RegistryPath, DriverObject);

    return STATUS_SUCCESS;
}

这是FILESPY的Driverentry

我没有找到DRIVERUNLOAD ROUTINE是在那里定义的

FILESPY一旦Attach,就不能真正意义上的DEATACH
程序里仅仅停止LOG抓取信息而已