Txzcy2004

..............

楼主#
更多 发布于:2004-06-28 13:09
发现自己比较sb......

[编辑 -  7/15/04 by  Txzcy2004]

cnmmd
沙发#
发布于:2004-07-06 12:59
我和你的发现一样。经过苦苦搜索,发现
必须自己创建IRP,向下面的FSD询问文件名。
以下是我参照FileMon做的,
但实际情况是加载驱动后蓝屏。

用GetFullPathName可以得到文件名。

//
// Debug trace helpers. Both prefix the message with the source file and
// line of the call site and go through KdPrint.
//
// DBGPUS1 formats its second argument with %wZ, so it must be passed a
// pointer to a UNICODE_STRING whose Length and Buffer have been set;
// an uninitialized string makes the formatter read through a garbage
// pointer.
//
#define DBGPUS1( label, ustr ) \
    KdPrint(( "%10s:%5d: %s=%wZ\n", __FILE__, __LINE__, (label), (ustr) ))

//
// DBGD1 formats its second argument with %08x, i.e. as a 32-bit value
// printed in hexadecimal.
//
#define DBGD1( label, val ) \
    KdPrint(( "%10s:%5d: %s=%08x\n", __FILE__, __LINE__, (label), (val) ))

//----------------------------------------------------------------------
//
// PadLockFilterQueryFileComplete
//
// Completion routine for the IRP that PadLockFilterQueryFile builds
// itself. It publishes the final status to the sender, wakes the
// sender, and releases the IRP.
//
// DeviceObject - not used.
// Irp          - the self-generated IRP. Its UserIosb and UserEvent
//                fields must point at storage the sender keeps alive
//                until the event has been signalled.
// Context      - not used.
//
// Always returns STATUS_MORE_PROCESSING_REQUIRED.
//
//----------------------------------------------------------------------
NTSTATUS
PadLockFilterQueryFileComplete(
    PDEVICE_OBJECT DeviceObject,
    PIRP Irp,
    PVOID Context
    )
{
    NTSTATUS finalStatus = Irp->IoStatus.Status;

    //
    // Neither argument is needed; reference them only so the compiler
    // does not complain about unused parameters.
    //
    (void) DeviceObject;
    (void) Context;

    //
    // Hand the completion status back through the sender's IOSB.
    //
    *Irp->UserIosb = Irp->IoStatus;
    if( !NT_SUCCESS(finalStatus) )
    {
        DBGD1("ERROR ON IRP:", finalStatus);
    }

    //
    // Wake the thread that is waiting for this request. The event is
    // not touched again after this call.
    //
    KeSetEvent(Irp->UserEvent, 0, FALSE);

    //
    // The IRP was allocated by this driver, so this driver frees it.
    //
    IoFreeIrp(Irp);

    //
    // STATUS_MORE_PROCESSING_REQUIRED tells the I/O Manager to stop
    // completion processing for this IRP. That is required here because
    // the IRP has just been freed and must not be touched any further.
    //
    return STATUS_MORE_PROCESSING_REQUIRED;
}

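//----------------------------------------------------------------------
//
// PadLockFilterQueryFile
//
// Builds an IRP_MJ_QUERY_INFORMATION request by hand, sends it to
// DeviceObject and blocks until PadLockFilterQueryFileComplete signals
// that it has finished.
//
// DeviceObject          - device that receives the request; the IRP is
//                         sized from its StackSize.
//                         NOTE(review): this presumably has to be the
//                         device below the filter, not the filter's own
//                         device object - confirm against the caller.
// FileObject            - file object being queried.
// FileInformationClass  - information class to request.
// FileQueryBuffer       - buffer that receives the answer; it is used
//                         as the IRP's system buffer, so it must be
//                         kernel memory that stays valid for the call.
// FileQueryBufferLength - size of FileQueryBuffer in bytes.
//
// Returns TRUE if the request completed with a success status, FALSE
// on bad arguments, IRP allocation failure, or a failing status.
//
// The wait below is unbounded, so the caller must be running at an
// IRQL where blocking is allowed.
//
//----------------------------------------------------------------------
BOOLEAN
PadLockFilterQueryFile(
    PDEVICE_OBJECT DeviceObject,
    PFILE_OBJECT FileObject,
    FILE_INFORMATION_CLASS FileInformationClass,
    PVOID FileQueryBuffer,
    ULONG FileQueryBufferLength
    )
{
    PIRP irp;
    KEVENT event;
    IO_STATUS_BLOCK IoStatusBlock;
    PIO_STACK_LOCATION ioStackLocation;

    //
    // Reject arguments that would be dereferenced below or handed to
    // the lower driver as a NULL / empty output buffer.
    //
    if( !DeviceObject || !FileObject ||
        !FileQueryBuffer || FileQueryBufferLength == 0 )
    {
        return FALSE;
    }

    //
    // NOTE(review): %08x shows only the low 32 bits of the pointer on a
    // 64-bit build, and the trace exposes a kernel address to anyone
    // reading the debug output.
    //
    DBGD1("Getting file name for FileObject", FileObject);

    //
    // The completion routine overwrites this block; give it a failing
    // value first so it is never read uninitialized.
    //
    IoStatusBlock.Status = STATUS_UNSUCCESSFUL;
    IoStatusBlock.Information = 0;

    //
    // Initialize the event
    //
    KeInitializeEvent(&event, SynchronizationEvent, FALSE);

    //
    // Allocate an irp for this request.  This could also come from a
    // private pool, for instance.
    //
    irp = IoAllocateIrp(DeviceObject->StackSize, FALSE);
    if( !irp )
    {
        return FALSE;
    }

    //
    // Build the IRP's main body
    //
    irp->AssociatedIrp.SystemBuffer = FileQueryBuffer;
    irp->UserEvent = &event;
    irp->UserIosb = &IoStatusBlock;
    irp->Tail.Overlay.Thread = PsGetCurrentThread();
    irp->Tail.Overlay.OriginalFileObject = FileObject;
    irp->RequestorMode = KernelMode;
    irp->Flags = 0;

    //
    // Set up the I/O stack location.
    //
    ioStackLocation = IoGetNextIrpStackLocation(irp);
    ioStackLocation->MajorFunction = IRP_MJ_QUERY_INFORMATION;
    ioStackLocation->DeviceObject = DeviceObject;
    ioStackLocation->FileObject = FileObject;
    ioStackLocation->Parameters.QueryFile.Length = FileQueryBufferLength;
    ioStackLocation->Parameters.QueryFile.FileInformationClass = FileInformationClass;

    //
    // Set the completion routine; it runs on success, error and cancel.
    //
    IoSetCompletionRoutine(irp, PadLockFilterQueryFileComplete, 0, TRUE, TRUE, TRUE);

    //
    // Send it to the FSD. The return value is ignored on purpose: the
    // completion routine frees the IRP and reports the final status
    // through IoStatusBlock.
    //
    (void) IoCallDriver(DeviceObject, irp);

    //
    // Wait for the I/O. The wait is non-alertable with no timeout:
    // 'event' and 'IoStatusBlock' live in this stack frame and the
    // completion routine writes to both, so returning before the event
    // is signalled would let it scribble over a dead frame.
    //
    KeWaitForSingleObject(&event, Executive, KernelMode, FALSE, NULL);

    //
    // Done! Note that since our completion routine frees the IRP we cannot
    // touch the IRP now.
    //
    return NT_SUCCESS( IoStatusBlock.Status );
}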



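//----------------------------------------------------------------------
//
// GetFullPathName
//
// Queries FileNameInformation for fileObject through
// PadLockFilterQueryFile and writes the returned name to the debug
// output. Nothing is returned to the caller.
//
// devObj     - device the query is sent to.
// fileObject - file object whose name is wanted.
//
//----------------------------------------------------------------------
VOID
GetFullPathName(PDEVICE_OBJECT devObj,PFILE_OBJECT fileObject)
{
    const ULONG infoBytes = MAXPATHLEN * sizeof(WCHAR);
    const ULONG headerBytes = FIELD_OFFSET(FILE_NAME_INFORMATION, FileName);
    PFILE_NAME_INFORMATION fileNameInfo;
    UNICODE_STRING fullUniName;
    ULONG nameBytes;

    //
    // The buffer must at least hold the fixed part of the structure.
    //
    if( infoBytes <= headerBytes )
    {
        return;
    }

    //
    // NOTE(review): untagged ExAllocatePool is kept to match the post;
    // a tagged allocation would make leaks traceable.
    //
    fileNameInfo = (PFILE_NAME_INFORMATION)
        ExAllocatePool( NonPagedPool, infoBytes );
    if( !fileNameInfo )
    {
        return;
    }

    if( PadLockFilterQueryFile( devObj,
                                fileObject,
                                FileNameInformation,
                                fileNameInfo,
                                infoBytes ) )
    {
        //
        // Do not trust the reported length blindly: keep it inside the
        // buffer that was allocated and inside the 16-bit range of
        // UNICODE_STRING.Length.
        //
        nameBytes = fileNameInfo->FileNameLength;
        if( nameBytes > infoBytes - headerBytes )
        {
            nameBytes = infoBytes - headerBytes;
        }
        if( nameBytes > 0xFFFE )
        {
            nameBytes = 0xFFFE;
        }

        fullUniName.Length = (USHORT) nameBytes;
        fullUniName.MaximumLength = (USHORT) nameBytes;
        fullUniName.Buffer = fileNameInfo->FileName;

        //
        // Trace only a string that has actually been filled in. The
        // original traced fullUniName unconditionally, so a failed
        // query passed an uninitialized UNICODE_STRING to %wZ.
        //
        DBGPUS1( "FileName", &fullUniName );

        //
        // The post left the FileMon-derived ANSI conversion and
        // drive / named-pipe / mailslot prefix handling commented out
        // at this point. If it is revived, its strcpy / sprintf /
        // memcpy into fullPathName need explicit bounds.
        //
    }

    ExFreePool( fileNameInfo );
}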
punk
板凳#
发布于:2004-07-09 13:53
我和你的发现一样。经过苦苦搜索,发现
必须自己创建IRP,向下面的FSD询问文件名。
以下是我参照FileMon做的,
但实际情况是加载驱动后蓝屏。

用GetFullPathName可以得到文件名。

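//
// Debug trace helpers. Both prefix the message with the source file and
// line of the call site and go through KdPrint.
//
// The quoted copy had lost the line-continuation backslashes and the
// backslash of "\n"; without the continuation each macro expands to
// nothing and the KdPrint line is left as a stray statement.
//
// DBGPUS1 formats its second argument with %wZ, so it must be passed a
// pointer to a UNICODE_STRING whose Length and Buffer have been set.
//
#define DBGPUS1( key,msg ) \
KdPrint( ("%10s:%5d: %s=%wZ\n",__FILE__,__LINE__,(key),(msg) ) )

//
// DBGD1 formats its second argument with %08x, i.e. as a 32-bit value
// printed in hexadecimal.
//
#define DBGD1( key,value ) \
KdPrint( ("%10s:%5d: %s=%08x\n",__FILE__,__LINE__,(key),(value) ) )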

//----------------------------------------------------------------------
//
// PadLockFilterQueryFileComplete
//
// Completion routine for the IRP that PadLockFilterQueryFile builds
// itself. It publishes the final status to the sender, wakes the
// sender, and releases the IRP.
//
// DeviceObject - not used.
// Irp          - the self-generated IRP. Its UserIosb and UserEvent
//                fields must point at storage the sender keeps alive
//                until the event has been signalled.
// Context      - not used.
//
// Always returns STATUS_MORE_PROCESSING_REQUIRED.
//
//----------------------------------------------------------------------
NTSTATUS
PadLockFilterQueryFileComplete(
    PDEVICE_OBJECT DeviceObject,
    PIRP Irp,
    PVOID Context
    )
{
    NTSTATUS finalStatus = Irp->IoStatus.Status;

    //
    // Neither argument is needed; reference them only so the compiler
    // does not complain about unused parameters.
    //
    (void) DeviceObject;
    (void) Context;

    //
    // Hand the completion status back through the sender's IOSB.
    //
    *Irp->UserIosb = Irp->IoStatus;
    if( !NT_SUCCESS(finalStatus) )
    {
        DBGD1("ERROR ON IRP:", finalStatus);
    }

    //
    // Wake the thread that is waiting for this request. The event is
    // not touched again after this call.
    //
    KeSetEvent(Irp->UserEvent, 0, FALSE);

    //
    // The IRP was allocated by this driver, so this driver frees it.
    //
    IoFreeIrp(Irp);

    //
    // STATUS_MORE_PROCESSING_REQUIRED tells the I/O Manager to stop
    // completion processing for this IRP. That is required here because
    // the IRP has just been freed and must not be touched any further.
    //
    return STATUS_MORE_PROCESSING_REQUIRED;
}

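//----------------------------------------------------------------------
//
// PadLockFilterQueryFile
//
// Builds an IRP_MJ_QUERY_INFORMATION request by hand, sends it to
// DeviceObject and blocks until PadLockFilterQueryFileComplete signals
// that it has finished.
//
// DeviceObject          - device that receives the request; the IRP is
//                         sized from its StackSize.
//                         NOTE(review): this presumably has to be the
//                         device below the filter, not the filter's own
//                         device object - confirm against the caller.
// FileObject            - file object being queried.
// FileInformationClass  - information class to request.
// FileQueryBuffer       - buffer that receives the answer; it is used
//                         as the IRP's system buffer, so it must be
//                         kernel memory that stays valid for the call.
// FileQueryBufferLength - size of FileQueryBuffer in bytes.
//
// Returns TRUE if the request completed with a success status, FALSE
// on bad arguments, IRP allocation failure, or a failing status.
//
// The wait below is unbounded, so the caller must be running at an
// IRQL where blocking is allowed.
//
//----------------------------------------------------------------------
BOOLEAN
PadLockFilterQueryFile(
    PDEVICE_OBJECT DeviceObject,
    PFILE_OBJECT FileObject,
    FILE_INFORMATION_CLASS FileInformationClass,
    PVOID FileQueryBuffer,
    ULONG FileQueryBufferLength
    )
{
    PIRP irp;
    KEVENT event;
    IO_STATUS_BLOCK IoStatusBlock;
    PIO_STACK_LOCATION ioStackLocation;

    //
    // Reject arguments that would be dereferenced below or handed to
    // the lower driver as a NULL / empty output buffer.
    //
    if( !DeviceObject || !FileObject ||
        !FileQueryBuffer || FileQueryBufferLength == 0 )
    {
        return FALSE;
    }

    //
    // NOTE(review): %08x shows only the low 32 bits of the pointer on a
    // 64-bit build, and the trace exposes a kernel address to anyone
    // reading the debug output.
    //
    DBGD1("Getting file name for FileObject", FileObject);

    //
    // The completion routine overwrites this block; give it a failing
    // value first so it is never read uninitialized.
    //
    IoStatusBlock.Status = STATUS_UNSUCCESSFUL;
    IoStatusBlock.Information = 0;

    //
    // Initialize the event
    //
    KeInitializeEvent(&event, SynchronizationEvent, FALSE);

    //
    // Allocate an irp for this request.  This could also come from a
    // private pool, for instance.
    //
    irp = IoAllocateIrp(DeviceObject->StackSize, FALSE);
    if( !irp )
    {
        return FALSE;
    }

    //
    // Build the IRP's main body
    //
    irp->AssociatedIrp.SystemBuffer = FileQueryBuffer;
    irp->UserEvent = &event;
    irp->UserIosb = &IoStatusBlock;
    irp->Tail.Overlay.Thread = PsGetCurrentThread();
    irp->Tail.Overlay.OriginalFileObject = FileObject;
    irp->RequestorMode = KernelMode;
    irp->Flags = 0;

    //
    // Set up the I/O stack location.
    //
    ioStackLocation = IoGetNextIrpStackLocation(irp);
    ioStackLocation->MajorFunction = IRP_MJ_QUERY_INFORMATION;
    ioStackLocation->DeviceObject = DeviceObject;
    ioStackLocation->FileObject = FileObject;
    ioStackLocation->Parameters.QueryFile.Length = FileQueryBufferLength;
    ioStackLocation->Parameters.QueryFile.FileInformationClass = FileInformationClass;

    //
    // Set the completion routine; it runs on success, error and cancel.
    //
    IoSetCompletionRoutine(irp, PadLockFilterQueryFileComplete, 0, TRUE, TRUE, TRUE);

    //
    // Send it to the FSD. The return value is ignored on purpose: the
    // completion routine frees the IRP and reports the final status
    // through IoStatusBlock.
    //
    (void) IoCallDriver(DeviceObject, irp);

    //
    // Wait for the I/O. The wait is non-alertable with no timeout:
    // 'event' and 'IoStatusBlock' live in this stack frame and the
    // completion routine writes to both, so returning before the event
    // is signalled would let it scribble over a dead frame.
    //
    KeWaitForSingleObject(&event, Executive, KernelMode, FALSE, NULL);

    //
    // Done! Note that since our completion routine frees the IRP we cannot
    // touch the IRP now.
    //
    return NT_SUCCESS( IoStatusBlock.Status );
}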



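//----------------------------------------------------------------------
//
// GetFullPathName
//
// Queries FileNameInformation for fileObject through
// PadLockFilterQueryFile and writes the returned name to the debug
// output. Nothing is returned to the caller.
//
// devObj     - device the query is sent to.
// fileObject - file object whose name is wanted.
//
//----------------------------------------------------------------------
VOID
GetFullPathName(PDEVICE_OBJECT devObj,PFILE_OBJECT fileObject)
{
    const ULONG infoBytes = MAXPATHLEN * sizeof(WCHAR);
    const ULONG headerBytes = FIELD_OFFSET(FILE_NAME_INFORMATION, FileName);
    PFILE_NAME_INFORMATION fileNameInfo;
    UNICODE_STRING fullUniName;
    ULONG nameBytes;

    //
    // The buffer must at least hold the fixed part of the structure.
    //
    if( infoBytes <= headerBytes )
    {
        return;
    }

    //
    // NOTE(review): untagged ExAllocatePool is kept to match the post;
    // a tagged allocation would make leaks traceable.
    //
    fileNameInfo = (PFILE_NAME_INFORMATION)
        ExAllocatePool( NonPagedPool, infoBytes );
    if( !fileNameInfo )
    {
        return;
    }

    if( PadLockFilterQueryFile( devObj,
                                fileObject,
                                FileNameInformation,
                                fileNameInfo,
                                infoBytes ) )
    {
        //
        // Do not trust the reported length blindly: keep it inside the
        // buffer that was allocated and inside the 16-bit range of
        // UNICODE_STRING.Length.
        //
        nameBytes = fileNameInfo->FileNameLength;
        if( nameBytes > infoBytes - headerBytes )
        {
            nameBytes = infoBytes - headerBytes;
        }
        if( nameBytes > 0xFFFE )
        {
            nameBytes = 0xFFFE;
        }

        fullUniName.Length = (USHORT) nameBytes;
        fullUniName.MaximumLength = (USHORT) nameBytes;
        fullUniName.Buffer = fileNameInfo->FileName;

        //
        // Trace only a string that has actually been filled in. The
        // original traced fullUniName unconditionally, so a failed
        // query passed an uninitialized UNICODE_STRING to %wZ.
        //
        DBGPUS1( "FileName", &fullUniName );

        //
        // The post left the FileMon-derived ANSI conversion and
        // drive / named-pipe / mailslot prefix handling commented out
        // at this point. If it is revived, its strcpy / sprintf /
        // memcpy into fullPathName need explicit bounds.
        //
    }

    ExFreePool( fileNameInfo );
}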


1. 调用IoSetCompletionRoutine时,这个自己创建的IRP没有当前IRP栈单元?
2. StackSize是否够用?

不停学习