windows下的卷过滤代码
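#include <ntddk.h>
#include <ntddvol.h>

/* Filter device object whose IRP_MJ_WRITE requests are rejected (the "D:" volume
 * the post talks about). Nothing in this listing ever assigns it, so
 * DispatchReadWrite rejects nothing until the author sets it (e.g. from
 * DispatchCtrl once VolumeLetter is known). */
PDEVICE_OBJECT DesDev = NULL;

/* Device extension of one filter device object. */
typedef struct _DevExt {
    WCHAR VolumeLetter;      /* drive letter such as L'C' or L'D'; 0 until IOCTL_VOLUME_ONLINE has completed */
    PDEVICE_OBJECT FltDev;   /* this filter device object */
    PDEVICE_OBJECT LowerDev; /* next-lower device, returned by IoAttachDeviceToDeviceStack */
    PDEVICE_OBJECT PhyDev;   /* physical device object handed to AddDevice */
} DevExt, *PDevExt;

/* Completion context for IOCTL_VOLUME_ONLINE. Holds a POINTER to the extension:
 * the original copied the extension by value, so the volume letter was written
 * into a stack temporary and the real extension never learned it. */
typedef struct _Parameter {
    PDevExt ParDexExt;
    KEVENT Event;
} Par, *PPar;

/* Forward an IRP unchanged to the next-lower driver. */
NTSTATUS Dispatch(PDEVICE_OBJECT Device, PIRP irp)
{
    PDevExt lp = (PDevExt)Device->DeviceExtension;

    IoSkipCurrentIrpStackLocation(irp);
    return IoCallDriver(lp->LowerDev, irp);
}

/* Power IRPs are forwarded with PoStartNextPowerIrp/PoCallDriver rather than IoCallDriver. */
NTSTATUS DispatchPower(PDEVICE_OBJECT Device, PIRP irp)
{
    PDevExt lp = (PDevExt)Device->DeviceExtension;

    PoStartNextPowerIrp(irp);
    IoSkipCurrentIrpStackLocation(irp);
    return PoCallDriver(lp->LowerDev, irp);
}

/* IRP_MJ_WRITE: reject writes aimed at DesDev, forward everything else.
 * The original returned STATUS_SUCCESS without completing the IRP, which leaves
 * the request dangling forever (its issuer never wakes up). A rejected IRP must
 * be completed with an error status. Note that the 0x7B bugcheck shown in the
 * post (IopMarkBootPartition frame) still follows when DesDev is the boot
 * volume, because the kernel cannot proceed if its boot partition is unwritable. */
NTSTATUS DispatchReadWrite(PDEVICE_OBJECT Device, PIRP irp)
{
    if (DesDev == Device) {
        irp->IoStatus.Status = STATUS_ACCESS_DENIED;
        irp->IoStatus.Information = 0;
        IoCompleteRequest(irp, IO_NO_INCREMENT);
        return STATUS_ACCESS_DENIED;
    }
    return Dispatch(Device, irp);
}

/* Completion routine for IOCTL_VOLUME_ONLINE: only wakes DispatchCtrl.
 * The original cast Device->DeviceExtension (a DevExt) to PPar and signalled
 * &lp->Event, i.e. memory past the end of the extension, while DispatchCtrl
 * waited on nowPar.Event, so the wait could never be satisfied. The DOS-name
 * lookup and the hard-coded "int 3" were also removed from here: completion
 * routines may run at DISPATCH_LEVEL, where IoVolumeDeviceToDosName
 * (PASSIVE_LEVEL only) is not allowed, and a hard-coded breakpoint typically
 * crashes the machine when no kernel debugger is attached. Returning
 * STATUS_MORE_PROCESSING_REQUIRED keeps the IRP alive until DispatchCtrl
 * completes it. */
NTSTATUS MyProc(PDEVICE_OBJECT Device, PIRP irp, PVOID Context)
{
    PPar lp = (PPar)Context;

    UNREFERENCED_PARAMETER(Device);
    UNREFERENCED_PARAMETER(irp);
    ASSERT(Context != NULL);

    KeSetEvent(&lp->Event, 0, FALSE);
    return STATUS_MORE_PROCESSING_REQUIRED;
}

/* Resolve the DOS name ("C:") of the volume and store its first character in
 * the extension. Must run at PASSIVE_LEVEL. The buffer IoVolumeDeviceToDosName
 * returns is allocated by the kernel and is the caller's to free; the original
 * leaked it on every IOCTL_VOLUME_ONLINE and read Buffer[0] before checking
 * that the call succeeded. */
static VOID RecordVolumeLetter(PDevExt lp)
{
    UNICODE_STRING DosName = { 0 };
    NTSTATUS status = IoVolumeDeviceToDosName(lp->PhyDev, &DosName);

    if (NT_SUCCESS(status) && DosName.Length >= sizeof(WCHAR)) {
        lp->VolumeLetter = DosName.Buffer[0];
        DbgPrint("The Str is: %ws\n", DosName.Buffer);
    } else {
        KdPrint(("对不起,没有获得卷的名称"));
    }
    if (DosName.Buffer != NULL) {
        ExFreePool(DosName.Buffer);
    }
}

/* IRP_MJ_DEVICE_CONTROL: intercept IOCTL_VOLUME_ONLINE so the drive letter can
 * be learned once the volume is online; every other IOCTL is forwarded.
 * The original allocated a KEVENT with C++ new/delete (there is no operator new
 * in a kernel C driver) and then copied the initialised event by value into
 * nowPar; the event is now initialised in place on the stack. */
NTSTATUS DispatchCtrl(PDEVICE_OBJECT Device, PIRP irp)
{
    PDevExt lp = (PDevExt)Device->DeviceExtension;
    PIO_STACK_LOCATION irpsp = IoGetCurrentIrpStackLocation(irp);
    NTSTATUS status;
    Par nowPar;

    if (irpsp->Parameters.DeviceIoControl.IoControlCode != IOCTL_VOLUME_ONLINE) {
        IoSkipCurrentIrpStackLocation(irp);
        return IoCallDriver(lp->LowerDev, irp);
    }

    nowPar.ParDexExt = lp;
    KeInitializeEvent(&nowPar.Event, NotificationEvent, FALSE);

    IoCopyCurrentIrpStackLocationToNext(irp);
    IoSetCompletionRoutine(irp, MyProc, &nowPar, TRUE, TRUE, TRUE);
    /* The return value is superseded by irp->IoStatus.Status below. */
    (VOID)IoCallDriver(lp->LowerDev, irp);

    /* MyProc always runs (InvokeOnSuccess/Error/Cancel are all TRUE) and returns
     * STATUS_MORE_PROCESSING_REQUIRED, so waiting unconditionally is safe even
     * when the lower driver completed the IRP synchronously. */
    KeWaitForSingleObject(&nowPar.Event, Executive, KernelMode, FALSE, NULL);

    status = irp->IoStatus.Status;
    if (NT_SUCCESS(status)) {
        RecordVolumeLetter(lp);
    }
    IoCompleteRequest(irp, IO_NO_INCREMENT);
    return status;
}

/* IRP_MJ_PNP: forward everything, but on IRP_MN_REMOVE_DEVICE detach and delete
 * the filter device after the lower driver has seen the IRP. The original routed
 * PnP through Dispatch, so the filter device object was never torn down.
 * NOTE(review): outstanding I/O is not tracked; a production filter also needs an
 * IO_REMOVE_LOCK around its dispatch paths before detaching. */
NTSTATUS DispatchPnp(PDEVICE_OBJECT Device, PIRP irp)
{
    PDevExt lp = (PDevExt)Device->DeviceExtension;
    PIO_STACK_LOCATION irpsp = IoGetCurrentIrpStackLocation(irp);
    NTSTATUS status;

    if (irpsp->MinorFunction != IRP_MN_REMOVE_DEVICE) {
        return Dispatch(Device, irp);
    }

    IoSkipCurrentIrpStackLocation(irp);
    status = IoCallDriver(lp->LowerDev, irp);

    if (DesDev == Device) {
        DesDev = NULL;
    }
    IoDetachDevice(lp->LowerDev);
    IoDeleteDevice(lp->FltDev);
    return status;
}

/* AddDevice: create a filter device and attach it above the volume's PDO.
 * Failure paths are unwound inline; the original's ERROUT block wrote
 * lp->FltDev = NULL after IoDeleteDevice(FltDev), i.e. into an extension that
 * had already been handed back to the I/O manager. */
NTSTATUS DispatchAdd(PDRIVER_OBJECT Driver, PDEVICE_OBJECT Device)
{
    NTSTATUS status;
    PDevExt lp = NULL;
    PDEVICE_OBJECT FltDev = NULL;
    PDEVICE_OBJECT LowerDev = NULL;

    status = IoCreateDevice(Driver, sizeof(DevExt), NULL, FILE_DEVICE_DISK,
                            FILE_DEVICE_SECURE_OPEN, FALSE, &FltDev);
    if (!NT_SUCCESS(status)) {
        return status;
    }

    /* Start from a clean extension. */
    lp = (PDevExt)FltDev->DeviceExtension;
    RtlZeroMemory(lp, sizeof(DevExt));

    LowerDev = IoAttachDeviceToDeviceStack(FltDev, Device);
    if (LowerDev == NULL) {
        IoDeleteDevice(FltDev);
        return STATUS_NO_SUCH_DEVICE;
    }

    lp->FltDev = FltDev;
    lp->LowerDev = LowerDev;
    lp->PhyDev = Device;

    /* Inherit the lower device's flags (as the original did), then clear
     * DO_DEVICE_INITIALIZING last so no IRP sees a half-initialised extension. */
    FltDev->Flags |= LowerDev->Flags;
    FltDev->Flags &= ~DO_DEVICE_INITIALIZING;
    return STATUS_SUCCESS;
}

/* Install the dispatch table. Only IRP_MJ_WRITE is filtered (reads pass
 * through), as in the original. No DriverUnload is registered, so the driver
 * stays resident once loaded — also unchanged from the original. */
NTSTATUS DriverEntry(PDRIVER_OBJECT DriverObject, PUNICODE_STRING RegistryPath)
{
    ULONG i;

    UNREFERENCED_PARAMETER(RegistryPath);

    for (i = 0; i <= IRP_MJ_MAXIMUM_FUNCTION; i++) {
        DriverObject->MajorFunction[i] = Dispatch;
    }
    DriverObject->MajorFunction[IRP_MJ_POWER] = DispatchPower;
    DriverObject->MajorFunction[IRP_MJ_WRITE] = DispatchReadWrite;
    DriverObject->MajorFunction[IRP_MJ_DEVICE_CONTROL] = DispatchCtrl;
    DriverObject->MajorFunction[IRP_MJ_PNP] = DispatchPnp;
    DriverObject->DriverExtension->AddDevice = DispatchAdd;
    return STATUS_SUCCESS;
}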
之前调试出现过 'C' 'E',应该没什么大的问题
调试信息是:
DEFAULT_BUCKET_ID: DRIVER_FAULT
BUGCHECK_STR: 0x7B
PROCESS_NAME: System
LAST_CONTROL_TRANSFER: from 804f8b9d to 80528bdc
STACK_TEXT:
f8ac1090 804f8b9d 00000003 f8ac13ec 00000000 nt!RtlpBreakWithStatusInstruction
f8ac10dc 804f978a 00000003 00000000 80087000 nt!KiBugCheckDebugBreak+0x19
f8ac14bc 804f9cb5 0000007b f8ac1528 c000000e nt!KeBugCheck2+0x574
f8ac14dc 80687ce9 0000007b f8ac1528 c000000e nt!KeBugCheckEx+0x1b
f8ac1644 8068be0a 80087000 00000000 80087000 nt!IopMarkBootPartition+0xf5
f8ac1694 80688b48 80087000 f8ac16b0 00043000 nt!IopInitializeBootDrivers+0x4ba
f8ac183c 80686fdd 80087000 00000000 821b95b8 nt!IoInitSystem+0x712
f8ac1dac 805c7160 80087000 00000000 00000000 nt!Phase1Initialization+0x9b5
f8ac1ddc 80542dd2 80686628 80087000 00000000 nt!PspSystemThreadStartup+0x34
00000000 00000000 00000000 00000000 00000000 nt!KiThreadStartup+0x16
STACK_COMMAND: kb
FOLLOWUP_IP:
nt!IopMarkBootPartition+f5
80687ce9 8d85e0feffff lea eax,[ebp-120h]
SYMBOL_STACK_INDEX: 4
SYMBOL_NAME: nt!IopMarkBootPartition+f5
FOLLOWUP_NAME: MachineOwner
MODULE_NAME: nt
IMAGE_NAME: ntkrnlpa.exe
DEBUG_FLR_IMAGE_TIMESTAMP: 4802516a
FAILURE_BUCKET_ID: 0x7B_nt!IopMarkBootPartition+f5
BUCKET_ID: 0x7B_nt!IopMarkBootPartition+f5
Followup: MachineOwner
如果过滤设备附加到了系统分区(启动卷),那么系统在启动阶段就会读写该分区。这种情况下,你把所有的Read/Write都拒绝了,系统会出于安全考虑产生Bugcheck(即上面的0x7B,IopMarkBootPartition处),不再继续。