Right below the FLTP_FRAME in the hierarchy of filter manager objects is the FLT_VOLUME. It is a structure that describes the attachment of the FLTP_FRAME to a volume:
So, as you can see, each frame is pretty much a list of volumes. These volumes are in fact DEVICE_OBJECTs with which FltMgr attaches to each IO stack in the system. So let’s see what they look like in the debugger:
0: kd> !fltkd.volumesVolume List: fffff98001218bf0 "Frame 0"FLT_VOLUME: fffff980012f6810 "\Device\Mup"FLT_INSTANCE: fffff9800133abb0 "FileInfo" "45000"FLT_VOLUME: fffff980016b6800 "\Device\HarddiskVolume1"FLT_INSTANCE: fffff9800822c4c0 "luafv" "135000"FLT_INSTANCE: fffff980017c6bb0 "FileInfo" "45000"FLT_VOLUME: fffff980045ec800 "\Device\HarddiskVolume2"FLT_INSTANCE: fffff9800450cbb0 "FileInfo" "45000"FLT_VOLUME: fffff980064d2820 "\Device\CdRom0"FLT_INSTANCE: fffff98006514bb0 "FileInfo" "45000"
Let’s look in more detail at the volume for \Device\HarddiskVolume1:
0: kd> !fltkd.volume fffff980016b6800FLT_VOLUME: fffff980016b6800 "\Device\HarddiskVolume1"FLT_OBJECT: fffff980016b6800 [04000000] VolumeRundownRef : 0x000000000000008c (70)PointerCount : 0x00000001PrimaryLink : [fffff98003ce6810-fffff980012f6820]Frame : fffff98001218ac0 "Frame 0"Flags : [00000064] SetupNotifyCalled EnableNameCaching FilterAttachedFileSystemType : [00000002] FLT_FSTYPE_NTFSVolumeLink : [fffff98003ce6810-fffff980012f6820]DeviceObject : fffffa8003678690DiskDeviceObject : fffffa80036015f0FrameZeroVolume : fffff980016b6800VolumeInNextFrame : 0000000000000000Guid : ""CDODeviceName : "\Ntfs"CDODriverName : "\FileSystem\Ntfs"TargetedOpenCount : 67Callbacks : (fffff980016b6910)ContextLock : (fffff980016b6cf8)VolumeContexts : (fffff980016b6d00) Count=0StreamListCtrls : (fffff980016b6d08) rCount=2378FileListCtrls : (fffff980016b6d88) rCount=0NameCacheCtrl : (fffff980016b6e08)InstanceList : (fffff980016b6890)FLT_INSTANCE: fffff9800822c4c0 "luafv" "135000"FLT_INSTANCE: fffff980017c6bb0 "FileInfo" "45000"
This is somewhat more interesting than a frame. It obviously has a reference to the frame it’s in, but it also has pointers to the DEVICE_OBJECT it’s associated with as well as the DEVICE_OBJECT for the disk, it knows what file system is at the bottom of the stack and it has a bunch of other information we will address later, once we’re done going through all the concepts.
That last thing I’d like to show you is how to get to the FLT_VOLUME structure from one of FltMgr’s DEVICE_OBJECTs (this comes up quite a lot for some reason):
0: kd> !devstack fffffa8003678690!DevObj !DrvObj !DevExt ObjectName> fffffa8003678690 \FileSystem\FltMgr fffffa80036787e0fffffa800367d030 \FileSystem\Ntfs fffffa800367d1800: kd> dt fffffa80036787e0 fltmgr!_VOLUME_DEVICE_EXTENSION+0x000 Type : _FLT_TYPE+0x008 AttachedToDeviceObject : 0xfffffa80`0367d030 _DEVICE_OBJECT+0x010 Frame : 0xfffff980`01218ac0 _FLTP_FRAME+0x018 VolumeAccessLock : _FAST_MUTEX+0x050 Volume : 0xfffff980`016b6800 _FLT_VOLUME
Please note that FltMgr attaches to CDOs as well as VDOs so not all FltMgr’s devices have a DeviceExtension of type fltmgr!_VOLUME_DEVICE_EXTENSION.
No comments:
Post a Comment