Well, as you have probably guessed, FLT_FILTER is a structure that describes a minifilter. It is a pretty important structure and people usually become familiar with it once they discover that their minifilter is not unloading, which invariably happens at some point during development. In the grand scheme of things the FLT_FILTER is very similar to the DRIVER_OBJECT.
A thing worth mentioning is that a FLT_FILTER is linked into a specific frame based on its default altitude. This might trigger creation of a new frame (in fact loading a new filter is the only thing that can create a new frame).
Here is a picture of how FLT_FILTERs fit in the model:
You can see that a frame can contain one or more filters. It is also possible for a frame to have no filters at all if its minifilters get unloaded, since frames never go away (though I don’t show any empty frames in my picture).
Let’s look at one in the debugger:
1: kd> !fltkd.filter fffff9800696c6a0
FLT_FILTER: fffff9800696c6a0 "luafv" "135000"
   FLT_OBJECT: fffff9800696c6a0 [02000000] Filter
      RundownRef : 0x0000000000000008 (4)
      PointerCount : 0x00000001
      PrimaryLink : [fffff980012e2b50-fffff9800122ab70]
   Frame : fffff9800122aac0 "Frame 0"
   Flags : [00000006] FilteringInitiated NameProvider
   DriverObject : fffffa800407e080
   FilterLink : [fffff980012e2b50-fffff9800122ab70]
   PreVolumeMount : fffff880053a32d8 (no symbol)
   PostVolumeMount : 0000000000000000 (null)
   FilterUnload : 0000000000000000 (null)
   InstanceSetup : fffff88001b5b010 (no symbol)
   InstanceQueryTeardown : 0000000000000000 (null)
   InstanceTeardownStart : 0000000000000000 (null)
   InstanceTeardownComplete : 0000000000000000 (null)
   ActiveOpens : (fffff9800696c838) mCount=1
   Communication Port List : (fffff9800696c888) mCount=0
   Client Port List : (fffff9800696c8d8) mCount=0
   VerifierExtension : fffff98007c8ebc0
   Operations : fffff9800696c9d0
   OldDriverUnload : 0000000000000000 (null)
   SupportedContexts : (fffff9800696c7c0)
      VolumeContexts : (fffff9800696c7c0)
      InstanceContexts : (fffff9800696c7c8)
         ALLOCATE_CONTEXT_NODE: fffff980068dcd80 "luafv" [01] LookasideList (size=856)
      FileContexts : (fffff9800696c7d0)
      StreamContexts : (fffff9800696c7d8)
      StreamHandleContexts : (fffff9800696c7e0)
         ALLOCATE_CONTEXT_NODE: fffff980068dcec0 "luafv" [01] LookasideList (size=24)
      TransactionContext : (fffff9800696c7e8)
   PagedContextNodeList : (fffff9800696c930) mCount=0
   NonPagedContextNodeList : (fffff9800696c980) mCount=1
   InstanceList : (fffff9800696c6f8)
      FLT_INSTANCE: fffff98006ff44c0 "luafv" "135000"
As you can see there are a lot of fields for callbacks and storing contexts and some lists. We’ll go into all those later, when we start exploring the !fltkd extension.
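When triaging the filters in a dump, it helps to turn this output into data. The parser below is an added example, not code from the original post or from fltkd: it separates registered callbacks from null ones and collects context allocation sizes and instances. The names `parse_filter` and `can_unload` and the trimmed `SAMPLE` are assumptions of the example.

```python
import re

# Excerpt of the !fltkd.filter output shown above, trimmed to the lines used here.
SAMPLE = '''\
FLT_FILTER: fffff9800696c6a0 "luafv" "135000"
   FLT_OBJECT: fffff9800696c6a0 [02000000] Filter
      RundownRef : 0x0000000000000008 (4)
   Frame : fffff9800122aac0 "Frame 0"
   PreVolumeMount : fffff880053a32d8 (no symbol)
   FilterUnload : 0000000000000000 (null)
   InstanceSetup : fffff88001b5b010 (no symbol)
   InstanceQueryTeardown : 0000000000000000 (null)
         ALLOCATE_CONTEXT_NODE: fffff980068dcd80 "luafv" [01] LookasideList (size=856)
         ALLOCATE_CONTEXT_NODE: fffff980068dcec0 "luafv" [01] LookasideList (size=24)
      FLT_INSTANCE: fffff98006ff44c0 "luafv" "135000"
'''

HEADER = re.compile(r'^FLT_FILTER:\s+([0-9a-f]+)\s+"([^"]*)"\s+"([^"]*)"')
FIELD = re.compile(r'^\s*([A-Za-z ]+?)\s*:\s+(.*)$')
CALLBACK = re.compile(r'^([0-9a-f]{16})\s+\((.*)\)$')  # "<address> (<symbol>)"
CTX_NODE = re.compile(r'ALLOCATE_CONTEXT_NODE:\s+([0-9a-f]+)\s+"[^"]*".*\(size=(\d+)\)')
INSTANCE = re.compile(r'FLT_INSTANCE:\s+([0-9a-f]+)\s+"[^"]*"\s+"([^"]*)"')

def parse_filter(text):
    """Parse one !fltkd.filter dump into callbacks, contexts, instances, fields."""
    info = {"callbacks": {}, "null_callbacks": [], "context_sizes": [],
            "instances": [], "fields": {}}
    for line in text.splitlines():
        if m := HEADER.match(line):
            info.update(address=m[1], name=m[2], altitude=int(m[3]))
        elif m := CTX_NODE.search(line):
            info["context_sizes"].append(int(m[2]))
        elif m := INSTANCE.search(line):
            info["instances"].append((m[1], int(m[2])))
        elif m := FIELD.match(line):
            key, value = m[1], m[2].strip()
            cb = CALLBACK.match(value)
            if cb and int(cb[1], 16) == 0:
                info["null_callbacks"].append(key)       # callback not registered
            elif cb:
                info["callbacks"][key] = int(cb[1], 16)  # callback address
            else:
                info["fields"][key] = value              # links, flags, lists
    return info

def can_unload(info):
    # A minifilter registered without a FilterUnload callback cannot be unloaded.
    return "FilterUnload" in info["callbacks"]
```

For the luafv dump above, `can_unload` returns False because FilterUnload is null.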