minifilter----volume

Right below the FLTP_FRAME in the hierarchy of filter manager objects is the FLT_VOLUME. It is a structure that describes the attachment of the FLTP_FRAME to a volume:

So, as you can see, each frame is pretty much a list of volumes. These volumes are in fact DEVICE_OBJECTs with which FltMgr attaches to each IO stack in the system. So let’s see what they look like in the debugger:

 
  
0: kd> !fltkd.volumes
 
  
Volume List: fffff98001218bf0 "Frame 0"
   FLT_VOLUME: fffff980012f6810 "\Device\Mup"
      FLT_INSTANCE: fffff9800133abb0 "FileInfo" "45000"
   FLT_VOLUME: fffff980016b6800 "\Device\HarddiskVolume1"
      FLT_INSTANCE: fffff9800822c4c0 "luafv" "135000"
      FLT_INSTANCE: fffff980017c6bb0 "FileInfo" "45000"
   FLT_VOLUME: fffff980045ec800 "\Device\HarddiskVolume2"
      FLT_INSTANCE: fffff9800450cbb0 "FileInfo" "45000"
   FLT_VOLUME: fffff980064d2820 "\Device\CdRom0"
      FLT_INSTANCE: fffff98006514bb0 "FileInfo" "45000"

Let’s look in more detail at the volume for \Device\HarddiskVolume1:

 
  
0: kd> !fltkd.volume fffff980016b6800
 
  
FLT_VOLUME: fffff980016b6800 "\Device\HarddiskVolume1"
   FLT_OBJECT: fffff980016b6800  [04000000] Volume
      RundownRef               : 0x000000000000008c (70)
      PointerCount             : 0x00000001
      PrimaryLink              : [fffff98003ce6810-fffff980012f6820]
   Frame                    : fffff98001218ac0 "Frame 0"
   Flags                    : [00000064] SetupNotifyCalled EnableNameCaching FilterAttached
   FileSystemType           : [00000002] FLT_FSTYPE_NTFS
   VolumeLink               : [fffff98003ce6810-fffff980012f6820]
   DeviceObject             : fffffa8003678690
   DiskDeviceObject         : fffffa80036015f0
   FrameZeroVolume          : fffff980016b6800
   VolumeInNextFrame        : 0000000000000000
   Guid                     : ""
   CDODeviceName            : "\Ntfs"
   CDODriverName            : "\FileSystem\Ntfs"
   TargetedOpenCount        : 67
   Callbacks                : (fffff980016b6910)
   ContextLock              : (fffff980016b6cf8)
   VolumeContexts           : (fffff980016b6d00)  Count=0
   StreamListCtrls          : (fffff980016b6d08)  rCount=2378
   FileListCtrls            : (fffff980016b6d88)  rCount=0
   NameCacheCtrl            : (fffff980016b6e08)
   InstanceList             : (fffff980016b6890)
      FLT_INSTANCE: fffff9800822c4c0 "luafv" "135000"
      FLT_INSTANCE: fffff980017c6bb0 "FileInfo" "45000"

This is somewhat more interesting than a frame. It obviously has a reference to the frame it’s in, but it also has pointers to the DEVICE_OBJECT it’s associated with as well as the DEVICE_OBJECT for the disk, it knows what file system is at the bottom of the stack and it has a bunch of other information we will address later, once we’re done going through all the concepts. 

That last thing I’d like to show you is how to get to the FLT_VOLUME structure from one of FltMgr’s DEVICE_OBJECTs (this comes up quite a lot for some reason):

 
  
0: kd> !devstack fffffa8003678690
  !DevObj   !DrvObj            !DevExt   ObjectName
> fffffa8003678690  \FileSystem\FltMgr fffffa80036787e0
  fffffa800367d030  \FileSystem\Ntfs   fffffa800367d180
0: kd> dt fffffa80036787e0 fltmgr!_VOLUME_DEVICE_EXTENSION
   +0x000 Type             : _FLT_TYPE
   +0x008 AttachedToDeviceObject : 0xfffffa80`0367d030 _DEVICE_OBJECT
   +0x010 Frame            : 0xfffff980`01218ac0 _FLTP_FRAME
   +0x018 VolumeAccessLock : _FAST_MUTEX
   +0x050 Volume           : 0xfffff980`016b6800 _FLT_VOLUME

Please note that FltMgr attaches to CDOs as well as VDOs so not all FltMgr’s devices have a DeviceExtension of type fltmgr!_VOLUME_DEVICE_EXTENSION.

你可能感兴趣的:(minifilter)