Mini Filter 操作消息的分析



• Create ：

1. 在 Create preoperation 的时候， FsContext, FsContext2 ，Vpb, SectionObjectPointer 都是 0
2. 在 Create PostOperation 的时候， FsContext, FsContext2, Vpb, SectionObjectPointer 都被初始化成相应的数值
3. 同一个文件的不同 FILE_OBJECT 中的 FsContext, FsContext2, Vpb, SectionObjectPointer 都相同。
4. 在 Create 操作的时候 PrivateCacheMap 是0， 还没有被赋有效值

• Read：

第一个log：

FileObject is : 86909D18
FileObject->FsContext is : E18F30D0
FileObject->FsContext2 is : E20E2E00
FileObject->Vpb is : 86F2A7F0
FileObject->SectionObjectPointer is : 86A987F4
FileObject->SectionObjectPointer->DataSectionObject is : 86A98B20
FileObject->SectionObjectPointer->ImageSectionObject is : 00000000
FileObject->SectionObjectPointer->SharedCacheMap is : 00000000
FileObject->RelatedFileObject is : 00000000
FileObject->PrivateCacheMap is : 00000000

第二个log：

FileObject is : 86CC17E8
FileObject->FsContext is : E18F30D0
FileObject->FsContext2 is : E1175980
FileObject->Vpb is : 86F2A7F0
FileObject->SectionObjectPointer is : 86A987F4
FileObject->SectionObjectPointer->DataSectionObject is : 86A98B20
FileObject->SectionObjectPointer->ImageSectionObject is : 00000000
FileObject->SectionObjectPointer->SharedCacheMap is : 868C66D0
FileObject->RelatedFileObject is : 00000000
FileObject->PrivateCacheMap is : 00000000

第三个log：

FileObject is : 868529D8
FileObject->FsContext is : E18F30D0
FileObject->FsContext2 is : E18F3228
FileObject->Vpb is : 86F2A7F0
FileObject->SectionObjectPointer is : 86A987F4
FileObject->SectionObjectPointer->DataSectionObject is : 86A98B20
FileObject->SectionObjectPointer->ImageSectionObject is : 00000000
FileObject->SectionObjectPointer->SharedCacheMap is : 868C66D0
FileObject->RelatedFileObject is : 00000000
FileObject->PrivateCacheMap is : 00000000