minifilter----volume

This post looks at the role of the FLT_VOLUME structure on Windows, explaining where it sits in filter manager's object hierarchy and how it relates to frames, device objects and the other components. Using concrete debugger output, it shows how an FLT_VOLUME describes the attachment of a frame to a volume, and how to get to that structure from a device object.

Right below the FLTP_FRAME in the hierarchy of filter manager objects is the FLT_VOLUME. It is a structure that describes the attachment of the FLTP_FRAME to a volume:

[Figure: Volumes, showing a frame's list of FLT_VOLUMEs]

So, as you can see, each frame is pretty much a list of volumes. These volumes are in fact DEVICE_OBJECTs with which FltMgr attaches to each IO stack in the system. So let’s see what they look like in the debugger:

0: kd> !fltkd.volumes
Volume List: fffff98001218bf0 "Frame 0"
   FLT_VOLUME: fffff980012f6810 "\Device\Mup"
      FLT_INSTANCE: fffff9800133abb0 "FileInfo" "45000"
   FLT_VOLUME: fffff980016b6800 "\Device\HarddiskVolume1"
      FLT_INSTANCE: fffff9800822c4c0 "luafv" "135000"
      FLT_INSTANCE: fffff980017c6bb0 "FileInfo" "45000"
   FLT_VOLUME: fffff980045ec800 "\Device\HarddiskVolume2"
      FLT_INSTANCE: fffff9800450cbb0 "FileInfo" "45000"
   FLT_VOLUME: fffff980064d2820 "\Device\CdRom0"
      FLT_INSTANCE: fffff98006514bb0 "FileInfo" "45000"

Let’s look in more detail at the volume for \Device\HarddiskVolume1:

0: kd> !fltkd.volume fffff980016b6800
FLT_VOLUME: fffff980016b6800 "\Device\HarddiskVolume1"
   FLT_OBJECT: fffff980016b6800  [04000000] Volume
      RundownRef               : 0x000000000000008c (70)
      PointerCount             : 0x00000001
      PrimaryLink              : [fffff98003ce6810-fffff980012f6820]
   Frame                    : fffff98001218ac0 "Frame 0"
   Flags                    : [00000064] SetupNotifyCalled EnableNameCaching FilterAttached
   FileSystemType           : [00000002] FLT_FSTYPE_NTFS
   VolumeLink               : [fffff98003ce6810-fffff980012f6820]
   DeviceObject             : fffffa8003678690
   DiskDeviceObject         : fffffa80036015f0
   FrameZeroVolume          : fffff980016b6800
   VolumeInNextFrame        : 0000000000000000
   Guid                     : ""
   CDODeviceName            : "\Ntfs"
   CDODriverName            : "\FileSystem\Ntfs"
   TargetedOpenCount        : 67
   Callbacks                : (fffff980016b6910)
   ContextLock              : (fffff980016b6cf8)
   VolumeContexts           : (fffff980016b6d00)  Count=0
   StreamListCtrls          : (fffff980016b6d08)  rCount=2378
   FileListCtrls            : (fffff980016b6d88)  rCount=0
   NameCacheCtrl            : (fffff980016b6e08)
   InstanceList             : (fffff980016b6890)
      FLT_INSTANCE: fffff9800822c4c0 "luafv" "135000"
      FLT_INSTANCE: fffff980017c6bb0 "FileInfo" "45000"

This is somewhat more interesting than a frame. It obviously has a reference to the frame it belongs to, but it also has pointers to the DEVICE_OBJECT it is associated with and to the DEVICE_OBJECT for the disk, it knows which file system sits at the bottom of the stack, and it carries a bunch of other information that we will address later, once we're done going through all the concepts.

The last thing I'd like to show you is how to get to the FLT_VOLUME structure from one of FltMgr's DEVICE_OBJECTs (this comes up quite a lot for some reason):

0: kd> !devstack fffffa8003678690
  !DevObj   !DrvObj            !DevExt   ObjectName
> fffffa8003678690  \FileSystem\FltMgr fffffa80036787e0
  fffffa800367d030  \FileSystem\Ntfs   fffffa800367d180
0: kd> dt fffffa80036787e0 fltmgr!_VOLUME_DEVICE_EXTENSION
   +0x000 Type             : _FLT_TYPE
   +0x008 AttachedToDeviceObject : 0xfffffa80`0367d030 _DEVICE_OBJECT
   +0x010 Frame            : 0xfffff980`01218ac0 _FLTP_FRAME
   +0x018 VolumeAccessLock : _FAST_MUTEX
   +0x050 Volume           : 0xfffff980`016b6800 _FLT_VOLUME

Please note that FltMgr attaches to CDOs as well as VDOs, so not all of FltMgr's devices have a DeviceExtension of type fltmgr!_VOLUME_DEVICE_EXTENSION.
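The same walk as above, written as a reusable WinDbg script that is added here and is not part of the original post: it takes any FltMgr DEVICE_OBJECT address, reads the extension, and only hands the Volume pointer to !fltkd.volume if the extension's Frame agrees with the FLT_VOLUME's own Frame field (a cheap guard against the CDO case noted above). The script name is hypothetical; it assumes nt and fltmgr symbols and the fltkd extension are loaded.

```windbg
$$ Added example (not from the original post).
$$ Run as:  $$>a< flt_volume_from_devobj.wds <FltMgr DEVICE_OBJECT address>
$$ Assumes nt/fltmgr symbols and the fltkd extension are loaded.
r $t0 = ${$arg1}

$$ Every DEVICE_OBJECT carries a DeviceExtension pointer; for FltMgr's
$$ volume devices it points at a fltmgr!_VOLUME_DEVICE_EXTENSION.
r $t1 = @@c++(((nt!_DEVICE_OBJECT *)@$t0)->DeviceExtension)
r $t4 = @@c++(((nt!_DEVICE_OBJECT *)@$t0)->DriverObject)
.printf "DEVICE_OBJECT %p  DeviceExtension %p\n", @$t0, @$t1

$$ Show the owning driver: the extension layout below only applies to FltMgr.
dt nt!_DRIVER_OBJECT @$t4 DriverName

$$ Interpret the extension as a volume extension and pull out Frame and Volume.
dt fltmgr!_VOLUME_DEVICE_EXTENSION @$t1
r $t2 = @@c++(((fltmgr!_VOLUME_DEVICE_EXTENSION *)@$t1)->Volume)
r $t3 = @@c++(((fltmgr!_VOLUME_DEVICE_EXTENSION *)@$t1)->Frame)

$$ FltMgr also attaches to CDOs, whose extension is a different type. A real
$$ volume extension's Frame matches the Frame stored in the FLT_VOLUME itself
$$ (compare the two Frame lines in the post's output), so check before trusting it.
.if (@$t2 == 0 or @$t3 != @@c++(((fltmgr!_FLT_VOLUME *)@$t2)->Frame)) {
    .printf "Frame mismatch or null Volume: %p is probably not a volume device\n", @$t0
} .else {
    .printf "FLT_VOLUME %p (Frame %p)\n", @$t2, @$t3
    !fltkd.volume @$t2
}
```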
