关于“IRP_MJ_CREATE ” 的Dispatch中判断FileObject是文件还是目录问题

最新推荐文章于 2019-12-12 10:51:01 发布

kaylc

最新推荐文章于 2019-12-12 10:51:01 发布

阅读量1.2k

点赞数

分类专栏：驱动常识文章标签： file attributes object filter system application

驱动常识专栏收录该内容

10 篇文章

订阅专栏

本文详细解释了在滤波驱动程序中如何通过I/O堆栈位置判断一个FILE_OBJECT是否代表文件或目录，强调了在成功创建文件后询问底层文件系统的重要性，特别是对于那些需要区分文件和目录的应用。

摘要生成于 C知道，由 DeepSeek-R1 满血版支持，前往体验 >

当Ring3 CreateFile发起对某个文件对象的请求时，如：C:/Program Files/Microsoft Visual Studio/VC98/LIB/LIBC.lib"。请求进入Ring0，Fs会把该请求生成多个IRP_MJ_CREATE，逐层的打开目录对象，直至到目标文件LIBC.lib，所以在
IRP_MJ_CREATE的Dispatch中的IrpSp->Parameters.Create.Options & FILE_DIRECTORY_FILE可以判断到达目标文件对象前的那些请求，肯定就是目录。

注意：但在IRP_MJ_CREATE的Dispatch中无法使用IrpSp->Parameters.Create.Options & FILE_DIRECTORY_FILE来判断目标文件对象（LIBC.lib）是文件还是目录，得将IRP传递到底层后，在完成例程中判断目标文件对象是文件还是目录。而上述是因为目标文件前的一定是目录，所以可以判断。
待续~

参考：

Osr

Q58 How do I determine if the FILE_OBJECT represents a file or a directory from my filter driver? Can I rely upon the FILE_DIRECTORY_FILE bit?
http://www.osronline.com/article.cfm?article=17#Q58

The determination of whether or not a given FILE_OBJECT represents a directory is the sole domain of the file system driver. Thus, for a file system filter driver to determine if a file is a directory, it must ask the file system. This can be done by querying the attributes of the file (e.g., after it has been successfully opened by the underlying file system) or by examining the attributes within the directory, which can be done before the underlying file has been opened.

Options specified during create are not adequate for determining if a file is, in fact, a directory. For example, an application may optionally specify that the file being opened must be a directory by setting the FILE_DIRECTORY_FILE option as part of create (this is a bit in the I/O Stack location, Parameters.Create.Options, the low 24 bits of which are used for file options). If the file creation is successful, the file system filter driver can conclude that the FILE_OBJECT does represent a directory. If the file creation is successful and the caller did not specify FILE_DIRECTORY_FILE, however, the caller cannot presume that the file is a directory. The FILE_NON_DIRECTORY_FILE bit can similarly be used to determine that the given FILE_OBJECT does not represent a file.

There is one complication for those writing a file system filter driver - they must keep in mind that some file options now combine these two bits. For example FILE_COPY_STRUCTURED_STORAGE (which is not used but is still present in ntifs.h for Windows XP) is defined as FILE_DIRECTORY_FILE and FILE_NON_DIRECTORY_FILE.

Thus, the safest way to determine if a FILE_OBJECT represents a directory remains to ask the underlying file system.