接上篇win10 1909逆向（MiniFilter原理剖析1---FltMgr的初始化）

status = FltRegisterFilter( DriverObject, &FilterRegistration,&gFilterHandle );

FLT_REGISTRATION-----------------------微过滤器注册结构（用户自已填写）

FLT_FILTER----------------------------------微过滤器对象结构（在注册阶段，由系统根据FLT_REGISTRATION结构填写）

// Filter管理器还没有初始化就调用注册函数。需要确保 filter管理器已经作为一个驱动启动了

 if ( !(GLOBALS->Gflags & 1) )                           // dt _FLTMGR!_GLOBALS 微过滤器的全局结构

   return STATUS_FLT_NOT_INITIALIZED;  

FltMgr管理器的全局结构，后续会多次用到。

// 判断版本号，次版本号可以忽略，但主版本号必须正确

if ((Registration->Version & 0xFF00) != FLT_MAJOR_VERSION)

{

return STATUS_INVALID_PARAMETER;

}

//判断命名回调组合

if ((!Registration->GenerateFileNameCallback && Registration->NormalizeNameComponentCallback) ||

(!Registration->NormalizeNameComponentCallback && Registration->NormalizeContextCleanupCallback))

{

return STATUS_INVALID_PARAMETER;

}

//得到回调函数集合地址

Callbacks = (PFLT_OPERATION_REGISTRATION)Registration->OperationRegistration;

//计算当前回调函数集合有几个回调

while (Callbacks)

{

Count++;

if (Callbacks->MajorFunction == IRP_MJ_OPERATION_END)

break;

Callbacks++;

}

//计算过滤器缓存结构大小

CallbackBufferSize = Count * sizeof(FLT_OPERATION_REGISTRATION);

FilterBufferSize = sizeof(FLT_FILTER) +

CallbackBufferSize +

DriverObject->DriverExtension->ServiceKeyName.Length;

//分配一个块空间来保存我们的过滤器缓存结构

Filter = ExAllocatePoolWithTag(NonPagedPoolNx,FilterBufferSize,FM_TAG_FILTER);

if (Filter == NULL) return STATUS_INSUFFICIENT_RESOURCES;

RtlZeroMemory(Filter, FilterBufferSize);

//设置回调地址，将注册结构的回调地址复制到Filter对象里

Filter->FilterUnload = Registration->FilterUnloadCallback;

Filter->InstanceSetup = Registration->InstanceSetupCallback;

Filter->InstanceQueryTeardown = Registration->InstanceQueryTeardownCallback;

Filter->InstanceTeardownStart = Registration->InstanceTeardownStartCallback;

Filter->InstanceTeardownComplete = Registration->InstanceTeardownCompleteCallback;

Filter->GenerateFileName = Registration->GenerateFileNameCallback;

Filter->NormalizeNameComponent = Registration->NormalizeNameComponentCallback;

Filter->NormalizeContextCleanup = Registration->NormalizeContextCleanupCallback;

UINT64 Version=Registration->Version;

if ( Version>= 0x201 )  //Vista Beta 2以上

   {

     Filter->KtmNotification= Registration->TransactionNotificationCallback;

     Version = Registration->Version;

   }

if ( Version>= 0x202 )  //Vista RTM以上

   {

    Filter->NormalizeNameComponentEx= Registration->NormalizeNameComponentExCallback;

     Version = Registration->Version;

   }

if ( Version>= 0x203 )  //Win 8以上

   {

    Filter->SectionNotification= Registration->SectionNotificationCallback;

    if(Registration->Flags & FLTFL_REGISTRATION_SUPPORT_NPFS_MSFS)   //如果已设置，则此筛选器可识别命名管道和邮件槽筛选

       {

                 Filter->Flags | = FLTFL_SUPPORTS_PIPES_MAILSLOTS;  

       }

   }

if(Registration->Flags & FLTFL_REGISTRATION_SUPPORT_DAX_VOLUME)  //如果已设置，则此筛选器将识别DAX卷，即支持直接在永久内存

  {                                                                                                                           //设备上映射文件的卷。对于这样的卷，缓存和内存映射到用户

         Filter->Flags | = FLTFL_SUPPORTS_DAX_VOLUME;                               //文件的IO不会生成分页IO。

  }

//Ptr是FilterBuffer结构的一部分，里面会存放Flt_Registration里的OperationRegistration的数据，然后将ptr的地址放进_FLT_FILTER->Operation

Ptr = (PCHAR)(Filter + 1);

Filter->Base.Flags = FLT_OBFL_TYPE_FILTER;   //设置类型

Filter->Base.PointerCount = 1;  //引向次数+1

ExInitializeRundownProtection(&Filter->Base.RundownRef); //初始化停止运行保护机制

//初始化

Filter->Base.PrimaryLink=0;

Filter->UniqueIdentifier.Data1=0;

Filter->UniqueIdentifier.Data2=0;

Filter->UniqueIdentifier.Data3=0;

Filter->UniqueIdentifier.Data4=0;

FltObjectReference(&Filter->Base);  //锁住保护Filter

Filter->DriverObject = DriverObject;

//初始化各个链表

ExInitializeResourceLite(&Filter->InstanceList.rLock);

InitializeListHead(&Filter->InstanceList.rList);

Filter->InstanceList.rCount = 0;

ExInitializeFastMutex(&Filter->ActiveOpens.mLock);

InitializeListHead(&Filter->ActiveOpens.mList);

Filter->ActiveOpens.mCount = 0;

ExInitializeFastMutex(&Filter->ConnectionList.mLock);

InitializeListHead(&Filter->ConnectionList.mList);

[培训]内核驱动高级班，冲击BAT一流互联网大厂工作，每周日13:00-18:00直播授课