[FLTMGR] Add a bit more basic code layout for filter registration

Needs implementing
2024-12-28 10:04:49 +00:00 · 2018-10-29 17:03:11 +00:00 · 2018-10-29 17:03:11 +00:00 · fa46f362ea
commit fa46f362ea
parent 97066b792c
2 changed files with 81 additions and 13 deletions
--- a/drivers/filters/fltmgr/Filter.c
+++ b/drivers/filters/fltmgr/Filter.c
@ -21,6 +21,9 @@
 #define SERVICES_KEY L"\\Registry\\Machine\\System\\CurrentControlSet\\Services\\"
 #define MAX_KEY_LENGTH  0x200

+LIST_ENTRY FilterList;
+ERESOURCE FilterListLock;
+
 NTSTATUS
 FltpStartingToDrainObject(
    _Inout_ PFLT_OBJECT Object
@ -30,6 +33,12 @@ VOID
 FltpMiniFilterDriverUnload(
 );

+NTSTATUS
+FltpAttachFrame(
+    _In_ PUNICODE_STRING Altitude,
+    _Inout_ PFLTP_FRAME *Frame
+);
+
 static
 NTSTATUS
 GetFilterAltitude(
@ -37,6 +46,14 @@ GetFilterAltitude(
    _Inout_ PUNICODE_STRING AltitudeString
 );

+static
+NTSTATUS
+GetFilterFrame(
+    _In_ PFLT_FILTER Filter,
+    _In_ PUNICODE_STRING Altitude,
+    _Out_ PFLTP_FRAME *Frame
+);
+

 /* EXPORTED FUNCTIONS ******************************************************/

@ -98,6 +115,7 @@ FltRegisterFilter(_In_ PDRIVER_OBJECT DriverObject,
 {
    PFLT_OPERATION_REGISTRATION Callbacks;
    PFLT_FILTER Filter;
+    PFLTP_FRAME Frame;
    ULONG CallbackBufferSize;
    ULONG FilterBufferSize;
    ULONG Count = 0;
@ -235,12 +253,28 @@ FltRegisterFilter(_In_ PDRIVER_OBJECT DriverObject,
    Filter->Name.Buffer = (PWCH)Ptr;
    RtlCopyUnicodeString(&Filter->Name, &DriverObject->DriverExtension->ServiceKeyName);

+    /* Lookup the altitude of the mini-filter */
    Status = GetFilterAltitude(Filter, &Filter->DefaultAltitude);
    if (!NT_SUCCESS(Status))
    {
        goto Quit;
    }

+    /* Lookup the filter frame */
+    Status = GetFilterFrame(Filter, &Filter->DefaultAltitude, &Frame);
+    if (Status == STATUS_NOT_FOUND)
+    {
+        /* Store the frame this mini-filter's main struct */
+        Filter->Frame = Frame;
+
+        Status = FltpAttachFrame(&Filter->DefaultAltitude, &Frame);
+    }
+
+    if (!NT_SUCCESS(Status))
+    {
+        goto Quit;
+    }
+
    //
    // - Slot the filter into the correct altitude location
    // - More stuff??
@ -364,6 +398,17 @@ FltStartFiltering(_In_ PFLT_FILTER Filter)
    return Status;
 }

+NTSTATUS
+NTAPI
+FltGetFilterFromName(_In_ PCUNICODE_STRING FilterName,
+                     _Out_ PFLT_FILTER *RetFilter)
+{
+   UNIMPLEMENTED;
+    UNREFERENCED_PARAMETER(FilterName);
+    *RetFilter = NULL;
+    return STATUS_NOT_IMPLEMENTED;
+}
+

 /* INTERNAL FUNCTIONS ******************************************************/

@ -389,13 +434,24 @@ FltpMiniFilterDriverUnload()
    __debugbreak();
 }

+
+NTSTATUS
+FltpAttachFrame(
+    _In_ PUNICODE_STRING Altitude,
+    _Inout_ PFLTP_FRAME *Frame)
+{
+    UNIMPLEMENTED;
+    UNREFERENCED_PARAMETER(Altitude);
+    *Frame = NULL;
+    return STATUS_SUCCESS;
+}
+
 /* PRIVATE FUNCTIONS ******************************************************/

 static
 NTSTATUS
-GetFilterAltitude(
-    _In_ PFLT_FILTER Filter,
-    _Inout_ PUNICODE_STRING AltitudeString)
+GetFilterAltitude(_In_ PFLT_FILTER Filter,
+                  _Inout_ PUNICODE_STRING AltitudeString)
 {
    UNICODE_STRING InstancesKey = RTL_CONSTANT_STRING(L"Instances");
    UNICODE_STRING DefaultInstance = RTL_CONSTANT_STRING(L"DefaultInstance");
@ -523,14 +579,21 @@ Quit:
    return Status;
 }

-
-
+static
 NTSTATUS
-FltpReadRegistryValue(
-    _In_ HANDLE KeyHandle,
-    _In_ PUNICODE_STRING ValueName,
-    _In_opt_ ULONG Type,
-    _Out_writes_bytes_(BufferSize) PVOID Buffer,
-    _In_ ULONG BufferSize,
-    _Out_opt_ PULONG BytesRequired
-);
+GetFilterFrame(_In_ PFLT_FILTER Filter,
+               _In_ PUNICODE_STRING Altitude,
+               _Out_ PFLTP_FRAME *Frame)
+{
+    UNIMPLEMENTED;
+    UNREFERENCED_PARAMETER(Filter);
+    UNREFERENCED_PARAMETER(Altitude);
+
+    //
+    // Try to find a frame from our existing filter list (see FilterList)
+    // If none exists, create a new frame, add it and return it
+    //
+
+    *Frame = NULL;
+    return STATUS_SUCCESS;
+}
--- a/drivers/filters/fltmgr/Interface.c
+++ b/drivers/filters/fltmgr/Interface.c
@ -29,6 +29,8 @@
      ((_devObj)->DeviceExtension != NULL))

 extern PDEVICE_OBJECT CommsDeviceObject;
+extern LIST_ENTRY FilterList;
+extern ERESOURCE FilterListLock;


 DRIVER_INITIALIZE DriverEntry;
@ -2129,6 +2131,9 @@ DriverEntry(_In_ PDRIVER_OBJECT DriverObject,
    FLT_ASSERT(Status != STATUS_DEVICE_ALREADY_ATTACHED); // Windows checks for this, I'm not sure how it can happen. Needs investigation??
    if (!NT_SUCCESS(Status))  goto Cleanup;

+    InitializeListHead(&FilterList);
+    ExInitializeResourceLite(&FilterListLock);
+
    /* IoRegisterFsRegistrationChange isn't notified about the raw  file systems, so we attach to them manually */
    RtlInitUnicodeString(&ObjectName, L"\\Device\\RawDisk");
    Status = IoGetDeviceObjectPointer(&ObjectName,