 #15578  by p30arena
 Fri Sep 07, 2012 12:21 pm
hi again
the problem is, minifilter never calls "InstanceSetupCallback"

CODE :
#include <fltKernel.h>
#include <dontuse.h>
#include <suppress.h>

#pragma prefast(disable:__WARNING_ENCODE_MEMBER_FUNCTION_POINTER, "Not valid for kernel mode drivers")

/*
 * Hand-reconstructed layout of Filter Manager's FLT_VOLUME object.
 * fltKernel.h presumably only forward-declares this tag (PFLT_VOLUME is
 * an opaque handle), so defining it here is what lets
 * FltObjects->Volume->Base compile further down.
 *
 * Nothing about this layout is a contract: the field offsets in the
 * trailing comments (+0x0000 ...) were taken from one specific OS build,
 * and each comment also carries a 4-byte value after the offset whose
 * meaning is not recorded here. Reading through this struct from a
 * driver is fragile across versions -- TODO confirm against the target
 * build's symbols before relying on any member.
 *
 * Most members are raw byte arrays sized to the offset deltas, not typed
 * fields. In particular nothing guarantees a NUL byte inside Base (20
 * bytes), so it must never be handed to a "%s" conversion.
 */
struct _FLT_VOLUME {
	unsigned char Base[20]; /*  +0x0000 a5 12 00 00  */
	unsigned char Flags[4]; /*  +0x0014 a7 12 00 00  */
	unsigned char FileSystemType[4]; /*  +0x0018 a9 12 00 00  */
	unsigned char DeviceObject[4]; /*  +0x001c ae 10 00 00  */
	unsigned char DiskDeviceObject[4]; /*  +0x0020 ae 10 00 00  */
	unsigned char FrameZeroVolume[4]; /*  +0x0024 43 12 00 00  */
	unsigned char VolumeInNextFrame[4]; /*  +0x0028 43 12 00 00  */
	unsigned char Frame[4]; /*  +0x002c ab 12 00 00  */
	unsigned char DeviceName[8]; /*  +0x0030 2e 10 00 00  */
	unsigned char GuidName[8]; /*  +0x0038 2e 10 00 00  */
	unsigned char CDODeviceName[8]; /*  +0x0040 2e 10 00 00  */
	unsigned char CDODriverName[8]; /*  +0x0048 2e 10 00 00  */
	unsigned char InstanceList[68]; /*  +0x0050 33 12 00 00  */
	unsigned char Callbacks[600]; /*  +0x0094 ac 12 00 00  */
	unsigned char ContextLock[4]; /*  +0x02ec d3 11 00 00  */
	unsigned char VolumeContexts[4]; /*  +0x02f0 4f 12 00 00  */
	unsigned char StreamListCtrls[68]; /*  +0x02f4 33 12 00 00  */
	unsigned char FileListCtrls[72]; /*  +0x0338 33 12 00 00  */
	unsigned char NameCacheCtrl[152]; /*  +0x0380 ad 12 00 00  */
	unsigned char MountNotifyLock[56]; /*  +0x0418 cc 11 00 00  */
	long  TargetedOpenActiveCount; /*  +0x0450  */
	unsigned char TxVolContextListLock[4]; /*  +0x0454 d3 11 00 00  */
	unsigned char TxVolContexts[4]; /*  +0x0458 08 12 00 00  */
	long  SupportedFeatures; /*  +0x045c  */
};
//---------------------------------------------------------------------------
//      Global variables
//---------------------------------------------------------------------------

#define NULL_FILTER_FILTER_NAME     L"NullFilter"

//
//  Per-driver global state. FilterHandle is the PFLT_FILTER returned by
//  FltRegisterFilter in DriverEntry; FltStartFiltering and
//  FltUnregisterFilter consume it, so it is only meaningful between
//  registration and unload.
//
typedef struct _NULL_FILTER_DATA {
    PFLT_FILTER FilterHandle;   // written by FltRegisterFilter, see DriverEntry
} NULL_FILTER_DATA, *PNULL_FILTER_DATA;

DRIVER_INITIALIZE DriverEntry;
//
//  DriverEntry - registers the filter with FltMgr and starts filtering.
//  Returns the status of FltRegisterFilter / FltStartFiltering; if
//  FltStartFiltering fails the registration is undone before returning.
//
NTSTATUS
DriverEntry (
    __in PDRIVER_OBJECT DriverObject,
    __in PUNICODE_STRING RegistryPath   // unused
    );

//
//  NullUnload - FilterUnload callback; unregisters the filter.
//  Always returns STATUS_SUCCESS.
//
NTSTATUS
NullUnload (
    __in FLT_FILTER_UNLOAD_FLAGS Flags  // unused
    );

//
//  InstanceSetupCallback - FltMgr's InstanceSetup callback, invoked when an
//  instance is about to be attached to a volume. Returning STATUS_SUCCESS
//  accepts the attachment. Whether FltMgr attaches on its own at all is
//  governed by the Instances\...\Flags value the INF writes, not by this
//  routine.
//
NTSTATUS InstanceSetupCallback(
  __in  PCFLT_RELATED_OBJECTS FltObjects,
  __in  FLT_INSTANCE_SETUP_FLAGS Flags,
  __in  DEVICE_TYPE VolumeDeviceType,
  __in  FLT_FILESYSTEM_TYPE VolumeFilesystemType
);

//
//  Structure that contains all the global data structures
//  used throughout NullFilter. The single instance is written by
//  DriverEntry (FltRegisterFilter) and read by NullUnload.
//

NULL_FILTER_DATA NullFilterData;

//
//  Assign text sections for each routine.
//

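//
//  Only routines that exist in this file may be named here. The previous
//  entry for NullQueryTeardown had no declaration anywhere in the file,
//  which MSVC rejects as soon as ALLOC_PRAGMA is defined (the function must
//  be declared before the pragma). InstanceSetupCallback calls PAGED_CODE(),
//  so it belongs in the PAGE section next to NullUnload.
//
#ifdef ALLOC_PRAGMA
#pragma alloc_text(INIT, DriverEntry)
#pragma alloc_text(PAGE, NullUnload)
#pragma alloc_text(PAGE, InstanceSetupCallback)
#endif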


//
//  This defines what we want to filter with FltMgr
//

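//
//  Registration record handed to FltRegisterFilter. No operation callbacks
//  are supplied, so the filter never sees I/O; InstanceSetup is the only
//  place it observes a volume being attached.
//
//  Flags is an integer (FLT_REGISTRATION_FLAGS), so it takes 0 rather than
//  the pointer constant NULL the original initializer used.
//
CONST FLT_REGISTRATION FilterRegistration = {

    sizeof( FLT_REGISTRATION ),         //  Size
    FLT_REGISTRATION_VERSION,           //  Version
    0,                                  //  Flags (integer, not a pointer)
    NULL,                               //  Context
    NULL,                               //  Operation callbacks
    NullUnload,                         //  FilterUnload
    InstanceSetupCallback,              //  InstanceSetup
    NULL,                               //  InstanceQueryTeardown - NULL means FltMgr
                                        //  refuses manual detach (fltmc detach) of an
                                        //  instance; supply a callback if that is wanted
    NULL,                               //  InstanceTeardownStart
    NULL,                               //  InstanceTeardownComplete
    NULL,                               //  GenerateFileName
    NULL,                               //  GenerateDestinationFileName
    NULL                                //  NormalizeNameComponent
};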


/*************************************************************************
    Filter initialization and unload routines.
*************************************************************************/

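//
//  DriverEntry - registers with FltMgr and starts filtering.
//
//  DriverObject - the driver object supplied by the I/O manager.
//  RegistryPath - unused.
//
//  Returns the status of the failing Flt* call, or the success status of
//  FltStartFiltering. On a FltStartFiltering failure the registration is
//  undone so the driver is not left half-initialised.
//
//  The sample-style ASSERT on FltRegisterFilter's result is gone: a failed
//  registration (presumably e.g. a malformed Instances key written by the
//  INF) is a legitimate runtime error, not an invariant violation, and it
//  should be reported rather than break a checked build into the debugger.
//
NTSTATUS
DriverEntry (
    __in PDRIVER_OBJECT DriverObject,
    __in PUNICODE_STRING RegistryPath
    )
{
    NTSTATUS status;

    UNREFERENCED_PARAMETER( RegistryPath );

    //
    //  Register with FltMgr
    //

    status = FltRegisterFilter( DriverObject,
                                &FilterRegistration,
                                &NullFilterData.FilterHandle );

    if (!NT_SUCCESS( status )) {
        DbgPrint("FltRegisterFilter failed: 0x%08X\n", status);
        return status;
    }

    //
    //  Start filtering i/o
    //

    status = FltStartFiltering( NullFilterData.FilterHandle );

    if (!NT_SUCCESS( status )) {
        DbgPrint("FltStartFiltering failed: 0x%08X\n", status);
        FltUnregisterFilter( NullFilterData.FilterHandle );
        // The handle is invalid after unregistering; do not leave it
        // dangling in the global for NullUnload to reuse.
        NullFilterData.FilterHandle = NULL;
        return status;
    }

    // Only announce success; the original printed "Loaded" on every path.
    DbgPrint("Loaded\n");
    return status;
}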

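//
//  NullUnload - FilterUnload callback.
//
//  Flags - unused; the request is honoured unconditionally (a mandatory
//          unload could not be refused anyway).
//
//  Returns STATUS_SUCCESS always.
//
//  Runs at PASSIVE_LEVEL (PAGED_CODE), matching its PAGE section placement.
//
NTSTATUS
NullUnload (
    __in FLT_FILTER_UNLOAD_FLAGS Flags
    )
{
    UNREFERENCED_PARAMETER( Flags );

    PAGED_CODE();

    //
    //  Tear down every instance and drop the registration. The handle is
    //  dead afterwards, so clear it instead of leaving a dangling pointer
    //  in the global.
    //
    FltUnregisterFilter( NullFilterData.FilterHandle );
    NullFilterData.FilterHandle = NULL;
    return STATUS_SUCCESS;
}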

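//
//  InstanceSetupCallback - FltMgr's InstanceSetup callback.
//
//  Called when FltMgr is about to create an instance of this filter on a
//  volume, either automatically or in response to a manual attach
//  (FltAttachVolume / fltmc attach). Returning STATUS_SUCCESS accepts the
//  attachment; every volume is accepted here.
//
//  If this routine never runs, look at the INF rather than the code: with
//  Instance1.Flags = 0x1 ("Suppress automatic attachments") FltMgr creates
//  no instance on its own, so there is nothing to call this for until the
//  filter is attached manually.
//
//  The original body formatted FltObjects->Volume->Base with "%s".
//  PFLT_VOLUME is opaque; the hand-made struct _FLT_VOLUME above only
//  provides a 20-byte raw array at that position with nothing guaranteeing
//  a NUL inside it, so "%s" reads past the end of the array in kernel mode.
//  Only the values FltMgr hands over explicitly are logged now.
//
NTSTATUS InstanceSetupCallback(
  __in  PCFLT_RELATED_OBJECTS FltObjects,
  __in  FLT_INSTANCE_SETUP_FLAGS Flags,
  __in  DEVICE_TYPE VolumeDeviceType,
  __in  FLT_FILESYSTEM_TYPE VolumeFilesystemType
)
{
    PAGED_CODE();

    DbgPrint("InstanceSetupCallback\n");
    // Log the opaque volume pointer with %p and the scalar parameters as
    // numbers; never dereference Volume.
    DbgPrint("Volume=%p Flags=0x%lx DeviceType=%lu FsType=%d\n",
             FltObjects->Volume,
             (unsigned long)Flags,
             (unsigned long)VolumeDeviceType,
             (int)VolumeFilesystemType);

    return STATUS_SUCCESS;
}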
INF File :
;;;
;;; NullFilter
;;;
;;;
;;; Copyright (c) 1999 - 2002, Microsoft Corporation
;;;

[Version]
Signature   = "$Windows NT$"
Class       = "ActivityMonitor"             ;This is determined by the work this filter driver does
ClassGuid   = {b86dff51-a31e-4bac-b3cf-e8cfe75c9fc2}    ;This value is determined by the Class
Provider    = %Msft%
DriverVer   = 06/16/2007,1.0.0.0
CatalogFile = nullfilter.cat


[DestinationDirs]
DefaultDestDir          = 12
NullFilter.DriverFiles  = 12            ;%windir%\system32\drivers

;;
;; Default install sections
;;

[DefaultInstall]
OptionDesc  = %ServiceDescription%
CopyFiles   = NullFilter.DriverFiles

[DefaultInstall.Services]
AddService  = %ServiceName%,,NullFilter.Service

;;
;; Default uninstall sections
;;

[DefaultUninstall]
DelFiles   = NullFilter.DriverFiles

[DefaultUninstall.Services]
DelService = %ServiceName%,0x200      ;Ensure service is stopped before deleting

;
; Services Section
;

[NullFilter.Service]
DisplayName      = %ServiceName%
Description      = %ServiceDescription%
ServiceBinary    = %12%\%DriverName%.sys    ;%windir%\system32\drivers\
Dependencies     = "FltMgr"
ServiceType      = 2                        ;SERVICE_FILE_SYSTEM_DRIVER
StartType        = 3                        ;SERVICE_DEMAND_START
ErrorControl     = 1                        ;SERVICE_ERROR_NORMAL
LoadOrderGroup   = "FSFilter Activity Monitor"
AddReg           = NullFilter.AddRegistry

;
; Registry Modifications
;

[NullFilter.AddRegistry]
HKR,"Instances","DefaultInstance",0x00000000,%DefaultInstance%
HKR,"Instances\"%Instance1.Name%,"Altitude",0x00000000,%Instance1.Altitude%
HKR,"Instances\"%Instance1.Name%,"Flags",0x00010001,%Instance1.Flags%

;
; Copy Files
;

[NullFilter.DriverFiles]
%DriverName%.sys

[SourceDisksFiles]
nullfilter.sys = 1,,

[SourceDisksNames]
1 = %DiskId1%,,,

;;
;; String Section
;;

[Strings]
Msft                    = "Microsoft Corporation"
ServiceDescription      = "NullFilter mini-filter driver"
ServiceName             = "NullFilter"
DriverName              = "NullFilter"
DiskId1                 = "NullFilter Device Installation Disk"

;Instances specific information.
DefaultInstance         = "Null Instance"
Instance1.Name          = "Null Instance"
Instance1.Altitude      = "370020"
Instance1.Flags         = 0x1          ; Suppress automatic attachments: FltMgr will not attach this instance on its own (so InstanceSetup is not called) until the filter is attached manually; 0 means attach automatically


 #15807  by Vrtule
 Sat Sep 29, 2012 4:05 pm
When the Flags member of the instance registry key is set, the minifilter can be attached only manually (FltAttachVolume / FilterAttach, fltmc attach). When Flags is set to zero, FltMgr automatically attaches the minifilter to every volume in the system. This is my experience.