wdk 下的 FltRegisterFilter

来源：互联网发布：春英广场舞服装淘宝网编辑：程序博客网时间：2024/06/11 18:41

NTSTATUS
FltRegisterFilter(
IN PDRIVER_OBJECT Driver,
IN CONST FLT_REGISTRATION *Registration,
OUT PFLT_FILTER *RetFilter

);

1. 参数介绍

1.1 Driver

通过DriverEntry 传递进来的。

1.2 Registration

是一个结构体，有一系列的callback 定义：

typedef struct _FLT_REGISTRATION {
USHORT Size;
USHORT Version;
FLT_REGISTRATION_FLAGS Flags;
CONST FLT_CONTEXT_REGISTRATION *ContextRegistration;
CONST FLT_OPERATION_REGISTRATION *OperationRegistration;
PFLT_FILTER_UNLOAD_CALLBACK FilterUnloadCallback;
PFLT_INSTANCE_SETUP_CALLBACK InstanceSetupCallback;
PFLT_INSTANCE_QUERY_TEARDOWN_CALLBACK InstanceQueryTeardownCallback;
PFLT_INSTANCE_TEARDOWN_CALLBACK InstanceTeardownStartCallback;
PFLT_INSTANCE_TEARDOWN_CALLBACK InstanceTeardownCompleteCallback;
PFLT_GENERATE_FILE_NAME GenerateFileNameCallback;
PFLT_NORMALIZE_NAME_COMPONENT NormalizeNameComponentCallback;
PFLT_NORMALIZE_CONTEXT_CLEANUP NormalizeContextCleanupCallback;
#if FLT_MGR_LONGHORN
PFLT_TRANSACTION_NOTIFICATION_CALLBACK TransactionNotificationCallback;
PFLT_NORMALIZE_NAME_COMPONENT_EX NormalizeNameComponentExCallback;
#endif // FLT_MGR_LONGHORN
} FLT_REGISTRATION, *PFLT_REGISTRATION;

其中callback定义如下：

FLT_REGISTRATION FilterRegistration = {
sizeof( FLT_REGISTRATION ), // Size
FLT_REGISTRATION_VERSION, // Version
0, // Flags
ContextRegistration, // Context
Callbacks, // Operation callbacks
Unload, // Filters unload routine
InstanceSetup, // InstanceSetup routine
InstanceQueryTeardown, // InstanceQueryTeardown routine
InstanceTeardownStart, // InstanceTeardownStart routine
InstanceTeardownComplete, // InstanceTeardownComplete routine
NULL, NULL, NULL // Unused naming support callbacks
};

FltRegisterFilter 中filterRegistration结构体其实就是一系列的callback。