Thursday, August 2, 2012

WDK Minifilter Driver

In order to develop a driver for a lab project, I reviewed the code in the WDK source. After a very short look, I found some example code that is worth reading. For example, in the source code of the Minifilter driver (scanner.c), the author states: "This filter scans the data in a file before allowing an open to proceed. This is similar to what virus checkers do."

Minifilter can ....

To use a Minifilter, we first need to construct an FLT_REGISTRATION structure. Here is the example from the WDK.


const FLT_REGISTRATION FilterRegistration = {
    sizeof( FLT_REGISTRATION ),         //  Size
    FLT_REGISTRATION_VERSION,           //  Version
    0,                                  //  Flags
    ContextRegistration,                //  Context Registration.
    Callbacks,                          //  Operation callbacks
    ScannerUnload,                      //  FilterUnload
    ScannerInstanceSetup,               //  InstanceSetup
    ScannerQueryTeardown,               //  InstanceQueryTeardown
    NULL,                               //  InstanceTeardownStart
    NULL,                               //  InstanceTeardownComplete
    NULL,                               //  GenerateFileName
    NULL,                               //  GenerateDestinationFileName
    NULL                                //  NormalizeNameComponent
};


The ContextRegistration member of FLT_REGISTRATION is an array of FLT_CONTEXT_REGISTRATION structures, which defines the context types the filter uses, and Callbacks is an array of FLT_OPERATION_REGISTRATION structures that registers the operation callbacks. Following are examples of these two structures.


const FLT_CONTEXT_REGISTRATION ContextRegistration[] = {
    { FLT_STREAMHANDLE_CONTEXT,
      0,
      NULL,
      sizeof(SCANNER_STREAM_HANDLE_CONTEXT),
      'chBS' },

    { FLT_CONTEXT_END }
};
[structure explain]

const FLT_OPERATION_REGISTRATION Callbacks[] = {

    { IRP_MJ_CREATE,
      0,
      ScannerPreCreate,
      ScannerPostCreate},

    { IRP_MJ_CLEANUP,
      0,
      ScannerPreCleanup,
      NULL},

    { IRP_MJ_WRITE,
      0,
      ScannerPreWrite,
      NULL},

    { IRP_MJ_OPERATION_END}
};
[structure explain]

The most interesting part is the ScannerPostCreate function, so we move to it and take a look.
This function checks the file extension and then calls the ScannerpScanFileInUserMode function. If the returned verdict is safe, the file is left alone until the write check; otherwise FltCancelFileOpen is used to cancel the open operation.

In the ScannerpScanFileInUserMode function, it calls FltReadFile to read the file contents into a buffer and then passes the buffer to user space with FltSendMessage. The user-space program is responsible for scanning the contents.
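The flow described in the last two paragraphs (extension check in the post-create callback, buffer handed to user space, verdict decides between allowing the open and FltCancelFileOpen) can be followed more easily in plain user-mode C. The block below is an added example written for this post, not code from the WDK scanner sample: the structure names SCAN_REQUEST and SCAN_REPLY, the function names, the extension list, the 1024-byte buffer size and the marker string the scanner looks for are all constructed for illustration, and the FltSendMessage round trip is replaced by a direct function call.

```c
/* Added example modelled on the post's description of the scanner flow.
 * Not the WDK sample's code; all names and constants below are constructed. */
#include <ctype.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define SCAN_BUFFER_SIZE 1024   /* constructed: size of the chunk read with FltReadFile */

/* What the filter sends to user space: the bytes it read from the file. */
typedef struct {
    size_t BytesToScan;
    unsigned char Contents[SCAN_BUFFER_SIZE];
} SCAN_REQUEST;                 /* hypothetical name */

/* What user space sends back: a single safe/unsafe verdict. */
typedef struct {
    int SafeToOpen;
} SCAN_REPLY;                   /* hypothetical name */

/* Constructed extension list: only files with these extensions are scanned. */
static const char *const ScannedExtensions[] = { "doc", "txt", "bat", "cmd", "inf", "ini" };

/* ASCII case-insensitive compare, so "notes.TXT" and "notes.txt" match alike. */
static int EqualsIgnoreCase(const char *a, const char *b)
{
    for (; *a && *b; a++, b++) {
        if (tolower((unsigned char)*a) != tolower((unsigned char)*b)) return 0;
    }
    return *a == *b;
}

/* Kernel-side extension check (the first step of the post-create callback).
 * Returns 1 if the file is one the filter scans, 0 otherwise. */
int ShouldScanFile(const char *fileName)
{
    const char *dot = strrchr(fileName, '.');
    if (dot == NULL || dot[1] == '\0') return 0;
    for (size_t i = 0; i < sizeof ScannedExtensions / sizeof ScannedExtensions[0]; i++) {
        if (EqualsIgnoreCase(dot + 1, ScannedExtensions[i])) return 1;
    }
    return 0;
}

/* User-space side: look for a constructed marker in the bytes and fill the reply.
 * A real scanner would run signatures or heuristics here; the marker stands in. */
static const char BadMarker[] = "CONSTRUCTED-BAD-MARKER";

void ScanContents(const SCAN_REQUEST *req, SCAN_REPLY *reply)
{
    size_t n = req->BytesToScan;
    if (n > SCAN_BUFFER_SIZE) n = SCAN_BUFFER_SIZE;   /* never trust the length field blindly */
    size_t m = sizeof BadMarker - 1;
    reply->SafeToOpen = 1;
    for (size_t i = 0; i + m <= n; i++) {
        if (memcmp(req->Contents + i, BadMarker, m) == 0) {
            reply->SafeToOpen = 0;
            return;
        }
    }
}

/* Kernel-side decision as the post describes it: 1 = let the open proceed,
 * 0 = the filter would call FltCancelFileOpen. Files outside the extension
 * list are allowed without a scan; only the first SCAN_BUFFER_SIZE bytes are sent. */
int PostCreateDecision(const char *fileName, const unsigned char *data, size_t len)
{
    if (!ShouldScanFile(fileName)) return 1;
    SCAN_REQUEST req;
    SCAN_REPLY reply;
    req.BytesToScan = len < SCAN_BUFFER_SIZE ? len : SCAN_BUFFER_SIZE;
    memcpy(req.Contents, data, req.BytesToScan);
    ScanContents(&req, &reply);   /* stands in for the FltSendMessage round trip */
    return reply.SafeToOpen;
}

int main(void)
{
    static const unsigned char clean[] = "hello world";
    static const unsigned char bad[]   = "prefix CONSTRUCTED-BAD-MARKER suffix";
    unsigned char late[SCAN_BUFFER_SIZE + 64];            /* marker past the scanned chunk */
    memset(late, 'A', sizeof late);
    memcpy(late + SCAN_BUFFER_SIZE + 8, BadMarker, sizeof BadMarker - 1);

    printf("notes.TXT clean : %d\n", PostCreateDecision("notes.TXT", clean, sizeof clean - 1));
    printf("notes.txt bad   : %d\n", PostCreateDecision("notes.txt", bad, sizeof bad - 1));
    printf("image.png bad   : %d (extension not scanned)\n", PostCreateDecision("image.png", bad, sizeof bad - 1));
    printf("late marker     : %d (beyond the scanned chunk)\n", PostCreateDecision("late.txt", late, sizeof late));
    return 0;
}
```

Two points the example makes visible: the verdict only covers the bytes the filter actually read, so content past the buffer is never seen on open (which is why the post's flow also keeps a write check), and the user-space side must sanity-check the length it receives rather than index the buffer with whatever the message says.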

[How to communicate between user space and kernel space]
 
