编程框架

1. FltRegisterFilter 注册Minifilter驱动；使用结束后用FltUnregisterFilter卸载。
   注册时，第二参数传入构建的FLT_REGISTRATION结构，主要是操作回调函数集和驱动卸载函数。
2. FltBuildDefaultSecurityDescriptor 生成默认安全描述符。
3. FltCreateCommunicationPort 创建通信服务器端口；使用结束后用FltCloseCommunicationPort关闭。
4. FltStartFiltering开始过滤。
5. 当有I/O操作发生时，执行流会进入操作回调函数集。

FLT_REGISTRATION

typedef struct _FLT_REGISTRATION {USHORT                                      Size;		// 结构体大小USHORT                                      Version;	// 版本FLT_REGISTRATION_FLAGS                      Flags;	// 标志位const FLT_CONTEXT_REGISTRATION              *ContextRegistration;		// 上下文注册const FLT_OPERATION_REGISTRATION            *OperationRegistration;	// 操作回调函数集注册！！！PFLT_FILTER_UNLOAD_CALLBACK                 FilterUnloadCallback;		// 驱动卸载回调！！！PFLT_INSTANCE_SETUP_CALLBACK                InstanceSetupCallback;	// 实例安装回调PFLT_INSTANCE_QUERY_TEARDOWN_CALLBACK       InstanceQueryTeardownCallback;	// 控制实例销毁函数PFLT_INSTANCE_TEARDOWN_CALLBACK             InstanceTeardownStartCallback;	// 实例解绑定函数PFLT_INSTANCE_TEARDOWN_CALLBACK             InstanceTeardownCompleteCallback;	// 实际解绑定完成函数PFLT_GENERATE_FILE_NAME                     GenerateFileNameCallback;			// 生成文件名回调PFLT_NORMALIZE_NAME_COMPONENT               NormalizeNameComponentCallback;	// 格式化名字组件回调PFLT_NORMALIZE_CONTEXT_CLEANUP              NormalizeContextCleanupCallback;	// 格式化上下文清理回调PFLT_TRANSACTION_NOTIFICATION_CALLBACK      TransactionNotificationCallback;PFLT_NORMALIZE_NAME_COMPONENT_EX            NormalizeNameComponentExCallback;PFLT_SECTION_CONFLICT_NOTIFICATION_CALLBACK SectionNotificationCallback;
} FLT_REGISTRATION, *PFLT_REGISTRATION;

操作回调函数集

typedef struct _FLT_OPERATION_REGISTRATION {UCHAR                            MajorFunction;	// IRPFLT_OPERATION_REGISTRATION_FLAGS Flags;			// 标志位：0(仅对读/写回调有用);FLTFL_OPERATION_REGISTRATION_SKIP_CACHED_IO(不过来缓冲读/写请求);FLTFL_OPERATION_REGISTRATION_SKIP_PAGING_IP(不过滤分页读/写请求)PFLT_PRE_OPERATION_CALLBACK      PreOperation;	// 预操作回调函数PFLT_POST_OPERATION_CALLBACK     PostOperation;	// 后操作回调函数PVOID                            Reserved1;
} FLT_OPERATION_REGISTRATION, *PFLT_OPERATION_REGISTRATION;// 自定义
static
CONST
FLT_OPERATION_REGISTRATION
OperationRegistration[] = {{IRP_MJ_CREATE,	// 文件创建0,PrevCreate,	PostCreate,	},{IRP_MJ_OPERATION_END},
};

预操作回调函数

FLT_PREOP_CALLBACK_STATUS PfltPreOperationCallback([in, out] PFLT_CALLBACK_DATA Data,			// 回调数据包，内包含这个请求相关的全部信息[in]      PCFLT_RELATED_OBJECTS FltObjects,	// 包含与当前 I/O 请求相关的对象的不透明指针[out]     PVOID *CompletionContext			// 如果该回调函数返回FLT_PREOP_SUCCESS_WITH_CALLBACK或FLT_PREOP_SYNCHRONIZE，则此参数是传递给相应操作后回调例程的可选上下文指针，否则必须为 NULL

回调数据包（FLT_CALLBACK_DATA）

typedef struct _FLT_CALLBACK_DATA {FLT_CALLBACK_DATA_FLAGS     Flags;	// 标志位PETHREAD                    Thread;	// 线程指针PFLT_IO_PARAMETER_BLOCK     Iopb;		// 参数IO_STATUS_BLOCK             IoStatus;	// 状态和信息struct _FLT_TAG_DATA_BUFFER *TagData;	// 重新分析点数据union {struct {LIST_ENTRY QueueLinks;PVOID      QueueContext[2];};PVOID FilterContext[4];};KPROCESSOR_MODE             RequestorMode;	// 启动I/O操作的进程的执行模式
} FLT_CALLBACK_DATA, *PFLT_CALLBACK_DATA;

参数（FLT_IO_PARAMETER_BLOCK）

typedef struct _FLT_IO_PARAMETER_BLOCK {ULONG          IrpFlags;UCHAR          MajorFunction;UCHAR          MinorFunction;UCHAR          OperationFlags;UCHAR          Reserved;PFILE_OBJECT   TargetFileObject;	// 目标文件/目录的文件对象指针PFLT_INSTANCE  TargetInstance;	// 目标MinifilterFLT_PARAMETERS Parameters;
} FLT_IO_PARAMETER_BLOCK, *PFLT_IO_PARAMETER_BLOCK;typedef union _FLT_PARAMETERS {struct {PIO_SECURITY_CONTEXT     SecurityContext;ULONG                    Options;USHORT POINTER_ALIGNMENT FileAttributes;USHORT                   ShareAccess;ULONG POINTER_ALIGNMENT  EaLength;PVOID                    EaBuffer;LARGE_INTEGER            AllocationSize;} Create;struct {PIO_SECURITY_CONTEXT     SecurityContext;ULONG                    Options;USHORT POINTER_ALIGNMENT Reserved;USHORT                   ShareAccess;PVOID                    Parameters;} CreatePipe;struct {PIO_SECURITY_CONTEXT     SecurityContext;ULONG                    Options;USHORT POINTER_ALIGNMENT Reserved;USHORT                   ShareAccess;PVOID                    Parameters;} CreateMailslot;struct {ULONG                   Length;ULONG POINTER_ALIGNMENT Key;LARGE_INTEGER           ByteOffset;PVOID                   ReadBuffer;PMDL                    MdlAddress;} Read;struct {ULONG                   Length;ULONG POINTER_ALIGNMENT Key;LARGE_INTEGER           ByteOffset;PVOID                   WriteBuffer;PMDL                    MdlAddress;} Write;struct {ULONG                                    Length;FILE_INFORMATION_CLASS POINTER_ALIGNMENT FileInformationClass;PVOID                                    InfoBuffer;} QueryFileInformation;struct {ULONG                                    Length;FILE_INFORMATION_CLASS POINTER_ALIGNMENT FileInformationClass;PFILE_OBJECT                             ParentOfTarget;union {struct {BOOLEAN ReplaceIfExists;BOOLEAN AdvanceOnly;};ULONG  ClusterCount;HANDLE DeleteHandle;};PVOID                                    InfoBuffer;} SetFileInformation;struct {ULONG                   Length;PVOID                   EaList;ULONG                   EaListLength;ULONG POINTER_ALIGNMENT EaIndex;PVOID                   EaBuffer;PMDL                    MdlAddress;} QueryEa;struct {ULONG Length;PVOID EaBuffer;PMDL  MdlAddress;} SetEa;struct {ULONG                                  Length;FS_INFORMATION_CLASS POINTER_ALIGNMENT FsInformationClass;PVOID                                  VolumeBuffer;} QueryVolumeInformation;struct {ULONG                                  Length;FS_INFORMATION_CLASS POINTER_ALIGNMENT FsInformationClass;PVOID                                  VolumeBuffer;} SetVolumeInformation;union {struct {ULONG                   Length;PUNICODE_STRING         FileName;FILE_INFORMATION_CLASS  FileInformationClass;ULONG POINTER_ALIGNMENT FileIndex;PVOID                   DirectoryBuffer;PMDL                    MdlAddress;} QueryDirectory;struct {ULONG                   Length;ULONG POINTER_ALIGNMENT CompletionFilter;ULONG POINTER_ALIGNMENT Spare1;ULONG POINTER_ALIGNMENT Spare2;PVOID                   DirectoryBuffer;PMDL                    MdlAddress;} NotifyDirectory;struct {ULONG                                                Length;ULONG POINTER_ALIGNMENT                              CompletionFilter;DIRECTORY_NOTIFY_INFORMATION_CLASS POINTER_ALIGNMENT DirectoryNotifyInformationClass;ULONG POINTER_ALIGNMENT                              Spare2;PVOID                                                DirectoryBuffer;PMDL                                                 MdlAddress;} NotifyDirectoryEx;} DirectoryControl;union {struct {PVPB           Vpb;PDEVICE_OBJECT DeviceObject;} VerifyVolume;struct {ULONG                   OutputBufferLength;ULONG POINTER_ALIGNMENT InputBufferLength;ULONG POINTER_ALIGNMENT FsControlCode;} Common;struct {ULONG                   OutputBufferLength;ULONG POINTER_ALIGNMENT InputBufferLength;ULONG POINTER_ALIGNMENT FsControlCode;PVOID                   InputBuffer;PVOID                   OutputBuffer;PMDL                    OutputMdlAddress;} Neither;struct {ULONG                   OutputBufferLength;ULONG POINTER_ALIGNMENT InputBufferLength;ULONG POINTER_ALIGNMENT FsControlCode;PVOID                   SystemBuffer;} Buffered;struct {ULONG                   OutputBufferLength;ULONG POINTER_ALIGNMENT InputBufferLength;ULONG POINTER_ALIGNMENT FsControlCode;PVOID                   InputSystemBuffer;PVOID                   OutputBuffer;PMDL                    OutputMdlAddress;} Direct;} FileSystemControl;union {struct {ULONG                   OutputBufferLength;ULONG POINTER_ALIGNMENT InputBufferLength;ULONG POINTER_ALIGNMENT IoControlCode;} Common;struct {ULONG                   OutputBufferLength;ULONG POINTER_ALIGNMENT InputBufferLength;ULONG POINTER_ALIGNMENT IoControlCode;PVOID                   InputBuffer;PVOID                   OutputBuffer;PMDL                    OutputMdlAddress;} Neither;struct {ULONG                   OutputBufferLength;ULONG POINTER_ALIGNMENT InputBufferLength;ULONG POINTER_ALIGNMENT IoControlCode;PVOID                   SystemBuffer;} Buffered;struct {ULONG                   OutputBufferLength;ULONG POINTER_ALIGNMENT InputBufferLength;ULONG POINTER_ALIGNMENT IoControlCode;PVOID                   InputSystemBuffer;PVOID                   OutputBuffer;PMDL                    OutputMdlAddress;} Direct;struct {ULONG                   OutputBufferLength;ULONG POINTER_ALIGNMENT InputBufferLength;ULONG POINTER_ALIGNMENT IoControlCode;PVOID                   InputBuffer;PVOID                   OutputBuffer;} FastIo;} DeviceIoControl;struct {PLARGE_INTEGER          Length;ULONG POINTER_ALIGNMENT Key;LARGE_INTEGER           ByteOffset;PEPROCESS               ProcessId;BOOLEAN                 FailImmediately;BOOLEAN                 ExclusiveLock;} LockControl;struct {SECURITY_INFORMATION    SecurityInformation;ULONG POINTER_ALIGNMENT Length;PVOID                   SecurityBuffer;PMDL                    MdlAddress;} QuerySecurity;struct {SECURITY_INFORMATION SecurityInformation;PSECURITY_DESCRIPTOR SecurityDescriptor;} SetSecurity;struct {ULONG_PTR ProviderId;PVOID     DataPath;ULONG     BufferSize;PVOID     Buffer;} WMI;struct {ULONG                       Length;PSID                        StartSid;PFILE_GET_QUOTA_INFORMATION SidList;ULONG                       SidListLength;PVOID                       QuotaBuffer;PMDL                        MdlAddress;} QueryQuota;struct {ULONG Length;PVOID QuotaBuffer;PMDL  MdlAddress;} SetQuota;union {struct {PCM_RESOURCE_LIST AllocatedResources;PCM_RESOURCE_LIST AllocatedResourcesTranslated;} StartDevice;struct {DEVICE_RELATION_TYPE Type;} QueryDeviceRelations;struct {const GUID *InterfaceType;USHORT     Size;USHORT     Version;PINTERFACE Interface;PVOID      InterfaceSpecificData;} QueryInterface;struct {PDEVICE_CAPABILITIES Capabilities;} DeviceCapabilities;struct {PIO_RESOURCE_REQUIREMENTS_LIST IoResourceRequirementList;} FilterResourceRequirements;struct {ULONG                   WhichSpace;PVOID                   Buffer;ULONG                   Offset;ULONG POINTER_ALIGNMENT Length;} ReadWriteConfig;struct {BOOLEAN Lock;} SetLock;struct {BUS_QUERY_ID_TYPE IdType;} QueryId;struct {DEVICE_TEXT_TYPE       DeviceTextType;LCID POINTER_ALIGNMENT LocaleId;} QueryDeviceText;struct {BOOLEAN                                          InPath;BOOLEAN                                          Reserved[3];DEVICE_USAGE_NOTIFICATION_TYPE POINTER_ALIGNMENT Type;} UsageNotification;} Pnp;struct {FS_FILTER_SECTION_SYNC_TYPE    SyncType;ULONG                          PageProtection;PFS_FILTER_SECTION_SYNC_OUTPUT OutputInformation;ULONG                          Flags;ULONG                          AllocationAttributes;} AcquireForSectionSynchronization;struct {PLARGE_INTEGER EndingOffset;PERESOURCE     *ResourceToRelease;} AcquireForModifiedPageWriter;struct {PERESOURCE ResourceToRelease;} ReleaseForModifiedPageWriter;struct {PIRP                   Irp;PVOID                  FileInformation;PULONG                 Length;FILE_INFORMATION_CLASS FileInformationClass;} QueryOpen;struct {LARGE_INTEGER             FileOffset;ULONG                     Length;ULONG POINTER_ALIGNMENT   LockKey;BOOLEAN POINTER_ALIGNMENT CheckForReadOperation;} FastIoCheckIfPossible;struct {PIRP                           Irp;PFILE_NETWORK_OPEN_INFORMATION NetworkInformation;} NetworkQueryOpen;struct {LARGE_INTEGER           FileOffset;ULONG POINTER_ALIGNMENT Length;ULONG POINTER_ALIGNMENT Key;PMDL                    *MdlChain;} MdlRead;struct {PMDL MdlChain;} MdlReadComplete;struct {LARGE_INTEGER           FileOffset;ULONG POINTER_ALIGNMENT Length;ULONG POINTER_ALIGNMENT Key;PMDL                    *MdlChain;} PrepareMdlWrite;struct {LARGE_INTEGER FileOffset;PMDL          MdlChain;} MdlWriteComplete;struct {ULONG DeviceType;} MountVolume;struct {PVOID         Argument1;PVOID         Argument2;PVOID         Argument3;PVOID         Argument4;PVOID         Argument5;LARGE_INTEGER Argument6;} Others;
} FLT_PARAMETERS, *PFLT_PARAMETERS;

状态和信息（IO_STATUS_BLOCK）

typedef struct _IO_STATUS_BLOCK {union {NTSTATUS Status;	// 完成状态PVOID    Pointer;};ULONG_PTR Information;	// 依赖于请求的值，如果传输请求完成，则为传输的字节数；如果使用另一个STATUS_XXX完成传输请求，则为0
} IO_STATUS_BLOCK, *PIO_STATUS_BLOCK;

关联对象

typedef struct _FLT_RELATED_OBJECTS {USHORT        Size;USHORT        TransactionContext;PFLT_FILTER   Filter;PFLT_VOLUME   Volume;PFLT_INSTANCE Instance;PFILE_OBJECT  FileObject;		// 操作的文件对象PKTRANSACTION Transaction;
} FLT_RELATED_OBJECTS, *PFLT_RELATED_OBJECTS;