

Filter Manager Concepts: Part 3 – FLT_FILTER

Well, as you have probably guessed, FLT_FILTER is a structure that describes a minifilter. It is a pretty important structure and people usually become familiar with it once they discover that their minifilter is not unloading, which invariably happens at some point during development. In the grand scheme of things the FLT_FILTER is very similar to the DRIVER_OBJECT.

A thing worth mentioning is that a FLT_FILTER is linked into a specific frame based on its default altitude. This might trigger creation of a new frame (in fact loading a new filter is the only thing that can create a new frame).

Here is a picture of how FLT_FILTERs fit in the model:

[Figure: Filters]

You can see that a frame can contain one or more filters. Since frames never go away, a frame can end up with no filters at all if its minifilters get unloaded (though I don't show any empty frames in my picture).

Let’s look at one in the debugger:

1: kd> !fltkd.filter fffff9800696c6a0
FLT_FILTER: fffff9800696c6a0 "luafv" "135000"
   FLT_OBJECT: fffff9800696c6a0  [02000000] Filter
      RundownRef               : 0x0000000000000008 (4)
      PointerCount             : 0x00000001
      PrimaryLink              : [fffff980012e2b50-fffff9800122ab70]
   Frame                    : fffff9800122aac0 "Frame 0"
   Flags                    : [00000006] FilteringInitiated NameProvider
   DriverObject             : fffffa800407e080
   FilterLink               : [fffff980012e2b50-fffff9800122ab70]
   PreVolumeMount           : fffff880053a32d8  (no symbol)
   PostVolumeMount          : 0000000000000000  (null)
   FilterUnload             : 0000000000000000  (null)
   InstanceSetup            : fffff88001b5b010  (no symbol)
   InstanceQueryTeardown    : 0000000000000000  (null)
   InstanceTeardownStart    : 0000000000000000  (null)
   InstanceTeardownComplete : 0000000000000000  (null)
   ActiveOpens              : (fffff9800696c838)  mCount=1
   Communication Port List  : (fffff9800696c888)  mCount=0
   Client Port List         : (fffff9800696c8d8)  mCount=0
   VerifierExtension        : fffff98007c8ebc0
   Operations               : fffff9800696c9d0
   OldDriverUnload          : 0000000000000000  (null)
   SupportedContexts        : (fffff9800696c7c0)
      VolumeContexts           : (fffff9800696c7c0)
      InstanceContexts         : (fffff9800696c7c8)
         ALLOCATE_CONTEXT_NODE: fffff980068dcd80 "luafv" [01] LookasideList (size=856)
      FileContexts             : (fffff9800696c7d0)
      StreamContexts           : (fffff9800696c7d8)
      StreamHandleContexts     : (fffff9800696c7e0)
         ALLOCATE_CONTEXT_NODE: fffff980068dcec0 "luafv" [01] LookasideList (size=24)
      TransactionContext       : (fffff9800696c7e8)
   PagedContextNodeList     : (fffff9800696c930)  mCount=0
   NonPagedContextNodeList  : (fffff9800696c980)  mCount=1
   InstanceList             : (fffff9800696c6f8)
      FLT_INSTANCE: fffff98006ff44c0 "luafv" "135000"

As you can see, there are a lot of fields for callbacks and for storing contexts, plus some lists. We'll go into all of those later, when we start exploring the !fltkd extension.
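
When reviewing the minifilters on a system it helps to reduce a dump like the one above to the handful of fields that matter for triage. The following is an added example, not part of the original post or of fltkd: a small Python parser for saved !fltkd.filter output. The helper names (parse_filter, registered_callbacks, can_unload) are hypothetical, and the sample input is an abridged copy of lines from the dump above.

```python
import re

# Sample input: lines copied (abridged) from the !fltkd.filter output above.
SAMPLE = '''\
FLT_FILTER: fffff9800696c6a0 "luafv" "135000"
      RundownRef               : 0x0000000000000008 (4)
   Frame                    : fffff9800122aac0 "Frame 0"
   Flags                    : [00000006] FilteringInitiated NameProvider
   PreVolumeMount           : fffff880053a32d8  (no symbol)
   FilterUnload             : 0000000000000000  (null)
   InstanceSetup            : fffff88001b5b010  (no symbol)
      FLT_INSTANCE: fffff98006ff44c0 "luafv" "135000"
'''

CALLBACKS = {"PreVolumeMount", "PostVolumeMount", "FilterUnload", "InstanceSetup",
             "InstanceQueryTeardown", "InstanceTeardownStart",
             "InstanceTeardownComplete", "OldDriverUnload"}

def parse_filter(text):
    """Turn one !fltkd.filter dump into a dict (hypothetical helper)."""
    info = {"callbacks": {}, "instances": []}
    for raw in text.splitlines():
        key, _, value = (s.strip() for s in raw.strip().partition(":"))
        if not value:
            continue
        if key == "FLT_FILTER":
            m = re.match(r'(\S+)\s+"([^"]*)"\s+"([^"]*)"', value)
            if m:  # altitude is kept as the string fltkd prints
                info["address"], info["name"], info["altitude"] = m.groups()
        elif key == "FLT_INSTANCE":
            info["instances"].append(value.split()[0])
        elif key == "Frame":
            info["frame"] = value.split('"')[1]
        elif key == "Flags":
            info["flags"] = value.split("]", 1)[1].split()
        elif key == "RundownRef":
            info["rundown_refs"] = int(value.split("(")[1].rstrip(")"))
        elif key in CALLBACKS:
            ptr = value.split()[0]
            # fltkd shows an unset callback as an all-zero pointer and "(null)"
            info["callbacks"][key] = ptr if int(ptr, 16) else None
    return info

def registered_callbacks(info):
    return sorted(k for k, v in info["callbacks"].items() if v)

def can_unload(info):
    # WDK docs (FLT_REGISTRATION): a NULL FilterUnloadCallback means no unload
    return info["callbacks"].get("FilterUnload") is not None
```

For the luafv dump this reports PreVolumeMount and InstanceSetup as the only registered callbacks and, because FilterUnload is null, a filter that was registered without an unload routine.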