|
|
/*++
Copyright (c) Microsoft Corporation. All rights reserved.
Module Name:
NtfsExp.h
Abstract:
This module defines the exports from NtOfs.SYS for use exclusively by Transactions and Encryption.
********************************* *No other clients are supported.* *********************************
Author:
Mark Zbikowski [MarkZ] 7-Dec-1995 Jeff Havens [JHavens] Brian Andrew [BrianAn] Gary Kimura [GaryKi] Tom Miller [TomM]
Revision History:
--*/
#ifndef _NTFS_
//
// The MFT Segment Reference is an address in the MFT tagged with
// a circularly reused sequence number set at the time that the MFT
// Segment Reference was valid. Note that this format limits the
// size of the Master File Table to 2**48 segments. So, for
// example, with a 1KB segment size the maximum size of the master
// file would be 2**58 bytes, or 2**28 gigabytes.
//
typedef struct _FILE_REFERENCE {
//
// First a 48 bit segment number.
//
ULONG SegmentNumberLowPart; // offset = 0x000
USHORT SegmentNumberHighPart; // offset = 0x004
//
// Now a 16 bit nonzero sequence number. A value of 0 is
// reserved to allow the possibility of a routine accepting
// 0 as a sign that the sequence number check should be
// repressed.
//
USHORT SequenceNumber; // offset = 0x006
} FILE_REFERENCE, *PFILE_REFERENCE; // sizeof = 0x008
#endif
//
// Big picture view of the interaction between extensions and NtOfs:
//
// NtOfs exports a number of interfaces that give abstract access to
// on-disk structures and attempt to hide, as much as possible, the
// implementation details.
//
// V/Q/X are implemented as DLL's that link to NtOfs.Sys. NtOfs can load
// and function in absence of these DLL's.
//
// All communication between user-mode code and V/Q/X occurs via the
// Nt Io API which is routed through NtOfs. Client code will open either
// an NtOfs Volume, Directory, or File and will issue NtIo calls to the
// resultant handle.
//
// NtOfs will create an IrpContext, decode the file object appropriately,
// and call out to entry points in V/Q/X that are registered at load-time.
//
// V/Q/X will perform whatever actions are necessary utilizing NtOfs exports
// and then return from the original call from NtOfs an NTSTATUS code. NtOfs
// will perform the appropriate CompleteIrp calls, posting for STATUS_PENDING,
// etc.
//
// No exceptions can be raised across the NtOfs export or NtOfs import
// interfaces. All user-buffer access and validation will occur in the
// code that uses it. Since user buffers may disappear at any time, any
// client of these buffers must wrap access to the buffers in an exception
// clause.
//
// V/Q/X may perform activities in threads separate from the original
// requestor. For these cases, NtOfs will provide a means where calls separate
// from a user-mode request can be accepted. Typically, this means "cloning"
// an IrpContext.
//
�//
// Opaque handle definitions.
//
//
// ISSUE: Most NtOfs internal routines rely on having an IrpContext passed in
// along with FCB and SCB pointers. Rather than exposing FCB and IrpContext
// as separate contexts, should we wrap these up into a separate structure and
// pass it along?
//
typedef struct _FCB *OBJECT_HANDLE;typedef struct _SCB *ATTRIBUTE_HANDLE;typedef struct _SCB *INDEX_HANDLE;typedef struct _READ_CONTEXT *PREAD_CONTEXT;typedef ULONG SECURITY_ID;typedef struct _CI_CALL_BACK CI_CALL_BACK, *PCI_CALL_BACK;typedef struct _VIEW_CALL_BACK VIEW_CALL_BACK, *PVIEW_CALL_BACK;typedef struct _IRP_CONTEXT *PIRP_CONTEXT;
//
// Map Handle. This structure defines a byte range of the file which is mapped
// or pinned, and stores the Bcb returned from the Cache Manager.
//
typedef struct _MAP_HANDLE {
//
// Range being mapped or pinned
//
LONGLONG FileOffset; ULONG Length;
//
// Virtual address corresponding to FileOffset
//
PVOID Buffer;
//
// Bcb pointer returned from Cache Manager
//
PVOID Bcb;
} MAP_HANDLE, *PMAP_HANDLE;
//
// Quick Index Hint. This is stream offset information returned by
// NtOfsFindRecord, and taken as input to NtOfsUpdateRecord, to allow
// quick updates to index records in the event that they have not
// moved. This structure must always have the same size and alignment
// as QUICK_INDEX in ntfsstru.h.
//
typedef struct _QUICK_INDEX_HINT { LONGLONG HintData[3];} QUICK_INDEX_HINT, *PQUICK_INDEX_HINT;
//
// Index structures
//
typedef struct { ULONG KeyLength; PVOID Key;} INDEX_KEY, *PINDEX_KEY;
typedef struct { ULONG DataLength; PVOID Data;} INDEX_DATA, *PINDEX_DATA;
typedef struct { INDEX_KEY KeyPart; INDEX_DATA DataPart;} INDEX_ROW, *PINDEX_ROW;
//
// COLLATION_FUNCTION returns LessThan if Key1 precedes Key2
// EqualTo if Key1 is identical to Key2
// GreaterThan if Key1 follows Key2
//
typedef FSRTL_COMPARISON_RESULT (*PCOLLATION_FUNCTION) ( IN PINDEX_KEY Key1, IN PINDEX_KEY Key2, IN PVOID CollationData );
typedef struct _UPCASE_TABLE_AND_KEY {
//
// Pointer to a table of upcased unicode characters indexed by character to
// be upcased.
//
PWCH UpcaseTable;
//
// Size of UpcaseTable in unicode characters
//
ULONG UpcaseTableSize;
//
// Optional addtional pointer.
//
INDEX_KEY Key;
} UPCASE_TABLE_AND_KEY, *PUPCASE_TABLE_AND_KEY;
//
// Wait for new length block used to synchronize a thread with FileSize
// exceeding the specified Length.
//
typedef struct _WAIT_FOR_NEW_LENGTH {
//
// Link words for multiple waiters on the Scb.
//
LIST_ENTRY WaitList;
//
// Set event when FileSize exceeds this length.
//
LONGLONG Length;
//
// Event to set when new length achieved.
//
KEVENT Event;
//
// Irp to complete when new length achieved. (If Irp present, Event is
// ignored.)
//
PIRP Irp;
//
// Stream we are waiting on.
//
ATTRIBUTE_HANDLE Stream;
//
// Status code for operation that caused the new length to be satisfied.
// It may be STATUS_CANCELLED, STATUS_TIMEOUT or STATUS_SUCCESS
// or a request specific status.
//
NTSTATUS Status;
//
// Flags.
//
ULONG Flags;
} WAIT_FOR_NEW_LENGTH, *PWAIT_FOR_NEW_LENGTH;
#define NTFS_WAIT_FLAG_ASYNC (0x00000001)
//
// Standard collation functions for simple indices
//
FSRTL_COMPARISON_RESULTNtOfsCollateUlong ( // Both must be single Ulong
IN PINDEX_KEY Key1, IN PINDEX_KEY Key2, IN PVOID CollationData // Don't care, may be NULL
);
FSRTL_COMPARISON_RESULTNtOfsCollateUlongs ( // Lengths do not have to be equal
IN PINDEX_KEY Key1, IN PINDEX_KEY Key2, IN PVOID CollationData // Don't care, may be NULL
);
FSRTL_COMPARISON_RESULTNtOfsCollateSid ( IN PINDEX_KEY Key1, IN PINDEX_KEY Key2, IN PVOID CollationData // Don't care, may be NULL
);
FSRTL_COMPARISON_RESULTNtOfsCollateUnicode ( IN PINDEX_KEY Key1, IN PINDEX_KEY Key2, IN PVOID CollationData // PUPCASE_TABLE_AND_KEY (with no key)
);
//
// Standard match functions for simple indices
//
NTSTATUSNtOfsMatchAll ( IN PINDEX_ROW IndexRow, IN OUT PVOID MatchData // Don't care, may be NULL
);
NTSTATUSNtOfsMatchUlongExact ( IN PINDEX_ROW IndexRow, // Both must be single Ulong
IN OUT PVOID MatchData // PINDEX_KEY describing Ulong
);
NTSTATUSNtOfsMatchUlongsExact ( // Lengths do not have to be equal
IN PINDEX_ROW IndexRow, IN OUT PVOID MatchData // PINDEX_KEY describing Ulongs
);
NTSTATUSNtOfsMatchUnicodeExpression ( IN PINDEX_ROW IndexRow, IN OUT PVOID MatchData // PUPCASE_TABLE_AND_KEY with Uni expression (must have wildcards)
);
NTSTATUSNtOfsMatchUnicodeString ( IN PINDEX_ROW IndexRow, IN OUT PVOID MatchData // PUPCASE_TABLE_AND_KEY with Uni string (no wildcards)
);
//
// MATCH_FUNCTION returns
// STATUS_SUCCESS if the IndexRow matches
// STATUS_NO_MATCH if the IndexRow does not match, but the enumeration should
// continue
// STATUS_NO_MORE_MATCHES if the IndexRow does not match, and the enumeration
// should terminate
//
typedef NTSTATUS (*PMATCH_FUNCTION) (IN PINDEX_ROW IndexRow, IN OUT PVOID MatchData);
//
// CREATE_OPTIONS - common flags governing creation/opening of objects
//
typedef enum _CREATE_OPTIONS{ CREATE_NEW = 0, CREATE_OR_OPEN = 1, OPEN_EXISTING = 2} CREATE_OPTIONS;
//
// EXCLUSION - Form of exclusion desired when opening an object
//
typedef enum _EXCLUSION{ SHARED = 0, EXCLUSIVE} EXCLUSION;
//
// Additional Dos Attribute indicating Content Index status of an object.
// If this is set on a document, it suppresses indexing. It is inherited
// from a parent directory at create time. This is stored in the
// DUPLICATED_INFORMATION structure.
//
#define SUPPRESS_CONTENT_INDEX (0x20000000)
//
// Define the size of the index buffer/bucket for view indexes, in bytes.
//
#define NTOFS_VIEW_INDEX_BUFFER_SIZE (0x1000)
//
// Exported constants.
//
//
// NtOfsContentIndexSystemFile is the repository for all CI related data on the
// disk.
extern FILE_REFERENCE NtOfsContentIndexSystemFile;
#if defined(_NTFSPROC_)
#define NTFSAPI
#else
#define NTFSAPI //DECLSPEC_IMPORT
#endif
�////////////////////////////////////////////////////////////////////////////////
//
// Index API - These encapsulate the NtOfs BTree mechanisms.
//
//
// NtOfsCreateIndex creates or opens a named index attribute in an object. The
// ObjectHandle has been acquired exclusive and the returned handle is not
// acquired. The collation data is interpreted only by the CollationFunction.
//
// IndexHandles retain a "seek" position where enumerations (NtOfsReadRecords)
// may continue. This seek position may be updated by the routines as described
// below.
//
// If DeleteCollationData is 1, ExFreePool will be called on CollationData, either
// immediately if the index already exists, or when the index is deleted some time
// after the final close. If NtOfsCreateIndex returns an error, then CollationData
// must be deleted by the caller. If specified as 0, then ColloationData will not
// be deleted.
//
NTFSAPINTSTATUSNtOfsCreateIndex ( IN PIRP_CONTEXT IrpContext, IN OBJECT_HANDLE ObjectHandle, IN UNICODE_STRING Name, IN CREATE_OPTIONS CreateOptions, IN ULONG DeleteCollationData, IN ULONG CollationRule, IN PCOLLATION_FUNCTION CollationFunction, IN PVOID CollationData OPTIONAL, OUT INDEX_HANDLE *IndexHandle );
//
// NtOfsFindRecord finds a single record in an index stream for read-only access
// or in preparation for calling NtOfsUpdateRecord.
//
NTFSAPINTSTATUSNtOfsFindRecord ( IN PIRP_CONTEXT IrpContext, IN INDEX_HANDLE IndexHandle, IN PINDEX_KEY IndexKey, OUT PINDEX_ROW IndexRow, OUT PMAP_HANDLE MapHandle, IN OUT PQUICK_INDEX_HINT QuickIndexHint OPTIONAL );
//
// NtOfsFindRecord finds a single record in an index stream for read-only access
// or in preparation for calling NtOfsUpdateRecord.
//
NTFSAPINTSTATUSNtOfsFindLastRecord ( IN PIRP_CONTEXT IrpContext, IN INDEX_HANDLE IndexHandle, IN PINDEX_KEY MaxIndexKey, OUT PINDEX_ROW IndexRow, OUT PMAP_HANDLE MapHandle );
//
// NtOfsAddRecords performs bulk, logged inserts into an index. The index will
// be acquired exclusive for this call. Each record added must have a unique
// (with regards to the collation function) key. No maps are currently
// outstanding on this index. If SequentialInsertMode is nonzero, this is a hint
// to the index package to keep all BTree buffers as full as possible, by splitting
// as close to the end of the buffer as possible. If specified as zero, random
// inserts are assumed, and buffers are always split in the middle for better balance.
//
// This call may update the IndexHandle seek position
//
NTFSAPIVOIDNtOfsAddRecords ( IN PIRP_CONTEXT IrpContext, IN INDEX_HANDLE IndexHandle, IN ULONG Count, IN PINDEX_ROW IndexRow, IN ULONG SequentialInsertMode );
//
// NtOfsDeleteRecords performs bulk, logged deletion from an index. The index
// will be acquired exclusive for this call. No maps are currently outstanding
// on this index.
//
// This call may update the IndexHandle seek position
//
NTFSAPIVOIDNtOfsDeleteRecords ( IN PIRP_CONTEXT IrpContext, IN INDEX_HANDLE IndexHandle, IN ULONG Count, IN PINDEX_KEY IndexKey );
//
// NtOfsReadRecords applies a match function to a block of contiguous records in
// the BTree starting either at a given IndexKey or beginning where it last left
// off.
//
// IndexKey is an optional point at which to begin the enumeration. The
// seek position of IndexHandle is set to return the next logical record
// on the next NtOfsReadRecords call.
//
// NtOfsReadRecords will seek to the appropriate point in the BTree (as defined
// by the IndexKey or saved position and the CollateFunction) and begin calling
// MatchFunction for each record. It continues doing this while MatchFunction
// returns STATUS_SUCCESS. If MatchFunction returns STATUS_NO_MORE_MATCHES,
// NtOfsReadRecords will cache this result and not call MatchFunction again until
// called with a non-NULL IndexKey.
//
// NtOfsReadRecords returns the last status code returned by MatchFunction.
//
// The IndexHandle does not have to be acquired as it is acquired shared for the
// duration of the call. NtOfsReadRecords may
// return with STATUS_SUCCESS without filling the output buffer (say, every 10
// index pages) to reduce lock contention.
//
// NtOfsReadRecords will read up to Count rows, comprising up to BufferLength
// bytes in total and will fill in the Rows[] array for each row returned.
//
// Note that this call is self-synchronized, such that successive calls to
// the routine are guaranteed to make progress through the index and to return
// items in Collation order, in spite of Add and Delete record calls being
// interspersed with Read records calls.
//
NTFSAPINTSTATUSNtOfsReadRecords ( IN PIRP_CONTEXT IrpContext, IN INDEX_HANDLE IndexHandle, IN OUT PREAD_CONTEXT *ReadContext, IN OPTIONAL PINDEX_KEY IndexKey, IN PMATCH_FUNCTION MatchFunction, IN PVOID MatchData, IN OUT ULONG *Count, OUT PINDEX_ROW Rows, IN ULONG BufferLength, OUT PVOID Buffer );
NTFSAPIVOIDNtOfsFreeReadContext ( IN PREAD_CONTEXT ReadContext );
//
// NtOfsUpdateRecord updates a single record in place. It is guaranteed that the
// length of the data/key portion of the record does not change. The index will
// be acquired exclusive for this call.
//
// This call may update the IndexHandle seek position
//
NTFSAPIVOIDNtOfsUpdateRecord ( IN PIRP_CONTEXT IrpContext, IN INDEX_HANDLE IndexHandle, IN ULONG Count, IN PINDEX_ROW IndexRow, IN OUT PQUICK_INDEX_HINT QuickIndexHint OPTIONAL, IN OUT PMAP_HANDLE MapHandle OPTIONAL );
//
// NtOfsCloseIndex closes an index handle. The index must not be acquired for this
// call. No outstanding maps are allowed.
//
NTFSAPIVOIDNtOfsCloseIndex ( IN PIRP_CONTEXT IrpContext, IN INDEX_HANDLE IndexHandle );
//
// NtOfsDeleteIndex removes an index attribute from an object. The object will be
// acquired exclusive for this call.
//
NTFSAPIVOIDNtOfsDeleteIndex ( IN PIRP_CONTEXT IrpContext, IN OBJECT_HANDLE ObjectHandle, IN INDEX_HANDLE IndexHandle );
�////////////////////////////////////////////////////////////////////////////////
//
// Map API - These encapsulate the NtOfs/Cache manager interactions
//
//
// NtOfsInitializeMapHandle initializes a map handle so it can be safely
// released at any time.
//
// NTFSAPI
// VOID
// NtOfsInitializeMapHandle (
// IN PMAP_HANDLE Map
// );
//
#define NtOfsInitializeMapHandle( M ) { (M)->Bcb = NULL; }
//
// NtOfsMapAttribute maps a portion of the specified attribute and returns a pointer
// to the memory. The memory mapped may not span a mapping window. Multiple maps
// are allowed through different handles in different threads. The data is not
// preread nor is the memory pinned.
//
#ifndef _NTFSPROC_
NTFSAPIVOIDNtOfsMapAttribute ( IN PIRP_CONTEXT IrpContext, IN ATTRIBUTE_HANDLE Attribute, IN LONGLONG Offset, IN ULONG Length, OUT PVOID *Buffer, OUT PMAP_HANDLE MapHandle );
#else
#ifdef MAPCOUNT_DBG
#define NtOfsMapAttribute(I,S,O,L,B,M) ( \
CcMapData((S)->FileObject, (PLARGE_INTEGER)&(O), (L), TRUE, &(M)->Bcb, (B)), \ (I)->MapCount++, \ (M)->FileOffset = (O), \ (M)->Length = (L), \ (M)->Buffer = *(PVOID *)(B) \)#else
#define NtOfsMapAttribute(I,S,O,L,B,M) ( \
CcMapData((S)->FileObject, (PLARGE_INTEGER)&(O), (L), TRUE, &(M)->Bcb, (B)), \ (M)->FileOffset = (O), \ (M)->Length = (L), \ (M)->Buffer = *(PVOID *)(B) \)#endif
#endif
//
// NtOfsPreparePinWrite maps and pins a portion of the specified attribute and
// returns a pointer to the memory. This is equivalent to doing a NtOfsMapAttribute
// followed by NtOfsPinRead and NtOfsDirty but is more efficient.
//
#ifndef _NTFSPROC_
NTFSAPIVOIDNtOfsPreparePinWrite ( IN PIRP_CONTEXT IrpContext, IN ATTRIBUTE_HANDLE Attribute, IN LONGLONG Offset, IN ULONG Length, OUT PVOID *Buffer, OUT PMAP_HANDLE MapHandle );
#else
#ifdef MAPCOUNT_DBG
#define NtOfsPreparePinWrite(I,S,O,L,B,M) { \
if (((O) + (L)) > (S)->Header.AllocationSize.QuadPart) { \ ExRaiseStatus(STATUS_END_OF_FILE); \ } \ CcPreparePinWrite((S)->FileObject, (PLARGE_INTEGER)&(O), (L), FALSE, TRUE, &(M)->Bcb, (B)); \ (I)->MapCount++; \ (M)->FileOffset = (O); \ (M)->Length = (L); \ (M)->Buffer = (B); \}#else
#define NtOfsPreparePinWrite(I,S,O,L,B,M) { \
if (((O) + (L)) > (S)->Header.AllocationSize.QuadPart) { \ ExRaiseStatus(STATUS_END_OF_FILE); \ } \ CcPreparePinWrite((S)->FileObject, (PLARGE_INTEGER)&(O), (L), FALSE, TRUE, &(M)->Bcb, (B)); \ (M)->FileOffset = (O); \ (M)->Length = (L); \ (M)->Buffer = (B); \}#endif
#endif
//
// NtOfsPinRead pins a section of a map and read in all pages from the mapped
// attribute. Offset and Length must describe a byte range which is equal to
// or included by the original mapped range.
//
#ifndef _NTFSPROC_
NTFSAPIVOIDNtOfsPinRead( IN PIRP_CONTEXT IrpContext, IN ATTRIBUTE_HANDLE Attribute, IN LONGLONG Offset, IN ULONG Length, OUT PMAP_HANDLE MapHandle );
#else
#ifdef MAPCOUNT_DBG
#define NtOfsPinRead(I,S,O,L,M) { \
ASSERT((M)->Bcb != NULL); \ ASSERT(((O) >= (M)->FileOffset) && (((O) + (L)) <= ((M)->FileOffset + (M)->Length))); \ CcPinMappedData((S)->FileObject, (PLARGE_INTEGER)&(O), (L), TRUE, &(M)->Bcb); \ (I)->MapCount++; \ (M)->FileOffset = (O); \ (M)->Length = (L); \}#else
#define NtOfsPinRead(I,S,O,L,M) { \
ASSERT((M)->Bcb != NULL); \ ASSERT(((O) >= (M)->FileOffset) && (((O) + (L)) <= ((M)->FileOffset + (M)->Length))); \ CcPinMappedData((S)->FileObject, (PLARGE_INTEGER)&(O), (L), TRUE, &(M)->Bcb); \ (M)->FileOffset = (O); \ (M)->Length = (L); \}#endif
#endif
//
// NtOfsDirty marks a map as being dirty (eligible for lazy writer access) and
// marks the pages with an optional LSN for coordination with LFS. This call
// is invalid unless the map has been pinned.
//
// NTFSAPI
// NtOfsDirty (
// IN PIRP_CONTEXT IrpContext,
// IN PMAP_HANDLE MapHandle,
// PLSN Lsn OPTIONAL
// );
#define NtOfsDirty(I,M,L) {CcSetDirtyPinnedData((M)->Bcb,(L));}
//
// NtOfsReleaseMap unmaps/unpins a mapped portion of an attribute.
//
#ifndef _NTFSPROC_
NTFSAPIVOIDNtOfsReleaseMap ( IN PIRP_CONTEXT IrpContext, IN PMAP_HANDLE MapHandle );
#else
#ifdef MAPCOUNT_DBG
#define NtOfsReleaseMap(IC,M) { \
if ((M)->Bcb != NULL) { \ CcUnpinData((M)->Bcb); \ (IC)->MapCount--; \ (M)->Bcb = NULL; \ } \}#else
#define NtOfsReleaseMap(IC,M) { \
if ((M)->Bcb != NULL) { \ CcUnpinData((M)->Bcb); \ (M)->Bcb = NULL; \ } \}#endif
#endif
//
// NtOfsPutData writes data into an attribute in a recoverable fashion. The
// caller must have opened the attribute with LogNonresidentToo.
//
// NtOfsPutData will write the data atomically and update the mapped image,
// subject to the normal lazy commit of the transaction.
//
NTFSAPIVOIDNtOfsPutData ( IN PIRP_CONTEXT IrpContext, IN ATTRIBUTE_HANDLE Attribute, IN LONGLONG Offset, IN ULONG Length, IN PVOID Data OPTIONAL );
�////////////////////////////////////////////////////////////////////////////////
//
// Attribute API - These encapsulate access to attributes on files/directories
// and summary catalogs
//
//
// NtOfsCreateAttribute will create or open a data attribute and return a handle
// that will allow mapping operations.
//
// For attributes that wish to have logging behavior, LogNonresidentToo must be
// set to true. See the discussion on NtOfsPutData (in the mapping section
// above).
//
NTFSAPINTSTATUSNtOfsCreateAttribute ( IN PIRP_CONTEXT IrpContext, IN OBJECT_HANDLE ObjectHandle, IN UNICODE_STRING Name, IN CREATE_OPTIONS CreateOptions, IN ULONG LogNonresidentToo, OUT ATTRIBUTE_HANDLE *AttributeHandle );
//
// NtOfsCreateAttributeEx will create or open an attribute and return a handle
// that will allow mapping operations. If a standard data attribute is to be
// used, call NtOfsCreateAttribute instead. This function is here for callers
// who need to use a different attribute type code.
//
// For attributes that wish to have logging behavior, LogNonresidentToo must be
// set to true. See the discussion on NtOfsPutData (in the mapping section
// above).
//
NTFSAPINTSTATUSNtOfsCreateAttributeEx ( IN PIRP_CONTEXT IrpContext, IN OBJECT_HANDLE ObjectHandle, IN UNICODE_STRING Name, IN ULONG AttributeTypeCode, IN CREATE_OPTIONS CreateOptions, IN ULONG LogNonresidentToo, OUT ATTRIBUTE_HANDLE *AttributeHandle );
//
// Valid AttributeTypeCode values for NtOfsCreateAttributeEx:
//
#define $LOGGED_UTILITY_STREAM (0x100)
//
// NtOfsCloseAttribute releases the attribute. The attribute is not acquired. No
// outstanding maps are active.
//
NTFSAPIVOIDNtOfsCloseAttribute ( IN PIRP_CONTEXT IrpContext, IN ATTRIBUTE_HANDLE AttributeHandle );
//
// NtOfsDeleteAttribute releases all storage associated with the attribute. The
// object will be acquired exclusive. The attribute will be acquired exclusive.
// No outstanding maps are active.
//
NTFSAPIVOIDNtOfsDeleteAttribute ( IN PIRP_CONTEXT IrpContext, IN OBJECT_HANDLE ObjectHandle, IN ATTRIBUTE_HANDLE AttributeHandle );
//
// NtOfsQueryLength returns the current length of user data within the attribute.
// The attribute may be mapped. The attribute may be acquired.
//
NTFSAPILONGLONGNtOfsQueryLength ( IN ATTRIBUTE_HANDLE AttributeHandle );
//
// NtOfsSetLength sets the current EOF on the given attribute. The attribute
// may not be mapped to the view containing Length, or any subsequent view.
// The attribute will be acquired exclusive.
//
NTFSAPIVOIDNtOfsSetLength ( IN PIRP_CONTEXT IrpContext, IN ATTRIBUTE_HANDLE Attribute, IN LONGLONG Length );//
// NtOfsWaitForNewLength allows the caller to wait for the specified length to
// be exceeded, or optionally timeout, if the specified Irp has not been cancelled.
//
NTFSAPINTSTATUSNtOfsWaitForNewLength ( IN ATTRIBUTE_HANDLE Attribute, IN LONGLONG Length, IN ULONG Async, IN PIRP Irp, IN PDRIVER_CANCEL CancelRoutine, IN PLARGE_INTEGER Timeout OPTIONAL );
//
// This routine may be called any time FileSize has changed to wake any threads
// waiting for a particular FileSize change. Or specify WakeAll to unconditionally
// wake all waiters.
//
VOIDNtOfsPostNewLength ( IN PIRP_CONTEXT IrpContext OPTIONAL, IN ATTRIBUTE_HANDLE Attribute, IN BOOLEAN WakeAll );
//
// NtOfsDecommit releases storage associated with a range of the attribute. It does
// not change the EOF marker nor does it change the logical position of data within
// the attribute. The range of the attribute being released may be mapped or
// pinned.
//
// Reads from decommitted ranges should return zero (although Query will never read
// from these ranges).
//
// Writes to decommitted pages should fail or be nooped (although Query will never
// write to these ranges).
//
// This call will purge, so none of the views overlapping the specified range may
// be mapped.
//
NTFSAPIVOIDNtOfsDecommit ( IN PIRP_CONTEXT IrpContext, IN ATTRIBUTE_HANDLE Attribute, IN LONGLONG Offset, IN LONGLONG Length );
//
// NtOfsFlushAttribute flushes all cached data to the disk and returns upon
// completion. If the attribute is LogNonresidentToo, then only the log file
// is flushed. Optionally, the range may be purged as well. If the attribute
// is purged, then there can be no mapped views.
//
NTFSAPIVOIDNtOfsFlushAttribute ( IN PIRP_CONTEXT IrpContext, IN ATTRIBUTE_HANDLE Attribute, IN ULONG Purge );
//
// NtOfsQueryAttributeSecurityId returns the security ID for the attribute if
// present.
//
NTFSAPIVOIDNtOfsQueryAttributeSecurityId ( IN PIRP_CONTEXT IrpContext, IN ATTRIBUTE_HANDLE Attribute, OUT SECURITY_ID *SecurityId );
�////////////////////////////////////////////////////////////////////////////////
//
// Concurrency control API
//
// As a rule, these routines are not required. All NtOfs routines are
// self-synchronized as atomic actions, or as parts of a top-level action when
// called within a top-level action routine.
//
// ISSUE: In particular, supporting the exclusive access call is an implementation
// problem for Ntfs. Wrapping top-level actions is the best way to preserve
// exclusive access across calls.
//
VOIDNtOfsAcquireObjectShared ( HANDLE ObjectHandle );
// VOID
// NtOfsAcquireObjectExclusive (
// HANDLE ObjectHandle
// );
VOIDNtOfsReleaseObject ( HANDLE ObjectHandle );
// Debugging routines
BOOLEANNtOfsIsObjectAcquiredExclusive ( HANDLE ObjectHandle );
BOOLEANNtOfsIsObjectAcquiredShared ( HANDLE ObjectHandle );
�////////////////////////////////////////////////////////////////////////////////
//
// File/Directory/Etc API
//
//
// NtOfsOpenByFileReference opens an object given a file reference. The file is
// assumed to exist; this call cannot be used to create a file. The returned
// handle is acquired according to the input exclusion.
//
NTFSAPINTSTATUSNtOfsOpenByFileReference ( IN PIRP_CONTEXT IrpContext, IN FILE_REFERENCE FileReference, IN EXCLUSION Exclusion, OUT OBJECT_HANDLE *ObjectHandle );
//
// NtOfsCreateRelativeObject opens or creates an object relative to a specified
// parent object. The parent will be acquired exclusive. The child is opened
// acquired according to the input exclusion.
//
// ISSUE: When creating an object, is the transaction committed before this
// call returns?
//
NTFSAPINTSTATUSNtOfsCreateRelativeObject ( IN PIRP_CONTEXT IrpContext, IN OBJECT_HANDLE ParentObjectHandle, IN UNICODE_STRING Name, IN CREATE_OPTIONS CreateOptions, IN EXCLUSION Exclusion, OUT OBJECT_HANDLE *ObjectHandle );
//
// NtOfsCloseObject releases the object handle.
//
NTFSAPINTSTATUSNtOfsCloseObject ( IN PIRP_CONTEXT IrpContext, IN OBJECT_HANDLE ObjectHandle );
//
// NtOfsDeleteObject deletes the object. No user-mode handle is attached to
// the object. No attributes are currently open. The object is acquired
// exclusive.
//
NTFSAPINTSTATUSNtOfsDeleteObject ( IN PIRP_CONTEXT IrpContext, IN OBJECT_HANDLE ObjectHandle );
//
// NtOfsDeleteAllAttributes deletes all attributes of the object. No attribute
// is open. The object is acquired exclusive.
//
NTFSAPINTSTATUSNtOfsDeleteAllAttributes ( IN PIRP_CONTEXT IrpContext, IN OBJECT_HANDLE ObjectHandle );
//
// NtOfsQueryPathFromRoot returns *A* path from the root to a node. In the
// presence of hard links, several paths may exist, however, only one needs
// to be returned. Memory for the file name is provided by the caller.
//
NTFSAPINTSTATUSNtOfsQueryPathFromRoot ( IN PIRP_CONTEXT IrpContext, IN FILE_REFERENCE FileReference, OUT UNICODE_STRING *PathName );
//
// NtOfsQueryFileName returns the final component in the path name into a
// caller-supplied buffer. In the presence of hard links, several names
// may exist, however, only one needs to be returned.
//
NTFSAPINTSTATUSNtOfsQueryFileName ( IN PIRP_CONTEXT IrpContext, IN FILE_REFERENCE FileReference, OUT UNICODE_STRING *FileName );
//
// NtOfsQueryFileReferenceFromName returns the file reference named by the path
//
NTFSAPINTSTATUSNtOfsQueryFileReferenceFromName ( IN PIRP_CONTEXT IrpContext, IN UNICODE_STRING Name, OUT FILE_REFERENCE *FileReference );
//
// This call must be very fast; it is a very common call made by CI/Query.
//
NTFSAPINTSTATUSNtOfsQueryFileReferenceFromHandle ( IN OBJECT_HANDLE Object, OUT FILE_REFERENCE *FileReference );
//
// NtOfsQueryObjectSecurityId returns the security Id associated with an object.
// The object is acquired shared or exclusive. This call must be very fast
//
NTFSAPINTSTATUSNtOfsQueryObjectSecurityId ( IN PIRP_CONTEXT IrpContext, IN OBJECT_HANDLE ObjectHandle, OUT SECURITY_ID *SecurityId );
�////////////////////////////////////////////////////////////////////////////////
//
// Scope API
//
//
// NtOfsIsAncestorOf must quickly tell if one file is an ancestor of the given
// child. In the presence of hard links, we may pick a "preferred" path (i.e.
// we don't have to travel to all ancestors). This call must be reasonably fast
// since this is a very frequent call from Query.
//
NTFSAPINTSTATUSNtOfsIsAncestorOf ( IN PIRP_CONTEXT IrpContext, IN FILE_REFERENCE Ancestor, IN FILE_REFERENCE Child );
//
// NtOfsGetParentFileReferenceFromHandle is used to retrieve the FileReference
// of the parent of the named object. With hard links the "first" parent may
// be chosen. This call needs to be reasonably efficient.
//
NTFSAPINTSTATUSNtOfsGetParentFileReferenceFromHandle ( IN PIRP_CONTEXT IrpContext, IN OBJECT_HANDLE ChildObject, OUT FILE_REFERENCE *ParentFileReference );
�////////////////////////////////////////////////////////////////////////////////
//
// Security API
//
// NtOfs maintains a "per-IrpContext" cache that speeds up security validation.
// Clients clear the cache (at the beginning of a query, say) and then do
// successive probes which may populate the cache.
//
//
// NtOfsClearSecurityCache clears the cache.
//
NTFSAPINTSTATUSNtOfsClearSecurityCache ( IN PIRP_CONTEXT IrpContext );
//
// NtOfsIsAccessGranted uses the Se routines to validate access and caches the
// result for the specified SecurityId and DesiredAccess. The cache is first
// probed to see if the access can be granted immediately. If the SecurityId is
// not found, the corresponding ACL is retrieved and tested with the supplied
// access state and DesiredAccess. The result of this test is cached and
// returned.
//
NTFSAPINTSTATUSNtOfsIsAccessGranted ( IN PIRP_CONTEXT IrpContext, IN SECURITY_ID SecurityId, IN ACCESS_MASK DesiredAccess, IN ACCESS_STATE *SecurityAccessState );
�////////////////////////////////////////////////////////////////////////////////
//
// Worker thread stuff. Worker threads are needed for building new indexes
//
�////////////////////////////////////////////////////////////////////////////////
//
// Miscellaneous information query/set
//
//
// Content Index may need to mark the volume as dirty to allow garbage collection
// of orphan objects by CHKDSK.
//
NTFSAPINTSTATUSNtOfsMarkVolumeCorrupt ( IN PIRP_CONTEXT IrpContext, IN ULONG NewState, IN ULONG StateMask, OUT ULONG *OldState );
//
// NtOfsQueryVolumeStatistics returns the current capacity and free space on a
// volume. Ci uses this for heuristics to decide on when to trigger master merge,
// when to suppress master merge, etc.
//
NTFSAPINTSTATUSNtOfsQueryVolumeStatistics ( IN PIRP_CONTEXT IrpContext, OUT LONGLONG *TotalClusters, OUT LONGLONG *FreeClusters );
//
// Query needs to retain some state in the NtOfs Ccb.
//
NTFSAPINTSTATUSNtOfsQueryHandleState ( IN PIRP_CONTEXT IrpContext, OUT VOID *OldData );
NTFSAPINTSTATUSNtOfsSetHandleState ( IN PIRP_CONTEXT IrpContext, IN VOID *Data );
//
// Generic unwrapping routines that get access to SCB/IRPC and FCB/IRPC
// pairs.
//
NTFSAPINTSTATUSNtOfsQueryAttributeHandle ( IN PIRP_CONTEXT IrpContext, OUT ATTRIBUTE_HANDLE *AttributeHandle );
NTFSAPINTSTATUSNtOfsQueryObjectHandle ( IN PIRP_CONTEXT IrpContext, OUT OBJECT_HANDLE *ObjectHandle );
//
// Create a context in which the caller can perform I/O in separate.
// threads. This means creating an IRP/IRP_CONTEXT. Each IrpContext corresponds
// to one I/O activity at a time. Multiple IrpContexts may be active in a thread
// at a single time.
//
NTFSAPINTSTATUSNtOfsCloneIrpContext ( IN PIRP_CONTEXT IrpContext, OUT PIRP_CONTEXT *NewIrpContext );
//
// NtOfsCompleteRequest completes an IrpContext that has been previously cloned.
// All other FsCtl Irps are completed by Ntfs.
//
NTFSAPINTSTATUSNtOfsCompleteRequest ( IN PIRP_CONTEXT IrpContext, NTSTATUS Status );
�////////////////////////////////////////////////////////////////////////////////
//
// Iterators. While each iterator is created through a separate API, each one
// must support two operations:
// Next - this fills a buffer with as many records as possible
// Close - this releases the iterator.
//
typedef struct _BASE_FILE_SEGMENT_ITERATOR BASE_FILE_SEGMENT_ITERATOR;
typedef struct _USN_ITERATOR USN_ITERATOR;
//
// The types of iterators are:
//
// Scope iterate over a directory (optionally RECURSIVE)
// (implemented in Query)
// View iterate over the rows in a view with a partial key match
// (implemented in View)
// BaseFileSegment iterate over all base file record segments
// (implemented in NtOfs)
// SummaryCatalog iterate over all rows in a summary catalog
// Usn iterate over all objects with Usn's in a specific range
// (implmented in NtOfs)
//
// Each iteration is passed a buffer which is filled (as much as possible) with
// a packed array of:
// FILE_REFERENCE
// DUPLICATED_INFORMATION
// STAT_INFORMATION
// for each enumerated object. The output length is the length in bytes that
// was filled in with the enumeration request.
NTFSAPINTSTATUSNtOfsCreateBaseFileSegmentIterator ( IN PIRP_CONTEXT IrpContext, OUT BASE_FILE_SEGMENT_ITERATOR *Iterator );
NTFSAPINTSTATUSNtOfsNextBaseFileSegmentIteration ( IN PIRP_CONTEXT IrpContext, IN BASE_FILE_SEGMENT_ITERATOR *Iterator, IN OUT ULONG *BufferLength, IN OUT PVOID Buffer );
NTFSAPINTSTATUSNtOfsCloseBaseFileSegmentIterator ( IN PIRP_CONTEXT IrpContext, IN BASE_FILE_SEGMENT_ITERATOR *Iterator );
NTFSAPINTSTATUSNtOfsCreateUsnIterator ( IN PIRP_CONTEXT IrpContext, IN USN BeginningUsn, IN USN EndingUsn, OUT USN_ITERATOR *Iterator );
NTFSAPINTSTATUSNtOfsNextUsnIteration ( IN PIRP_CONTEXT IrpContext, IN USN_ITERATOR *Iterator, IN OUT ULONG *BufferLength, IN OUT PVOID Buffer );
NTFSAPINTSTATUSNtOfsCloseUsnIterator ( IN PIRP_CONTEXT IrpContext, IN USN_ITERATOR *Iterator );
�////////////////////////////////////////////////////////////////////////////////
//
// Infrastructure support.
//
// V/C/X register callbacks with NtOfs when they are loaded. Until they are loaded
// NtOfs will call default routines (that do nothing).
//
typedef enum _NTFS_ADDON_TYPES { Encryption = 3} NTFS_ADDON_TYPES;
�////////////////////////////////////////////////////////////////////////////////
//
// Encryption
//
//
// Stream Create Status for FileDirFlag
//
#define STREAM_NEW_OR_EXIST_MASK 0x000f0000
#define FILE_DIR_TYPE_MASK 0x000000ff
#define FILE_NEW 0x00000001
#define FILE_EXISTING 0x00000002
#define DIRECTORY_NEW 0x00000004
#define DIRECTORY_EXISTING 0x00000008
#define EXISTING_FILE_ENCRYPTED 0x00000010
#define STREAM_NEW 0x00010000
#define STREAM_EXISTING 0x00020000
//
// Encryption flag for EncryptionFlag
//
#define STREAM_ENCRYPTED 0x00000001
#define FILE_ENCRYPTED 0x00000002
//
// Access flags
//
// NB -- These values are NOT arbitrary. Notice also that they are not
// in value order, they are grouped according to their meaning.
// Their values correspond to FILE_READ_DATA, etc. and
// TOKEN_HAS_BACKUP_PRIVILEGE, etc.
//
#define READ_DATA_ACCESS 0x01
#define WRITE_DATA_ACCESS 0x02
#define APPEND_DATA_ACCESS 0x04
#define EXECUTE_ACCESS 0x20
#define READ_ATTRIBUTES_ACCESS 0x80
#define WRITE_ATTRIBUTES_ACCESS 0x100
#define BACKUP_ACCESS 0x08
#define RESTORE_ACCESS 0x10
#define TRAVERSE_ACCESS 0x40
#define MANAGE_VOLUME_ACCESS 0x200
//
// Volume State
//
#define READ_ONLY_VOLUME 0x00000001
typedef NTSTATUS(*ENCRYPTED_FILE_CREATE) ( IN OBJECT_HANDLE FileHdl, IN OBJECT_HANDLE ParentDir OPTIONAL, IN PIO_STACK_LOCATION IrpSp, IN ULONG FileDirFlag, IN ULONG VolumeState, IN PIRP_CONTEXT IrpContext, IN PDEVICE_OBJECT VolDo, IN PVOID FileKeyContext, IN OUT PVOID *PKeyContext, IN OUT ULONG *ContextLength, IN OUT PVOID *PCreateContext, IN OUT PBOOLEAN Reserved );
typedef NTSTATUS(*ENCRYPTED_FILE_PRE_CREATE) ( IN PDEVICE_OBJECT VolDo, IN PIRP Irp, IN PFILE_OBJECT FileObject );
typedef NTSTATUS(*ENCRYPTED_FILE_POST_CREATE) ( IN PDEVICE_OBJECT VolDo, IN PIRP Irp, IN PFILE_OBJECT FileObject, IN NTSTATUS Status, IN OUT PVOID *PCreateContext );
typedef NTSTATUS(*ENCRYPTED_FILE_SYSTEM_CONTROL) ( IN PVOID PInputBuffer OPTIONAL, IN ULONG InputDataLength, OUT PVOID OutputBuffer OPTIONAL, IN OUT ULONG *OutputBufferLength OPTIONAL, IN ULONG EncryptionFlag, IN ULONG AccessFlag, IN ULONG VolumeState, IN ULONG FsControlCode, IN OBJECT_HANDLE FileHdl, IN PIRP_CONTEXT IrpContext, IN PDEVICE_OBJECT VolDo, IN ATTRIBUTE_HANDLE Attribute, IN OUT PVOID *PContext OPTIONAL, IN OUT ULONG *ContextLength OPTIONAL );
typedef NTSTATUS(*ENCRYPTED_FILE_PRE_FILE_SYSTEM_CONTROL) ( IN PDEVICE_OBJECT VolDo, IN PIRP Irp, IN PFILE_OBJECT FileObject );
typedef NTSTATUS(*ENCRYPTED_FILE_READ)( IN OUT PUCHAR InOutBuffer, IN PLARGE_INTEGER Offset, IN ULONG BufferSize, IN PVOID Context );
typedef NTSTATUS(*ENCRYPTED_FILE_WRITE)( IN PUCHAR InBuffer, OUT PUCHAR OutBuffer, IN PLARGE_INTEGER Offset, IN ULONG BufferSize, IN PUCHAR Context );
typedef VOID(*ENCRYPTED_FILE_CLEANUP)( IN OUT PVOID *Context );
#define ENCRYPTION_CURRENT_INTERFACE_VERSION 3
#define ENCRYPTION_ALL_STREAMS 0x00000001
#define ENCRYPTION_ALLOW_COMPRESSION 0x00000002
typedef struct _ENCRYPTION_CALL_BACK { ULONG InterfaceVersion; ULONG ImplementationFlags; ENCRYPTED_FILE_CREATE FileCreate; ENCRYPTED_FILE_PRE_CREATE PreCreate; ENCRYPTED_FILE_POST_CREATE PostCreate; ENCRYPTED_FILE_SYSTEM_CONTROL FileSystemControl_1; ENCRYPTED_FILE_SYSTEM_CONTROL FileSystemControl_2; ENCRYPTED_FILE_PRE_FILE_SYSTEM_CONTROL PreFileSystemControl; ENCRYPTED_FILE_READ AfterReadProcess; ENCRYPTED_FILE_WRITE BeforeWriteProcess; ENCRYPTED_FILE_CLEANUP CleanUp;} ENCRYPTION_CALL_BACK, *PENCRYPTION_CALL_BACK;
//
// NtOfsRegisterCallBacks supplies a call table to NtOfs. Each table has an
// interface version number. If the interface version does not exactly match
// what NtOfs expects, the call will fail.
//
NTFSAPINTSTATUSNtOfsRegisterCallBacks ( NTFS_ADDON_TYPES NtfsAddonType, PVOID CallBackTable );
|
