mirror of https://github.com/tongzx/nt5src
You can not select more than 25 topics
Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
493 lines
9.1 KiB
493 lines
9.1 KiB
/*++
|
|
|
|
Copyright (c) 2000-2001 Microsoft Corporation
|
|
|
|
Module Name:
|
|
|
|
filt.c
|
|
|
|
Abstract:
|
|
|
|
Extensions for dumping filter information.
|
|
|
|
Author:
|
|
|
|
Michael Courage (mcourage) 6-Apr-2000
|
|
|
|
Environment:
|
|
|
|
User Mode.
|
|
|
|
Revision History:
|
|
|
|
--*/
|
|
|
|
|
|
#include "precomp.h"
|
|
|
|
//
|
|
// Private globals.
|
|
//
|
|
|
|
PSTR g_pFiltqActions[] =
|
|
{
|
|
"QUEUE_IRP ",
|
|
"DEQUEUE_IRP ",
|
|
"START_WRITE ",
|
|
"FINISH_WRITE ",
|
|
"BLOCK_WRITE ",
|
|
"WAKE_WRITE ",
|
|
"BLOCK_PARTIAL_WRITE",
|
|
"WAKE_PARTIAL_WRITE "
|
|
|
|
};
|
|
|
|
C_ASSERT( DIM(g_pFiltqActions) == FILTQ_ACTION_COUNT );
|
|
|
|
|
|
//
|
|
// Public functions.
|
|
//
|
|
|
|
DECLARE_API( filter )
|
|
|
|
/*++
|
|
|
|
Routine Description:
|
|
|
|
Dumps a filter channel.
|
|
|
|
Arguments:
|
|
|
|
None.
|
|
|
|
Return Value:
|
|
|
|
None.
|
|
|
|
--*/
|
|
|
|
{
|
|
ULONG_PTR address = 0;
|
|
ULONG result;
|
|
UL_FILTER_CHANNEL channel;
|
|
|
|
SNAPSHOT_EXTENSION_DATA();
|
|
|
|
//
|
|
// Snag the address from the command line.
|
|
//
|
|
|
|
address = GetExpression( args );
|
|
|
|
if (address == 0)
|
|
{
|
|
address = GetExpression( "&http!g_pFilterChannel" );
|
|
}
|
|
|
|
if (address != 0)
|
|
{
|
|
if (!ReadMemory(
|
|
address,
|
|
&address,
|
|
sizeof(address),
|
|
NULL
|
|
))
|
|
{
|
|
dprintf(
|
|
"filter: Cannot read memory @ %p\n",
|
|
address
|
|
);
|
|
return;
|
|
}
|
|
}
|
|
|
|
if (address == 0)
|
|
{
|
|
PrintUsage( "filter" );
|
|
return;
|
|
}
|
|
|
|
//
|
|
// Read the filter.
|
|
//
|
|
|
|
if (!ReadMemory(
|
|
address,
|
|
&channel,
|
|
sizeof(channel),
|
|
&result
|
|
))
|
|
{
|
|
dprintf(
|
|
"filter: cannot read UL_FILTER_CHANNEL @ %p\n",
|
|
address
|
|
);
|
|
return;
|
|
}
|
|
|
|
DumpFilterChannel(
|
|
"",
|
|
"filter: ",
|
|
address,
|
|
&channel,
|
|
0
|
|
);
|
|
|
|
|
|
} // filter
|
|
|
|
|
|
DECLARE_API( fproc )
|
|
|
|
/*++
|
|
|
|
Routine Description:
|
|
|
|
Dumps a filter process.
|
|
|
|
Arguments:
|
|
|
|
None.
|
|
|
|
Return Value:
|
|
|
|
None.
|
|
|
|
--*/
|
|
|
|
{
|
|
ULONG_PTR address = 0;
|
|
ULONG result;
|
|
UL_FILTER_PROCESS process;
|
|
|
|
SNAPSHOT_EXTENSION_DATA();
|
|
|
|
//
|
|
// Snag the address from the command line.
|
|
//
|
|
|
|
address = GetExpression( args );
|
|
|
|
if (address == 0)
|
|
{
|
|
PrintUsage( "fproc" );
|
|
return;
|
|
}
|
|
|
|
//
|
|
// Read the filter proc.
|
|
//
|
|
|
|
if (!ReadMemory(
|
|
address,
|
|
&process,
|
|
sizeof(process),
|
|
&result
|
|
))
|
|
{
|
|
dprintf(
|
|
"fproc: cannot read UL_FILTER_PROCESS @ %p\n",
|
|
address
|
|
);
|
|
return;
|
|
}
|
|
|
|
DumpFilterProc(
|
|
"",
|
|
"fproc: ",
|
|
address,
|
|
&process,
|
|
0
|
|
);
|
|
|
|
|
|
} // fproc
|
|
|
|
|
|
DECLARE_API( fqlog )
|
|
|
|
/*++
|
|
|
|
Routine Description:
|
|
|
|
Dumps the filter queue trace log.
|
|
|
|
Arguments:
|
|
|
|
None.
|
|
|
|
Return Value:
|
|
|
|
None.
|
|
|
|
--*/
|
|
|
|
{
|
|
ULONG_PTR address = 0;
|
|
ULONG_PTR context = 0;
|
|
ULONG_PTR flags = 0;
|
|
ULONG_PTR entryAddress;
|
|
ULONG_PTR logPointer;
|
|
ULONG result;
|
|
TRACE_LOG logHeader;
|
|
LONGLONG numEntries;
|
|
FILTQ_TRACE_LOG_ENTRY logEntry;
|
|
PSTR pAction;
|
|
LONGLONG index;
|
|
ULONG offset1;
|
|
ULONG offset2;
|
|
CHAR invalidAction[sizeof("2047")];
|
|
PSTR fileName;
|
|
CHAR filePath[MAX_PATH];
|
|
|
|
SNAPSHOT_EXTENSION_DATA();
|
|
|
|
//
|
|
// Snag the optional context from the command line.
|
|
//
|
|
|
|
context = GetExpression( args );
|
|
|
|
//
|
|
// Find the log.
|
|
//
|
|
|
|
address = GetExpression( "&http!g_pFilterQueueTraceLog" );
|
|
|
|
if (address == 0)
|
|
{
|
|
dprintf( "fqlog: cannot find http!g_pFilterQueueTraceLog\n" );
|
|
return;
|
|
}
|
|
|
|
//
|
|
// Read the pointer.
|
|
//
|
|
|
|
if (!ReadMemory(
|
|
address,
|
|
&logPointer,
|
|
sizeof(logPointer),
|
|
&result
|
|
))
|
|
{
|
|
dprintf(
|
|
"fqlog: cannot read PTRACE_LOG @ %p\n",
|
|
address
|
|
);
|
|
return;
|
|
}
|
|
|
|
//
|
|
// Read the log header.
|
|
//
|
|
|
|
if (!ReadMemory(
|
|
logPointer,
|
|
&logHeader,
|
|
sizeof(logHeader),
|
|
&result
|
|
))
|
|
{
|
|
dprintf(
|
|
"fqlog: cannot read TRACE_LOG @ %p\n",
|
|
logPointer
|
|
);
|
|
return;
|
|
}
|
|
|
|
dprintf(
|
|
"fqlog: log @ %p\n"
|
|
" Signature = %08lx '%c%c%c%c' (%s)\n"
|
|
" TypeSignature = %08lx '%c%c%c%c'\n"
|
|
" LogSize = %lu\n"
|
|
" NextEntry = %I64d\n"
|
|
" EntrySize = %lu\n"
|
|
" LogBuffer = %p\n",
|
|
address,
|
|
logHeader.Signature,
|
|
DECODE_SIGNATURE(logHeader.Signature),
|
|
logHeader.Signature == TRACE_LOG_SIGNATURE
|
|
? "OK"
|
|
: logHeader.Signature == TRACE_LOG_SIGNATURE_X
|
|
? "FREED"
|
|
: "INVALID",
|
|
logHeader.TypeSignature,
|
|
DECODE_SIGNATURE(logHeader.TypeSignature),
|
|
logHeader.LogSize,
|
|
logHeader.NextEntry,
|
|
logHeader.EntrySize,
|
|
logHeader.pLogBuffer
|
|
);
|
|
|
|
if (logHeader.pLogBuffer > ( (PUCHAR)address + sizeof(logHeader) ))
|
|
{
|
|
dprintf(
|
|
" ExtraData @ %p\n",
|
|
address + sizeof(logHeader)
|
|
);
|
|
}
|
|
|
|
if (logHeader.Signature != TRACE_LOG_SIGNATURE &&
|
|
logHeader.Signature != TRACE_LOG_SIGNATURE_X)
|
|
{
|
|
dprintf(
|
|
"fqlog: log @ %p has invalid signature %08lx:\n",
|
|
address,
|
|
logHeader.Signature
|
|
);
|
|
return;
|
|
}
|
|
|
|
if (logHeader.EntrySize != sizeof(logEntry)
|
|
|| logHeader.TypeSignature != FILTQ_TRACE_LOG_SIGNATURE)
|
|
{
|
|
dprintf(
|
|
"fqlog: log @ %p is not a filter queue trace log\n",
|
|
address
|
|
);
|
|
return;
|
|
}
|
|
|
|
if (logHeader.NextEntry == -1)
|
|
{
|
|
dprintf(
|
|
"fqlog: empty log @ %p\n",
|
|
address
|
|
);
|
|
return;
|
|
}
|
|
|
|
//
|
|
// Calculate the log size to dump.
|
|
//
|
|
|
|
if (logHeader.NextEntry < logHeader.LogSize)
|
|
{
|
|
numEntries = logHeader.NextEntry + 1;
|
|
index = 0;
|
|
}
|
|
else
|
|
{
|
|
numEntries = logHeader.LogSize;
|
|
index = (logHeader.NextEntry + 1) % logHeader.LogSize;
|
|
}
|
|
|
|
entryAddress = (ULONG_PTR)logHeader.pLogBuffer +
|
|
(ULONG_PTR)( index * sizeof(logEntry) );
|
|
|
|
if (entryAddress >=
|
|
( (ULONG_PTR)logHeader.pLogBuffer + (ULONG_PTR)( numEntries * sizeof(logEntry) ) ) )
|
|
{
|
|
dprintf(
|
|
"fqlog: log @ %p has invalid data\n",
|
|
address
|
|
);
|
|
return;
|
|
}
|
|
|
|
//
|
|
// Dump the log.
|
|
//
|
|
|
|
for (;
|
|
numEntries > 0 ;
|
|
index++,
|
|
numEntries--,
|
|
entryAddress += sizeof(logEntry))
|
|
{
|
|
if (CheckControlC())
|
|
{
|
|
break;
|
|
}
|
|
|
|
if (index >= logHeader.LogSize)
|
|
{
|
|
index = 0;
|
|
entryAddress = (ULONG_PTR)logHeader.pLogBuffer;
|
|
}
|
|
|
|
if (!ReadMemory(
|
|
entryAddress,
|
|
&logEntry,
|
|
sizeof(logEntry),
|
|
NULL
|
|
))
|
|
{
|
|
dprintf(
|
|
"fqlog: cannot read memory @ %p\n",
|
|
entryAddress
|
|
);
|
|
return;
|
|
}
|
|
|
|
if (context == 0 ||
|
|
context == (ULONG_PTR)logEntry.pConnection)
|
|
{
|
|
|
|
//
|
|
// Grab the file name.
|
|
//
|
|
|
|
if (ReadMemory(
|
|
(ULONG_PTR)logEntry.pFileName,
|
|
filePath,
|
|
sizeof(filePath),
|
|
&result
|
|
))
|
|
{
|
|
fileName = strrchr( filePath, '\\' );
|
|
|
|
if (fileName != NULL)
|
|
{
|
|
fileName++;
|
|
}
|
|
else
|
|
{
|
|
fileName = filePath;
|
|
}
|
|
}
|
|
else
|
|
{
|
|
sprintf(
|
|
filePath,
|
|
"%p",
|
|
logEntry.pFileName
|
|
);
|
|
|
|
fileName = filePath;
|
|
}
|
|
|
|
//
|
|
// And the action name.
|
|
//
|
|
|
|
if (logEntry.Action < FILTQ_ACTION_COUNT)
|
|
{
|
|
pAction = g_pFiltqActions[logEntry.Action];
|
|
}
|
|
else
|
|
{
|
|
sprintf( invalidAction, "%lu", (ULONG)logEntry.Action );
|
|
pAction = invalidAction;
|
|
}
|
|
|
|
|
|
dprintf(
|
|
"CPU=%lu Conn=%p Act=%s ReadIrps=%lu Writers=%lu, %s:%u\n",
|
|
logEntry.Processor,
|
|
logEntry.pConnection,
|
|
pAction,
|
|
logEntry.ReadIrps,
|
|
logEntry.Writers,
|
|
fileName,
|
|
logEntry.LineNumber
|
|
);
|
|
|
|
}
|
|
}
|
|
|
|
} // fqlog
|
|
|
|
|