函数
//得到对应卷的实例
PFLT_INSTANCE
XBFltGetVolumeInstance(
IN PFLT_FILTER pFilter,
IN PUNICODE_STRING pVolumeName
)
{
NTSTATUS status;
PFLT_INSTANCE pInstance = NULL;
PFLT_VOLUME pVolumeList[MAX_VOLUME_CHARS];
BOOLEAN bDone = FALSE;
ULONG uRet;
UNICODE_STRING uniName ={0};
ULONG index = 0;
WCHAR wszNameBuffer[MAX_PATH] = {0};
status = FltEnumerateVolumes(pFilter,
NULL,
0,
&uRet);
if(status != STATUS_BUFFER_TOO_SMALL)
{
return NULL;
}
status = FltEnumerateVolumes(pFilter,
pVolumeList,
uRet,
&uRet);
if(!NT_SUCCESS(status))
{
return NULL;
}
uniName.Buffer = wszNameBuffer;
if (uniName.Buffer == NULL)
{
for (index = 0;index< uRet; index++)
Flt Dereference(pVolumeList[index]);
return NULL;
}
uniName.MaximumLength = MAX_PATH*sizeof(WCHAR);
for (index = 0; index < uRet; index++)
{
uniName.Length = 0;
status = FltGetVolumeName( pVolumeList[index],
&uniName,
NULL);
if(!NT_SUCCESS(status))
continue;
if(RtlCompareUnicodeString(&uniName,
pVolumeName,
TRUE) != 0)
continue;
status = FltGetVolumeInstanceFromName(pFilter,
pVolumeList[index],
NULL,
&pInstance);
if(NT_SUCCESS(status))
{
Flt Dereference(pInstance);
break;
}
}
for (index = 0;index< uRet; index++)
Flt Dereference(pVolumeList[index]);
return pInstance;
}
以下是怎么使用
//获得文件所在盘的实例
PFLT_INSTANCE fileInstance = NULL;
UNICODE_STRING pVolumeNamec;
RtlInitUnicodeString(&pVolumeNamec, L\"\\\\Device\\\\HarddiskVolume2\");//所在的卷
fileInstance = XBFltGetVolumeInstance(gFilterHandle, &pVolumeNamec);
继续阅读与本文标签相同的文章
上一篇 :
开源大数据周刊-第81期
-
携程、阿里、京东、腾讯iOS春招面试过程以及面试题总结!
2026-05-19栏目: 教程
-
浏览器事件机制中 事件触发的三个阶段
2026-05-19栏目: 教程
-
德媒:德国5G安全标准“一视同仁”,5G建设不排除华为
2026-05-19栏目: 教程
-
简单了解 JavaScript的组成
2026-05-19栏目: 教程
-
阿里云如何备份虚拟机?
2026-05-19栏目: 教程