PRECORD_LIST SpyNewRecord ( VOID ) /*++ Routine Description: Allocates a new RECORD_LIST structure if there is enough memory to do so. A sequence number is updated for each request for a new record. NOTE: This code must be NON-PAGED because it can be called on the paging path or at DPC level. Arguments: None Return Value: Pointer to the RECORD_LIST allocated, or NULL if no memory is available. --*/ { PRECORD_LIST newRecord; ULONG initialRecordType; // // Allocate the buffer // newRecord = SpyAllocateBuffer( &initialRecordType ); if (newRecord == NULL) { // // We could not allocate a record, see if the static buffer is // in use. If not, we will use it // if (!InterlockedExchange( &MiniFSWatcherData.StaticBufferInUse, TRUE )) { newRecord = (PRECORD_LIST)MiniFSWatcherData.OutOfMemoryBuffer; initialRecordType |= RECORD_TYPE_FLAG_STATIC; } } // // If we got a record (doesn't matter if it is static or not), init it // if (newRecord != NULL) { // // Init the new record // newRecord->LogRecord.RecordType = initialRecordType; newRecord->LogRecord.Length = sizeof(LOG_RECORD); newRecord->LogRecord.SequenceNumber = InterlockedIncrement( &MiniFSWatcherData.LogSequenceNumber ); RtlZeroMemory( &newRecord->LogRecord.Data, sizeof( RECORD_DATA ) ); } return( newRecord ); }
VOID SpySetName ( __inout PRECORD_LIST RecordList, __in PDEVICE_OBJECT DeviceObject, __in_opt PFILE_OBJECT FileObject, __in ULONG LookupFlags, __in_opt PVOID Context ) /*++ Routine Description: This routine looks up the FileObject in the hash table. If the FileObject is found in the hash table, copy the associated file name to RecordList. Otherwise, calls NLGetFullPathName to try to get the name of the FileObject. If successful, copy the file name to the RecordList and insert into hash table. Arguments: RecordList - RecordList to copy name to. FileObject - the FileObject to look up. LookInFileObject - see routine description DeviceExtension - contains the volume name (e.g., "c:") and the next device object which may be needed. Return Value: None. --*/ { PFILESPY_DEVICE_EXTENSION devExt = DeviceObject->DeviceExtension; UINT_PTR hashIndex; KIRQL oldIrql; PHASH_ENTRY pHash; PHASH_ENTRY newHash; PLIST_ENTRY listHead; PNAME_CONTROL newName = NULL; PCHAR buffer = NULL; NTSTATUS status; BOOLEAN cacheName; UNREFERENCED_PARAMETER( Context ); try { if (FileObject == NULL) { SpyCopyFileNameToLogRecord( &RecordList->LogRecord, &gEmptyUnicode ); leave; } hashIndex = HASH_FUNC(FileObject); INC_STATS(TotalContextSearches); listHead = &gHashTable[hashIndex]; // // Don't bother checking the hash if we are in create, we must always // generate a name. // if (!FlagOn(LookupFlags, NLFL_IN_CREATE)) { // // Acquire the hash lock // KeAcquireSpinLock( &gHashLockTable[hashIndex], &oldIrql ); pHash = SpyHashBucketLookup( &gHashTable[hashIndex], FileObject ); if (pHash != NULL) { // // Copy the found file name to the LogRecord // SpyCopyFileNameToLogRecord( &RecordList->LogRecord, &pHash->Name ); KeReleaseSpinLock( &gHashLockTable[hashIndex], oldIrql ); INC_STATS( TotalContextFound ); leave; } KeReleaseSpinLock( &gHashLockTable[hashIndex], oldIrql ); } #if WINVER >= 0x0501 // // We can not allocate paged pool if this is a paging file. If it is // a paging file set a default name and return // #if __NDAS_FS__ NDASFS_ASSERT( FALSE ); #else if (FsRtlIsPagingFile( FileObject )) { SpyCopyFileNameToLogRecord( &RecordList->LogRecord, &PagingFile ); leave; } #endif #endif // // We did not find the name in the hash. Allocate name control buffer // (for getting name) and a buffer for inserting this name into the // hash. // buffer = SpyAllocateBuffer( &gNamesAllocated, gMaxNamesToAllocate, NULL ); status = NLAllocateNameControl( &newName, &gFileSpyNameBufferLookasideList ); if ((buffer != NULL) && NT_SUCCESS(status)) { // // Init the new hash entry in case we need to use it // newHash = (PHASH_ENTRY)buffer; RtlInitEmptyUnicodeString( &newHash->Name, (PWCHAR)(buffer + sizeof(HASH_ENTRY)), RECORD_SIZE - sizeof(HASH_ENTRY) ); // // Retrieve the name // status = NLGetFullPathName( FileObject, newName, &devExt->NLExtHeader, LookupFlags | NLFL_USE_DOS_DEVICE_NAME, &gFileSpyNameBufferLookasideList, &cacheName ); if (NT_SUCCESS( status ) && cacheName) { // // We got a name and the name should be cached, save it in the // log record and the hash buffer. // SpyCopyFileNameToLogRecord( &RecordList->LogRecord, &newName->Name ); RtlCopyUnicodeString( &newHash->Name, &newName->Name ); newHash->FileObject = FileObject; // // Acquire the hash lock // KeAcquireSpinLock( &gHashLockTable[hashIndex], &oldIrql ); // // Search again because it may have been stored in the hash table // since we did our last search and dropped the lock. // pHash = SpyHashBucketLookup( &gHashTable[hashIndex], FileObject ); if (pHash != NULL) { // // We found it in the hash table this time, don't need to // cache it again. // KeReleaseSpinLock( &gHashLockTable[hashIndex], oldIrql ); leave; } // // It not found in the hash, add the new entry. // InsertHeadList( listHead, &newHash->List ); gHashCurrentCounters[hashIndex]++; if (gHashCurrentCounters[hashIndex] > gHashMaxCounters[hashIndex]) { gHashMaxCounters[hashIndex] = gHashCurrentCounters[hashIndex]; } // // Since we inserted the new hash entry, mark the buffer as empty // so we won't try and free it // buffer = NULL; KeReleaseSpinLock( &gHashLockTable[hashIndex], oldIrql ); } else { // // Either the name should not be cached or we couldn't get a // name, return whatever name they gave us // SpyCopyFileNameToLogRecord( &RecordList->LogRecord, &newName->Name ); INC_STATS( TotalContextTemporary ); } } else { // // Set a default string even if there is no buffer. // SpyCopyFileNameToLogRecord( &RecordList->LogRecord, &OutOfBuffers ); } } finally { // // Free memory // if (buffer != NULL) { SpyFreeBuffer( buffer, &gNamesAllocated ); } if (newName != NULL) { NLFreeNameControl( newName, &gFileSpyNameBufferLookasideList ); } } }