FILE_OBJECT
https://msdn.microsoft.com/en-us/library/windows/hardware/ff545834(v=vs.85).aspx
The FILE_OBJECT structure is used by the system to represent a file object. To user-mode protected subsystems, a file object represents an open instance of a file, device, directory, or volume. To device and intermediate drivers, a file object usually represents a device object. To drivers in the file system stack, a file object usually represents a directory or file.
A file object is partially opaque. Certain types of drivers, such as file system drivers and network transport drivers, use some of the fields of file objects.
typedef struct _FILE_OBJECT {
    CSHORT Type;
    CSHORT Size;
    PDEVICE_OBJECT DeviceObject;
    PVPB Vpb;
    PVOID FsContext;
    PVOID FsContext2;
    PSECTION_OBJECT_POINTERS SectionObjectPointer;
    PVOID PrivateCacheMap;
    NTSTATUS FinalStatus;
    struct _FILE_OBJECT *RelatedFileObject;
    BOOLEAN LockOperation;
    BOOLEAN DeletePending;
    BOOLEAN ReadAccess;
    BOOLEAN WriteAccess;
    BOOLEAN DeleteAccess;
    BOOLEAN SharedRead;
    BOOLEAN SharedWrite;
    BOOLEAN SharedDelete;
    ULONG Flags;
    UNICODE_STRING FileName;
    LARGE_INTEGER CurrentByteOffset;
    __volatile ULONG Waiters;
    __volatile ULONG Busy;
    PVOID LastLock;
    KEVENT Lock;
    KEVENT Event;
    __volatile PIO_COMPLETION_CONTEXT CompletionContext;
    KSPIN_LOCK IrpListLock;
    LIST_ENTRY IrpList;
    __volatile PVOID FileObjectExtension;
} FILE_OBJECT, *PFILE_OBJECT;
Members
- Type
-
A read-only member used by the system to indicate that the object is a file object. If the object is a file object, the value of this member is 5.
- Size
-
A read-only member that specifies the size, in bytes, of the file object. This size does not include the file object extension, if one is present.
- DeviceObject
-
A pointer to the device object on which the file is opened.
- Vpb
-
A pointer to the volume parameter block associated with the file object.
Note that if the Vpb member is non-NULL, the file resides on a mounted volume.
- FsContext
-
A pointer to whatever optional state a driver maintains about the file object; otherwise, NULL. For file system drivers, this member must point to a FSRTL_ADVANCED_FCB_HEADER header structure that is contained within a file-system-specific structure; otherwise system instability can result. Usually, this header structure is embedded in a file control block (FCB). However, on some file systems that support multiple data streams, such as NTFS, this header structure is a stream control block (SCB).
Note: In a WDM device stack, only the functional device object (FDO) can use the two context pointers. File system drivers share this member across multiple opens to the same data stream.
- FsContext2
-
A pointer to whatever additional state a driver maintains about the file object; otherwise, NULL.
Note: This member is opaque for drivers in the file system stack because the underlying file system utilizes this member.
- SectionObjectPointer
-
A pointer to the file object's read-only section object. This member is set only by file systems and used for Cache Manager interaction.
- PrivateCacheMap
-
An opaque member, set only by file systems, that points to handle-specific information and that is used for Cache Manager interaction.
- FinalStatus
-
A read-only member that is used, in certain synchronous cases, to indicate the final status of the file object's I/O request.
- RelatedFileObject
-
A pointer to a FILE_OBJECT structure used to indicate that the current file object has been opened relative to an already open file object. The file object pointed to by this member is usually a directory (meaning the current file has been opened relative to this directory). However, a file can be reopened relative to itself, and alternate data streams for a file can be opened relative to an already open primary data stream for that same file. The RelatedFileObject member is only valid during the processing of the IRP_MJ_CREATE requests.
- LockOperation
-
A read-only member. If FALSE, a lock operation (NtLockFile) has never been performed on the file object. If TRUE, at least one lock operation has been performed on the file object. Once set to TRUE, this member always remains TRUE (for example, releasing file locks on the file object does not reset this member to FALSE).
- DeletePending
-
A read-only member. If TRUE, a delete operation for the file associated with the file object exists. If FALSE, there currently is no pending delete operation for the file object.
- ReadAccess
-
A read-only member. If TRUE, the file associated with the file object has been opened for read access. If FALSE, the file has been opened without read access. This information is used when checking and/or setting the share access of the file.
- WriteAccess
-
A read-only member. If TRUE, the file associated with the file object has been opened for write access. If FALSE, the file has been opened without write access. This information is used when checking and/or setting the share access of the file.
- DeleteAccess
-
A read-only member. If TRUE, the file associated with the file object has been opened for delete access. If FALSE, the file has been opened without delete access. This information is used when checking and/or setting the share access of the file.
- SharedRead
-
A read-only member. If TRUE, the file associated with the file object has been opened for read sharing access. If FALSE, the file has been opened without read sharing access. This information is used when checking and/or setting the share access of the file.
- SharedWrite
-
A read-only member. If TRUE, the file associated with the file object has been opened for write sharing access. If FALSE, the file has been opened without write sharing access. This information is used when checking and/or setting the share access of the file.
- SharedDelete
-
A read-only member. If TRUE, the file associated with the file object has been opened for delete sharing access. If FALSE, the file has been opened without delete sharing access. This information is used when checking and/or setting the share access of the file.
- Flags
-
A read-only member used by the system to hold one or more (a bitwise inclusive OR combination) of the following private flag values.
| Flag | Meaning |
| --- | --- |
| FO_FILE_OPEN | Deprecated. |
| FO_SYNCHRONOUS_IO | The file object is opened for synchronous I/O. |
| FO_ALERTABLE_IO | Any wait in the I/O manager, as a result of a request made to this file object, is alertable. |
| FO_NO_INTERMEDIATE_BUFFERING | The file associated with the file object cannot be cached or buffered in a driver's internal buffers. |
| FO_WRITE_THROUGH | System services, file system drivers, and drivers that write data to the file must transfer the data into the file before any requested write operation is considered complete. |
| FO_SEQUENTIAL_ONLY | The file associated with the file object was opened for sequential I/O operations only. |
| FO_CACHE_SUPPORTED | The file associated with the file object is cacheable. This flag should be set only by a file system driver, and only if the FsContext member points to a valid FSRTL_ADVANCED_FCB_HEADER structure. |
| FO_NAMED_PIPE | The file object represents a named pipe. |
| FO_STREAM_FILE | The file object represents a file stream. |
| FO_MAILSLOT | The file object represents a mailslot. |
| FO_GENERATE_AUDIT_ON_CLOSE | Deprecated. |
| FO_QUEUE_IRP_TO_THREAD | IRPs will not be queued to this file object. |
| FO_DIRECT_DEVICE_OPEN | The device targeted by this file object was opened directly. |
| FO_FILE_MODIFIED | The file associated with the file object has been modified. |
| FO_FILE_SIZE_CHANGED | The file associated with the file object has changed in size. |
| FO_CLEANUP_COMPLETE | The file system has completed its cleanup for this file object. |
| FO_TEMPORARY_FILE | The file associated with the file object is a temporary file. |
| FO_DELETE_ON_CLOSE | The file associated with the file object will be deleted by the file system upon close. |
| FO_OPENED_CASE_SENSITIVE | The file name case of the file associated with the file object is respected. |
| FO_HANDLE_CREATED | A file handle was created for the file object. |
| FO_FILE_FAST_IO_READ | A fast I/O read was performed on this file object. |
| FO_RANDOM_ACCESS | The file associated with the file object was opened for random access. |
| FO_FILE_OPEN_CANCELLED | The create request for this file object was canceled before completing. |
| FO_VOLUME_OPEN | The file object represents a volume open request. |
| FO_REMOTE_ORIGIN | The create request for the file associated with the file object originated on a remote machine. |
| FO_SKIP_COMPLETION_PORT | For a file object associated with a port, determines if the system should skip queuing to the completion port when the IRP is completed synchronously with a non-error status return value. |
| FO_SKIP_SET_EVENT | Skip setting the event for the file object upon IRP completion. |
| FO_SKIP_SET_FAST_IO | Skip setting an event supplied to a system service when the fast I/O path is successful. |
- FileName
-
A UNICODE_STRING structure whose Buffer member points to a read-only Unicode string that holds the name of the file opened on the volume. If the volume is being opened, the Length member of the UNICODE_STRING structure will be zero. Note that the file name in this string is valid only during the initial processing of an IRP_MJ_CREATE request. This file name should not be considered valid after the file system starts to process the IRP_MJ_CREATE request. The storage for the string pointed to by the Buffer member of the UNICODE_STRING structure is allocated in paged system memory. For more information about obtaining a file name, see FltGetFileNameInformation.
- CurrentByteOffset
-
A read-only member that specifies the file offset, in bytes, associated with the file object.
- Waiters
-
A read-only member used by the system to count the number of outstanding waiters on a file object opened for synchronous access.
- Busy
-
A read-only member used by the system to indicate whether a file object opened for synchronous access is currently busy.
- LastLock
-
An opaque pointer to the last lock applied to the file object.
- Lock
-
An opaque member used by the system to hold a file object event lock. The event lock is used to control synchronous access to the file object. Applicable only to file objects that are opened for synchronous access.
- Event
-
An opaque member used by the system to hold an event object for the file object. The event object is used to signal the completion of an I/O request on the file object if no user event was supplied or a synchronous API was called.
- CompletionContext
-
An opaque pointer to completion port information (port pointer and key) associated with the file object, if any.
- IrpListLock
-
An opaque pointer to a KSPIN_LOCK structure that serves as the spin lock used to synchronize access to the file object's IRP list.
- IrpList
-
An opaque pointer to the head of the IRP list associated with the file object.
- FileObjectExtension
-
An opaque pointer to the file object's file object extension (FOBX) structure. The FOBX structure contains various opaque contexts used internally as well as the per-file object contexts available through FsRtlXxx routines.
Remarks
Drivers can use the FsContext and FsContext2 members to maintain driver-determined state about an open file object. A driver cannot use these members unless the file object is accessible in the driver's I/O stack location of an IRP.
All remaining members in a file object are either opaque or read-only:
- Opaque members within a file object should be considered inaccessible. Drivers with dependencies on object field locations or access to opaque members might not remain portable and interoperable with other drivers over time.
- Drivers can use read-only members to acquire relevant information but must not modify read-only members and, if a pointer, the object that the member points to.
During the processing of an IRP_MJ_CREATE request, a file system driver calls the IoSetShareAccess routine (if the client is the first to open the file) or the IoCheckShareAccess routine (for subsequent clients that want to share the file). IoSetShareAccess and IoCheckShareAccess update the ReadAccess, WriteAccess, and DeleteAccess members to indicate the access rights that are granted to the client if the client has exclusive access to the file. Additionally, IoCheckShareAccess updates the SharedRead, SharedWrite, and SharedDelete members to indicate the access rights that are simultaneously granted to two or more clients that share the file. If the driver for a device other than a file system has to monitor the access rights of clients, this driver typically stores access rights information in context buffers that are pointed to by the FsContext and FsContext2 members.
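The share-access bookkeeping described above can be followed in a small user-mode model. This is an added example, not Microsoft's code and not part of the original page: model_file_object, model_share_access and model_check_share_access are hypothetical names, and the compatibility rule is a simplified rendering of what a file system enforces through IoSetShareAccess and IoCheckShareAccess.

```c
#include <stdbool.h>
#include <stdint.h>

/* Access-mask and share-mode bit values from the Windows headers. */
#define FILE_READ_DATA    0x0001u
#define FILE_WRITE_DATA   0x0002u
#define FILE_APPEND_DATA  0x0004u
#define FILE_EXECUTE      0x0020u
#define DELETE_ACCESS     0x00010000u  /* named DELETE in winnt.h */
#define FILE_SHARE_READ   0x1u
#define FILE_SHARE_WRITE  0x2u
#define FILE_SHARE_DELETE 0x4u
/* Hypothetical model types: the six FILE_OBJECT booleans, and per-file counters. */
typedef struct { bool ReadAccess, WriteAccess, DeleteAccess,
                      SharedRead, SharedWrite, SharedDelete; } model_file_object;
typedef struct { unsigned OpenCount, Readers, Writers, Deleters,
                          SharedRead, SharedWrite, SharedDelete; } model_share_access;

/* Returns true and updates the counters if this open is compatible with all
   earlier opens; false is where a driver would return STATUS_SHARING_VIOLATION. */
bool model_check_share_access(uint32_t desired, uint32_t share,
                              model_file_object *fo, model_share_access *sa)
{
    fo->ReadAccess   = (desired & (FILE_READ_DATA | FILE_EXECUTE)) != 0;
    fo->WriteAccess  = (desired & (FILE_WRITE_DATA | FILE_APPEND_DATA)) != 0;
    fo->DeleteAccess = (desired & DELETE_ACCESS) != 0;
    if (!(fo->ReadAccess || fo->WriteAccess || fo->DeleteAccess))
        return true;  /* attribute-only opens take no part in sharing */
    fo->SharedRead   = (share & FILE_SHARE_READ) != 0;
    fo->SharedWrite  = (share & FILE_SHARE_WRITE) != 0;
    fo->SharedDelete = (share & FILE_SHARE_DELETE) != 0;
    /* Conflict: an earlier opener did not share the access requested now,
       or an earlier opener holds an access this open will not share. */
    if ((fo->ReadAccess   && sa->SharedRead   < sa->OpenCount) ||
        (fo->WriteAccess  && sa->SharedWrite  < sa->OpenCount) ||
        (fo->DeleteAccess && sa->SharedDelete < sa->OpenCount) ||
        (sa->Readers  && !fo->SharedRead)  ||
        (sa->Writers  && !fo->SharedWrite) ||
        (sa->Deleters && !fo->SharedDelete))
        return false;
    sa->OpenCount++;
    sa->Readers      += fo->ReadAccess;
    sa->Writers      += fo->WriteAccess;
    sa->Deleters     += fo->DeleteAccess;
    sa->SharedRead   += fo->SharedRead;
    sa->SharedWrite  += fo->SharedWrite;
    sa->SharedDelete += fo->SharedDelete;
    return true;
}
```

Starting from a zeroed model_share_access, the first call plays the role of the first opener; later calls are checked against everything the earlier openers requested and agreed to share.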