FILE_OBJECT
https://msdn.microsoft.com/en-us/library/windows/hardware/ff545834(v=vs.85).aspx
The FILE_OBJECT structure is used by the system to represent a file object. To user-mode protected subsystems, a file object represents an open instance of a file, device, directory, or volume. To device and intermediate drivers, a file object usually represents a device object. To drivers in the file system stack, a file object usually represents a directory or file.
A file object is partially opaque. Certain types of drivers, such as file system drivers and network transport drivers, use some of the fields of file objects.
typedef struct _FILE_OBJECT {
CSHORT Type;
CSHORT Size;
PDEVICE_OBJECT DeviceObject;
PVPB Vpb;
PVOID FsContext;
PVOID FsContext2;
PSECTION_OBJECT_POINTERS SectionObjectPointer;
PVOID PrivateCacheMap;
NTSTATUS FinalStatus;
struct _FILE_OBJECT *RelatedFileObject;
BOOLEAN LockOperation;
BOOLEAN DeletePending;
BOOLEAN ReadAccess;
BOOLEAN WriteAccess;
BOOLEAN DeleteAccess;
BOOLEAN SharedRead;
BOOLEAN SharedWrite;
BOOLEAN SharedDelete;
ULONG Flags;
UNICODE_STRING FileName;
LARGE_INTEGER CurrentByteOffset;
__volatile ULONG Waiters;
__volatile ULONG Busy;
PVOID LastLock;
KEVENT Lock;
KEVENT Event;
__volatile PIO_COMPLETION_CONTEXT CompletionContext;
KSPIN_LOCK IrpListLock;
LIST_ENTRY IrpList;
__volatile PVOID FileObjectExtension;
} FILE_OBJECT, *PFILE_OBJECT;
Members
- Type
-
A read-only member used by the system to indicate that the object is a file object. If the object is a file object, the value of this member is 5.
- Size
-
A read-only member that specifies the size, in bytes, of the file object. This size does not include the file object extension, if one is present.
- DeviceObject
-
A pointer to the device object on which the file is opened.
- Vpb
-
A pointer to the volume parameter block associated with the file object.
Note that if the Vpb member is non-NULL, the file resides on a mounted volume.
- FsContext
-
A pointer to whatever optional state a driver maintains about the file object; otherwise, NULL. For file system drivers, this member must point to aFSRTL_ADVANCED_FCB_HEADER header structure that is contained within a file-system-specific structure; otherwise system instability can result. Usually, this header structure is embedded in a file control block (FCB). However, on some file systems that support multiple data streams, such as NTFS, this header structure is a stream control block (SCB).
Note In a WDM device stack, only the functional device object (FDO) can use the two context pointers. File system drivers share this member across multiple opens to the same data stream. - FsContext2
-
A pointer to whatever additional state a driver maintains about the file object; otherwise, NULL.
Note This member is opaque for drivers in the file system stack because the underlying file system utilizes this member. - SectionObjectPointer
-
A pointer to the file object's read-only section object. This member is set only by file systems and used for Cache Manager interaction.
- PrivateCacheMap
-
An opaque member, set only by file systems, that points to handle-specific information and that is used for Cache Manager interaction.
- FinalStatus
-
A read-only member that is used, in certain synchronous cases, to indicate the final status of the file object's I/O request.
- RelatedFileObject
-
A pointer to a FILE_OBJECT structure used to indicate that the current file object has been opened relative to an already open file object. The file object pointed to by this member is usually a directory (meaning the current file has been opened relative to this directory). However, a file can be reopened relative to itself, and alternate data streams for a file can be opened relative to an already open primary data stream for that same file. The RelatedFileObject member is only valid during the processing of the IRP_MJ_CREATE requests.
- LockOperation
-
A read-only member. If FALSE, a lock operation (NtLockFile) has never been performed on the file object. If TRUE, at least one lock operation has been performed on the file object. Once set to TRUE, this member always remains TRUE (for example, releasing file locks on the file object does not reset this member to FALSE).
- DeletePending
-
A read-only member. If TRUE, a delete operation for the file associated with the file object exists. If FALSE, there currently is no pending delete operation for the file object.
- ReadAccess
-
A read-only member. If TRUE, the file associated with the file object has been opened for read access. If FALSE, the file has been opened without read access. This information is used when checking and/or setting the share access of the file.
- WriteAccess
-
A read-only member. If TRUE, the file associated with the file object has been opened for write access. If FALSE, the file has been opened without write access. This information is used when checking and/or setting the share access of the file.
- DeleteAccess
-
A read-only member. If TRUE, the file associated with the file object has been opened for delete access. If FALSE, the file has been opened without delete access. This information is used when checking and/or setting the share access of the file.
- SharedRead
-
A read-only member. If TRUE, the file associated with the file object has been opened for read sharing access. If FALSE, the file has been opened without read sharing access. This information is used when checking and/or setting the share access of the file.
- SharedWrite
-
A read-only member. If TRUE, the file associated with the file object has been opened for write sharing access. If FALSE, the file has been opened without write sharing access. This information is used when checking and/or setting the share access of the file.
- SharedDelete
-
A read-only member. If TRUE, the file associated with the file object has been opened for delete sharing access. If FALSE, the file has been opened without delete sharing access. This information is used when checking and/or setting the share access of the file.
- Flags
-
A read-only member used by the system to hold one or more (a bitwise inclusive OR combination) of the following private flag values.
Flag Meaning FO_FILE_OPEN
Deprecated.
FO_SYNCHRONOUS_IO
The file object is opened for synchronous I/O.
FO_ALERTABLE_IO
Any wait in the I/O manager, as a result of a request made to this file object, is alertable.
FO_NO_INTERMEDIATE_BUFFERING
The file associated with the file object cannot be cached or buffered in a driver's internal buffers.
FO_WRITE_THROUGH
System services, file system drivers, and drivers that write data to the file must transfer the data into the file before any requested write operation is considered complete.
FO_SEQUENTIAL_ONLY
The file associated with the file object was opened for sequential I/O operations only.
FO_CACHE_SUPPORTED
The file associated with the file object is cacheable. This flag should be set only by a file system driver, and only if theFsContext member points to a valid FSRTL_ADVANCED_FCB_HEADER structure.
FO_NAMED_PIPE
The file object represents a named pipe.
FO_STREAM_FILE
The file object represents a file stream.
FO_MAILSLOT
The file object represents a mailslot.
FO_GENERATE_AUDIT_ON_CLOSE
Deprecated.
FO_QUEUE_IRP_TO_THREAD
IRPs will not be queued to this file object.
FO_DIRECT_DEVICE_OPEN
The device targeted by this file object was opened directly.
FO_FILE_MODIFIED
The file associated with the file object has been modified.
FO_FILE_SIZE_CHANGED
The file associated with the file object has changed in size.
FO_CLEANUP_COMPLETE
The file system has completed its cleanup for this file object.
FO_TEMPORARY_FILE
The file associated with the file object is a temporary file.
FO_DELETE_ON_CLOSE
The file associated with the file object will be deleted by the file system upon close.
FO_OPENED_CASE_SENSITIVE
The file name case of the file associated with the file object is respected.
FO_HANDLE_CREATED
A file handle was created for file object.
FO_FILE_FAST_IO_READ
A fast I/O read was performed on this file object.
FO_RANDOM_ACCESS
The file associated with the file object was opened for random access.
FO_FILE_OPEN_CANCELLED
The create request for this file object was canceled before completing.
FO_VOLUME_OPEN
The file object represents a volume open request.
FO_REMOTE_ORIGIN
The create request for the file associated with the file object originated on a remote machine.
FO_SKIP_COMPLETION_PORT
For a file object associated with a port, determines if the system should skip queuing to the completion port when the IRP is completed synchronously with a non-error status return value.
FO_SKIP_SET_EVENT
Skip setting the event for the file object upon IRP completion.
FO_SKIP_SET_FAST_IO
Skip setting an event supplied to a system service when the fast I/O path is successful.
- FileName
-
A UNICODE_STRING structure whose Buffer member points to a read-only Unicode string that holds the name of the file opened on the volume. If the volume is being opened, the Length member of the UNICODE_STRING structure will be zero. Note that the file name in this string is valid only during the initial processing of an IRP_MJ_CREATE request. This file name should not be considered valid after the file system starts to process the IRP_MJ_CREATE request. The storage for the string pointed to by the Buffer member of the UNICODE_STRING structure is allocated in paged system memory. For more information about obtaining a file name, see FltGetFileNameInformation.
- CurrentByteOffset
-
A read-only member that specifies the file offset, in bytes, associated with the file object.
- Waiters
-
A read-only member used by the system to count the number of outstanding waiters on a file object opened for synchronous access.
- Busy
-
A read-only member used by the system to indicate whether a file object opened for synchronous access is currently busy.
- LastLock
-
An opaque pointer to the last lock applied to the file object.
- Lock
-
An opaque member used by the system to hold a file object event lock. The event lock is used to control synchronous access to the file object. Applicable only to file objects that are opened for synchronous access.
- Event
-
An opaque member used by the system to hold an event object for the file object. The event object is used to signal the completion of an I/O request on the file object if no user event was supplied or a synchronous API was called.
- CompletionContext
-
An opaque pointer to completion port information (port pointer and key) associated with the file object, if any.
- IrpListLock
-
An opaque pointer to a KSPIN_LOCK structure that serves as the spin lock used to synchronize access to the file object's IRP list.
- IrpList
-
An opaque pointer to the head of the IRP list associated with the file object.
- FileObjectExtension
-
An opaque pointer to the file object's file object extension (FOBX) structure. The FOBX structure contains various opaque contexts used internally as well as the per-file object contexts available through FsRtlXxx routines.
Remarks
Drivers can use the FsContext and FsContext2 members to maintain driver-determined state about an open file object. A driver cannot use these members unless the file object is accessible in the driver's I/O stack location of an IRP.
All remaining members in a file object are either opaque or read-only:
Opaque members within a file object should be considered inaccessible. Drivers with dependencies on object field locations or access to opaque members might not remain portable and interoperable with other drivers over time.
Drivers can use read-only members to acquire relevant information but must not modify read-only members and, if a pointer, the object that the member points to.
During the processing of an IRP_MJ_CREATE request, a file system driver calls the IoSetShareAccess routine (if the client is the first to open the file) or the IoCheckShareAccess routine (for subsequent clients that want to share the file). IoSetShareAccess and IoCheckShareAccess update theReadAccess, WriteAccess, and DeleteAccess members to indicate the access rights that are granted to the client if the client has exclusive access to the file. Additionally, IoCheckShareAccess updates the SharedRead, SharedWrite, and SharedDelete members to indicate the access rights that are simultaneously granted to two or more clients that share the file. If the driver for a device other than a file system has to monitor the access rights of clients, this driver typically stores access rights information in context buffers that are pointed to by the FsContext and FsContext2 members.
FILE_OBJECT的更多相关文章
- note : Get FilePathName from FILE_OBJECT
转自:http://blog.csdn.net/lostspeed/article/details/11738311 封了一个函数, 从 FILE_OBJECT 中 得到 FilePathName 在 ...
- python读取excel一例-------从工资表逐行提取信息
在工作中经常要用到python操作excel,比如笔者公司中一个人事MM在发工资单的时候,需要从几百行的excel表中逐条的粘出信息,然后逐个的发送到员工的邮箱中.人事MM对此事不胜其烦,终于在某天请 ...
- Python读写文件
Python读写文件1.open使用open打开文件后一定要记得调用文件对象的close()方法.比如可以用try/finally语句来确保最后能关闭文件. file_object = open('t ...
- Windows内核开发中如何区分文件对象究竟是文件还是文件夹?
今天有同行问了一个问题,Windows文件过滤驱动里的如何去区分一个对象是文件还是文件夹?我花了1小时左右翻阅了一些微软的文档以及以前的遗留代码,发现在WDK的帮助文档中是这么定义的: FILE_OB ...
- Python的入门要点
一.输入 1.键盘输入 在python 2.7中,不用input(),而用 raw_input()读入一行键盘输入,并转化为字符串. s = map(int ,raw_input().split()) ...
- [转]C/C++ 实现文件透明加解密
今日遇见一个开超市的朋友,真没想到在高校开超市一个月可以达到月净利润50K,相比起我们程序员的工资,真是不可同日而语,这个世道啊,真是做程序员不如经商开超市, 我们高科技的从业者,真是造原子弹不如卖茶 ...
- Python 文件常见操作
# -*-coding:utf8 -*- ''''' Python常见文件操作示例 os.path 模块中的路径名访问函数 分隔 basename() 去掉目录路径, 返回文件名 dirname() ...
- Python实时获取贴吧邮箱名单并向其发送邮件
本人Python大菜鸟,今天用python写了一个脚本.主要功能是获取贴吧指定贴子评论中留下的邮箱,通过系统的crontab每一分钟自动检测新邮箱并向其发送邮件,检测机制是去查询数据库的记录,也就是不 ...
- 积累一点ctf需要掌握的常见脚本知识
1.暴力破解压缩包. 2.利用像素点还原图片. from PIL import Image import re if __name__ == '__main__': x = 887 //将像素点个数进 ...
随机推荐
- fatal error C1189: #error : "No Target Architecture" 解决办法一
在编译程序的时候发现报这个错误,在网上看到很多文章,说设置include路径,lib目录等等,都没有解决.最后调整了以下include文件的顺序,问题解决了.例如 从头文件a.h中截取的一段 type ...
- CSS:CSS 图片廊
ylbtech-CSS:CSS 图片廊 1.返回顶部 1. CSS 图片廊 以下是使用CSS创建图片廊: 图片廊 以下是使用 CSS 创建图片廊: 实例 <div class="res ...
- XML XPATH simpleXML
XPath 通过DOM结构定位节点,在数据量很大的情况下速度下降的很厉害.解决方法是XPath.Xpath的作用:用于快速定位节点 position()是节点的位置,节点的位置是从1开始 simple ...
- Quartus II 使用 modelsim 仿真
转自:http://www.cnblogs.com/emouse/archive/2012/07/08/2581223.html Quartus 中调用modelsim的流程 1. 设定仿真工具 as ...
- node 创建静态web服务器(上)
声明:本文仅用来做学习记录. 本文将使用node创建一个简单的静态web服务器. 准备工作: 首先,准备好一个类似图片中这样的页面 第一步: 创建 http 服务: const http = requ ...
- Vue 学习笔记之 —— 表单输入绑定
Vue 中文文档 https://cn.vuejs.org/ 不多说,直接上干货. v-model 指定,用来在input textarea 等表单元素上创建双向数据绑定,负责监听用户的输入事件,以及 ...
- scala 列表List
列表: 列表是不可变,也就是说不能通过赋值改变列表的元素: 列表有递归结构,而数据是连续的 List 类型:List() 同样也是List(String) 列表是基于Nil (是空的)和::(列表从前 ...
- ES6数组Api扩充
1. Array.of( ); ----将一组数据转换成一个数组: const num=201314; const a=Array.of(num); console.log(a); //数组 ...
- vue-cli 新手 搭建项目 一
新手入坑vue 搭建项目 一.安装 vue-cli 1.打开cmd 输入命令(已自行安装好npm node等) npm install --global vue-cli (全局安装) 二.创建项 ...
- R语言 判断
R语言判断 决策结构要求程序员指定要由程序评估或测试的一个或多个条件,以及如果条件被确定为真则要执行的一个或多个语句,如果条件为假则执行其他语句. 以下是在大多数编程语言中的典型决策结构的一般形式 R ...