//
// Go ahead and set the request up as successful
//
Irp->IoStatus.Status = STATUS_SUCCESS;
Irp->IoStatus.Information = 0;
//
// Get a pointer to the current location in the Irp. This is where
// the function codes and parameters are located.
//
irpStack = IoGetCurrentIrpStackLocation (Irp);
//
// Get the pointer to the input/output buffer and its length
//
inputBuffer = Irp->AssociatedIrp.SystemBuffer;
inputBufferLength = irpStack->Parameters.DeviceIoControl.InputBufferLength;
outputBuffer = Irp->AssociatedIrp.SystemBuffer;
outputBufferLength = irpStack->Parameters.DeviceIoControl.OutputBufferLength;
ioControlCode = irpStack->Parameters.DeviceIoControl.IoControlCode;
switch (irpStack->MajorFunction) {
case IRP_MJ_CREATE:
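//
// Dump all accumulated buffers. We are in the system process so
// there's no need to queue a worker thread item.
// NOTE(review): an IRP_MJ_CREATE dispatch normally runs in the context
// of the thread that opened the device, so the system-process claim
// should be confirmed against the case label this code sits under.
//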
while( old = RegmonOldestStore()) {
RegmonWriteBootLog( old );//为什么在这里调用就是在系统进程内,而在IRP_MJ_CREATE里就不是在系统进程内??????????????????????
if( old == Store ) break;
}
break;
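//
// See if the output buffer is really a user buffer that we
// can just dump data into.
// NOTE(review): with METHOD_NEITHER the I/O manager passes
// Irp->UserBuffer through unvalidated; confirm that RegmonDeviceControl
// probes it (ProbeForWrite) and writes to it inside __try/__except.
// NOTE(review): as listed, this code follows a `break` with no case
// label in between, so it is unreachable; a label seems to be missing.
//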
if( IOCTL_TRANSFER_TYPE(ioControlCode) == METHOD_NEITHER ) { // 值为3,直接向驱动程序提供用户缓冲区
outputBuffer = Irp->UserBuffer;
}
//
// It's a request from the GUI
//
RegmonDeviceControl( irpStack->FileObject, TRUE,
inputBuffer, inputBufferLength,
outputBuffer, outputBufferLength,
ioControlCode, &Irp->IoStatus, DeviceObject );
break;
}
workitem_DeviceObject=NULL;
IoCompleteRequest( Irp, IO_NO_INCREMENT );
return STATUS_SUCCESS;
}