mirror of
https://github.com/gentilkiwi/mimikatz
synced 2024-12-18 04:04:42 +00:00
9e42ea3b28
[fix] mimidrv version
602 lines
16 KiB
C
602 lines
16 KiB
C
/*++
|
|
|
|
Copyright (c) 1989-2002 Microsoft Corporation
|
|
|
|
Module Name:
|
|
|
|
fltUserStructures.h
|
|
|
|
Abstract:
|
|
|
|
This contains structures, types, and defintiions that are common to both
|
|
USER mode and KERNEL mode environments.
|
|
|
|
Environment:
|
|
|
|
User mode
|
|
|
|
--*/
|
|
#ifndef __FLT_USER_STRUCTURES_H__
|
|
#define __FLT_USER_STRUCTURES_H__
|
|
|
|
#if FLT_MGR_BASELINE
|
|
|
|
//
|
|
// Disable warning for this file
|
|
//
|
|
|
|
#define FLTAPI NTAPI
|
|
|
|
#define FILTER_NAME_MAX_CHARS 255
|
|
#define FILTER_NAME_MAX_BYTES (FILTER_NAME_MAX_CHARS * sizeof( WCHAR ))
|
|
|
|
#define VOLUME_NAME_MAX_CHARS 1024
|
|
#define VOLUME_NAME_MAX_BYTES (VOLUME_NAME_MAX_CHARS * sizeof( WCHAR ))
|
|
|
|
#define INSTANCE_NAME_MAX_CHARS 255
|
|
#define INSTANCE_NAME_MAX_BYTES (INSTANCE_NAME_MAX_CHARS * sizeof( WCHAR ))
|
|
|
|
typedef HANDLE HFILTER;
|
|
typedef HANDLE HFILTER_INSTANCE;
|
|
typedef HANDLE HFILTER_VOLUME;
|
|
|
|
|
|
//
|
|
// Note: this may be removed in future when all translations from NTSTATUS to
|
|
// Win32 error codes are checked in. This is interim - since there the
|
|
// translation is not in for all filter manager error codes,
|
|
// apps will have to access NTSTATUS codes directly
|
|
//
|
|
|
|
typedef __success(return >= 0) LONG NTSTATUS;
|
|
typedef NTSTATUS *PNTSTATUS;
|
|
|
|
///////////////////////////////////////////////////////////////////////////////
|
|
//
|
|
// Known File System Types
|
|
//
|
|
///////////////////////////////////////////////////////////////////////////////
|
|
|
|
typedef enum _FLT_FILESYSTEM_TYPE {
|
|
|
|
FLT_FSTYPE_UNKNOWN, //an UNKNOWN file system type
|
|
FLT_FSTYPE_RAW, //Microsoft's RAW file system (\FileSystem\RAW)
|
|
FLT_FSTYPE_NTFS, //Microsoft's NTFS file system (\FileSystem\Ntfs)
|
|
FLT_FSTYPE_FAT, //Microsoft's FAT file system (\FileSystem\Fastfat)
|
|
FLT_FSTYPE_CDFS, //Microsoft's CDFS file system (\FileSystem\Cdfs)
|
|
FLT_FSTYPE_UDFS, //Microsoft's UDFS file system (\FileSystem\Udfs)
|
|
FLT_FSTYPE_LANMAN, //Microsoft's LanMan Redirector (\FileSystem\MRxSmb)
|
|
FLT_FSTYPE_WEBDAV, //Microsoft's WebDav redirector (\FileSystem\MRxDav)
|
|
FLT_FSTYPE_RDPDR, //Microsoft's Terminal Server redirector (\Driver\rdpdr)
|
|
FLT_FSTYPE_NFS, //Microsoft's NFS file system (\FileSystem\NfsRdr)
|
|
FLT_FSTYPE_MS_NETWARE, //Microsoft's NetWare redirector (\FileSystem\nwrdr)
|
|
FLT_FSTYPE_NETWARE, //Novell's NetWare redirector
|
|
FLT_FSTYPE_BSUDF, //The BsUDF CD-ROM driver (\FileSystem\BsUDF)
|
|
FLT_FSTYPE_MUP, //Microsoft's Mup redirector (\FileSystem\Mup)
|
|
FLT_FSTYPE_RSFX, //Microsoft's WinFS redirector (\FileSystem\RsFxDrv)
|
|
FLT_FSTYPE_ROXIO_UDF1, //Roxio's UDF writeable file system (\FileSystem\cdudf_xp)
|
|
FLT_FSTYPE_ROXIO_UDF2, //Roxio's UDF readable file system (\FileSystem\UdfReadr_xp)
|
|
FLT_FSTYPE_ROXIO_UDF3, //Roxio's DVD file system (\FileSystem\DVDVRRdr_xp)
|
|
FLT_FSTYPE_TACIT, //Tacit FileSystem (\Device\TCFSPSE)
|
|
FLT_FSTYPE_FS_REC, //Microsoft's File system recognizer (\FileSystem\Fs_rec)
|
|
FLT_FSTYPE_INCD, //Nero's InCD file system (\FileSystem\InCDfs)
|
|
FLT_FSTYPE_INCD_FAT, //Nero's InCD FAT file system (\FileSystem\InCDFat)
|
|
FLT_FSTYPE_EXFAT, //Microsoft's EXFat FILE SYSTEM (\FileSystem\exfat)
|
|
FLT_FSTYPE_PSFS, //PolyServ's file system (\FileSystem\psfs)
|
|
FLT_FSTYPE_GPFS //IBM General Parallel File System (\FileSystem\gpfs)
|
|
|
|
} FLT_FILESYSTEM_TYPE, *PFLT_FILESYSTEM_TYPE;
|
|
|
|
|
|
/////////////////////////////////////////////////////////////////////////////
|
|
//
|
|
// The different types information that can be return on an Filter.
|
|
//
|
|
// Note: Entries with "Aggregate" in the name return information for
|
|
// both LEGACY and MINI filters.
|
|
//
|
|
/////////////////////////////////////////////////////////////////////////////
|
|
|
|
|
|
//
|
|
// In xpsp2 we do not have the concept of enumerating legacy filters
|
|
// For this reason there is no FilterAggregateBasicInfo in the V1 version
|
|
// of the enum
|
|
//
|
|
|
|
typedef enum _FILTER_INFORMATION_CLASS {
|
|
|
|
FilterFullInformation,
|
|
FilterAggregateBasicInformation, //Added to XP SP2 via QFE
|
|
FilterAggregateStandardInformation //Longhorn and later
|
|
|
|
} FILTER_INFORMATION_CLASS, *PFILTER_INFORMATION_CLASS;
|
|
|
|
//
|
|
// The structures for the information returned from the query of
|
|
// information on a Filter.
|
|
//
|
|
|
|
typedef struct _FILTER_FULL_INFORMATION {
|
|
|
|
ULONG NextEntryOffset;
|
|
|
|
ULONG FrameID;
|
|
|
|
ULONG NumberOfInstances;
|
|
|
|
USHORT FilterNameLength;
|
|
WCHAR FilterNameBuffer[1];
|
|
|
|
} FILTER_FULL_INFORMATION, *PFILTER_FULL_INFORMATION;
|
|
|
|
|
|
//
|
|
// This structure returns information for both legacy filters and mini
|
|
// filters.
|
|
//
|
|
// NOTE: Support for this structures exists in all OS's that support
|
|
// filter manager except XP SP2. It was added later to XP SP2
|
|
// via a QFE.
|
|
//
|
|
|
|
typedef struct _FILTER_AGGREGATE_BASIC_INFORMATION {
|
|
|
|
ULONG NextEntryOffset;
|
|
|
|
//
|
|
// ABI - Aggregate Basic Information flags
|
|
//
|
|
|
|
ULONG Flags;
|
|
#define FLTFL_AGGREGATE_INFO_IS_MINIFILTER 0x00000001
|
|
#define FLTFL_AGGREGATE_INFO_IS_LEGACYFILTER 0x00000002
|
|
|
|
union {
|
|
|
|
//
|
|
// Minifilter FULL information
|
|
//
|
|
|
|
struct {
|
|
|
|
ULONG FrameID;
|
|
|
|
ULONG NumberOfInstances;
|
|
|
|
USHORT FilterNameLength;
|
|
USHORT FilterNameBufferOffset;
|
|
|
|
USHORT FilterAltitudeLength;
|
|
USHORT FilterAltitudeBufferOffset;
|
|
|
|
} MiniFilter;
|
|
|
|
//
|
|
// Legacyfilter information
|
|
//
|
|
|
|
struct {
|
|
|
|
USHORT FilterNameLength;
|
|
USHORT FilterNameBufferOffset;
|
|
|
|
} LegacyFilter;
|
|
|
|
} Type;
|
|
|
|
} FILTER_AGGREGATE_BASIC_INFORMATION, *PFILTER_AGGREGATE_BASIC_INFORMATION;
|
|
|
|
|
|
//
|
|
// This structure returns information for both legacy filters and mini
|
|
// filters.
|
|
//
|
|
// NOTE: Support for this structures exists in Vista and Later
|
|
//
|
|
|
|
#if FLT_MGR_LONGHORN
|
|
typedef struct _FILTER_AGGREGATE_STANDARD_INFORMATION {
|
|
|
|
ULONG NextEntryOffset;
|
|
|
|
//
|
|
// ASI - Aggregate Standard Information flags
|
|
//
|
|
|
|
ULONG Flags;
|
|
#define FLTFL_ASI_IS_MINIFILTER 0x00000001
|
|
#define FLTFL_ASI_IS_LEGACYFILTER 0x00000002
|
|
|
|
union {
|
|
|
|
//
|
|
// Minifilter FULL information
|
|
//
|
|
|
|
struct {
|
|
|
|
//
|
|
// ASIM - Aggregate Standard Information Minifilter flags
|
|
//
|
|
|
|
ULONG Flags;
|
|
|
|
|
|
ULONG FrameID;
|
|
|
|
ULONG NumberOfInstances;
|
|
|
|
USHORT FilterNameLength;
|
|
USHORT FilterNameBufferOffset;
|
|
|
|
USHORT FilterAltitudeLength;
|
|
USHORT FilterAltitudeBufferOffset;
|
|
|
|
} MiniFilter;
|
|
|
|
//
|
|
// Legacyfilter information
|
|
//
|
|
|
|
struct {
|
|
|
|
//
|
|
// ASIL - Aggregate Standard Information LegacyFilter flags
|
|
//
|
|
|
|
ULONG Flags;
|
|
|
|
|
|
USHORT FilterNameLength;
|
|
USHORT FilterNameBufferOffset;
|
|
|
|
USHORT FilterAltitudeLength;
|
|
USHORT FilterAltitudeBufferOffset;
|
|
|
|
} LegacyFilter;
|
|
|
|
} Type;
|
|
|
|
} FILTER_AGGREGATE_STANDARD_INFORMATION, *PFILTER_AGGREGATE_STANDARD_INFORMATION;
|
|
#endif // FLT_MGR_LONGHORN
|
|
|
|
|
|
/////////////////////////////////////////////////////////////////////////////
|
|
//
|
|
// The different types information that can be return for a Volume
|
|
//
|
|
/////////////////////////////////////////////////////////////////////////////
|
|
|
|
typedef enum _FILTER_VOLUME_INFORMATION_CLASS {
|
|
|
|
FilterVolumeBasicInformation,
|
|
FilterVolumeStandardInformation //Longhorn and later
|
|
|
|
} FILTER_VOLUME_INFORMATION_CLASS, *PFILTER_VOLUME_INFORMATION_CLASS;
|
|
|
|
|
|
//
|
|
// Basic information about a volume (its name)
|
|
//
|
|
|
|
typedef struct _FILTER_VOLUME_BASIC_INFORMATION {
|
|
|
|
//
|
|
// Length of name
|
|
//
|
|
|
|
USHORT FilterVolumeNameLength;
|
|
|
|
//
|
|
// Buffer containing name (it's NOT NULL-terminated)
|
|
//
|
|
|
|
WCHAR FilterVolumeName[1];
|
|
|
|
} FILTER_VOLUME_BASIC_INFORMATION, *PFILTER_VOLUME_BASIC_INFORMATION;
|
|
|
|
//
|
|
// Additional volume information.
|
|
//
|
|
// NOTE: Only available in LONGHORN and later OS's
|
|
//
|
|
|
|
#if FLT_MGR_LONGHORN
|
|
typedef struct _FILTER_VOLUME_STANDARD_INFORMATION {
|
|
|
|
ULONG NextEntryOffset;
|
|
|
|
//
|
|
// VSI - VOlume Standard Information flags
|
|
//
|
|
|
|
ULONG Flags;
|
|
|
|
//
|
|
// If set this volume is not current attached to a storage stack
|
|
//
|
|
|
|
#define FLTFL_VSI_DETACHED_VOLUME 0x00000001
|
|
|
|
//
|
|
// Identifies which frame this volume structure is in
|
|
//
|
|
|
|
ULONG FrameID;
|
|
|
|
//
|
|
// Identifies the type of file system being used on the volume
|
|
//
|
|
|
|
FLT_FILESYSTEM_TYPE FileSystemType;
|
|
|
|
//
|
|
// Length of name
|
|
//
|
|
|
|
USHORT FilterVolumeNameLength;
|
|
|
|
//
|
|
// Buffer containing name (it's NOT NULL-terminated)
|
|
//
|
|
|
|
WCHAR FilterVolumeName[1];
|
|
|
|
} FILTER_VOLUME_STANDARD_INFORMATION, *PFILTER_VOLUME_STANDARD_INFORMATION;
|
|
#endif // FLT_MGR_LONGHORN
|
|
|
|
|
|
|
|
/////////////////////////////////////////////////////////////////////////////
|
|
//
|
|
// The different types information that can be return on an Instance.
|
|
//
|
|
/////////////////////////////////////////////////////////////////////////////
|
|
|
|
typedef enum _INSTANCE_INFORMATION_CLASS {
|
|
|
|
InstanceBasicInformation,
|
|
InstancePartialInformation,
|
|
InstanceFullInformation,
|
|
InstanceAggregateStandardInformation //LONGHORN and later
|
|
|
|
} INSTANCE_INFORMATION_CLASS, *PINSTANCE_INFORMATION_CLASS;
|
|
|
|
|
|
//
|
|
// The structures for the information returned from the query of the information
|
|
// on the Instance.
|
|
//
|
|
|
|
typedef __struct_bcount(sizeof(INSTANCE_BASIC_INFORMATION) * InstanceNameLength) struct _INSTANCE_BASIC_INFORMATION {
|
|
|
|
ULONG NextEntryOffset;
|
|
|
|
USHORT InstanceNameLength;
|
|
USHORT InstanceNameBufferOffset;
|
|
|
|
} INSTANCE_BASIC_INFORMATION, *PINSTANCE_BASIC_INFORMATION;
|
|
|
|
typedef __struct_bcount(sizeof(INSTANCE_PARTIAL_INFORMATION) + InstanceNameLength + AltitudeLength) struct _INSTANCE_PARTIAL_INFORMATION {
|
|
|
|
ULONG NextEntryOffset;
|
|
|
|
USHORT InstanceNameLength;
|
|
USHORT InstanceNameBufferOffset;
|
|
|
|
USHORT AltitudeLength;
|
|
USHORT AltitudeBufferOffset;
|
|
|
|
} INSTANCE_PARTIAL_INFORMATION, *PINSTANCE_PARTIAL_INFORMATION;
|
|
|
|
typedef __struct_bcount(sizeof(INSTANCE_FULL_INFORMATION) + InstanceNameLength + AltitudeLength + VolumeNameLength + FilterNameLength) struct _INSTANCE_FULL_INFORMATION {
|
|
|
|
ULONG NextEntryOffset;
|
|
|
|
USHORT InstanceNameLength;
|
|
USHORT InstanceNameBufferOffset;
|
|
|
|
USHORT AltitudeLength;
|
|
USHORT AltitudeBufferOffset;
|
|
|
|
USHORT VolumeNameLength;
|
|
USHORT VolumeNameBufferOffset;
|
|
|
|
USHORT FilterNameLength;
|
|
USHORT FilterNameBufferOffset;
|
|
|
|
} INSTANCE_FULL_INFORMATION, *PINSTANCE_FULL_INFORMATION;
|
|
|
|
|
|
//
|
|
// This information class is used to return instance information about both
|
|
// legacy filters and minifilters.
|
|
//
|
|
|
|
#if FLT_MGR_LONGHORN
|
|
typedef struct _INSTANCE_AGGREGATE_STANDARD_INFORMATION {
|
|
|
|
ULONG NextEntryOffset;
|
|
|
|
//
|
|
// IASI - Instance Aggregate Standard Information flags
|
|
//
|
|
|
|
ULONG Flags;
|
|
#define FLTFL_IASI_IS_MINIFILTER 0x00000001
|
|
#define FLTFL_IASI_IS_LEGACYFILTER 0x00000002
|
|
|
|
union {
|
|
|
|
//
|
|
// MiniFilter information
|
|
//
|
|
|
|
struct {
|
|
|
|
//
|
|
// IASIM - Instance Aggregate Standard Information Minifilter flags
|
|
//
|
|
|
|
ULONG Flags;
|
|
|
|
//
|
|
// If set this volume is not current attached to a storage stack
|
|
//
|
|
|
|
#define FLTFL_IASIM_DETACHED_VOLUME 0x00000001
|
|
|
|
//
|
|
// Identifies which frame this volume structure is in
|
|
//
|
|
|
|
ULONG FrameID;
|
|
|
|
//
|
|
// The type of file system this instance is attached to
|
|
//
|
|
|
|
FLT_FILESYSTEM_TYPE VolumeFileSystemType;
|
|
|
|
//
|
|
// The name of this instance
|
|
//
|
|
|
|
USHORT InstanceNameLength;
|
|
USHORT InstanceNameBufferOffset;
|
|
|
|
//
|
|
// The altitude of this instance
|
|
//
|
|
|
|
USHORT AltitudeLength;
|
|
USHORT AltitudeBufferOffset;
|
|
|
|
//
|
|
// The volume name this instance is attached to
|
|
//
|
|
|
|
USHORT VolumeNameLength;
|
|
USHORT VolumeNameBufferOffset;
|
|
|
|
//
|
|
// The name of the minifilter associated with this instace
|
|
//
|
|
|
|
USHORT FilterNameLength;
|
|
USHORT FilterNameBufferOffset;
|
|
|
|
} MiniFilter;
|
|
|
|
//
|
|
// Legacyfilter information
|
|
//
|
|
|
|
struct {
|
|
|
|
//
|
|
// IASIL - Instance Aggregate Standard Information LegacyFilter flags
|
|
//
|
|
|
|
ULONG Flags;
|
|
|
|
//
|
|
// If set this volume is not current attached to a storage stack
|
|
//
|
|
|
|
#define FLTFL_IASIL_DETACHED_VOLUME 0x00000001
|
|
|
|
//
|
|
// The altitude of this attachment
|
|
//
|
|
|
|
USHORT AltitudeLength;
|
|
USHORT AltitudeBufferOffset;
|
|
|
|
//
|
|
// The volume name this filter is attached to
|
|
//
|
|
|
|
USHORT VolumeNameLength;
|
|
USHORT VolumeNameBufferOffset;
|
|
|
|
//
|
|
// The name of the filter associated with this attachment
|
|
//
|
|
|
|
USHORT FilterNameLength;
|
|
USHORT FilterNameBufferOffset;
|
|
|
|
} LegacyFilter;
|
|
|
|
} Type;
|
|
|
|
} INSTANCE_AGGREGATE_STANDARD_INFORMATION, *PINSTANCE_AGGREGATE_STANDARD_INFORMATION;
|
|
#endif // FLT_MGR_LONGHORN
|
|
|
|
|
|
/////////////////////////////////////////////////////////////////////////////
|
|
//
|
|
// Message defintitions
|
|
//
|
|
/////////////////////////////////////////////////////////////////////////////
|
|
|
|
typedef struct _FILTER_MESSAGE_HEADER {
|
|
|
|
//
|
|
// OUT
|
|
//
|
|
// Total buffer length in bytes, including the FILTER_REPLY_HEADER, of
|
|
// the expected reply. If no reply is expected, 0 is returned.
|
|
//
|
|
|
|
ULONG ReplyLength;
|
|
|
|
//
|
|
// OUT
|
|
//
|
|
// Unique Id for this message. This will be set when the kernel message
|
|
// satifies this FilterGetMessage or FilterInstanceGetMessage request.
|
|
// If replying to this message, this is the MessageId that should be used.
|
|
//
|
|
|
|
ULONGLONG MessageId;
|
|
|
|
//
|
|
// General filter-specific buffer data follows...
|
|
//
|
|
|
|
} FILTER_MESSAGE_HEADER, *PFILTER_MESSAGE_HEADER;
|
|
|
|
typedef struct _FILTER_REPLY_HEADER {
|
|
|
|
//
|
|
// IN.
|
|
//
|
|
// Status of this reply. This status will be returned back to the filter
|
|
// driver who is waiting for a reply.
|
|
//
|
|
|
|
NTSTATUS Status;
|
|
|
|
//
|
|
// IN
|
|
//
|
|
// Unique Id for this message. This id was returned in the
|
|
// FILTER_MESSAGE_HEADER from the kernel message to which we are replying.
|
|
//
|
|
|
|
ULONGLONG MessageId;
|
|
|
|
//
|
|
// General filter-specific buffer data follows...
|
|
//
|
|
|
|
} FILTER_REPLY_HEADER, *PFILTER_REPLY_HEADER;
|
|
|
|
#endif //FLT_MGR_BASELINE
|
|
|
|
#endif /* __FLT_USER_STRUCTURES_H__ */
|
|
|