Skip to content

Instantly share code, notes, and snippets.

@tyranid

tyranid/filter_manager_api.h Secret

Created January 2, 2021 07:52
Show Gist options
  • Star 10 You must be signed in to star a gist
  • Fork 2 You must be signed in to fork a gist
  • Save tyranid/49d8a1b9e53bba4eac40df32e15d4a98 to your computer and use it in GitHub Desktop.
Save tyranid/49d8a1b9e53bba4eac40df32e15d4a98 to your computer and use it in GitHub Desktop.
Download ZIP
Basic header for file loading into IDA to support filter manager driver RE.
Raw
filter_manager_api.h
// Basic header for file loading into IDA to support filter manager driver RE.
typedef enum _FS_FILTER_SECTION_SYNC_TYPE
{
SyncTypeOther = 0,
SyncTypeCreateSection = 1
} FS_FILTER_SECTION_SYNC_TYPE;
typedef enum _FLT_INSTANCE_FLAGS
{
INSFL_CAN_BE_DETACHED = 0x01,
INSFL_DELETING = 0x02,
INSFL_INITING = 0x04
} FLT_INSTANCE_FLAGS, *PFLT_INSTANCE_FLAGS;
typedef enum _FLT_OBJECT_FLAGS
{
FLT_OBFL_DRAINING = 1,
FLT_OBFL_ZOMBIED = 2,
FLT_OBFL_TYPE_INSTANCE = 0x1000000,
FLT_OBFL_TYPE_FILTER = 0x2000000,
FLT_OBFL_TYPE_VOLUME = 0x4000000
} FLT_OBJECT_FLAGS, *PFLT_OBJECT_FLAGS;
typedef struct _FLT_OBJECT
{
volatile FLT_OBJECT_FLAGS Flags;
ULONG PointerCount;
PVOID RundownRef;
LIST_ENTRY PrimaryLink;
} FLT_OBJECT, *PFLT_OBJECT;
typedef struct _FLT_VOLUME
{
FLT_OBJECT Base;
DWORD Flags;
DWORD FileSystemType;
PDEVICE_OBJECT DeviceObject;
PDEVICE_OBJECT DiskDeviceObject;
struct _FLT_VOLUME * FrameZeroVolume;
struct _FLT_VOLUME * VolumeInNextFrame;
PVOID Frame;
UNICODE_STRING DeviceName;
UNICODE_STRING GuidName;
UNICODE_STRING CDODeviceName;
UNICODE_STRING CDODriverName;
} FLT_VOLUME, *PFLT_VOLUME;
typedef struct _FLT_INSTANCE
{
FLT_OBJECT Base;
ULONG OperationRundownRef;
PFLT_VOLUME Volume;
PVOID Filter;
FLT_INSTANCE_FLAGS Flags;
UNICODE_STRING Altitude;
UNICODE_STRING Name;
LIST_ENTRY FilterLink;
PVOID ContextLock;
PVOID Context; //PCONTEXT_NODE
PVOID TrackCompletionNodes; //PRACK_COMPLETION_NODES
PVOID CallbackNodes[50]; //PCALLBACK_NODE
} FLT_INSTANCE, *PFLT_INSTANCE;
struct FILTERMGR_EA {
ULONG NextEntryOffset;
UCHAR Flags;
UCHAR EaNameLength;
USHORT EaValueLength;
CHAR EaName[0x100];
};
typedef struct _FLT_FILE_NAME_INFORMATION {
USHORT Size;
int NamesParsed;
int Format;
UNICODE_STRING Name;
UNICODE_STRING Volume;
UNICODE_STRING Share;
UNICODE_STRING Extension;
UNICODE_STRING Stream;
UNICODE_STRING FinalComponent;
UNICODE_STRING ParentDir;
} FLT_FILE_NAME_INFORMATION, *PFLT_FILE_NAME_INFORMATION;
typedef enum _FLT_PREOP_CALLBACK_STATUS {
FLT_PREOP_SUCCESS_WITH_CALLBACK,
FLT_PREOP_SUCCESS_NO_CALLBACK,
FLT_PREOP_PENDING,
FLT_PREOP_DISALLOW_FASTIO,
FLT_PREOP_COMPLETE,
FLT_PREOP_SYNCHRONIZE,
FLT_PREOP_DISALLOW_FSFILTER_IO
} FLT_PREOP_CALLBACK_STATUS, *PFLT_PREOP_CALLBACK_STATUS;
enum _FLT_POSTOP_CALLBACK_STATUS {
FLT_POSTOP_FINISHED_PROCESSING = 0,
FLT_POSTOP_MORE_PROCESSING_REQUIRED = 1
};
typedef DWORD DEVICE_TYPE;
typedef struct _FLT_VOLUME_PROPERTIES {
DEVICE_TYPE DeviceType;
ULONG DeviceCharacteristics;
ULONG DeviceObjectFlags;
ULONG AlignmentRequirement;
USHORT SectorSize;
USHORT Reserved0;
UNICODE_STRING FileSystemDriverName;
UNICODE_STRING FileSystemDeviceName;
UNICODE_STRING RealDeviceName;
} FLT_VOLUME_PROPERTIES, *PFLT_VOLUME_PROPERTIES;
typedef union _FLT_PARAMETERS {
struct {
PIO_SECURITY_CONTEXT SecurityContext;
ULONG Options;
DWORD_PTR FileAttributes;
USHORT ShareAccess;
DWORD_PTR EaLength;
PVOID EaBuffer;
LARGE_INTEGER AllocationSize;
} Create;
struct {
PIO_SECURITY_CONTEXT SecurityContext;
ULONG Options;
DWORD_PTR Reserved;
USHORT ShareAccess;
PVOID Parameters;
} CreatePipe;
struct {
PIO_SECURITY_CONTEXT SecurityContext;
ULONG Options;
DWORD_PTR Reserved;
USHORT ShareAccess;
PVOID Parameters;
} CreateMailslot;
struct {
ULONG Length;
ULONG Key;
LARGE_INTEGER ByteOffset;
PVOID ReadBuffer;
PMDL MdlAddress;
} Read;
struct {
ULONG Length;
DWORD_PTR Key;
LARGE_INTEGER ByteOffset;
PVOID WriteBuffer;
PMDL MdlAddress;
} Write;
struct {
ULONG Length;
DWORD_PTR FileInformationClass;
PVOID InfoBuffer;
} QueryFileInformation;
struct {
ULONG Length;
DWORD_PTR FileInformationClass;
PFILE_OBJECT ParentOfTarget;
ULONG ClusterCount;
HANDLE DeleteHandle;
PVOID InfoBuffer;
} SetFileInformation;
struct {
ULONG Length;
PVOID EaList;
ULONG EaListLength;
ULONG EaIndex;
PVOID EaBuffer;
PMDL MdlAddress;
} QueryEa;
struct {
ULONG Length;
PVOID EaBuffer;
PMDL MdlAddress;
} SetEa;
struct {
ULONG Length;
DWORD_PTR FsInformationClass;
PVOID VolumeBuffer;
} QueryVolumeInformation;
struct {
ULONG Length;
DWORD_PTR FsInformationClass;
PVOID VolumeBuffer;
} SetVolumeInformation;
union {
struct {
ULONG Length;
PUNICODE_STRING FileName;
FILE_INFORMATION_CLASS FileInformationClass;
DWORD_PTR FileIndex;
PVOID DirectoryBuffer;
PMDL MdlAddress;
} QueryDirectory;
struct {
ULONG Length;
DWORD_PTR CompletionFilter;
DWORD_PTR Spare1;
DWORD_PTR Spare2;
PVOID DirectoryBuffer;
PMDL MdlAddress;
} NotifyDirectory;
} DirectoryControl;
union {
struct {
PVOID Vpb;
PDEVICE_OBJECT DeviceObject;
} VerifyVolume;
struct {
ULONG OutputBufferLength;
DWORD_PTR InputBufferLength;
DWORD_PTR FsControlCode;
} Common;
struct {
ULONG OutputBufferLength;
DWORD_PTR InputBufferLength;
DWORD_PTR FsControlCode;
PVOID InputBuffer;
PVOID OutputBuffer;
PMDL OutputMdlAddress;
} Neither;
struct {
ULONG OutputBufferLength;
DWORD_PTR InputBufferLength;
DWORD_PTR FsControlCode;
PVOID SystemBuffer;
} Buffered;
struct {
ULONG OutputBufferLength;
DWORD_PTR InputBufferLength;
DWORD_PTR FsControlCode;
PVOID InputSystemBuffer;
PVOID OutputBuffer;
PMDL OutputMdlAddress;
} Direct;
} FileSystemControl;
union {
struct {
ULONG OutputBufferLength;
DWORD_PTR InputBufferLength;
DWORD_PTR IoControlCode;
} Common;
struct {
ULONG OutputBufferLength;
DWORD_PTR InputBufferLength;
DWORD_PTR IoControlCode;
PVOID InputBuffer;
PVOID OutputBuffer;
PMDL OutputMdlAddress;
} Neither;
struct {
ULONG OutputBufferLength;
DWORD_PTR InputBufferLength;
DWORD_PTR IoControlCode;
PVOID SystemBuffer;
} Buffered;
struct {
ULONG OutputBufferLength;
DWORD_PTR InputBufferLength;
DWORD_PTR IoControlCode;
PVOID InputSystemBuffer;
PVOID OutputBuffer;
PMDL OutputMdlAddress;
} Direct;
struct {
ULONG OutputBufferLength;
DWORD_PTR InputBufferLength;
DWORD_PTR IoControlCode;
PVOID InputBuffer;
PVOID OutputBuffer;
} FastIo;
} DeviceIoControl;
struct {
PLARGE_INTEGER Length;
ULONG Key;
LARGE_INTEGER ByteOffset;
PEPROCESS ProcessId;
BOOLEAN FailImmediately;
BOOLEAN ExclusiveLock;
} LockControl;
struct {
SECURITY_INFORMATION SecurityInformation;
ULONG Length;
PVOID SecurityBuffer;
PMDL MdlAddress;
} QuerySecurity;
struct {
SECURITY_INFORMATION SecurityInformation;
PSECURITY_DESCRIPTOR SecurityDescriptor;
} SetSecurity;
struct {
ULONG_PTR ProviderId;
PVOID DataPath;
ULONG BufferSize;
PVOID Buffer;
} WMI;
struct {
ULONG Length;
PSID StartSid;
PVOID SidList;
ULONG SidListLength;
PVOID QuotaBuffer;
PMDL MdlAddress;
} QueryQuota;
struct {
ULONG Length;
PVOID QuotaBuffer;
PMDL MdlAddress;
} SetQuota;
union {
struct {
PVOID AllocatedResources;
PVOID AllocatedResourcesTranslated;
} StartDevice;
struct {
DEVICE_RELATION_TYPE Type;
} QueryDeviceRelations;
struct {
GUID *InterfaceType;
USHORT Size;
USHORT Version;
PINTERFACE Interface;
PVOID InterfaceSpecificData;
} QueryInterface;
struct {
PDWORD Capabilities;
} DeviceCapabilities;
struct {
PVOID IoResourceRequirementList;
} FilterResourceRequirements;
struct {
ULONG WhichSpace;
PVOID Buffer;
ULONG Offset;
ULONG Length;
} ReadWriteConfig;
struct {
BOOLEAN Lock;
} SetLock;
struct {
DWORD IdType;
} QueryId;
struct {
DWORD DeviceTextType;
DWORD LocaleId;
} QueryDeviceText;
struct {
BOOLEAN InPath;
BOOLEAN Reserved[3];
DWORD Type;
} UsageNotification;
} Pnp;
struct {
FS_FILTER_SECTION_SYNC_TYPE SyncType;
ULONG PageProtection;
} AcquireForSectionSynchronization;
struct {
PLARGE_INTEGER EndingOffset;
PVOID *ResourceToRelease;
} AcquireForModifiedPageWriter;
struct {
PVOID ResourceToRelease;
} ReleaseForModifiedPageWriter;
struct {
LARGE_INTEGER FileOffset;
ULONG Length;
ULONG LockKey;
BOOLEAN CheckForReadOperation;
} FastIoCheckIfPossible;
struct {
PIRP Irp;
PVOID NetworkInformation;
} NetworkQueryOpen;
struct {
LARGE_INTEGER FileOffset;
ULONG Length;
ULONG Key;
PMDL *MdlChain;
} MdlRead;
struct {
PMDL MdlChain;
} MdlReadComplete;
struct {
LARGE_INTEGER FileOffset;
ULONG Length;
ULONG Key;
PMDL *MdlChain;
} PrepareMdlWrite;
struct {
LARGE_INTEGER FileOffset;
PMDL MdlChain;
} MdlWriteComplete;
struct {
ULONG DeviceType;
} MountVolume;
struct {
PVOID Argument1;
PVOID Argument2;
PVOID Argument3;
PVOID Argument4;
PVOID Argument5;
LARGE_INTEGER Argument6;
} Others;
} FLT_PARAMETERS, *PFLT_PARAMETERS;
typedef struct _FLT_IO_PARAMETER_BLOCK {
ULONG IrpFlags;
UCHAR MajorFunction;
UCHAR MinorFunction;
UCHAR OperationFlags;
UCHAR Reserved;
PFILE_OBJECT TargetFileObject;
PFLT_INSTANCE TargetInstance;
FLT_PARAMETERS Parameters;
} FLT_IO_PARAMETER_BLOCK, *PFLT_IO_PARAMETER_BLOCK;
typedef struct _FLT_TAG_DATA_BUFFER {
ULONG FileTag;
USHORT TagDataLength;
USHORT UnparsedNameLength;
union {
struct {
USHORT SubstituteNameOffset;
USHORT SubstituteNameLength;
USHORT PrintNameOffset;
USHORT PrintNameLength;
ULONG Flags;
WCHAR PathBuffer[1];
} SymbolicLinkReparseBuffer;
struct {
USHORT SubstituteNameOffset;
USHORT SubstituteNameLength;
USHORT PrintNameOffset;
USHORT PrintNameLength;
WCHAR PathBuffer[1];
} MountPointReparseBuffer;
struct {
UCHAR DataBuffer[1];
} GenericReparseBuffer;
struct {
GUID TagGuid;
UCHAR DataBuffer[1];
} GenericGUIDReparseBuffer;
} DummyUnion;
} FLT_TAG_DATA_BUFFER, *PFLT_TAG_DATA_BUFFER;
typedef struct _FLT_CALLBACK_DATA {
ULONG Flags;
PVOID Thread;
PFLT_IO_PARAMETER_BLOCK Iopb;
IO_STATUS_BLOCK IoStatus;
struct _FLT_TAG_DATA_BUFFER *TagData;
PVOID FilterContext[4];
KPROCESSOR_MODE RequestorMode;
} FLT_CALLBACK_DATA, *PFLT_CALLBACK_DATA;
typedef enum _FLT_VOLUME_FLAGS
{
VOLFL_NETWORK_FILESYSTEM = 0x1,
VOLFL_PENDING_MOUNT_SETUP_NOTIFIES = 0x2,
VOLFL_MOUNT_SETUP_NOTIFIES_CALLED = 0x4,
VOLFL_MOUNTING = 0x8,
VOLFL_SENT_SHUTDOWN_IRP = 0x10,
VOLFL_ENABLE_NAME_CACHING = 0x20,
VOLFL_FILTER_EVER_ATTACHED = 0x40,
VOLFL_STANDARD_LINK_NOT_SUPPORTED = 0x80
} FLT_VOLUME_FLAGS, *PFLT_VOLUME_FLAGS;
typedef struct _FLT_RELATED_OBJECTS {
USHORT Size;
USHORT TransactionContext;
PVOID Filter;
PFLT_VOLUME Volume;
PFLT_INSTANCE Instance;
PFILE_OBJECT FileObject;
PVOID Transaction;
} FLT_RELATED_OBJECTS, *PFLT_RELATED_OBJECTS;
typedef const struct _FLT_RELATED_OBJECTS *PCFLT_RELATED_OBJECTS;
typedef ULONG FLT_INSTANCE_QUERY_TEARDOWN_FLAGS;
typedef ULONG FLT_INSTANCE_SETUP_FLAGS;
typedef USHORT FLT_CONTEXT_TYPE;
typedef USHORT FLT_CONTEXT_REGISTRATION_FLAGS;
typedef ULONG FLT_NORMALIZE_NAME_FLAGS;
typedef ULONG FLT_OPERATION_REGISTRATION_FLAGS;
typedef ULONG FLT_POST_OPERATION_FLAGS;
typedef ULONG FLT_REGISTRATION_FLAGS;
typedef void* PFLT_CONTEXT;
typedef enum _FLT_FILESYSTEM_TYPE
{
FLT_FSTYPE_UNKNOWN,
FLT_FSTYPE_RAW,
FLT_FSTYPE_NTFS,
FLT_FSTYPE_FAT,
FLT_FSTYPE_CDFS,
FLT_FSTYPE_UDFS,
FLT_FSTYPE_LANMAN,
FLT_FSTYPE_WEBDAV,
FLT_FSTYPE_RDPDR,
FLT_FSTYPE_NFS,
FLT_FSTYPE_MS_NETWARE,
FLT_FSTYPE_NETWARE,
FLT_FSTYPE_BSUDF,
FLT_FSTYPE_MUP,
FLT_FSTYPE_RSFX,
FLT_FSTYPE_ROXIO_UDF1,
FLT_FSTYPE_ROXIO_UDF2,
FLT_FSTYPE_ROXIO_UDF3,
FLT_FSTYPE_TACIT,
FLT_FSTYPE_FS_REC,
FLT_FSTYPE_INCD,
FLT_FSTYPE_INCD_FAT,
FLT_FSTYPE_EXFAT,
FLT_FSTYPE_PSFS,
FLT_FSTYPE_GPFS,
FLT_FSTYPE_NPFS,
FLT_FSTYPE_MSFS,
FLT_FSTYPE_CSVFS,
FLT_FSTYPE_REFS,
FLT_FSTYPE_OPENAFS
} FLT_FILESYSTEM_TYPE, *PFLT_FILESYSTEM_TYPE;
typedef void
(*PFLT_CONTEXT_CLEANUP_CALLBACK) (
PFLT_CONTEXT Context,
FLT_CONTEXT_TYPE ContextType
);
typedef PVOID
(*PFLT_CONTEXT_ALLOCATE_CALLBACK)(
POOL_TYPE PoolType,
SIZE_T Size,
FLT_CONTEXT_TYPE ContextType
);
typedef void
(*PFLT_CONTEXT_FREE_CALLBACK)(
PVOID Pool,
FLT_CONTEXT_TYPE ContextType
);
typedef struct _FLT_CONTEXT_REGISTRATION {
FLT_CONTEXT_TYPE ContextType;
FLT_CONTEXT_REGISTRATION_FLAGS Flags;
PFLT_CONTEXT_CLEANUP_CALLBACK ContextCleanupCallback;
SIZE_T Size;
ULONG PoolTag;
PFLT_CONTEXT_ALLOCATE_CALLBACK ContextAllocateCallback;
PFLT_CONTEXT_FREE_CALLBACK ContextFreeCallback;
PVOID Reserved1;
} FLT_CONTEXT_REGISTRATION, *PFLT_CONTEXT_REGISTRATION;
typedef NTSTATUS
(*PFLT_INSTANCE_SETUP_CALLBACK) (
PCFLT_RELATED_OBJECTS FltObjects,
FLT_INSTANCE_SETUP_FLAGS Flags,
DEVICE_TYPE VolumeDeviceType,
FLT_FILESYSTEM_TYPE VolumeFilesystemType
);
typedef NTSTATUS
(*PFLT_INSTANCE_QUERY_TEARDOWN_CALLBACK) (
PCFLT_RELATED_OBJECTS FltObjects,
FLT_INSTANCE_QUERY_TEARDOWN_FLAGS Flags
);
typedef FLT_PREOP_CALLBACK_STATUS
(*PFLT_PRE_OPERATION_CALLBACK) (
PFLT_CALLBACK_DATA Data,
PCFLT_RELATED_OBJECTS FltObjects,
PVOID *CompletionContext
);
typedef ULONG FLT_INSTANCE_TEARDOWN_FLAGS;
#define FLTFL_INSTANCE_TEARDOWN_MANUAL 0x00000001
#define FLTFL_INSTANCE_TEARDOWN_FILTER_UNLOAD 0x00000002
#define FLTFL_INSTANCE_TEARDOWN_MANDATORY_FILTER_UNLOAD 0x00000004
#define FLTFL_INSTANCE_TEARDOWN_VOLUME_DISMOUNT 0x00000008
#define FLTFL_INSTANCE_TEARDOWN_INTERNAL_ERROR 0x00000010
typedef void
(*PFLT_INSTANCE_TEARDOWN_CALLBACK) (
PCFLT_RELATED_OBJECTS FltObjects,
FLT_INSTANCE_TEARDOWN_FLAGS Reason
);
typedef enum _FLT_POSTOP_CALLBACK_STATUS {
FLT_POSTOP_FINISHED_PROCESSING,
FLT_POSTOP_MORE_PROCESSING_REQUIRED,
FLT_POSTOP_DISALLOW_FSFILTER_IO
} FLT_POSTOP_CALLBACK_STATUS, *PFLT_POSTOP_CALLBACK_STATUS;
typedef ULONG FLT_POST_OPERATION_FLAGS;
typedef ULONG FLT_FILTER_UNLOAD_FLAGS;
typedef NTSTATUS
(*PFLT_FILTER_UNLOAD_CALLBACK) (
FLT_FILTER_UNLOAD_FLAGS Flags
);
typedef FLT_POSTOP_CALLBACK_STATUS
(*PFLT_POST_OPERATION_CALLBACK) (
PFLT_CALLBACK_DATA Data,
PCFLT_RELATED_OBJECTS FltObjects,
PVOID CompletionContext,
FLT_POST_OPERATION_FLAGS Flags
);
typedef struct _FLT_OPERATION_REGISTRATION
{
UCHAR MajorFunction;
FLT_OPERATION_REGISTRATION_FLAGS Flags;
PFLT_PRE_OPERATION_CALLBACK PreOperation;
PFLT_POST_OPERATION_CALLBACK PostOperation;
void *Reserved1;
} FLT_OPERATION_REGISTRATION, *PFLT_OPERATION_REGISTRATION;
typedef ULONG FLT_FILE_NAME_OPTIONS;
typedef struct _FLT_NAME_CONTROL {
UNICODE_STRING Name;
} FLT_NAME_CONTROL, *PFLT_NAME_CONTROL;
typedef NTSTATUS
(*PFLT_GENERATE_FILE_NAME) (
PFLT_INSTANCE Instance,
PFILE_OBJECT FileObject,
PFLT_CALLBACK_DATA CallbackData,
FLT_FILE_NAME_OPTIONS NameOptions,
PBOOLEAN CacheFileNameInformation,
PFLT_NAME_CONTROL FileName
);
typedef struct _FILE_NAMES_INFORMATION {
ULONG NextEntryOffset;
ULONG FileIndex;
ULONG FileNameLength;
WCHAR FileName[1];
} FILE_NAMES_INFORMATION, *PFILE_NAMES_INFORMATION;
typedef NTSTATUS
(*PFLT_NORMALIZE_NAME_COMPONENT) (
PFLT_INSTANCE Instance,
PCUNICODE_STRING ParentDirectory,
USHORT VolumeNameLength,
PCUNICODE_STRING Component,
PFILE_NAMES_INFORMATION ExpandComponentName,
ULONG ExpandComponentNameLength,
FLT_NORMALIZE_NAME_FLAGS Flags,
PVOID *NormalizationContext
);
typedef NTSTATUS
(*PFLT_NORMALIZE_NAME_COMPONENT_EX) (
PFLT_INSTANCE Instance,
PFILE_OBJECT FileObject,
PCUNICODE_STRING ParentDirectory,
USHORT VolumeNameLength,
PCUNICODE_STRING Component,
PFILE_NAMES_INFORMATION ExpandComponentName,
ULONG ExpandComponentNameLength,
FLT_NORMALIZE_NAME_FLAGS Flags,
PVOID *NormalizationContext
);
typedef void
(*PFLT_NORMALIZE_CONTEXT_CLEANUP) (
PVOID *NormalizationContext
);
typedef NTSTATUS
(*PFLT_TRANSACTION_NOTIFICATION_CALLBACK) (
PCFLT_RELATED_OBJECTS FltObjects,
PFLT_CONTEXT TransactionContext,
ULONG NotificationMask
);
typedef NTSTATUS
(*PFLT_SECTION_CONFLICT_NOTIFICATION_CALLBACK) (
PFLT_INSTANCE Instance,
PFLT_CONTEXT SectionContext,
PFLT_CALLBACK_DATA Data
);
typedef struct _FLT_REGISTRATION {
USHORT Size;
USHORT Version;
ULONG Flags;
FLT_CONTEXT_REGISTRATION *ContextRegistration;
FLT_OPERATION_REGISTRATION *OperationRegistration;
PFLT_FILTER_UNLOAD_CALLBACK FilterUnloadCallback;
PFLT_INSTANCE_SETUP_CALLBACK InstanceSetupCallback;
PFLT_INSTANCE_QUERY_TEARDOWN_CALLBACK InstanceQueryTeardownCallback;
PFLT_INSTANCE_TEARDOWN_CALLBACK InstanceTeardownStartCallback;
PFLT_INSTANCE_TEARDOWN_CALLBACK InstanceTeardownCompleteCallback;
PFLT_GENERATE_FILE_NAME GenerateFileNameCallback;
PFLT_NORMALIZE_NAME_COMPONENT NormalizeNameComponentCallback;
PFLT_NORMALIZE_CONTEXT_CLEANUP NormalizeContextCleanupCallback;
PFLT_TRANSACTION_NOTIFICATION_CALLBACK TransactionNotificationCallback;
PFLT_NORMALIZE_NAME_COMPONENT_EX NormalizeNameComponentExCallback;
PFLT_SECTION_CONFLICT_NOTIFICATION_CALLBACK SectionNotificationCallback;
} FLT_REGISTRATION, *PFLT_REGISTRATION;
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment