Fastest way to pass file contents from kernel to user mode?
I'll try to be brief, but fully descriptive:
This is Windows-specific. Using the Windows Driver Development Kit (DDK).
I am writing a Kernel Mode Driver (KMD) for the first time, having no prior experience in Kernel Mode. I am playing around currently with the "scanner" mini-filter sample which comes with the DDK, and expanding upon it for practice. The "scanner" mini-filter is a basic outline for a generic "anti-virus" type scanning driver which hooks file creates/closes and operates on the associated file to scan for a "bad word" before approving/denying the requested operation.
The end goal is to scan the file with the user-mode application when it is opened, deciding whether or not the mini-filter should allow the operation to complete, without noticeable slow-down to the process or user which is attempting to open the file. I will also want to scan the entire file again when a save is attempted to decide whether or not to allow the save to complete successfully or deny the save. The mini-filter sample lays out the groundwork for how to hook these calls, but is a bit weak in the actual "scanning" portion.
I am looking at expanding the sample to scan the entire file that has been opened, such as to generate a hash, rather than just the first 1k (the sample's limit). I have modified the sample to read the entirety of the file and send it using the same mechanisms within the original sample. This method uses FltReadFile to read the file within the KMD and FltSendMessage to send the buffer to the user-mode component. The user-mode application is using GetQueuedCompletionStatus to grab the notifications from the KMD and process the buffers.
However, I'm noticing that this process seems to be pretty slow compared to a normal open/read in C++ using the standard library (fstream). This method is taking between approximately 4-8 times longer than simply opening and reading the file in a simple C++ user app. I have adjusted buffer sizes to see if it makes for a noticeable improvement, and while it can help slightly, the benefits have not appeared to be very significant.
Since I am looking to scan files in 'real-time', this rate of transfer is highly disappointing and prohibitive. Is there a faster way to transfer a file's contents from a Kernel-Mode Driver to a User-Mode Application?
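One thing that is easy to get wrong when the sample is extended from "first 1k" to "whole file in chunks" is a pattern that straddles two chunks. The following is an added Python model of the user-mode side, not code from the DDK scanner sample: it parses notifications in the layout the sample uses (assumed here: ULONG BytesToScan, ULONG Reserved, UCHAR Contents[1024]), hashes the stream incrementally as chunks arrive, and keeps a small overlap between chunks so a split match is still caught. The bad word "foul" and the message layout are assumptions about the sample.

```python
import hashlib
import struct

# Assumed layout of the scanner sample's SCANNER_NOTIFICATION:
# ULONG BytesToScan, ULONG Reserved, UCHAR Contents[SCANNER_READ_BUFFER_SIZE].
SCANNER_READ_BUFFER_SIZE = 1024
NOTIFICATION_HEADER = struct.Struct("<II")
BAD_WORD = b"foul"  # the sample's pattern (assumed)


def pack_notification(chunk: bytes) -> bytes:
    """Build one notification the way the driver would (constructed test data)."""
    assert len(chunk) <= SCANNER_READ_BUFFER_SIZE
    padded = chunk.ljust(SCANNER_READ_BUFFER_SIZE, b"\0")
    return NOTIFICATION_HEADER.pack(len(chunk), 0) + padded


class ChunkedScanner:
    """Scans a file delivered as a sequence of fixed-size notifications.

    Keeps the last len(bad_word)-1 bytes of the previous chunk so a match that
    straddles two chunks is not missed, and hashes the stream incrementally so
    no whole-file buffer is ever needed in user mode.
    """

    def __init__(self, bad_word: bytes = BAD_WORD):
        self._bad_word = bad_word
        self._tail = b""
        self._hash = hashlib.sha256()
        self.safe_to_open = True

    def feed(self, message: bytes) -> bool:
        bytes_to_scan, _reserved = NOTIFICATION_HEADER.unpack_from(message)
        # Do not trust the length field blindly: clamp it to the fixed buffer size.
        start = NOTIFICATION_HEADER.size
        payload = message[start:start + min(bytes_to_scan, SCANNER_READ_BUFFER_SIZE)]
        self._hash.update(payload)
        window = self._tail + payload
        if self._bad_word in window:
            self.safe_to_open = False
        keep = len(self._bad_word) - 1
        self._tail = window[-keep:] if keep else b""
        return self.safe_to_open

    def digest(self) -> str:
        return self._hash.hexdigest()


def scan_file(data: bytes, chunk_size: int = SCANNER_READ_BUFFER_SIZE):
    """Drive the scanner with constructed notifications covering all of `data`."""
    scanner = ChunkedScanner()
    for offset in range(0, len(data), chunk_size):
        scanner.feed(pack_notification(data[offset:offset + chunk_size]))
    return scanner.safe_to_open, scanner.digest()
```

The overlap is the part the 1k-limited sample never needs; without it, a file whose bad word begins at byte 1022 is reported clean.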
I can suggest several solutions: