2. Fix some known issues
Pull request overview
This PR introduces an experimental Windows kernel minifilter driver for real-time file deletion monitoring, along with extensive supporting infrastructure. The feature requires Windows Test Mode to be enabled.
Changes:
- New kernel driver (Filerestore_sys) for intercepting file deletion operations
- User-mode daemon (MonitorDaemon) for managing kernel communication via shared memory IPC
- MFT snapshot storage system for preserving file metadata at deletion time
- USN recovery enhancements including batch mode and overwrite detection
- Removal of MemoryMappedResults in favor of simpler MFTCache approach
- Comprehensive test scripts for recovery performance analysis
Reviewed changes
Copilot reviewed 47 out of 51 changed files in this pull request and generated 2 comments.
| File | Description |
|---|---|
| Filerestore_sys/Filerestore_sys/driver.c | Kernel driver entry point and filter registration |
| Filerestore_sys/Filerestore_sys/communication.c | FltMgr communication port and event buffering |
| Filerestore_sys/Filerestore_sys/filter.c | PreSetInformation callback for delete interception |
| Filerestore_sys/Filerestore_sys/common.h | Shared kernel/user-mode structures |
| Filerestore_CLI/src/fileRestore/KernelBridgeClient.* | User-mode driver communication |
| Filerestore_CLI/src/fileRestore/MonitorDaemon.* | Daemon process management and shared memory |
| Filerestore_CLI/src/fileRestore/UsnDeleteMonitor.* | USN-based delete monitoring |
| Filerestore_CLI/src/fileRestore/MFTSnapshotStore.* | Persistent snapshot storage |
| Filerestore_CLI/src/commands/UsnRecoverCommands.cpp | Batch recovery and argument parsing improvements |
| auto_test/*.py, *.ps1 | Statistical analysis and recovery test automation |
| #include "driver.h" | ||
|
|
||
| /* Global context - zero-initialized */ | ||
| GLOBAL_CONTEXT g_Context = { 0 }; |
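Review bot: the comment above `g_Context` records only that the structure is zero-initialized, which a file-scope object already is without the `= { 0 }`; it does not say which members still need a runtime initialiser before first use or where that happens. Consider extending the comment to name the initialisation point (for example DriverEntry) so that the all-zero state is not read as ready for use by later callbacks.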
Global variable g_Context is zero-initialized in C but uses types that may not be safely zeroed (KSPIN_LOCK, PFLT_FILTER, PFLT_PORT). While zero-initialization might work, it's safer to use explicit initialization in DriverEntry. The spin lock especially should be initialized using KeInitializeSpinLock before any use.
| __except (EXCEPTION_EXECUTE_HANDLER) { | ||
| /* Silent failure - never interfere with the original delete */ | ||
| if (nameInfo != NULL) { | ||
| FltReleaseFileNameInformation(nameInfo); | ||
| } | ||
| } |
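Review bot: in the `__except` block, `FltReleaseFileNameInformation(nameInfo)` runs whenever `nameInfo != NULL`, so if the guarded body has already released the name information and then faults, the handler releases it a second time. Set `nameInfo = NULL` immediately after every release inside the guarded body, or release it in one place after the `__except` statement. `EXCEPTION_EXECUTE_HANDLER` also accepts every exception code here; a filter expression limited to the codes this path expects would avoid masking unrelated faults.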
The exception handler at lines 164-169 silently swallows all exceptions without logging or tracking. This makes debugging difficult in production. Consider at least incrementing a counter or logging critical failures before returning.
New kernel-mode code (experimental; requires system test mode to be enabled)