过滤驱动 文件访问重定向方法

  在pre callback 中，使用IoReplaceFileObjectName 修改 Data->Iopb->TargetFileObject 文件路径， 然后：

                Data->IoStatus.Status = STATUS_REPARSE;
                Data->IoStatus.Information = IO_REPARSE;
                return FLT_PREOP_COMPLETE; // 返回 complete 因为 Status 是 reparse 因此IO管理器会重新进行一次文件访问。

这种 reparse 在其他类型的文件过滤驱动中也会用到。

To redirect a file-open or file-creation operation to another file, a file system filter driver does the following: 

In the handler of IRP_MJ_CREATE, obtains the file name (FileName field) from the FILE_OBJECT.
Replaces this name with the full name of the destination file.

This full name includes the name of the volume device object (for example, Device\HardDiskVolume0\Directory\MyFile.txt). You can substitute your own buffer to the existing FileName.Buffer present in the FILE_OBJECT. In this case, allocate your buffer from NonPaged pool memory, free the original FileName.Buffer by using ExFreePool, and then replace FileName.Buffer with your buffer.
Sets the status field of the IoStatus block to STATUS_REPARSE, and then sets the Information field to IO_REPARSE.
Completes the request.
Returns STATUS_REPARSE.
The IO Manager then triggers another file-open operation and sends an IRP_MJ_CREATE, taking into account the particular file name.

The destination file can be local or on a remote computer. To redirect the file-open operation to a remote file, use the following syntax for the file name: 
"\??\UNC\HostName\Share\File"

-or-
"\Device\Mup\HostName\Share\File"

-or-
"\Device\LanmanagerRedirector\HostName\Share\File" (assuming you are targeting a file on CIFS/SMB/LanManager)
The fact that the first create-file operation is performed relative to another file object does not matter. Do not modify the RelatedFileObject field of the FILE_OBJECT. To perform the reparse operation, the IO Manager considers only the FileName field and not the RelatedFileObject. Additionally, the IO Manager frees the RelatedFileObject, as appropriate, when it handles the STATUS_REPARSE status returned by the filter. Therefore, it is not the responsibility of the filter to free that file object.

There is a fixed limit concerning the number of nested reparse operations that the IO Manager can perform. This limit has been introduced to avoid infinite loops. The maximum number of nested reparse operations the system can perform is 32.

This reparsing method performed by the IO Manager has to be disassociated from reparse points. Reparse points have been introduced in NTFS, starting with Microsoft Windows 2000. Reparse points permit you to store information together with a file.