fltmgr什么时候会出现在文件系统栈上

FltRegisterFilter registers a minifilter driver.

NTSTATUS
  FltRegisterFilter(
    IN PDRIVER_OBJECT  Driver,
    IN CONST FLT_REGISTRATION  *Registration,
    OUT PFLT_FILTER  *RetFilter
    ); 

正常系统中如果没有minifilter驱动的话，fltmgr驱动不会生成device object挂在文件系统栈中

当有驱动调用FltRegisterFilter时，最终才会生成一个deviceobject 调用IoAttachDeviceToDeviceStackSafe挂到文件系统栈中，

调用栈如下：

 

ChildEBP RetAddr
f8af1930 f84a77a7 nt!IoAttachDeviceToDeviceStackSafe
f8af1990 f84a7d94 fltMgr!FltpAttachDeviceObject+0x7b
f8af19e8 f84abb9f fltMgr!FltpAttachToFileSystemDevice+0x120
f8af1b14 80569a4d fltMgr!FltpFsNotification+0x47
f8af1b2c 80569aea nt!IopNotifyAlreadyRegisteredFileSystems+0x25
f8af1b4c f84a0369 nt!IoRegisterFsRegistrationChange+0x8e
f8af1bb4 f84ac8ea fltMgr!FltpAttachFrame+0x107
f8af1c00 f84b3b8d fltMgr!FltpFindFrameForFilter+0xa8
f8af1c64 f8a6a4cc fltMgr!FltRegisterFilter+0x295
WARNING: Stack unwind information not available. Following frames may be wrong.