【半原创】Irp占坑保护文件不被删除
Irp操作出自125096的博客
http://blog.csdn.net/qq125096885/article/details/53033896
这里提一下:博主的例子中使用 IrpCloseFile 关闭文件对象,这可能会造成蓝屏。
见链接:https://bbs.pediy.com/thread-215269.htm
所以这里把IrpCloseFile改为ObDereferenceObject即可
但是如果是需要实现无法删除,那么就不需要调用ObDereferenceObject
原因你猜~
此方法使用Irp去删除是无法删除的~
见代码~
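#include <ntddk.h>

#ifndef MAX_PATH
#define MAX_PATH 260
#endif

/*
 * Prototypes for kernel exports that ntddk.h does not declare.
 * ObOpenObjectByPointer is declared for completeness but not used below.
 */
NTSTATUS ObOpenObjectByPointer(PVOID Object, ULONG HandleAttributes, PACCESS_STATE PassedAccessState,
                               ACCESS_MASK DesiredAccess, POBJECT_TYPE ObjectType, KPROCESSOR_MODE AccessMode,
                               PHANDLE Handle);

/* Undocumented: allocates a raw object body of ObjectType (no handle, no parse). */
NTSTATUS ObCreateObject(KPROCESSOR_MODE ProbeMode, POBJECT_TYPE ObjectType, POBJECT_ATTRIBUTES ObjectAttributes,
                        KPROCESSOR_MODE OwnershipMode, PVOID ParseContext, ULONG ObjectBodySize,
                        ULONG PagedPoolCharge, ULONG NonPagedPoolCharge, PVOID *Object);

NTSTATUS SeCreateAccessState(PACCESS_STATE AccessState, PVOID AuxData, ACCESS_MASK DesiredAccess,
                             PGENERIC_MAPPING GenericMapping);

/*
 * Auxiliary block handed to SeCreateAccessState. Only the leading fields are
 * named; Unknown[] is slack so the block is large enough for whatever the
 * running kernel writes there (the real layout is not documented -- keep it).
 */
typedef struct _AUX_ACCESS_DATA {
    PPRIVILEGE_SET PrivilegesUsed;
    GENERIC_MAPPING GenericMapping;
    ACCESS_MASK AccessesToAudit;
    ACCESS_MASK MaximumAuditMask;
    ULONG Unknown[256];
} AUX_ACCESS_DATA, *PAUX_ACCESS_DATA;

/* Resolve a volume root such as "\??\c:\" to its file-system device and the underlying disk device. */
NTSTATUS GetDriveObject(PUNICODE_STRING pDriveName, PDEVICE_OBJECT *DeviceObject, PDEVICE_OBJECT *ReadDevice);

/* Open a file by building a FILE_OBJECT by hand and sending IRP_MJ_CREATE straight to the file system. */
NTSTATUS IrpCreateFile(PUNICODE_STRING pFilePath, ACCESS_MASK DesiredAccess, PIO_STATUS_BLOCK pIoStatusBlock,
                       PFILE_OBJECT *pFileObject);

/* Unload routine. Nothing is released here; see DriverEntry for why the file object reference is kept. */
VOID DriverUnload(IN PDRIVER_OBJECT DriverObject)
{
    UNREFERENCED_PARAMETER(DriverObject);
}

/*
 * Entry point. Opens \??\c:\test.exe through IrpCreateFile and deliberately
 * keeps the returned FILE_OBJECT referenced: while that reference is held the
 * file cannot be deleted through the normal paths (that is the purpose of the
 * driver). The pointer is not stored anywhere, so this driver can never
 * release the reference, and DriverUnload does not either.
 *
 * @return STATUS_SUCCESS always, so the driver stays loaded even if the open fails.
 */
NTSTATUS DriverEntry(IN PDRIVER_OBJECT DriverObject, IN PUNICODE_STRING RegistryPath)
{
    NTSTATUS status;
    UNICODE_STRING strFilePath;
    IO_STATUS_BLOCK IoStatusBlock = { 0 };
    PFILE_OBJECT pFileObject = NULL;

    UNREFERENCED_PARAMETER(RegistryPath);
    DriverObject->DriverUnload = DriverUnload;

    RtlInitUnicodeString(&strFilePath, L"\\??\\c:\\test.exe");

    status = IrpCreateFile(&strFilePath, GENERIC_READ | DELETE, &IoStatusBlock, &pFileObject);
    if (NT_SUCCESS(status)) {
        /*
         * Do NOT close this object with an IRP_MJ_CLOSE: on a hand-built file
         * object that leads to a double free. The proper release would be
         *     ObDereferenceObject(pFileObject);
         * and it is intentionally omitted so the reference pins the file.
         */
    }
    return STATUS_SUCCESS;
}

/*
 * Completion routine for the create IRP built in IrpCreateFile.
 *
 * Copies the final status into the caller's IOSB, signals the caller's event,
 * frees any MDL and the IRP itself, and returns STATUS_MORE_PROCESSING_REQUIRED
 * so the I/O manager does not touch the (already freed) IRP again.
 */
NTSTATUS IoCompletionRoutineEx(PDEVICE_OBJECT DeviceObject, PIRP Irp, PVOID Context)
{
    UNREFERENCED_PARAMETER(DeviceObject);
    UNREFERENCED_PARAMETER(Context);

    /* The IOSB must be written before the event is set: the waiter reads it right after waking. */
    *Irp->UserIosb = Irp->IoStatus;
    if (Irp->UserEvent) {
        KeSetEvent(Irp->UserEvent, IO_NO_INCREMENT, FALSE);
    }
    if (Irp->MdlAddress) {
        IoFreeMdl(Irp->MdlAddress);
        Irp->MdlAddress = NULL;
    }
    IoFreeIrp(Irp);
    return STATUS_MORE_PROCESSING_REQUIRED;
}

/*
 * Resolve a volume root name to its device objects.
 *
 * @param pDriveName   e.g. "\??\C:\" (must be a directory on the volume).
 * @param DeviceObject receives Vpb->DeviceObject, the file-system volume device that IRPs are sent to.
 * @param ReadDevice   receives Vpb->RealDevice, the storage device the volume is mounted on.
 * @return STATUS_INVALID_PARAMETER on NULL arguments, the IoCreateFile /
 *         ObReferenceObjectByHandle status on failure, STATUS_UNSUCCESSFUL when
 *         the opened object carries no VPB, STATUS_SUCCESS otherwise.
 *
 * The temporary handle and file-object reference are always released.
 */
NTSTATUS GetDriveObject(PUNICODE_STRING pDriveName, PDEVICE_OBJECT *DeviceObject, PDEVICE_OBJECT *ReadDevice)
{
    NTSTATUS status;
    OBJECT_ATTRIBUTES objectAttributes;
    HANDLE DeviceHandle = NULL;
    IO_STATUS_BLOCK ioStatus;
    PFILE_OBJECT pFileObject = NULL;

    if (pDriveName == NULL || DeviceObject == NULL || ReadDevice == NULL) {
        return STATUS_INVALID_PARAMETER;
    }

    /*
     * Open the volume root as a directory, synchronously. OBJ_KERNEL_HANDLE keeps
     * the temporary handle out of the current process's user-visible table.
     */
    InitializeObjectAttributes(&objectAttributes, pDriveName, OBJ_CASE_INSENSITIVE | OBJ_KERNEL_HANDLE, NULL, NULL);
    status = IoCreateFile(&DeviceHandle, SYNCHRONIZE | FILE_ANY_ACCESS, &objectAttributes, &ioStatus, NULL, 0,
                          FILE_SHARE_READ | FILE_SHARE_WRITE, FILE_OPEN,
                          FILE_SYNCHRONOUS_IO_NONALERT | FILE_DIRECTORY_FILE, NULL, 0,
                          CreateFileTypeNone, NULL, IO_NO_PARAMETER_CHECKING);
    if (!NT_SUCCESS(status)) {
        return status;
    }

    status = ObReferenceObjectByHandle(DeviceHandle, FILE_READ_DATA, *IoFileObjectType, KernelMode,
                                       (PVOID *)&pFileObject, NULL);
    if (!NT_SUCCESS(status)) {
        goto out_close;
    }

    /* A mounted volume's file object carries a VPB; without one there are no devices to report. */
    if (pFileObject->Vpb == NULL || pFileObject->Vpb->RealDevice == NULL) {
        status = STATUS_UNSUCCESSFUL;
        goto out_deref;
    }

    *DeviceObject = pFileObject->Vpb->DeviceObject;
    *ReadDevice = pFileObject->Vpb->RealDevice;
    status = STATUS_SUCCESS;

out_deref:
    ObDereferenceObject(pFileObject);
out_close:
    ZwClose(DeviceHandle);
    return status;
}

/*
 * Open a file by sending IRP_MJ_CREATE directly to the file-system device,
 * bypassing the object manager's normal parse path.
 *
 * @param pFilePath      full path with a "\??\<drive>:" prefix, e.g. "\??\c:\windows\notepad.exe".
 *                       UNICODE_STRING.Length is in BYTES; the string plus a
 *                       terminator must fit in MAX_PATH wide characters.
 * @param DesiredAccess  access mask used to build the create's ACCESS_STATE.
 * @param pIoStatusBlock receives the create's final status; also read by this routine.
 * @param pFileObject    on success receives the new FILE_OBJECT, referenced once.
 *                       The caller owns that reference (release with ObDereferenceObject, not IRP_MJ_CLOSE).
 * @return STATUS_INVALID_PARAMETER for bad arguments or an over-long path,
 *         STATUS_INSUFFICIENT_RESOURCES when pool or IRP allocation fails,
 *         otherwise the status the file system reported for the create.
 *
 * Ownership notes: the pool copy of the volume-relative name is attached to
 * the file object as FileName.Buffer and is never freed here afterwards
 * (presumably the object manager's file-object delete routine frees it --
 * TODO confirm). The ACCESS_STATE is never torn down with
 * SeDeleteAccessState; NOTE(review): confirm whether that matters here.
 */
NTSTATUS IrpCreateFile(PUNICODE_STRING pFilePath, ACCESS_MASK DesiredAccess, PIO_STATUS_BLOCK pIoStatusBlock,
                       PFILE_OBJECT *pFileObject)
{
#define SYMBOLICLINKLENG 6                                      /* wide chars in "\??\c:" */
#define SYMBOLICLINKBYTES (SYMBOLICLINKLENG * sizeof(wchar_t))  /* the same prefix in bytes */
    /* Per-call security state. Pool-allocated: the pair is too large for the kernel stack,
     * and the previous static copies were shared between concurrent callers. */
    typedef struct _CREATE_CONTEXT {
        ACCESS_STATE AccessState;
        AUX_ACCESS_DATA AuxData;
    } CREATE_CONTEXT, *PCREATE_CONTEXT;

    NTSTATUS ntStatus;
    PIRP pIrp = NULL;
    KEVENT kEvent;
    PCREATE_CONTEXT pCtx = NULL;
    OBJECT_ATTRIBUTES ObjectAttributes;
    PFILE_OBJECT pNewFileObject = NULL;
    IO_SECURITY_CONTEXT SecurityContext;
    PIO_STACK_LOCATION IrpSp;
    PDEVICE_OBJECT pDeviceObject = NULL;
    PDEVICE_OBJECT pReadDevice = NULL;
    UNICODE_STRING DriveName;
    UNICODE_STRING RelativeName;
    wchar_t *pFileNameBuf = NULL;
    wchar_t szFilePath[MAX_PATH] = { 0 };   /* local, not static: a shared buffer raced between callers */

    if (pFilePath == NULL || pFilePath->Buffer == NULL || pIoStatusBlock == NULL || pFileObject == NULL) {
        return STATUS_INVALID_PARAMETER;
    }
    /*
     * Length is in bytes. Require the "\??\c:\" prefix (7 chars, so the first
     * copy below is in bounds) and enough room in szFilePath for the whole
     * string plus its terminator, so the second copy cannot overrun either.
     */
    if (pFilePath->Length < (SYMBOLICLINKLENG + 1) * sizeof(wchar_t) ||
        pFilePath->Length + sizeof(wchar_t) > sizeof(szFilePath)) {
        return STATUS_INVALID_PARAMETER;
    }

    /* Volume part: "\??\c:\" -- prefix plus the separating backslash. */
    RtlCopyMemory(szFilePath, pFilePath->Buffer, (SYMBOLICLINKLENG + 1) * sizeof(wchar_t));
    RtlInitUnicodeString(&DriveName, szFilePath);
    ntStatus = GetDriveObject(&DriveName, &pDeviceObject, &pReadDevice);
    if (!NT_SUCCESS(ntStatus)) {
        return ntStatus;
    }
    /* Checked before anything is allocated so the early exits leak nothing. */
    if (pDeviceObject == NULL || pReadDevice == NULL || pDeviceObject->StackSize <= 0) {
        return STATUS_UNSUCCESSFUL;
    }

    /* Volume-relative part: "\windows\notepad.exe". Byte count, not char count, is subtracted. */
    RtlZeroMemory(szFilePath, sizeof(szFilePath));
    RtlCopyMemory(szFilePath, &pFilePath->Buffer[SYMBOLICLINKLENG], pFilePath->Length - SYMBOLICLINKBYTES);
    RtlInitUnicodeString(&RelativeName, szFilePath);

    /* Pool copy of the relative name; ownership moves to the file object once attached. */
    pFileNameBuf = ExAllocatePool(NonPagedPool, RelativeName.MaximumLength);
    if (pFileNameBuf == NULL) {
        return STATUS_INSUFFICIENT_RESOURCES;
    }
    RtlZeroMemory(pFileNameBuf, RelativeName.MaximumLength);
    RtlCopyMemory(pFileNameBuf, RelativeName.Buffer, RelativeName.Length);

    pCtx = ExAllocatePool(NonPagedPool, sizeof(*pCtx));
    if (pCtx == NULL) {
        ntStatus = STATUS_INSUFFICIENT_RESOURCES;
        goto out_free_name;
    }
    RtlZeroMemory(pCtx, sizeof(*pCtx));

    InitializeObjectAttributes(&ObjectAttributes, NULL, OBJ_CASE_INSENSITIVE | OBJ_KERNEL_HANDLE, 0, NULL);
    ntStatus = ObCreateObject(KernelMode, *IoFileObjectType, &ObjectAttributes, KernelMode, NULL,
                              sizeof(FILE_OBJECT), 0, 0, (PVOID *)&pNewFileObject);
    if (!NT_SUCCESS(ntStatus)) {
        goto out_free_ctx;
    }
    /* Zero the body at once so any early teardown below sees a nameless, deviceless object. */
    RtlZeroMemory(pNewFileObject, sizeof(FILE_OBJECT));

    pIrp = IoAllocateIrp(pDeviceObject->StackSize, FALSE);
    if (pIrp == NULL) {
        ntStatus = STATUS_INSUFFICIENT_RESOURCES;
        goto out_deref_object;
    }

    KeInitializeEvent(&kEvent, SynchronizationEvent, FALSE);

    /* Hand-built FILE_OBJECT, filled in the way the I/O manager would before a create. */
    pNewFileObject->Type = IO_TYPE_FILE;
    pNewFileObject->Size = sizeof(FILE_OBJECT);
    pNewFileObject->DeviceObject = pReadDevice;
    pNewFileObject->Flags = FO_SYNCHRONOUS_IO;
    RtlInitUnicodeString(&pNewFileObject->FileName, pFileNameBuf);
    pFileNameBuf = NULL;    /* now owned by the file object; must not be freed on the paths below */
    KeInitializeEvent(&pNewFileObject->Lock, SynchronizationEvent, FALSE);
    KeInitializeEvent(&pNewFileObject->Event, NotificationEvent, FALSE);

    ntStatus = SeCreateAccessState(&pCtx->AccessState, &pCtx->AuxData, DesiredAccess,
                                   IoGetFileObjectGenericMapping());
    if (!NT_SUCCESS(ntStatus)) {
        IoFreeIrp(pIrp);
        goto out_deref_object;
    }

    SecurityContext.SecurityQos = NULL;
    SecurityContext.AccessState = &pCtx->AccessState;
    SecurityContext.DesiredAccess = DesiredAccess;
    SecurityContext.FullCreateOptions = 0;

    pIrp->MdlAddress = NULL;
    pIrp->AssociatedIrp.SystemBuffer = NULL;
    pIrp->Flags = IRP_CREATE_OPERATION | IRP_SYNCHRONOUS_API;
    pIrp->RequestorMode = KernelMode;
    pIrp->UserIosb = pIoStatusBlock;
    pIrp->UserEvent = &kEvent;
    pIrp->PendingReturned = FALSE;
    pIrp->Cancel = FALSE;
    pIrp->CancelRoutine = NULL;
    pIrp->Tail.Overlay.Thread = PsGetCurrentThread();
    pIrp->Tail.Overlay.AuxiliaryBuffer = NULL;
    pIrp->Tail.Overlay.OriginalFileObject = pNewFileObject;

    IrpSp = IoGetNextIrpStackLocation(pIrp);
    IrpSp->MajorFunction = IRP_MJ_CREATE;
    IrpSp->DeviceObject = pDeviceObject;
    IrpSp->FileObject = pNewFileObject;
    IrpSp->Parameters.Create.SecurityContext = &SecurityContext;
    IrpSp->Parameters.Create.Options = (FILE_OPEN_IF << 24) | 0;   /* disposition in the top byte, no create options */
    IrpSp->Parameters.Create.FileAttributes = FILE_ATTRIBUTE_NORMAL;
    IrpSp->Parameters.Create.ShareAccess = FILE_SHARE_READ | FILE_SHARE_WRITE | FILE_SHARE_DELETE;
    IrpSp->Parameters.Create.EaLength = 0;

    /* The completion routine frees the IRP; pIrp must not be touched after IoCallDriver. */
    IoSetCompletionRoutine(pIrp, IoCompletionRoutineEx, NULL, TRUE, TRUE, TRUE);
    ntStatus = IoCallDriver(pDeviceObject, pIrp);
    if (ntStatus == STATUS_PENDING) {
        /*
         * Non-alertable wait: kEvent and pIoStatusBlock live on this frame and
         * are written by the completion routine, so returning early on an alert
         * would race with that write.
         */
        KeWaitForSingleObject(&kEvent, Executive, KernelMode, FALSE, NULL);
    }

    ntStatus = pIoStatusBlock->Status;
    if (!NT_SUCCESS(ntStatus)) {
        goto out_deref_object;
    }

    /* Pin the device and VPB for the lifetime of the file object -- presumably mirrors
     * the I/O manager's own bookkeeping after a successful create; confirm. */
    InterlockedIncrement(&pNewFileObject->DeviceObject->ReferenceCount);
    if (pNewFileObject->Vpb) {
        InterlockedIncrement(&pNewFileObject->Vpb->ReferenceCount);
    }
    *pFileObject = pNewFileObject;
    ExFreePool(pCtx);
    return ntStatus;

out_deref_object:
    /* Detach the device before dropping the last reference, as the original did on create failure. */
    pNewFileObject->DeviceObject = NULL;
    ObDereferenceObject(pNewFileObject);
out_free_ctx:
    ExFreePool(pCtx);
out_free_name:
    /* Only non-NULL if the name was never attached to a file object; ExFreePool(NULL) is not allowed. */
    if (pFileNameBuf != NULL) {
        ExFreePool(pFileNameBuf);
    }
    return ntStatus;
}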
删除的思路
1. 找到这个 FileObject,并对它调用 ObDereferenceObject~
2.找跟句柄、对象无关的删除方法~