loadImageNotifyRoutine中拿全路径

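#include <ntifs.h>
#include <ntddk.h>
#include <Ntstrsafe.h>
#include <fltKernel.h>

/* Pool tag shared by every allocation in this driver (visible in !poolused / Driver Verifier). */
#define LOADIMG_POOL_TAG 'gmIL'

/* Characters in the per-call scratch buffer used to build "\??\X:" and the final path. */
#define PATH_SCRATCH_CCH PAGE_SIZE

/* Free a pool block and clear the pointer so a second SafeFreeDelete is a no-op. */
#define SafeFreeDelete(pData) \
    do { if ((pData) != NULL) { ExFreePool(pData); (pData) = NULL; } } while (0)

/* Drop an object reference and clear the pointer. */
#define SafeDereferenceObject(Object) \
    do { if ((Object) != NULL) { ObDereferenceObject(Object); (Object) = NULL; } } while (0)

/* Close a kernel handle and clear it. */
#define SafeCloseHandle(Handle) \
    do { if ((Handle) != NULL) { ZwClose(Handle); (Handle) = NULL; } } while (0)

/*
 * Copy strBuff into one NonPagedPool block: the UNICODE_STRING header is
 * followed by the characters plus a terminating NUL, so a single ExFreePool
 * (SafeFreeDelete) releases header and buffer together.
 *
 * Returns the new string, or NULL on bad input or allocation failure.
 * Ownership of the returned block passes to the caller.
 */
PUNICODE_STRING ExAllocateUnicodeStingPool(PUNICODE_STRING strBuff)
{
    PUNICODE_STRING AllocateString = NULL;
    SIZE_T          cbTotal;

    /* Reject NULL before MmIsAddressValid is asked about it.  MmIsAddressValid
     * only reports that the page is resident; it is a heuristic, not proof
     * that strBuff is a UNICODE_STRING.  MaximumLength is a USHORT, so refuse
     * a Length that would wrap once the terminator is added. */
    if (strBuff == NULL || !MmIsAddressValid(strBuff) ||
        strBuff->Buffer == NULL ||
        strBuff->Length < sizeof(wchar_t) ||
        strBuff->Length > MAXUSHORT - sizeof(wchar_t)) {
        ASSERT(FALSE);
        return NULL;
    }

    cbTotal = sizeof(UNICODE_STRING) + strBuff->Length + sizeof(wchar_t);
    AllocateString = ExAllocatePoolWithTag(NonPagedPool, cbTotal, LOADIMG_POOL_TAG);
    if (AllocateString == NULL) {
        ASSERT(FALSE);
        return NULL;
    }
    RtlZeroMemory(AllocateString, cbTotal);

    AllocateString->Length        = strBuff->Length;
    AllocateString->MaximumLength = AllocateString->Length + sizeof(wchar_t);
    /* Buffer lives directly behind the header inside the same allocation. */
    AllocateString->Buffer        = (PWSTR)((PUCHAR)AllocateString + sizeof(UNICODE_STRING));
    RtlCopyMemory(AllocateString->Buffer, strBuff->Buffer, strBuff->Length);
    return AllocateString;
}

/*
 * Resolve a DOS-style symbolic link such as \??\C: to the device behind it.
 *
 * On success:
 *   *pDeviceVolumeName - pool block holding the link target (e.g. the NT
 *                        device name); header and buffer share one PAGE_SIZE
 *                        allocation, free with SafeFreeDelete.
 *   *pFileObject       - referenced FILE_OBJECT from IoGetDeviceObjectPointer;
 *                        release with ObDereferenceObject.
 *   *pDeviceObject     - device the file object sits on (not referenced).
 * On failure all three outputs are NULL and nothing is owned by the caller.
 */
NTSTATUS GetSymbolicLinkObject(PUNICODE_STRING  pDeviceLinkName,
                               PDEVICE_OBJECT  *pDeviceObject,
                               PFILE_OBJECT    *pFileObject,
                               PUNICODE_STRING *pDeviceVolumeName)
{
    NTSTATUS          status = STATUS_UNSUCCESSFUL;
    OBJECT_ATTRIBUTES ObjectAttributes;
    HANDLE            LinkHandle = NULL;

    ASSERT(pDeviceLinkName);
    ASSERT(pDeviceObject);
    ASSERT(pFileObject);
    ASSERT(pDeviceVolumeName);
    if (pDeviceLinkName == NULL || pDeviceObject == NULL ||
        pFileObject == NULL || pDeviceVolumeName == NULL) {
        return STATUS_UNSUCCESSFUL;
    }

    /* Clear the outputs up front.  The failure path below frees
     * *pDeviceVolumeName; the original code did not initialise it, so an
     * early failure (e.g. a drive letter that does not exist) freed whatever
     * uninitialised pointer the caller had passed in. */
    *pDeviceObject     = NULL;
    *pFileObject       = NULL;
    *pDeviceVolumeName = NULL;

    do {
        InitializeObjectAttributes(&ObjectAttributes, pDeviceLinkName,
                                   OBJ_KERNEL_HANDLE | OBJ_CASE_INSENSITIVE, NULL, NULL);
        /* SYMBOLIC_LINK_QUERY is the right defined for link objects; the
         * FILE_READ_ATTRIBUTES bit used before is a file right and only
         * "worked" because kernel-mode opens skip the access check. */
        status = ZwOpenSymbolicLinkObject(&LinkHandle, SYMBOLIC_LINK_QUERY, &ObjectAttributes);
        if (!NT_SUCCESS(status)) {
            break;
        }

        status = STATUS_INSUFFICIENT_RESOURCES;
        *pDeviceVolumeName = ExAllocatePoolWithTag(NonPagedPool, PAGE_SIZE, LOADIMG_POOL_TAG);
        if (*pDeviceVolumeName == NULL) {
            break;
        }
        RtlZeroMemory(*pDeviceVolumeName, PAGE_SIZE);
        /* Header at the start of the page, buffer in the remainder; the query
         * below overwrites Length with the real target length. */
        (*pDeviceVolumeName)->Length        = PAGE_SIZE - sizeof(UNICODE_STRING);
        (*pDeviceVolumeName)->MaximumLength = PAGE_SIZE - sizeof(UNICODE_STRING);
        (*pDeviceVolumeName)->Buffer        = (PWSTR)((PUCHAR)(*pDeviceVolumeName) + sizeof(UNICODE_STRING));

        status = ZwQuerySymbolicLinkObject(LinkHandle, *pDeviceVolumeName, NULL);
        if (!NT_SUCCESS(status)) {
            break;
        }

        /* Takes a reference on *pFileObject that the caller owns on success. */
        status = IoGetDeviceObjectPointer(*pDeviceVolumeName, FILE_READ_ATTRIBUTES,
                                          pFileObject, pDeviceObject);
    } while (FALSE);

    if (!NT_SUCCESS(status)) {
        SafeFreeDelete(*pDeviceVolumeName);
        *pFileObject   = NULL;
        *pDeviceObject = NULL;
    }
    SafeCloseHandle(LinkHandle);
    return status;
}

/*
 * Walk \??\A: .. \??\Z:, find the drive letter whose volume lives on
 * DeviceObject and build "<link target><pFileName>" for it.
 *
 * Returns a pool-allocated UNICODE_STRING (free with SafeFreeDelete), or NULL
 * when no drive matches, the combined path does not fit the scratch buffer,
 * or an allocation fails.
 *
 * IoVolumeDeviceToDosName would do this lookup directly; the author left a
 * call to it commented out, apparently because it was not safe in this
 * context (compare the IoQueryFileDosDeviceName note in the callback).
 */
PUNICODE_STRING SymbolicLinkDeviceObjectToVolume(PDEVICE_OBJECT DeviceObject, PUNICODE_STRING pFileName)
{
    PUNICODE_STRING pVolume       = NULL;
    PUNICODE_STRING pName         = NULL;
    PDEVICE_OBJECT  pDeviceObject = NULL;
    PFILE_OBJECT    pFileObject   = NULL;
    UNICODE_STRING  unicodestring;
    NTSTATUS        status;
    PWCHAR          szText;
    const SIZE_T    cbScratch = PATH_SCRATCH_CCH * sizeof(wchar_t);

    /* Per-call scratch buffer.  The image-load callback can run on several
     * processors at the same time, so the former static buffer was shared
     * between concurrent callers.  PAGE_SIZE wide characters is too large for
     * the kernel stack, hence pool. */
    szText = ExAllocatePoolWithTag(NonPagedPool, cbScratch, LOADIMG_POOL_TAG);
    if (szText == NULL) {
        return NULL;
    }

    for (wchar_t Volume = L'A'; Volume <= L'Z'; Volume++) {
        RtlStringCbPrintfExW(szText, cbScratch, NULL, NULL, STRSAFE_FILL_BEHIND_NULL,
                             L"\\??\\%c:", Volume);
        RtlInitUnicodeString(&unicodestring, szText);

        status = GetSymbolicLinkObject(&unicodestring, &pDeviceObject, &pFileObject, &pVolume);
        if (!NT_SUCCESS(status)) {
            continue;   /* no such drive letter; GetSymbolicLinkObject owns nothing on failure */
        }

        if (pFileObject != NULL && DeviceObject == pFileObject->DeviceObject) {
            /* Result is the link target followed by the path relative to the
             * volume.  Strsafe reports truncation as a failure status, in
             * which case no (partial) name is returned. */
            status = RtlStringCbPrintfExW(szText, cbScratch, NULL, NULL, STRSAFE_FILL_BEHIND_NULL,
                                          L"%wZ%wZ", pVolume, pFileName);
            if (NT_SUCCESS(status)) {
                RtlInitUnicodeString(&unicodestring, szText);
                pName = ExAllocateUnicodeStingPool(&unicodestring);
            }
        }

        /* Released on every successful iteration, including the one that
         * matched (the original leaked pVolume when pFileObject was NULL). */
        SafeFreeDelete(pVolume);
        SafeDereferenceObject(pFileObject);

        if (pName != NULL) {
            break;
        }
    }

    ExFreePool(szText);
    return pName;
}

/*
 * Image-load notify callback registered with PsSetLoadImageNotifyRoutine.
 * Logs the full NT path of each mapped image via KdPrint.
 *
 * Two strategies:
 *   - ExtendedInfoPresent (Windows 7 and later): IMAGE_INFO is embedded in an
 *     IMAGE_INFO_EX that carries the FILE_OBJECT, and Filter Manager resolves
 *     its normalized name.
 *   - 32-bit builds without extended info: FullImageName is assumed to be the
 *     FileName member of the image's FILE_OBJECT (undocumented layout, see
 *     the comment in that branch).
 */
VOID loadImageNotifyRoutine(PUNICODE_STRING FullImageName, HANDLE ProcessId, PIMAGE_INFO pImageInfo)
{
    NTSTATUS status;

    if (pImageInfo == NULL) {
        ASSERT(FALSE);
        return;
    }

    /* 32-bit kernel-mode images being loaded on behalf of the System process. */
    if (pImageInfo->SystemModeImage &&
        pImageInfo->ImageAddressingMode == IMAGE_ADDRESSING_MODE_32BIT &&
        PsGetCurrentProcess() == PsInitialSystemProcess) {
        KdPrint(("%wZ\n", FullImageName));
    }

    if (pImageInfo->ExtendedInfoPresent) {
        /* IMAGE_INFO is the ImageInfo member of IMAGE_INFO_EX. */
        PIMAGE_INFO_EX             pImageInfoEx        = CONTAINING_RECORD(pImageInfo, IMAGE_INFO_EX, ImageInfo);
        PFLT_FILE_NAME_INFORMATION FileNameInformation = NULL;

        if (pImageInfoEx == NULL || pImageInfoEx->Size != sizeof(IMAGE_INFO_EX)) {
            ASSERT(FALSE);
            return;
        }

        /* Author's note (2017-11-09): IoQueryFileDosDeviceName hung the system
         * from this callback; using it would need a KeAreAllApcsDisabled()
         * guard first.  FltGetFileNameInformationUnsafe resolves the name
         * from the file object instead. */
        status = FltGetFileNameInformationUnsafe(pImageInfoEx->FileObject, NULL,
                                                 FLT_FILE_NAME_NORMALIZED | FLT_FILE_NAME_QUERY_DEFAULT,
                                                 &FileNameInformation);
        if (NT_SUCCESS(status)) {
            KdPrint(("%wZ\n", &FileNameInformation->Name));
            FltReleaseFileNameInformation(FileNameInformation);
        }
        return;
    }

#ifndef _WIN64
    {
        PFILE_OBJECT    pFileObject;
        PUNICODE_STRING pName;

        /* ProcessId is NULL for driver images; those are only logged by name. */
        if (FullImageName == NULL || ProcessId == NULL) {
            if (FullImageName != NULL) {
                KdPrint(("%wZ\n", FullImageName));
            }
            return;
        }

        /* Undocumented assumption carried over from the original code:
         * FullImageName points at the FileName member of the image's
         * FILE_OBJECT.  The Type check against IO_TYPE_FILE is the only
         * sanity check available; MmIsAddressValid merely says the page is
         * resident, not that the object is a FILE_OBJECT. */
        pFileObject = CONTAINING_RECORD(FullImageName, FILE_OBJECT, FileName);
        if (!MmIsAddressValid(pFileObject) || pFileObject->Type != IO_TYPE_FILE) {
            KdPrint(("%wZ\n", FullImageName));
            return;
        }

        pName = SymbolicLinkDeviceObjectToVolume(pFileObject->DeviceObject, &pFileObject->FileName);
        if (pName != NULL) {
            KdPrint(("%wZ\n", pName));
            SafeFreeDelete(pName);
        }
    }
#else
    UNREFERENCED_PARAMETER(ProcessId);
#endif
}

/*
 * Driver unload.  The notify routine must be unregistered here: once the
 * driver image is gone, the next image load would otherwise call into freed
 * memory.  If DriverEntry never registered it, the remove call simply fails.
 */
VOID DriverUnload(IN PDRIVER_OBJECT DriverObject)
{
    UNREFERENCED_PARAMETER(DriverObject);
    PsRemoveLoadImageNotifyRoutine(loadImageNotifyRoutine);
}

/*
 * Driver entry: install the unload handler and register the image-load
 * callback.  Returns the registration status so a failed registration does
 * not leave a loaded driver that does nothing.
 */
NTSTATUS DriverEntry(IN PDRIVER_OBJECT DriverObject, IN PUNICODE_STRING RegistryPath)
{
    NTSTATUS status;

    UNREFERENCED_PARAMETER(RegistryPath);

    DriverObject->DriverUnload = DriverUnload;

#if DBG
    /* Debug builds only: without an attached kernel debugger a breakpoint
     * here bugchecks the machine. */
    DbgBreakPoint();
#endif

    status = PsSetLoadImageNotifyRoutine(loadImageNotifyRoutine);
    if (!NT_SUCCESS(status)) {
        return status;   /* nothing registered, nothing for DriverUnload to undo */
    }
    return STATUS_SUCCESS;
}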
