Win7 隐藏驱动的编译与安装
为了在 Win7 下隐藏目标文件夹,经过调试,以下代码可以实现相关功能。代码基于微软 passThrough minifilter 示例:在目录查询完成后,从返回的列表中摘除名称以 "invisible" 开头的条目;它只修改目录列表,并不拦截按完整路径直接打开的请求。
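/*++

Copyright (c) 1999 - 2002  Microsoft Corporation

Module Name:

    passThrough.c

Abstract:

    This is the main module of the passThrough miniFilter driver, modified
    from the Microsoft passThrough sample.  As registered in Callbacks[]
    below, only the post-operation callback for IRP_MJ_DIRECTORY_CONTROL is
    active: it edits completed directory listings so that entries whose
    name starts with prefixName are unlinked from the returned buffer.
    The other pre-operation and status callbacks are kept from the sample
    but are not registered.

    Review notes:

    - Only listings of class FileIdBothDirectoryInformation are edited and
      no IRP_MJ_CREATE callback is registered.  A matching object can
      therefore still be opened by its full path, and listings returned
      through any other information class are left untouched.  Comparing
      those views is a practical way to notice a filter of this kind; a
      loaded minifilter also shows up in the filter manager's list (fltmc).

    - The listing buffer belongs to the requester.  Every offset and length
      read from it is bounds-checked against the number of bytes the file
      system reported before it is used.

Environment:

    Kernel mode

--*/

#include <fltKernel.h>
#include <dontuse.h>
#include <suppress.h>

#pragma prefast(disable:__WARNING_ENCODE_MEMBER_FUNCTION_POINTER, "Not valid for kernel mode drivers")

PFLT_FILTER gFilterHandle;
ULONG_PTR OperationStatusCtx = 1;

#define PTDBG_TRACE_ROUTINES            0x00000001
#define PTDBG_TRACE_OPERATION_STATUS    0x00000002

ULONG gTraceFlags = 0;

#define PT_DBG_PRINT( _dbgLevel, _string )          \
    (FlagOn(gTraceFlags,(_dbgLevel)) ?              \
        DbgPrint _string :                          \
        ((int)0))

/*************************************************************************
    Prototypes
*************************************************************************/

DRIVER_INITIALIZE DriverEntry;
NTSTATUS
DriverEntry (
    __in PDRIVER_OBJECT DriverObject,
    __in PUNICODE_STRING RegistryPath
    );

NTSTATUS
PtInstanceSetup (
    __in PCFLT_RELATED_OBJECTS FltObjects,
    __in FLT_INSTANCE_SETUP_FLAGS Flags,
    __in DEVICE_TYPE VolumeDeviceType,
    __in FLT_FILESYSTEM_TYPE VolumeFilesystemType
    );

VOID
PtInstanceTeardownStart (
    __in PCFLT_RELATED_OBJECTS FltObjects,
    __in FLT_INSTANCE_TEARDOWN_FLAGS Flags
    );

VOID
PtInstanceTeardownComplete (
    __in PCFLT_RELATED_OBJECTS FltObjects,
    __in FLT_INSTANCE_TEARDOWN_FLAGS Flags
    );

NTSTATUS
PtUnload (
    __in FLT_FILTER_UNLOAD_FLAGS Flags
    );

NTSTATUS
PtInstanceQueryTeardown (
    __in PCFLT_RELATED_OBJECTS FltObjects,
    __in FLT_INSTANCE_QUERY_TEARDOWN_FLAGS Flags
    );

FLT_PREOP_CALLBACK_STATUS
PtPreOperationPassThrough (
    __inout PFLT_CALLBACK_DATA Data,
    __in PCFLT_RELATED_OBJECTS FltObjects,
    __deref_out_opt PVOID *CompletionContext
    );

VOID
PtOperationStatusCallback (
    __in PCFLT_RELATED_OBJECTS FltObjects,
    __in PFLT_IO_PARAMETER_BLOCK ParameterSnapshot,
    __in NTSTATUS OperationStatus,
    __in PVOID RequesterContext
    );

FLT_POSTOP_CALLBACK_STATUS
PtPostOperationPassThrough (
    __inout PFLT_CALLBACK_DATA Data,
    __in PCFLT_RELATED_OBJECTS FltObjects,
    __in_opt PVOID CompletionContext,
    __in FLT_POST_OPERATION_FLAGS Flags
    );

FLT_PREOP_CALLBACK_STATUS
PtPreOperationNoPostOperationPassThrough (
    __inout PFLT_CALLBACK_DATA Data,
    __in PCFLT_RELATED_OBJECTS FltObjects,
    __deref_out_opt PVOID *CompletionContext
    );

BOOLEAN
PtDoRequestOperationStatus(
    __in PFLT_CALLBACK_DATA Data
    );

//
//  Assign text sections for each routine.
//

#ifdef ALLOC_PRAGMA
#pragma alloc_text(INIT, DriverEntry)
#pragma alloc_text(PAGE, PtUnload)
#pragma alloc_text(PAGE, PtInstanceQueryTeardown)
#pragma alloc_text(PAGE, PtInstanceSetup)
#pragma alloc_text(PAGE, PtInstanceTeardownStart)
#pragma alloc_text(PAGE, PtInstanceTeardownComplete)
#endif

//
//  operation registration
//
//  Only directory-control completions are intercepted, and only on the
//  post-operation side (the pre-operation slot is NULL).
//

CONST FLT_OPERATION_REGISTRATION Callbacks[] = {

    { IRP_MJ_DIRECTORY_CONTROL,
      0,
      NULL,
      PtPostOperationPassThrough },

    { IRP_MJ_OPERATION_END }
};

//
//  This defines what we want to filter with FltMgr
//

CONST FLT_REGISTRATION FilterRegistration = {

    sizeof( FLT_REGISTRATION ),         //  Size
    FLT_REGISTRATION_VERSION,           //  Version
    0,                                  //  Flags

    NULL,                               //  Context
    Callbacks,                          //  Operation callbacks

    PtUnload,                           //  MiniFilterUnload

    PtInstanceSetup,                    //  InstanceSetup
    PtInstanceQueryTeardown,            //  InstanceQueryTeardown
    PtInstanceTeardownStart,            //  InstanceTeardownStart
    PtInstanceTeardownComplete,         //  InstanceTeardownComplete

    NULL,                               //  GenerateFileName
    NULL,                               //  GenerateDestinationFileName
    NULL                                //  NormalizeNameComponent
};

//
//  Name prefix (compared case-insensitively) of the directory entries the
//  post-operation callback unlinks.  prefixLength is the prefix length in
//  characters and is kept alongside it; the comparison itself measures
//  prefixName so the two cannot drift apart.
//

PWCHAR prefixName = L"invisible";
ULONG prefixLength = 9;


NTSTATUS
PtInstanceSetup (
    __in PCFLT_RELATED_OBJECTS FltObjects,
    __in FLT_INSTANCE_SETUP_FLAGS Flags,
    __in DEVICE_TYPE VolumeDeviceType,
    __in FLT_FILESYSTEM_TYPE VolumeFilesystemType
    )
/*++

Routine Description:

    This routine is called whenever a new instance is created on a volume.
    This gives us a chance to decide if we need to attach to this volume or
    not.  This implementation attaches to every volume it is offered.

    If this routine is not defined in the registration structure, automatic
    instances are always created.

Arguments:

    FltObjects - Pointer to the FLT_RELATED_OBJECTS data structure containing
        opaque handles to this filter, instance and its associated volume.

    Flags - Flags describing the reason for this attach request.

    VolumeDeviceType - Unused.

    VolumeFilesystemType - Unused.

Return Value:

    STATUS_SUCCESS - attach (the only value returned here)
    STATUS_FLT_DO_NOT_ATTACH - do not attach

--*/
{
    UNREFERENCED_PARAMETER( FltObjects );
    UNREFERENCED_PARAMETER( Flags );
    UNREFERENCED_PARAMETER( VolumeDeviceType );
    UNREFERENCED_PARAMETER( VolumeFilesystemType );

    PAGED_CODE();

    PT_DBG_PRINT( PTDBG_TRACE_ROUTINES,
                  ("PassThrough!PtInstanceSetup: Entered\n") );

    return STATUS_SUCCESS;
}


NTSTATUS
PtInstanceQueryTeardown (
    __in PCFLT_RELATED_OBJECTS FltObjects,
    __in FLT_INSTANCE_QUERY_TEARDOWN_FLAGS Flags
    )
/*++

Routine Description:

    This is called when an instance is being manually deleted by a call to
    FltDetachVolume or FilterDetach thereby giving us a chance to fail that
    detach request.  This implementation always allows the detach.

    If this routine is not defined in the registration structure, explicit
    detach requests via FltDetachVolume or FilterDetach will always be
    failed.

Arguments:

    FltObjects - Pointer to the FLT_RELATED_OBJECTS data structure containing
        opaque handles to this filter, instance and its associated volume.

    Flags - Indicating where this detach request came from.

Return Value:

    Returns the status of this operation (always STATUS_SUCCESS).

--*/
{
    UNREFERENCED_PARAMETER( FltObjects );
    UNREFERENCED_PARAMETER( Flags );

    PAGED_CODE();

    PT_DBG_PRINT( PTDBG_TRACE_ROUTINES,
                  ("PassThrough!PtInstanceQueryTeardown: Entered\n") );

    return STATUS_SUCCESS;
}


VOID
PtInstanceTeardownStart (
    __in PCFLT_RELATED_OBJECTS FltObjects,
    __in FLT_INSTANCE_TEARDOWN_FLAGS Flags
    )
/*++

Routine Description:

    This routine is called at the start of instance teardown.  It only
    emits a trace message.

Arguments:

    FltObjects - Pointer to the FLT_RELATED_OBJECTS data structure containing
        opaque handles to this filter, instance and its associated volume.

    Flags - Reason why this instance is being deleted.

Return Value:

    None.

--*/
{
    UNREFERENCED_PARAMETER( FltObjects );
    UNREFERENCED_PARAMETER( Flags );

    PAGED_CODE();

    PT_DBG_PRINT( PTDBG_TRACE_ROUTINES,
                  ("PassThrough!PtInstanceTeardownStart: Entered\n") );
}


VOID
PtInstanceTeardownComplete (
    __in PCFLT_RELATED_OBJECTS FltObjects,
    __in FLT_INSTANCE_TEARDOWN_FLAGS Flags
    )
/*++

Routine Description:

    This routine is called at the end of instance teardown.  It only emits
    a trace message.

Arguments:

    FltObjects - Pointer to the FLT_RELATED_OBJECTS data structure containing
        opaque handles to this filter, instance and its associated volume.

    Flags - Reason why this instance is being deleted.

Return Value:

    None.

--*/
{
    UNREFERENCED_PARAMETER( FltObjects );
    UNREFERENCED_PARAMETER( Flags );

    PAGED_CODE();

    PT_DBG_PRINT( PTDBG_TRACE_ROUTINES,
                  ("PassThrough!PtInstanceTeardownComplete: Entered\n") );
}


/*************************************************************************
    MiniFilter initialization and unload routines.
*************************************************************************/

NTSTATUS
DriverEntry (
    __in PDRIVER_OBJECT DriverObject,
    __in PUNICODE_STRING RegistryPath
    )
/*++

Routine Description:

    This is the initialization routine for this miniFilter driver.  This
    registers with FltMgr and starts filtering.  If FltStartFiltering fails
    the registration is undone before returning.

Arguments:

    DriverObject - Pointer to driver object created by the system to
        represent this driver.

    RegistryPath - Unicode string identifying where the parameters for this
        driver are located in the registry.  Unused.

Return Value:

    STATUS_SUCCESS, or the failure status of FltRegisterFilter or
    FltStartFiltering.

--*/
{
    NTSTATUS status;

    UNREFERENCED_PARAMETER( RegistryPath );

    PT_DBG_PRINT( PTDBG_TRACE_ROUTINES,
                  ("PassThrough!DriverEntry: Entered\n") );

    //
    //  Register with FltMgr to tell it our callback routines
    //

    status = FltRegisterFilter( DriverObject,
                                &FilterRegistration,
                                &gFilterHandle );

    ASSERT( NT_SUCCESS( status ) );

    if (NT_SUCCESS( status )) {

        //
        //  Start filtering i/o
        //

        status = FltStartFiltering( gFilterHandle );

        if (!NT_SUCCESS( status )) {

            FltUnregisterFilter( gFilterHandle );
        }
    }

    KdPrint(("hello driver!"));

    return status;
}


NTSTATUS
PtUnload (
    __in FLT_FILTER_UNLOAD_FLAGS Flags
    )
/*++

Routine Description:

    This is the unload routine for this miniFilter driver. This is called
    when the minifilter is about to be unloaded. We can fail this unload
    request if this is not a mandatory unload indicated by the Flags
    parameter.  This implementation never fails the request.

Arguments:

    Flags - Indicating if this is a mandatory unload.

Return Value:

    Returns the final status of this operation (always STATUS_SUCCESS).

--*/
{
    UNREFERENCED_PARAMETER( Flags );

    PAGED_CODE();

    KdPrint(("hello drive1r! unload "));

    PT_DBG_PRINT( PTDBG_TRACE_ROUTINES,
                  ("PassThrough!PtUnload: Entered\n") );

    FltUnregisterFilter( gFilterHandle );

    return STATUS_SUCCESS;
}


/*************************************************************************
    MiniFilter callback routines.
*************************************************************************/

FLT_PREOP_CALLBACK_STATUS
PtPreOperationPassThrough (
    __inout PFLT_CALLBACK_DATA Data,
    __in PCFLT_RELATED_OBJECTS FltObjects,
    __deref_out_opt PVOID *CompletionContext
    )
/*++

Routine Description:

    Pre-operation routine kept from the sample.  It is not referenced by
    Callbacks[] in this file.  It does not change the callback data; it
    optionally requests an operation-status callback and then returns
    FLT_PREOP_SUCCESS_WITH_CALLBACK, passing the operation down to the next
    miniFilter in the chain.

    This is non-pageable because it could be called on the paging path

Arguments:

    Data - Pointer to the filter callbackData that is passed to us.

    FltObjects - Pointer to the FLT_RELATED_OBJECTS data structure containing
        opaque handles to this filter, instance, its associated volume and
        file object.

    CompletionContext - The context for the completion routine for this
        operation.  Unused.

Return Value:

    FLT_PREOP_SUCCESS_WITH_CALLBACK.

--*/
{
    NTSTATUS status;

    UNREFERENCED_PARAMETER( FltObjects );
    UNREFERENCED_PARAMETER( CompletionContext );

    PT_DBG_PRINT( PTDBG_TRACE_ROUTINES,
                  ("PassThrough!PtPreOperationPassThrough: Entered\n") );

    KdPrint(("hello pre!"));

    //
    //  See if this is an operation we would like the operation status
    //  for.  If so request it.
    //
    //  NOTE: most filters do NOT need to do this.  You only need to make
    //        this call if, for example, you need to know if the oplock was
    //        actually granted.
    //

    if (PtDoRequestOperationStatus( Data )) {

        //
        //  NOTE(review): the context counter is incremented without
        //  synchronization; it is only used as a trace tag.
        //

        status = FltRequestOperationStatusCallback( Data,
                                                    PtOperationStatusCallback,
                                                    (PVOID)(++OperationStatusCtx) );
        if (!NT_SUCCESS(status)) {

            PT_DBG_PRINT( PTDBG_TRACE_OPERATION_STATUS,
                          ("PassThrough!PtPreOperationPassThrough: FltRequestOperationStatusCallback Failed, status=%08x\n",
                           status) );
        }
    }

    return FLT_PREOP_SUCCESS_WITH_CALLBACK;
}


VOID
PtOperationStatusCallback (
    __in PCFLT_RELATED_OBJECTS FltObjects,
    __in PFLT_IO_PARAMETER_BLOCK ParameterSnapshot,
    __in NTSTATUS OperationStatus,
    __in PVOID RequesterContext
    )
/*++

Routine Description:

    This routine is called when the given operation returns from the call
    to IoCallDriver.  This is useful for operations where STATUS_PENDING
    means the operation was successfully queued.  This is useful for OpLocks
    and directory change notification operations.

    This callback is called in the context of the originating thread and will
    never be called at DPC level.  The file object has been correctly
    referenced so that you can access it.  It will be automatically
    dereferenced upon return.

    This is non-pageable because it could be called on the paging path

Arguments:

    FltObjects - Pointer to the FLT_RELATED_OBJECTS data structure containing
        opaque handles to this filter, instance, its associated volume and
        file object.

    ParameterSnapshot - Parameters of the operation; only the major and
        minor function codes are read, for tracing.

    OperationStatus - Status the operation returned; traced only.

    RequesterContext - The context value supplied when the status callback
        was requested; traced only.

Return Value:

    None.

--*/
{
    UNREFERENCED_PARAMETER( FltObjects );

    PT_DBG_PRINT( PTDBG_TRACE_ROUTINES,
                  ("PassThrough!PtOperationStatusCallback: Entered\n") );

    KdPrint(("hello driver callbacks!"));

    PT_DBG_PRINT( PTDBG_TRACE_OPERATION_STATUS,
                  ("PassThrough!PtOperationStatusCallback: Status=%08x ctx=%p IrpMj=%02x.%02x \"%s\"\n",
                   OperationStatus,
                   RequesterContext,
                   ParameterSnapshot->MajorFunction,
                   ParameterSnapshot->MinorFunction,
                   FltGetIrpName(ParameterSnapshot->MajorFunction)) );
}


static
VOID
PtFilterDirectoryListing (
    __inout PFLT_CALLBACK_DATA Data
    )
/*++

Routine Description:

    Walks a completed FileIdBothDirectoryInformation listing and unlinks
    every entry whose name starts with prefixName by extending the
    NextEntryOffset of the closest preceding entry that is kept.

    Safety measures, all of which leave the listing untouched when they
    trigger:

    - Nothing is done at DISPATCH_LEVEL or above, because the listing may
      live in pageable memory.
    - When the request carries an MDL the buffer is reached through its
      system mapping; otherwise the raw DirectoryBuffer is used inside a
      structured exception handler.
      NOTE(review): the raw-pointer path assumes the callback runs in the
      requester's process context -- TODO confirm, or lock the buffer in a
      pre-operation callback instead.
    - Every NextEntryOffset and FileNameLength is read once and checked
      against the byte count the file system reported, so a short name or
      a damaged chain cannot move the walk outside the buffer.

    Known limitations (behaviour unchanged from the original code):

    - An entry at the very start of the buffer has no predecessor and is
      not unlinked; it stays in the listing.
    - When every entry of one buffer matches, the request is completed with
      STATUS_NO_MORE_FILES, which ends the caller's enumeration even if the
      directory holds further, unrelated entries.

Arguments:

    Data - Callback data of the completed directory-control request.

Return Value:

    None.

--*/
{
    const ULONG headerSize = (ULONG)FIELD_OFFSET( FILE_ID_BOTH_DIR_INFORMATION, FileName );
    PFLT_IO_PARAMETER_BLOCK iopb = Data->Iopb;
    PFILE_ID_BOTH_DIR_INFORMATION previousFileInfo;
    PUCHAR buffer;
    ULONG prefixChars;
    ULONG validLength;
    ULONG offset = 0;
    ULONG previousOffset = 0;
    ULONG nextOffset;
    BOOLEAN modified = FALSE;
    BOOLEAN removedAllEntries = TRUE;

    if (iopb->MinorFunction != IRP_MN_QUERY_DIRECTORY ||
        iopb->Parameters.DirectoryControl.QueryDirectory.FileInformationClass != FileIdBothDirectoryInformation ||
        iopb->Parameters.DirectoryControl.QueryDirectory.Length == 0 ||
        !NT_SUCCESS( Data->IoStatus.Status )) {

        return;
    }

    //
    //  Post-operation callbacks may run at DPC level; the listing buffer
    //  must not be touched there.
    //

    if (KeGetCurrentIrql() >= DISPATCH_LEVEL) {

        return;
    }

    if (iopb->Parameters.DirectoryControl.QueryDirectory.MdlAddress != NULL) {

        buffer = (PUCHAR)MmGetSystemAddressForMdlSafe(
                     iopb->Parameters.DirectoryControl.QueryDirectory.MdlAddress,
                     NormalPagePriority );

    } else {

        buffer = (PUCHAR)iopb->Parameters.DirectoryControl.QueryDirectory.DirectoryBuffer;
    }

    if (buffer == NULL) {

        return;
    }

    //
    //  Only the bytes the file system actually returned are valid, and
    //  never more than the size of the caller's buffer.
    //

    validLength = iopb->Parameters.DirectoryControl.QueryDirectory.Length;

    if (Data->IoStatus.Information < validLength) {

        validLength = (ULONG)Data->IoStatus.Information;
    }

    prefixChars = (ULONG)wcslen( prefixName );

    __try {

        for (;;) {

            PFILE_ID_BOTH_DIR_INFORMATION currentFileInfo;
            ULONG nameBytes;

            //
            //  The fixed part of the entry must fit in what is left.
            //

            if (validLength - offset < headerSize) {

                break;
            }

            currentFileInfo = (PFILE_ID_BOTH_DIR_INFORMATION)(buffer + offset);
            nextOffset = currentFileInfo->NextEntryOffset;
            nameBytes = currentFileInfo->FileNameLength;

            //
            //  FileName is not NUL-terminated; its length in bytes must
            //  fit in the buffer as well.
            //

            if (nameBytes > validLength - offset - headerSize) {

                break;
            }

            //
            //  A non-zero link must move forward and leave room for the
            //  next entry's header.
            //

            if (nextOffset != 0 &&
                (nextOffset < headerSize ||
                 nextOffset > validLength - offset - headerSize)) {

                break;
            }

            if (nameBytes >= prefixChars * sizeof( WCHAR ) &&
                _wcsnicmp( currentFileInfo->FileName, prefixName, prefixChars ) == 0) {

                //
                //  Unlink through the last kept entry.  At the head of
                //  the buffer there is no such entry (see limitations).
                //

                if (offset != previousOffset) {

                    previousFileInfo = (PFILE_ID_BOTH_DIR_INFORMATION)(buffer + previousOffset);

                    if (nextOffset == 0) {

                        previousFileInfo->NextEntryOffset = 0;
                        KdPrint((" show no files"));

                    } else {

                        previousFileInfo->NextEntryOffset = (offset - previousOffset) + nextOffset;
                    }
                }

                modified = TRUE;

            } else {

                //
                //  Every kept entry becomes the new link point.  The
                //  original skipped this update right after a removal,
                //  which could drop an unrelated entry sitting between
                //  two matching ones.
                //

                removedAllEntries = FALSE;
                previousOffset = offset;
            }

            if (nextOffset == 0) {

                break;
            }

            offset += nextOffset;
        }

    } __except (EXCEPTION_EXECUTE_HANDLER) {

        //
        //  The buffer became inaccessible; report the request unchanged.
        //

        return;
    }

    if (modified) {

        if (removedAllEntries) {

            Data->IoStatus.Status = STATUS_NO_MORE_FILES;

        } else {

            FltSetCallbackDataDirty( Data );
        }
    }
}


FLT_POSTOP_CALLBACK_STATUS
PtPostOperationPassThrough (
    __inout PFLT_CALLBACK_DATA Data,
    __in PCFLT_RELATED_OBJECTS FltObjects,
    __in_opt PVOID CompletionContext,
    __in FLT_POST_OPERATION_FLAGS Flags
    )
/*++

Routine Description:

    This routine is the post-operation completion routine for this
    miniFilter, registered for IRP_MJ_DIRECTORY_CONTROL.  Unless the
    instance is draining, it hands the completed request to
    PtFilterDirectoryListing, which removes matching entries from
    FileIdBothDirectoryInformation listings.

    This is non-pageable because it may be called at DPC level.

Arguments:

    Data - Pointer to the filter callbackData that is passed to us.

    FltObjects - Pointer to the FLT_RELATED_OBJECTS data structure containing
        opaque handles to this filter, instance, its associated volume and
        file object.  Unused.

    CompletionContext - The completion context set in the pre-operation
        routine.  Unused.

    Flags - Denotes whether the completion is successful or is being drained.

Return Value:

    FLT_POSTOP_FINISHED_PROCESSING.

--*/
{
    UNREFERENCED_PARAMETER( FltObjects );
    UNREFERENCED_PARAMETER( CompletionContext );

    KdPrint(("hello driver post!"));

    if (FlagOn( Flags, FLTFL_POST_OPERATION_DRAINING )) {

        KdPrint(("hello driver post oops!"));
        return FLT_POSTOP_FINISHED_PROCESSING;
    }

    PtFilterDirectoryListing( Data );

    PT_DBG_PRINT( PTDBG_TRACE_ROUTINES,
                  ("PassThrough!PtPostOperationPassThrough: Entered\n") );

    return FLT_POSTOP_FINISHED_PROCESSING;
}


FLT_PREOP_CALLBACK_STATUS
PtPreOperationNoPostOperationPassThrough (
    __inout PFLT_CALLBACK_DATA Data,
    __in PCFLT_RELATED_OBJECTS FltObjects,
    __deref_out_opt PVOID *CompletionContext
    )
/*++

Routine Description:

    Pre-operation routine kept from the sample.  It is not referenced by
    Callbacks[] in this file.  It does nothing with the callback data and
    returns FLT_PREOP_SUCCESS_NO_CALLBACK, so no post-operation callback is
    requested for the operation.

    This is non-pageable because it could be called on the paging path

Arguments:

    Data - Pointer to the filter callbackData that is passed to us.

    FltObjects - Pointer to the FLT_RELATED_OBJECTS data structure containing
        opaque handles to this filter, instance, its associated volume and
        file object.

    CompletionContext - The context for the completion routine for this
        operation.

Return Value:

    FLT_PREOP_SUCCESS_NO_CALLBACK.

--*/
{
    UNREFERENCED_PARAMETER( Data );
    UNREFERENCED_PARAMETER( FltObjects );
    UNREFERENCED_PARAMETER( CompletionContext );

    PT_DBG_PRINT( PTDBG_TRACE_ROUTINES,
                  ("PassThrough!PtPreOperationNoPostOperationPassThrough: Entered\n") );

    KdPrint(("hello d2234river!"));

    return FLT_PREOP_SUCCESS_NO_CALLBACK;
}


BOOLEAN
PtDoRequestOperationStatus(
    __in PFLT_CALLBACK_DATA Data
    )
/*++

Routine Description:

    This identifies those operations we want the operation status for.  These
    are typically operations that return STATUS_PENDING as a normal completion
    status.

Arguments:

    Data - Callback data of the operation being examined.

Return Value:

    TRUE - If we want the operation status
    FALSE - If we don't

--*/
{
    PFLT_IO_PARAMETER_BLOCK iopb = Data->Iopb;

    //
    //  return boolean state based on which operations we are interested in
    //

    return (BOOLEAN)

            //
            //  Check for oplock operations
            //

             (((iopb->MajorFunction == IRP_MJ_FILE_SYSTEM_CONTROL) &&
               ((iopb->Parameters.FileSystemControl.Common.FsControlCode == FSCTL_REQUEST_FILTER_OPLOCK)  ||
                (iopb->Parameters.FileSystemControl.Common.FsControlCode == FSCTL_REQUEST_BATCH_OPLOCK)   ||
                (iopb->Parameters.FileSystemControl.Common.FsControlCode == FSCTL_REQUEST_OPLOCK_LEVEL_1) ||
                (iopb->Parameters.FileSystemControl.Common.FsControlCode == FSCTL_REQUEST_OPLOCK_LEVEL_2)))

              ||

              //
              //    Check for directory change notification
              //

              ((iopb->MajorFunction == IRP_MJ_DIRECTORY_CONTROL) &&
               (iopb->MinorFunction == IRP_MN_NOTIFY_CHANGE_DIRECTORY))
             );
}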
驱动编译环境为
windows win7 x86 checked Build Environment
驱动的inf文件为
;;;
;;; PassThrough
;;;
;;;
;;; Copyright (c) 1999 - 2001, Microsoft Corporation
;;;
;;; Review notes:
;;;  - Provider, ServiceName, DriverName and the altitude below are the
;;;    values of the Microsoft sample, kept as-is although the driver built
;;;    from this page changes directory listings.  A driver that is
;;;    distributed needs its own provider string and an altitude assigned
;;;    to it; reusing the sample identity makes the filter look like the
;;;    stock sample in tools that list loaded minifilters (e.g. fltmc).
;;;  - StartType 3 means the service is not started at boot; it runs only
;;;    after it has been started explicitly.
;;;

[Version]
Signature   = "$Windows NT$"
Class       = "ActivityMonitor"                         ;This is determined by the work this filter driver does
ClassGuid   = {b86dff51-a31e-4bac-b3cf-e8cfe75c9fc2}    ;This value is determined by the Class
Provider    = %Msft%
DriverVer   = 06/16/2007,1.0.0.1
CatalogFile = passthrough.cat

[DestinationDirs]
DefaultDestDir          = 12
MiniFilter.DriverFiles  = 12            ;%windir%\system32\drivers

;;
;; Default install sections
;;

[DefaultInstall]
OptionDesc  = %ServiceDescription%
CopyFiles   = MiniFilter.DriverFiles

[DefaultInstall.Services]
AddService  = %ServiceName%,,MiniFilter.Service

;;
;; Default uninstall sections
;;

[DefaultUninstall]
DelFiles   = MiniFilter.DriverFiles

[DefaultUninstall.Services]
DelService = %ServiceName%,0x200      ;Ensure service is stopped before deleting

;
; Services Section
;

[MiniFilter.Service]
DisplayName      = %ServiceName%
Description      = %ServiceDescription%
ServiceBinary    = %12%\%DriverName%.sys    ;%windir%\system32\drivers\
Dependencies     = "FltMgr"
ServiceType      = 2                        ;SERVICE_FILE_SYSTEM_DRIVER
StartType        = 3                        ;SERVICE_DEMAND_START
ErrorControl     = 1                        ;SERVICE_ERROR_NORMAL
LoadOrderGroup   = "FSFilter Activity Monitor"
AddReg           = MiniFilter.AddRegistry

;
; Registry Modifications
;

[MiniFilter.AddRegistry]
HKR,,"DebugFlags",0x00010001 ,0x0
HKR,"Instances","DefaultInstance",0x00000000,%DefaultInstance%
HKR,"Instances\"%Instance1.Name%,"Altitude",0x00000000,%Instance1.Altitude%
HKR,"Instances\"%Instance1.Name%,"Flags",0x00010001,%Instance1.Flags%

;
; Copy Files
;

[MiniFilter.DriverFiles]
%DriverName%.sys

[SourceDisksFiles]
passthrough.sys = 1,,

[SourceDisksNames]
1 = %DiskId1%,,,

;;
;; String Section
;;

[Strings]
Msft                    = "Microsoft Corporation"
ServiceDescription      = "PassThrough Mini-Filter Driver"
ServiceName             = "PassThrough"
DriverName              = "PassThrough"
DiskId1                 = "PassThrough Device Installation Disk"

;Instances specific information.
DefaultInstance         = "PassThrough Instance"
Instance1.Name          = "PassThrough Instance"
Instance1.Altitude      = "370030"
Instance1.Flags         = 0x0              ; Allow all attachments
编译用的 sources 文件为
# WDK "sources" file: builds passThrough.sys as a file-system driver
# (DRIVERTYPE=FS) and links it against the filter manager library.
TARGETNAME=passThrough
TARGETTYPE=DRIVER
DRIVERTYPE=FS

TARGETLIBS= $(TARGETLIBS) \
            $(IFSKIT_LIB_PATH)\fltMgr.lib

# passThrough.rc is listed as a source but is not shown on this page.
SOURCES=passThrough.c \
        passThrough.rc
编译用的makefile为
!IF 0

Copyright (C) Microsoft Corporation, 1999 - 2002

Module Name:

    makefile.

Notes:

    DO NOT EDIT THIS FILE!!!  Edit .\sources. if you want to add a new source
    file to this component.  This file merely indirects to the real make file
    that is shared by all the components of Windows NT (DDK)

!ENDIF

# NTMAKEENV is provided by the WDK build environment window.
!INCLUDE $(NTMAKEENV)\makefile.def