挂接file system
#include "Hookfilesystem.h"
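/*
 * Module state shared between HookFileSystem, HookCreateDispatch and DriverUnload.
 * None of it is declared in the header, so give it internal linkage.
 */

/* Handle and object attributes used while the C: volume is opened to locate its driver. */
static HANDLE hFileHandle;
static OBJECT_ATTRIBUTES ObjectAttrib;

/* Device object returned by IoGetRelatedDeviceObject for the opened volume (top of its stack). */
static PDEVICE_OBJECT pFileDeviceObject;

/* Driver object whose IRP_MJ_CREATE entry gets replaced.  Despite the name this is a
 * DRIVER_OBJECT, not a DEVICE_OBJECT; it is set by HookFileSystem and NULL before that. */
static PDRIVER_OBJECT pDeviceObject;

/* Original IRP_MJ_CREATE handler saved before the hook is installed; NULL until HookFileSystem runs. */
static PDRIVER_DISPATCH RealCreateDispatch;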
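/*
 * Driver entry point: creates the control device \Device\Shadow3 and its
 * Win32-visible link \DosDevices\shadow3, registers the dispatch/unload
 * routines, then installs the file-system IRP_MJ_CREATE hook.
 *
 * Returns STATUS_SUCCESS, or the failing IoCreateDevice / IoCreateSymbolicLink
 * status.  HookFileSystem only reports failure through DbgPrint, so a failed
 * hook does not fail driver load.
 */
NTSTATUS DriverEntry(IN PDRIVER_OBJECT DriverObject ,IN PUNICODE_STRING RegistryPath)
{
    UNICODE_STRING deviceName, linkName;
    NTSTATUS status;
    PDEVICE_OBJECT controlDevice = NULL;

    UNREFERENCED_PARAMETER(RegistryPath);

    /* Object-manager names use backslashes; "//Device//..." would fail the open.
     * No explicit security descriptor is supplied, so the device gets
     * IoCreateDevice's default DACL.  The device only answers CREATE/CLOSE, so
     * there is no control surface yet; if IOCTLs are ever added, switch to
     * IoCreateDeviceSecure with an SDDL that restricts who may open it. */
    RtlInitUnicodeString(&deviceName, L"\\Device\\Shadow3");
    status = IoCreateDevice(DriverObject,
                            0,
                            &deviceName,
                            FILE_DEVICE_UNKNOWN,
                            0,
                            TRUE,
                            &controlDevice);
    if (!NT_SUCCESS(status))
    {
        return status;
    }

    RtlInitUnicodeString(&linkName, L"\\DosDevices\\shadow3");
    status = IoCreateSymbolicLink(&linkName, &deviceName);
    if (!NT_SUCCESS(status))
    {
        /* Failing DriverEntry unloads the image; the device must not outlive it. */
        IoDeleteDevice(controlDevice);
        return status;
    }

    /* Register handlers before touching any other driver's dispatch table so
     * the unload path is in place if the hook installation misbehaves. */
    DriverObject->MajorFunction[IRP_MJ_CREATE] = DriverDispatch;
    DriverObject->MajorFunction[IRP_MJ_CLOSE] = DriverDispatch;
    DriverObject->DriverUnload = DriverUnload;

    HookFileSystem();
    return STATUS_SUCCESS;
}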
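/*
 * IRP_MJ_CREATE / IRP_MJ_CLOSE handler for the control device: completes every
 * request with STATUS_SUCCESS and no data transferred.
 *
 * The status is captured in a local before IoCompleteRequest because the IRP
 * may be freed by the time that call returns; reading Irp->IoStatus.Status
 * afterwards is a use-after-free.
 */
NTSTATUS
DriverDispatch(
IN PDEVICE_OBJECT DeviceObject,
IN PIRP Irp
)
{
    NTSTATUS status = STATUS_SUCCESS;

    UNREFERENCED_PARAMETER(DeviceObject);

    Irp->IoStatus.Status = status;
    Irp->IoStatus.Information = 0;
    IoCompleteRequest(Irp, IO_NO_INCREMENT);
    /* Irp must not be touched past this point. */
    return status;
}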
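/*
 * Unload routine: restores the hooked IRP_MJ_CREATE entry, then removes the
 * symbolic link and the control device.
 *
 * The hook must be removed before this image is unmapped, otherwise the file
 * system driver keeps a dispatch pointer into freed code and the next CREATE
 * request bugchecks.  The entry is only restored if it still points at
 * HookCreateDispatch, so a hook someone else installed on top of ours is not
 * clobbered (in that case ours is left in place and unload is unsafe).
 * Note: a thread already executing inside HookCreateDispatch is not waited
 * for here, so unloading remains racy; a minifilter would avoid this entirely.
 */
void DriverUnload(IN PDRIVER_OBJECT pDriverObject)
{
    UNICODE_STRING linkName;

    if (pDeviceObject != NULL &&
        RealCreateDispatch != NULL &&
        pDeviceObject->MajorFunction[IRP_MJ_CREATE] == HookCreateDispatch)
    {
        pDeviceObject->MajorFunction[IRP_MJ_CREATE] = RealCreateDispatch;
    }

    RtlInitUnicodeString(&linkName, L"\\DosDevices\\shadow3");
    IoDeleteSymbolicLink(&linkName);

    if (pDriverObject->DeviceObject != NULL)
    {
        IoDeleteDevice(pDriverObject->DeviceObject);
    }
}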
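/*
 * Opens the root of C:, walks from the resulting file object to the device at
 * the top of the volume's stack, and replaces that device's driver-level
 * IRP_MJ_CREATE handler with HookCreateDispatch, saving the original in
 * RealCreateDispatch.
 *
 * Scope of the hook: MajorFunction lives in the DRIVER_OBJECT, so every device
 * served by that driver is affected, not just C:.  IoGetRelatedDeviceObject
 * returns the top of the stack, so if a legacy filter is attached above the
 * file system it is the filter that gets hooked.  Patching another driver's
 * dispatch table is a legacy technique; the supported way to intercept
 * creates is a Filter Manager minifilter (FltRegisterFilter).
 *
 * Failures are reported with DbgPrint only; on failure no global state other
 * than pFileDeviceObject / pDeviceObject may have been set.
 */
void HookFileSystem(void)
{
    UNICODE_STRING volumeName;
    OBJECT_ATTRIBUTES attrs;
    IO_STATUS_BLOCK iosb;
    HANDLE hVolume = NULL;
    PFILE_OBJECT fileObject = NULL;
    NTSTATUS status;

    /* OBJ_KERNEL_HANDLE keeps the handle out of the current process's handle
     * table, so user mode can neither see nor close it.  FILE_ANY_ACCESS is 0,
     * so SYNCHRONIZE is the only access actually requested. */
    RtlInitUnicodeString(&volumeName, L"\\DosDevices\\C:\\");
    InitializeObjectAttributes(&attrs,
                               &volumeName,
                               OBJ_CASE_INSENSITIVE | OBJ_KERNEL_HANDLE,
                               NULL,
                               NULL);
    status = ZwCreateFile(&hVolume,
                          SYNCHRONIZE,
                          &attrs,
                          &iosb,
                          NULL,
                          0,
                          FILE_SHARE_READ | FILE_SHARE_WRITE,
                          FILE_OPEN,
                          FILE_SYNCHRONOUS_IO_NONALERT | FILE_DIRECTORY_FILE,
                          NULL,
                          0);
    if (!NT_SUCCESS(status))
    {
        DbgPrint("ZwCreateFile Failed,ntstatus:%ld\n", status);
        return;
    }

    /* Passing *IoFileObjectType makes the call fail rather than hand back an
     * object of some other type.  AccessMode is KernelMode, so DesiredAccess is
     * not checked against the handle's granted access. */
    status = ObReferenceObjectByHandle(hVolume,
                                       FILE_READ_DATA,
                                       *IoFileObjectType,
                                       KernelMode,
                                       (PVOID *)&fileObject,
                                       NULL);
    if (!NT_SUCCESS(status))
    {
        ZwClose(hVolume);
        DbgPrint("ObReferenceObjectByHandle Failed,ntstatus:%ld\n", status);
        return;
    }

    pFileDeviceObject = IoGetRelatedDeviceObject(fileObject);

    /* The file object is no longer needed; the driver object it led us to is
     * not referenced, which is acceptable only because the volume's driver
     * stays loaded for the life of the system. */
    ObDereferenceObject(fileObject);
    ZwClose(hVolume);

    if (pFileDeviceObject == NULL)
    {
        DbgPrint("Get File Object Failed\n");
        return;
    }

    pDeviceObject = pFileDeviceObject->DriverObject;
    if (pDeviceObject->MajorFunction[IRP_MJ_CREATE] == HookCreateDispatch)
    {
        DbgPrint("already hook IRP_MJ_CREATE\n");
        return;
    }

    /* Save the original before publishing the hook so HookCreateDispatch never
     * observes a NULL RealCreateDispatch. */
    RealCreateDispatch = pDeviceObject->MajorFunction[IRP_MJ_CREATE];
    pDeviceObject->MajorFunction[IRP_MJ_CREATE] = HookCreateDispatch;
}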
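/*
 * Replacement IRP_MJ_CREATE handler installed by HookFileSystem: logs the
 * driver name and the file name being opened, then forwards the IRP to the
 * saved original handler.
 *
 * The original's status is returned unchanged.  The previous version called
 * the original through inline asm and then did `return 0`, which discarded its
 * result: STATUS_PENDING became STATUS_SUCCESS (the I/O manager then treats a
 * still-in-flight IRP as completed) and every error became success.  A direct
 * call through the PDRIVER_DISPATCH pointer has the right calling convention
 * and also builds for x64, where MSVC has no inline asm.
 *
 * FILE_OBJECT.FileName is a counted UNICODE_STRING and need not be
 * NUL-terminated, so it is printed with %wZ rather than %S.
 */
NTSTATUS
HookCreateDispatch(
IN PDEVICE_OBJECT DeviceObject,
IN PIRP Irp
)
{
    PIO_STACK_LOCATION irpSp = IoGetCurrentIrpStackLocation(Irp);
    PFILE_OBJECT fileObject = irpSp->FileObject;

    DbgPrint("DeviceName:%wZ\r\n", &DeviceObject->DriverObject->DriverName);
    if (fileObject != NULL)
    {
        DbgPrint("FileName:%wZ\r\n", &fileObject->FileName);
    }

    /* Defensive: never jump through a NULL dispatch pointer. */
    if (RealCreateDispatch == NULL)
    {
        Irp->IoStatus.Status = STATUS_INVALID_DEVICE_REQUEST;
        Irp->IoStatus.Information = 0;
        IoCompleteRequest(Irp, IO_NO_INCREMENT);
        return STATUS_INVALID_DEVICE_REQUEST;
    }

    return RealCreateDispatch(DeviceObject, Irp);
}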
hookfilesystem.h
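#ifndef HOOKFILESYSTEM_H
#define HOOKFILESYSTEM_H
/* Guard renamed: identifiers starting with '_' + uppercase are reserved for the implementation. */
#include <ntddk.h>

/* Completes IRP_MJ_CREATE / IRP_MJ_CLOSE on the control device with STATUS_SUCCESS. */
NTSTATUS
DriverDispatch(
IN PDEVICE_OBJECT DeviceObject,
IN PIRP Irp
);

/* Unload routine: deletes the \DosDevices\shadow3 link and the control device. */
void DriverUnload(IN PDRIVER_OBJECT DriverObject);

/* Opens the C: volume, finds the driver at the top of its device stack and
 * replaces that driver's IRP_MJ_CREATE dispatch entry with HookCreateDispatch.
 * Reports failure through DbgPrint only. */
void HookFileSystem(void);

/* Replacement IRP_MJ_CREATE handler: logs driver and file names, then forwards
 * the IRP to the original handler saved by HookFileSystem. */
NTSTATUS
HookCreateDispatch(
IN PDEVICE_OBJECT DeviceObject,
IN PIRP Irp
);

#endif /* HOOKFILESYSTEM_H */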