注册MiniFilter简单的隐藏自身


// MiniFilter.h — declarations for a small file-system minifilter whose only
// job is to remove one hard-coded file from directory enumeration results.
// Implementation is in MiniFilter.c. Note that LogOutMiniFilter(), which
// MiniFilter.c also defines, is not declared here.
#ifndef MINFILTER_HEADER_FILE
#define MINFILTER_HEADER_FILE
#pragma once

#include <fltKernel.h>
#include <ntddk.h>
#include <Ntstrsafe.h>

// Fixed size used for every path buffer in this module. Several callers use
// it as a byte count and others as a wchar_t count (see MiniFilter.c), so
// treat it as a loose upper bound rather than a guaranteed capacity.
#ifndef MAX_PATH
#define MAX_PATH 260
#endif

// Write one value under an open registry key.
//   hRegister  - open key handle
//   pValueName - value name
//   Type       - only REG_SZ and REG_DWORD are accepted by the implementation
//   pValueData - NUL-terminated wide string for REG_SZ, or a ULONG cast to
//                wchar_t* for REG_DWORD
// Returns STATUS_INVALID_PARAMETER for other types, else the ZwSetValueKey status.
NTSTATUS SetValueKey(HANDLE hRegister, PUNICODE_STRING pValueName, ULONG Type, wchar_t* pValueData);

// Resolve a symbolic link name to its target. On success LinkTarget->Buffer is
// allocated from NonPagedPool and owned by the caller (free with ExFreePool).
NTSTATUS FileMonQuerySymbolicLink(IN PUNICODE_STRING SymbolicLinkName, OUT PUNICODE_STRING LinkTarget);

// Convert an NT device path to a DOS path; ustrDosName must point at a
// caller-provided buffer (RtlCopyUnicodeString is used). Unused on this page.
NTSTATUS NtFileNameToDosFileName(IN PUNICODE_STRING ustrDeviceName, OUT PUNICODE_STRING ustrDosName);

// Convert a DOS path ("\??\C:\...") to an NT device path. On success
// ustrDeviceName->Buffer is allocated from NonPagedPool and owned by the caller.
NTSTATUS DosFileNameToNtFileName(IN PUNICODE_STRING ustrDosName, OUT PUNICODE_STRING ustrDeviceName);

// Register the minifilter that hides pHideFilePath (a DOS path). If
// FltRegisterFilter fails, the implementation writes the minifilter service
// registry layout (DependOnService, Instances, Altitude, Flags) under
// pRegistryPath and retries. Returns the final NTSTATUS.
NTSTATUS RegisterMiniFilter(PDRIVER_OBJECT DriverObject, PUNICODE_STRING pRegistryPath, PUNICODE_STRING pHideFilePath);

#endif



// MiniFilter.c — a minifilter that registers a single post-operation callback
// for IRP_MJ_DIRECTORY_CONTROL and edits directory-query results so that one
// exact path (g_strMiniFilterHideFile) is not listed. Only enumeration is
// affected: no create/open/read callbacks are registered, so the file stays
// reachable by direct path, and enumeration through information classes other
// than the two handled below is returned untouched. Both facts give a defender
// a cross-view check (compare a filtered listing against another view of the
// directory), and the registry layout written by RegisterMiniFilter plus the
// filter's altitude are visible to a minifilter inventory (e.g. `fltmc`).
#include "MiniFilter.h"

// Filter handle filled in by FltRegisterFilter; used by MiniFilterUnload,
// LogOutMiniFilter and FltStartFiltering.
PFLT_FILTER g_FilterHandle;
// NT device path of the one file to hide. Filled by DosFileNameToNtFileName
// in RegisterMiniFilter (NonPagedPool buffer, never freed on unload) and
// compared case-insensitively against every enumerated entry.
UNICODE_STRING g_strMiniFilterHideFile;

// Post-operation callback for directory control (defined below).
FLT_POSTOP_CALLBACK_STATUS PtPostDirCtrlPassThrough(PFLT_CALLBACK_DATA Data, PCFLT_RELATED_OBJECTS FltObjects, PVOID CompletionContext, FLT_POST_OPERATION_FLAGS Flags);
NTSTATUS MiniFilterUnload(FLT_FILTER_UNLOAD_FLAGS Flags);

// Only IRP_MJ_DIRECTORY_CONTROL is intercepted, and only after the file
// system has completed it (no pre-operation callback).
CONST FLT_OPERATION_REGISTRATION MiniFilterCallbacks[] = {
    { IRP_MJ_DIRECTORY_CONTROL, 0, NULL, PtPostDirCtrlPassThrough },
    { IRP_MJ_OPERATION_END }
};

// Positional initializer: size, version, flags, no context registration, the
// operation table above, the unload callback, and NULL for the remaining
// callbacks (instance setup/teardown and name-provider callbacks, presumably
// — a designated initializer would make the field order self-evident).
CONST FLT_REGISTRATION FilterRegistration = {
    sizeof(FLT_REGISTRATION),
    FLT_REGISTRATION_VERSION,
    0,
    NULL,
    MiniFilterCallbacks,
    MiniFilterUnload,
    NULL, NULL, NULL, NULL, NULL, NULL, NULL
};

// Register the minifilter that hides pHideFilePath.
//   DriverObject  - this driver
//   pRegistryPath - the driver's service key, as passed to DriverEntry
//   pHideFilePath - DOS path of the file to hide ("\??\C:\...")
// Flow: convert the path into g_strMiniFilterHideFile; try FltRegisterFilter
// once and, if that succeeds, start filtering and return. Otherwise write the
// minifilter service layout under pRegistryPath — DependOnService=FltMgr,
// an Instances subkey with DefaultInstance="<service> Instance", and an
// "Instances\<service> Instance" subkey with Altitude="399999" and Flags=0 —
// then retry FltRegisterFilter up to 10 times, lowering the altitude from
// 399998 on each STATUS_FLT_INSTANCE_ALTITUDE_COLLISION.
// Returns an NTSTATUS. Review notes (all visible in the body):
//  - RegistryPath.Buffer is allocated from NonPagedPool and never freed on
//    any path; allocation failure returns STATUS_SUCCESS.
//  - The SetValueKey result for DependOnService is overwritten, never checked.
//  - Error returns inside the retry loop leave hSubTempRegister open, and if
//    all 10 attempts collide the code still calls FltStartFiltering with
//    whatever g_FilterHandle holds.
//  - The Instances key is opened with OBJ_KERNEL_HANDLE; the instance subkey
//    is not, which is inconsistent.
NTSTATUS RegisterMiniFilter(PDRIVER_OBJECT DriverObject, PUNICODE_STRING pRegistryPath, PUNICODE_STRING pHideFilePath)
{
    UNICODE_STRING UnicodeDriverServerName;
    UNICODE_STRING UnicodeValue;
    UNICODE_STRING UnicodeSzText;
    UNICODE_STRING UnicodeSzServerNameInstances;
    UNICODE_STRING RegistryPath;
    ULONG ulValue;
    HANDLE hRegister;
    HANDLE hSubTempRegister;
    ULONG ulResult;
    NTSTATUS ntStatus;
    // Static scratch buffers: not reentrant if this function were ever called
    // concurrently (it is called once from DriverEntry on this page).
    static wchar_t szInstances[MAX_PATH] = { 0 };
    static wchar_t szServerNameInstances[MAX_PATH] = { 0 };
    OBJECT_ATTRIBUTES objectAttributes;
    wchar_t* pFind = NULL;
    // First fallback altitude; the initial value written is "399999".
    ULONG  nAltitude = 399998;
    int i = 0;

    // Parameter validation. MmIsAddressValid only says the page is resident;
    // it does not prove the pointer is a UNICODE_STRING.
    if (MmIsAddressValid(DriverObject) == FALSE || MmIsAddressValid(pRegistryPath) == FALSE || MmIsAddressValid(pHideFilePath) == FALSE)
        return STATUS_INVALID_PARAMETER;

    // DOS path -> NT device path, stored globally for the enumeration callback.
    ntStatus = DosFileNameToNtFileName(pHideFilePath, &g_strMiniFilterHideFile);
    if (!NT_SUCCESS(ntStatus))
        return ntStatus;

    // Fast path: the service key already carries a valid minifilter layout.
    // (Original author's note: failure here is typically STATUS_OBJECT_NAME_NOT_FOUND,
    // which is what triggers the registry writes below.)
    ntStatus = FltRegisterFilter(DriverObject, &FilterRegistration, &g_FilterHandle);
    if (NT_SUCCESS(ntStatus)) {
        ntStatus = FltStartFiltering(g_FilterHandle);
        if (!NT_SUCCESS(ntStatus)) {
            FltUnregisterFilter(g_FilterHandle);
        } else {
            KdPrint(("FltRegisterFilter OK\n"));
        }
        return ntStatus;
    }

    // NUL-terminated private copy of the service key path (needed for wcsrchr
    // and the %wZ formatting below). Never freed.
    RegistryPath.Length = pRegistryPath->Length;
    RegistryPath.MaximumLength = RegistryPath.Length + sizeof(wchar_t);
    RegistryPath.Buffer = ExAllocatePool(NonPagedPool, RegistryPath.MaximumLength);
    if (RegistryPath.Buffer == NULL) {
        // Reports success without having registered anything.
        return STATUS_SUCCESS;
    }
    RtlZeroMemory(RegistryPath.Buffer, RegistryPath.MaximumLength);
    RtlCopyMemory(RegistryPath.Buffer, pRegistryPath->Buffer, pRegistryPath->Length);

    // Open the service key. (Stray second ';' is from the original.)
    InitializeObjectAttributes(&objectAttributes, &RegistryPath, OBJ_CASE_INSENSITIVE | OBJ_KERNEL_HANDLE, NULL, NULL);
    ntStatus = ZwOpenKey(&hRegister, KEY_ALL_ACCESS, &objectAttributes);;
    if (!NT_SUCCESS(ntStatus))
        return ntStatus;

    // Disabled in the original: Group = "Boot Bus Extender".
    //RtlInitUnicodeString(&UnicodeValue, L"Group");
    //ntStatus=SetValueKey(hRegister, &UnicodeValue,REG_SZ, L"Boot Bus Extender");

    // DependOnService = "FltMgr"; the returned status is discarded.
    RtlInitUnicodeString(&UnicodeValue, L"DependOnService");
    ntStatus = SetValueKey(hRegister, &UnicodeValue, REG_SZ, L"FltMgr");
    ZwClose(hRegister);

    // Create "<service key>\Instances".
    RtlStringCbPrintfExW(szServerNameInstances, sizeof(szServerNameInstances), NULL, NULL, STRSAFE_FILL_BEHIND_NULL, L"%wZ\\Instances", &RegistryPath);
    RtlInitUnicodeString(&UnicodeSzServerNameInstances, szServerNameInstances);
    InitializeObjectAttributes(&objectAttributes, &UnicodeSzServerNameInstances, OBJ_CASE_INSENSITIVE | OBJ_KERNEL_HANDLE, NULL, NULL);
    ntStatus = ZwCreateKey(&hSubTempRegister, KEY_ALL_ACCESS, &objectAttributes, 0, NULL, REG_OPTION_NON_VOLATILE, &ulResult);
    if (!NT_SUCCESS(ntStatus))
        return ntStatus;
    ZwFlushKey(hSubTempRegister);

    // Service name = text after the last backslash of the service key path.
    // `pFind + sizeof(char)` is pointer arithmetic on wchar_t*, i.e. +1 wchar;
    // `+ 1` would say what is meant.
    pFind = wcsrchr(RegistryPath.Buffer, '\\');
    if (pFind)
        RtlInitUnicodeString(&UnicodeDriverServerName, pFind + sizeof(char));
    else {
        ZwClose(hSubTempRegister);
        return STATUS_UNSUCCESSFUL;
    }

    // Instances\DefaultInstance = "<service> Instance"
    RtlInitUnicodeString(&UnicodeValue, L"DefaultInstance");
    RtlStringCbPrintfExW(szInstances, sizeof(szInstances), NULL, NULL, STRSAFE_FILL_BEHIND_NULL, L"%wZ Instance", &UnicodeDriverServerName);
    SetValueKey(hSubTempRegister, &UnicodeValue, REG_SZ, szInstances);
    ZwClose(hSubTempRegister);

    // Create "Instances\<service> Instance" (note: no OBJ_KERNEL_HANDLE here).
    RtlStringCbPrintfExW(szInstances, sizeof(szInstances), NULL, NULL, STRSAFE_FILL_BEHIND_NULL, L"%wZ\\%wZ Instance", &UnicodeSzServerNameInstances, &UnicodeDriverServerName);
    RtlInitUnicodeString(&UnicodeSzText, szInstances);
    InitializeObjectAttributes(&objectAttributes, &UnicodeSzText, OBJ_CASE_INSENSITIVE, NULL, NULL);
    ntStatus = ZwCreateKey(&hSubTempRegister, KEY_ALL_ACCESS, &objectAttributes, 0, NULL, REG_OPTION_NON_VOLATILE, &ulResult);
    if (!NT_SUCCESS(ntStatus))
        return ntStatus;

    // Altitude decides where this filter sits in the filter stack; it is what
    // a minifilter inventory will report for this driver.
    RtlInitUnicodeString(&UnicodeValue, L"Altitude");
    SetValueKey(hSubTempRegister, &UnicodeValue, REG_SZ, L"399999");

    // Flags = 0 (REG_DWORD; SetValueKey writes sizeof(ULONG) bytes from the cast pointer).
    RtlInitUnicodeString(&UnicodeValue, L"Flags");
    ulValue = 0;
    SetValueKey(hSubTempRegister, &UnicodeValue, REG_DWORD, (wchar_t*)&ulValue);

    // Retry registration, stepping the altitude down on each collision.
    for (i = 0; i < 10; i++) {
        ntStatus = FltRegisterFilter(DriverObject, &FilterRegistration, &g_FilterHandle);
        if (ntStatus == STATUS_FLT_INSTANCE_ALTITUDE_COLLISION) {
            // Format the next altitude as a decimal string.
            UNICODE_STRING AltitudeUnicode;
            // MAX_PATH is used here as a byte count, consistent with MaximumLength.
            AltitudeUnicode.Buffer = (PWSTR)ExAllocatePool(NonPagedPool, MAX_PATH);
            if (AltitudeUnicode.Buffer == NULL)
                return STATUS_UNSUCCESSFUL;  // leaves hSubTempRegister open
            RtlZeroMemory(AltitudeUnicode.Buffer, MAX_PATH);
            AltitudeUnicode.MaximumLength = MAX_PATH;
            ntStatus = RtlIntegerToUnicodeString(nAltitude--, 10, &AltitudeUnicode);
            if (!NT_SUCCESS(ntStatus)) {
                RtlFreeUnicodeString(&AltitudeUnicode);
                return ntStatus;  // leaves hSubTempRegister open
            }
            RtlInitUnicodeString(&UnicodeValue, L"Altitude");
            SetValueKey(hSubTempRegister, &UnicodeValue, REG_SZ, AltitudeUnicode.Buffer);
            // NOTE(review): buffer came from ExAllocatePool but is released with
            // RtlFreeUnicodeString — confirm that pairing is acceptable here.
            RtlFreeUnicodeString(&AltitudeUnicode);
        } else if (NT_SUCCESS(ntStatus)) {
            break;
        } else {
            return ntStatus;  // leaves hSubTempRegister open
        }
    }
    if (hSubTempRegister) {
        ZwClose(hSubTempRegister);
    }
    // No check that the loop actually succeeded before starting filtering.
    ntStatus = FltStartFiltering(g_FilterHandle);
    if (!NT_SUCCESS(ntStatus)) {
        FltUnregisterFilter(g_FilterHandle);
    } else {
        KdPrint(("FltRegisterFilter OK\n"));
    }
    return ntStatus;
}

// Filter-manager unload callback: unregisters the filter. Does not release
// g_strMiniFilterHideFile.Buffer or reset g_FilterHandle.
NTSTATUS MiniFilterUnload(FLT_FILTER_UNLOAD_FLAGS Flags)
{
    UNREFERENCED_PARAMETER(Flags);
    PAGED_CODE();
    FltUnregisterFilter(g_FilterHandle);
    return STATUS_SUCCESS;
}

// Post-operation callback for IRP_MJ_DIRECTORY_CONTROL.
// After the file system has filled the caller's directory buffer, this walks
// the returned entries, builds "<directory>\<entry name>" for each, and
// unlinks any entry whose full path equals g_strMiniFilterHideFile
// (case-insensitive) by rewriting the previous entry's NextEntryOffset. If
// every entry was removed the query is failed with STATUS_NO_SUCH_FILE;
// otherwise the modified buffer is flagged with FltSetCallbackDataDirty.
// Only FileBothDirectoryInformation and FileIdBothDirectoryInformation are
// handled; all other information classes are returned unmodified.
// Always returns FLT_POSTOP_FINISHED_PROCESSING.
// Review notes (all visible below):
//  - nameInfo->Name.Length is copied into a PAGE_SIZE buffer with no bound
//    check, and the trailing-backslash test indexes Length/2 - 1, which
//    underflows for an empty name.
//  - Entry offsets from the buffer are followed without checking them
//    against QueryDirectory.Length.
//  - The two `return FLT_POSTOP_FINISHED_PROCESSING` statements inside the
//    branches skip LAST_CODE and leak nameInfo and fullPathLongName; a
//    failed pBuff allocation leaks the pFileName just allocated.
//  - `status` is an NTSTATUS initialised with an FLT_POSTOP_CALLBACK_STATUS
//    value; FltObjects is unused without UNREFERENCED_PARAMETER.
//  - NOTE(review): post-operation callbacks can run at elevated IRQL and in
//    an arbitrary context; the name lookup and the write into the caller's
//    buffer presumably need the safe-context pattern
//    (FltDoCompletionProcessingWhenSafe) — confirm.
FLT_POSTOP_CALLBACK_STATUS PtPostDirCtrlPassThrough(PFLT_CALLBACK_DATA Data, PCFLT_RELATED_OBJECTS FltObjects, PVOID CompletionContext, FLT_POST_OPERATION_FLAGS Flags)
{
    BOOLEAN modified = FALSE;           // at least one entry was unlinked
    BOOLEAN removedAllEntries = TRUE;   // cleared as soon as one entry survives
    NTSTATUS status = FLT_POSTOP_FINISHED_PROCESSING;
    wchar_t *fullPathLongName = NULL;   // directory path with trailing '\'
    ULONG nextOffset = 0;
    UNICODE_STRING strFileName;
    UNICODE_STRING strFilePathName;
    wchar_t* pFileName = NULL;
    wchar_t* pBuff = NULL;
    ULONG uBuflen;
    PFLT_FILE_NAME_INFORMATION nameInfo = NULL;

    UNREFERENCED_PARAMETER(CompletionContext);

    // Ignore draining callbacks, anything but a directory query, empty
    // buffers, and queries the file system already failed.
    if (FlagOn(Flags, FLTFL_POST_OPERATION_DRAINING) ||
        Data->Iopb->MinorFunction != IRP_MN_QUERY_DIRECTORY ||
        Data->Iopb->Parameters.DirectoryControl.QueryDirectory.Length <= 0 ||
        !NT_SUCCESS(Data->IoStatus.Status)) {
        return FLT_POSTOP_FINISHED_PROCESSING;
    }

    // Name of the directory being enumerated, as opened.
    status = FltGetFileNameInformation(Data, FLT_FILE_NAME_OPENED | FLT_FILE_NAME_QUERY_ALWAYS_ALLOW_CACHE_LOOKUP, &nameInfo);
    if (!NT_SUCCESS(status))
        goto LAST_CODE;
    status = FltParseFileNameInformation(nameInfo);
    if (!NT_SUCCESS(status))
        goto LAST_CODE;

    // Copy the directory name into a zero-filled page (unbounded copy, see
    // header note) and make sure it ends with a backslash. The appended
    // backslash is picked up later through the NUL-terminated buffer
    // (the %s below), not through strFilePathName.Length.
    fullPathLongName = ExAllocatePool(NonPagedPool, PAGE_SIZE);
    if (fullPathLongName == NULL)
        goto LAST_CODE;
    RtlZeroMemory(fullPathLongName, PAGE_SIZE);
    RtlCopyMemory(fullPathLongName, nameInfo->Name.Buffer, nameInfo->Name.Length);
    RtlInitUnicodeString(&strFilePathName, fullPathLongName);
    if (strFilePathName.Buffer[strFilePathName.Length / sizeof(wchar_t) - sizeof(char)] != '\\') {
        strFilePathName.Buffer[strFilePathName.Length / sizeof(wchar_t)] = '\\';
    }
    //KdPrint(("current directory path %wZ\n", &strFilePathName));

    // Per the original author, Windows XP and earlier query with
    // FileBothDirectoryInformation.
    if (Data->Iopb->Parameters.DirectoryControl.QueryDirectory.FileInformationClass == FileBothDirectoryInformation) {
        PFILE_BOTH_DIR_INFORMATION currentFileInfo = 0;
        PFILE_BOTH_DIR_INFORMATION nextFileInfo = 0;
        PFILE_BOTH_DIR_INFORMATION previousFileInfo = 0;
        // The output buffer holds a singly linked list of entries (NextEntryOffset);
        // walk it and unlink the entry to hide.
        if (Data->Iopb->Parameters.DirectoryControl.QueryDirectory.MdlAddress != NULL) {
            currentFileInfo = (PFILE_BOTH_DIR_INFORMATION)MmGetSystemAddressForMdlSafe(Data->Iopb->Parameters.DirectoryControl.QueryDirectory.MdlAddress, NormalPagePriority);
        } else {
            currentFileInfo = (PFILE_BOTH_DIR_INFORMATION)Data->Iopb->Parameters.DirectoryControl.QueryDirectory.DirectoryBuffer;
        }
        if (currentFileInfo == NULL)
            return FLT_POSTOP_FINISHED_PROCESSING;  // skips LAST_CODE cleanup
        previousFileInfo = currentFileInfo;
        do {
            nextOffset = currentFileInfo->NextEntryOffset;           // 0 marks the last entry
            nextFileInfo = (PFILE_BOTH_DIR_INFORMATION)((PCHAR)(currentFileInfo)+nextOffset);
            if (currentFileInfo->FileNameLength <= 0)
                break;
            // NUL-terminated copy of the entry name (FileName is not terminated).
            pFileName = (wchar_t *)ExAllocatePool(NonPagedPool, currentFileInfo->FileNameLength + sizeof(wchar_t));
            if (pFileName == NULL)
                break;
            RtlZeroMemory(pFileName, currentFileInfo->FileNameLength + sizeof(wchar_t));
            RtlCopyMemory(pFileName, currentFileInfo->FileName, currentFileInfo->FileNameLength);
            RtlInitUnicodeString(&strFileName, pFileName);
            // Full path = directory (with trailing '\') + entry name.
            uBuflen = strFileName.MaximumLength + MAX_PATH;
            pBuff = ExAllocatePool(NonPagedPool, uBuflen);
            if (pBuff == NULL)
                break;  // pFileName leaks on this path
            RtlZeroMemory(pBuff, uBuflen);
            RtlStringCbPrintfExW(pBuff, uBuflen, NULL, NULL, STRSAFE_FILL_BEHIND_NULL, L"%s%wZ", fullPathLongName, &strFileName);
            RtlInitUnicodeString(&strFilePathName, pBuff);
            ExFreePool(pFileName);
            //KdPrint(("current file %wZ\n", &strFilePathName));
            if (RtlEqualUnicodeString(&g_strMiniFilterHideFile, &strFilePathName, TRUE)) {
                if (nextOffset == 0) {
                    // Hidden entry is the last one: terminate the list at its predecessor.
                    previousFileInfo->NextEntryOffset = 0;
                } else {
                    // Point the predecessor past the hidden entry.
                    previousFileInfo->NextEntryOffset = (ULONG)((PCHAR)currentFileInfo - (PCHAR)previousFileInfo) + nextOffset;
                }
                modified = TRUE;
            } else {
                removedAllEntries = FALSE;
                previousFileInfo = currentFileInfo;
            }
            currentFileInfo = nextFileInfo;
            if (pBuff)
                ExFreePool(pBuff);
        } while (nextOffset != 0);
    }
    // Per the original author, Windows Vista / 7 and later query with
    // FileIdBothDirectoryInformation instead. Same walk as above; this branch
    // lacks the FileNameLength guard the first one has.
    else if (Data->Iopb->Parameters.DirectoryControl.QueryDirectory.FileInformationClass == FileIdBothDirectoryInformation) {
        PFILE_ID_BOTH_DIR_INFORMATION currentFileIdInfo = 0;
        PFILE_ID_BOTH_DIR_INFORMATION nextFileIdInfo = 0;
        PFILE_ID_BOTH_DIR_INFORMATION previousFileIdInfo = 0;
        wchar_t* pFileName = NULL;  // shadows the outer pFileName
        if (Data->Iopb->Parameters.DirectoryControl.QueryDirectory.MdlAddress != NULL) {
            currentFileIdInfo = (PFILE_ID_BOTH_DIR_INFORMATION)MmGetSystemAddressForMdlSafe(Data->Iopb->Parameters.DirectoryControl.QueryDirectory.MdlAddress, NormalPagePriority);
        } else {
            currentFileIdInfo = (PFILE_ID_BOTH_DIR_INFORMATION)Data->Iopb->Parameters.DirectoryControl.QueryDirectory.DirectoryBuffer;
        }
        if (currentFileIdInfo == NULL)
            return FLT_POSTOP_FINISHED_PROCESSING;  // skips LAST_CODE cleanup
        previousFileIdInfo = currentFileIdInfo;
        do {
            nextOffset = currentFileIdInfo->NextEntryOffset;
            nextFileIdInfo = (PFILE_ID_BOTH_DIR_INFORMATION)((PCHAR)(currentFileIdInfo)+nextOffset);
            pFileName = (wchar_t *)ExAllocatePool(NonPagedPool, currentFileIdInfo->FileNameLength + sizeof(wchar_t));
            if (pFileName == NULL)
                break;
            RtlZeroMemory(pFileName, currentFileIdInfo->FileNameLength + sizeof(wchar_t));
            RtlCopyMemory(pFileName, currentFileIdInfo->FileName, currentFileIdInfo->FileNameLength);
            RtlInitUnicodeString(&strFileName, pFileName);
            uBuflen = strFileName.MaximumLength + MAX_PATH;
            pBuff = ExAllocatePool(NonPagedPool, uBuflen);
            if (pBuff == NULL)
                break;  // pFileName leaks on this path
            RtlZeroMemory(pBuff, uBuflen);
            RtlStringCbPrintfExW(pBuff, uBuflen, NULL, NULL, STRSAFE_FILL_BEHIND_NULL, L"%s%wZ", fullPathLongName, &strFileName);
            RtlInitUnicodeString(&strFilePathName, pBuff);
            ExFreePool(pFileName);
            //KdPrint(("current file %wZ\n", &strFilePathName));
            if (RtlEqualUnicodeString(&g_strMiniFilterHideFile, &strFilePathName, TRUE)) {
                if (nextOffset == 0) {
                    previousFileIdInfo->NextEntryOffset = 0;
                } else {
                    previousFileIdInfo->NextEntryOffset = (ULONG)((PCHAR)currentFileIdInfo - (PCHAR)previousFileIdInfo) + nextOffset;
                }
                modified = TRUE;
            } else {
                removedAllEntries = FALSE;
                previousFileIdInfo = currentFileIdInfo;
            }
            currentFileIdInfo = nextFileIdInfo;
            if (pBuff)
                ExFreePool(pBuff);
        } while (nextOffset != 0);
    }
LAST_CODE:
    if (nameInfo) {
        FltReleaseFileNameInformation(nameInfo);
    }
    if (modified) {
        if (removedAllEntries)
            Data->IoStatus.Status = STATUS_NO_SUCH_FILE;  // nothing left to return
        else
            FltSetCallbackDataDirty(Data);                // buffer was edited in place
    }
    if (fullPathLongName) {
        ExFreePool(fullPathLongName);
    }
    return FLT_POSTOP_FINISHED_PROCESSING;
}

// Unregister the filter if a handle is present. Not declared in MiniFilter.h
// and not called on this page. `()` should be `(void)` in C. g_FilterHandle
// is not cleared afterwards, so a second call would unregister twice.
NTSTATUS LogOutMiniFilter()
{
    NTSTATUS status = STATUS_UNSUCCESSFUL;
    if (g_FilterHandle) {
        FltUnregisterFilter(g_FilterHandle);
        status = STATUS_SUCCESS;
    }
    return status;
}

// Write one registry value (REG_SZ or REG_DWORD only) and flush the key.
//   pValueData - NUL-terminated wide string for REG_SZ; for REG_DWORD a ULONG*
//                cast to wchar_t*, of which sizeof(ULONG) bytes are written.
// Returns STATUS_INVALID_PARAMETER for NULL handle / other types, the
// ZwSetValueKey status otherwise. Notes: the RtlStringCchLengthW result is
// not checked; `pcch <= 0` on a size_t is just `== 0`; cbszSize is a USHORT,
// so very long strings are truncated by the cast; ZwFlushKey on every write
// is costly and is also done by every caller's subsequent writes.
NTSTATUS SetValueKey(HANDLE hRegister, PUNICODE_STRING pValueName, ULONG Type, wchar_t* pValueData)
{
    size_t pcch;
    NTSTATUS ntstatus;
    USHORT cbszSize;
    // The Type upper bound is redundant with the switch's default case.
    if (hRegister == NULL || MmIsAddressValid(pValueName) == FALSE || MmIsAddressValid(pValueData) == FALSE || Type > REG_QWORD_LITTLE_ENDIAN)
        return STATUS_INVALID_PARAMETER;
    switch (Type) {
    case REG_SZ:
    {
        // Byte length including the terminating NUL.
        RtlStringCchLengthW(pValueData, NTSTRSAFE_MAX_CCH, &pcch);
        if (pcch <= 0)
            return STATUS_UNSUCCESSFUL;
        cbszSize = (USHORT)(pcch * sizeof(wchar_t)) + sizeof(wchar_t);
    }
    break;
    case REG_DWORD:
    {
        cbszSize = sizeof(ULONG);
    }
    break;
    default:
        return STATUS_INVALID_PARAMETER;
    }
    ntstatus = ZwSetValueKey(hRegister, pValueName, 0, Type, pValueData, cbszSize);
    ZwFlushKey(hRegister);
    return ntstatus;
}

// Convert a DOS path ("\??\C:\dir\file") into an NT device path.
// Opens the file, takes a reference on its FILE_OBJECT, asks for the volume's
// DOS name, resolves "\??\<dosname>" through FileMonQuerySymbolicLink, and
// returns "<link target><FileObject->FileName>" in a NonPagedPool buffer the
// caller owns. Review notes (visible below):
//  - The FILE_OBJECT reference is never released (no ObDereferenceObject;
//    compare NtFileNameToDosFileName).
//  - volumeDosName.Length/MaximumLength are set to MAX_PATH (a wchar count)
//    while the buffer is MAX_PATH bytes; NOTE(review): IoVolumeDeviceToDosName
//    allocates its own output buffer per the WDK, so the one allocated here
//    presumably leaks — confirm. It also leaks on the IoVolumeDeviceToDosName
//    error path.
//  - szText is static (not reentrant) and the output has MaximumLength ==
//    Length, so it is not NUL-terminated.
NTSTATUS DosFileNameToNtFileName(IN PUNICODE_STRING ustrDosName, OUT PUNICODE_STRING ustrDeviceName)
{
    NTSTATUS status;
    HANDLE hFile;
    OBJECT_ATTRIBUTES oa;
    IO_STATUS_BLOCK sb;
    PFILE_OBJECT FileObject;
    UNICODE_STRING volumeDosName;
    UNICODE_STRING pLinkTarget;
    static wchar_t szText[MAX_PATH] = { 0 };
    if (MmIsAddressValid(ustrDosName) == FALSE || MmIsAddressValid(ustrDeviceName) == FALSE)
        return STATUS_INVALID_PARAMETER;
    // Open for attributes only, then swap the handle for an object reference.
    InitializeObjectAttributes(&oa, ustrDosName, OBJ_CASE_INSENSITIVE | OBJ_KERNEL_HANDLE, NULL, NULL);
    status = ZwOpenFile(&hFile, FILE_READ_ATTRIBUTES | SYNCHRONIZE, &oa, &sb, FILE_SHARE_READ, FILE_SYNCHRONOUS_IO_NONALERT);
    if (!NT_SUCCESS(status))
        return status;
    status = ObReferenceObjectByHandle(hFile, FILE_READ_ATTRIBUTES, *IoFileObjectType, KernelMode, (PVOID*)&FileObject, NULL);
    ZwClose(hFile);
    if (!NT_SUCCESS(status))
        return status;
    // Drive letter of the volume the file lives on.
    volumeDosName.Length = MAX_PATH;
    volumeDosName.MaximumLength = MAX_PATH;
    volumeDosName.Buffer = (PWSTR)ExAllocatePool(PagedPool, MAX_PATH);
    if (volumeDosName.Buffer == NULL)
        return STATUS_UNSUCCESSFUL;
    status = IoVolumeDeviceToDosName(FileObject->DeviceObject, &volumeDosName);
    if (!NT_SUCCESS(status))
        return status;
    // "\??\<drive>" -> "\Device\..." via the symbolic link.
    RtlStringCbPrintfExW(szText, sizeof(szText), NULL, NULL, STRSAFE_FILL_BEHIND_NULL, L"\\??\\%wZ", &volumeDosName);
    ExFreePool(volumeDosName.Buffer);
    RtlInitUnicodeString(&volumeDosName, szText);
    status = FileMonQuerySymbolicLink(&volumeDosName, &pLinkTarget);
    if (!NT_SUCCESS(status))
        return status;
    // Output = link target + path relative to the volume.
    ustrDeviceName->Length = ustrDeviceName->MaximumLength = pLinkTarget.Length + FileObject->FileName.Length;
    ustrDeviceName->Buffer = ExAllocatePool(NonPagedPool, ustrDeviceName->MaximumLength);
    if (ustrDeviceName->Buffer) {
        RtlZeroMemory(ustrDeviceName->Buffer, ustrDeviceName->MaximumLength);
        RtlStringCbPrintfExW(szText, sizeof(szText), NULL, NULL, STRSAFE_FILL_BEHIND_NULL, L"%wZ%wZ", &pLinkTarget, &FileObject->FileName);
        RtlInitUnicodeString(&volumeDosName, szText);
        RtlCopyMemory(ustrDeviceName->Buffer, volumeDosName.Buffer, volumeDosName.Length);
        status = STATUS_SUCCESS;
    } else {
        status = STATUS_UNSUCCESSFUL;
    }
    ExFreePool(pLinkTarget.Buffer);
    return status;
}

// Convert an NT device path into a DOS path using IoQueryFileDosDeviceName.
// ustrDosName must already point at a caller-owned buffer; RtlCopyUnicodeString
// copies up to its MaximumLength. Resources are released in reverse order on
// every path. Not called on this page.
NTSTATUS NtFileNameToDosFileName(IN PUNICODE_STRING ustrDeviceName, OUT PUNICODE_STRING ustrDosName)
{
    NTSTATUS status;
    HANDLE hFile;
    OBJECT_ATTRIBUTES oa;
    IO_STATUS_BLOCK sb;
    if (MmIsAddressValid(ustrDosName) == FALSE || MmIsAddressValid(ustrDeviceName) == FALSE)
        return STATUS_INVALID_PARAMETER;
    InitializeObjectAttributes(&oa, ustrDeviceName, OBJ_CASE_INSENSITIVE | OBJ_KERNEL_HANDLE, NULL, NULL);
    status = ZwOpenFile(&hFile, FILE_READ_ATTRIBUTES | SYNCHRONIZE, &oa, &sb, FILE_SHARE_READ, FILE_SYNCHRONOUS_IO_NONALERT);
    if (NT_SUCCESS(status)) {
        PFILE_OBJECT FileObject;
        status = ObReferenceObjectByHandle(hFile, FILE_READ_ATTRIBUTES, *IoFileObjectType, KernelMode, (PVOID*)&FileObject, NULL);
        if (NT_SUCCESS(status)) {
            POBJECT_NAME_INFORMATION lpName;
            status = IoQueryFileDosDeviceName(FileObject, &lpName);
            if (NT_SUCCESS(status)) {
                RtlCopyUnicodeString(ustrDosName, &lpName->Name);
                ExFreePool(lpName);
                status = STATUS_SUCCESS;
            }
            ObDereferenceObject(FileObject);
        }
        ZwClose(hFile);
    }
    return status;
}

// Resolve one symbolic link object (e.g. "\??\C:") to its target.
// Allocates a MAX_PATH-wchar NonPagedPool buffer for LinkTarget; on success
// the caller owns it (DosFileNameToNtFileName frees it with ExFreePool), on a
// ZwQuerySymbolicLinkObject failure it is freed here. Note: when
// ZwOpenSymbolicLinkObject fails the buffer is returned without being freed.
// (The original comment described a loop over drive letters A–Z; no such loop
// exists here — the caller passes a single link name.)
NTSTATUS FileMonQuerySymbolicLink(IN PUNICODE_STRING SymbolicLinkName, OUT PUNICODE_STRING LinkTarget)
{
    OBJECT_ATTRIBUTES oa;
    NTSTATUS status;
    HANDLE h;
    if (MmIsAddressValid(SymbolicLinkName) == FALSE || MmIsAddressValid(LinkTarget) == FALSE)
        return STATUS_INVALID_PARAMETER;
    LinkTarget->MaximumLength = MAX_PATH * sizeof(WCHAR);
    LinkTarget->Length = 0;
    LinkTarget->Buffer = ExAllocatePool(NonPagedPool, LinkTarget->MaximumLength);
    if (LinkTarget->Buffer == NULL)
        return STATUS_INSUFFICIENT_RESOURCES;
    RtlZeroMemory(LinkTarget->Buffer, LinkTarget->MaximumLength);
    InitializeObjectAttributes(&oa, SymbolicLinkName, OBJ_KERNEL_HANDLE | OBJ_CASE_INSENSITIVE, 0, 0);
    status = ZwOpenSymbolicLinkObject(&h, GENERIC_READ, &oa);
    if (!NT_SUCCESS(status))
        return status;  // LinkTarget->Buffer leaks here
    status = ZwQuerySymbolicLinkObject(h, LinkTarget, NULL);
    ZwClose(h);
    if (!NT_SUCCESS(status))
        ExFreePool(LinkTarget->Buffer);
    return status;
}



#include "MiniFilter.h"

// Driver unload routine installed on DriverObject below. It does nothing:
// filter teardown is left to MiniFilterUnload (the FLT_REGISTRATION unload
// callback), and g_strMiniFilterHideFile's buffer is never released.
// DriverObject is unused and not marked UNREFERENCED_PARAMETER.
VOID DriverUnload(IN PDRIVER_OBJECT DriverObject)
{
    return;
}

// Driver entry point. Installs DriverUnload, then registers the minifilter
// with a hard-coded DOS path of the single file to hide from directory
// enumeration. The RegisterMiniFilter result is stored in `status` but never
// examined: this function always returns STATUS_SUCCESS, so the driver stays
// loaded even when filter registration failed.
NTSTATUS DriverEntry(IN PDRIVER_OBJECT DriverObject, IN PUNICODE_STRING RegistryPath)
{
    DriverObject->DriverUnload = DriverUnload;
    // Unconditional breakpoint left in from debugging; NOTE(review): without a
    // kernel debugger attached this presumably bugchecks — remove for any
    // non-debug build.
    DbgBreakPoint();
    // Declarations after a statement require C99-style mixed declarations;
    // older WDK C toolchains reject this.
    NTSTATUS status;
    UNICODE_STRING strHideFile;
    RtlInitUnicodeString(&strHideFile, L"\\??\\c:\\windows\\notepad.exe");
    status = RegisterMiniFilter(DriverObject, RegistryPath, &strHideFile);
    return STATUS_SUCCESS;
}

