
📄 myfilespy.c

📁 使用文件过滤驱动程序实现对文件的加密。在IFS 2003中编译
#include <ntifs.h>
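/* Device-type tags; HOOK_EXTENSION.DeviceType is compared against these. */
#define DEVICE_TYPE_GUI     100
#define DEVICE_TYPE_HOOK    101
/*
 * Control codes.
 * NOTE(review): these are plain integers, not CTL_CODE() values. If they are
 * passed as an IoControlCode, the low two bits select the buffer transfer
 * method (for example 1111 & 3 == 3, which is METHOD_NEITHER). The code that
 * handles them is not in this part of the file; confirm there that caller
 * buffers are validated to match.
 */
#define DEVICE_IO_CTL_HOOK  1234
#define DEVICE_IO_CTL_SET   1111
#define DEVICE_IO_CTL_GET   2222
#define DEVICE_IO_CTL_KILL  3333
/* Device and symbolic-link name strings. */
#define NT_DEVICE_NAME  L"\\Device\\MyFileSpy"
#define DOS_DEVICE_NAME L"\\DosDevices\\MyFileSpy"
#define DOS_DEVICE_DISK L"\\DosDevices\\C:\\"
/*
 * True when HookExt is not the GUI device and the driver behind
 * HookExt->FileSystem publishes a non-NULL fast I/O routine named Handler.
 * The expansion and the HookExt argument are parenthesised so the macro can
 * be negated or combined with other operators without changing its meaning.
 */
#define VALID_FAST_IO_DISPATCH_HANDLER( HookExt,Handler ) \
    ((HookExt)->DeviceType!=DEVICE_TYPE_GUI && \
     (HookExt)->FileSystem->DriverObject->FastIoDispatch && \
     (HookExt)->FileSystem->DriverObject->FastIoDispatch->Handler)
/* Per-device extension used by the fast I/O handlers. */
typedef struct {
    ULONG            DeviceType;   /* DEVICE_TYPE_GUI or DEVICE_TYPE_HOOK */
    PDEVICE_OBJECT   FileSystem;   /* device whose driver's fast I/O table is called */
}HOOK_EXTENSION, *PHOOK_EXTENSION;
/* Global device objects. */
PDEVICE_OBJECT   GUIDevice;
PDEVICE_OBJECT   HookDevice;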
//快速IO处理程序;
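/*
 * Fast I/O "check if possible" entry point.
 *
 * Forwards the query to the FastIoCheckIfPossible routine of the driver that
 * owns HookExt->FileSystem and returns its answer. Returns FALSE when
 * DeviceObject is NULL or when VALID_FAST_IO_DISPATCH_HANDLER reports that
 * there is no routine to call.
 */
BOOLEAN
FastIoCheckifPossible( 
    IN PFILE_OBJECT FileObject, 
    IN PLARGE_INTEGER FileOffset, 
    IN ULONG Length, 
    IN BOOLEAN Wait, 
    IN ULONG LockKey, 
    IN BOOLEAN CheckForReadOperation,
    OUT PIO_STATUS_BLOCK IoStatus, 
    IN PDEVICE_OBJECT DeviceObject 
    ) 
{
    PHOOK_EXTENSION HookExt;

    DbgPrint("FastIoCheckifPossible\n");
    if (!DeviceObject) {
        return FALSE;
    }
    HookExt = DeviceObject->DeviceExtension;
    /*
     * The original test was inverted: it returned FALSE when the routine was
     * present and went on to call through the table when the macro was false
     * (GUI device, no dispatch table, or NULL routine), which is a kernel-mode
     * call through a missing pointer. The extra parentheses are needed because
     * the macro body is not parenthesised.
     */
    if (!(VALID_FAST_IO_DISPATCH_HANDLER(HookExt, FastIoCheckIfPossible))) {
        return FALSE;
    }
    /* Pass the lower device, not our own, to the routine we forward to. */
    return HookExt->FileSystem->DriverObject->FastIoDispatch->FastIoCheckIfPossible(
            FileObject, FileOffset, Length,
            Wait, LockKey, CheckForReadOperation, IoStatus, HookExt->FileSystem);
}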
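/*
 * Fast I/O read entry point.
 *
 * Forwards the read unchanged to the FastIoRead routine of the driver that
 * owns HookExt->FileSystem and returns its result. Returns FALSE when
 * DeviceObject is NULL or no such routine is available.
 */
BOOLEAN
FastIoRead( 
    IN PFILE_OBJECT FileObject, 
    IN PLARGE_INTEGER FileOffset, 
    IN ULONG Length, 
    IN BOOLEAN Wait, 
    IN ULONG LockKey, 
    OUT PVOID Buffer,
    OUT PIO_STATUS_BLOCK IoStatus, 
    IN PDEVICE_OBJECT DeviceObject 
    )
{
    PHOOK_EXTENSION HookExt;

    DbgPrint("FastIoRead\n");
    if (!DeviceObject) {
        return FALSE;
    }
    HookExt = DeviceObject->DeviceExtension;
    /*
     * Bail out when the routine is NOT available. The original condition was
     * inverted, so it declined valid requests and dereferenced the dispatch
     * table exactly when the macro had found it unusable. Parenthesised here
     * because the macro body is a bare && chain.
     */
    if (!(VALID_FAST_IO_DISPATCH_HANDLER(HookExt, FastIoRead))) {
        return FALSE;
    }
    return HookExt->FileSystem->DriverObject->FastIoDispatch->FastIoRead(
            FileObject, FileOffset, Length,
            Wait, LockKey, Buffer, IoStatus, HookExt->FileSystem);
}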
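/*
 * Fast I/O write entry point.
 *
 * Forwards the write unchanged to the FastIoWrite routine of the driver that
 * owns HookExt->FileSystem and returns its result. Returns FALSE when
 * DeviceObject is NULL or no such routine is available.
 */
BOOLEAN  
FastIoWrite( 
    IN PFILE_OBJECT FileObject, 
    IN PLARGE_INTEGER FileOffset,
    IN ULONG Length, 
    IN BOOLEAN Wait, 
    IN ULONG LockKey, 
    IN PVOID Buffer,
    OUT PIO_STATUS_BLOCK IoStatus, 
    IN PDEVICE_OBJECT DeviceObject 
    )
{
    PHOOK_EXTENSION HookExt;

    DbgPrint("FastIoWrite\n");
    if (!DeviceObject) {
        return FALSE;
    }
    HookExt = DeviceObject->DeviceExtension;
    /*
     * Inverted in the original: the handler was skipped when present and
     * called when absent. Negate the (unparenthesised) macro explicitly so a
     * missing table or routine is never dereferenced.
     */
    if (!(VALID_FAST_IO_DISPATCH_HANDLER(HookExt, FastIoWrite))) {
        return FALSE;
    }
    return HookExt->FileSystem->DriverObject->FastIoDispatch->FastIoWrite(
            FileObject, FileOffset, Length,
            Wait, LockKey, Buffer, IoStatus, HookExt->FileSystem);
}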
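/*
 * Fast I/O basic-information query.
 *
 * Forwards to the FastIoQueryBasicInfo routine of the driver that owns
 * HookExt->FileSystem. Returns FALSE when DeviceObject is NULL or no such
 * routine is available.
 */
BOOLEAN  
FastIoQueryBasicInfo( 
    IN PFILE_OBJECT FileObject, 
    IN BOOLEAN Wait, 
    OUT PFILE_BASIC_INFORMATION Buffer,
    OUT PIO_STATUS_BLOCK IoStatus, 
    IN PDEVICE_OBJECT DeviceObject 
    )
{
    PHOOK_EXTENSION HookExt;

    DbgPrint("FastIoQueryBasicInfo\n");
    if (!DeviceObject) {
        return FALSE;
    }
    HookExt = DeviceObject->DeviceExtension;
    /*
     * The original returned early when the routine existed and called it
     * when it did not; the test is negated here so the call only happens
     * through a table and routine the macro has checked.
     */
    if (!(VALID_FAST_IO_DISPATCH_HANDLER(HookExt, FastIoQueryBasicInfo))) {
        return FALSE;
    }
    return HookExt->FileSystem->DriverObject->FastIoDispatch->FastIoQueryBasicInfo(
            FileObject, Wait, Buffer, IoStatus, HookExt->FileSystem);
}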
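/*
 * Fast I/O standard-information query.
 *
 * Forwards to the FastIoQueryStandardInfo routine of the driver that owns
 * HookExt->FileSystem. Returns FALSE when DeviceObject is NULL or no such
 * routine is available.
 */
BOOLEAN  
FastIoQueryStandardInfo( 
    IN PFILE_OBJECT FileObject, 
    IN BOOLEAN Wait, 
    OUT PFILE_STANDARD_INFORMATION Buffer,
    OUT PIO_STATUS_BLOCK IoStatus, 
    IN PDEVICE_OBJECT DeviceObject 
    )
{
    PHOOK_EXTENSION HookExt;

    /* The trace previously printed "FastIoQueryBasicInfo" (copy-paste slip). */
    DbgPrint("FastIoQueryStandardInfo\n");
    if (!DeviceObject) {
        return FALSE;
    }
    HookExt = DeviceObject->DeviceExtension;
    /*
     * Condition was inverted in the original, so the forward call ran only
     * when the macro had found no usable routine. Negated, with explicit
     * parentheses because the macro body is not parenthesised.
     */
    if (!(VALID_FAST_IO_DISPATCH_HANDLER(HookExt, FastIoQueryStandardInfo))) {
        return FALSE;
    }
    return HookExt->FileSystem->DriverObject->FastIoDispatch->FastIoQueryStandardInfo(
            FileObject, Wait, Buffer, IoStatus, HookExt->FileSystem);
}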
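/*
 * Fast I/O byte-range lock request.
 *
 * Forwards to the FastIoLock routine of the driver that owns
 * HookExt->FileSystem. Returns FALSE when DeviceObject is NULL or no such
 * routine is available.
 */
BOOLEAN  
FastIoLock( 
    IN PFILE_OBJECT FileObject, 
    IN PLARGE_INTEGER FileOffset,
    IN PLARGE_INTEGER Length, 
    PEPROCESS ProcessId, 
    ULONG Key,
    BOOLEAN FailImmediately, 
    BOOLEAN ExclusiveLock,
    OUT PIO_STATUS_BLOCK IoStatus, 
    IN PDEVICE_OBJECT DeviceObject
    )
{
    PHOOK_EXTENSION HookExt;

    DbgPrint("FastIoLock\n");
    if (!DeviceObject) {
        return FALSE;
    }
    HookExt = DeviceObject->DeviceExtension;
    /*
     * Decline when the routine is missing. The original had this backwards
     * and would call through the table precisely when the macro was false.
     */
    if (!(VALID_FAST_IO_DISPATCH_HANDLER(HookExt, FastIoLock))) {
        return FALSE;
    }
    return HookExt->FileSystem->DriverObject->FastIoDispatch->FastIoLock(
            FileObject, FileOffset, Length, ProcessId, Key, FailImmediately,
            ExclusiveLock, IoStatus, HookExt->FileSystem);
}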
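/*
 * Fast I/O single byte-range unlock.
 *
 * Forwards to the FastIoUnlockSingle routine of the driver that owns
 * HookExt->FileSystem. Returns FALSE when DeviceObject is NULL or no such
 * routine is available.
 */
BOOLEAN  
FastIoUnlockSingle( 
    IN PFILE_OBJECT FileObject, 
    IN PLARGE_INTEGER FileOffset,
    IN PLARGE_INTEGER Length, 
    PEPROCESS ProcessId, 
    ULONG Key,
    OUT PIO_STATUS_BLOCK IoStatus, 
    IN PDEVICE_OBJECT DeviceObject 
    )
{
    PHOOK_EXTENSION HookExt;

    DbgPrint("FastIoUnlockSingle\n");
    if (!DeviceObject) {
        return FALSE;
    }
    HookExt = DeviceObject->DeviceExtension;
    /*
     * Negated relative to the original, which skipped a present routine and
     * called an absent one. Parentheses guard the unparenthesised macro body.
     */
    if (!(VALID_FAST_IO_DISPATCH_HANDLER(HookExt, FastIoUnlockSingle))) {
        return FALSE;
    }
    return HookExt->FileSystem->DriverObject->FastIoDispatch->FastIoUnlockSingle(
            FileObject, FileOffset, Length, ProcessId, Key,
            IoStatus, HookExt->FileSystem);
}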
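/*
 * Fast I/O "unlock all byte ranges" request.
 *
 * Forwards to the FastIoUnlockAll routine of the driver that owns
 * HookExt->FileSystem. Returns FALSE when DeviceObject is NULL or no such
 * routine is available.
 */
BOOLEAN  
FastIoUnlockAll( 
    IN PFILE_OBJECT FileObject, 
    PEPROCESS ProcessId,
    OUT PIO_STATUS_BLOCK IoStatus, 
    IN PDEVICE_OBJECT DeviceObject 
    )
{
    PHOOK_EXTENSION HookExt;

    DbgPrint("FastIoUnlockAll\n");
    if (!DeviceObject) {
        return FALSE;
    }
    HookExt = DeviceObject->DeviceExtension;
    /*
     * The original condition lacked the negation, so the forward call was
     * reached only with a missing table or routine. Fixed to return FALSE
     * in that case instead.
     */
    if (!(VALID_FAST_IO_DISPATCH_HANDLER(HookExt, FastIoUnlockAll))) {
        return FALSE;
    }
    return HookExt->FileSystem->DriverObject->FastIoDispatch->FastIoUnlockAll(
            FileObject, ProcessId, IoStatus, HookExt->FileSystem);
}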
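/*
 * Fast I/O "unlock all by key" request.
 *
 * Always returns FALSE; the request is never handled on the fast path here.
 *
 * The original evaluated VALID_FAST_IO_DISPATCH_HANDLER and then returned
 * FALSE on both outcomes. That check only walked
 * DeviceExtension->FileSystem->DriverObject for no result, so it has been
 * removed along with the locals it needed.
 *
 * NOTE(review): the original comment announced a call to the underlying
 * dispatch routine, but no such call was ever present. Confirm whether
 * forwarding was intended before adding it.
 */
BOOLEAN  
FastIoUnlockAllByKey( 
    IN PFILE_OBJECT FileObject, 
    PEPROCESS ProcessId, ULONG Key,
    OUT PIO_STATUS_BLOCK IoStatus, 
    IN PDEVICE_OBJECT DeviceObject 
    )
{
    DbgPrint("FastIoUnlockAllByKey\n");
    return FALSE;
}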
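/*
 * Fast I/O device-control request.
 *
 * Always returns FALSE; no control code is handled or forwarded on the fast
 * path, and neither InputBuffer nor OutbufBuffer is touched.
 *
 * The original evaluated VALID_FAST_IO_DISPATCH_HANDLER and returned FALSE
 * whichever way it came out. The dead check, which dereferenced the device
 * extension chain for nothing, has been dropped.
 *
 * NOTE(review): the original comment announced a call to the underlying
 * dispatch routine that was never written. If buffer handling is ever added
 * here, the caller-supplied pointers and lengths need validating first.
 */
BOOLEAN  
FastIoDeviceControl( 
    IN PFILE_OBJECT FileObject, 
    IN BOOLEAN Wait,
    IN PVOID InputBuffer, 
    IN ULONG InputBufferLength, 
    OUT PVOID OutbufBuffer, 
    IN ULONG OutputBufferLength, 
    IN ULONG IoControlCode,
    OUT PIO_STATUS_BLOCK IoStatus, 
    IN PDEVICE_OBJECT DeviceObject 
    )
{
    DbgPrint("FastIoDeviceControl\n");
    return FALSE;
}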
/*
 * Fast I/O acquire-file callback.
 *
 * Stub: emits a debug trace and does nothing else. FileObject is not used.
 */
VOID     
FastIoAcquireFile( 
    PFILE_OBJECT FileObject 
    )
{
    DbgPrint("FastIoAcquireFile\n");
}
/*
 * Fast I/O release-file callback.
 *
 * Stub: emits a debug trace and does nothing else. FileObject is not used.
 */
VOID     
FastIoReleaseFile(
    PFILE_OBJECT FileObject 
    )
{
    DbgPrint("FastIoReleaseFile\n");
}
/*
 * Fast I/O detach-device callback.
 *
 * Stub: emits a debug trace and returns. Neither SourceDevice nor
 * TargetDevice is detached or deleted here.
 *
 * NOTE(review): if this routine is registered and the filter stays attached
 * to TargetDevice, the filter's device would outlive the device below it.
 * Confirm the attach/detach handling in the rest of the driver.
 */
VOID     
FastIoDetachDevice( 
    PDEVICE_OBJECT SourceDevice, 
    PDEVICE_OBJECT TargetDevice 
    )
{
    DbgPrint("FastIoDetachDevice\n");
}
// These are new NT 4.0 Fast I/O calls
/*
 * Fast I/O network-open-information query.
 *
 * Stub: traces the call and returns FALSE for every input, including a NULL
 * DeviceObject. Buffer and IoStatus are never written.
 */
BOOLEAN  
FastIoQueryNetworkOpenInfo(
    IN PFILE_OBJECT FileObject,
    IN BOOLEAN Wait, 
    OUT struct _FILE_NETWORK_OPEN_INFORMATION *Buffer,
    OUT struct _IO_STATUS_BLOCK *IoStatus, 
    IN PDEVICE_OBJECT DeviceObject 
    )
{
    DbgPrint("FastIoQueryNetworkOpenInfo\n");
    /* Nothing is forwarded; the request is declined on the fast path. */
    return FALSE;
}
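/*
 * Fast I/O acquire-for-modified-page-write callback.
 *
 * Stub: traces the call and reports that the request was not handled.
 * No resource is acquired and *ResourceToRelease is never written.
 *
 * The original returned a BOOLEAN FALSE from this NTSTATUS function. FALSE
 * is 0, the same value as STATUS_SUCCESS, so the caller was told the acquire
 * had succeeded while *ResourceToRelease was left unset. A failure status is
 * returned instead.
 *
 * NOTE(review): STATUS_INVALID_DEVICE_REQUEST is used as the "not handled
 * here" status. Confirm it is what the target OS version expects from this
 * callback.
 */
NTSTATUS 
FastIoAcquireForModWrite( 
    IN PFILE_OBJECT FileObject,
    IN PLARGE_INTEGER EndingOffset, 
    OUT struct _ERESOURCE **ResourceToRelease,
    IN PDEVICE_OBJECT DeviceObject 
    )
{
    DbgPrint("FastIoAcquireForModWrite\n");
    return STATUS_INVALID_DEVICE_REQUEST;
}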
/*
 * Fast I/O MDL read.
 *
 * Stub: traces the call and returns FALSE for every input, including a NULL
 * DeviceObject. MdlChain and IoStatus are never written.
 */
BOOLEAN  
FastIoMdlRead( 
    IN PFILE_OBJECT FileObject,
    IN PLARGE_INTEGER FileOffset, 
    IN ULONG Length,
    IN ULONG LockKey, 
    OUT PMDL *MdlChain, 
    OUT PIO_STATUS_BLOCK IoStatus,
    IN PDEVICE_OBJECT DeviceObject 
	)
{
    DbgPrint("FastIoMdlRead\n");
    /* Nothing is forwarded; the request is declined on the fast path. */
    return FALSE;
}
/*
 * Fast I/O MDL read completion.
 *
 * Stub: traces the call and returns FALSE for every input, including a NULL
 * DeviceObject. MdlChain is not released here.
 */
BOOLEAN  
FastIoMdlReadComplete( 
    IN PFILE_OBJECT FileObject,
    IN PMDL MdlChain, 
    IN PDEVICE_OBJECT DeviceObject 
    )
{
    DbgPrint("FastIoMdlReadComplete\n");
    /* Nothing is forwarded; the request is declined on the fast path. */
    return FALSE;
}
/*
 * Fast I/O prepare-MDL-write.
 *
 * Stub: traces the call and returns FALSE for every input, including a NULL
 * DeviceObject. MdlChain and IoStatus are never written.
 */
BOOLEAN  
FastIoPrepareMdlWrite( 
    IN PFILE_OBJECT FileObject,
    IN PLARGE_INTEGER FileOffset, 
    IN ULONG Length, 
    IN ULONG LockKey,
    OUT PMDL *MdlChain, 
    OUT PIO_STATUS_BLOCK IoStatus,
    IN PDEVICE_OBJECT DeviceObject
    )
{
    DbgPrint("FastIoPrepareMdlWrite\n");
    /* Nothing is forwarded; the request is declined on the fast path. */
    return FALSE;
}
/*
 * Fast I/O MDL write completion.
 *
 * Stub: traces the call and returns FALSE for every input, including a NULL
 * DeviceObject. MdlChain is not released here.
 */
BOOLEAN  
FastIoMdlWriteComplete( 
    IN PFILE_OBJECT FileObject,
    IN PLARGE_INTEGER FileOffset, 
    IN PMDL MdlChain,
    IN PDEVICE_OBJECT DeviceObject 
    )
{
    DbgPrint("FastIoMdlWriteComplete\n");
    /* Nothing is forwarded; the request is declined on the fast path. */
    return FALSE;
}
/*
 * Fast I/O compressed read.
 *
 * Stub: traces the call and returns FALSE for every input, including a NULL
 * DeviceObject. None of the output parameters is written.
 */
BOOLEAN  
FastIoReadCompressed( 
    IN PFILE_OBJECT FileObject,
    IN PLARGE_INTEGER FileOffset, 
    IN ULONG Length,
    IN ULONG LockKey, 
    OUT PVOID Buffer, 
    OUT PMDL *MdlChain,
    OUT PIO_STATUS_BLOCK IoStatus,
    OUT struct _COMPRESSED_DATA_INFO *CompressedDataInfo,
    IN ULONG CompressedDataInfoLength, 
    IN PDEVICE_OBJECT DeviceObject 
    )
{
    DbgPrint("FastIoReadCompressed\n");
    /* Nothing is forwarded; the request is declined on the fast path. */
    return FALSE;
}
BOOLEAN  
FastIoWriteCompressed( 
    IN PFILE_OBJECT FileObject,
    IN PLARGE_INTEGER FileOffset, 
    IN ULONG Length,
    IN ULONG LockKey, 
    IN PVOID Buffer, 
    OUT PMDL *MdlChain,
    OUT PIO_STATUS_BLOCK IoStatus,
    IN struct _COMPRESSED_DATA_INFO *CompressedDataInfo,
