📄 myfilespy.c
字号:
IN ULONG CompressedDataInfoLength,
IN PDEVICE_OBJECT DeviceObject
)
{
PHOOK_EXTENSION HookExt;
BOOLEAN RetVal=FALSE;
DbgPrint("FastIoWriteCompressed\n");
if( !DeviceObject ) return RetVal;
HookExt=DeviceObject->DeviceExtension;
return RetVal;
}
BOOLEAN
FastIoMdlReadCompleteCompressed(
IN PFILE_OBJECT FileObject,
IN PMDL MdlChain,
IN PDEVICE_OBJECT DeviceObject
)
{
PHOOK_EXTENSION HookExt;
BOOLEAN RetVal=FALSE;
DbgPrint("FastIoMdlReadCompleteCompressed\n");
if( !DeviceObject ) return RetVal;
HookExt=DeviceObject->DeviceExtension;
return RetVal;
}
BOOLEAN
FastIoMdlWriteCompleteCompressed(
IN PFILE_OBJECT FileObject,
IN PLARGE_INTEGER FileOffset,
IN PMDL MdlChain,
IN PDEVICE_OBJECT DeviceObject
)
{
PHOOK_EXTENSION HookExt;
BOOLEAN RetVal=FALSE;
DbgPrint("FastIoMdlWriteCompleteCompressed\n");
if( !DeviceObject ) return RetVal;
HookExt=DeviceObject->DeviceExtension;
return RetVal;
}
BOOLEAN
FastIoQueryOpen(
IN struct _IRP *Irp,
OUT PFILE_NETWORK_OPEN_INFORMATION NetworkInformation,
IN PDEVICE_OBJECT DeviceObject
)
{
PHOOK_EXTENSION HookExt;
BOOLEAN RetVal=FALSE;
DbgPrint("FastIoQueryOpen\n");
if( !DeviceObject ) return RetVal;
HookExt=DeviceObject->DeviceExtension;
return RetVal;
}
NTSTATUS
FastIoReleaseForModWrite(
IN PFILE_OBJECT FileObject,
IN struct _ERESOURCE *ResourceToRelease,
IN PDEVICE_OBJECT DeviceObject
)
{
PHOOK_EXTENSION HookExt;
BOOLEAN RetVal=FALSE;
DbgPrint("FastIoReleaseForModWrite\n");
if( !DeviceObject ) return RetVal;
HookExt=DeviceObject->DeviceExtension;
return RetVal;
}
NTSTATUS
FastIoAcquireForCcFlush(
IN PFILE_OBJECT FileObject,
IN PDEVICE_OBJECT DeviceObject
)
{
PHOOK_EXTENSION HookExt;
BOOLEAN RetVal=FALSE;
DbgPrint("FastIoAcquireForCcFlush\n");
if( !DeviceObject ) return RetVal;
HookExt=DeviceObject->DeviceExtension;
return RetVal;
}
NTSTATUS
FastIoReleaseForCcFlush(
IN PFILE_OBJECT FileObject,
IN PDEVICE_OBJECT DeviceObject
)
{
PHOOK_EXTENSION HookExt;
BOOLEAN RetVal=FALSE;
DbgPrint("FastIoReleaseForCcFlush\n");
if( !DeviceObject ) return RetVal;
HookExt=DeviceObject->DeviceExtension;
return RetVal;
}
//快速IO例程列表;
FAST_IO_DISPATCH FastIoHook=
{
sizeof(FAST_IO_DISPATCH),
FastIoCheckifPossible,
FastIoRead,
FastIoWrite,
FastIoQueryBasicInfo,
FastIoQueryStandardInfo,
FastIoLock,
FastIoUnlockSingle,
FastIoUnlockAll,
FastIoUnlockAllByKey,
FastIoDeviceControl,
FastIoAcquireFile,
FastIoReleaseFile,
FastIoDetachDevice,
// new for NT 4.0
FastIoQueryNetworkOpenInfo,
FastIoAcquireForModWrite,
FastIoMdlRead,
FastIoMdlReadComplete,
FastIoPrepareMdlWrite,
FastIoMdlWriteComplete,
FastIoReadCompressed,
FastIoWriteCompressed,
FastIoMdlReadCompleteCompressed,
FastIoMdlWriteCompleteCompressed,
FastIoQueryOpen,
FastIoReleaseForModWrite,
FastIoAcquireForCcFlush,
FastIoReleaseForCcFlush
};
//内部函数(子程序);
NTSTATUS
HookDisk(IN PDRIVER_OBJECT DriverObject)
{
UNICODE_STRING FileNameUnicodeStr;
OBJECT_ATTRIBUTES ObjectAttrib;
NTSTATUS NtStatus;
HANDLE NtFileHandle;
IO_STATUS_BLOCK IOStatus;
PFILE_OBJECT FileObject;
PDEVICE_OBJECT FileSysDevice;
PDEVICE_OBJECT TopDevice;
DbgPrint("-------------------Entry HookDisk\n");
RtlInitUnicodeString( &FileNameUnicodeStr, DOS_DEVICE_DISK);
//初始化对象属性;
InitializeObjectAttributes( &ObjectAttrib,&FileNameUnicodeStr,
OBJ_CASE_INSENSITIVE,NULL, NULL);
//打开文件根目录;
NtStatus = ZwCreateFile( &NtFileHandle, SYNCHRONIZE|FILE_ANY_ACCESS,
&ObjectAttrib, &IOStatus, NULL, 0,
FILE_SHARE_READ|FILE_SHARE_WRITE,
FILE_OPEN,
FILE_SYNCHRONOUS_IO_NONALERT|FILE_DIRECTORY_FILE,
NULL, 0 );
if( !NT_SUCCESS( NtStatus ) )
{
DbgPrint("ZwCreateFile fail\n");
return NtStatus;
}
//从文件句柄中得到文件对象指针;
NtStatus = ObReferenceObjectByHandle( NtFileHandle, FILE_READ_DATA,
NULL, KernelMode, &FileObject, NULL );
if( !NT_SUCCESS( NtStatus ))
{
DbgPrint("ObReferenceObjectByHandle fail\n");
ZwClose( NtFileHandle );
return NtStatus;
}
//得到与该文件对象相关联的文件系统设备对象;
FileSysDevice = IoGetRelatedDeviceObject( FileObject );
if( ! FileSysDevice )
{
DbgPrint("IoGetRelatedDeviceObject fail\n");
ObDereferenceObject( FileObject );
ZwClose( NtFileHandle );
return NtStatus;
}
//创建一个设备,准备用于挂接该文件系统。
NtStatus = IoCreateDevice( DriverObject,
sizeof(HOOK_EXTENSION),
NULL,//没有名字;
FileSysDevice->DeviceType,//与父文件设备相同;
0,
FALSE,//不独占;
&HookDevice );
if( !NT_SUCCESS(NtStatus) )
{
DbgPrint("IoCreateDevice fail\n");
ObDereferenceObject( FileObject );
ZwClose( NtFileHandle );
return NtStatus;
}
//DDK 文档指出,如果从Dispatch 例程里创建的设备需要表明设备未初始化;
HookDevice->Flags &= ~DO_DEVICE_INITIALIZING;
//设置设备标志;
((PHOOK_EXTENSION)HookDevice->DeviceExtension)->DeviceType=DEVICE_TYPE_HOOK;
//填写父设备FileSystem域;
((PHOOK_EXTENSION)HookDevice->DeviceExtension)->FileSystem=FileSysDevice;
//挂接设备(Attach),现在我们就可以接受Irp了;
//好象可以被TopDevice=IoAttachDeviceToDeviceStack( HookDevice, FileSysDevice )代替;
NtStatus=IoAttachDeviceByPointer( HookDevice, FileSysDevice );
if( !NT_SUCCESS(NtStatus) )
{
DbgPrint("IoAttachDeviceToDeviceStack fail\n");
ObDereferenceObject( FileObject );
ZwClose( NtFileHandle );
return NtStatus;
}
DbgPrint("IoAttachDeviceToDeviceStack Ok,FileSystem=%x\n",FileSysDevice);
//减少引用计数;
ObDereferenceObject( FileObject );
//关闭句柄;
ZwClose( NtFileHandle );
DbgPrint("-------------------Quit HookDisk\n");
return NtStatus;
}
VOID
//UnLoad例程;
Unload(PDRIVER_OBJECT DriverObject)
{
UNICODE_STRING Win32DeviceName;
RtlInitUnicodeString(&Win32DeviceName,DOS_DEVICE_NAME);
if (HookDevice)
{
IoDetachDevice(((PHOOK_EXTENSION)HookDevice->DeviceExtension)->FileSystem );
IoDeleteDevice(HookDevice);
}
IoDeleteDevice(GUIDevice);
IoDeleteSymbolicLink(&Win32DeviceName);
DbgPrint (("Unload OK\n"));
}
//用户接口Dispatch处理程序;
NTSTATUS
GUIDispatch( IN PDEVICE_OBJECT DeviceObject, IN PIRP Irp )
{
PHOOK_EXTENSION HookExt;
PIO_STACK_LOCATION irpStack;
PVOID inputBuffer;
PVOID outputBuffer;
ULONG inputBufferLength;
ULONG outputBufferLength;
ULONG ioControlCode;
DbgPrint(("-------------------Entry GUIDispatch\n"));
//假设成功完成Dispatch;
Irp->IoStatus.Status = STATUS_SUCCESS;
Irp->IoStatus.Information = 0;
//得到Irp的I/O栈指针;
irpStack = IoGetCurrentIrpStackLocation (Irp);
//得到输入输出缓冲区相关数据;
inputBuffer = Irp->AssociatedIrp.SystemBuffer;
inputBufferLength = irpStack->Parameters.DeviceIoControl.InputBufferLength;
outputBuffer = Irp->AssociatedIrp.SystemBuffer;
outputBufferLength = irpStack->Parameters.DeviceIoControl.OutputBufferLength;
//得到DeviceIoControl控制代码(自定义);
ioControlCode = irpStack->Parameters.DeviceIoControl.IoControlCode;
//得到设备扩展(一个自定义结构);
HookExt=DeviceObject->DeviceExtension;
//处理Dispatch函数;
switch (irpStack->MajorFunction)
{
case IRP_MJ_CREATE:
DbgPrint (("IRP_MJ_CREATE\n"));
break;
case IRP_MJ_CLOSE:
DbgPrint (("IRP_MJ_CLOSE\n"));
break;
case IRP_MJ_DEVICE_CONTROL:
DbgPrint (("IRP_MJ_DEVICE_CONTROL\n"));
//通过MDL(MemoryDescriptorList)得到输出缓冲区;
if( Irp->MdlAddress ) outputBuffer = MmGetSystemAddressForMdl( Irp->MdlAddress );
switch (ioControlCode)
{
case DEVICE_IO_CTL_HOOK:
DbgPrint (("DEVICE_IO_CTL_HOOK\n"));
HookDisk(DeviceObject->DriverObject);
break;
}
break;
default:
DbgPrint(("IRP_MJ_UNKNOWN\n"));
break;
}
//通知IO管理器,已经完成IO调用;
IoCompleteRequest( Irp, IO_NO_INCREMENT );
DbgPrint(("-------------------Quit GUIDispatch\n"));
return STATUS_SUCCESS;
}
//Irp Dispatch例程;
NTSTATUS
MyDispatch( IN PDEVICE_OBJECT DeviceObject, IN PIRP Irp )
{
PIO_STACK_LOCATION currentIrpStack = IoGetCurrentIrpStackLocation(Irp);
PIO_STACK_LOCATION nextIrpStack = IoGetNextIrpStackLocation(Irp);
PHOOK_EXTENSION HookExt = DeviceObject->DeviceExtension;
//如果是自己的调用
if( HookExt->DeviceType==DEVICE_TYPE_GUI) return GUIDispatch( DeviceObject, Irp );
//如果是文件系统HOOK
DbgPrint(("-------------------Entry HookDispatch\n"));
switch( currentIrpStack->MajorFunction )
{
case IRP_MJ_CREATE:
DbgPrint(("IRP_MJ_CREATE\n"));
break;
case IRP_MJ_READ:
DbgPrint(("IRP_MJ_READ\n"));
break;
case IRP_MJ_WRITE:
DbgPrint(("IRP_MJ_WRITE\n"));
break;
case IRP_MJ_CLOSE:
DbgPrint(("IRP_MJ_CLOSE\n"));
break;
case IRP_MJ_FLUSH_BUFFERS:
DbgPrint(("IRP_MJ_FLUSH_BUFFERS\n"));
break;
case IRP_MJ_QUERY_INFORMATION:
DbgPrint(("IRP_MJ_QUERY_INFORMATION\n"));
break;
case IRP_MJ_SET_INFORMATION:
DbgPrint(("IRP_MJ_SET_INFORMATION\n"));
break;
case IRP_MJ_QUERY_EA:
DbgPrint(("IRP_MJ_QUERY_EA\n"));
break;
case IRP_MJ_SET_EA:
DbgPrint(("IRP_MJ_SET_EA\n"));
break;
case IRP_MJ_QUERY_VOLUME_INFORMATION:
DbgPrint(("IRP_MJ_QUERY_VOLUME_INFORMATION\n"));
break;
case IRP_MJ_SET_VOLUME_INFORMATION:
DbgPrint(("IRP_MJ_SET_VOLUME_INFORMATION\n"));
break;
case IRP_MJ_DIRECTORY_CONTROL:
DbgPrint(("case IRP_MJ_DIRECTORY_CONTROL\n"));
break;
case IRP_MJ_FILE_SYSTEM_CONTROL:
DbgPrint(("IRP_MJ_FILE_SYSTEM_CONTROL\n"));
break;
case IRP_MJ_SHUTDOWN:
DbgPrint(("IRP_MJ_SHUTDOWN\n"));
break;
case IRP_MJ_LOCK_CONTROL:
DbgPrint(("IRP_MJ_LOCK_CONTROL\n"));
break;
case IRP_MJ_CLEANUP:
DbgPrint(("IRP_MJ_CLEANUP\n"));
break;
case IRP_MJ_DEVICE_CONTROL:
DbgPrint(("IRP_MJ_DEVICE_CONTROL\n"));
break;
case IRP_MJ_QUERY_SECURITY:
DbgPrint(("IRP_MJ_QUERY_SECURITY\n"));
break;
case IRP_MJ_SET_SECURITY:
DbgPrint(("IRP_MJ_SET_SECURITY\n"));
break;
case IRP_MJ_POWER:
DbgPrint(("IRP_MJ_POWER\n"));
break;
case IRP_MJ_PNP:
DbgPrint(("IRP_MJ_PNP\n"));
break;
default:
DbgPrint(("IRP_MJ_UNKOWN\n"));
break;
}
//不做处理,直接给FileSystem处理
//手动复制IrpStack
*nextIrpStack = *currentIrpStack;
//好象可以用IoCopyCurrentIrpStackLocationToNext代替
DbgPrint(("-------------------Quit HookDispatch\n"));
return IoCallDriver( HookExt->FileSystem, Irp );
}
//驱动程序入口;
NTSTATUS
DriverEntry(IN PDRIVER_OBJECT DriverObject,IN PUNICODE_STRING RegistryPath)
{
//可用变量定义;
NTSTATUS Status;
UNICODE_STRING NtDeviceName;
UNICODE_STRING Win32DeviceName;
ULONG i;
//初始化Unicode字符串, 创建设备对象;
RtlInitUnicodeString(&NtDeviceName,NT_DEVICE_NAME);
Status=IoCreateDevice( DriverObject,sizeof(HOOK_EXTENSION),&NtDeviceName,
FILE_DEVICE_DISK_FILE_SYSTEM,0,TRUE,&GUIDevice );
//其实无须用HOOK_EXTRNSION结构,可以用全局变量GUIDevice来标识GUI Device;
if (!NT_SUCCESS(Status))
{
DbgPrint(("IoCreateDevice faild\n"));
return Status;
}
//设置设备类型为:DEVICE_TYPE_GUI(应用程序接口设备)标识GUI Device;
((PHOOK_EXTENSION)GUIDevice->DeviceExtension)->DeviceType=DEVICE_TYPE_GUI;
//初始化Unicode字符串, 创建Win32符号连接,以便Win32程序能够访问;
RtlInitUnicodeString(&Win32DeviceName,DOS_DEVICE_NAME);
Status=IoCreateSymbolicLink(&Win32DeviceName,&NtDeviceName);
if (!NT_SUCCESS(Status))
{
DbgPrint (("IoCreateSymbolicLink faild\n"));
IoDeleteDevice( GUIDevice );
return Status;
}
//填写驱动程序Dispatch函数;
for( i = 0; i <= IRP_MJ_MAXIMUM_FUNCTION; i++ )
{
DriverObject->MajorFunction[i] = MyDispatch;
}
//为了调试(DriverMonitor),特殊处理Unload,以后只提供通过DeviceIoControl来实现。
DriverObject->DriverUnload =Unload;
//挂接快速IO;
DriverObject->FastIoDispatch = &FastIoHook;
DbgPrint (("DriverEntry Ok\n"));
return Status;
}
⌨️ 快捷键说明
复制代码
Ctrl + C
搜索代码
Ctrl + F
全屏模式
F11
切换主题
Ctrl + Shift + D
显示快捷键
?
增大字号
Ctrl + =
减小字号
Ctrl + -