📄 pgpwdnt.c
字号:
//----------------------------------------------------------------------
NTSTATUS PGPWDNTDispatch( IN PDEVICE_OBJECT DeviceObject, IN PIRP Irp )
{
//
// Determine if its a request from the GUI to us, or one that is
// directed at a file system driver that we've hooked
//
if ( GUIDevice != DeviceObject ) {
return( PGPWDNTHookRoutine( DeviceObject, Irp ));
} else {
return( PGPWDNTDeviceRoutine( DeviceObject, Irp ));
}
}
//----------------------------------------------------------------------
// D R I V E R - E N T R Y A N D H O O K R O U T I N E S
//----------------------------------------------------------------------
//----------------------------------------------------------------------
//
// HookDrive
//
// Hook the drive specified by determining which device object to
// attach to. The algorithm used here is similar to the one used
// internally by NT to determine which device object a file system request
// is directed at.
//
//----------------------------------------------------------------------
BOOLEAN HookDrive( IN USHORT Drive, IN PDRIVER_OBJECT DriverObject,
IN HANDLE VolumeHandle )
{
PDEVICE_OBJECT fileSysDevice;
PDEVICE_OBJECT hookDevice;
NTSTATUS ntStatus;
PFILE_OBJECT fileObject;
IO_STATUS_BLOCK ioStatus;
PHOOK_EXTENSION hookExtension;
UCHAR fsAttribInformation[256];
//
// Got the file handle, so now look-up the file-object it refers to
//
ntStatus = ObReferenceObjectByHandle( VolumeHandle, FILE_READ_DATA,
NULL, KernelMode, &fileObject, NULL );
if( !NT_SUCCESS( ntStatus )) {
DbgPrint(("PGPWDNT: Could not get fileobject from handle: %c\n", 'A'+Drive ));
return FALSE;
}
//
// Next, find out what device is associated with the file object by getting its related
// device object
//
fileSysDevice = IoGetRelatedDeviceObject( fileObject );
if ( ! fileSysDevice ) {
DbgPrint(("PGPWDNT: Could not get related device object: %c\n", 'A'+Drive ));
ObDereferenceObject( fileObject );
return FALSE;
}
//
// The file system's device hasn't been hooked already, so make a hooking device
// object that will be attached to it.
//
ntStatus = IoCreateDevice( DriverObject,
sizeof(HOOK_EXTENSION),
NULL,
fileSysDevice->DeviceType,
0,
FALSE,
&hookDevice );
if ( !NT_SUCCESS(ntStatus) ) {
DbgPrint(("PGPWDNT: failed to create associated device: %c\n", 'A'+Drive ));
ObDereferenceObject( fileObject );
return FALSE;
}
//
// Clear the device's init flag as per NT DDK KB article on creating device
// objects from a dispatch routine
//
hookDevice->Flags &= ~DO_DEVICE_INITIALIZING;
//
// Setup the device extensions. The drive letter and file system object are stored
// in the extension.
//
hookExtension = hookDevice->DeviceExtension;
hookExtension->LogicalDrive = 'A'+Drive;
hookExtension->FileSystem = fileSysDevice;
hookExtension->IsNTFS = FALSE;
hookExtension->IsAnsi = FALSE;
//
// Determine which file system this is. If this fails, assume its NOT NTFS
//
ntStatus = ZwQueryVolumeInformationFile( VolumeHandle, &ioStatus, fsAttribInformation,
sizeof(fsAttribInformation), FileFsAttributeInformation );
if( !NT_SUCCESS( ntStatus )) {
DbgPrint(("PGPWDNT: Could not get volume attributes: %x\n", ntStatus));
} else if( RtlCompareMemory( ((PFILE_FS_ATTRIBUTE_INFORMATION)fsAttribInformation)->FileSystemName, L"NTFS", 8 ) == 8) {
hookExtension->IsNTFS = TRUE;
DbgPrint((" => Its an NTFS volume\n"));
}
//
// Finally, attach to the device. The second we're successfully attached, we may
// start receiving IRPs targetted at the device we've hooked.
//
ntStatus = IoAttachDeviceByPointer( hookDevice, fileSysDevice );
if ( !NT_SUCCESS(ntStatus) ) {
//
// Couldn't attach for some reason
//
DbgPrint(("PGPWDNT: Connect with Filesystem failed: %c (%x) =>%x\n",
'A'+Drive, fileSysDevice, ntStatus ));
//
// Derefence the object and get out
//
ObDereferenceObject( fileObject );
return FALSE;
}
//
// Note which device this is
//
LDriveDevices[Drive] = hookDevice;
//
// Dereference the object
//
ObDereferenceObject( fileObject );
return TRUE;
}
//----------------------------------------------------------------------
//
// DriverEntry
//
// Installable driver initialization. Here we just set ourselves up.
//
//----------------------------------------------------------------------
NTSTATUS DriverEntry(IN PDRIVER_OBJECT DriverObject, IN PUNICODE_STRING RegistryPath )
{
NTSTATUS ntStatus;
WCHAR deviceNameBuffer[] = L"\\Device\\PGPWDNT";
UNICODE_STRING deviceNameUnicodeString;
WCHAR deviceLinkBuffer[] = L"\\DosDevices\\PGPWDNT";
UNICODE_STRING deviceLinkUnicodeString;
WCHAR volumeBuffer[] = L"\\DosDevices\\X:\\";
UNICODE_STRING volumeBufferUnicodeString;
USHORT drive;
HANDLE volumeHandle;
OBJECT_ATTRIBUTES objectAttributes;
IO_STATUS_BLOCK ioStatus;
BOOLEAN errorMode;
FILE_FS_DEVICE_INFORMATION fsDeviceInformation;
DbgPrint (("PGPWDNT.SYS: entering DriverEntry\n"));
//
// If not NT 4.0 Final Release, shorten the Fast I/O table so that PGPWDNT
// will work on the Betas and Release Candidates
//
if( *NtBuildNumber < NT4FINAL ) {
FastIOHook.SizeOfFastIoDispatch = (ULONG) &FastIOHook.FastIoQueryNetworkOpenInfo -
(ULONG) &FastIOHook;
}
//
// Setup the device name
//
RtlInitUnicodeString (&deviceNameUnicodeString,
deviceNameBuffer );
//
// Create the device used for GUI communications
//
ntStatus = IoCreateDevice ( DriverObject,
0,
&deviceNameUnicodeString,
FILE_DEVICE_WD,
0,
TRUE,
&GUIDevice );
//
// If successful, make a symbolic link that allows for the device
// object's access from Win32 programs
//
if (NT_SUCCESS(ntStatus)) {
//
// Create a symbolic link that the GUI can specify to gain access
// to this driver/device
//
RtlInitUnicodeString (&deviceLinkUnicodeString,
deviceLinkBuffer );
ntStatus = IoCreateSymbolicLink (&deviceLinkUnicodeString,
&deviceNameUnicodeString );
if (!NT_SUCCESS(ntStatus)) {
DbgPrint (("PGPWDNT.SYS: IoCreateSymbolicLink failed\n"));
// FIX
ntStatus = STATUS_SUCCESS;
}
//
// Create dispatch points for all routines that must be handled.
// All entry points are registered since we might filter a
// file system that processes all of them.
//
DriverObject->MajorFunction[IRP_MJ_READ] =
DriverObject->MajorFunction[IRP_MJ_CLOSE] =
DriverObject->MajorFunction[IRP_MJ_WRITE] =
DriverObject->MajorFunction[IRP_MJ_CREATE] =
DriverObject->MajorFunction[IRP_MJ_FLUSH_BUFFERS] =
DriverObject->MajorFunction[IRP_MJ_QUERY_INFORMATION] =
DriverObject->MajorFunction[IRP_MJ_SET_INFORMATION] =
DriverObject->MajorFunction[IRP_MJ_QUERY_EA] =
DriverObject->MajorFunction[IRP_MJ_SET_EA] =
DriverObject->MajorFunction[IRP_MJ_QUERY_VOLUME_INFORMATION] =
DriverObject->MajorFunction[IRP_MJ_SET_VOLUME_INFORMATION] =
DriverObject->MajorFunction[IRP_MJ_DIRECTORY_CONTROL] =
DriverObject->MajorFunction[IRP_MJ_FILE_SYSTEM_CONTROL] =
DriverObject->MajorFunction[IRP_MJ_QUERY_SECURITY] =
DriverObject->MajorFunction[IRP_MJ_SET_SECURITY] =
DriverObject->MajorFunction[IRP_MJ_SHUTDOWN] =
DriverObject->MajorFunction[IRP_MJ_LOCK_CONTROL] =
DriverObject->MajorFunction[IRP_MJ_CLEANUP] =
DriverObject->MajorFunction[IRP_MJ_DEVICE_CONTROL] = PGPWDNTDispatch;
//
// Set up the Fast I/O dispatch table
//
DriverObject->FastIoDispatch = &FastIOHook;
}
//
// If something went wrong, cleanup the device object and don't load
//
if (!NT_SUCCESS(ntStatus)) {
DbgPrint(("PGPWDNT: Failed to create our device!\n"));
if( GUIDevice ) {
IoDeleteDevice( GUIDevice );
}
return ntStatus;
}
//
// Disable hard errors so that we don't pop-up when touching removable media
//
errorMode = IoSetThreadHardErrorMode( FALSE );
//
// Need to check each drive to see if its a local hard disk
//
RtlInitUnicodeString (&volumeBufferUnicodeString,
volumeBuffer );
for(drive = 2; drive < 26; drive++ ) {
LDriveDevices[drive] = NULL;
volumeBufferUnicodeString.Buffer[12] = drive+'A';
InitializeObjectAttributes( &objectAttributes, &volumeBufferUnicodeString,
OBJ_CASE_INSENSITIVE, NULL, NULL );
ntStatus = ZwCreateFile( &volumeHandle, FILE_ANY_ACCESS,
&objectAttributes, &ioStatus, NULL, 0, FILE_SHARE_READ|FILE_SHARE_WRITE,
FILE_OPEN,
FILE_SYNCHRONOUS_IO_NONALERT|FILE_OPEN_FOR_BACKUP_INTENT|FILE_DIRECTORY_FILE,
NULL, 0 );
if( !NT_SUCCESS( ntStatus ) ) {
DbgPrint(("PGPWDNT: Could not open drive %c: %x\n", 'A'+drive, ntStatus ));
} else {
//
// Opened the volume. Now go and query it to see if its a local drive
//
ntStatus = ZwQueryVolumeInformationFile( volumeHandle, &ioStatus, &fsDeviceInformation,
sizeof(fsDeviceInformation), FileFsDeviceInformation );
if( NT_SUCCESS( ntStatus )) {
//
// Alright, see if its the correct type
//
if( fsDeviceInformation.DeviceType == FILE_DEVICE_DISK && !(fsDeviceInformation.Characteristics &
(FILE_REMOVABLE_MEDIA|FILE_READ_ONLY_DEVICE|FILE_FLOPPY_DISKETTE|FILE_WRITE_ONCE_MEDIA|
FILE_REMOTE_DEVICE|FILE_VIRTUAL_VOLUME))) {
DbgPrint(("Volume %C must be filtered\n", 'A'+drive ));
//
// It is, so hook it.
//
HookDrive( drive, DriverObject, volumeHandle );
}
ZwClose( volumeHandle );
}
}
}
//
// Save away system process
//
SystemProcess = PsGetCurrentProcess();
IoSetThreadHardErrorMode( errorMode );
return STATUS_SUCCESS;
}
/*__Editor_settings____
Local Variables:
tab-width: 4
End:
vi: ts=4 sw=4
vim: si
_____________________*/
⌨️ 快捷键说明
复制代码
Ctrl + C
搜索代码
Ctrl + F
全屏模式
F11
切换主题
Ctrl + Shift + D
显示快捷键
?
增大字号
Ctrl + =
减小字号
Ctrl + -