; wap32.asm - TASM (flat model, STDCALL) kernel-mode driver. Creates a control
; device \Device\WAP (link \DosDevices\WAP) and, from _DriverEntry@8 or on
; request (IOCTL), hooks IRP_MJ_CREATE of the file-system drivers behind drive
; letters A..Z so that every open is traced to the kernel debugger (HookCreate).
include IFSDDK.inc
locals
.586p
.model flat,STDCALL
.data
gGUIDriverObject dd 0 ;not referenced anywhere in this file
gGUIDeviceObject dd 0 ;control device created by _DriverEntry@8, deleted by Unload
;Per-drive-letter tables: slot i (0..25) belongs to letter 'A'+i
gDriverObject dd 26 dup(0) ;DRIVER_OBJECT owning the letter's device (filled by HookFileSystem)
gDeviceObject dd 26 dup(0) ;DEVICE_OBJECT resolved from \DosDevices\X:\ (filled by HookFileSystem)
gCreate dd 26 dup(0) ;original IRP_MJ_CREATE handler saved before hooking; 0 = slot not hooked
gUnload dd 26 dup(0) ;reserved; not referenced anywhere in this file
gObjectAttrib OBJECT_ATTRIB < size OBJECT_ATTRIB,0,OBJ_CASE_INSENSITIVE,0,0,0> ;shared (global) attributes; ObjectName is filled per call by GetDeviceObject
gDeviceName dw '\','D','e','v','i','c','e','\','W','A','P',0,0
gSymbolLink dw '\','D','o','s','D','e','v','i','c','e','s','\','W','A','P',0,0
gDiskSymbolLink dw '\','D','o','s','D','e','v','i','c','e','s','\','X',':','\',0,0 ;template: the 'X' is patched in place by GetDeviceObject
Msg00 db 'DriverName: %s ',0 ;DbgPrint formats used by HookCreate
Msg01 db 'LogDisk: %c:',0
Msg02 DB '%s',0ah,0,0
.code
;Device extension of the control device; only its size is used (passed to
;IoCreateDevice in _DriverEntry@8). Neither field is read or written in this file.
HOOK_EXT struc
heDeviceObject dd ?
heTargetObject dd ?
HOOK_EXT ends
extrn _RtlInitUnicodeString@8: proc
extrn _IoCreateDevice@28: proc
extrn _IoDeleteDevice@4: proc
extrn _IoCreateSymbolicLink@8: proc
extrn _IoDeleteSymbolicLink@4: proc
extrn _DbgPrint: proc
extrn _IoCompleteRequest@8: proc
extrn _ZwCreateFile@44: proc
extrn _ZwClose@4: proc
extrn _ObReferenceObjectByHandle@24: proc
extrn _ObDereferenceObject@4: proc
extrn _IoGetRelatedDeviceObject@4: proc
extrn _IoGetDeviceObjectPointer@16: proc
extrn _RtlUnicodeStringToAnsiString@12: proc
extrn _RtlFreeAnsiString@4: proc
public _DriverEntry@8
;-----------------------------------------------------------------------
; NTSTATUS DriverEntry(PDRIVER_OBJECT pDriverObject, PUNICODE_STRING pRegPath)
; Creates the control device \Device\WAP and its \DosDevices\WAP link, routes
; IRP_MJ_CREATE / IRP_MJ_CLOSE / IRP_MJ_DEVICE_CONTROL of that device to
; Dispatch, registers Unload, then hooks the file-system drivers
; (HookFileSystem).
; Returns STATUS_SUCCESS, or the failing IoCreateDevice / IoCreateSymbolicLink
; status (in the latter case the device is deleted again first).
; pRegPath is not used.
; NOTE(review): the device is created with Exclusive=FALSE and default
; security and is published under \DosDevices, so any local user can open it
; and reach the IOCTL handling in Dispatch; confirm that is intended.
;-----------------------------------------------------------------------
_DriverEntry@8 proc uses ebx esi edi,pDriverObject:dword,pRegPath:dword
local DeviceName: UNICODE_STRING
local SymbolLink: UNICODE_STRING
lea esi,DeviceName ;esi = &DeviceName for the rest of the routine
call _RtlInitUnicodeString@8,esi,OFF gDeviceName
mov ebx,pDriverObject
call _IoCreateDevice@28,ebx,size HOOK_EXT,esi,FILE_DEVICE_DISK_FILE_SYSTEM,0,FALSE,OFF gGUIDeviceObject
test eax,eax
jge short @@CreateDeviceOk ;NT_SUCCESS: status >= 0
ret ;eax = IoCreateDevice status
@@CreateDeviceOk:
lea edi,SymbolLink
call _RtlInitUnicodeString@8,edi,OFF gSymbolLink
call _IoCreateSymbolicLink@8,edi,esi
test eax,eax
jge short @@CreateSymbolLinkOk
mov ebx,eax ;keep the failure status across IoDeleteDevice
call _IoDeleteDevice@4,gGUIDeviceObject
mov eax,ebx
ret
@@CreateSymbolLinkOk:
;The three handled major functions share one dispatch routine
mov eax,OFF Dispatch
mov [ebx.doMajorFunction+IRP_MJ_CREATE*4],eax
mov [ebx.doMajorFunction+IRP_MJ_CLOSE*4],eax
mov [ebx.doMajorFunction+IRP_MJ_DEVICE_CONTROL*4],eax
mov [ebx.doDriverUnload],OFF Unload
call HookFileSystem ;install the IRP_MJ_CREATE hooks immediately
xor eax,eax ;STATUS_SUCCESS
ret
_DriverEntry@8 endp
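;-----------------------------------------------------------------------
; NTSTATUS Dispatch(PDEVICE_OBJECT pDeviceObject, PIRP pIrp)
; Dispatch routine for IRP_MJ_CREATE / IRP_MJ_CLOSE / IRP_MJ_DEVICE_CONTROL
; of the control device (installed by _DriverEntry@8). Every IRP is completed
; here. CREATE/CLOSE complete with STATUS_SUCCESS. DEVICE_CONTROL requires an
; input and an output buffer of at least 1000h bytes each and a non-NULL
; SystemBuffer; control code 81230000h re-runs HookFileSystem, every other
; code (including the not-yet-implemented 81230004h/81230008h/8123000ch) and
; every rejected request completes with STATUS_INVALID_PARAMETER.
; The status stored in pIrp->IoStatus.Status is also the return value, so the
; two cannot disagree.
; Changes vs. the previous revision: IoStatus is filled in before
; IoCompleteRequest and the status is returned instead of being replaced by 0;
; the SystemBuffer test rejects NULL (the old "jg" let NULL through); the
; unimplemented codes fail cleanly instead of executing "int 3", which any
; holder of a handle to \DosDevices\WAP could trigger from user mode (a
; breakpoint with no debugger attached takes the system down); the scratch
; value HookFileSystem leaves in eax is no longer reported as the status.
; Regs: ebx=pIrp  esi=current IO_STACK_LOCATION  edi=SystemBuffer, then the
; status saved across IoCompleteRequest  ecx=scratch
;-----------------------------------------------------------------------
Dispatch proc uses ebx esi edi,pDeviceObject:dword,pIrp:dword
mov ebx,pIrp
xor eax,eax ;STATUS_SUCCESS for CREATE/CLOSE (and for an unexpected device object)
mov ecx,pDeviceObject
cmp ecx,gGUIDeviceObject
jnz short @@CompleteIrp
;Current stack location: IoGetCurrentIrpStackLocation()
mov esi,[ebx+60h]
movzx ecx,[esi.ioslMajorFunction]
cmp ecx,IRP_MJ_DEVICE_CONTROL
jnz short @@CompleteIrp
;From here on the request originates in user mode: validate before acting.
;eax stays STATUS_INVALID_PARAMETER on every rejection path below.
mov eax,STATUS_INVALID_PARAMETER
mov ecx,[esi.ioslInputBufferLength]
cmp ecx,1000h
jb short @@CompleteIrp
mov ecx,[esi.ioslOutputBufferLength]
cmp ecx,1000h
jb short @@CompleteIrp
mov edi,[ebx+0ch] ;pIrp->AssociatedIrp.SystemBuffer (METHOD_BUFFERED codes)
test edi,edi
jz short @@CompleteIrp ;no buffer -> reject
mov ecx,[esi.ioslIoControlCode]
cmp ecx,81230000h ;hook the file systems (again)
jnz short @@CompleteIrp ;81230004h/81230008h/8123000ch not implemented; unknown codes -> STATUS_INVALID_PARAMETER
call HookFileSystem
xor eax,eax ;STATUS_SUCCESS (HookFileSystem leaves loop scratch in eax)
@@CompleteIrp:
mov [ebx+18h],eax ;pIrp->IoStatus.Status (x86 IRP layout, as 60h/0ch above)
mov dword ptr [ebx+1ch],0 ;pIrp->IoStatus.Information: nothing returned
mov edi,eax ;IoCompleteRequest clobbers eax; keep the status
call _IoCompleteRequest@8,ebx,IO_NO_INCREMENT
mov eax,edi
ret
Dispatch endp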
;-----------------------------------------------------------------------
; VOID Unload(PDRIVER_OBJECT pDriverObject)
; Driver unload: writes back every IRP_MJ_CREATE entry HookFileSystem
; replaced, then removes the \DosDevices\WAP link and the control device.
; Slot i (0..25) of gDriverObject / gCreate belongs to letter 'A'+i; slots
; with no driver or no saved handler are skipped. pDriverObject is not used.
; NOTE(review): the saved pointer is written back unconditionally, so a hook
; another component installed on top of ours afterwards would be removed too;
; nothing here waits for threads currently executing HookCreate - confirm
; how unload is synchronised with in-flight IRP_MJ_CREATE requests.
;-----------------------------------------------------------------------
Unload proc uses ebx esi edi,pDriverObject:dword
local SymbolLink: UNICODE_STRING
;Undo the hooks: edi=&gDriverObject[0] ecx=slots left edx=slot index
mov edi,OFF gDriverObject
mov ecx,26
xor edx,edx
@@RepRestore:
mov ebx,[edi+edx*4] ;ebx = gDriverObject[edx]; 0 = no driver recorded for this letter
or ebx,ebx
jz short @@RestoreNext
mov eax,[edx*4+OFF gCreate] ;original IRP_MJ_CREATE handler; 0 = never hooked
or eax,eax
jz short @@RestoreNext
mov [ebx.doMajorFunction+IRP_MJ_CREATE*4],eax
@@RestoreNext:
inc edx
loop short @@RepRestore
;Tear down the user-visible name and the control device
lea edi,SymbolLink
call _RtlInitUnicodeString@8,edi,OFF gSymbolLink
call _IoDeleteSymbolicLink@4,edi
call _IoDeleteDevice@4,gGUIDeviceObject
ret
Unload endp
;-----------------------------------------------------------------------
; VOID HookFileSystem(VOID)
; For each drive letter A..Z: resolves \DosDevices\X:\ to its device object
; (GetDeviceObject), records the device and its driver in slot X-'A' of
; gDeviceObject / gDriverObject, saves the driver's IRP_MJ_CREATE entry in
; gCreate and points the entry at HookCreate. A slot whose entry already is
; HookCreate is left alone, so a driver serving several letters keeps one
; saved handler, in its lowest slot. Called from _DriverEntry@8 and from
; IOCTL 81230000h (Dispatch).
; Clobbers: eax ecx edx (ebx esi edi saved by "uses").
; NOTE(review): the stored device pointers carry no object reference (see
; GetDeviceObject) and the tables are rewritten on every call without any
; lock; two concurrent IOCTLs would race here - confirm that is acceptable.
;-----------------------------------------------------------------------
HookFileSystem proc uses ebx esi edi
mov ecx,26 ;ecx = letters left (consumed by loop)
xor edi,edi ;edi = slot index, 0 = 'A'
@@RepHookXXX:
mov esi,ecx ;GetDeviceObject clobbers ecx: keep the counter in esi
mov edx,edi
call GetDeviceObject
mov ecx,esi
test eax,eax
jz short @@NoFindDriver ;no device behind this letter
;Record the DEVICE_OBJECT for this letter
mov [edi*4+OFF gDeviceObject],eax
;...and the DRIVER_OBJECT that owns it
mov ebx,[eax.doDriverObject]
mov [edi*4+OFF gDriverObject],ebx
;Hook IRP_MJ_CREATE
@@HookCreate:
mov eax,[ebx.doMajorFunction+IRP_MJ_CREATE*4]
;Already hooked (same driver reached through another letter)? keep gCreate as it is
cmp eax,OFF HookCreate
jz short @@NoFindDriver
mov [edi*4+OFF gCreate],eax ;save the original first, then install the hook
mov [ebx.doMajorFunction+IRP_MJ_CREATE*4],OFF HookCreate
@@NoFindDriver:
inc edi
loop short @@RepHookXXX
ret
HookFileSystem endp
;-----------------------------------------------------------------------
; PDEVICE_OBJECT GetDeviceObject(edx = drive index 0..25)
; Opens the directory \DosDevices\<'A'+edx>:\ and returns in eax the device
; object behind it (IoGetRelatedDeviceObject of the opened FILE_OBJECT), or
; 0 when the open, the handle-to-object step or the lookup fails. The file
; object is dereferenced and the handle closed before returning on all paths.
; Clobbers: eax ecx edx (ebx esi edi saved by "uses").
; NOTE(review): the name is built by patching the global gDiskSymbolLink and
; the global gObjectAttrib in place, so this routine is not reentrant.
; NOTE(review): the returned pointer carries no reference of its own; callers
; that cache it (HookFileSystem) hold a bare pointer - confirm that is intended.
; NOTE(review): gObjectAttrib holds OBJ_CASE_INSENSITIVE only; when this runs
; on the IOCTL path the handle is created in the requesting process's context
; unless a kernel-handle attribute is added - confirm for the target OS.
;-----------------------------------------------------------------------
GetDeviceObject proc uses ebx esi edi
local SymbolLink: UNICODE_STRING
local hFile: dword
local IoStatus: IO_STATUS_BLOCK
local pFileObject: dword
;Build the object name: overwrite the 'X' (WCHAR index 12) of \DosDevices\X:\
lea esi,gDiskSymbolLink
add edx,'A'
mov [esi+12*2],dl ;low byte of the WCHAR; its high byte is already 0
lea edi,SymbolLink
call _RtlInitUnicodeString@8,edi,esi
;Point the (global) OBJECT_ATTRIBUTES at the name
lea esi,gObjectAttrib
mov [esi.oaObjectName],edi
;Open the volume root directory (edi = &hFile, ebx = &IoStatus)
lea edi,hFile
lea ebx,IoStatus
call _ZwCreateFile@44,edi,SYNCHRONIZE or FILE_ANY_ACCESS,esi,ebx,0,0,FILE_SHARE_READ or FILE_SHARE_WRITE,FILE_OPEN,FILE_SYNCHRONOUS_IO_NONALERT or FILE_DIRECTORY_FILE,0,0
test eax,eax
jnl short @@OpenFileOk ;NT_SUCCESS: status >= 0
xor eax,eax
jmp short @@FailExit
@@OpenFileOk:
;Handle -> FILE_OBJECT pointer (ObjectType 0 = any, AccessMode 0 = KernelMode)
lea esi,pFileObject
call _ObReferenceObjectByHandle@24,dword ptr[edi],FILE_READ_DATA,0,0,esi,0
test eax,eax
jnl short @@ReferenceObjectOk
call _ZwClose@4,dword ptr[edi] ;do not leak the handle on failure
xor eax,eax
jmp short @@FailExit
@@ReferenceObjectOk:
;FILE_OBJECT -> device object, then drop the reference and the handle
call _IoGetRelatedDeviceObject@4,dword ptr [esi]
mov ebx,eax ;keep the result across the two cleanup calls
call _ObDereferenceObject@4,dword ptr[esi]
call _ZwClose@4,dword ptr[edi]
test ebx,ebx
jnz short @@GetRelatedDeviceOk
xor eax,eax
jmp short @@FailExit
@@GetRelatedDeviceOk:
mov eax,ebx
@@FailExit:
ret
GetDeviceObject endp
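;-----------------------------------------------------------------------
; NTSTATUS HookCreate(PDEVICE_OBJECT pDeviceObject, PIRP pIrp)
; Replacement IRP_MJ_CREATE entry that HookFileSystem installs in the hooked
; file-system drivers. Traces the driver name, the drive letter (slot of
; pDeviceObject in gDeviceObject, '?' when absent) and the name of the file
; being opened via DbgPrint, then forwards the IRP to the original handler
; saved in gCreate for this driver's slot and returns that handler's status.
; _DbgPrint is cdecl (caller cleans the stack), hence the RegEsp save/restore.
; Changes vs. the previous revision: the RtlUnicodeStringToAnsiString status
; is checked before its buffer is printed or freed (it allocates and can
; fail); the FILE_OBJECT NULL test is applied to the pointer itself - the old
; test ran after "lea esi,[esi.foFileName]" and so could never see zero; when
; no saved original handler exists for the driver, the IRP is completed with
; STATUS_INVALID_PARAMETER instead of executing "int 3" and then calling
; through gCreate[26], which lies outside the 26-entry table.
; Regs: esi=source UNICODE_STRING / FILE_OBJECT  edi=&ANSI_STRING local
;       edx=DbgPrint argument / slot index  ebx=pIrp on the failure path
;-----------------------------------------------------------------------
HookCreate proc uses ebx esi edi,pDeviceObject:dword,pIrp:dword
local DriverName: ANSI_STRING
local FileName: ANSI_STRING
local RegEsp: dword
;-- driver name ----------------------------------------------------------
mov esi,pDeviceObject
mov esi,[esi.doDriverObject]
lea esi,[esi.doDriverName]
lea edi,DriverName
call _RtlUnicodeStringToAnsiString@12,edi,esi,TRUE
test eax,eax
jl short @@NoDriverName ;conversion failed: nothing to print, nothing to free
mov edx,[edi.asBuffer]
mov RegEsp,esp
call _DbgPrint,OFF Msg00,edx
mov esp,RegEsp
call _RtlFreeAnsiString@4,edi
@@NoDriverName:
;-- drive letter ---------------------------------------------------------
call FindObject,pDeviceObject,OFF gDeviceObject
or eax,eax
jz short @@NoIsLogDisk
add edx,'A' ;edx = slot index -> letter
jmp short @@IsLogDisk
@@NoIsLogDisk:
mov edx,'?'
@@IsLogDisk:
mov RegEsp,esp
call _DbgPrint,OFF Msg01,edx
mov esp,RegEsp
;-- file name ------------------------------------------------------------
mov esi,pIrp
mov esi,[esi+60h] ;IoGetCurrentIrpStackLocation()
mov esi,[esi.ioslFileObject]
test esi,esi ;NULL FILE_OBJECT: nothing to print
jz short @@ExitDbg
lea esi,[esi.foFileName]
lea edi,FileName
call _RtlUnicodeStringToAnsiString@12,edi,esi,TRUE
test eax,eax
jl short @@ExitDbg ;conversion failed: skip the trace
mov edx,[edi.asBuffer]
mov RegEsp,esp
call _DbgPrint,OFF Msg02,edx
mov esp,RegEsp
call _RtlFreeAnsiString@4,edi
@@ExitDbg:
;-- forward to the original IRP_MJ_CREATE handler -------------------------
mov eax,pDeviceObject
mov eax,[eax.doDriverObject]
call FindObject,eax,OFF gDriverObject
test eax,eax
jz short @@NoOriginal ;driver not in gDriverObject
cmp dword ptr [edx*4+OFF gCreate],0 ;defensive: slot holds a driver but no saved handler
jz short @@NoOriginal
call [edx*4+OFF gCreate],pDeviceObject,pIrp
ret
@@NoOriginal:
;No handler to chain to: fail this open instead of taking the system down
mov ebx,pIrp
mov eax,STATUS_INVALID_PARAMETER
mov [ebx+18h],eax ;pIrp->IoStatus.Status (x86 IRP layout, as 60h above)
mov dword ptr [ebx+1ch],0 ;pIrp->IoStatus.Information
call _IoCompleteRequest@8,ebx,IO_NO_INCREMENT
mov eax,STATUS_INVALID_PARAMETER
ret
HookCreate endp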
;-----------------------------------------------------------------------
; FindObject(pObject, pObjectList) - linear search of a 26-slot pointer table
; In:  pObject = pointer to look for; pObjectList = &table[0] (26 dwords)
; Out: eax = pObject when found (non-zero, used as "true"), 0 when not found
;      edx = slot index of the first match, 26 when not found
; Clobbers: ecx, flags. ebx and edi are preserved.
; Walks the table with repne scasd: edi runs over the slots, ecx counts down.
;-----------------------------------------------------------------------
FindObject proc uses edi,pObject:dword,pObjectList:dword
mov eax,pObject
mov edi,pObjectList
mov ecx,26
cld ;scasd must walk upwards
repne scasd ;stops at the first slot equal to eax, or after the 26th slot
jne short @@NotFound ;ZF of the last compare decides
;Hit: edi points one slot past the match
lea edx,[edi-4]
sub edx,pObjectList
shr edx,2 ;byte offset -> slot index
ret
@@NotFound:
mov edx,edi ;edi = &table[26]
sub edx,pObjectList
shr edx,2 ;= 26, one past the last slot
xor eax,eax
ret
FindObject endp
end _DriverEntry@8