

文件过滤驱动是否能在系统启动的时候创建读写自己的日志文件?百分相送,需要完整的例子。

文件过滤驱动能否在系统启动阶段就创建并读写自己的日志文件?例如拦截 IRP_MJ_CREATE:系统启动过程中打开 KERNEL32.dll 时,请求进入我的 MyCreate(IRP_MJ_CREATE 分发例程),我在这里把文件名写入日志,结果立即蓝屏并自动 reboot。有谁知道原因?该怎么解决?[b]百分相送,需要完整的例子。[/b][email]filter@redsec.org[/email]

注释:系统启动完成(桌面显示出来)之后,读写日志文件的操作一切正常;读写操作用 ZwCreateFile、ZwWriteFile、ZwReadFile 完成。
驱动的启动类型为 Start=0(SERVICE_BOOT_START,引导启动),即 DriverEntry 在系统启动的极早期运行。
=========================
// One queued log record: a fixed-size, zero-padded path buffer plus the list
// link used to chain records onto g_FileListHead. Allocated from NonPagedPool
// by the IRP_MJ_CREATE dispatch code and freed by FileListThread once written.
typedef struct _FILELIST { 
TCHAR szFullPathName[PATH_LEN + 1];   // at most PATH_LEN chars are copied in; the last slot stays 0
LIST_ENTRY FileListNext;              // queue link; CONTAINING_RECORD recovers the node from it
}FILELIST, *PFILELIST; 

// State shared between the IRP_MJ_CREATE dispatch path (producer) and
// FileListThread (consumer).
typedef struct _GLOBALS_FILELIST_INFO { 
HANDLE g_FileListHandle;        // log file handle opened by FileListOpenFile; closed by the worker on stop
PVOID g_ThreadObject;           // worker thread object referenced in DriverEntry
BOOLEAN g_ThreadShouldStop;     // TRUE asks the worker to close the log and exit.
                                // NOTE(review): plain BOOLEAN written by one thread and
                                // read by another with no synchronization around it.
KEVENT g_FileListEvent;         // SynchronizationEvent: signalled when a record is queued or stop is requested
LIST_ENTRY g_FileListHead;      // FIFO of FILELIST records
KSPIN_LOCK g_FileListSpinLock;  // guards g_FileListHead (used via ExInterlocked*List)
}GLOBALS_FILELIST_INFO, *PGLOBALS_FILELIST_INFO; 

// The single logger instance for this driver (zero-initialized static storage,
// so g_FileListHandle starts out NULL).
static GLOBALS_FILELIST_INFO g_FileList_Info; 


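/*
 * Consumer side of the log queue.
 *
 * Waits on g_FileListEvent, drains g_FileListHead and appends every record
 * (PATH_LEN TCHARs, zero padded, fixed size) to the log file. Context is the
 * PGLOBALS_FILELIST_INFO handed to PsCreateSystemThread. When
 * g_ThreadShouldStop is observed after a drain, the log handle is closed and
 * the thread terminates itself.
 *
 * Changes from the original: never writes through a NULL handle (the open in
 * FileListOpenFile may have failed, e.g. at boot), frees queued nodes even
 * when they cannot be written, checks the ZwWriteFile status, and clears the
 * handle after closing it so no stale handle value remains in the globals.
 */
VOID 
FileListThread (IN PVOID Context) 
{ 
    PGLOBALS_FILELIST_INFO pInfo = (PGLOBALS_FILELIST_INFO)Context; 
    const ULONG cbRecord = PATH_LEN * sizeof(TCHAR);   /* one fixed-size record */
    PLIST_ENTRY pEntry = NULL; 
    PFILELIST pNode = NULL; 
    IO_STATUS_BLOCK iosb; 
    NTSTATUS status; 

    KeSetPriorityThread(KeGetCurrentThread(), LOW_REALTIME_PRIORITY); 

    for (;;) 
    { 
        KeWaitForSingleObject(&pInfo->g_FileListEvent, Executive, KernelMode, FALSE, NULL); 

        /* Drain everything queued so far. Nodes are always freed, so an
         * unavailable log file does not leak the queue. */
        while ((pEntry = ExInterlockedRemoveHeadList(&pInfo->g_FileListHead, 
                                                     &pInfo->g_FileListSpinLock)) != NULL) 
        { 
            pNode = CONTAINING_RECORD(pEntry, FILELIST, FileListNext); 

            /* FileListOpenFile may have failed (typical for a boot-start
             * driver whose log volume is not reachable yet); do not issue
             * ZwWriteFile against a NULL handle. */
            if (pInfo->g_FileListHandle != NULL) 
            { 
                status = ZwWriteFile(pInfo->g_FileListHandle, NULL, NULL, NULL, &iosb, 
                                     pNode->szFullPathName, cbRecord, NULL, NULL); 
                if (!NT_SUCCESS(status)) 
                { 
                    /* Best-effort logging: this record is dropped. The handle
                     * is kept open so later records are still attempted. */
                } 
            } 

            ExFreePool(pNode); 
        } 

        if (pInfo->g_ThreadShouldStop) 
        { 
            if (pInfo->g_FileListHandle != NULL) 
            { 
                ZwClose(pInfo->g_FileListHandle); 
                pInfo->g_FileListHandle = NULL;   /* leave no stale handle behind */
            } 
            PsTerminateSystemThread(STATUS_SUCCESS); 
        } 
    } 
} 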


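#ifndef OBJ_KERNEL_HANDLE
#define OBJ_KERNEL_HANDLE 0x00000200L   /* value from ntdef.h, for older DDK headers */
#endif

/*
 * Open (create or truncate) the log file named by wFileName and store the
 * handle in g_FileList_Info.g_FileListHandle.
 *
 * wFileName: NT-style path, NUL-terminated (e.g. "\??\C:\FileList.lst").
 * Returns the ZwCreateFile status. On failure g_FileListHandle is set to
 * NULL so the worker thread can tell that the log is unavailable; the caller
 * must check the status rather than assume the log is open.
 *
 * Security-relevant choices:
 *  - OBJ_KERNEL_HANDLE keeps the handle out of any process handle table, so
 *    user-mode code cannot reach or close it; only the worker thread uses it.
 *  - Only FILE_SHARE_READ is granted. The original also allowed
 *    FILE_SHARE_WRITE, which lets another opener alter or truncate the log.
 *  - GENERIC_WRITE maps to FILE_GENERIC_WRITE, which includes SYNCHRONIZE,
 *    as required for FILE_SYNCHRONOUS_IO_NONALERT.
 */
NTSTATUS FileListOpenFile(WCHAR *wFileName) 
{ 
    UNICODE_STRING path; 
    OBJECT_ATTRIBUTES oa; 
    IO_STATUS_BLOCK iosb; 
    HANDLE hFile = NULL; 
    NTSTATUS status; 

    RtlInitUnicodeString(&path, wFileName); 

    InitializeObjectAttributes(&oa, 
                               &path, 
                               OBJ_CASE_INSENSITIVE | OBJ_KERNEL_HANDLE, 
                               NULL, 
                               NULL); 

    status = ZwCreateFile(&hFile, 
                          GENERIC_READ | GENERIC_WRITE, 
                          &oa, 
                          &iosb, 
                          NULL,                         /* AllocationSize (PLARGE_INTEGER) */
                          FILE_ATTRIBUTE_NORMAL, 
                          FILE_SHARE_READ, 
                          FILE_OVERWRITE_IF, 
                          FILE_SYNCHRONOUS_IO_NONALERT, 
                          NULL, 
                          0); 

    if (!NT_SUCCESS(status)) 
    { 
        /* Expected at boot start when the target volume / \?? links are not
         * available yet. Record the absence explicitly. */
        hFile = NULL; 
    } 

    g_FileList_Info.g_FileListHandle = hFile; 
    return status; 
} 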

NTSTATUS 
DriverEntry( 
IN PDRIVER_OBJECT DriverObject, 
IN PUNICODE_STRING RegistryPath 
) 
{ 
// Initialization shown in this excerpt: open the log file, set up the
// queue/lock/event, then start the worker thread that drains the queue.
// ntStatus, thread_handle and wFileName are declared in the elided part.
............. 


// NOTE(review): a failed open is silently ignored. Nothing here stops the
// worker thread, which will call ZwWriteFile with whatever g_FileListHandle
// holds. For a Start=0 (boot-start) driver the log path may simply not be
// reachable yet at this point.
ntStatus = FileListOpenFile(wFileName); 
if (!NT_SUCCESS(ntStatus)){ 
//DbgPrint("Cannot Open FileList.lst\n"); 
} 

// The lock, event and list head are initialized before the worker thread
// exists, so the thread can never observe them uninitialized.
KeInitializeSpinLock(&g_FileList_Info.g_FileListSpinLock); 
KeInitializeEvent( 
&g_FileList_Info.g_FileListEvent, 
SynchronizationEvent,   // auto-reset: one wake-up per KeSetEvent
FALSE ); 
InitializeListHead(&g_FileList_Info.g_FileListHead); 

g_FileList_Info.g_ThreadShouldStop = FALSE; 

// Worker thread; it receives &g_FileList_Info as its Context.
ntStatus = PsCreateSystemThread( 
&thread_handle, 
(ACCESS_MASK) 0L, 
NULL, 
NULL, 
NULL, 
FileListThread, 
&g_FileList_Info ); 
if (!NT_SUCCESS(ntStatus)){ 
//DbgPrint("FileMon: Create System Thread Failed\n"); 
// NOTE(review): execution continues and thread_handle is used below even
// though it was never assigned; this path should return the failure.
} 

// Keep a referenced thread object in g_ThreadObject -- presumably for a
// later wait on the thread (e.g. in unload), which is not shown here.
ntStatus = ObReferenceObjectByHandle( 
thread_handle, 
THREAD_ALL_ACCESS, 
NULL, 
KernelMode, 
&g_FileList_Info.g_ThreadObject, 
NULL ); 
if (!NT_SUCCESS(ntStatus)) 
{ 
// NOTE(review): thread_handle is closed here AND again unconditionally
// after this block -- a double ZwClose. Remove this one and keep the
// unconditional close below.
ZwClose(thread_handle); 
g_FileList_Info.g_ThreadShouldStop = TRUE; 

// Wake the worker so it closes the log and terminates.
KeSetEvent( 
&g_FileList_Info.g_FileListEvent, 
(KPRIORITY) 0, 
FALSE); 
} 

ZwClose(thread_handle); 
// NOTE(review): no return statement is visible in this excerpt. A non-void
// function falling off its end hands an indeterminate NTSTATUS to the I/O
// manager; it should end with `return ntStatus;` (or STATUS_SUCCESS).
} 

在 IRP_MJ_CREATE 的分发例程(上文提到的 MyCreate)里加入下面代码:

// Producer side, run from the IRP_MJ_CREATE dispatch routine: copy the path
// of the file being opened into a new FILELIST node, queue it, and wake
// FileListThread. No file I/O happens on this path; the write is deferred to
// the worker thread. IsTerminateThread, pFileListNode and fullPathName are
// declared outside this excerpt.
if( IsTerminateThread == FALSE ) 
{ 
pFileListNode = (PFILELIST)ExAllocatePool(NonPagedPool, sizeof(FILELIST)); 
if( pFileListNode != NULL ) 
{ 
// Zero the whole buffer first so the PATH_LEN-char copy below always leaves
// the final slot as a terminator.
memset(pFileListNode->szFullPathName, 0, sizeof(pFileListNode->szFullPathName)); 

// fullPathName is the full path obtained in IRP_MJ_CREATE.
// NOTE(review): assumes fullPathName is NUL-terminated or readable for at
// least PATH_LEN TCHARs -- confirm against the code that builds it.
_tcsncpy(pFileListNode->szFullPathName, fullPathName, PATH_LEN); 

ExInterlockedInsertTailList( 
&g_FileList_Info.g_FileListHead, 
&pFileListNode->FileListNext, 
&g_FileList_Info.g_FileListSpinLock ); 

KeSetEvent( 
&g_FileList_Info.g_FileListEvent, 
(KPRIORITY) 0, 
FALSE); 
} 
else 
{ 
// NOTE(review): a single pool-allocation failure shuts the logger down for
// good: the worker closes the log and exits, but IsTerminateThread is not
// set here, so every later IRP_MJ_CREATE keeps allocating and queueing
// nodes that nobody drains or frees (NonPagedPool leak). Either set
// IsTerminateThread here too, or just drop this one record and carry on.
g_FileList_Info.g_ThreadShouldStop = TRUE; 

KeSetEvent( 
&g_FileList_Info.g_FileListEvent, 
(KPRIORITY) 0, 
FALSE); 
} 
}
