fileinfo.c

一文件过滤与加密,系统监视以及控制的东东,自己看

/******************************************************************/
/*                                                                */
/*  Winpooch : Windows Watchdog                                   */
/*  Copyright (C) 2004-2006  Benoit Blanchon                      */
/*                                                                */
/*  This program is free software; you can redistribute it        */
/*  and/or modify it under the terms of the GNU General Public    */
/*  License as published by the Free Software Foundation; either  */
/*  version 2 of the License, or (at your option) any later       */
/*  version.                                                      */
/*                                                                */
/*  This program is distributed in the hope that it will be       */
/*  useful, but WITHOUT ANY WARRANTY; without even the implied    */
/*  warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR       */
/*  PURPOSE.  See the GNU General Public License for more         */
/*  details.                                                      */
/*                                                                */
/*  You should have received a copy of the GNU General Public     */
/*  License along with this program; if not, write to the Free    */
/*  Software Foundation, Inc.,                                    */
/*  675 Mass Ave, Cambridge, MA 02139, USA.                       */
/*                                                                */
/******************************************************************/


/******************************************************************/
/* Build configuration                                            */
/******************************************************************/

#define	TRACE_LEVEL	1 // error level
#define APPEND_TERMINAL_NULL	0

/******************************************************************/
/* Includes                                                       */
/******************************************************************/

// module's interface
#include "FileInfo.h"

// ddk's header
#include <ddk/ntapi.h>

// project's headers
#include "Hooks.h"
#include "Malloc.h"
#include "NtUndoc.h"
#include "ProcInfo.h"
#include "SystInfo.h"
#include "Trace.h"
#include "WatchedObjects.h"


/******************************************************************/
/* Internal functions                                             */
/******************************************************************/

BOOL _FileInfo_CheckPrefix (UNICODE_STRING * pusPath, LPCWSTR wszPrefix) ;


/******************************************************************/
/* Exported function                                              */
/******************************************************************/

NTSTATUS FileInfo_NtPathToDosPath (HANDLE		hProcess,
				   HANDLE		hDirectory,
				   PUNICODE_STRING	pusNtPath,
				   PUNICODE_STRING	pusDosPath) 
{
  ASSERT (pusDosPath!=NULL) ;
  ASSERT (pusDosPath->Buffer!=NULL) ;

  if( pusNtPath==NULL || pusNtPath->Buffer==NULL )
    {
      TRACE_WARNING (TEXT("NT Path is NULL\n")) ;
      pusDosPath->Buffer[0] = 0 ;
      pusDosPath->Length = 0 ;
      return STATUS_OBJECT_PATH_INVALID ;
    }

  TRACE_INFO (TEXT("pusNtPath->Length = %d\n"), pusNtPath->Length) ;
  TRACE_INFO (TEXT("pusNtPath->MaximumLength = %d\n"), pusNtPath->MaximumLength) ;
  TRACE_INFO (TEXT("pusNtPath->Buffer = %ls\n"), pusNtPath->Buffer) ;
  
  if( _FileInfo_CheckPrefix(pusNtPath,L"\\??\\") ) 
    {
      if( pusNtPath->Buffer[5]==L':' ) 
	{
	  UNICODE_STRING	usTemp ;
	  
	  usTemp.Length		= pusNtPath->Length-4*sizeof(WCHAR) ;
	  usTemp.MaximumLength	= pusNtPath->MaximumLength-4*sizeof(WCHAR) ;
	  usTemp.Buffer		= pusNtPath->Buffer+4 ;
	  
	  //TRACE_INFO (TEXT("Removing prefix \\??\\ on absolute path\n")) ;
	  
	  RtlCopyUnicodeString (pusDosPath, &usTemp) ;
#if APPEND_TERMINAL_NULL
	  pusDosPath->Buffer[pusDosPath->Length/2] = 0 ;
#endif
	}
      else
	{
	  RtlCopyUnicodeString (pusDosPath, pusNtPath) ;
#if APPEND_TERMINAL_NULL
	  pusDosPath->Buffer[pusDosPath->Length/2] = 0 ;
#endif
	}

      return STATUS_SUCCESS ;
    }


  if( _FileInfo_CheckPrefix(pusNtPath,L"\\SystemRoot\\") ) 
    {
      UNICODE_STRING	usTemp ;
     
      //TRACE_INFO (TEXT("Changing prefix \\SystemRoot\n")) ;
      
      if( hProcess && STATUS_SUCCESS==ProcInfo_GetSystemRoot(hProcess, pusDosPath) )
	{

	}
      else if( STATUS_SUCCESS==SystInfo_GetSystemRoot(pusDosPath) )
	{

	}
      else 
	{
	  TRACE_WARNING (TEXT("SystInfo_GetSystemRoot failed\n")) ;
	  RtlInitUnicodeString (&usTemp, L"%systemroot%") ;
	  RtlCopyUnicodeString (pusDosPath, &usTemp) ;
	} 

      usTemp.Length		= pusNtPath->Length-11*sizeof(WCHAR) ;
      usTemp.MaximumLength	= pusNtPath->MaximumLength-11*sizeof(WCHAR) ;
      usTemp.Buffer		= pusNtPath->Buffer+11 ;

      RtlAppendUnicodeStringToString (pusDosPath, &usTemp) ;
#if APPEND_TERMINAL_NULL
      pusDosPath->Buffer[pusDosPath->Length/2] = 0 ;
#endif
      return STATUS_SUCCESS ;   
    }

  if( _FileInfo_CheckPrefix(pusNtPath,L"\\Device\\") ) 
   {
     RtlCopyUnicodeString (pusDosPath, pusNtPath) ;
#if APPEND_TERMINAL_NULL
     pusDosPath->Buffer[pusDosPath->Length/2] = 0 ;
#endif
     return STATUS_SUCCESS ;
   }

  if( pusNtPath->Buffer[1]==L':' )
    {
      RtlCopyUnicodeString (pusDosPath, pusNtPath) ;
#if APPEND_TERMINAL_NULL  
      pusDosPath->Buffer[pusDosPath->Length/2] = 0 ; 
#endif
      return STATUS_SUCCESS ;  
    }


  TRACE_WARNING (TEXT("Difficulty : %ls (length=%u)\n"), pusNtPath->Buffer, pusNtPath->Length) ;
  
  if( hDirectory!=NULL )
    { 
      UNICODE_STRING	usDirectory ;
      NTSTATUS		nStatus ;
      WCHAR		wszDirectory[MAX_PATH] ;

      TRACE_WARNING (TEXT("Trying to complete with directory handle\n")) ;
	      
      usDirectory.Length = 0 ;
      usDirectory.MaximumLength = MAX_PATH * sizeof(WCHAR) ;
      usDirectory.Buffer = wszDirectory ;
      
      nStatus = FileInfo_GetPath (hDirectory, &usDirectory) ;	 
      
      if( nStatus==STATUS_SUCCESS )
	{ 
	  TRACE_WARNING (TEXT("Directory = %ls\n"), usDirectory.Buffer) ;
	  RtlAppendUnicodeToString(&usDirectory, L"\\") ;
	  RtlAppendUnicodeStringToString (&usDirectory, pusNtPath) ;
	  RtlCopyUnicodeString (pusDosPath, &usDirectory) ;
#if APPEND_TERMINAL_NULL
	  pusDosPath->Buffer[pusDosPath->Length/2] = 0 ;
#endif
	}
      else
	{
	  TRACE_WARNING (TEXT("FileInfo_GetPath failed (status=0x%08X)\n"), nStatus) ;
	  RtlCopyUnicodeString (pusDosPath, pusNtPath) ;
#if APPEND_TERMINAL_NULL
	  pusDosPath->Buffer[pusDosPath->Length/2] = 0 ;
#endif
	}
    }
  else if( hProcess!=NULL )
    {
      NTSTATUS nStatus ;
      
      TRACE_WARNING (TEXT("Trying to complete with current directory\n")) ;
      
      nStatus = ProcInfo_GetCurDirDosPath (hProcess, pusDosPath) ;
      
      if( nStatus==STATUS_SUCCESS )
	{
	  RtlAppendUnicodeStringToString (pusDosPath, pusNtPath) ;
#if APPEND_TERMINAL_NULL
	  pusDosPath->Buffer[pusDosPath->Length/2] = 0 ;
#endif  
	}
      else
	{
	  TRACE_ERROR (TEXT("Failed to get current directory\n")) ;
	  RtlCopyUnicodeString (pusDosPath, pusNtPath) ;
#if APPEND_TERMINAL_NULL
	  pusDosPath->Buffer[pusDosPath->Length/2] = 0 ;
#endif
	}
    }
  else
    {			       
      TRACE_WARNING (TEXT("No directory\n")) ;
      RtlCopyUnicodeString (pusDosPath, pusNtPath) ;
#if APPEND_TERMINAL_NULL
      pusDosPath->Buffer[pusDosPath->Length/2] = 0 ;    
#endif
    }
  
  TRACE_WARNING (TEXT("Result : %ls\n"), pusDosPath->Buffer) ;

  return STATUS_SUCCESS ;
}


/******************************************************************/
/* Internal function                                              */
/******************************************************************/

BOOL _FileInfo_CheckPrefix (UNICODE_STRING* pusPath, LPCWSTR wszPrefix)
{
  int i ;

  ASSERT (pusPath!=NULL) ;
  ASSERT (pusPath->Buffer!=NULL) ;
  ASSERT (wszPrefix!=NULL) ;

  for( i=0 ; wszPrefix[i] ; i++ )
    {
      if( i>=pusPath->Length ) return FALSE ;
      if( pusPath->Buffer[i]==0 ) return FALSE ;

      if( RtlUpcaseUnicodeChar(pusPath->Buffer[i])  !=
	  RtlUpcaseUnicodeChar(wszPrefix[i]) ) 
	return FALSE ;
    }
      
  return TRUE;
}

/******************************************************************/
/* Exported function                                              */
/******************************************************************/
/*
HANDLE FileInfo_GetRootDirectory (HANDLE hFile)
{
  PVOID		pObject=NULL ;
  OBJECT_HEADER *pHeader ;
  OBJECT_CREATE_INFO	*pCreateInfo=NULL ;
  NTSTATUS	nStatus ;
  HANDLE	hRootDir = NULL ;

  nStatus = ObReferenceObjectByHandle (hFile, GENERIC_ALL,
				       NULL, KernelMode, &pObject,
				       NULL) ;    

  if( nStatus!=STATUS_SUCCESS || pObject==NULL )
    {
      TRACE_ERROR (TEXT("ObReferenceObjectByHandle failed (status=0x%08X)\n"), 
		   nStatus) ;
      return NULL ;
    }
    
  pHeader = (OBJECT_HEADER*)((BYTE*)pObject-0x18) ;

  if( pHeader->ObjectFlags & OB_FLAG_CREATE_INFO )
    {
      pCreateInfo = pHeader->ObjectCreateInfo ;

      if( pCreateInfo != NULL )
	{
	  hRootDir = pCreateInfo->RootDirectory ;
	}