else TRACE_WARNING (TEXT("ObjectCreateInfo is NULL\n")) ; } else TRACE_WARNING (TEXT("OB_FLAG_CREATE_INFO not set\n")) ; ObDereferenceObject (pObject) ; return hRootDir ;}*//******************************************************************//* Exported function *//******************************************************************//*NTSTATUS FileInfo_GetNtPath (HANDLE hFile, PUNICODE_STRING pusPath){ NTSTATUS nStatus ; IO_STATUS_BLOCK iosb ; FILE_NAME_INFORMATION *pFni ; ULONG nSize = sizeof(FILE_NAME_INFORMATION)+MAX_PATH*sizeof(WCHAR) ; UNICODE_STRING usTemp ; pFni = MALLOC (nSize) ; nStatus = ZwQueryInformationFile (hFile, &iosb, pFni, nSize, FileNameInformation) ; if( nStatus!=STATUS_SUCCESS ) { TRACE_ERROR (TEXT("ZwQueryInformationFile failed (status=0x%08X)\n"), nStatus) ; return nStatus ; } RtlInitUnicodeString (&usTemp, pFni->FileName) ; RtlCopyUnicodeString (pusPath, &usTemp) ; FREE (pFni) ; //pusPath->Buffer[pusPath->Length/2+1] = 0 ; return STATUS_SUCCESS ;}*//******************************************************************//* Exported function *//******************************************************************//*NTSTATUS FileInfo_GetDosPath (HANDLE hFile, PUNICODE_STRING pusDosPath) { NTSTATUS nStatus ; UNICODE_STRING usNtPath ; WCHAR wszBuffer[MAX_PATH] ; usNtPath.Length = 0 ; usNtPath.MaximumLength = sizeof(WCHAR) * MAX_PATH ; usNtPath.Buffer = wszBuffer ; nStatus = FileInfo_GetNtPath (hFile, &usNtPath) ; if( nStatus != STATUS_SUCCESS ) { TRACE_ERROR (TEXT("FileInfo_GetNtPath failed (status=0x%08X)\n"), nStatus) ; return nStatus ; } nStatus = FileInfo_NtPathToDosPath (NULL, NULL, &usNtPath, pusDosPath) ; if( nStatus != STATUS_SUCCESS ) { TRACE_ERROR (TEXT("FileInfo_GetNtPath failed (status=0x%08X)\n"), nStatus) ; return nStatus ; } //pusDosPath->Buffer[pusDosPath->Length/2+1] = 0 ; return STATUS_SUCCESS ;}*//******************************************************************//* Exported function 
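*/
/******************************************************************/

/*
 * FileInfo_QueryNtName - read the NT (device-relative) name of an open file.
 *
 * Issues ZwQueryInformationFile(FileNameInformation) into a MAX_PATH-sized
 * buffer.  If the name does not fit, the call returns STATUS_BUFFER_OVERFLOW
 * with FileNameLength set to the full length, and the query is retried once
 * with a buffer of that size.  Names longer than MAXUSHORT bytes cannot be
 * carried by UNICODE_STRING.Length and are rejected with STATUS_BUFFER_TOO_SMALL.
 *
 * hFile  : file handle usable from the current (kernel) context.
 * ppFni  : receives a MALLOC'd FILE_NAME_INFORMATION on success; the caller
 *          owns it and must FREE it.  Set to NULL on failure.
 */
static NTSTATUS FileInfo_QueryNtName (IN HANDLE hFile, OUT FILE_NAME_INFORMATION **ppFni)
{
    IO_STATUS_BLOCK iosb ;
    FILE_NAME_INFORMATION *pFni ;
    ULONG nSize = sizeof(FILE_NAME_INFORMATION) + MAX_PATH*sizeof(WCHAR) ;
    NTSTATUS nStatus ;

    *ppFni = NULL ;

    pFni = MALLOC (nSize) ;
    if( pFni == NULL ) {
        TRACE_ERROR (TEXT("Failed to allocate strcuture FILE_NAME_INFORMATION (%u bytes)\n"), nSize) ;
        return STATUS_INSUFFICIENT_RESOURCES ;
    }

    nStatus = ZwQueryInformationFile (hFile, &iosb, pFni, nSize, FileNameInformation) ;
    if( nStatus == STATUS_BUFFER_OVERFLOW ) {
        // Path longer than MAX_PATH: FileNameLength now reports the length
        // actually required, so grow the buffer and ask once more.
        ULONG nNameLen = pFni->FileNameLength ;
        FREE (pFni) ;
        if( nNameLen > MAXUSHORT ) {
            TRACE_ERROR (TEXT("File name too long for UNICODE_STRING (%u bytes)\n"), nNameLen) ;
            return STATUS_BUFFER_TOO_SMALL ;
        }
        nSize = sizeof(FILE_NAME_INFORMATION) + nNameLen ;
        pFni = MALLOC (nSize) ;
        if( pFni == NULL ) {
            TRACE_ERROR (TEXT("Failed to allocate strcuture FILE_NAME_INFORMATION (%u bytes)\n"), nSize) ;
            return STATUS_INSUFFICIENT_RESOURCES ;
        }
        nStatus = ZwQueryInformationFile (hFile, &iosb, pFni, nSize, FileNameInformation) ;
    }
    if( nStatus != STATUS_SUCCESS ) {
        TRACE_ERROR (TEXT("ZwQueryInformationFile failed (status=0x%08X)\n"), nStatus) ;
        FREE (pFni) ;
        return nStatus ;
    }

    // On success FileNameLength is bounded by the buffer we passed, which is
    // at most MAXUSHORT + sizeof(FILE_NAME_INFORMATION), so a USHORT cast is safe.
    *ppFni = pFni ;
    return STATUS_SUCCESS ;
}

/******************************************************************/
/* Exported function                                              */
/******************************************************************/
/*
 * FileInfo_GetPath - return the DOS-style path of an open file.
 *
 * hFile       : handle to a file object.  The handle is referenced with
 *               *IoFileObjectType as the expected type, so a handle to any
 *               other kind of object fails with STATUS_OBJECT_TYPE_MISMATCH
 *               instead of being queried as if it were a file.
 * pusFilePath : caller-owned UNICODE_STRING with a valid Buffer and
 *               MaximumLength; receives the path.  When the path comes from the
 *               watched-object cache, RtlCopyUnicodeString truncates silently
 *               if MaximumLength is too small.
 *
 * Lookup order:
 *   1. the watched-object list (WatchObjs_*), keyed by the object pointer;
 *   2. the native name (FileNameInformation), converted with
 *      FileInfo_NtPathToDosPath; the result and the file's last write time are
 *      then added to the watched-object list (best effort: failures there are
 *      only logged).
 *
 * Returns STATUS_SUCCESS with pusFilePath filled, otherwise the failing
 * NTSTATUS with pusFilePath unspecified.  A failed NT->DOS conversion is now
 * reported to the caller; previously the function returned STATUS_SUCCESS
 * without having filled pusFilePath, and cached that result.
 *
 * Locking: WatchObjs_Lock is never held across ObDereferenceObject, and the
 * object reference taken in step 1 is released on every exit path.
 */
NTSTATUS FileInfo_GetPath (IN HANDLE hFile, OUT PUNICODE_STRING pusFilePath)
{
    UNICODE_STRING usFilePath ;
    ULONG nSize ;
    NTSTATUS nStatus ;
    FILE_NAME_INFORMATION *pFni = NULL ;
    LARGE_INTEGER liFileTime ;
    WOTFILE *pWotFileData ;
    PVOID pObject = NULL ;

    // verify params
    ASSERT (hFile!=NULL) ;
    ASSERT (pusFilePath!=NULL) ;
    ASSERT (pusFilePath->Buffer!=NULL) ;
    ASSERT (pusFilePath->MaximumLength>0) ;

    //
    // 1. Get object pointer.  With AccessMode == KernelMode the DesiredAccess
    //    is not checked by the object manager; the object type is, so only a
    //    genuine file object reaches the FileNameInformation query below.
    //
    nStatus = ObReferenceObjectByHandle (hFile, GENERIC_ALL, *IoFileObjectType, KernelMode, &pObject, NULL) ;
    if( nStatus!=STATUS_SUCCESS || pObject==NULL ) {
        TRACE_ERROR (TEXT("ObReferenceObjectByHandle failed (status=0x%08X)\n"), nStatus) ;
        return nStatus ;
    }

    //
    // 2. Try to look in watched object list
    //
    nStatus = WatchObjs_Lock () ;
    if( nStatus != STATUS_SUCCESS ) {
        // Previously returned without releasing the reference taken in step 1.
        ObDereferenceObject (pObject) ;
        return nStatus ;
    }
    nStatus = WatchObjs_GetFromPointer (pObject, WOT_FILE, (void**)&pWotFileData, &nSize) ;
    if( nStatus==STATUS_SUCCESS ) {
        // nSize is the size of the whole entry; the path is whatever follows
        // the WOTFILE header.  Guard the unsigned subtraction and the
        // narrowing to UNICODE_STRING.Length before trusting the entry.
        if( nSize < sizeof(WOTFILE) || nSize - sizeof(WOTFILE) > MAXUSHORT ) {
            TRACE_ERROR (TEXT("Watched object entry has an invalid size (%u bytes)\n"), nSize) ;
            WatchObjs_Unlock () ;
            ObDereferenceObject (pObject) ;
            return STATUS_UNSUCCESSFUL ;
        }
        usFilePath.Buffer = pWotFileData->wszFilePath ;
        usFilePath.Length = (USHORT)(nSize - sizeof(WOTFILE)) ;
        usFilePath.MaximumLength = usFilePath.Length ;
        // Copy while the list is still locked: the entry may go away afterwards.
        RtlCopyUnicodeString (pusFilePath, &usFilePath) ;
        WatchObjs_Unlock () ;
        ObDereferenceObject (pObject) ;
        return STATUS_SUCCESS ;
    }
    WatchObjs_Unlock () ;

    //
    // 3. If not found, try to get file path thru Windows native API
    //
    nStatus = FileInfo_QueryNtName (hFile, &pFni) ;
    if( nStatus != STATUS_SUCCESS ) {
        ObDereferenceObject (pObject) ;
        return nStatus ;
    }
    usFilePath.Buffer = pFni->FileName ;
    usFilePath.Length = (USHORT)pFni->FileNameLength ;   // bounded by FileInfo_QueryNtName
    usFilePath.MaximumLength = usFilePath.Length ;

    //
    // 4. Convert NT file path to DOS file path
    //
    nStatus = FileInfo_NtPathToDosPath (NULL, NULL, &usFilePath, pusFilePath) ;
    FREE (pFni) ;
    if( nStatus != STATUS_SUCCESS ) {
        // Nothing usable in pusFilePath: report it rather than cache and
        // return success with an unfilled output.
        TRACE_WARNING (TEXT("FileInfo_NtPathToDosPath failed (status=0x%08X)\n"), nStatus) ;
        ObDereferenceObject (pObject) ;
        return nStatus ;
    }

    //
    // 5. Set file name in watched object list (best effort: errors are only logged)
    //
    // FileInfo_GetLastWriteTimeFromHandle zeroes liFileTime before it tries,
    // so a failure here caches a zero timestamp rather than garbage.
    nStatus = FileInfo_GetLastWriteTimeFromHandle (hFile, &liFileTime) ;
    if( nStatus!=STATUS_SUCCESS )
        TRACE_ERROR (TEXT("FileInfo_GetLastWriteTimeFromHandle failed (status=0x%08X)\n"), nStatus) ;
    nStatus = WatchObjs_Lock () ;
    if( nStatus == STATUS_SUCCESS ) {
        nStatus = WatchObjs_AddWotFile (pObject, &liFileTime, pusFilePath) ;
        WatchObjs_Unlock () ;
    }
    if( nStatus!=STATUS_SUCCESS )
        TRACE_WARNING (TEXT("WatchObjs_AddWotFile failed (status=0x%08X)\n"), nStatus) ;

    //
    // 6. Release object pointer (WatchObjs must be unlocked before this)
    //
    ObDereferenceObject (pObject) ;
    return STATUS_SUCCESS ;
}

/******************************************************************/
/* Exported function                                              */
/******************************************************************/
/*
 * FileInfo_GetLastWriteTime - last write time of the file named by wszFilePath.
 *
 * wszFilePath : NUL-terminated NT object path; it is handed straight to
 *               InitializeObjectAttributes, no DOS->NT conversion is done here.
 * pliTime     : receives FILE_BASIC_INFORMATION.LastWriteTime.  It is zeroed
 *               first, so it reads 0 whenever the function fails.
 *
 * The open goes through the IoCreateFile stub returned by Hooks_GetStubAddress
 * when one is installed (presumably the unhooked entry point, so this open does
 * not re-enter the driver's own hook -- confirm against the hooks module), and
 * through IoCreateFile itself otherwise.  FILE_READ_ATTRIBUTES is all that
 * FileBasicInformation requires; an attributes-only open is also not subject
 * to share-mode checks, so a file another process holds open exclusively can
 * still be inspected.  The handle is a kernel handle (OBJ_KERNEL_HANDLE) and is
 * closed before returning on every path after a successful open.
 *
 * Returns the NTSTATUS of the failing call, STATUS_SUCCESS otherwise.
 */
NTSTATUS FileInfo_GetLastWriteTime (IN LPCWSTR wszFilePath, OUT LARGE_INTEGER * pliTime)
{
    // IoCreateFile's real prototype, so the stub is called with a checked
    // argument list instead of through a prototype-less PROC.
    typedef NTSTATUS (NTAPI *PFN_IOCREATEFILE) (PHANDLE, ACCESS_MASK, POBJECT_ATTRIBUTES,
        PIO_STATUS_BLOCK, PLARGE_INTEGER, ULONG, ULONG, ULONG, ULONG, PVOID, ULONG,
        CREATE_FILE_TYPE, PVOID, ULONG) ;
    HANDLE hFile = NULL ;
    PFN_IOCREATEFILE pfnIoCreateFile ;
    UNICODE_STRING usFilePath ;
    OBJECT_ATTRIBUTES oa ;
    IO_STATUS_BLOCK iostatus ;
    NTSTATUS nStatus ;
    FILE_BASIC_INFORMATION fbi ;

    pliTime->QuadPart = 0 ;

    pfnIoCreateFile = (PFN_IOCREATEFILE) Hooks_GetStubAddress (HOOKS_IOCREATEFILE) ;
    if( pfnIoCreateFile==NULL ) pfnIoCreateFile = (PFN_IOCREATEFILE) IoCreateFile ;

    RtlInitUnicodeString (&usFilePath, wszFilePath) ;
    // NOTE(review): OBJ_CASE_INSENSITIVE is not set, so depending on kernel
    // policy the lookup may be case-sensitive; confirm callers pass names in
    // the case the file system reported them.
    InitializeObjectAttributes (&oa, &usFilePath, OBJ_KERNEL_HANDLE, NULL, NULL) ;

    nStatus = pfnIoCreateFile (&hFile, FILE_READ_ATTRIBUTES, &oa, &iostatus, NULL, 0,
        FILE_SHARE_READ|FILE_SHARE_WRITE|FILE_SHARE_DELETE, FILE_OPEN, 0,
        NULL, 0, CreateFileTypeNone, NULL, 0) ;
    if( !NT_SUCCESS(nStatus) ) {
        TRACE_ERROR(TEXT("IoCreateFile failed (status=0x%08X)\n"), nStatus) ;
        return nStatus ;
    }

    nStatus = ZwQueryInformationFile (hFile, &iostatus, &fbi, sizeof(fbi), FileBasicInformation) ;
    if( NT_SUCCESS(nStatus) )
        *pliTime = fbi.LastWriteTime ;
    else
        TRACE_ERROR(TEXT("ZwQueryInformationFile failed (status=0x%08X)\n"), nStatus) ;

    ZwClose (hFile) ;
    return nStatus ;
}

/******************************************************************/
/* Exported function                                              */
/******************************************************************/
/*
 * FileInfo_GetLastWriteTimeFromHandle - last write time of an already open file.
 *
 * hFile   : open file handle; FileBasicInformation needs FILE_READ_ATTRIBUTES
 *           on it.
 * pliTime : receives FILE_BASIC_INFORMATION.LastWriteTime.  Zeroed first, so
 *           it reads 0 on failure.
 *
 * Returns the NTSTATUS of ZwQueryInformationFile.
 */
NTSTATUS FileInfo_GetLastWriteTimeFromHandle (IN HANDLE hFile, OUT LARGE_INTEGER * pliTime)
{
    IO_STATUS_BLOCK iostatus ;
    FILE_BASIC_INFORMATION fbi ;
    NTSTATUS nStatus ;

    pliTime->QuadPart = 0 ;

    nStatus = ZwQueryInformationFile (hFile, &iostatus, &fbi, sizeof(fbi), FileBasicInformation) ;
    if( NT_SUCCESS(nStatus) )
        *pliTime = fbi.LastWriteTime ;
    else
        TRACE_ERROR(TEXT("ZwQueryInformationFile failed (status=0x%08X)\n"), nStatus) ;

    return nStatus ;
}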