📄 filespy.c
字号:
IoCopyCurrentIrpStackLocationToNext(Irp);
IoSetCompletionRoutine(Irp,
SpyDirControlCompletion,
&waitEvent, //context parameter
TRUE,
TRUE,
TRUE
);
status = IoCallDriver(devExt->NLExtHeader.AttachedToDeviceObject, Irp);
//
// Wait for the operation to complete
//
if (STATUS_PENDING == status) {
status = KeWaitForSingleObject(&waitEvent,
Executive,
KernelMode,
FALSE,
NULL
);
ASSERT(STATUS_SUCCESS == status);
}
if (!NT_SUCCESS(status) ||(0 == irpSp->Parameters.QueryFile.Length)) {
IoCompleteRequest(Irp, IO_NO_INCREMENT);
return status;
}
while (TRUE) {
bufferLength = ((PQUERY_DIRECTORY)&irpSp->Parameters)->Length;
newLength = bufferLength;
currentPosition = 0;
dirInfo =(PFILE_BOTH_DIR_INFORMATION) Irp->UserBuffer;
preDirInfo = dirInfo;
if ((!dirInfo) ||(dirInfo->NextEntryOffset > bufferLength)) {
IoCompleteRequest(Irp, IO_NO_INCREMENT);
return status;
}
do {
//禁止其他进程访问
if(_stricmp(g_szPrivProcName, SpyGetProcess(name)))
{
Irp->IoStatus.Status = STATUS_NOT_IMPLEMENTED;
Irp->IoStatus.Information = 0;
IoCompleteRequest(Irp, IO_NO_INCREMENT);
return STATUS_INVALID_DEVICE_REQUEST;
}
dprintf("[FileSpy.sys]MajorFunction-SpyDirControl:%s", SpyGetProcess(name));
//
// Record: Modify by lwf : 07-06-20
// Purpose: Hide Install Directory and permit special process's access
// for virtual encrypt disk using "(_stricmp((const char*)VENCRPYTDISK, SpyGetProcess(name)))"
//
offset = dirInfo->NextEntryOffset;
if (/*1*/(dirInfo->FileNameLength > 0)/*1*/ &&
/*2*/(g_szPrivProcName)/*2*/ &&
/*3*/(g_ulPrivProcNameLen)/*3*/ &&
/*3*/(_stricmp(g_szPrivProcName, SpyGetProcess(name)))/*3*/)
{
if (0 == offset) { // the last one
preDirInfo->NextEntryOffset = 0;
newLength = currentPosition;
} else {
if (preDirInfo != dirInfo) {
preDirInfo->NextEntryOffset += dirInfo->NextEntryOffset;
dirInfo = (PFILE_BOTH_DIR_INFORMATION) ((PUCHAR) dirInfo + offset);
} else {
RtlMoveMemory((PUCHAR) dirInfo,(PUCHAR) dirInfo + offset, bufferLength - currentPosition - offset);
newLength -= offset;
}
}
// break;
}
else
{
currentPosition += offset;
preDirInfo = dirInfo;
dirInfo =(PFILE_BOTH_DIR_INFORMATION)((PUCHAR) dirInfo + offset);
}
} while(0 != offset);
if (0 == newLength) {
KeResetEvent(&waitEvent);
IoCopyCurrentIrpStackLocationToNext(Irp);
IoSetCompletionRoutine(Irp,
SpyDirControlCompletion,
&waitEvent, //context parameter
TRUE,
TRUE,
TRUE
);
status = IoCallDriver(devExt->NLExtHeader.AttachedToDeviceObject, Irp);
//
// Wait for the operation to complete
//
if (STATUS_PENDING == status) {
status = KeWaitForSingleObject(&waitEvent,
Executive,
KernelMode,
FALSE,
NULL
);
ASSERT(STATUS_SUCCESS == status);
}
if (!NT_SUCCESS(status) ||(0 == Irp->IoStatus.Information)) {
break;
}
} else {
Irp->IoStatus.Information = newLength;
break;
}
}
//
// Record: add by lwf :07-06-30
// Purpose:Add for Test getting full path name
//
/*
FREEPATHNAME();
ExFreePoolWithTag(fileNameBuffer, FILESPY_POOL_TAG);
*/
Irp->IoStatus.Information = newLength;
IoCompleteRequest(Irp, IO_NO_INCREMENT);
return status;
}
VOID ProcessCallback(
IN HANDLE hParentId,
IN HANDLE hProcessId,
IN BOOLEAN bCreate
)
{
UNREFERENCED_PARAMETER( hParentId );
if(hProcessId==g_hProcessId && bCreate==FALSE)
{
dprintf(("[FileSpy.sys]MajorCallBack--Main Process Exit."));
g_hProcessId=NULL;
}
}
NTSTATUS
DriverEntry (
IN PDRIVER_OBJECT DriverObject,
IN PUNICODE_STRING RegistryPath
)
/*++
Routine Description:
This is the initialization routine for the general purpose file system
filter driver. This routine creates the device object that represents
this driver in the system and registers it for watching all file systems
that register or unregister themselves as active file systems.
Arguments:
DriverObject - Pointer to driver object created by the system.
Return Value:
The function value is the final status from the initialization operation.
--*/
{
UNICODE_STRING nameString;
NTSTATUS status;
PFAST_IO_DISPATCH fastIoDispatch;
ULONG i;
UNICODE_STRING linkString;
UNREFERENCED_PARAMETER( RegistryPath );
//////////////////////////////////////////////////////////////////////
//
// General setup for all filter drivers. This sets up the filter
// driver's DeviceObject and registers the callback routines for
// the filter driver.
//
//////////////////////////////////////////////////////////////////////
#if WINVER >= 0x0501
//
// Try to load the dynamic functions that may be available for our use.
//
SpyLoadDynamicFunctions();
//
// Now get the current OS version that we will use to determine what logic
// paths to take when this driver is built to run on various OS version.
//
SpyGetCurrentVersion();
#endif
//
// Read the custom parameters for FileSpy from the registry
//
// SpyReadDriverParameters( RegistryPath );
// if (FlagOn(gFileSpyDebugLevel,SPYDEBUG_BREAK_ON_DRIVER_ENTRY)) {
// DbgBreakPoint();
// }
//
// Save our Driver Object.
//
gFileSpyDriverObject = DriverObject;
//
// Initialize the lookaside list for name buffering. This is used in
// several places to avoid having a large name buffer on the stack. It is
// also needed by the name lookup routines (NLxxx).
//
ExInitializePagedLookasideList( &gFileSpyNameBufferLookasideList,
NULL,
NULL,
0,
FILESPY_LOOKASIDE_SIZE,
FILESPY_NAME_BUFFER_TAG,
0 );
#if DBG && WINVER >= 0x0501
//
// MULTIVERSION NOTE:
//
// We can only support unload for testing environments if we can enumerate
// the outstanding device objects that our driver has.
//
//
// Unload is useful for development purposes. It is not recommended for
// production versions.
//
if (IS_WINDOWSXP_OR_LATER()) {
ASSERT( NULL != gSpyDynamicFunctions.EnumerateDeviceObjectList );
//gFileSpyDriverObject->DriverUnload = DriverUnload;
}
#endif
//
// Create the device object that will represent the FileSpy device.
//
RtlInitUnicodeString( &nameString, FILESPY_FULLDEVICE_NAME1 );
//
// Create the "control" device object. Note that this device object does
// not have a device extension (set to NULL). Most of the fast IO routines
// check for this condition to determine if the fast IO is directed at the
// control device.
//
status = IoCreateDevice( DriverObject,
0, // has no device extension
&nameString,
FILE_DEVICE_DISK_FILE_SYSTEM,
FILE_DEVICE_SECURE_OPEN,
FALSE,
&gControlDeviceObject);
if (STATUS_OBJECT_PATH_NOT_FOUND == status) {
//
// The "\FileSystem\Filter' path does not exist in the object name
// space, so we must be dealing with an OS pre-Windows XP. Try
// the second name we have to see if we can create a device by that
// name.
//
RtlInitUnicodeString( &nameString, FILESPY_FULLDEVICE_NAME2 );
status = IoCreateDevice( DriverObject,
0, // has no device extension
&nameString,
FILE_DEVICE_DISK_FILE_SYSTEM,
FILE_DEVICE_SECURE_OPEN,
FALSE,
&gControlDeviceObject);
if (!NT_SUCCESS( status )) {
// SPY_LOG_PRINT( SPYDEBUG_ERROR,
// ("FileSpy!DriverEntry: Error creating FileSpy control device \"%wZ\", error: %x\n",
// &nameString,
// status) );
return status;
}
//
// We were able to successfully create the file spy control device
// using this second name, so we will now fall through and create the
// symbolic link.
//
} else if (!NT_SUCCESS( status )) {
// SPY_LOG_PRINT( SPYDEBUG_ERROR,
// ("FileSpy!DriverEntry: Error creating FileSpy control device \"%wZ\", error: %x\n",
// &nameString,
// status) );
return status;
}
RtlInitUnicodeString( &linkString, FILESPY_DOSDEVICE_NAME );
status = IoCreateSymbolicLink( &linkString, &nameString );
if (!NT_SUCCESS(status)) {
//
// Remove the existing symbol link and try and create it again.
// If this fails then quit.
//
IoDeleteSymbolicLink( &linkString );
status = IoCreateSymbolicLink( &linkString, &nameString );
if (!NT_SUCCESS(status)) {
// SPY_LOG_PRINT( SPYDEBUG_ERROR,
// ("FileSpy!DriverEntry: IoCreateSymbolicLink failed\n") );
IoDeleteDevice(gControlDeviceObject);
return status;
}
}
//
// Initialize the driver object with this device driver's entry points.
//
for (i = 0; i <= IRP_MJ_MAXIMUM_FUNCTION; i++) {
DriverObject->MajorFunction[i] = SpyDispatch;
}
DriverObject->MajorFunction[IRP_MJ_CREATE] = SpyCreate;
DriverObject->MajorFunction[IRP_MJ_CLOSE] = SpyClose;
DriverObject->MajorFunction[IRP_MJ_FILE_SYSTEM_CONTROL] = SpyFsControl;
DriverObject->MajorFunction[IRP_MJ_DIRECTORY_CONTROL] = SpyDirControl;
//
// Allocate fast I/O data structure and fill it in. This structure
// is used to register the callbacks for FileSpy in the fast I/O
// data paths.
//
fastIoDispatch = ExAllocatePoolWithTag( NonPagedPool,
sizeof( FAST_IO_DISPATCH ),
FILESPY_POOL_TAG );
if (!fastIoDispatch) {
IoDeleteDevice( gControlDeviceObject );
return STATUS_INSUFFICIENT_RESOURCES;
}
RtlZeroMemory( fastIoDispatch, sizeof( FAST_IO_DISPATCH ) );
fastIoDispatch->SizeOfFastIoDispatch = sizeof( FAST_IO_DISPATCH );
fastIoDispatch->FastIoCheckIfPossible = SpyFastIoCheckIfPossible;
fastIoDispatch->FastIoRead = SpyFastIoRead;
fastIoDispatch->FastIoWrite = SpyFastIoWrite;
fastIoDispatch->FastIoQueryBasicInfo = SpyFastIoQueryBasicInfo;
fastIoDispatch->FastIoQueryStandardInfo = SpyFastIoQueryStandardInfo;
fastIoDispatch->FastIoLock = SpyFastIoLock;
fastIoDispatch->FastIoUnlockSingle = SpyFastIoUnlockSingle;
fastIoDispatch->FastIoUnlockAll = SpyFastIoUnlockAll;
fastIoDispatch->FastIoUnlockAllByKey = SpyFastIoUnlockAllByKey;
fastIoDispatch->FastIoDeviceControl = SpyFastIoDeviceControl;
fastIoDispatch->FastIoDetachDevice = SpyFastIoDetachDevice;
fastIoDispatch->FastIoQueryNetworkOpenInfo = SpyFastIoQueryNetworkOpenInfo;
fastIoDispatch->MdlRead = SpyFastIoMdlRead;
fastIoDispatch->MdlReadComplete = SpyFastIoMdlReadComplete;
fastIoDispatch->PrepareMdlWrite = SpyFastIoPrepareMdlWrite;
fastIoDispatch->MdlWriteComplete = SpyFastIoMdlWriteComplete;
fastIoDispatch->FastIoReadCompressed = SpyFastIoReadCompressed;
fastIoDispatch->FastIoWriteCompressed = SpyFastIoWriteCompressed;
fastIoDispatch->MdlReadCompleteCompressed = SpyFastIoMdlReadCompleteCompressed;
fastIoDispatch->MdlWriteCompleteCompressed = SpyFastIoMdlWriteCompleteCompressed;
fastIoDispatch->FastIoQueryOpen = SpyFastIoQueryOpen;
DriverObject->FastIoDispatch = fastIoDispatch;
//
// Record : Add by lwf : 07-06-20
// Purpose: Get the name offset of process name
//
//
ProcessNameOffset = SpyGetProcessNameOffset();
⌨️ 快捷键说明
复制代码
Ctrl + C
搜索代码
Ctrl + F
全屏模式
F11
切换主题
Ctrl + Shift + D
显示快捷键
?
增大字号
Ctrl + =
减小字号
Ctrl + -