📄 scanner.c
字号:
}
return FLT_PREOP_SUCCESS_NO_CALLBACK;
}
FLT_PREOP_CALLBACK_STATUS
ScannerPreWrite (
__inout PFLT_CALLBACK_DATA Data,
__in PCFLT_RELATED_OBJECTS FltObjects,
__deref_out_opt PVOID *CompletionContext
)
/*++
Routine Description:
Pre write callback. We want to scan what's being written now.
Arguments:
Data - The structure which describes the operation parameters.
FltObject - The structure which describes the objects affected by this
operation.
CompletionContext - Output parameter which can be used to pass a context
from this pre-write callback to the post-write callback.
Return Value:
Always FLT_PREOP_SUCCESS_NO_CALLBACK.
--*/
{
FLT_PREOP_CALLBACK_STATUS returnStatus = FLT_PREOP_SUCCESS_NO_CALLBACK;
NTSTATUS status;
PSCANNER_NOTIFICATION notification = NULL;
PSCANNER_STREAM_HANDLE_CONTEXT context = NULL;
ULONG replyLength;
BOOLEAN safe = TRUE;
PUCHAR buffer;
UNREFERENCED_PARAMETER( CompletionContext );
//
// If not client port just ignore this write.
//
if (ScannerData.ClientPort == NULL) {
return FLT_PREOP_SUCCESS_NO_CALLBACK;
}
status = FltGetStreamHandleContext( FltObjects->Instance,
FltObjects->FileObject,
&context );
if (!NT_SUCCESS( status )) {
//
// We are not interested in this file
//
return FLT_PREOP_SUCCESS_NO_CALLBACK;
}
//
// Use try-finally to cleanup
//
try {
//
// Pass the contents of the buffer to user mode.
//
if (Data->Iopb->Parameters.Write.Length != 0) {
//
// Get the users buffer address. If there is a MDL defined, use
// it. If not use the given buffer address.
//
if (Data->Iopb->Parameters.Write.MdlAddress != NULL) {
buffer = MmGetSystemAddressForMdlSafe( Data->Iopb->Parameters.Write.MdlAddress,
NormalPagePriority );
//
// If we have a MDL but could not get and address, we ran out
// of memory, report the correct error
//
if (buffer == NULL) {
Data->IoStatus.Status = STATUS_INSUFFICIENT_RESOURCES;
Data->IoStatus.Information = 0;
returnStatus = FLT_PREOP_COMPLETE;
leave;
}
} else {
//
// Use the users buffer
//
buffer = Data->Iopb->Parameters.Write.WriteBuffer;
}
//
// In a production-level filter, we would actually let user mode scan the file directly.
// Allocating & freeing huge amounts of non-paged pool like this is not very good for system perf.
// This is just a sample!
//
notification = ExAllocatePoolWithTag( NonPagedPool,
sizeof( SCANNER_NOTIFICATION ),
'nacS' );
if (notification == NULL) {
Data->IoStatus.Status = STATUS_INSUFFICIENT_RESOURCES;
Data->IoStatus.Information = 0;
returnStatus = FLT_PREOP_COMPLETE;
leave;
}
notification->BytesToScan = min( Data->Iopb->Parameters.Write.Length, SCANNER_READ_BUFFER_SIZE );
//
// The buffer can be a raw user buffer. Protect access to it
//
try {
RtlCopyMemory( ¬ification->Contents,
buffer,
notification->BytesToScan );
} except( EXCEPTION_EXECUTE_HANDLER ) {
//
// Error accessing buffer. Complete i/o with failure
//
Data->IoStatus.Status = GetExceptionCode() ;
Data->IoStatus.Information = 0;
returnStatus = FLT_PREOP_COMPLETE;
leave;
}
//
// Send message to user mode to indicate it should scan the buffer.
// We don't have to synchronize between the send and close of the handle
// as FltSendMessage takes care of that.
//
replyLength = sizeof( SCANNER_REPLY );
status = FltSendMessage( ScannerData.Filter,
&ScannerData.ClientPort,
notification,
sizeof( SCANNER_NOTIFICATION ),
notification,
&replyLength,
NULL );
if (STATUS_SUCCESS == status) {
safe = ((PSCANNER_REPLY) notification)->SafeToOpen;
} else {
//
// Couldn't send message. This sample will let the i/o through.
//
DbgPrint( "!!! scanner.sys --- couldn't send message to user-mode to scan file, status 0x%X\n", status );
}
}
if (!safe) {
//
// Block this write if not paging i/o (as a result of course, this scanner will not prevent memory mapped writes of contaminated
// strings to the file, but only regular writes). The effect of getting ERROR_ACCESS_DENIED for many apps to delete the file they
// are trying to write usually.
// To handle memory mapped writes - we should be scanning at close time (which is when we can really establish that the file object
// is not going to be used for any more writes)
//
DbgPrint( "!!! scanner.sys -- foul language detected in write !!!\n" );
if (!FlagOn( Data->Iopb->IrpFlags, IRP_PAGING_IO )) {
DbgPrint( "!!! scanner.sys -- blocking the write !!!\n" );
Data->IoStatus.Status = STATUS_ACCESS_DENIED;
Data->IoStatus.Information = 0;
returnStatus = FLT_PREOP_COMPLETE;
}
}
} finally {
if (notification != NULL) {
ExFreePoolWithTag( notification, 'nacS' );
}
if (context) {
FltReleaseContext( context );
}
}
return returnStatus;
}
//////////////////////////////////////////////////////////////////////////
// Local support routines.
//
/////////////////////////////////////////////////////////////////////////
NTSTATUS
ScannerpScanFileInUserMode (
__in PFLT_INSTANCE Instance,
__in PFILE_OBJECT FileObject,
__out PBOOLEAN SafeToOpen
)
/*++
Routine Description:
This routine is called to send a request up to user mode to scan a given
file and tell our caller whether it's safe to open this file.
Note that if the scan fails, we set SafeToOpen to TRUE. The scan may fail
because the service hasn't started, or perhaps because this create/cleanup
is for a directory, and there's no data to read & scan.
If we failed creates when the service isn't running, there'd be a
bootstrapping problem -- how would we ever load the .exe for the service?
Arguments:
Instance - Handle to the filter instance for the scanner on this volume.
FileObject - File to be scanned.
SafeToOpen - Set to FALSE if the file is scanned successfully and it contains
foul language.
Return Value:
The status of the operation, hopefully STATUS_SUCCESS. The common failure
status will probably be STATUS_INSUFFICIENT_RESOURCES.
--*/
{
NTSTATUS status;
PVOID buffer = NULL;
ULONG bytesRead;
SCANNER_NOTIFICATION notification;
FLT_VOLUME_PROPERTIES volumeProps;
LARGE_INTEGER offset;
ULONG replyLength, length;
PFLT_VOLUME volume = NULL;
*SafeToOpen = TRUE;
//
// If not client port just return.
//
if (ScannerData.ClientPort == NULL) {
return STATUS_SUCCESS;
}
try {
//
// Obtain the volume object .
//
status = FltGetVolumeFromInstance( Instance, &volume );
if (!NT_SUCCESS( status )) {
leave;
}
//
// Determine sector size. Noncached I/O can only be done at sector size offsets, and in lengths which are
// multiples of sector size. A more efficient way is to make this call once and remember the sector size in the
// instance setup routine and setup an instance context where we can cache it.
//
status = FltGetVolumeProperties( volume,
&volumeProps,
sizeof( volumeProps ),
&length );
//
// STATUS_BUFFER_OVERFLOW can be returned - however we only need the properties, not the names
// hence we only check for error status.
//
if (NT_ERROR( status )) {
leave;
}
length = max( SCANNER_READ_BUFFER_SIZE, volumeProps.SectorSize );
//
// Use non-buffered i/o, so allocate aligned pool
//
buffer = FltAllocatePoolAlignedWithTag( Instance,
NonPagedPool,
length,
'nacS' );
if (NULL == buffer) {
status = STATUS_INSUFFICIENT_RESOURCES;
leave;
}
//
// Read the beginning of the file and pass the contents to user mode.
//
offset.QuadPart = bytesRead = 0;
status = FltReadFile( Instance,
FileObject,
&offset,
length,
buffer,
FLTFL_IO_OPERATION_NON_CACHED |
FLTFL_IO_OPERATION_DO_NOT_UPDATE_BYTE_OFFSET,
&bytesRead,
NULL,
NULL );
if (NT_SUCCESS( status ) && (0 != bytesRead)) {
notification.BytesToScan = (ULONG) bytesRead;
//
// Copy only as much as the buffer can hold
//
RtlCopyMemory( ¬ification.Contents,
buffer,
min( notification.BytesToScan, SCANNER_READ_BUFFER_SIZE ) );
replyLength = sizeof( SCANNER_REPLY );
status = FltSendMessage( ScannerData.Filter,
&ScannerData.ClientPort,
¬ification,
sizeof(notification),
¬ification,
&replyLength,
NULL );
if (STATUS_SUCCESS == status) {
*SafeToOpen = ((PSCANNER_REPLY) ¬ification)->SafeToOpen;
} else {
//
// Couldn't send message
//
DbgPrint( "!!! scanner.sys --- couldn't send message to user-mode to scan file, status 0x%X\n", status );
}
}
} finally {
if (NULL != buffer) {
FltFreePoolAlignedWithTag( Instance, buffer, 'ncaS' );
}
if (NULL != volume) {
FltObjectDereference( volume );
}
}
return status;
}
⌨️ 快捷键说明
复制代码
Ctrl + C
搜索代码
Ctrl + F
全屏模式
F11
切换主题
Ctrl + Shift + D
显示快捷键
?
增大字号
Ctrl + =
减小字号
Ctrl + -