/********************************************************************
created: 2003/08/08
created: 8:8:2003 5:06
filename: g:\temp\FsTPM\FsTPM\FsTPM\Write.cpp
file path: g:\temp\FsTPM\FsTPM\FsTPM
file base: Write
file ext: cpp
author: Supermi
purpose:
*********************************************************************/
#include "FsTPM.h"
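/*
 * Write dispatch routine of the FsTPM filter device.
 *
 * Builds the upper-cased "<drive>:<path>" name of the file being written,
 * looks it up in ProtectControlBlock.FileProtectList and then:
 *   - completes the IRP with STATUS_ACCESS_DENIED when static protection is
 *     enabled and set on the matching item;
 *   - rewrites the data buffer in place ('a' -> 'b') and forwards the IRP when
 *     encrypt protection is enabled and set on the matching item;
 *   - otherwise forwards the IRP untouched to the next lower device.
 *
 * pHookDevice  filter device object; its DeviceExtension is a HOOK_EXTENSION.
 * pIrp         the write IRP.
 *
 * Returns the status the IRP was completed with, or the status returned by
 * IoCallDriver when the IRP is forwarded.
 *
 * NOTE(review): several paths fail open. A zero-length file name, a failed
 * name query and a NULL data buffer all forward the write without applying
 * any protection. Confirm this is intended for a protection driver.
 */
NTSTATUS
FsTPMWriteRoutine(
    PDEVICE_OBJECT pHookDevice,
    IN PIRP pIrp
    )
{
    //
    // Current stack location: carries the file object and the write parameters.
    //
    PIO_STACK_LOCATION pCurrentIrpStack = IoGetCurrentIrpStackLocation(pIrp);
    //
    // Our own device extension; it holds the information we need about the
    // lower file system.
    //
    PHOOK_EXTENSION pHookExt = (PHOOK_EXTENSION)pHookDevice->DeviceExtension;
    PFILE_OBJECT pFileObject = pCurrentIrpStack->FileObject;
    PDEVICE_OBJECT pNextLowerDevice = pHookExt->Vcb.NextLowerDevice;
    // Largest FileName index that still lies inside the name-info allocation.
    const ULONG MaxNameChars =
        (ULONG)((MAXPATHLEN * sizeof(WCHAR) - FIELD_OFFSET(FILE_NAME_INFORMATION, FileName)) / sizeof(WCHAR)) - 1;
    VCB Vcb;
    ULONG ResultLen;
    ULONG NameChars;
    NTSTATUS ntStatus;
    WCHAR USName[256];
    UNICODE_STRING CUSourceName;
    PFILE_NAME_INFORMATION fileNameInfo = NULL;
    PFILE_PROTECT_LIST_ITEM pItem;
    size_t PrefixLen;
    // Initialised to NULL: none of the three buffer sources below may apply,
    // and the NULL test that follows must not read an indeterminate pointer.
    char *pBuffer = NULL;
    BOOLEAN RawUserBuffer = FALSE;
    ULONG i;
    ULONG Len;

    // Requests sent to the GUI interface device are completed without any work.
    if (pHookExt->Type == GUIINTERFACE)
    {
        pIrp->IoStatus.Information = 0;
        pIrp->IoStatus.Status = STATUS_SUCCESS;
        IoCompleteRequest(pIrp, IO_NO_INCREMENT);
        return STATUS_SUCCESS;
    }

    // Seed the name with a placeholder drive letter; it is replaced below.
    _snwprintf(USName, sizeof(USName) / sizeof(USName[0]), L"A:");
    RtlInitUnicodeString(&CUSourceName, USName);
    CUSourceName.MaximumLength = sizeof(USName);

    Vcb = pHookExt->Vcb;

    // Original author's note: "I don't know why this case happens."
    if (NULL == pFileObject || 0 == pFileObject->FileName.Length)
        goto next_stack;

    fileNameInfo = (PFILE_NAME_INFORMATION)ExAllocatePool(NonPagedPool, MAXPATHLEN * sizeof(WCHAR));
    if (NULL == fileNameInfo)
    {
        FsTPM_DbgPrint(("Memory Allocate Fail!\n"));
        // A dispatch routine must complete the IRP before returning an error
        // status; returning without completing it leaves the request pending
        // forever. Failing the write also keeps low-memory conditions from
        // bypassing the protection checks.
        pIrp->IoStatus.Information = 0;
        pIrp->IoStatus.Status = STATUS_INSUFFICIENT_RESOURCES;
        IoCompleteRequest(pIrp, IO_NO_INCREMENT);
        return STATUS_INSUFFICIENT_RESOURCES;
    }

    ntStatus = FsTPMQueryInformationFile(&Vcb, pFileObject, FileNameInformation, fileNameInfo,
                                         (MAXPATHLEN - 5) * sizeof(WCHAR), &ResultLen);
    if (!NT_SUCCESS(ntStatus))
    {
        FsTPM_DbgPrint((" Query Name Information of file Fail "));
        ErrorString(ntStatus);
        goto next_stack;
    }

    // FileNameLength is reported by the layer below; clamp it so the
    // terminator can never be written outside the allocation.
    NameChars = fileNameInfo->FileNameLength / sizeof(WCHAR);
    if (NameChars > MaxNameChars)
        NameChars = MaxNameChars;
    fileNameInfo->FileName[NameChars] = 0;

    PrefixLen = wcslen(CUSourceName.Buffer);
    _snwprintf(CUSourceName.Buffer + PrefixLen,
               sizeof(USName) / sizeof(USName[0]) - PrefixLen,
               L"%s", fileNameInfo->FileName);
    // _snwprintf does not write a terminator when the output is truncated;
    // without this the wcslen() calls below could run past USName.
    USName[sizeof(USName) / sizeof(USName[0]) - 1] = 0;
    // NOTE(review): a path longer than USName is silently truncated here and
    // would then be compared against the protect list in truncated form.
    // Confirm MAXPATHLEN against the 256-character buffer.

    CUSourceName.Buffer[0] = (WCHAR)(pHookExt->LogicalDrive);
    CUSourceName.Length = (USHORT)(wcslen(CUSourceName.Buffer) * sizeof(WCHAR));
    UpperWordW(CUSourceName.Buffer);
    FsTPM_DbgPrint(("IRP_WRITE: %S\n", CUSourceName.Buffer));

    if (IsSomeSpecialFile(CUSourceName.Buffer, pFileObject, pCurrentIrpStack))
        goto next_stack;

    if (!ProtectList_Is_In(&ProtectControlBlock.FileProtectList, CUSourceName.Buffer, &pItem))
        goto next_stack;

    // Statically protected file: refuse the write.
    if (ProtectControlBlock.EnableStaticProtect && IS_STATIC_PROTECT(pItem->ProtectedFlag))
    {
        ExFreePool(fileNameInfo);
        pIrp->IoStatus.Information = 0;
        pIrp->IoStatus.Status = STATUS_ACCESS_DENIED;
        IoCompleteRequest(pIrp, IO_NO_INCREMENT);
        return STATUS_ACCESS_DENIED;
    }

    if (ProtectControlBlock.EnableEncryptProtect && IS_ENCRYPT_PROTECT(pItem->ProtectedFlag))
    {
        // Locate the data: system buffer, locked-down MDL, or raw caller pointer.
        if (pHookDevice->Flags & DO_BUFFERED_IO)
        {
            pBuffer = (char *)pIrp->AssociatedIrp.SystemBuffer;
        }
        else if (pIrp->MdlAddress)
        {
            // The Safe variant returns NULL when no system mapping is
            // available instead of bug-checking the machine.
            pBuffer = (char *)MmGetSystemAddressForMdlSafe(pIrp->MdlAddress, NormalPagePriority);
        }
        else if (pIrp->UserBuffer != NULL)
        {
            pBuffer = (char *)pIrp->UserBuffer;
            RawUserBuffer = TRUE;
        }

        if (pBuffer == NULL)
            goto next_stack;

        // ULONG, like Parameters.Write.Length, so a large length cannot turn
        // into a negative loop bound.
        Len = pCurrentIrpStack->Parameters.Write.Length;
        DbgPrint("data in buffer writed is:\n");

        // NOTE(review): the substitution is done in place in the buffer the
        // IRP carries, so on the MDL and UserBuffer paths the requester's own
        // memory is rewritten. Confirm whether a private copy is wanted.
        ntStatus = STATUS_SUCCESS;
        __try
        {
            // A raw UserBuffer is an unvalidated caller-supplied address:
            // range-check it for user-mode requesters and touch it only under
            // an exception handler. Presumably this runs in the requesting
            // thread's context -- TODO confirm.
            if (RawUserBuffer && pIrp->RequestorMode == UserMode)
                ProbeForWrite(pBuffer, Len, sizeof(UCHAR));

            for (i = 0; i < Len; i++)
            {
                if (pBuffer[i] == 'a')
                    pBuffer[i] = 'b';
            }
        }
        __except (EXCEPTION_EXECUTE_HANDLER)
        {
            ntStatus = GetExceptionCode();
            if (NT_SUCCESS(ntStatus))
                ntStatus = STATUS_INVALID_USER_BUFFER;
        }

        // The name buffer is no longer needed on this path either; the
        // original returned without releasing it.
        ExFreePool(fileNameInfo);
        fileNameInfo = NULL;

        if (!NT_SUCCESS(ntStatus))
        {
            // The data buffer was not accessible: fail the write rather than
            // forwarding partially transformed data.
            pIrp->IoStatus.Information = 0;
            pIrp->IoStatus.Status = ntStatus;
            IoCompleteRequest(pIrp, IO_NO_INCREMENT);
            return ntStatus;
        }

        IoCopyCurrentIrpStackLocationToNext(pIrp);
        ntStatus = IoCallDriver(pNextLowerDevice, pIrp);
        return ntStatus;
    }

next_stack:
    // Nothing to enforce: release the name buffer and pass the IRP down unchanged.
    if (fileNameInfo != NULL)
        ExFreePool(fileNameInfo);
    IoSkipCurrentIrpStackLocation(pIrp);
    ntStatus = IoCallDriver(pNextLowerDevice, pIrp);
    return ntStatus;
}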