fstpm.cpp

一个过滤层文件系统驱动的完整代码,实现了文件的加密,操作截获等

/*++
Copyright (c) 2004 By LiGen , All right reserved
Module Name:
	fstpm.cpp

Abstract:
	本驱程序实现文件改写保护，文件完整性检测，文件加密
	
Environment:
	Windows XP, Compiler Ver > 13.00

Notes:
   	

Revision History:
	created: 16:7:2004 

Author：
	李根	13574849558@hnmcc.com

--*/

#include "FsTPM.h"

WCHAR gRequestEventNameStr[] = L"\\BaseNamedObjects\\tpmreq";
WCHAR gAckEventNameStr[]	 = L"\\BaseNamedObjects\\tpmack";

UNICODE_STRING gRequestEventName = {0};
UNICODE_STRING gAckEventName = {0};

BOOL gUser_Command = FALSE;
ULONG  gAck=0;

// Define a event whose name is the same as the event in our User Thread, 
// so we can notify user by this event object
HANDLE HReq_Event = NULL;
HANDLE HAck_Event = NULL;

PKEVENT pReq_Event = NULL;
PKEVENT pAck_Event;
FAST_MUTEX Guard_Mutex = {0};


WCHAR gSymbol[] = L"\\Device\\FsTPM";
WCHAR gSymbolDos[] = L"\\DosDevices\\FsTPM";

ULONG CurrentDriveSet = 0;

//
// Table of our hook devices for each drive letter. This makes it
// easy to look up the device object that was created to hook a 
// particular drive.
//
PDEVICE_OBJECT      DriveHookDevices[26] = {0};

// 
//  保存系统分配给我的驱动对象的指针
//
PDRIVER_OBJECT FsTPMDriverObject = NULL;

// Save pointer to GUI
PDEVICE_OBJECT pGUIDevice = NULL;

//
// Current bitmask of hooked devices
//
ULONG         CurrentDeviceSet = 0;

ULONG ProcessNameOffset = 0; 

FSTPM_CONTROL_BLOCK ProtectControlBlock = {0};

// define a spin lock
// 
KSPIN_LOCK IoDatabaseLock = {0};
PKSPIN_LOCK IopDatabaseLock = &IoDatabaseLock;




NTSTATUS
DriverEntry(
    IN PDRIVER_OBJECT  pDriverObject,
    IN PUNICODE_STRING pRegistryPath
    )
/*++
Follow Routine Description:

    Installable driver initialization entry point.
    This entry point is called directly by the I/O system.

Arguments:

    pDriverObject - pointer to the driver object

    pRegistryPath - pointer to a unicode string representing the path
                   to driver-specific key in the registry

Return Value:

    STATUS_SUCCESS if successful,
    STATUS_UNSUCCESSFUL otherwise

--*/
{
	NTSTATUS	ntStatus;
	int			i;
	
	FsTPM_DbgPrint(("FsTPM.SYS: entering DriverEntry\n")); 
	FsTPM_DbgPrint(("Enter Entry : RegPath=%S\n",pRegistryPath->Buffer));

	// 读入配置信息
//	ReadParamFromReg(pRegistryPath,pDriverObject);

	ProcessNameOffset=FsTPMGetProcessNameOffset();

	FsTPMDriverObject = pDriverObject;

	CreateList( &ProtectControlBlock.FileProtectList , MAX_LIST_ITEM_NUM );
		
	RtlInitUnicodeString(&gRequestEventName,gRequestEventNameStr);
	RtlInitUnicodeString(&gAckEventName,gAckEventNameStr);

	// Initial event
	pReq_Event = IoCreateSynchronizationEvent(&gRequestEventName,&HReq_Event);
	pAck_Event = IoCreateSynchronizationEvent(&gAckEventName,&HAck_Event);
	ExInitializeFastMutex(&Guard_Mutex);
	

	KeClearEvent (pReq_Event);
	KeClearEvent (pAck_Event);
	
	//
	// Create dispatch points for all routines that must be handled. 
    // All entry points are registered since we might filter a
	// file system that processes all of them.
    //
    for( i = 0; i <= IRP_MJ_MAXIMUM_FUNCTION; i++ ) {
	    pDriverObject->MajorFunction[i] = FsTPMDispatch;
    }

	pDriverObject->MajorFunction[IRP_MJ_CREATE]=FsTPMCreateRoutine;
	pDriverObject->MajorFunction[IRP_MJ_WRITE]=FsTPMWriteRoutine;
	pDriverObject->MajorFunction[IRP_MJ_READ]=FsTPMReadRoutine;
	pDriverObject->MajorFunction[IRP_MJ_QUERY_INFORMATION]=FsTPMQueryInformationRoutine;
	pDriverObject->MajorFunction[IRP_MJ_SET_INFORMATION]=FsTPMSetInformationRoutine;

	//
    // 置 Fast I/O dispatch 表
    //
    pDriverObject->FastIoDispatch = &FastIOHook;

	pDriverObject->DriverUnload = FsTPMUnload;

	ntStatus=CreateDevice(pDriverObject);          //创建一个与USER下的GUI程序通信的设备

	if (!NT_SUCCESS(ntStatus))
	{
		FsTPM_DbgPrint(("Creating Device Failed !\n"));
		return ntStatus;
	}

	// 挂载所有文件系统设备
	CurrentDriveSet=0;
	HookDeviceSet(0x3FFFFFC,pDriverObject);

	return STATUS_SUCCESS;
}


NTSTATUS CreateDevice (
		IN PDRIVER_OBJECT	pDriverObject
		) 
//++
// Function:	CreateDevice
//
// Description:
//		创建一个我自己的设备对象，这样我就有了一个与WIN32沟通的桥梁
//
// Arguments:
//		pDriverObject - Passed from I/O Manager
//
// Return value:
//		STATUS_SUCCESS if successful,
//		STATUS_UNSUCCESSFUL otherwise
//--
{
	NTSTATUS status;
	PDEVICE_OBJECT         pGUIObject        = NULL;

	UNICODE_STRING		   GUIObjectNameString;
	UNICODE_STRING		   GUIObjectLinkString;
    PHOOK_EXTENSION        pGUIExt;	
	
	RtlInitUnicodeString( &GUIObjectNameString , gSymbol);
	RtlInitUnicodeString( &GUIObjectLinkString , gSymbolDos);

	// Now create the device
	status = IoCreateDevice( pDriverObject,
							sizeof(HOOK_EXTENSION),
							&GUIObjectNameString,
							FILE_DEVICE_FSTPM,
							0, TRUE,
							&pGUIObject );
	if (!NT_SUCCESS(status))
	{
		FsTPM_DbgPrint(("FsTPM.SYS: IoCreateDevice failed\n"));	
		return status;
	}
	
	pGUIDevice=pGUIObject;

	
	// Initialize the Device Extension
	// Get the Device Extension Pointer
	pGUIExt=(PHOOK_EXTENSION) pGUIObject->DeviceExtension;
	//
    // Mark this as our GUI device
    //
    pGUIExt->Type = GUIINTERFACE;
	pGUIExt->thisDriver=FsTPMDriverObject;

	// Now create the link name
	status = 
		IoCreateSymbolicLink( &GUIObjectLinkString,
							  &GUIObjectNameString);
	if (!NT_SUCCESS(status)) {
		// if it fails now, must delete Device object
		FsTPM_DbgPrint(("FsTPM.SYS: IoCreateSymbolicLink failed\n"));
		IoDeleteDevice( pGUIObject );
		return status;
	}

	
	// Made it
	return STATUS_SUCCESS;
}


VOID FsTPMUnload (
		IN PDRIVER_OBJECT	pDriverObject	
		) 
//++
// Function:	FsTPMUnload
//
// Description:
//		一般的，在文件系统编程中，我们并不提供UnLoad函数，
//      但为了测试方便，故提供之。
//
// Arguments:
//		pDriverObject - Passed from I/O Manager
//
// Return value:
//		none
//--
{	
	UNICODE_STRING wstrGuiLinkName;

	RtlInitUnicodeString( &wstrGuiLinkName, gSymbolDos);

	FsTPM_DbgPrint(("FsTPM.SYS: Unloading...\n"));

    //
    // Delete the symbolic link for our GUI device
    //
    IoDeleteSymbolicLink( &wstrGuiLinkName );
	FsTPM_DbgPrint(("FsTPM.SYS: Deleteing GUI Link ... OK\n"));
	
	//
	// Delete the Device Drivers that we've attached to...
	//
	UnloadDetach();
	FsTPM_DbgPrint(("FsTPM.SYS: Devices are detached ... OK \n"));

	IoDeleteDevice( pGUIDevice );
	FsTPM_DbgPrint(("FsTPM.SYS: I/O Control Device deleted ... OK \n"));

	ZwClose(HReq_Event);
	ZwClose(HAck_Event);

	FsTPM_DbgPrint(("FsTPM.SYS: Close event ... OK \n"));

	FsTPM_DbgPrint(("FsTPM.SYS:  Unload All, Completed ! \n"));
}
//#endif


NTSTATUS
FsTPMDispatch(
    IN PDEVICE_OBJECT pDeviceObject,
    IN PIRP           pIrp
    )
/*++

Followed Routine Description:

    Process the IRPs sent to this device.

Arguments:

    pDeviceObject - pointer to a device object

    pIrp          - pointer to an I/O Request Packet

Return Value:

--*/
{
	
	// 
	// 获得当前堆栈，以及下一个处理IRP的堆栈
	//
    PIO_STACK_LOCATION  pCurrentIrpStack = IoGetCurrentIrpStackLocation(pIrp);
    PIO_STACK_LOCATION  pNextIrpStack    = IoGetNextIrpStackLocation(pIrp);

    //
    // 指向我定义的扩展结构，该结构中包括了我所需要的关于下层文件系统的信息
    //
	PHOOK_EXTENSION     pHookExt=(PHOOK_EXTENSION)pDeviceObject->DeviceExtension;
	
	PDEVICE_OBJECT		pNextLowerDevice=pHookExt->Vcb.NextLowerDevice;

	PFILE_OBJECT        pFileObject=pCurrentIrpStack->FileObject;

	if (pHookExt->Type==GUIINTERFACE)
	{
		pIrp->IoStatus.Information = 0;
		pIrp->IoStatus.Status = STATUS_SUCCESS;

		IoCompleteRequest( pIrp, IO_NO_INCREMENT );
		return STATUS_SUCCESS;
	}
	
	//
	// 其他情况我们不作处理直接交给下方的设备处理
	//
	IoSkipCurrentIrpStackLocation(pIrp);

	NTSTATUS ntStatus=IoCallDriver( pNextLowerDevice, pIrp );

	return ntStatus;
}


VOID
ReadParamFromReg        (
						 IN     PUNICODE_STRING  RegistryPath,
						 IN     PDRIVER_OBJECT   DriverObject
						 )
						 /*++

						 Routine Description:

						 This routine tries to read the FsTPM-specific parameters from
						 the registry.  These values will be found in the registry location
						 indicated by the RegistryPath passed in.

						 Arguments:

						 RegistryPath - the path key which contains the values that are
						 the FsTPM parameters

						 Return Value:

						 None.

						 --*/
{

	return;
}