📄 hookdevice.cpp
//
// Setup the device extensions. The drive letter and file system object are stored
// in the extension.
//
hookExtension = (PHOOK_EXTENSION)hookDevice->DeviceExtension;
hookExtension->LogicalDrive = 'A'+(unsigned char)DiskNum;
hookExtension->Vcb.RealDevice = fileSysDevice; // 要作修改 , 应该是 VPB->REALDEVICE
hookExtension->Vcb.pVpb = pVpb;
hookExtension->Vcb.NextLowerDevice = Ret;
hookExtension->Hooked = TRUE;
hookExtension->Type = STANDARD;
hookExtension->thisDriver = FsTPMDriverObject;
FsTPM_DbgPrint(("%c: the AttachDevice = 0x%x NextLowerDeviceObject = 0x%x Vpb.RealDevice = 0x%x Vpb.DeviceObject = 0x%x \n ",'A'+(unsigned char)DiskNum,fileSysDevice, Ret, pVpb->RealDevice, pVpb->DeviceObject ));
if( NULL==Ret ) {
//
// Couldn' attach for some reason
//
FsTPM_DbgPrint(("FsTPM: Connect with Filesystem failed: %c (%x) =>%x\n",
'A'+DiskNum, fileSysDevice, ntStatus ));
//
// Derefence the object and get out
//
ObDereferenceObject( fileObject );
ZwClose( ntFileHandle );
return ntStatus;
} else {
//
// Make a new drive group for the device,l if it does not have one
// already
//
FsTPM_DbgPrint(("FsTPM: Successfully connected to Filesystem device %c\n", 'A'+DiskNum ));
}
//
// Determine if this is a NTFS drive
//
// fileFsAttributesSize = sizeof( FILE_FS_ATTRIBUTE_INFORMATION) + MAXPATHLEN;
// hookExtension->FsAttributes = (PFILE_FS_ATTRIBUTE_INFORMATION) ExAllocatePoolWithTag( NonPagedPool,
// fileFsAttributesSize,TAGS );
// if( hookExtension->FsAttributes &&
// !NT_SUCCESS( IoQueryVolumeInformation( fileObject, FileFsAttributeInformation,
// fileFsAttributesSize, hookExtension->FsAttributes,
// &fileFsAttributesSize ))) {
//
// //
// // On failure, we just don't have attributes for this file system
// //
// ExFreePool( hookExtension->FsAttributes );
// hookExtension->FsAttributes = NULL;
// }
//
// Close the file and update the hooked drive list by entering a
// pointer to the hook device object in it.
//
ObDereferenceObject( fileObject );
ZwClose( ntFileHandle );
DriveHookDevices[DiskNum] = hookDevice;
} else {
hookExtension = (PHOOK_EXTENSION)DriveHookDevices[DiskNum]->DeviceExtension;
hookExtension->Hooked = TRUE;
}
return STATUS_SUCCESS;
}
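VOID
UnhookDevice(
    IN ULONG DiskNum
    )
//++
// Function:    UnhookDevice
//
// Description:
//      Mark a previously hooked drive as no longer hooked by clearing the
//      Hooked flag in its hook device extension.
//
// Arguments:
//      DiskNum - zero-based drive index: 0 stands for drive A, 1 for drive B, etc.
//
// Return value:
//      None
//
// Notice:
//      This function only changes the Hooked flag in the extension. The hook
//      device object stays in DriveHookDevices and is neither detached nor
//      deleted here. To detach and delete hooked devices, see UnloadDetach().
//--
{
    PHOOK_EXTENSION hookExt;

    //
    // The loops in UnloadDetach and HookDeviceSet walk DriveHookDevices as a
    // 26-entry table (drives A-Z). Reject an index outside that range so a
    // bad caller value cannot read or write past the table.
    //
    if( DiskNum >= 26 ) {
        return;
    }

    //
    // If a hook device exists for this drive, flag it as unhooked
    //
    if( DriveHookDevices[DiskNum] ) {
        hookExt = (PHOOK_EXTENSION)DriveHookDevices[DiskNum]->DeviceExtension;
        hookExt->Hooked = FALSE;
    }
}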
VOID
UnloadDetach(
    VOID
    )
//++
// Function:    UnloadDetach
//
// Description:
//      Walk the drive table and, for every drive that has a hook device,
//      detach it, delete it, and clear every table slot that pointed at it.
//
// Arguments:
//      None
//
// Return value:
//      None
//
// Notice:
//      This function tears down the hook devices for a driver unload.
//      Unloading the filter driver is dangerous; use this in debug builds.
//      NOTE(review): nothing visible here waits for I/O still passing
//      through a hook device before it is deleted - confirm the caller
//      guarantees that.
//--
{
    ULONG letter;
    ULONG slot;
    PDEVICE_OBJECT hookDev;
    PHOOK_EXTENSION ext;

    for( letter = 0; letter < 26; letter++ ) {

        hookDev = DriveHookDevices[letter];
        if( !hookDev ) {
            //
            // No hook device for this drive letter
            //
            continue;
        }

        FsTPM_DbgPrint(("Unload %c:",'A'+letter));
        ext = (PHOOK_EXTENSION)hookDev->DeviceExtension;

        //
        // NOTE(review): IoDetachDevice expects the device object this
        // driver attached to. The attach code stores the attach result in
        // Vcb.NextLowerDevice and the queried file system device in
        // Vcb.RealDevice - confirm both always name the same object.
        //
        IoDetachDevice( ext->Vcb.RealDevice );
        IoDeleteDevice( hookDev );

        //
        // Several drive letters may share one hook device. Clear every
        // slot that references it so no stale pointer stays in the table
        // and the outer loop does not visit the deleted device again.
        //
        for( slot = 0; slot < 26; slot++ ) {
            if( DriveHookDevices[slot] == hookDev ) {
                DriveHookDevices[slot] = NULL;
            }
        }
    }
}
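ULONG
HookDeviceSet(
    IN ULONG DriveSet,
    IN PDRIVER_OBJECT DriverObject
    )
//++
// Function:    HookDeviceSet
//
// Description:
//      Hook/unhook a set of drives specified by the user. Return the set
//      that is currently hooked.
//
// Arguments:
//      DriveSet        - A bitmask; bit N selects drive 'A'+N. To hook drive C,
//                        set bit 2: DriveSet | (1<<2)
//      DriverObject    - Passed from I/O Manager; forwarded to HookDevice
//
// Return value:
//      The set of drives currently hooked, also stored in CurrentDriveSet
//--
{
    ULONG drive, i;
    ULONG bit;

    //
    // DriveSet comes from the user. Only bits 0-25 map to drive letters;
    // drop anything above so bits with no drive behind them are never
    // recorded in CurrentDriveSet or reported as hooked.
    //
    DriveSet &= ( (ULONG)1 << 26 ) - 1;

    //
    // Scan the drive table, looking for hits on the DriveSet bitmask
    //
    for ( drive = 0; drive < 26; ++drive ) {

        bit = (ULONG)1 << drive;

        //
        // Are we supposed to hook this drive?
        //
        if( (bit & DriveSet) &&
            !(bit & CurrentDriveSet) ) {

            //
            // Try to hook drive. The visible tail of HookDevice returns
            // NTSTATUS values (ntStatus / STATUS_SUCCESS), and
            // STATUS_SUCCESS is 0, so the result must be tested with
            // NT_SUCCESS. A plain '!' would treat success as failure.
            //
            if( !NT_SUCCESS( HookDevice( drive, DriverObject ) ) ) {

                //
                // Remove from drive set if can't be hooked
                //
                DriveSet &= ~bit;

            } else {

                //
                // Hook drives in same drive group: every letter that
                // shares this hook device is reported as hooked too
                //
                for( i = 0; i < 26; i++ ) {
                    if( DriveHookDevices[i] == DriveHookDevices[ drive ] ) {
                        DriveSet |= ( (ULONG)1 << i );
                    }
                }
            }

        } else if( !(bit & DriveSet) &&
                   (bit & CurrentDriveSet) ) {

            //
            // Unhook this drive and all in the group
            //
            for( i = 0; i < 26; i++ ) {
                if( DriveHookDevices[i] == DriveHookDevices[ drive ] ) {
                    UnhookDevice( i );
                    DriveSet &= ~( (ULONG)1 << i );
                }
            }
        }
    }

    //
    // Return set of drives currently hooked
    //
    CurrentDriveSet = DriveSet;
    return DriveSet;
}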