//
for( i = 0; i < 26; i++ ) {
if( LDriveMap[i] == LDriveMap[ drive ] &&
!LDriveDevices[i] ) {
DriveSet |= ( 1<<i );
LDriveDevices[i] = LDriveDevices[drive];
}
}
}
} else {
//
// Try to unhook drive
//
if ( ! UnhookDrive( (char)('A'+drive) ) ) {
//
// Unhook failed, leave the drive marked as hooked
//
DriveSet |= bit;
} else {
//
// Unhook worked. Mark all drives in same group as
// unhooked
//
for( i = 0; i< 26; i++ ) {
if( LDriveMap[i] == LDriveMap[ drive ] &&
LDriveDevices[i] ) {
DriveSet &= ~(1 << i);
LDriveDevices[i] = NULL;
}
}
}
}
}
//
// Return set of drives currently hooked
//
return DriveSet;
}
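//----------------------------------------------------------------------
//
// ControlCodeString
//
// Takes a control code and sees if we know what it is.
//
// Looks ControlCode up in a table of the FSCTL codes Filemon knows and
// copies the symbolic name into Buffer; any other code is rendered as
// "IOCTL: 0x<hex>". Buffer carries no length argument, so the caller
// must supply at least 32 bytes: the longest name in the table is 31
// characters (FSCTL_FILESYSTEM_GET_STATISTICS and
// FSCTL_OPBATCH_ACK_CLOSE_PENDING) plus the terminator, and the fallback
// "IOCTL: 0x" plus at most 8 hex digits is shorter. Returns Buffer so
// the call can be used directly as a printf argument.
//
//----------------------------------------------------------------------
PCHAR ControlCodeString( ULONG ControlCode, PCHAR Buffer )
{
    //
    // Code/name pairs. The name is produced by stringizing the macro so
    // it can never drift from the code it labels, and the table form
    // keeps the "longest name" bound above easy to audit.
    //
#define FSCTL_NAME( code ) { code, #code }
    static const struct {
        ULONG       Code;
        const char *Name;
    } KnownCodes[] = {
        FSCTL_NAME( FSCTL_REQUEST_OPLOCK_LEVEL_1 ),
        FSCTL_NAME( FSCTL_REQUEST_OPLOCK_LEVEL_2 ),
        FSCTL_NAME( FSCTL_REQUEST_BATCH_OPLOCK ),
        FSCTL_NAME( FSCTL_OPLOCK_BREAK_ACKNOWLEDGE ),
        FSCTL_NAME( FSCTL_OPBATCH_ACK_CLOSE_PENDING ),
        FSCTL_NAME( FSCTL_OPLOCK_BREAK_NOTIFY ),
        FSCTL_NAME( FSCTL_LOCK_VOLUME ),
        FSCTL_NAME( FSCTL_UNLOCK_VOLUME ),
        FSCTL_NAME( FSCTL_DISMOUNT_VOLUME ),
        FSCTL_NAME( FSCTL_IS_VOLUME_MOUNTED ),
        FSCTL_NAME( FSCTL_IS_PATHNAME_VALID ),
        FSCTL_NAME( FSCTL_MARK_VOLUME_DIRTY ),
        FSCTL_NAME( FSCTL_QUERY_RETRIEVAL_POINTERS ),
        FSCTL_NAME( FSCTL_GET_COMPRESSION ),
        FSCTL_NAME( FSCTL_SET_COMPRESSION ),
        FSCTL_NAME( FSCTL_OPLOCK_BREAK_ACK_NO_2 ),
        FSCTL_NAME( FSCTL_QUERY_FAT_BPB ),
        FSCTL_NAME( FSCTL_REQUEST_FILTER_OPLOCK ),
        FSCTL_NAME( FSCTL_FILESYSTEM_GET_STATISTICS ),
        FSCTL_NAME( FSCTL_GET_NTFS_VOLUME_DATA ),
        FSCTL_NAME( FSCTL_GET_NTFS_FILE_RECORD ),
        FSCTL_NAME( FSCTL_GET_VOLUME_BITMAP ),
        FSCTL_NAME( FSCTL_GET_RETRIEVAL_POINTERS ),
        FSCTL_NAME( FSCTL_MOVE_FILE ),
        FSCTL_NAME( FSCTL_IS_VOLUME_DIRTY ),
        FSCTL_NAME( FSCTL_ALLOW_EXTENDED_DASD_IO ),
        //
        // *** new to NT 5.0
        //
#if NT5_IOCTLS
        FSCTL_NAME( FSCTL_READ_PROPERTY_DATA ),
        FSCTL_NAME( FSCTL_WRITE_PROPERTY_DATA ),
        FSCTL_NAME( FSCTL_FIND_FILES_BY_SID ),
        FSCTL_NAME( FSCTL_DUMP_PROPERTY_DATA ),
        FSCTL_NAME( FSCTL_SET_OBJECT_ID ),
        FSCTL_NAME( FSCTL_GET_OBJECT_ID ),
        FSCTL_NAME( FSCTL_DELETE_OBJECT_ID ),
        FSCTL_NAME( FSCTL_SET_REPARSE_POINT ),
        FSCTL_NAME( FSCTL_GET_REPARSE_POINT ),
        FSCTL_NAME( FSCTL_DELETE_REPARSE_POINT ),
        FSCTL_NAME( FSCTL_ENUM_USN_DATA ),
        FSCTL_NAME( FSCTL_SECURITY_ID_CHECK ),
        FSCTL_NAME( FSCTL_READ_USN_JOURNAL ),
        FSCTL_NAME( FSCTL_SET_OBJECT_ID_EXTENDED ),
        FSCTL_NAME( FSCTL_CREATE_OR_GET_OBJECT_ID ),
        FSCTL_NAME( FSCTL_SET_SPARSE ),
        FSCTL_NAME( FSCTL_SET_ZERO_DATA ),
        FSCTL_NAME( FSCTL_QUERY_ALLOCATED_RANGES ),
        FSCTL_NAME( FSCTL_ENABLE_UPGRADE ),
        FSCTL_NAME( FSCTL_SET_ENCRYPTION ),
        FSCTL_NAME( FSCTL_ENCRYPTION_FSCTL_IO ),
        FSCTL_NAME( FSCTL_WRITE_RAW_ENCRYPTED ),
        FSCTL_NAME( FSCTL_READ_RAW_ENCRYPTED ),
        FSCTL_NAME( FSCTL_CREATE_USN_JOURNAL ),
        FSCTL_NAME( FSCTL_READ_FILE_USN_DATA ),
        FSCTL_NAME( FSCTL_WRITE_USN_CLOSE_RECORD ),
        FSCTL_NAME( FSCTL_EXTEND_VOLUME ),
#endif
    };
#undef FSCTL_NAME
    ULONG i;

    //
    // Known code: copy the fixed name. strcpy rather than sprintf so the
    // name is never interpreted as a format string.
    //
    for( i = 0; i < sizeof KnownCodes / sizeof KnownCodes[0]; i++ ) {
        if( KnownCodes[i].Code == ControlCode ) {
            strcpy( Buffer, KnownCodes[i].Name );
            return Buffer;
        }
    }

    //
    // Unknown code: show it in hex. ULONG is unsigned long, so the
    // conversion is "%lX" with a matching unsigned long argument.
    //
    sprintf( Buffer, "IOCTL: 0x%lX", (unsigned long) ControlCode );
    return Buffer;
}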
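//----------------------------------------------------------------------
//
// ErrorString
//
// Returns string representing the passed error condition.
//
// Looks RetStat up in a table of NTSTATUS values Filemon reports by name
// and copies the short description into Buffer; any other status is
// rendered as "* 0x<hex>". Buffer carries no length argument, so the
// caller must supply at least 23 bytes: the longest text in the table is
// "INVALID DEVICE REQUEST" (22 characters) plus the terminator, and the
// fallback "* 0x" plus at most 8 hex digits is shorter. Returns Buffer.
//
//----------------------------------------------------------------------
PCHAR ErrorString( NTSTATUS RetStat, PCHAR Buffer )
{
    //
    // Status/text pairs. Table form keeps the "longest text" bound above
    // easy to audit and makes a duplicated or mismatched text obvious.
    //
    static const struct {
        NTSTATUS    Status;
        const char *Text;
    } KnownStatus[] = {
        { STATUS_SUCCESS,                   "SUCCESS" },
        { STATUS_CRC_ERROR,                 "CRC ERROR" },
        { STATUS_NOT_IMPLEMENTED,           "NOT IMPLEMENTED" },
        { STATUS_EAS_NOT_SUPPORTED,         "EAS NOT SUPPORTED" },
        { STATUS_EA_TOO_LARGE,              "EA TOO LARGE" },
        { STATUS_NONEXISTENT_EA_ENTRY,      "NONEXISTENT EA ENTRY" },
        { STATUS_BAD_NETWORK_NAME,          "BAD NETWORK NAME" },
        { STATUS_NOTIFY_ENUM_DIR,           "NOTIFY ENUM DIR" },
        { STATUS_FILE_CORRUPT_ERROR,        "FILE CORRUPT" },
        { STATUS_DISK_CORRUPT_ERROR,        "DISK CORRUPT" },
        { STATUS_RANGE_NOT_LOCKED,          "RANGE NOT LOCKED" },
        { STATUS_FILE_CLOSED,               "FILE CLOSED" },
        { STATUS_IN_PAGE_ERROR,             "IN PAGE ERROR" },
        { STATUS_CANCELLED,                 "CANCELLED" },
        { STATUS_QUOTA_EXCEEDED,            "QUOTA EXCEEDED" },
        { STATUS_NOT_SUPPORTED,             "NOT SUPPORTED" },
        { STATUS_NO_MORE_FILES,             "NO MORE FILES" },
        { STATUS_OBJECT_NAME_INVALID,       "NAME INVALID" },
        { STATUS_OBJECT_NAME_NOT_FOUND,     "FILE NOT FOUND" },
        { STATUS_NOT_A_DIRECTORY,           "NOT A DIRECTORY" },
        { STATUS_NO_SUCH_FILE,              "NO SUCH FILE" },
        { STATUS_OBJECT_NAME_COLLISION,     "NAME COLLISION" },
        { STATUS_NONEXISTENT_SECTOR,        "NONEXISTENT SECTOR" },
        { STATUS_BAD_NETWORK_PATH,          "BAD NETWORK PATH" },
        { STATUS_OBJECT_PATH_NOT_FOUND,     "PATH NOT FOUND" },
        //
        // Previously reported as "INVALID PARAMETER", the same text as
        // STATUS_INVALID_PARAMETER below, which made the two statuses
        // indistinguishable in the log; give it its own text.
        //
        { STATUS_NO_SUCH_DEVICE,            "NO SUCH DEVICE" },
        { STATUS_END_OF_FILE,               "END OF FILE" },
        { STATUS_NOTIFY_CLEANUP,            "NOTIFY CLEANUP" },
        { STATUS_BUFFER_OVERFLOW,           "BUFFER OVERFLOW" },
        { STATUS_NO_MORE_ENTRIES,           "NO MORE ENTRIES" },
        { STATUS_ACCESS_DENIED,             "ACCESS DENIED" },
        { STATUS_SHARING_VIOLATION,         "SHARING VIOLATION" },
        { STATUS_INVALID_PARAMETER,         "INVALID PARAMETER" },
        { STATUS_OPLOCK_BREAK_IN_PROGRESS,  "OPLOCK BREAK" },
        { STATUS_OPLOCK_NOT_GRANTED,        "OPLOCK NOT GRANTED" },
        { STATUS_FILE_LOCK_CONFLICT,        "FILE LOCK CONFLICT" },
        { STATUS_PENDING,                   "PENDING" },
        { STATUS_REPARSE,                   "REPARSE" },
        { STATUS_MORE_ENTRIES,              "MORE" },
        { STATUS_DELETE_PENDING,            "DELETE PEND" },
        { STATUS_LOCK_NOT_GRANTED,          "NOT GRANTED" },
        { STATUS_FILE_IS_A_DIRECTORY,       "IS DIRECTORY" },
        { STATUS_ALREADY_COMMITTED,         "ALREADY COMMITTED" },
        { STATUS_INVALID_EA_FLAG,           "INVALID EA FLAG" },
        { STATUS_INVALID_INFO_CLASS,        "INVALID INFO CLASS" },
        { STATUS_INVALID_HANDLE,            "INVALID HANDLE" },
        { STATUS_INVALID_DEVICE_REQUEST,    "INVALID DEVICE REQUEST" },
        { STATUS_WRONG_VOLUME,              "WRONG VOLUME" },
        { STATUS_UNEXPECTED_NETWORK_ERROR,  "NETWORK ERROR" },
        { STATUS_DFS_UNAVAILABLE,           "DFS UNAVAILABLE" },
        { STATUS_LOG_FILE_FULL,             "LOG FILE FULL" },
    };
    ULONG i;

    //
    // Known status: copy the fixed text.
    //
    for( i = 0; i < sizeof KnownStatus / sizeof KnownStatus[0]; i++ ) {
        if( KnownStatus[i].Status == RetStat ) {
            strcpy( Buffer, KnownStatus[i].Text );
            return Buffer;
        }
    }

    //
    // Unknown status: show it in hex. NTSTATUS is a signed long, so
    // convert to unsigned long and use the matching "%lX" conversion.
    //
    sprintf( Buffer, "* 0x%lX", (unsigned long) RetStat );
    return Buffer;
}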
//----------------------------------------------------------------------
// F A S T I O R O U T I N E S
//
// NOTE: There is no need for us to worry about accessing fastio
// parameters within try/except because the I/O manager has either
// probed the validity of the arguments or calls within its own
// try/except block (it doesn't trust us anyway :-) ).
//
//----------------------------------------------------------------------
//----------------------------------------------------------------------
//
// FilemonFastIoCheckIfPossible
//
//----------------------------------------------------------------------
BOOLEAN FilemonFastIoCheckifPossible( IN PFILE_OBJECT FileObject, IN PLARGE_INTEGER FileOffset,
IN ULONG Length, IN BOOLEAN Wait, IN ULONG LockKey, IN BOOLEAN CheckForReadOperation,
OUT PIO_STATUS_BLOCK IoStatus, IN PDEVICE_OBJECT DeviceObject ) {
BOOLEAN retval = FALSE;
PHOOK_EXTENSION hookExt;
CHAR *fullPathName, name[PROCNAMELEN], errorBuf