📄 eddrv.c
字号:
KeReleaseSpinLock( &CountMutex, oldirql );
HookDriveSet( 0, DeviceObject->DriverObject );
} else {
KeReleaseSpinLock( &CountMutex, oldirql );
}
break;
case EDDrv_zerostats:
break;
case EDDrv_getstats:
break;
default:
IoStatus->Status = STATUS_INVALID_DEVICE_REQUEST;
break;
}
retval = TRUE;
} else {
hookExt = DeviceObject->DeviceExtension;
if( FASTIOPRESENT( hookExt, FastIoDeviceControl )) {
EDDrvGetFullPath( FALSE, FileObject, hookExt, fullPathName );
retval = hookExt->FileSystem->DriverObject->FastIoDispatch->FastIoDeviceControl(
FileObject, Wait, InputBuffer, InputBufferLength, OutputBuffer,
OutputBufferLength, IoControlCode, IoStatus, hookExt->FileSystem );
}
}
return retval;
}
VOID EDDrvFastIoAcquireFile( PFILE_OBJECT FileObject ) {
PDEVICE_OBJECT deviceObject, checkDevice;
PHOOK_EXTENSION hookExt;
CHAR *fullPathName, name[PROCNAMELEN];
LARGE_INTEGER timeStampStart, timeStampComplete, timeResult;
checkDevice = FileObject->DeviceObject->Vpb->DeviceObject;
while( checkDevice ) {
if( checkDevice->DriverObject == EDDrvDriver ) {
deviceObject = checkDevice;
hookExt = deviceObject->DeviceExtension;
if( FASTIOPRESENT( hookExt, AcquireFileForNtCreateSection )) {
fullPathName = ExAllocatePool( NonPagedPool, MAXPATHLEN );
if( fullPathName ) {
EDDrvGetFullPath( FALSE, FileObject, hookExt, fullPathName );
}
hookExt->FileSystem->DriverObject->FastIoDispatch->AcquireFileForNtCreateSection(
FileObject );
if ( fullPathName ) ExFreePool( fullPathName );
}
return;
}
checkDevice = checkDevice->AttachedDevice;
}
}
VOID EDDrvFastIoReleaseFile( PFILE_OBJECT FileObject ) {
PDEVICE_OBJECT deviceObject, checkDevice;
PHOOK_EXTENSION hookExt;
CHAR *fullPathName, name[PROCNAMELEN];
LARGE_INTEGER timeStampStart, timeStampComplete, timeResult;
checkDevice = FileObject->DeviceObject->Vpb->DeviceObject;
while( checkDevice ) {
if( checkDevice->DriverObject == EDDrvDriver ) {
deviceObject = IoGetRelatedDeviceObject( FileObject );
hookExt = deviceObject->DeviceExtension;
if( FASTIOPRESENT( hookExt, ReleaseFileForNtCreateSection )) {
fullPathName = ExAllocatePool( NonPagedPool, MAXPATHLEN );
if( fullPathName ) {
EDDrvGetFullPath( FALSE, FileObject, hookExt, fullPathName );
}
hookExt->FileSystem->DriverObject->FastIoDispatch->ReleaseFileForNtCreateSection( FileObject );
if ( fullPathName ) ExFreePool( fullPathName );
}
return;
}
checkDevice = checkDevice->AttachedDevice;
}
}
VOID EDDrvFastIoDetachDevice( PDEVICE_OBJECT SourceDevice, PDEVICE_OBJECT TargetDevice ) {
PHOOK_EXTENSION hookExt;
ULONG i;
CHAR name[PROCNAMELEN];
LARGE_INTEGER timeStampStart, timeStampComplete, timeResult;
for( i = 0; i < 26; i++ ) {
if( SourceDevice == LDriveDevices[i] ) {
hookExt = SourceDevice->DeviceExtension;
IoDetachDevice( TargetDevice );
IoDeleteDevice( SourceDevice );
LDriveDevices[i] = NULL;
LDriveMap[i] = 0;
return;
}
}
hookExt = SourceDevice->DeviceExtension;
if( FASTIOPRESENT( hookExt, FastIoDetachDevice )) {
hookExt->FileSystem->DriverObject->FastIoDispatch->FastIoDetachDevice(
SourceDevice, TargetDevice );
}
}
VOID EDDrvHookDoneWork( PVOID Context )
{
PEDDrv_WORK EDDrvWork = (PEDDrv_WORK) Context;
ExFreePool( EDDrvWork );
}
NTSTATUS EDDrvHookDone( IN PDEVICE_OBJECT DeviceObject, IN PIRP Irp,
IN PVOID Context )
{
PIO_STACK_LOCATION IrpSp;
int seq = (int)Context;
CHAR errval[ERRORLEN], errString[ERRORLEN];
KIRQL oldirql;
LARGE_INTEGER timeStampStart, timeStampComplete, timeResult;
PEDDrv_WORK EDDrvWorkContext;
PUCHAR Buffer = NULL,NeitherBuffer = NULL,DirectBuffer = NULL;
ULONG Len,DirLen,readLen = 0,smallLen = 0;
ULONG i = 0;
LOCK_OPERATION Operation;
PSECTION_OBJECT_POINTERS pSectionPointers = NULL;
PIO_STATUS_BLOCK pIoStatus = NULL;
PUCHAR ptr = NULL;
PMDL Mdl = NULL;
NTSTATUS status;
int BufferingType;
BOOLEAN IsNeitherBuffer=FALSE;
UCHAR cc;
IrpSp = IoGetCurrentIrpStackLocation( Irp );
if(UserValid==TRUE)
{
DbgPrint(("Read Completion Started\n"));
if(Irp!=NULL)
{
if(Irp->UserBuffer!=NULL)
{
IsNeitherBuffer=TRUE;
if((Irp->MdlAddress)!=NULL)
BufferingType=BUFFER_NEITHER_DIRECT;
else if((Irp->AssociatedIrp.SystemBuffer)!=NULL )
BufferingType=BUFFER_NEITHER_BUFFERED;
else
BufferingType=BUFFER_NEITHER_NONE;
}
}
if( (IrpSp->MajorFunction)==IRP_MJ_CREATE)
{
EmptyBuffer(IrpSp);
}
Operation=IoWriteAccess;
if(Irp != NULL)
{
if(IrpSp != NULL)
{
if(NT_SUCCESS(Irp->IoStatus.Status))
{
if(IrpSp->MajorFunction == IRP_MJ_READ)
{
Len=(Irp->IoStatus.Information);
if(IsNeitherBuffer==FALSE)
{
if(Irp->AssociatedIrp.SystemBuffer!=NULL)
{
DbgPrint(("Read Completion: Buffered IO\n"));
}
if(Irp->MdlAddress!=NULL)
{
DbgPrint(("Read Completion: Direct IO\n"));
DirectBuffer=(PUCHAR)MmGetSystemAddressForMdlSafe( Irp->MdlAddress, NormalPagePriority );
DirLen=MmGetMdlByteCount( Irp->MdlAddress );
DbgPrint(("Decrypted Buffer is: \n" ));
for(i=0;i<Len;i++)
{
DirectBuffer[i]=(DirectBuffer[i]^0xAA);
}
DbgPrint(("\n"));
}
}
else if(IsNeitherBuffer==TRUE)
{
DbgPrint(("Read Completion: Neither IO\n"));
Len=(Irp->IoStatus.Information);
DbgPrint(("Neither IO Len is %lu\n",Len));
switch(BufferingType)
{
case BUFFER_NEITHER_DIRECT:
DbgPrint(("Read Completion: Neither_Direct IO\n"));
DirectBuffer=(PUCHAR)MmGetSystemAddressForMdlSafe( Irp->MdlAddress, NormalPagePriority );
DirLen=MmGetMdlByteCount( Irp->MdlAddress );
DbgPrint(("Decrypted Buffer is: \n" ));
for(i=0;i<Len;i++)
{
DirectBuffer[i]=(DirectBuffer[i]^0xAA);
}
DbgPrint(("\n"));
DbgPrint(("First Element = %c",DirectBuffer[0]));
break;
case BUFFER_NEITHER_BUFFERED:
DbgPrint(("Read Completion: Neither_Buffered IO\n"));
break;
case BUFFER_NEITHER_NONE:
DbgPrint(("Only Irp->UserBuffer is Populated\n"));
if(Len > 0)
{
DbgPrint(("Len > 0\n"));
NeitherBuffer = (PUCHAR)ExAllocatePool(NonPagedPool,Len);
if(NeitherBuffer != NULL)
{
DbgPrint(("NeitherBuffer Allocated Successfully\n"));
RtlCopyMemory(NeitherBuffer, Irp->UserBuffer, Len);
DbgPrint(("NeitherBuffer Copied Successfully\n"));
for(i=0;i<Len;i++)
{
NeitherBuffer[i] = NeitherBuffer[i]^0xAA;
}
DbgPrint(("Only NeitherBuffer decrypted successfully\n"));
}
Irp->UserBuffer = NeitherBuffer;
}
break;
}
}
}
else if(IrpSp->MajorFunction == IRP_MJ_WRITE)
{
if(IrpSp->FileObject != NULL)
{
DbgPrint(("FileObject Not Null\n"));
pSectionPointers = (PSECTION_OBJECT_POINTERS)((IrpSp->FileObject)+0x14);
if(pSectionPointers != NULL)
{
DbgPrint(("Section Object Pointers Not Null\n"));
}
}
else
{
DbgPrint(("FileObject Null\n"));
}
}
}
}
}
}
if( FilterOn ) {
DbgPrint(("Inside Completion Routine1\n"));
if( KeGetCurrentIrql() == DISPATCH_LEVEL ) {
EDDrvWorkContext = ExAllocatePool( NonPagedPool, sizeof(EDDrv_WORK));
if( EDDrvWorkContext ) {
DbgPrint(("Inside Completion Routine2\n"));
EDDrvWorkContext->Sequence = seq;
ExInitializeWorkItem( &EDDrvWorkContext->WorkItem,
EDDrvHookDoneWork, EDDrvWorkContext );
ExQueueWorkItem( &EDDrvWorkContext->WorkItem, CriticalWorkQueue );
}
} else {
DbgPrint(("Inside Completion Routine3\n"));
}
}
if( (IrpSp->MajorFunction == IRP_MJ_CREATE ||
IrpSp->MajorFunction == IRP_MJ_CREATE_NAMED_PIPE ||
IrpSp->MajorFunction == IRP_MJ_CREATE_MAILSLOT ) &&
!NT_SUCCESS( Irp->IoStatus.Status )) {
EDDrvFreeHashEntry( IrpSp->FileObject );
}
DbgPrint(("Inside Completion Routine4\n"));
KeAcquireSpinLock( &CountMutex, &oldirql );
OutstandingIRPCount--;
KeReleaseSpinLock( &CountMutex, oldirql );
DbgPrint(("Inside Completion Routine5\n"));
if( Irp->PendingReturned ) {
IoMarkIrpPending( Irp );
}
return Irp->IoStatus.Status;
}
NTSTATUS EDDrvHookRoutine( PDEVICE_OBJECT HookDevice, IN PIRP Irp )
{
PIO_STACK_LOCATION currentIrpStack = IoGetCurrentIrpStackLocation(Irp);
PIO_STACK_LOCATION nextIrpStac⌨️ 快捷键说明
复制代码
Ctrl + C
搜索代码
Ctrl + F
全屏模式
F11
切换主题
Ctrl + Shift + D
显示快捷键
?
增大字号
Ctrl + =
减小字号
Ctrl + -