📄 sfilter.c

📁 网络过滤驱动,可以截获网络封包!对其进行分析拦截!
SfAttachDeviceToDeviceStack(
	IN PDEVICE_OBJECT SourceDevice,
	IN PDEVICE_OBJECT TargetDevice,
	IN OUT PDEVICE_OBJECT *AttachedToDeviceObject
	);

// Forward declarations for the helper routines defined later in this file.
// The ALLOC_PRAGMA section below assigns most of them to the PAGE (pageable)
// or INIT (discarded after DriverEntry) text sections; routines not listed
// there stay in the default non-paged section.
NTSTATUS
SfAttachToFileSystemDevice(
	IN PDEVICE_OBJECT DeviceObject,
	IN PUNICODE_STRING DeviceName
	);

VOID
SfDetachFromFileSystemDevice(
	IN PDEVICE_OBJECT DeviceObject
	);

NTSTATUS
SfAttachToMountedDevice(
	IN PDEVICE_OBJECT DeviceObject,
	IN PDEVICE_OBJECT SFilterDeviceObject
	);

VOID
SfCleanupMountedDevice(
	IN PDEVICE_OBJECT DeviceObject
	);

// Only compiled for Windows XP (WINVER 0x0501) and later; its alloc_text
// entry below carries the same guard.
#if WINVER >= 0x0501
NTSTATUS
SfEnumerateFileSystemVolumes(
	IN PDEVICE_OBJECT FSDeviceObject,
	IN PUNICODE_STRING FSName
	);
#endif

// Both name routines fill a caller-supplied UNICODE_STRING (IN OUT).
// Presumably the caller provides Name->Buffer sized by MaximumLength —
// confirm against the definitions before relying on that.
VOID
SfGetObjectName(
	IN PVOID Object,
	IN OUT PUNICODE_STRING Name
	);

VOID
SfGetBaseDeviceObjectName(
	IN PDEVICE_OBJECT DeviceObject,
	IN OUT PUNICODE_STRING DeviceName
	);

// Attach checks; AttachedDeviceObject is OPTIONAL and may be NULL.
// NOTE(review): SfIsAttachedToDeviceWXPAndLater is declared unconditionally
// here but placed in PAGE only under WINVER >= 0x0501 below — confirm its
// definition is guarded the same way as SfEnumerateFileSystemVolumes.
BOOLEAN
SfIsAttachedToDevice(
	PDEVICE_OBJECT DeviceObject,
	PDEVICE_OBJECT *AttachedDeviceObject OPTIONAL
	);

BOOLEAN
SfIsAttachedToDeviceW2K(
	PDEVICE_OBJECT DeviceObject,
	PDEVICE_OBJECT *AttachedDeviceObject OPTIONAL
	);

BOOLEAN
SfIsAttachedToDeviceWXPAndLater(
	PDEVICE_OBJECT DeviceObject,
	PDEVICE_OBJECT *AttachedDeviceObject OPTIONAL
	);

// Called once from DriverEntry with the driver's registry path. It lives in
// the INIT section (see alloc_text below), so it must not be reached after
// initialization completes.
VOID
SfReadDriverParameters(
	IN PUNICODE_STRING RegistryPath
	);

// Result is returned through IsShadowCopy; the NTSTATUS reports the query.
NTSTATUS
SfIsShadowCopyVolume (
	IN PDEVICE_OBJECT StorageStackDeviceObject,
	OUT PBOOLEAN IsShadowCopy
	);

// NOTE(review): FileName is an OUT buffer with no length parameter, so the
// callee cannot bound its write. DriverEntry sizes the file-name lookaside
// list at MAX_PATH * sizeof(WCHAR); confirm every caller passes a buffer of
// at least that size, or add an explicit length parameter.
BOOLEAN
SfDissectFileName(
	IN PDEVICE_OBJECT DeviceObject,
	IN PIRP Irp,
	OUT PWSTR FileName
	);

// RTL_GENERIC_TABLE callbacks (compare / allocate / free). Presumably backed
// by gFsCtxLookAsideList initialized in DriverEntry — confirm.
RTL_GENERIC_COMPARE_RESULTS
SfGenericCompareRoutine(
	IN PRTL_GENERIC_TABLE Table,
	IN PVOID FirstStruct,
	IN PVOID SecondStruct
	);

PVOID
SfGenericAllocateRoutine(
	IN PRTL_GENERIC_TABLE Table,
	IN CLONG ByteSize
	);

VOID
SfGenericFreeRoutine(
	IN PRTL_GENERIC_TABLE Table,
	IN PVOID Buffer
	);

// Data/DataLength form a bounded buffer pair: Data is written (OUT) here and
// read (IN) by SfSetFileEncrypted. FileName is a NUL-terminated PCWSTR —
// callers must terminate names extracted from I/O requests before use.
NTSTATUS
SfIsEncryptFlagExist(
	IN PDEVICE_OBJECT DeviceObject,
	IN PCWSTR FileName,
	OUT PBOOLEAN Encrypted,
	OUT PVOID Data,
	IN ULONG DataLength
	);

NTSTATUS
SfIsFileNeedEncrypt(
	IN PDEVICE_OBJECT DeviceObject,
	IN PCWSTR FileName,
	OUT PBOOLEAN NeedEncrypt
	);

NTSTATUS
SfSetFileEncrypted(
	IN PDEVICE_OBJECT DeviceObject,
	IN PCWSTR FileName,
	IN BOOLEAN IsEncrypted,
	IN PVOID Data,
	IN ULONG DataLength	
	);

NTSTATUS
SfEncryptDecryptFileByFileObject(
	IN PDEVICE_OBJECT DeviceObject,
	IN PFILE_OBJECT FileObject
	);

// Issues one read or write IRP (selected by MajorFunction) and waits for it.
// NOTE(review): IoStatus is annotated IN although a status block is normally
// filled by the callee — it should probably be OUT; confirm in the definition.
NTSTATUS
SfIssueReadWriteIrpSynchronously(
	IN PDEVICE_OBJECT DeviceObject,
	IN PFILE_OBJECT FileObject,
	IN ULONG MajorFunction,
	IN PIO_STATUS_BLOCK IoStatus,
	IN PVOID Buffer,
	IN ULONG Length,
	IN PLARGE_INTEGER ByteOffset,
	IN ULONG IrpFlags
	);

NTSTATUS
SfIssueCleanupIrpSynchronously(
	IN PDEVICE_OBJECT NextDeviceObject,
	IN PIRP Irp,
	IN PFILE_OBJECT FileObject
	);

// IsFile presumably selects file vs. directory creation — confirm.
NTSTATUS
SfCreateFile(
	IN PCWSTR FileName,
	IN ULONG FileAttributes,
	IN BOOLEAN IsFile
	);

// NOTE(review): takes PWSTR where SfCreateFile takes PCWSTR; if the names are
// not modified, PCWSTR would be the consistent choice.
NTSTATUS
SfRenameFile(
	IN PWSTR SrcFileName,
	IN PWSTR DstFileName
	);

// "Syncronously" (sic) — name kept for compatibility with the definition.
NTSTATUS
SfForwardIrpSyncronously(
	IN PDEVICE_OBJECT DeviceObject,
	IN PIRP Irp
	);

// Returns a handle (presumably to the rules file) through FileHandle;
// DriverEntry stores it in gRuleFileHandle.
// NOTE(review): DriverEntry's failure paths call ZwClose(&gRuleFileHandle).
// ZwClose takes the HANDLE by value, so this passes the address of the global
// instead (HANDLE is PVOID, so the compiler accepts HANDLE* silently) and the
// real handle is never closed — those calls should be ZwClose(gRuleFileHandle).
NTSTATUS
SfLoadRules(
	OUT PHANDLE FileHandle
	);

// Rule matching. FileName reaches these from I/O requests and is therefore
// caller-controlled; confirm it is NUL-terminated before it is passed as PCWSTR.
// The ULONG result's meaning (index or flags) is not visible here — confirm.
ULONG 
SfMatchRules(
	IN PCWSTR FileName
	);

BOOLEAN
SfMatchWithPattern(
	IN PCWSTR Pattern,
	IN PCWSTR Name
	);

BOOLEAN
SfMatchOkay(
	IN PCWSTR Pattern
	);

///////////////////////////////////////////////////////////////////////////////
//
// Assign text sections for each routine.
//
///////////////////////////////////////////////////////////////////////////////

#ifdef ALLOC_PRAGMA
// DriverEntry runs once; INIT code is discarded after it returns.
#pragma alloc_text(INIT, DriverEntry)

// Unload is paged only in the DBG build on XP and later, matching DriverEntry,
// which registers DriverUnload under the same DBG && WINVER condition.
#if DBG && WINVER >= 0x0501
#pragma alloc_text(PAGE, DriverUnload)
#endif

// PAGE routines are pageable and must only be entered at an IRQL where page
// faults are allowed. Routines declared above but not listed here (e.g.
// SfCleanupMountedDevice, SfGetObjectName, SfDissectFileName, the generic
// table callbacks, the encrypt/rules helpers and the synchronous IRP issuers)
// stay in the default non-paged section — presumably because some of them
// may run at raised IRQL; confirm for each.
#pragma alloc_text(PAGE, SfFsNotification)
#pragma alloc_text(PAGE, SfCreate)
#pragma alloc_text(PAGE, SfCleanupClose)
#pragma alloc_text(PAGE, SfFsControl)
#pragma alloc_text(PAGE, SfFsControlMountVolume)
#pragma alloc_text(PAGE, SfFsControlMountVolumeComplete)
#pragma alloc_text(PAGE, SfFsControlLoadFileSystem)
#pragma alloc_text(PAGE, SfFsControlLoadFileSystemComplete)
#pragma alloc_text(PAGE, SfFastIoCheckIfPossible)
#pragma alloc_text(PAGE, SfFastIoRead)
#pragma alloc_text(PAGE, SfFastIoWrite)
#pragma alloc_text(PAGE, SfFastIoQueryBasicInfo)
#pragma alloc_text(PAGE, SfFastIoQueryStandardInfo)
#pragma alloc_text(PAGE, SfFastIoLock)
#pragma alloc_text(PAGE, SfFastIoUnlockSingle)
#pragma alloc_text(PAGE, SfFastIoUnlockAll)
#pragma alloc_text(PAGE, SfFastIoUnlockAllByKey)
#pragma alloc_text(PAGE, SfFastIoDeviceControl)
#pragma alloc_text(PAGE, SfFastIoDetachDevice)
#pragma alloc_text(PAGE, SfFastIoQueryNetworkOpenInfo)
#pragma alloc_text(PAGE, SfFastIoMdlRead)
#pragma alloc_text(PAGE, SfFastIoPrepareMdlWrite)
#pragma alloc_text(PAGE, SfFastIoMdlWriteComplete)
#pragma alloc_text(PAGE, SfFastIoReadCompressed)
#pragma alloc_text(PAGE, SfFastIoWriteCompressed)
#pragma alloc_text(PAGE, SfFastIoQueryOpen)
#pragma alloc_text(PAGE, SfAttachDeviceToDeviceStack)
#pragma alloc_text(PAGE, SfAttachToFileSystemDevice)
#pragma alloc_text(PAGE, SfDetachFromFileSystemDevice)
#pragma alloc_text(PAGE, SfAttachToMountedDevice)
#pragma alloc_text(PAGE, SfIsAttachedToDevice)
#pragma alloc_text(PAGE, SfIsAttachedToDeviceW2K)
// Registry parameters are read only from DriverEntry, so INIT is safe here.
#pragma alloc_text(INIT, SfReadDriverParameters)
#pragma alloc_text(PAGE, SfIsShadowCopyVolume)

// XP-and-later only: the dynamic-function loader and version probe are INIT
// (called from DriverEntry); the volume enumerator and WXP attach check are
// PAGE. Their prototypes above should carry the same WINVER guard.
#if WINVER >= 0x0501
#pragma alloc_text(INIT, SfLoadDynamicFunctions)
#pragma alloc_text(INIT, SfGetCurrentVersion)
#pragma alloc_text(PAGE, SfEnumerateFileSystemVolumes)
#pragma alloc_text(PAGE, SfIsAttachedToDeviceWXPAndLater)
#endif

#endif


///////////////////////////////////////////////////////////////////////////////
//
//					Functions
//
///////////////////////////////////////////////////////////////////////////////

NTSTATUS
DriverEntry(
	IN PDRIVER_OBJECT DriverObject,
	IN PUNICODE_STRING RegistryPath
	)
/*++

Routine Description:

	This is the initialization routine for the SFILTER file system filter
	driver.  This routine creates the device object that represents this
	driver in the system and registers it for watching all file systems that
	register or unregister themselves as active file systems.

Arguments:

	DriverObject - Pointer to driver object created by the system.

Return Value:

	The function value is the final status from the initialization operation.

--*/
{
	PFAST_IO_DISPATCH FastIoDispatch;
	UNICODE_STRING NameString;
	NTSTATUS Status;
	ULONG i;

#if WINVER >= 0x0501
	// 
	// Try to load the dynamic functions that may be available for our use.
	// 
	SfLoadDynamicFunctions();

	// 
	// Now get the current OS version that we will use to determine what logic
	// paths to take when this driver is built to run on various OS version.
	// 
	SfGetCurrentVersion();
#endif

	// 
	// Get Registry values
	// 
	SfReadDriverParameters(RegistryPath);

	// 
	// Save our Driver Object, set our UNLOAD routine
	// 

	gSFilterDriverObject = DriverObject;

#if DBG && WINVER >= 0x0501

	// 
	// MULTIVERSION NOTE:
	// 
	// We can only support unload for testing environments if we can enumerate
	// the outstanding device objects that our driver has.
	// 
	
	// 
	// Unload is useful for development purposes. It is not recommended for
	// production versions
	// 
	if (NULL != gSfDynamicFunctions.EnumerateDeviceObjectList)		
		gSFilterDriverObject->DriverUnload = DriverUnload;
#endif

	Status = ExInitializeResourceLite(&gRulesResource);
	if (!NT_SUCCESS(Status))
	{
		KdPrint(("SFilter!DriverEntry: ExInitializeResourceLite failed, Status=%08x\n", Status));
		return Status;
	}

	Status = SfLoadRules(&gRuleFileHandle);
	if (!NT_SUCCESS(Status))
	{
		ExDeleteResourceLite(&gRulesResource);
		KdPrint(("SFilter!DriverEntry: SfLoadRules failed, Status=%08x\n", Status));
		return Status;
	}

	// 
	// Setup other global variables
	// 
	ExInitializeFastMutex(&gSfilterAttachLock);

	ExInitializePagedLookasideList(
		&gFsCtxLookAsideList,
		NULL,
		NULL,
		0,
		FSCTX_GENERIC_TABLE_POOL_SIZE,
		SFLT_POOL_TAG,
		0
		);
		
	ExInitializePagedLookasideList(
		&gFileNameLookAsideList,
		NULL,
		NULL,
		0,
		MAX_PATH * sizeof(WCHAR),
		SFLT_POOL_TAG,
		0
		);

	ExInitializeNPagedLookasideList(
		&gReadWriteCompletionCtxLookAsideList,
		NULL,
		NULL,
		0,
		sizeof(READ_WRITE_COMPLETION_CONTEXT),
		SFLT_POOL_TAG,
		0
		);

	// 
	// Create the Control Device Object (CDO).  This object represents this 
	// driver.  Note that it does not have a device extension.
	// 
	RtlInitUnicodeString(&NameString, L"\\FileSystem\\Filters\\SFilter");

	Status = IoCreateDevice(
		DriverObject,
		0,					  // has no device extension
		&NameString,
		FILE_DEVICE_DISK_FILE_SYSTEM,
		FILE_DEVICE_SECURE_OPEN,
		FALSE,
		&gSFilterControlDeviceObject
		);
	if (Status == STATUS_OBJECT_PATH_NOT_FOUND)
	{
		// x
		// This must be a version of the OS that doesn't have the Filters
		// path in its namespace.  This was added in Windows XP.
		// 
		// We will try just putting our control device object in the \FileSystem
		// portion of the object name space.
		// 

		RtlInitUnicodeString(&NameString, L"\\FileSystem\\SFilterCDO");

		Status = IoCreateDevice(
			DriverObject,
			0,					  // has no device extension
			&NameString,
			FILE_DEVICE_DISK_FILE_SYSTEM,
			FILE_DEVICE_SECURE_OPEN,
			FALSE,
			&gSFilterControlDeviceObject
			);
		if (!NT_SUCCESS(Status))
		{
			KdPrint(("SFilter!DriverEntry: Error creating control device object \"%wZ\", Status=%08x\n", &NameString, Status));
			ZwClose(&gRuleFileHandle);
			ExDeleteResourceLite(&gRulesResource);
			return Status;
		}
		
	}
	else if (!NT_SUCCESS(Status))
	{
		KdPrint(("SFilter!DriverEntry: Error creating control device object \"%wZ\", Status=%08x\n", &NameString, Status));
		ZwClose(&gRuleFileHandle);
		ExDeleteResourceLite(&gRulesResource);
		return Status;
	}

	// 
	// Initialize the driver object with this device driver's entry points.
	// 
	for (i = 0; i <= IRP_MJ_MAXIMUM_FUNCTION; i++)
	{
		DriverObject->MajorFunction[i] = SfPassThrough;
	}

	// 
	// We will use SfCreate for all the create operations
	// 
	DriverObject->MajorFunction[IRP_MJ_CREATE] = SfCreate;
	DriverObject->MajorFunction[IRP_MJ_CREATE_NAMED_PIPE] = SfCreate;
	DriverObject->MajorFunction[IRP_MJ_CREATE_MAILSLOT] = SfCreate;
	
	DriverObject->MajorFunction[IRP_MJ_FILE_SYSTEM_CONTROL] = SfFsControl;
	DriverObject->MajorFunction[IRP_MJ_CLEANUP] = SfCleanupClose;
	DriverObject->MajorFunction[IRP_MJ_CLOSE] = SfCleanupClose;
	DriverObject->MajorFunction[IRP_MJ_READ] = SfRead;
	DriverObject->MajorFunction[IRP_MJ_WRITE] = SfWrite;
	DriverObject->MajorFunction[IRP_MJ_DIRECTORY_CONTROL] = SfDirectoryControl;
	DriverObject->MajorFunction[IRP_MJ_SET_INFORMATION] = SfSetInformation;

	// 
	// Allocate fast I/O data structure and fill it in.
	// 
	// NOTE:  The following FastIo Routines are not supported:
	//	AcquireFileForNtCreateSection
	//	ReleaseFileForNtCreateSection
	//	AcquireForModWrite
	//	ReleaseForModWrite
	//	AcquireForCcFlush
	//	ReleaseForCcFlush
	// 
	// For historical reasons these FastIO's have never been sent to filters
	// by the NT I/O system.  Instead, they are sent directly to the base 
	// file system.  On Windows XP and later OS releases, you can use the new 
	// system routine "FsRtlRegisterFileSystemFilterCallbacks" if you need to 
	// intercept these callbacks (see below).
	// 

	FastIoDispatch = ExAllocatePoolWithTag(NonPagedPool, sizeof(FAST_IO_DISPATCH), SFLT_POOL_TAG);
	if (!FastIoDispatch)
	{
		IoDeleteDevice(gSFilterControlDeviceObject);
		ZwClose(&gRuleFileHandle);
		ExDeleteResourceLite(&gRulesResource);
		return STATUS_INSUFFICIENT_RESOURCES;
	}

	RtlZeroMemory(FastIoDispatch, sizeof(FAST_IO_DISPATCH));

	FastIoDispatch->SizeOfFastIoDispatch = sizeof(FAST_IO_DISPATCH);
	FastIoDispatch->FastIoCheckIfPossible = SfFastIoCheckIfPossible;
	FastIoDispatch->FastIoRead = SfFastIoRead;
	FastIoDispatch->FastIoWrite = SfFastIoWrite;
	FastIoDispatch->FastIoQueryBasicInfo = SfFastIoQueryBasicInfo;
	FastIoDispatch->FastIoQueryStandardInfo = SfFastIoQueryStandardInfo;
	FastIoDispatch->FastIoLock = SfFastIoLock;
	FastIoDispatch->FastIoUnlockSingle = SfFastIoUnlockSingle;
	FastIoDispatch->FastIoUnlockAll = SfFastIoUnlockAll;
	FastIoDispatch->FastIoUnlockAllByKey = SfFastIoUnlockAllByKey;
	FastIoDispatch->FastIoDeviceControl = SfFastIoDeviceControl;
	FastIoDispatch->FastIoDetachDevice = SfFastIoDetachDevice;
	FastIoDispatch->FastIoQueryNetworkOpenInfo = SfFastIoQueryNetworkOpenInfo;
