📄 pgpwipedeletent.c
字号:
// if not intended for us, force OS to create IRP
if (pdeve->ulDeviceType != WIPE_DELETE_DEV)
return FALSE;
if( pdeve->pdevoNext->DriverObject->
FastIoDispatch->MdlWriteCompleteCompressed )
{
retval = pdeve->pdevoNext->DriverObject->
FastIoDispatch->MdlWriteCompleteCompressed(
FileObject, FileOffset,
MdlChain, pdeve->pdevoNext );
}
return retval;
}
//----------------------------------------------------------------------
//
// PGPWDNTFastIoQueryOpen
//
// This call actually passes an IRP!
//
//----------------------------------------------------------------------
BOOLEAN
PGPWDNTFastIoQueryOpen(
IN PIRP Irp,
OUT PFILE_NETWORK_OPEN_INFORMATION NetworkInformation,
IN PDEVICE_OBJECT DeviceObject )
{
BOOLEAN retval = FALSE;
PFILE_OBJECT fileobject;
PIO_STACK_LOCATION currentIrpStack;
PIO_STACK_LOCATION nextIrpStack;
PDEVEXTENSION pdeve;
pdeve = DeviceObject->DeviceExtension;
// if not intended for us, force OS to create IRP
if (pdeve->ulDeviceType != WIPE_DELETE_DEV)
return FALSE;
if( pdeve->pdevoNext->DriverObject->FastIoDispatch->FastIoQueryOpen )
{
currentIrpStack = IoGetCurrentIrpStackLocation(Irp);
nextIrpStack = IoGetNextIrpStackLocation(Irp);
fileobject = currentIrpStack->FileObject;
//
// copy parameters down to next level in the stack
//
*nextIrpStack = *currentIrpStack;
nextIrpStack->DeviceObject = pdeve->pdevoNext;
IoSetNextIrpStackLocation( Irp );
retval = pdeve->pdevoNext->DriverObject->
FastIoDispatch->FastIoQueryOpen(
Irp, NetworkInformation, pdeve->pdevoNext );
}
return retval;
}
//----------------------------------------------------------------------
//
// PGPWDNTFastIoReleaseForModWrite
//
//----------------------------------------------------------------------
NTSTATUS
PGPWDNTFastIoReleaseForModWrite(
IN PFILE_OBJECT FileObject,
IN struct _ERESOURCE *ResourceToRelease,
IN PDEVICE_OBJECT DeviceObject )
{
NTSTATUS retval = STATUS_NOT_SUPPORTED;
PDEVEXTENSION pdeve;
pdeve = DeviceObject->DeviceExtension;
// if not intended for us, force OS to create IRP
if (pdeve->ulDeviceType != WIPE_DELETE_DEV)
return FALSE;
if( pdeve->pdevoNext->DriverObject->FastIoDispatch->ReleaseForModWrite )
{
retval = pdeve->pdevoNext->DriverObject->
FastIoDispatch->ReleaseForModWrite(
FileObject, ResourceToRelease,
pdeve->pdevoNext );
}
return retval;
}
//----------------------------------------------------------------------
//
// PGPWDNTFastIoAcquireForCcFlush
//
//----------------------------------------------------------------------
NTSTATUS
PGPWDNTFastIoAcquireForCcFlush(
IN PFILE_OBJECT FileObject,
IN PDEVICE_OBJECT DeviceObject )
{
NTSTATUS retval = STATUS_NOT_SUPPORTED;
PDEVEXTENSION pdeve;
pdeve = DeviceObject->DeviceExtension;
// if not intended for us, force OS to create IRP
if (pdeve->ulDeviceType != WIPE_DELETE_DEV)
return FALSE;
if( pdeve->pdevoNext->DriverObject->FastIoDispatch->AcquireForCcFlush )
{
retval = pdeve->pdevoNext->DriverObject->
FastIoDispatch->AcquireForCcFlush(
FileObject, pdeve->pdevoNext );
}
return retval;
}
//----------------------------------------------------------------------
//
// PGPWDNTFastIoReleaseForCcFlush
//
//----------------------------------------------------------------------
NTSTATUS
PGPWDNTFastIoReleaseForCcFlush(
IN PFILE_OBJECT FileObject,
IN PDEVICE_OBJECT DeviceObject )
{
NTSTATUS retval = STATUS_NOT_SUPPORTED;
PDEVEXTENSION pdeve;
pdeve = DeviceObject->DeviceExtension;
// if not intended for us, force OS to create IRP
if (pdeve->ulDeviceType != WIPE_DELETE_DEV)
return FALSE;
if( pdeve->pdevoNext->DriverObject->FastIoDispatch->ReleaseForCcFlush )
{
retval = pdeve->pdevoNext->DriverObject->
FastIoDispatch->ReleaseForCcFlush(
FileObject, pdeve->pdevoNext );
}
return retval;
}
//----------------------------------------------------------------------
//
// PGPWDNTFastIoDeviceControl
//
//----------------------------------------------------------------------
BOOLEAN
PGPWDNTFastIoDeviceControl(
IN PFILE_OBJECT FileObject,
IN BOOLEAN Wait,
IN PVOID InputBuffer,
IN ULONG InputBufferLength,
OUT PVOID OutputBuffer,
IN ULONG OutputBufferLength,
IN ULONG IoControlCode,
OUT PIO_STATUS_BLOCK IoStatus,
IN PDEVICE_OBJECT DeviceObject )
{
BOOLEAN retval = FALSE;
PDEVEXTENSION pdeve;
pdeve = DeviceObject->DeviceExtension;
// if not intended for us, force OS to create IRP
if (pdeve->ulDeviceType != WIPE_DELETE_DEV)
return FALSE;
//
// Its a call for a file system, so pass it through
//
if( pdeve->pdevoNext->DriverObject->
FastIoDispatch->FastIoDeviceControl )
{
retval = pdeve->pdevoNext->DriverObject->
FastIoDispatch->FastIoDeviceControl(
FileObject, Wait, InputBuffer, InputBufferLength,
OutputBuffer, OutputBufferLength, IoControlCode,
IoStatus, pdeve->pdevoNext );
}
return retval;
}
//----------------------------------------------------------------------
//
// PGPWDNTFastIoAcquireFile
//
//----------------------------------------------------------------------
VOID
PGPWDNTFastIoAcquireFile(
PFILE_OBJECT FileObject )
{
PDEVICE_OBJECT deviceObject;
PDEVEXTENSION pdeve;
deviceObject = IoGetRelatedDeviceObject( FileObject );
pdeve = deviceObject->DeviceExtension;
// if not intended for us, stop here
if (pdeve->ulDeviceType != WIPE_DELETE_DEV)
return;
if( pdeve->pdevoNext->DriverObject->
FastIoDispatch->AcquireFileForNtCreateSection )
{
pdeve->pdevoNext->DriverObject->
FastIoDispatch->AcquireFileForNtCreateSection(
FileObject );
}
}
//----------------------------------------------------------------------
//
// PGPWDNTFastIoReleaseFile
//
//----------------------------------------------------------------------
VOID
PGPWDNTFastIoReleaseFile(
PFILE_OBJECT FileObject )
{
PDEVICE_OBJECT deviceObject;
PDEVEXTENSION pdeve;
deviceObject = IoGetRelatedDeviceObject( FileObject );
pdeve = deviceObject->DeviceExtension;
// if not intended for us, stop here
if (pdeve->ulDeviceType != WIPE_DELETE_DEV)
return;
if( pdeve->pdevoNext->DriverObject->
FastIoDispatch->ReleaseFileForNtCreateSection )
{
pdeve->pdevoNext->DriverObject->
FastIoDispatch->ReleaseFileForNtCreateSection( FileObject );
}
}
//----------------------------------------------------------------------
//
// PGPWDNTFastIoDetachDevice
//
// We get this call when a device that we have hooked is being deleted.
// This happens when, for example, a floppy is formatted. We have
// to detach from it and delete our device. We should notify the GUI
// that the hook state has changed, but its not worth the trouble.
//
//----------------------------------------------------------------------
VOID
PGPWDNTFastIoDetachDevice(
PDEVICE_OBJECT SourceDevice,
PDEVICE_OBJECT TargetDevice )
{
PDEVEXTENSION pdeve;
ULONG i;
pdeve = SourceDevice->DeviceExtension;
// if not intended for us, stop here
if (pdeve->ulDeviceType != WIPE_DELETE_DEV)
return;
//
// See if a device (like a floppy) is being removed out from under us.
// If so, we have to detach from it before it disappears
//
for( i = 2; i < 26; i++ ) {
if( SourceDevice == LDriveDevices[i] ) {
//
// We've hooked it, so we must detach
//
PGPdbgVerbosePrint(("PGPutil: Detaching from drive: %c\n",
pdeve->ucLogicalDrive ));
IoDetachDevice( TargetDevice );
IoDeleteDevice( SourceDevice );
LDriveDevices[i] = NULL;
return;
}
}
//
// Now we can pass the call through
//
if( pdeve->pdevoNext->DriverObject->
FastIoDispatch->FastIoDetachDevice )
{
pdeve->pdevoNext->DriverObject->
FastIoDispatch->FastIoDetachDevice(
SourceDevice, TargetDevice );
}
}
//----------------------------------------------------------------------
//
// PGPWDNTCheckFileForPGPWDNT
//
// See if this file is marked for delete. If so, get its name
// and see if this is a file that should be protected.
//
//----------------------------------------------------------------------
BOOLEAN
PGPWDNTCheckFileForPGPWDNT(
PDEVICE_OBJECT DeviceObject,
PIRP Irp,
char **FileName)
{
PIO_STACK_LOCATION currentIrpStack = IoGetCurrentIrpStackLocation(Irp);
PDEVEXTENSION pdeve;
PCHAR fileNameBuffer;
UNICODE_STRING fileNameUnicodeString;
int i,length;
char *name;
//
// Get the hook extension
//
pdeve = DeviceObject->DeviceExtension;
// if not intended for us, force OS to create IRP
if (pdeve->ulDeviceType != WIPE_DELETE_DEV)
return FALSE;
// We have nothing to do anyway....
if(tc_callback==0)
return FALSE;
// First, make sure its not a directory
if( PGPWDNTIsDirectory( pdeve->pdevoNext, currentIrpStack->FileObject ) )
{
return FALSE;
}
//
// Get the name of the file.
//
fileNameBuffer = ExAllocatePool( NonPagedPool, 1024 );
if( !PGPWDNTGetFileName( pdeve->bIsNTFS, pdeve->pdevoNext,
currentIrpStack->FileObject,
fileNameBuffer, 1024))
{
//
// Couldn't get the name for some reason
//
ExFreePool( fileNameBuffer );
return FALSE;
}
fileNameUnicodeString.Length =
(USHORT) ((PFILE_NAME_INFORMATION) fileNameBuffer)->FileNameLength + 4;
fileNameUnicodeString.MaximumLength = fileNameUnicodeString.Length;
fileNameUnicodeString.Buffer =
ExAllocatePool( PagedPool, fileNameUnicodeString.Length+2+4);
swprintf( fileNameUnicodeString.Buffer, L"%C:", pdeve->ucLogicalDrive );
RtlCopyMemory( &fileNameUnicodeString.Buffer[2],
((PFILE_NAME_INFORMATION) fileNameBuffer)->FileName,
fileNameUnicodeString.Length);
fileNameUnicodeString.Buffer[fileNameUnicodeString.Length/2] = 0;
//
// Determine the length of the name
//
i=0;
length=0;
while( fileNameUnicodeString.Buffer[i++] ) length++;
//
// First, make the ascii name
//
for( i = 0; i < length; i++ )
{
fileNameBuffer[i] = (CHAR) fileNameUnicodeString.Buffer[i];
}
fileNameBuffer[i] = 0;
ExFreePool( fileNameUnicodeString.Buffer );
name=strrchr(fileNameBuffer,'\\');
if(name==NULL)
name=fileNameBuffer;
else
name++;
if((_strnicmp(name,"aaaaaaaa",8)==0)||
(_strnicmp(name,"PGPwipepattern",14)==0))
{
// Its already been wiped by us. Go ahead and let OS delete it.
PGPdbgVerbosePrint(("PGPutil: its already been wiped\n"));
ExFreePool( fileNameBuffer );
return FALSE;
}
length = strlen(name);
if (!_strnicmp(name,"efs",3) && (length > 7))
{
if (!_stricmp(&name[length-4],".tmp"))
{
// Check to see if the file is hidden
if (PGPWDNTIsHiddenFile(pdeve->pdevoNext, currentIrpStack->FileObject))
{
// This is a temporary file from the Encrypted File System.
// It's locked by the system, so we can't wipe it
PGPdbgVerbosePrint(("PGPutil: locked by EFS, can't wipe\n"));
ExFreePool( fileNameBuffer );
return FALSE;
}
}
}
*FileName = fileNameBuffer;
return TRUE;
}
/* The APC structure is defined in ntddk.h */
/* this is KERNEL_ROUTINE for our APC; in particular, it gets called when the APC
is being delivered. Usually one of predefined useful routines in the kernel are
used for this purpose, but we can't use any of them as none of them are exported. */
void MyRoutine(struct _KAPC *Apc,
PKNORMAL_ROUTINE norm_routine,
void *context,
void *SysArg1,
void *SysArg2)
{
ExFreePool(Apc);
return;
}
/* pointer to the APC we will create */
static struct _KAPC *apc;
/* KeInitializeApc() and KeInsertQueueApc() are the two functions needed to
send an APC; they're both exported but not prototyped in the DDK, so we
prototype them here. */
void KeInitializeApc(struct _KAPC *Apc, PKTHREAD thread,
unsigned char state_index,
⌨️ 快捷键说明
复制代码
Ctrl + C
搜索代码
Ctrl + F
全屏模式
F11
切换主题
Ctrl + Shift + D
显示快捷键
?
增大字号
Ctrl + =
减小字号
Ctrl + -