
文件过滤驱动--隐藏目录

2007-07-26 13:39 483 查看
//
// Directory control function.
//
// Dispatch routine for directory-control IRPs. For a user-mode
// IRP_MN_QUERY_DIRECTORY request of class FileBothDirectoryInformation, on a
// device whose extension has a StorageStackDeviceObject, it forwards the IRP
// to the next lower driver, waits for it to finish, and then edits the
// FILE_BOTH_DIR_INFORMATION list in Irp->UserBuffer so that a directory entry
// whose name matches g_szHiddenDir is no longer reported to the caller.
// Every other request is passed down unchanged.
//
// Arguments:
//   DeviceObject - device object the request was sent to; its extension is
//                  used as a PFILESPY_DEVICE_EXTENSION.
//   Irp          - the request being processed.
//
// Return Value:
//   The value of the local `status` (see the NOTE(review) comments below on
//   how it is derived after a pended request).
//

NTSTATUS
SpyDirControl(
    IN PDEVICE_OBJECT DeviceObject,
    IN PIRP Irp
    )
{
    PFILESPY_DEVICE_EXTENSION devExt;
    PIO_STACK_LOCATION irpSp;
    PFILE_OBJECT FileObject;
    KEVENT waitEvent;
    NTSTATUS status;
    ULONG bufferLength;      // size of the caller's buffer as given in the request
    ULONG newLength;         // byte count that will be reported back to the caller
    ULONG offset;            // NextEntryOffset of the entry currently examined
    ULONG currentPosition;   // byte offset of the current entry from the buffer start
    PFILE_BOTH_DIR_INFORMATION dirInfo = NULL;      // entry currently examined
    PFILE_BOTH_DIR_INFORMATION preDirInfo = NULL;   // last entry that was kept
    //CHAR name[PROCNAMELEN];
    //PWSTR fileNameBuffer = UNICODE_NULL;

    //
    // No filtering at all while the control device state is CLOSED, and none
    // for the process whose id is stored in g_hProcessId: those requests go
    // straight to SpyDispatch and see the unmodified listing.
    //
    if(gControlDeviceState == CLOSED || PsGetCurrentProcessId()==g_hProcessId)
    {
        return SpyDispatch(DeviceObject,Irp);
    }

    devExt = DeviceObject->DeviceExtension;
    irpSp = IoGetCurrentIrpStackLocation(Irp);
    FileObject = irpSp->FileObject;   // assigned but not used again in this routine

    // NOTE(review): PAGED_CODE() is reached only after the early return and the
    // field reads above, so it does not cover them.
    PAGED_CODE();

    // if (IS_MY_CONTROL_DEVICE_OBJECT(DeviceObject)) {
    // Irp->IoStatus.Status = STATUS_INVALID_DEVICE_REQUEST;
    // Irp->IoStatus.Information = 0;
    // IoCompleteRequest(Irp, IO_NO_INCREMENT);
    // return STATUS_INVALID_DEVICE_REQUEST;
    // }
    // NOTE(review): with the check above disabled, nothing visible in this
    // routine rejects a request sent to the control device object - confirm
    // that SpyDispatch or the caller handles that case.

    //
    // Kernel-mode requestors are passed through untouched, so everything
    // below operates only on requests whose RequestorMode is not KernelMode.
    //
    if (Irp->RequestorMode == KernelMode) {

        IoSkipCurrentIrpStackLocation(Irp);
        return IoCallDriver(devExt->NLExtHeader.AttachedToDeviceObject, Irp);
    }

    //
    // Record: Add by lwf : 07-07-20
    // Purpose: We care about volume filter device object
    //

    if (!devExt->NLExtHeader.StorageStackDeviceObject){

        IoSkipCurrentIrpStackLocation(Irp);
        return IoCallDriver(devExt->NLExtHeader.AttachedToDeviceObject, Irp);
    }

    // Only directory enumeration is of interest.
    if (irpSp->MinorFunction != IRP_MN_QUERY_DIRECTORY){

        IoSkipCurrentIrpStackLocation(Irp);
        return IoCallDriver(devExt->NLExtHeader.AttachedToDeviceObject, Irp);
    }

    //
    // Only FileBothDirectoryInformation listings are rewritten; a query using
    // any other information class is forwarded unchanged.
    //
    if (FileBothDirectoryInformation != ((PQUERY_DIRECTORY)&irpSp->Parameters)->FileInformationClass) {

        IoSkipCurrentIrpStackLocation(Irp);
        return IoCallDriver(devExt->NLExtHeader.AttachedToDeviceObject, Irp);
    }

    //
    // Send the request down and regain control of the IRP afterwards.
    // SpyDirControlCompletion is not shown here; presumably it signals
    // waitEvent and returns STATUS_MORE_PROCESSING_REQUIRED, which the
    // IoCompleteRequest calls below depend on - TODO confirm.
    //
    KeInitializeEvent(&waitEvent, NotificationEvent, FALSE);

    IoCopyCurrentIrpStackLocationToNext(Irp);

    IoSetCompletionRoutine(Irp,
                           SpyDirControlCompletion,
                           &waitEvent, //context parameter
                           TRUE,
                           TRUE,
                           TRUE
                           );

    status = IoCallDriver(devExt->NLExtHeader.AttachedToDeviceObject, Irp);

    //
    // Wait for the operation to complete
    //
    // NOTE(review): after the wait, `status` holds the KeWaitForSingleObject
    // result rather than Irp->IoStatus.Status, so a request that pended and
    // then failed looks successful to the checks below, and the value
    // returned from this routine can differ from the status stored in the
    // IRP. Reading Irp->IoStatus.Status after the wait would avoid that.
    //
    if (STATUS_PENDING == status) {

        status = KeWaitForSingleObject(&waitEvent,
                                       Executive,
                                       KernelMode,
                                       FALSE,
                                       NULL
                                       );
        ASSERT(STATUS_SUCCESS == status);
    }

    //
    // NOTE(review): the length tested here is the one stored in the stack
    // location (the size the caller asked for), not the number of bytes the
    // lower driver reported in Irp->IoStatus.Information.
    //
    if (!NT_SUCCESS(status) ||(0 == irpSp->Parameters.QueryFile.Length)) {

        IoCompleteRequest(Irp, IO_NO_INCREMENT);
        return status;
    }

    //
    // Record: add by lwf :07-06-30
    // Purpose:Add for Test getting full path name
    //

    //
    // Each pass of this outer loop walks one buffer of results. If every
    // entry in it was removed, the IRP is sent down again to fetch the next
    // batch; otherwise the loop ends.
    //
    while (TRUE) {

        bufferLength = ((PQUERY_DIRECTORY)&irpSp->Parameters)->Length;
        newLength = bufferLength;
        currentPosition = 0;
        //
        // NOTE(review): kernel-mode requestors were passed through above, so
        // Irp->UserBuffer here belongs to a non-kernel caller. It is read and
        // rewritten below without any exception handler, and each
        // NextEntryOffset is read from that same memory every time it is
        // used, so its value is not stable between a check and a later use.
        // Only the first entry's offset is compared with the buffer size
        // (next statement); later offsets are followed unchecked and feed
        // pointer arithmetic and the RtlMoveMemory length. A safer version
        // would guard the walk with try/except, bound every step by the byte
        // count in Irp->IoStatus.Information, and read each offset once.
        //
        dirInfo =(PFILE_BOTH_DIR_INFORMATION) Irp->UserBuffer;
        preDirInfo = dirInfo;

        if ((!dirInfo) ||(dirInfo->NextEntryOffset > bufferLength)) {

            IoCompleteRequest(Irp, IO_NO_INCREMENT);
            return status;
        }

        do {

            //DbgPrint("[FileSpy.sys]MajorFunction-SpyDirControl:%s", SpyGetProcess(name));

            //
            // Record: Modify by lwf : 07-06-20
            // Purpose: Hide Install Directory and permit special process's access
            // for virtual encrypt disk using "(_stricmp((const char*)VENCRPYTDISK, FileSpyGetProcess(name)))"
            // Record: Modify For OS Restart BUG 07-07-06
            //

            //
            // An entry is removed when all four conditions hold:
            //   1 - it has a non-empty name,
            //   2 - its attributes mark it as a directory,
            //   3 - g_ulHiddenDirLen equals the name length plus one WCHAR,
            //   4 - the name equals g_szHiddenDir, compared case-insensitively
            //       over FileNameLength / sizeof(WCHAR) characters.
            // NOTE(review): g_szHiddenDir and g_ulHiddenDirLen are read here
            // with no visible synchronization against the code that sets them.
            //
            offset = dirInfo->NextEntryOffset;
            if (/*1*/(dirInfo->FileNameLength > 0)/*1*/ &&
                /*2*/(IsDirectory(dirInfo->FileAttributes))/*2*/ &&
                /*3*/(g_ulHiddenDirLen == dirInfo->FileNameLength + sizeof(WCHAR))/*3*/ &&
                /*4*/(_wcsnicmp( dirInfo->FileName, g_szHiddenDir, dirInfo->FileNameLength / sizeof(WCHAR)) == 0)/*4*/){

                DbgPrint("[FileSpy.sys]MajorFunction-SpyDirControl,FileNameLength:%d",dirInfo->FileNameLength);

                if (0 == offset) { // the last one

                    // Matching entry is last in the buffer: end the list at
                    // the previous kept entry and report only the bytes
                    // before the current position.
                    preDirInfo->NextEntryOffset = 0;
                    newLength = currentPosition;

                } else {

                    if (preDirInfo != dirInfo) {

                        // Matching entry is in the middle: the previous kept
                        // entry is linked past it. The entry's bytes stay in
                        // the buffer; only the link changes.
                        // NOTE(review): currentPosition is not advanced in
                        // this branch, so later uses of it (newLength above,
                        // the move length below) lag behind dirInfo - confirm
                        // this is intended.
                        preDirInfo->NextEntryOffset += dirInfo->NextEntryOffset;
                        dirInfo = (PFILE_BOTH_DIR_INFORMATION) ((PUCHAR) dirInfo + offset);

                    } else {

                        // Matching entry is the first one: slide the rest of
                        // the buffer down over it and shrink the reported
                        // length. The move length is derived from the
                        // requested buffer size, not from the bytes returned,
                        // and is unsigned, so an inconsistent offset would
                        // wrap it to a very large value.
                        RtlMoveMemory((PUCHAR) dirInfo,(PUCHAR) dirInfo + offset, bufferLength - currentPosition - offset);
                        newLength -= offset;

                    }
                }

                // break;
            }
            else
            {
                // Entry is kept: remember it as the previous entry and step
                // to the next one.
                currentPosition += offset;
                preDirInfo = dirInfo;
                dirInfo =(PFILE_BOTH_DIR_INFORMATION)((PUCHAR) dirInfo + offset);
            }

        } while(0 != offset);   // offset is that of the entry just examined

        if (0 == newLength) {

            //
            // Nothing is left to report from this batch, so the same IRP is
            // sent to the lower driver again to obtain further entries.
            //
            KeResetEvent(&waitEvent);

            IoCopyCurrentIrpStackLocationToNext(Irp);

            IoSetCompletionRoutine(Irp,
                                   SpyDirControlCompletion,
                                   &waitEvent, //context parameter
                                   TRUE,
                                   TRUE,
                                   TRUE
                                   );

            status = IoCallDriver(devExt->NLExtHeader.AttachedToDeviceObject, Irp);

            //
            // Wait for the operation to complete
            //
            // NOTE(review): as with the first send, `status` becomes the wait
            // result here, not Irp->IoStatus.Status.
            //
            if (STATUS_PENDING == status) {

                status = KeWaitForSingleObject(&waitEvent,
                                               Executive,
                                               KernelMode,
                                               FALSE,
                                               NULL
                                               );
                ASSERT(STATUS_SUCCESS == status);
            }

            if (!NT_SUCCESS(status) ||(0 == Irp->IoStatus.Information)) {

                // newLength is still 0 on this path.
                break;
            }

        } else {

            Irp->IoStatus.Information = newLength;
            break;
        }
    }

    //
    // Record: add by lwf :07-06-30
    // Purpose:Add for Test getting full path name
    //

    //
    // Information is set from newLength on every exit from the loop,
    // including the failure break above, where it is 0.
    //
    Irp->IoStatus.Information = newLength;
    IoCompleteRequest(Irp, IO_NO_INCREMENT);
    return status;
}

BOOLEAN IsDirectory(
    ULONG dirattr
    )
//----------------------------------------------------------------------
//
// IsDirectory
//
// Reports whether a file-attribute mask describes a directory.
//
// dirattr - attribute bits to test (SpyDirControl passes the
//           FileAttributes field of a directory-listing entry).
//
// Returns TRUE when dirattr is not the all-ones value 0xffffffff and
// has FILE_ATTRIBUTE_DIRECTORY set; FALSE otherwise.
//
//----------------------------------------------------------------------
{
    // 0xffffffff is rejected outright: every bit is set in it, so the
    // directory bit alone would say nothing (presumably the "invalid
    // attributes" sentinel - confirm against callers).
    if (dirattr == 0xffffffff) {
        return FALSE;
    }

    if ((dirattr & FILE_ATTRIBUTE_DIRECTORY) != 0) {
        return TRUE;
    }

    return FALSE;
}

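//
// Record : Add by lwf : 07-06-19
// Purpose: Handle Setting Hidden Directory Control Code
//
// Copies the caller-supplied name from InputBuffer into a new non-paged
// buffer, null-terminates it, and publishes it through g_szHiddenDir and
// g_ulHiddenDirLen, the two globals that SpyDirControl compares directory
// entries against. IoStatus->Status is set to STATUS_INVALID_PARAMETER for
// unusable input, STATUS_INSUFFICIENT_RESOURCES if the allocation fails, the
// exception code if the copy faults, and STATUS_SUCCESS otherwise.
//
// The buffer is built in a local pointer and published only once it is
// fully initialized, so neither a failed copy nor a half-written name is
// ever visible through g_szHiddenDir, and the allocation is released on the
// failure path.
//
// NOTE(review): nothing in this fragment restricts which caller may issue
// this control code; confirm that the control device's security descriptor
// or a caller check elsewhere limits it to the intended process.
//
case FILESPY_SetHiddenDir:
{
    PWCHAR newHiddenDir;

    //
    // Reject a missing or empty buffer, a length that is not a whole number
    // of WCHARs (the terminator index below assumes one), and a length for
    // which adding the terminator would wrap.
    // NOTE(review): there is still no upper bound on the name length, so the
    // caller chooses the size of a non-paged allocation; consider a limit.
    //
    if (InputBuffer == NULL ||
        InputBufferLength <= 0 ||
        (InputBufferLength % sizeof(WCHAR)) != 0 ||
        InputBufferLength > MAXULONG - sizeof(WCHAR)) {

        IoStatus->Status = STATUS_INVALID_PARAMETER;
        DbgPrint("[FileSpy.sys]IOCTLCODE-FILESPY_SetHiddenDir,Err: buffer or length invalid");
        break;
    }

    //
    // Allocate room for the name plus a null terminator.
    //

    newHiddenDir = ExAllocatePoolWithTag( NonPagedPool,
                                          InputBufferLength + sizeof(WCHAR),
                                          FILESPY_POOL_TAG );

    if (NULL == newHiddenDir) {

        IoStatus->Status = STATUS_INSUFFICIENT_RESOURCES;
        DbgPrint("[FileSpy.sys]IOCTLCODE-FILESPY_SetHiddenDir,Err: alloc memory failed");
        break;
    }

    //
    // Start from a known status so the success test below reflects only the
    // copy, not whatever value IoStatus held on entry.
    //

    IoStatus->Status = STATUS_SUCCESS;

    try {

        RtlCopyMemory( newHiddenDir, InputBuffer, InputBufferLength );

    } except (EXCEPTION_EXECUTE_HANDLER) {

        IoStatus->Status = GetExceptionCode();
        DbgPrint("[FileSpy.sys]IOCTLCODE-FILESPY_SetHiddenDir,Err: copy memory err-%0x",IoStatus->Status);
    }

    if (!NT_SUCCESS( IoStatus->Status )) {

        //
        // The copy faulted: release the buffer and leave the globals as
        // they were.
        //

        ExFreePoolWithTag( newHiddenDir, FILESPY_POOL_TAG );
        break;
    }

    newHiddenDir[InputBufferLength / sizeof(WCHAR)] = UNICODE_NULL;

    //
    // Log from the kernel copy, which is null-terminated, rather than from
    // the caller's buffer, which need not be and was only ever read under
    // the exception handler above.
    //

    DbgPrint("[Filespy.sys]IOCTLCODE-SetHiddenDir.Dir:%ws-Len:%d",newHiddenDir,InputBufferLength);

    //
    // Publish the pointer before the length: SpyDirControl tests the length
    // first and only then reads the name.
    // NOTE(review): SpyDirControl reads both globals without a lock, so this
    // ordering narrows the race but does not remove it, and the previous
    // g_szHiddenDir buffer is deliberately not freed here because a
    // concurrent reader could still be using it. It is therefore leaked on
    // every update, exactly as before this change. Proper synchronization is
    // needed before the old buffer can be released.
    //

    g_szHiddenDir = newHiddenDir;
    g_ulHiddenDirLen = InputBufferLength;//string length
    IoStatus->Status = STATUS_SUCCESS;
}

break;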