myfilespy.c
IN ULONG CompressedDataInfoLength,
IN PDEVICE_OBJECT DeviceObject
)
{
PHOOK_EXTENSION HookExt;
BOOLEAN RetVal=FALSE;
DbgPrint("FastIoWriteCompressed\n");
if( !DeviceObject ) return RetVal;
HookExt=DeviceObject->DeviceExtension;
return RetVal;
}
/*
 * Fast I/O hook installed in the MdlReadCompleteCompressed slot of FastIoHook.
 *
 * Logs the call and declines it: FALSE is returned on every path, so the
 * request is never serviced by this routine.
 */
BOOLEAN
FastIoMdlReadCompleteCompressed(
    IN PFILE_OBJECT FileObject,
    IN PMDL MdlChain,
    IN PDEVICE_OBJECT DeviceObject
    )
{
    PHOOK_EXTENSION HookExt;

    DbgPrint("FastIoMdlReadCompleteCompressed\n");

    if (DeviceObject) {
        /* Fetched for later use; nothing in this routine reads it yet. */
        HookExt = DeviceObject->DeviceExtension;
    }

    return FALSE;
}
/*
 * Fast I/O hook installed in the MdlWriteCompleteCompressed slot of FastIoHook.
 *
 * Logs the call and declines it: FALSE is returned on every path, so the
 * request is never serviced by this routine.
 */
BOOLEAN
FastIoMdlWriteCompleteCompressed(
    IN PFILE_OBJECT FileObject,
    IN PLARGE_INTEGER FileOffset,
    IN PMDL MdlChain,
    IN PDEVICE_OBJECT DeviceObject
    )
{
    PHOOK_EXTENSION HookExt;

    DbgPrint("FastIoMdlWriteCompleteCompressed\n");

    if (DeviceObject) {
        /* Fetched for later use; nothing in this routine reads it yet. */
        HookExt = DeviceObject->DeviceExtension;
    }

    return FALSE;
}
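/*
 * Fast I/O hook installed in the FastIoQueryOpen slot of FastIoHook.
 *
 * Logs the call and declines it: FALSE is returned on every path, so the
 * request is never serviced by this routine.
 */
BOOLEAN
FastIoQueryOpen(
    IN struct _IRP *Irp,
    OUT PFILE_NETWORK_OPEN_INFORMATION NetworkInformation,
    IN PDEVICE_OBJECT DeviceObject
    )
{
    /*
     * The original body assigned HookExt without declaring it, unlike every
     * sibling Fast I/O stub. Declared locally here so the routine does not
     * depend on (or silently write to) a file-scope variable of that name.
     */
    PHOOK_EXTENSION HookExt;
    BOOLEAN RetVal=FALSE;

    DbgPrint("FastIoQueryOpen\n");
    if( !DeviceObject ) return RetVal;

    /* Fetched for later use; nothing in this routine reads it yet. */
    HookExt=DeviceObject->DeviceExtension;
    return RetVal;
}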
/*
 * Fast I/O hook installed in the ReleaseForModWrite slot of FastIoHook.
 *
 * Logs the call and releases nothing. The status returned is zero on every
 * path, which is STATUS_SUCCESS.
 *
 * NOTE(review): the original spelled the return value as a BOOLEAN FALSE
 * pushed through an NTSTATUS return type, which hides the fact that the
 * caller is told the release succeeded. Reporting success without touching
 * ResourceToRelease looks unintended; confirm which status a pass-through
 * filter is expected to return from this callback.
 */
NTSTATUS
FastIoReleaseForModWrite(
    IN PFILE_OBJECT FileObject,
    IN struct _ERESOURCE *ResourceToRelease,
    IN PDEVICE_OBJECT DeviceObject
    )
{
    PHOOK_EXTENSION HookExt;

    DbgPrint("FastIoReleaseForModWrite\n");

    if (DeviceObject) {
        /* Fetched for later use; nothing in this routine reads it yet. */
        HookExt = DeviceObject->DeviceExtension;
    }

    /* Same numeric value as the original's (NTSTATUS)FALSE. */
    return STATUS_SUCCESS;
}
/*
 * Fast I/O hook installed in the AcquireForCcFlush slot of FastIoHook.
 *
 * Logs the call and acquires nothing. The status returned is zero on every
 * path, which is STATUS_SUCCESS.
 *
 * NOTE(review): the original spelled the return value as a BOOLEAN FALSE
 * pushed through an NTSTATUS return type, which hides the fact that the
 * caller is told the acquire succeeded. Reporting success from a
 * lock-acquire callback that takes no lock looks unintended; confirm which
 * status a pass-through filter is expected to return here.
 */
NTSTATUS
FastIoAcquireForCcFlush(
    IN PFILE_OBJECT FileObject,
    IN PDEVICE_OBJECT DeviceObject
    )
{
    PHOOK_EXTENSION HookExt;

    DbgPrint("FastIoAcquireForCcFlush\n");

    if (DeviceObject) {
        /* Fetched for later use; nothing in this routine reads it yet. */
        HookExt = DeviceObject->DeviceExtension;
    }

    /* Same numeric value as the original's (NTSTATUS)FALSE. */
    return STATUS_SUCCESS;
}
/*
 * Fast I/O hook installed in the ReleaseForCcFlush slot of FastIoHook.
 *
 * Logs the call and releases nothing. The status returned is zero on every
 * path, which is STATUS_SUCCESS.
 *
 * NOTE(review): the original spelled the return value as a BOOLEAN FALSE
 * pushed through an NTSTATUS return type, which hides the fact that the
 * caller is told the release succeeded. Confirm which status a pass-through
 * filter is expected to return from this callback.
 */
NTSTATUS
FastIoReleaseForCcFlush(
    IN PFILE_OBJECT FileObject,
    IN PDEVICE_OBJECT DeviceObject
    )
{
    PHOOK_EXTENSION HookExt;

    DbgPrint("FastIoReleaseForCcFlush\n");

    if (DeviceObject) {
        /* Fetched for later use; nothing in this routine reads it yet. */
        HookExt = DeviceObject->DeviceExtension;
    }

    /* Same numeric value as the original's (NTSTATUS)FALSE. */
    return STATUS_SUCCESS;
}
// Fast I/O routine table. DriverEntry publishes it through
// DriverObject->FastIoDispatch.
//
// The initializer is positional: each routine lands in whichever
// FAST_IO_DISPATCH member occupies that position, so the order below must
// track the structure definition exactly. A routine listed one slot off
// still compiles if its prototype happens to be compatible and is then
// called with another callback's arguments.
FAST_IO_DISPATCH FastIoHook=
{
// first member: size of the table itself
sizeof(FAST_IO_DISPATCH),
FastIoCheckifPossible,
FastIoRead,
FastIoWrite,
FastIoQueryBasicInfo,
FastIoQueryStandardInfo,
FastIoLock,
FastIoUnlockSingle,
FastIoUnlockAll,
FastIoUnlockAllByKey,
FastIoDeviceControl,
FastIoAcquireFile,
FastIoReleaseFile,
FastIoDetachDevice,
// new for NT 4.0
FastIoQueryNetworkOpenInfo,
FastIoAcquireForModWrite,
FastIoMdlRead,
FastIoMdlReadComplete,
FastIoPrepareMdlWrite,
FastIoMdlWriteComplete,
FastIoReadCompressed,
FastIoWriteCompressed,
FastIoMdlReadCompleteCompressed,
FastIoMdlWriteCompleteCompressed,
FastIoQueryOpen,
// The last three return NTSTATUS rather than BOOLEAN in this file.
FastIoReleaseForModWrite,
FastIoAcquireForCcFlush,
FastIoReleaseForCcFlush
};
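/*
 * Internal helper: attach a filter device to the file system that owns
 * DOS_DEVICE_DISK.
 *
 * Opens the root directory named by DOS_DEVICE_DISK, resolves the file
 * system device object behind it, creates an unnamed device of the same
 * type and attaches it to that device. On success the new device is
 * published in the global HookDevice and its extension records the device
 * it was attached to, so MyDispatch can forward IRPs.
 *
 * DriverObject  driver object that will own the new filter device.
 *
 * Returns STATUS_SUCCESS when the filter is attached (or already was),
 * otherwise the failing call's status.
 *
 * Changes from the original:
 *  - The handle is opened with OBJ_KERNEL_HANDLE. This routine runs from the
 *    control device's IOCTL path, i.e. in the requesting process's context;
 *    without the flag the handle would be created in that process's handle
 *    table, where user mode can reach it.
 *  - A second call no longer creates and attaches another device over the
 *    first one (which leaked the earlier device and overwrote HookDevice).
 *  - HookDevice is written only after the attach succeeded, and the new
 *    device is deleted when the attach fails, so Unload never detaches a
 *    device that was never attached.
 *  - The "no related device" path returns a failure status instead of the
 *    STATUS_SUCCESS left over from ObReferenceObjectByHandle.
 *  - The lower device's DO_BUFFERED_IO / DO_DIRECT_IO flags are copied so
 *    IRPs built for the filter use the buffering method the file system
 *    expects.
 *  - The device pointer is logged with %p, and the failure message names the
 *    call that is really made.
 */
NTSTATUS
HookDisk(IN PDRIVER_OBJECT DriverObject)
{
    UNICODE_STRING FileNameUnicodeStr;
    OBJECT_ATTRIBUTES ObjectAttrib;
    NTSTATUS NtStatus;
    HANDLE NtFileHandle;
    IO_STATUS_BLOCK IOStatus;
    PFILE_OBJECT FileObject;
    PDEVICE_OBJECT FileSysDevice;
    PDEVICE_OBJECT NewDevice;
    PHOOK_EXTENSION NewExt;

    DbgPrint("-------------------Entry HookDisk\n");

    /*
     * Already attached: nothing to do. Assumes HookDevice is a zero-initialised
     * file-scope pointer, as the test in Unload also does. The check is not
     * synchronised; concurrent hook requests would need a lock.
     */
    if( HookDevice )
    {
        DbgPrint("HookDisk: already hooked\n");
        return STATUS_SUCCESS;
    }

    RtlInitUnicodeString( &FileNameUnicodeStr, DOS_DEVICE_DISK);

    /* Initialise the object attributes; kernel-only handle (see header). */
    InitializeObjectAttributes( &ObjectAttrib, &FileNameUnicodeStr,
                                OBJ_CASE_INSENSITIVE | OBJ_KERNEL_HANDLE,
                                NULL, NULL );

    /* Open the root directory of the volume. */
    NtStatus = ZwCreateFile( &NtFileHandle, SYNCHRONIZE|FILE_ANY_ACCESS,
                             &ObjectAttrib, &IOStatus, NULL, 0,
                             FILE_SHARE_READ|FILE_SHARE_WRITE,
                             FILE_OPEN,
                             FILE_SYNCHRONOUS_IO_NONALERT|FILE_DIRECTORY_FILE,
                             NULL, 0 );
    if( !NT_SUCCESS( NtStatus ) )
    {
        DbgPrint("ZwCreateFile fail\n");
        return NtStatus;
    }

    /* Turn the handle into a referenced file object pointer. */
    NtStatus = ObReferenceObjectByHandle( NtFileHandle, FILE_READ_DATA,
                                          NULL, KernelMode, &FileObject, NULL );
    if( !NT_SUCCESS( NtStatus ))
    {
        DbgPrint("ObReferenceObjectByHandle fail\n");
        goto close_handle;
    }

    /* Find the file system device object associated with that file object. */
    FileSysDevice = IoGetRelatedDeviceObject( FileObject );
    if( ! FileSysDevice )
    {
        DbgPrint("IoGetRelatedDeviceObject fail\n");
        NtStatus = STATUS_UNSUCCESSFUL;
        goto deref_file;
    }

    /* Create the unnamed, non-exclusive device that will sit on the stack. */
    NtStatus = IoCreateDevice( DriverObject,
                               sizeof(HOOK_EXTENSION),
                               NULL,
                               FileSysDevice->DeviceType,
                               0,
                               FALSE,
                               &NewDevice );
    if( !NT_SUCCESS(NtStatus) )
    {
        DbgPrint("IoCreateDevice fail\n");
        goto deref_file;
    }

    /* Fill in the extension before the device can receive any IRP. */
    NewExt = NewDevice->DeviceExtension;
    NewExt->DeviceType = DEVICE_TYPE_HOOK;
    NewExt->FileSystem = FileSysDevice;

    /* Match the buffering method of the device being filtered. */
    NewDevice->Flags |= FileSysDevice->Flags & (DO_BUFFERED_IO | DO_DIRECT_IO);

    /* Attach; from here on IRPs for the file system reach MyDispatch first. */
    NtStatus = IoAttachDeviceByPointer( NewDevice, FileSysDevice );
    if( !NT_SUCCESS(NtStatus) )
    {
        DbgPrint("IoAttachDeviceByPointer fail\n");
        IoDeleteDevice( NewDevice );
        goto deref_file;
    }

    /* Publish only a fully attached device. */
    HookDevice = NewDevice;

    /* Devices created outside DriverEntry must clear this flag themselves. */
    NewDevice->Flags &= ~DO_DEVICE_INITIALIZING;

    DbgPrint("IoAttachDeviceByPointer Ok,FileSystem=%p\n",FileSysDevice);
    DbgPrint("-------------------Quit HookDisk\n");

deref_file:
    /* Drop the reference taken by ObReferenceObjectByHandle. */
    ObDereferenceObject( FileObject );
close_handle:
    ZwClose( NtFileHandle );
    return NtStatus;
}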
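/*
 * Driver unload routine.
 *
 * Removes the Win32 symbolic link, detaches and deletes the filter device
 * if one was attached, then deletes the control device.
 *
 * Changes from the original: the symbolic link is removed first, so no new
 * user-mode open can resolve to a device that is about to be deleted, and
 * the global device pointers are cleared once their objects are gone so a
 * stale pointer cannot be reused.
 *
 * NOTE(review): nothing here waits for IRPs that MyDispatch has already
 * forwarded to the file system. Detaching and deleting a filter device while
 * such requests are outstanding is unsafe; the original comment in
 * DriverEntry says Unload exists for debugging only, which should stay true
 * unless in-flight I/O is tracked.
 */
VOID
Unload(PDRIVER_OBJECT DriverObject)
{
    UNICODE_STRING Win32DeviceName;

    RtlInitUnicodeString(&Win32DeviceName,DOS_DEVICE_NAME);
    IoDeleteSymbolicLink(&Win32DeviceName);

    if (HookDevice)
    {
        /* The extension remembers which device HookDisk attached to. */
        IoDetachDevice(((PHOOK_EXTENSION)HookDevice->DeviceExtension)->FileSystem );
        IoDeleteDevice(HookDevice);
        HookDevice = NULL;
    }

    IoDeleteDevice(GUIDevice);
    GUIDevice = NULL;

    DbgPrint (("Unload OK\n"));
}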
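/*
 * Dispatch routine for the user-interface (control) device.
 *
 * Create and close requests are logged and succeed. A device-control
 * request carrying DEVICE_IO_CTL_HOOK calls HookDisk to attach the filter.
 * Every other major function is logged and completed with success, as
 * before. The IRP is always completed here.
 *
 * DeviceObject  the control device.
 * Irp           the request; must not be touched after IoCompleteRequest.
 *
 * Returns the status the IRP was completed with.
 *
 * Changes from the original:
 *  - HookDisk's result is propagated. The original completed the IRP with
 *    STATUS_SUCCESS even when the attach failed, so the caller could not
 *    tell whether the filter was installed.
 *  - An unrecognised control code is rejected with
 *    STATUS_INVALID_DEVICE_REQUEST instead of being reported as success.
 *  - The input/output buffer locals were never read and are gone, together
 *    with the MmGetSystemAddressForMdl call that mapped Irp->MdlAddress for
 *    no consumer.
 *
 * NOTE(review): any caller able to open the control device can install the
 * file system filter. No access check is visible in this routine; whether
 * the IOCTL demands write access depends on how DEVICE_IO_CTL_HOOK is
 * defined (not shown) and on the device's security descriptor. Confirm both
 * restrict the request to administrators.
 */
NTSTATUS
GUIDispatch( IN PDEVICE_OBJECT DeviceObject, IN PIRP Irp )
{
    PIO_STACK_LOCATION irpStack;
    NTSTATUS status = STATUS_SUCCESS;

    DbgPrint(("-------------------Entry GUIDispatch\n"));

    /* Current I/O stack location carries the major function and IOCTL code. */
    irpStack = IoGetCurrentIrpStackLocation (Irp);

    switch (irpStack->MajorFunction)
    {
    case IRP_MJ_CREATE:
        DbgPrint (("IRP_MJ_CREATE\n"));
        break;

    case IRP_MJ_CLOSE:
        DbgPrint (("IRP_MJ_CLOSE\n"));
        break;

    case IRP_MJ_DEVICE_CONTROL:
        DbgPrint (("IRP_MJ_DEVICE_CONTROL\n"));
        switch (irpStack->Parameters.DeviceIoControl.IoControlCode)
        {
        case DEVICE_IO_CTL_HOOK:
            DbgPrint (("DEVICE_IO_CTL_HOOK\n"));
            status = HookDisk(DeviceObject->DriverObject);
            break;

        default:
            status = STATUS_INVALID_DEVICE_REQUEST;
            break;
        }
        break;

    default:
        /* Includes cleanup, which has to succeed for the handle to close. */
        DbgPrint(("IRP_MJ_UNKNOWN\n"));
        break;
    }

    /* No data is returned to the caller on any path. */
    Irp->IoStatus.Status = status;
    Irp->IoStatus.Information = 0;

    /* Tell the I/O manager the request is finished. */
    IoCompleteRequest( Irp, IO_NO_INCREMENT );

    DbgPrint(("-------------------Quit GUIDispatch\n"));
    return status;
}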
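/*
 * IRP dispatch routine shared by every major function of this driver.
 *
 * Requests addressed to the control device (extension DeviceType ==
 * DEVICE_TYPE_GUI) are handed to GUIDispatch. Everything else arrived on
 * the filter device: the major function is logged and the IRP is passed,
 * unmodified, to the file system device recorded in the extension.
 *
 * DeviceObject  device the IRP was sent to.
 * Irp           the request.
 *
 * Returns GUIDispatch's status, or whatever the lower driver returns.
 *
 * Change from the original: the next stack location is no longer filled by
 * a raw structure copy. That copy also duplicated the current location's
 * CompletionRoutine, Context and Control fields, so a completion routine
 * registered by the driver above could be invoked a second time on behalf
 * of this driver. Since no completion routine is set here, the current
 * location is simply skipped and the lower driver reuses it.
 */
NTSTATUS
MyDispatch( IN PDEVICE_OBJECT DeviceObject, IN PIRP Irp )
{
    PIO_STACK_LOCATION currentIrpStack = IoGetCurrentIrpStackLocation(Irp);
    PHOOK_EXTENSION HookExt = DeviceObject->DeviceExtension;

    /* Request for our own control device. */
    if( HookExt->DeviceType==DEVICE_TYPE_GUI) return GUIDispatch( DeviceObject, Irp );

    /* Request travelling down the hooked file system stack. */
    DbgPrint(("-------------------Entry HookDispatch\n"));
    switch( currentIrpStack->MajorFunction )
    {
    case IRP_MJ_CREATE:
        DbgPrint(("IRP_MJ_CREATE\n"));
        break;
    case IRP_MJ_READ:
        DbgPrint(("IRP_MJ_READ\n"));
        break;
    case IRP_MJ_WRITE:
        DbgPrint(("IRP_MJ_WRITE\n"));
        break;
    case IRP_MJ_CLOSE:
        DbgPrint(("IRP_MJ_CLOSE\n"));
        break;
    case IRP_MJ_FLUSH_BUFFERS:
        DbgPrint(("IRP_MJ_FLUSH_BUFFERS\n"));
        break;
    case IRP_MJ_QUERY_INFORMATION:
        DbgPrint(("IRP_MJ_QUERY_INFORMATION\n"));
        break;
    case IRP_MJ_SET_INFORMATION:
        DbgPrint(("IRP_MJ_SET_INFORMATION\n"));
        break;
    case IRP_MJ_QUERY_EA:
        DbgPrint(("IRP_MJ_QUERY_EA\n"));
        break;
    case IRP_MJ_SET_EA:
        DbgPrint(("IRP_MJ_SET_EA\n"));
        break;
    case IRP_MJ_QUERY_VOLUME_INFORMATION:
        DbgPrint(("IRP_MJ_QUERY_VOLUME_INFORMATION\n"));
        break;
    case IRP_MJ_SET_VOLUME_INFORMATION:
        DbgPrint(("IRP_MJ_SET_VOLUME_INFORMATION\n"));
        break;
    case IRP_MJ_DIRECTORY_CONTROL:
        DbgPrint(("case IRP_MJ_DIRECTORY_CONTROL\n"));
        break;
    case IRP_MJ_FILE_SYSTEM_CONTROL:
        DbgPrint(("IRP_MJ_FILE_SYSTEM_CONTROL\n"));
        break;
    case IRP_MJ_SHUTDOWN:
        DbgPrint(("IRP_MJ_SHUTDOWN\n"));
        break;
    case IRP_MJ_LOCK_CONTROL:
        DbgPrint(("IRP_MJ_LOCK_CONTROL\n"));
        break;
    case IRP_MJ_CLEANUP:
        DbgPrint(("IRP_MJ_CLEANUP\n"));
        break;
    case IRP_MJ_DEVICE_CONTROL:
        DbgPrint(("IRP_MJ_DEVICE_CONTROL\n"));
        break;
    case IRP_MJ_QUERY_SECURITY:
        DbgPrint(("IRP_MJ_QUERY_SECURITY\n"));
        break;
    case IRP_MJ_SET_SECURITY:
        DbgPrint(("IRP_MJ_SET_SECURITY\n"));
        break;
    case IRP_MJ_POWER:
        DbgPrint(("IRP_MJ_POWER\n"));
        break;
    case IRP_MJ_PNP:
        DbgPrint(("IRP_MJ_PNP\n"));
        break;
    default:
        DbgPrint(("IRP_MJ_UNKOWN\n"));
        break;
    }

    /*
     * No processing of our own: hand the request to the file system. The
     * stack location is skipped rather than copied (see header comment);
     * currentIrpStack must not be dereferenced past this point.
     */
    IoSkipCurrentIrpStackLocation( Irp );

    DbgPrint(("-------------------Quit HookDispatch\n"));
    return IoCallDriver( HookExt->FileSystem, Irp );
}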
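/*
 * Driver entry point.
 *
 * Creates the named control device (GUIDevice) and its Win32 symbolic link,
 * routes every IRP major function to MyDispatch, registers Unload and
 * installs the Fast I/O table.
 *
 * DriverObject  this driver's driver object.
 * RegistryPath  service key path; not used.
 *
 * Returns STATUS_SUCCESS, or the status of the call that failed. On a
 * symbolic-link failure the control device is deleted again.
 *
 * Change from the original: the control device is created with
 * FILE_DEVICE_SECURE_OPEN. With characteristics 0, an open that appends a
 * path to the device name is not checked against the device's security
 * descriptor, so the descriptor could be bypassed by opening a name inside
 * the device's namespace.
 *
 * NOTE(review): the device still receives the default security descriptor
 * that IoCreateDevice applies. Because GUIDispatch lets a caller install the
 * file system filter, consider creating the device with an explicit
 * administrators-only descriptor (for example via IoCreateDeviceSecure).
 */
NTSTATUS
DriverEntry(IN PDRIVER_OBJECT DriverObject,IN PUNICODE_STRING RegistryPath)
{
    NTSTATUS Status;
    UNICODE_STRING NtDeviceName;
    UNICODE_STRING Win32DeviceName;
    ULONG i;

    /* Create the exclusive, named control device. */
    RtlInitUnicodeString(&NtDeviceName,NT_DEVICE_NAME);
    Status=IoCreateDevice( DriverObject,sizeof(HOOK_EXTENSION),&NtDeviceName,
                           FILE_DEVICE_DISK_FILE_SYSTEM,FILE_DEVICE_SECURE_OPEN,
                           TRUE,&GUIDevice );
    /*
     * The HOOK_EXTENSION is not strictly required for this device; the
     * global GUIDevice could identify it just as well.
     */
    if (!NT_SUCCESS(Status))
    {
        DbgPrint(("IoCreateDevice faild\n"));
        return Status;
    }

    /* Tag the extension so MyDispatch can tell this device from the filter. */
    ((PHOOK_EXTENSION)GUIDevice->DeviceExtension)->DeviceType=DEVICE_TYPE_GUI;

    /* Create the Win32-visible symbolic link so applications can open it. */
    RtlInitUnicodeString(&Win32DeviceName,DOS_DEVICE_NAME);
    Status=IoCreateSymbolicLink(&Win32DeviceName,&NtDeviceName);
    if (!NT_SUCCESS(Status))
    {
        DbgPrint (("IoCreateSymbolicLink faild\n"));
        IoDeleteDevice( GUIDevice );
        return Status;
    }

    /* One dispatch routine serves every major function. */
    for( i = 0; i <= IRP_MJ_MAXIMUM_FUNCTION; i++ )
    {
        DriverObject->MajorFunction[i] = MyDispatch;
    }

    /*
     * Unload is registered for debugging convenience (DriverMonitor); the
     * author intended to expose it only through DeviceIoControl later.
     */
    DriverObject->DriverUnload =Unload;

    /* Install the Fast I/O hook table. */
    DriverObject->FastIoDispatch = &FastIoHook;

    DbgPrint (("DriverEntry Ok\n"));
    return Status;
}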