阅读:2655回复:12
devia贴的“文件加密标识 -隐藏文件头的黑客代码”,我在尝试用它,测试出问题了,来看看
DriverObject->MajorFunction[IRP_MJ_QUERY_INFORMATION] = SfGetInformation;
DriverObject->MajorFunction[IRP_MJ_DIRECTORY_CONTROL] = SfGetInformation; DriverObject->MajorFunction[IRP_MJ_SET_INFORMATION] = SfSetInformation; NTSTATUS SfGetInformation ( IN PDEVICE_OBJECT DeviceObject, IN PIRP Irp ) { PFILESPY_DEVICE_EXTENSION DevExt = (PFILESPY_DEVICE_EXTENSION) DeviceObject->DeviceExtension; PIO_STACK_LOCATION IrpSp = IoGetCurrentIrpStackLocation(Irp); PFILE_OBJECT FileObject = IrpSp->FileObject; NTSTATUS Status = STATUS_SUCCESS; PFILE_BOTH_DIR_INFORMATION DirInfo = NULL; PFILE_BOTH_DIR_INFORMATION PreDirInfo = NULL; ULONG Length = 0; ULONG NewLength = 0; ULONG Offset = 0; ULONG CurPos = 0; void *pBuffer; // // We only care about volume filter device object // if (!DevExt->NLExtHeader.StorageStackDeviceObject) { IoSkipCurrentIrpStackLocation(Irp); return IoCallDriver(DevExt->NLExtHeader.AttachedToDeviceObject, Irp); } if (!ThisIsOurFile(&IrpSp->FileObject->FileName)) { IoSkipCurrentIrpStackLocation(Irp); return IoCallDriver(DevExt->NLExtHeader.AttachedToDeviceObject, Irp); } KdPrint(("sfilter!SfGetInformation: Flags ======== [%d]\n", Irp->Flags)); if (!(Irp->Flags & (IRP_NOCACHE | IRP_PAGING_IO | IRP_SYNCHRONOUS_PAGING_IO))) { IoSkipCurrentIrpStackLocation(Irp); return IoCallDriver(DevExt->NLExtHeader.AttachedToDeviceObject, Irp); } if(IrpSp->Parameters.Read.Length == InvisiblePartSize) { IoSkipCurrentIrpStackLocation(Irp); return IoCallDriver(DevExt->NLExtHeader.AttachedToDeviceObject, Irp); } //KdPrint(("SFilter!SfGetInformation ERROR:222\n")); switch(IrpSp->MajorFunction) { case IRP_MJ_QUERY_INFORMATION: { //_asm int 3; switch (IrpSp->Parameters.QueryFile.FileInformationClass) { //Information types that contains file size or current offset case FilePositionInformation: case FileEndOfFileInformation: case FileStandardInformation: case FileAllocationInformation: case FileAllInformation: //_asm int 3; KdPrint(("SFilter!SfGetInformation ERROR:333\n")); Status = SfForwardIrpSyncronously(DevExt->NLExtHeader.AttachedToDeviceObject, Irp); break; default: { KdPrint(("SFilter!SfGetInformation ERROR:444\n")); IoSkipCurrentIrpStackLocation(Irp); return IoCallDriver(DevExt->NLExtHeader.AttachedToDeviceObject, Irp); break; } } break; } case IRP_MJ_DIRECTORY_CONTROL: { if (IrpSp->MinorFunction == IRP_MN_QUERY_DIRECTORY) { KdPrint(("SFilter!SfGetInformation ERROR:\n")); Status = SfForwardIrpSyncronously(DevExt->NLExtHeader.AttachedToDeviceObject, Irp); break; } else { IoSkipCurrentIrpStackLocation(Irp); return IoCallDriver(DevExt->NLExtHeader.AttachedToDeviceObject, Irp); } } default: { KdPrint(("SFilter!SfGetInformation ERROR:666\n")); IoSkipCurrentIrpStackLocation(Irp); return IoCallDriver(DevExt->NLExtHeader.AttachedToDeviceObject, Irp); break; } } //_asm int 3; while (TRUE) { KdPrint(("SFilter!SfGetInformation ERROR:777\n")); if (!NT_SUCCESS(Status)) break; //Call original handler //Handle different types of IRP KdPrint(("SFilter!SfGetInformation ERROR:888\n")); switch (IrpSp->MajorFunction) { case IRP_MJ_QUERY_INFORMATION: { //ThisIsOurFile is already tested switch (IrpSp->Parameters.QueryFile.FileInformationClass) { //In all cases modify CurrentByteOffset and/or size (EndOfFile) //to hide first InvisiblePartSize bytes case FilePositionInformation: ((PFILE_POSITION_INFORMATION)Irp->AssociatedIrp.SystemBuffer)->CurrentByteOffset.QuadPart -= InvisiblePartSize; break; case FileEndOfFileInformation: ((PFILE_END_OF_FILE_INFORMATION)Irp->AssociatedIrp.SystemBuffer)->EndOfFile.QuadPart -= InvisiblePartSize; break; case FileStandardInformation: ((PFILE_STANDARD_INFORMATION)Irp->AssociatedIrp.SystemBuffer)->AllocationSize.QuadPart -= InvisiblePartSize; ((PFILE_STANDARD_INFORMATION)Irp->AssociatedIrp.SystemBuffer)->EndOfFile.QuadPart -= InvisiblePartSize; break; case FileAllocationInformation: ((PFILE_ALLOCATION_INFORMATION)Irp->AssociatedIrp.SystemBuffer)->AllocationSize.QuadPart -= InvisiblePartSize; break; case FileAllInformation: ((PFILE_ALL_INFORMATION)Irp->AssociatedIrp.SystemBuffer)->PositionInformation.CurrentByteOffset.QuadPart -= InvisiblePartSize; ((PFILE_ALL_INFORMATION)Irp->AssociatedIrp.SystemBuffer)->StandardInformation.EndOfFile.QuadPart -= InvisiblePartSize; break; default: break; } break; } case IRP_MJ_DIRECTORY_CONTROL: { PFQD_SmallCommonBlock pQueryDirWin32; //Get a pointer to first directory entries if (IrpSp->MinorFunction == IRP_MN_QUERY_DIRECTORY) { if (Irp->MdlAddress) pBuffer = MmGetSystemAddressForMdl(Irp->MdlAddress); else pBuffer = Irp->UserBuffer; } else break; pQueryDirWin32 = (PFQD_SmallCommonBlock)pBuffer; //Cycle through directory entries while (1) { PWCHAR pFileName = 0; ULONG dwFileNameLength = 0; switch (IrpSp->Parameters.QueryFile.FileInformationClass) { //In all cases get pointer to FileName and FileNameLength case FileDirectoryInformation: dwFileNameLength = ((PKFILE_DIRECTORY_INFORMATION)pQueryDirWin32)->CommonBlock.FileNameLength; pFileName = ((PKFILE_DIRECTORY_INFORMATION)pQueryDirWin32)->FileName; break; case FileFullDirectoryInformation: dwFileNameLength = ((PKFILE_FULL_DIR_INFORMATION)pQueryDirWin32)->CommonBlock.FileNameLength; pFileName = ((PKFILE_FULL_DIR_INFORMATION)pQueryDirWin32)->FileName; break; case FileBothDirectoryInformation: dwFileNameLength = ((PKFILE_BOTH_DIR_INFORMATION)pQueryDirWin32)->CommonBlock.FileNameLength; pFileName = ((PKFILE_BOTH_DIR_INFORMATION)pQueryDirWin32)->FileName; break; default: break; } //_asm int 3; //Is this file that we want? if ((dwFileNameLength == OurFileNameLen) && _wcsnicmp(pFileName, OurFileName, OurFileNameLen/2)==0) { //_asm int 3; //Hide first InvisiblePartSize bytes ((PFQD_CommonBlock)pQueryDirWin32)->FileAttr.EndOfFile.QuadPart -= InvisiblePartSize; break; } //Quit if no more directory entries if (!pQueryDirWin32->NextEntryOffset) break; //Continue with next directory entry pQueryDirWin32 = (PFQD_SmallCommonBlock)((CHAR*)pQueryDirWin32 + pQueryDirWin32->NextEntryOffset); } break; } } break; } IoCompleteRequest(Irp, IO_NO_INCREMENT); return Status; } NTSTATUS SfSetInformation( IN PDEVICE_OBJECT DeviceObject, IN PIRP Irp ) { PFILESPY_DEVICE_EXTENSION DevExt = (PFILESPY_DEVICE_EXTENSION) DeviceObject->DeviceExtension; PIO_STACK_LOCATION IrpSp = IoGetCurrentIrpStackLocation(Irp); PFILE_OBJECT FileObject = IrpSp->FileObject; NTSTATUS Status = STATUS_SUCCESS; // // We only care about volume filter device object // if (!DevExt->NLExtHeader.StorageStackDeviceObject) { IoSkipCurrentIrpStackLocation(Irp); return IoCallDriver(DevExt->NLExtHeader.AttachedToDeviceObject, Irp); } if (IrpSp->Parameters.QueryFile.FileInformationClass == FileRenameInformation) { IoSkipCurrentIrpStackLocation(Irp); return IoCallDriver(DevExt->NLExtHeader.AttachedToDeviceObject, Irp); } //KdPrint(("sfilter!SfSetInformation: in 111111111111111111111111 \n")); do { if (IrpSp->FileObject && ThisIsOurFile(&IrpSp->FileObject->FileName)) { //_asm int 3; switch (IrpSp->Parameters.QueryFile.FileInformationClass) { //Information types that contains file size or current offset. //In all cases modify CurrentByteOffset and/or size (EndOfFile) //to hide first InvisiblePartSize bytes case FilePositionInformation: ((PFILE_POSITION_INFORMATION)Irp->AssociatedIrp.SystemBuffer)->CurrentByteOffset.QuadPart += InvisiblePartSize; break; case FileEndOfFileInformation: ((PFILE_END_OF_FILE_INFORMATION)Irp->AssociatedIrp.SystemBuffer)->EndOfFile.QuadPart += InvisiblePartSize; break; case FileStandardInformation: ((PFILE_STANDARD_INFORMATION)Irp->AssociatedIrp.SystemBuffer)->AllocationSize.QuadPart += InvisiblePartSize; ((PFILE_STANDARD_INFORMATION)Irp->AssociatedIrp.SystemBuffer)->EndOfFile.QuadPart += InvisiblePartSize; break; case FileAllocationInformation: //_asm int 3; ((PFILE_ALLOCATION_INFORMATION)Irp->AssociatedIrp.SystemBuffer)->AllocationSize.QuadPart += InvisiblePartSize; break; case FileAllInformation: ((PFILE_ALL_INFORMATION)Irp->AssociatedIrp.SystemBuffer)->PositionInformation.CurrentByteOffset.QuadPart += InvisiblePartSize; ((PFILE_ALL_INFORMATION)Irp->AssociatedIrp.SystemBuffer)->StandardInformation.EndOfFile.QuadPart += InvisiblePartSize; //((PFILE_ALL_INFORMATION)Irp->AssociatedIrp.SystemBuffer)->AllocationSize.QuadPart += InvisiblePartSize; break; default: { IoSkipCurrentIrpStackLocation(Irp); return IoCallDriver(DevExt->NLExtHeader.AttachedToDeviceObject, Irp); break; } } } } while (FALSE); Status = SfForwardIrpSyncronously(DevExt->NLExtHeader.AttachedToDeviceObject, Irp); if (!NT_SUCCESS(Status)) { KdPrint(("sfilter!SfSetInformation: SfForwardIrpSyncronously failed, return %x\n", Status)); } Irp->IoStatus.Status = Status; IoCompleteRequest(Irp, IO_NO_INCREMENT); return Status; } 各位,看看,我改得对吗? |
|
沙发#
发布于:2007-07-23 19:45
贴出来才知道,代码的可读性差啊,白贴了,估计也没人看
|
|
板凳#
发布于:2007-07-23 21:00
可以使用代码标签
|
|
|
地板#
发布于:2007-07-23 21:20
如果这些东西拿来就能用,那么大把的人都掌握这个技术了
devia贴出这些东西,可没有公开他的加密标示技术,说明这些东西仅供思考,还是要自己搞 |
|
|
地下室#
发布于:2007-07-24 02:45
个人觉得思路是对的,只是我没调好啦,我的问题
FileStandardInformation FileAllInformation IRP_MJ_DIRECTORY_CONTROL中的IRP_MN_QUERY_DIRECTORY我也处理了(但就是重来没进去过) sfread中也跳过自己读标识的动作了 fastio,我都return FALSE;处理了 能读到文件头标识,但源文件自己打开出错,why??? 提示: Not enough storage is available to process this command???? 错误 |
|
5楼#
发布于:2007-07-24 02:45
我的步骤:
1.在sfcreate完成函数执行后,read c:\tt111.txt文件的头(文件标识)。 对 2.在SfGetInformation函数中有以下代码: case FileStandardInformation: ((PFILE_STANDARD_INFORMATION)Irp->AssociatedIrp.SystemBuffer)->EndOfFile.QuadPart -= InvisiblePartSize; break; case FileAllInformation: ((PFILE_ALL_INFORMATION)Irp->AssociatedIrp.SystemBuffer)->PositionInformation.CurrentByteOffset.QuadPart -= InvisiblePartSize; ((PFILE_ALL_INFORMATION)Irp->AssociatedIrp.SystemBuffer)->StandardInformation.EndOfFile.QuadPart -= InvisiblePartSize; break; 3.在sfread中有以下代码: if(IrpSp->Parameters.Read.Length == InvisiblePartSize) //屏蔽读头标识时执行sfread函数中的加解密动作 { IoSkipCurrentIrpStackLocation(Irp); return IoCallDriver(DevExt->NLExtHeader.AttachedToDeviceObject, Irp); } //IrpSp->Parameters.Read.Length -=InvisiblePartSize; IrpSp->Parameters.Read.ByteOffset.QuadPart +=InvisiblePartSize; Length = IrpSp->Parameters.Read.Length ; 4.fastio中我全部类似于下面的处理: BOOLEAN SpyFastIoQueryStandardInfo ( IN PFILE_OBJECT FileObject, IN BOOLEAN Wait, OUT PFILE_STANDARD_INFORMATION Buffer, OUT PIO_STATUS_BLOCK IoStatus, IN PDEVICE_OBJECT DeviceObject ) { PDEVICE_OBJECT deviceObject; PFAST_IO_DISPATCH fastIoDispatch; PRECORD_LIST recordList; BOOLEAN returnValue = FALSE; BOOLEAN shouldLog; PAGED_CODE(); ASSERT( IS_FILESPY_DEVICE_OBJECT( DeviceObject ) ); return FALSE;//开始就直接返回 5.IRP_MJ_DIRECTORY_CONTROL,我做了下面处理:(不知道为什么,dbg时,发现代码重来没被执行过) if ((dwFileNameLength == OurFileNameLen) && _wcsnicmp(pFileName, OurFileName, OurFileNameLen/2)==0) { //_asm int 3; //Hide first InvisiblePartSize bytes KdPrint(("SFilter!SfGetInformation ERROR:000000000000\n")); ((PFQD_CommonBlock)pQueryDirWin32)->FileAttr.EndOfFile.QuadPart -= InvisiblePartSize; break; } 6.问题: 测试时,打开c:\tt111.txt文件时,出现Not enough storage is available to process this command????窗口 help me |
|
6楼#
发布于:2007-07-24 06:40
和NOTEPAD本身有关,你用WORDPAD就可以了,NOTEPAD会调用GetfileinformationbyHandle来获得文件信息,这里获得的是原始的信息,然后会调用CreateFileMapping失败,然后跳框,提示存储空间不足,估计还有什么地方没处理好,感觉在文件头上处理还是比较麻烦的。
|
|
|
7楼#
发布于:2007-07-24 12:41
wowocock 兄,你说得对啊,我现在测试的结果,跟你说的一样啊
why? 看来我还得进一步深入啊 |
|
8楼#
发布于:2007-07-24 12:45
真希望在我加班加点时,边上有个同伴啊,哪怕是丑女也行啊
命苦啊。。。 |
|
9楼#
发布于:2007-07-24 13:07
测试发现:
在读文件标识时,我设置flag = 1, 到read中也是flag == 1 。。。。。。(1: IRP_NOCACHE) 但是,读真文时,flag = 0x900 (IRP_DEFER_IO_COMPLETION | IRP_READ_OPERATION) IRP_DEFER_IO_COMPLETION 应该是io延时的意思,我不理解了?????? |
|
10楼#
发布于:2007-07-24 13:57
引用第8楼wengzuhong于2007-07-24 12:45发表的 : 干这行就是吃苦的命,想丑女?弄个塑胶娃娃吧, |
|
|
11楼#
发布于:2007-07-24 16:28
哈哈,给你个安慰奖
|
|
12楼#
发布于:2008-11-25 09:47
Re:devia贴的“文件加密标识 -隐藏文件头的黑客代码”,我在尝试用它,测试出问题了,
大家继续讨论呢 |
|