|
阅读:1225回复:6
有谁遇到过这种现象???(devia大侠我已经将代码贴出来了)
我在set_information的处理函数中已经发现了文件的删除操作,并且将文件删除的IRP返回状态STATUS_ACCESS_DENIED,当加载驱动后,对文件进行删除时,系统会弹出提示框“要删除的文件路径不对或文件不存在”,此时会发现系统已经将该文件删除了,这是怎么回事?
真是奇怪!!! |
|
|
沙发#
发布于:2007-05-22 23:35
NTSTATUS
HookZwSetInformationFile( IN HANDLE FileHandle, OUT PIO_STATUS_BLOCK IoStatusBlock, IN PVOID FileInformation, IN ULONG FileInformationLength, IN FILE_INFORMATION_CLASS FileInformationClass ) { NTSTATUS rc = STATUS_UNSUCCESSFUL; PAGED_CODE(); if ( FileHandle != NULL && FileInformationClass == FileDispositionInformation ) { NTSTATUS nts = STATUS_UNSUCCESSFUL; IO_STATUS_BLOCK iosb ={ 0,0 }; PWCHAR pstring = NULL; ANSI_STRING ansiUndeleteFileName ; UNICODE_STRING usFileName ={ 0,0,0 }; PFILE_NAME_INFORMATION pFileInfo = NULL; RtlInitEmptyUnicodeString( &usFileName,'\0',0 ); RtlInitAnsiString( &ansiUndeleteFileName, ANSI_STRING_HIDE_FILE_NAME ); pFileInfo = (PFILE_NAME_INFORMATION) ExAllocatePool( PagedPool, sizeof(FILE_NAME_INFORMATION) + MAXPATHLENGTH_W ); if ( NULL == pFileInfo ) { return STATUS_INSUFFICIENT_RESOURCES; }//if ( NULL == pfni ) RtlZeroMemory( pFileInfo ,sizeof(FILE_NAME_INFORMATION) + MAXPATHLENGTH_W ); nts = ZwQueryInformationFile( FileHandle, &iosb, pFileInfo, sizeof(FILE_NAME_INFORMATION) + MAXPATHLENGTH_W, FileNameInformation ); if ( !NT_SUCCESS(nts) ) { ExFreePool(pFileInfo); pFileInfo = NULL; return nts; } else { ANSI_STRING ansiDesFileName={0,0,0}, ansiSrcFileName={0,0,0}; PWSTR pwstr=NULL; ULONG len =0; pwstr= wcsrchr( pFileInfo->FileName, L'\\' ); RtlInitUnicodeString(&usFileName, pwstr+1); // uniFileName 不用释放 RtlUnicodeStringToAnsiString(&ansiDesFileName, &usFileName, TRUE); // TRUE, 必须释放 RtlUnicodeStringToAnsiString(&ansiSrcFileName, &usFileName, TRUE); RtlUpperString(&ansiDesFileName, &ansiSrcFileName); // 打印结果, 用 debugview 可以查看打印结果 KdPrint(("ansiFileName :%s\n", ansiDesFileName.Buffer)); KdPrint(("HideFileName :%s\n", ansiUndeleteFileName.Buffer)); len = ansiUndeleteFileName.Length; if( len > ansiDesFileName.Length ) { KdPrint((" Danger!!\n" )); len = ansiDesFileName.Length; } //此处的ansiDesFileName长度可能大于ansiUndeleteFileName,从而造成BSOD if( RtlCompareMemory(ansiDesFileName.Buffer, ansiUndeleteFileName.Buffer, len ) == ansiUndeleteFileName.Length) { RtlFreeAnsiString(&ansiSrcFileName); RtlFreeAnsiString(&ansiDesFileName); ExFreePool(pFileInfo); pFileInfo = NULL; return STATUS_UNSUCCESSFUL; } RtlFreeAnsiString(&ansiSrcFileName); RtlFreeAnsiString(&ansiDesFileName); } ExFreePool(pFileInfo); pFileInfo = NULL; }//if ( FileHandle != NULL && FileInforma rc = ((REALZWSETINFORMATIONFILE)(RealZwSetInformationFile))( FileHandle, IoStatusBlock, FileInformation, FileInformationLength, FileInformationClass ); return rc; } |
|
|
板凳#
发布于:2007-05-22 12:20
wcsstr是区分大小写的!
|
|
|
|
地板#
发布于:2007-05-22 10:01
好的!多谢devia大侠,我现在将wcsncmp换成wcsstr了,这样就不存在大小写的问题了。
|
|
|
地下室#
发布于:2007-05-22 09:43
1. 在IRP_MJ_CREATE中检查文件打开时是否有:
DELETE、FILE_DELETE_ON_CLOSE标志, 如果有应该禁止打开操作; 2. wcsncmp是区分大小写比较,请改正; |
|
|
|
5楼#
发布于:2007-05-22 09:25
引用第1楼devia于2007-05-22 08:14发表的 : NTSTATUS SfSetInformation ( IN PDEVICE_OBJECT DeviceObject, IN PIRP Irp ) { NTSTATUS status; PIO_STACK_LOCATION irpSp; PUNICODE_STRING name; GET_NAME_CONTROL nameControl; int cmpresult; wchar_t* testDirPath = L"\\Device\\HarddiskVolume1\\test"; irpSp = IoGetCurrentIrpStackLocation(Irp); if(irpSp->Parameters.SetFile.FileInformationClass == FileDispositionInformation) { DbgPrint("----------------------禁止删除文件--------------------\n"); name = SfGetFileName( irpSp->FileObject, Irp->IoStatus.Status, &nameControl ); cmpresult = wcsncmp( name->Buffer, testDirPath, wcslen( testDirPath ) ); if( cmpresult == 0 ) { DbgPrint("===========比较结果一致==========\n"); Irp->IoStatus.Status = STATUS_ACCESS_DENIED; Irp->IoStatus.Information = 0; IoCompleteRequest(Irp, IO_NO_INCREMENT); return STATUS_ACCESS_DENIED; } } IoSkipCurrentIrpStackLocation( Irp ); return IoCallDriver( ((PSFILTER_DEVICE_EXTENSION) DeviceObject->DeviceExtension)->AttachedToDeviceObject, Irp ); } |
|
|
6楼#
发布于:2007-05-22 08:14
代码贴上来,这和细节有关,:-)
|
|
|