求教:如何在create中利用file_object读取打开的文件的内容
如何在create中利用file_object读取打开的文件的内容,用IoBuildSynchronousFsdRequest可行否?我要读取文件头部,来判断是否是加密过的文件,哪位给段代码呀,谢谢!
沙发#
发布于:2007-07-24 21:48
OSR有篇关于用WINDBG从FILE_OBJECT得到文件内容的文章,具体地址忘了.
|
|
板凳#
发布于:2007-07-24 11:19
一起努力
|
|
地板#
发布于:2007-07-24 10:38
没留意看看
|
|
地下室#
发布于:2007-07-23 12:34
能读出标识了,但问题又来了
打开文件时,出现标识不显示了(正确),可是总是在文件的末尾加了几个“空格”(长度=标识的长度) 为什么,shakesky 兄,你遇到过了吗? |
|
5楼#
发布于:2007-07-23 11:29
不好意思,好久没来了
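/*
 * SfCreate - create dispatch routine of the filter (it reads
 * IrpSp->Parameters.Create).
 *
 * Flow, as visible in this routine:
 *   1. Opens of the filter's own control device are failed with
 *      STATUS_INVALID_DEVICE_REQUEST.
 *   2. Requests on devices without a StorageStackDeviceObject, direct volume
 *      opens (empty name, no related file object) and directory opens are
 *      passed down untouched.
 *   3. Otherwise the create is forwarded synchronously; on success the
 *      file's FsContext is looked up in the per-device generic table. A known
 *      FsContext only gets its RefCount bumped; a new one is inserted and
 *      SfIsEncryptFlagExist is run on it (directly at PASSIVE_LEVEL,
 *      otherwise through a work item that this routine waits for).
 *
 * Returns the status the IRP is completed with (or the lower driver's status
 * on the pass-through paths).
 */
NTSTATUS
SfCreate(
    IN PDEVICE_OBJECT DeviceObject,
    IN PIRP Irp
    )
{
    PSFILTER_DEVICE_EXTENSION DevExt = (PSFILTER_DEVICE_EXTENSION) DeviceObject->DeviceExtension;
    PIO_STACK_LOCATION IrpSp = IoGetCurrentIrpStackLocation(Irp);
    PFILE_OBJECT FileObject = IrpSp->FileObject;
    PFILE_OBJECT RelatedFileObject = FileObject->RelatedFileObject;
    PWSTR FileName = NULL;
    NTSTATUS Status = STATUS_SUCCESS;
    POST_CREATE_WORKER_CONTEXT WorkerCtx;

    PAGED_CODE();

    //
    // If this is for our control device object, don't allow it to be opened.
    //
    if (IS_MY_CONTROL_DEVICE_OBJECT(DeviceObject)) {
        //
        // Sfilter doesn't allow for any communication through its control
        // device object, therefore it fails all requests to open a handle
        // to its control device object.
        //
        // See the FileSpy sample for an example of how to allow creates to
        // the filter's control device object and manage communication via
        // that handle.
        //
        Irp->IoStatus.Status = STATUS_INVALID_DEVICE_REQUEST;
        Irp->IoStatus.Information = 0;
        IoCompleteRequest(Irp, IO_NO_INCREMENT);
        return STATUS_INVALID_DEVICE_REQUEST;
    }

    ASSERT(IS_MY_DEVICE_OBJECT(DeviceObject));

    //
    // We only care about volume filter device object
    //
    if (!DevExt->StorageStackDeviceObject) {
        IoSkipCurrentIrpStackLocation(Irp);
        return IoCallDriver(DevExt->AttachedToDeviceObject, Irp);
    }

    //
    // Open Volume Device directly
    //
    if ((FileObject->FileName.Length == 0) && !RelatedFileObject) {
        IoSkipCurrentIrpStackLocation(Irp);
        return IoCallDriver(DevExt->AttachedToDeviceObject, Irp);
    }

    do {
        //
        // If the file is opened by id, then we can't get file name directly,
        // But if this case happened, the FsContext must be in GenericTable already.
        // So we just update the RefCount, that's enough
        //
        if (!(IrpSp->Parameters.Create.Options & FILE_OPEN_BY_FILE_ID)) {
            FileName = ExAllocateFromPagedLookasideList(&gFileNameLookAsideList);
            if (!FileName) {
                KdPrint(("sfilter!SfCreate: ExAllocatePoolWithTag failed\n"));
                Status = STATUS_INSUFFICIENT_RESOURCES;
                break;
            }

            if (!SfDissectFileName(DeviceObject, Irp, FileName)) {
                KdPrint(("sfilter!SfCreate: SfDissectFileName failed\n"));
                Status = STATUS_INVALID_PARAMETER;
                break;
            }

            if (IrpSp->Parameters.Create.Options & FILE_DIRECTORY_FILE) {
                //
                // We don't care about directories
                //
                ExFreeToPagedLookasideList(&gFileNameLookAsideList, FileName);
                IoSkipCurrentIrpStackLocation(Irp);
                return IoCallDriver(DevExt->AttachedToDeviceObject, Irp);
            }
        } else if (IrpSp->Parameters.Create.Options & FILE_DIRECTORY_FILE) {
            //
            // We don't care about directories
            //
            IoSkipCurrentIrpStackLocation(Irp);
            return IoCallDriver(DevExt->AttachedToDeviceObject, Irp);
        }

        //
        // Debug tracing for two test files. FileName is still NULL on the
        // open-by-file-id path, so it must not be handed to wcscmp there:
        // a NULL dereference in a dispatch routine brings the system down.
        //
        if (FileName) {
            if (wcscmp(FileName, L"C:\\test\\cccc.txt") == 0) {
                KdPrint(("open:%x,%ws\n",
                         IrpSp->Parameters.Create.SecurityContext->DesiredAccess,
                         FileName));
            }
            if (wcscmp(FileName, L"C:\\test\\test.txt") == 0) {
                KdPrint(("open:%x,%ws\n",
                         IrpSp->Parameters.Create.SecurityContext->DesiredAccess,
                         FileName));
            }
        }

        Status = SfForwardIrpSyncronously(DevExt->AttachedToDeviceObject, Irp);

        if (NT_SUCCESS(Status) && (STATUS_REPARSE != Status)) {
            FILE_CONTEXT FileCtx;
            PFILE_CONTEXT FileCtxPtr = NULL;
            BOOLEAN NewElement = FALSE;

            //
            // Only file objects that SfIsObjectFile accepts are tracked;
            // everything else is completed without further processing.
            //
            if (!SfIsObjectFile(FileObject))
                break;

            FileCtx.FsContext = FileObject->FsContext;

            //
            // Opens that ask for FILE_READ_ATTRIBUTES only are not tracked.
            //
            if (IrpSp->Parameters.Create.SecurityContext->DesiredAccess == FILE_READ_ATTRIBUTES) //FILE_READ_DATA
                break;

            ExAcquireFastMutex(&DevExt->FsCtxTableMutex);

            FileCtxPtr = RtlLookupElementGenericTable(&DevExt->FsCtxTable, &FileCtx);
            if (FileCtxPtr) {
                ++FileCtxPtr->RefCount;
                ExReleaseFastMutex(&DevExt->FsCtxTableMutex);
                break;
            }

            //
            // A new entry needs a name. The open-by-id path carries none; the
            // original code only ASSERTed here, which is compiled out of free
            // builds and left wcscpy to dereference NULL. Leave such a file
            // untracked instead.
            //
            ASSERT(FileName);
            if (!FileName) {
                ExReleaseFastMutex(&DevExt->FsCtxTableMutex);
                break;
            }

            FileCtxPtr = RtlInsertElementGenericTable(
                &DevExt->FsCtxTable,
                &FileCtx,
                sizeof(FILE_CONTEXT),
                &NewElement
                );
            if (!FileCtxPtr) {
                //
                // RtlInsertElementGenericTable returns NULL when the entry
                // cannot be allocated. The create has already succeeded
                // below us, so the open is left in place, just untracked.
                //
                KdPrint(("sfilter!SfCreate: RtlInsertElementGenericTable failed\n"));
                ExReleaseFastMutex(&DevExt->FsCtxTableMutex);
                break;
            }

            FileCtxPtr->RefCount = 1;

            // NOTE(review): unbounded copy - assumes FILE_CONTEXT.Name can hold
            // any name that fits a gFileNameLookAsideList buffer; confirm
            // against the FILE_CONTEXT declaration.
            wcscpy(FileCtxPtr->Name, FileName);

            KeInitializeEvent(&FileCtxPtr->Event, SynchronizationEvent, TRUE);

            ExReleaseFastMutex(&DevExt->FsCtxTableMutex);

            //KdPrint(("open:%x,%ws\n",IrpSp->Parameters.Create.SecurityContext->DesiredAccess,
            //    FileName));

            //
            // WorkerCtx lives on this stack frame. That is only safe because
            // the queued case below waits for WorkerCtx.Event before
            // returning.
            //
            ExInitializeWorkItem(&WorkerCtx.WorkItem, SfIsEncryptFlagExist, &WorkerCtx);
            WorkerCtx.DeviceObject = ((PSFILTER_DEVICE_EXTENSION) DeviceObject->DeviceExtension)->AttachedToDeviceObject;
            WorkerCtx.FileObject = FileObject;
            KeInitializeEvent(&WorkerCtx.Event, NotificationEvent, FALSE);
            WorkerCtx.FileContext = FileCtxPtr;
            //WorkerCtx.NewElement = NewElement;

            if (KeGetCurrentIrql() == PASSIVE_LEVEL) {
                SfIsEncryptFlagExist(&WorkerCtx);
            } else {
                ExQueueWorkItem(&WorkerCtx.WorkItem, DelayedWorkQueue);
                KeWaitForSingleObject(&WorkerCtx.Event, Executive, KernelMode, FALSE, NULL);
            }
        }
    } while (FALSE);

    if (FileName)
        ExFreeToPagedLookasideList(&gFileNameLookAsideList, FileName);

    Irp->IoStatus.Status = Status;
    IoCompleteRequest(Irp, IO_NO_INCREMENT);
    return Status;
}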
|
6楼#
发布于:2007-07-16 16:59
shakesky 兄,能不能将你的这段代码贴全拉??
小弟再次谢了 |
|
7楼#
发布于:2007-07-16 16:57
结果死机啊,黑屏啊
|
|
8楼#
发布于:2007-07-16 16:55
shakesky 兄,IoBuildSynchronousFsdRequest在上面代码的判断之后调用???
|
|
9楼#
发布于:2007-07-16 15:53
先谢过,我去试试
|
|
10楼#
发布于:2007-07-16 14:10
终于搞定了,总结一下:不要怀疑调用IoBuildDeviceIoControlRequest,下发Irp来读取文件片断有问题,导致蓝屏出错原因往往是有些file_object对象无效或者还没完全生成,加了些屏蔽条件就好了。
// Poster's note: here is my version; I hope it helps.
//
// In SfCreate, the filtering conditions are:
//
//     if(!SfIsObjectFile(FileObject))
//         break;
//     FileCtx.FsContext = FileObject->FsContext;
//     if ((IrpSp->Parameters.Create.SecurityContext->DesiredAccess == FILE_READ_ATTRIBUTES) ) //FILE_READ_DATA
//         break;

/*
 * SfIsObjectFile - decide whether a file object is one the filter handles.
 *
 * Treats FileObject->FsContext as an FSRTL_COMMON_FCB_HEADER and returns TRUE
 * only when its NodeTypeCode equals FAT_NTC_FCB or NTFS_NTC_FCB. Returns
 * FALSE when FsContext is NULL or carries any other node type code.
 *
 * NOTE(review): FAT_NTC_FCB and NTFS_NTC_FCB are defined elsewhere;
 * presumably they mirror file-system-internal node type codes, which may
 * differ between OS versions and file systems - confirm on every target.
 */
BOOLEAN
SfIsObjectFile(
    IN PFILE_OBJECT FileObject
    )
{
    PFSRTL_COMMON_FCB_HEADER header = (PFSRTL_COMMON_FCB_HEADER) FileObject->FsContext;

    // No FsContext means there is nothing to classify.
    if (header == NULL) {
        return FALSE;
    }

    switch (header->NodeTypeCode) {
    case FAT_NTC_FCB:
    case NTFS_NTC_FCB:
        return TRUE;
    default:
        return FALSE;
    }
}
|
11楼#
发布于:2007-07-13 11:25
谢谢了,先
|
|
12楼#
发布于:2007-07-13 11:12
|
|
|
13楼#
发布于:2007-07-13 11:11
IFS中关于如何利用自己的IRP来实现IO操作的文章,
名字大概是:”Rolling Your Own“, 我记得前段时间我也贴在坛子里了, 所以,大家在问问题前一定要先搜,再问! |
|
|
14楼#
发布于:2007-07-13 11:08
楼上,你在哪儿调用此函数?
|
|
15楼#
发布于:2007-07-13 09:12
我也有段代码,可是读出来的数据总是一样是0x4e9052eb 20534654
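/*++

MakeAsynchronousRequest

    Builds an IRP_MJ_READ request for offset 0 with
    IoBuildAsynchronousFsdRequest, sends it to TopOfDeviceStack and waits for
    it to complete.

Arguments:

    TopOfDeviceStack - Device object the read IRP is sent to.

    ReadBuffer - Buffer the read is issued against.

    NumBytes - Size of ReadBuffer, and the number of bytes requested.

Return Value:

    STATUS_INSUFFICIENT_RESOURCES if no IRP could be built; otherwise the
    status returned by IoCallDriver, replaced by the final completion status
    when the request was pended.

    NOTE(review): the IRP is sent without a FILE_OBJECT in its next stack
    location, so the target stack has no way of knowing which file is meant.
    The values reported for this code in the thread (0x4e9052eb 0x20534654)
    are the bytes EB 52 90 'N' 'T' 'F' 'S' ' ', which look like the start of
    an NTFS boot sector, i.e. volume offset 0 rather than file offset 0.
    Reading file contents needs IoGetNextIrpStackLocation(irp)->FileObject set
    to the opened file object, which this signature does not carry.

--*/
NTSTATUS
MakeAsynchronousRequest(
    PDEVICE_OBJECT TopOfDeviceStack,
    PVOID ReadBuffer,
    ULONG NumBytes
    )
{
    NTSTATUS status;
    PIRP irp;
    LARGE_INTEGER startingOffset;
    IO_STATUS_BLOCK IoStatusBlock;
    KEVENT event;
    MY_READ_CONTEXT myReadContext;

    startingOffset.QuadPart = (LONGLONG) 0;

    //
    // The original also called IoAllocateIrp first and then overwrote the
    // pointer with the IRP built below, leaking the first IRP on every call.
    // Only one IRP is needed.
    //
    irp = IoBuildAsynchronousFsdRequest(
        IRP_MJ_READ,
        TopOfDeviceStack,
        ReadBuffer,
        NumBytes,
        &startingOffset, // Optional
        &IoStatusBlock
        );
    if (NULL == irp) {
        // Without this check IoSetCompletionRoutine would dereference NULL.
        return STATUS_INSUFFICIENT_RESOURCES;
    }

    //
    // The event and the context live on this stack frame; that is safe
    // because the function waits for completion before returning.
    //
    KeInitializeEvent(&event, NotificationEvent, FALSE);
    myReadContext.event = &event;

    IoSetCompletionRoutine(irp,
                           MakeAsynchronousRequestCompletion,
                           &myReadContext, //context,
                           TRUE,
                           TRUE,
                           TRUE);

    //
    // Debug fill so stale data is recognisable. Bounded by the caller's
    // NumBytes: the original filled READ_BUFF_SIZE bytes regardless of the
    // size that was actually passed in.
    //
    memset(ReadBuffer, '1', NumBytes);
    if (NumBytes >= sizeof(ULONG)) {
        DbgPrint("%X", *((ULONG*)ReadBuffer));
    }

    status = IoCallDriver(TopOfDeviceStack, irp);

    if (status == STATUS_PENDING) {
        KeWaitForSingleObject(&event, Executive, KernelMode, FALSE, NULL);

        //
        // The IRP is already freed by the completion routine, so the final
        // status comes from the status block that routine fills in.
        //
        status = IoStatusBlock.Status;
    }

    if (NumBytes >= 2 * sizeof(ULONG)) {
        DbgPrint("%X %X", ((ULONG*)ReadBuffer)[0], ((ULONG*)ReadBuffer)[1]);
    }

    return status;
}

/*
 * MakeAsynchronousRequestCompletion - completion routine for the IRP built
 * by MakeAsynchronousRequest.
 *
 * Stops completion processing (STATUS_MORE_PROCESSING_REQUIRED), so the
 * resources IoBuildAsynchronousFsdRequest attached to the IRP have to be
 * released here before the IRP itself is freed. Context is the
 * MY_READ_CONTEXT whose event is signalled once the IRP is gone.
 */
NTSTATUS
MakeAsynchronousRequestCompletion(
    IN PDEVICE_OBJECT DeviceObject,
    IN PIRP Irp,
    IN PVOID Context
    )
{
    PMDL mdl, nextMdl;
    PMY_READ_CONTEXT pMyReadContext = (PMY_READ_CONTEXT)Context;

    DbgPrint("Information %X", (ULONG)Irp->IoStatus.Information);
    DbgPrint("Status %X", Irp->IoStatus.Status);

    //
    // Completion is stopped below, so the I/O manager never copies the
    // result into the caller's status block. Do it here, before the IRP is
    // freed.
    //
    if (Irp->UserIosb != NULL) {
        *Irp->UserIosb = Irp->IoStatus;
    }

    //
    // If the target device object is set up to do buffered i/o
    // (TopOfDeviceStack->Flags and DO_BUFFERED_IO), then
    // IoBuildAsynchronousFsdRequest request allocates a system buffer
    // for read and write operation. If you stop the completion of the IRP
    // here, you must free that buffer.
    //
    // NOTE(review): for a buffered read the data stays in that system buffer;
    // this routine does not copy it back to the caller's buffer.
    //
    if (Irp->AssociatedIrp.SystemBuffer && (Irp->Flags & IRP_DEALLOCATE_BUFFER)) {
        ExFreePool(Irp->AssociatedIrp.SystemBuffer);
    }
    //
    // If the target device object is set up do direct i/o (DO_DIRECT_IO), then
    // IoBuildAsynchronousFsdRequest creates an MDL to describe the buffer
    // and locks the pages. If you stop the completion of the IRP, you must unlock
    // the pages and free the MDL.
    //
    else if (Irp->MdlAddress != NULL) {
        for (mdl = Irp->MdlAddress; mdl != NULL; mdl = nextMdl) {
            nextMdl = mdl->Next;
            MmUnlockPages(mdl);
            IoFreeMdl(mdl); // This function will also unmap pages.
        }
        Irp->MdlAddress = NULL;
    }

    //
    // If you intend to queue the IRP and reuse it for another request,
    // make sure you call IoReuseIrp(Irp, STATUS_SUCCESS) before you reuse.
    //
    IoFreeIrp(Irp);

    // Signal last: the waiter's stack (event, status block) may go away
    // as soon as the event is set.
    KeSetEvent(pMyReadContext->event, IO_NO_INCREMENT, FALSE);

    //
    // NOTE: this is the only status that you can return for driver-created asynchronous IRPs.
    //
    return STATUS_MORE_PROCESSING_REQUIRED;
}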
|
16楼#
发布于:2007-07-12 23:00
我用windbg,
|
|
17楼#
发布于:2007-07-12 23:00
我用windbg,
|
|
18楼#
发布于:2007-07-12 10:21
错误: 我就没抓到错误,只出现黑屏,直接重启,我还想问,我的softice为什么没抓到信息,是不是少了什么设置? 而且系统也没有dump,郁闷。
|
|
19楼#
发布于:2007-07-12 09:40
引用第9楼michaelgz于2007-07-12 04:50发表的 : 那该啥时候读,如何读? |
|