难道Sysmantec 中使用了minifilter,有兴趣的可以去研究以下。无意中发现Sysmantec 好像使用了minifilter, 有兴趣的可以研究一下。 驱动:eeCtrl.sys 部分代码:
// Hex-Rays pseudo-C of the control-driver initialisation routine in eeCtrl.sys.
// The trace strings below name it CControlDriver::Initialize; a1 is used as the
// base of every field write, so it is presumably the CControlDriver object
// ("this") — TODO confirm. SourceString is appended with L"\\Parameters" and an
// "ImagePath" value is read afterwards, so it is presumably the service registry
// path handed to DriverEntry — verify against the caller.
//
// Return value: an NTSTATUS. Literal -1073741670 is 0xC000009A
// (STATUS_INSUFFICIENT_RESOURCES); -1073741823 is 0xC0000001 (STATUS_UNSUCCESSFUL).
//
// Reviewer notes on what this routine exposes:
//   * It creates \Device\EraserCtrlDrv and the user-mode-visible symbolic link
//     \??\EraserCtrlDrv, then installs IRP handlers for indices 0, 2 and 15.
//     Those handlers (sub_13FCE / sub_1404C / sub_140CC) are the user-reachable
//     surface of this driver and are where any input validation must live.
//   * IoCreateDevice is called with DeviceCharacteristics = 0, i.e. without
//     FILE_DEVICE_SECURE_OPEN. Microsoft's guidance is to set that flag on
//     control devices so that opens carrying a trailing name component are also
//     checked against the device object's security descriptor.
//   * Several identifiers (ST1C_1_0, v23) are never assigned in this listing;
//     they are register/decompiler artifacts, not necessarily real bugs.
NTSTATUS __stdcall sub_12474(int a1, PDRIVER_OBJECT DriverObject, PUNICODE_STRING SourceString)
{
  char ST1C_1_0; // ST1C_1@0
  NTSTATUS result; // eax@1
  SIZE_T *v5; // esi@1
  int v6; // edi@2
  int v7; // eax@9
  int v8; // eax@10
  int v9; // eax@12
  int v10; // eax@13
  PDEVICE_OBJECT *v11; // ebx@17
  NTSTATUS v12; // eax@18
  signed int v13; // esi@18
  char *v14; // ST14_4@19
  char v15; // ST18_1@19
  signed int v16; // eax@22
  int v17; // eax@23
  signed int v18; // eax@28
  NTSTATUS v19; // eax@30
  signed int v20; // eax@32
  signed int v21; // eax@34
  signed int v22; // eax@36
  int v23; // ecx@38
  int v24; // edi@38
  int v25; // eax@40
  signed int v26; // eax@42
  int v27; // eax@44
  signed int v28; // eax@46
  int v29; // eax@49
  PVOID v30; // eax@2
  unsigned __int16 v31; // ax@4
  PVOID v32; // eax@4
  int v33; // eax@6
  const WCHAR *v34; // eax@8
  int v35; // eax@9
  PVOID v36; // eax@18
  PUNICODE_STRING v37; // ecx@18
  char v38; // [sp+2Ch] [bp-14h]@9
  int *v39; // [sp+18h] [bp-28h]@15
  UNICODE_STRING DestinationString; // [sp+1Ch] [bp-24h]@17
  UNICODE_STRING SymbolicLinkName; // [sp+24h] [bp-1Ch]@18
  int v42; // [sp+14h] [bp-2Ch]@28
  int v43; // [sp+10h] [bp-30h]@36
  char v44; // [sp+Fh] [bp-31h]@38

  // v5 aliases SourceString; *(_WORD *)v5 is therefore UNICODE_STRING.Length (bytes).
  v5 = (SIZE_T *)SourceString;
  // sub_13F44 is called again near the end with a second argument of 1; its
  // meaning is not visible here.
  result = sub_13F44((int)SourceString, 0);
  if ( result >= 0 )
  {
    // The casts below treat a1+28 as a UNICODE_STRING: Length at +28,
    // MaximumLength at +30, Buffer at +32. It receives a copy of SourceString.
    // Pool tag 0x61644343 is the bytes 'C','C','d','a' in memory.
    v30 = ExAllocatePoolWithTag(PagedPool, *(_WORD *)v5, 0x61644343u);
    v6 = a1;
    *(_DWORD *)(a1 + 32) = v30;
    // Second UNICODE_STRING at a1+36 (Length +36, MaximumLength +38, Buffer +40),
    // sized Length + 22 so that L"\\Parameters" (11 WCHARs = 22 bytes) fits.
    // Either allocation failing returns STATUS_INSUFFICIENT_RESOURCES; the first
    // buffer is not released on that path within this function.
    if ( !v30
      || (*(_WORD *)(a1 + 30) = *(_WORD *)v5,
          RtlCopyUnicodeString((PUNICODE_STRING)(a1 + 28), (PUNICODE_STRING)v5),
          v31 = *(_WORD *)v5 + 22,
          *(_WORD *)(v6 + 38) = *(_WORD *)v5 + 22,
          v32 = ExAllocatePoolWithTag(PagedPool, v31, 0x61644343u),
          *(_DWORD *)(v6 + 40) = v32,
          !v32) )
      return -1073741670;
    RtlCopyUnicodeString((PUNICODE_STRING)(v6 + 36), (PUNICODE_STRING)v5);
    result = RtlAppendUnicodeToString((PUNICODE_STRING)(v6 + 36), L"\\Parameters");
    if ( result < 0 )
      return result;
    // Presumably opens a registry key (the "\Parameters" path was just built and
    // "ImagePath" is read next) — which key is not visible. The second argument
    // is a code address cast to ACCESS_MASK, almost certainly a decompiler
    // mistyping of a constant; do not read it as a real access mask.
    v33 = sub_19FBC();
    if ( sub_1A06A(v33, (ACCESS_MASK)sub_20019) >= 0 )
    {
      // Reads "ImagePath" into the object at a1+92 (presumably a registry value).
      if ( sub_1A67A(L"ImagePath", v6 + 92) >= 0 )
      {
        v34 = (const WCHAR *)sub_17A58();
        if ( sub_1434C(v6 + 44, v34) >= 0 )
        {
          // NUL-terminates at the WCHAR pointer sub_17A58 returns and sets the
          // Length of a UNICODE_STRING whose Buffer is at a1+100 (Length at
          // a1+96) to the byte distance between Buffer and that pointer.
          v35 = sub_17A58();
          *(_WORD *)v35 = 0;
          *(_WORD *)(v6 + 96) = 2 * (unsigned __int16)((v35 - *(_DWORD *)(v6 + 100)) >> 1);
          // Cleanup of the stack object v38; also called on the failure path
          // below, so it runs once on every path that reaches this point.
          sub_1A006((int)&v38);
          dword_5C6EC = (int)DriverObject;
          // Two 0x18-byte NonPagedPool (pool type 0) blocks, tag bytes 'C','C','e','V',
          // each passed to sub_1A880 (presumably an in-place constructor — confirm)
          // and stored at a1+24 and a1+4936.
          v7 = (int)ExAllocatePoolWithTag(0, 0x18u, 0x56654343u);
          if ( v7 )
            v8 = sub_1A880(v7);
          else
            v8 = 0;
          *(_DWORD *)(v6 + 24) = v8;
          v9 = (int)ExAllocatePoolWithTag(0, 0x18u, 0x56654343u);
          if ( v9 )
            v10 = sub_1A880(v9);
          else
            v10 = 0;
          v39 = (int *)(v6 + 4936);
          *(_DWORD *)(v6 + 4936) = v10;
          if ( *(_DWORD *)(v6 + 24) && *(_DWORD *)(v6 + 4936) )
          {
            RtlInitUnicodeString(&DestinationString, L"\\Device\\EraserCtrlDrv");
            v11 = (PDEVICE_OBJECT *)(v6 + 20);
            // Device extension = SourceString->Length + 12 bytes: owner pointer at +0,
            // a UNICODE_STRING at +4 whose Buffer points at +12 inside the extension.
            // DeviceType 0xAD9C (vendor range), DeviceCharacteristics 0 (no
            // FILE_DEVICE_SECURE_OPEN), Exclusive FALSE.
            result = IoCreateDevice(
                       DriverObject,
                       SourceString->Length + 12,
                       &DestinationString,
                       0xAD9Cu,
                       0,
                       0,
                       (PDEVICE_OBJECT *)(v6 + 20));
            if ( result < 0 )
              return result;
            v36 = (*v11)->DeviceExtension;
            v37 = SourceString;
            *(_DWORD *)v36 = v6;
            *((_WORD *)v36 + 3) = v37->Length;
            *((_DWORD *)v36 + 2) = (char *)v36 + 12;
            RtlCopyUnicodeString((PUNICODE_STRING)((char *)v36 + 4), v37);
            // Global DeviceObject keeps the control device for the rest of the driver.
            DeviceObject = *v11;
            sub_18E02(SourceString, *v11);
            // sub_14666 / sub_14612 / sub_1463C are trace helpers; the latter two
            // take one format argument. dword_5C740 is the log context, 4 the level.
            sub_14666((void *)dword_5C740, 4, "CControlDriver::Initialize - Device created\n");
            // The \??\ link makes the device openable from user mode by name.
            RtlInitUnicodeString(&SymbolicLinkName, L"\\??\\EraserCtrlDrv");
            v12 = IoCreateSymbolicLink(&SymbolicLinkName, &DestinationString);
            v13 = v12;
            if ( v12 >= 0 )
            {
              // MiniFilter attach: the trace text names MiniFilter, but which Flt*
              // APIs sub_16ED6 / sub_17060 / sub_17146 wrap is not visible here.
              // Failure is logged only — initialisation continues either way.
              v16 = sub_16ED6();
              if ( v16 < 0 )
              {
                sub_14612(
                  (void *)dword_5C740,
                  4,
                  "CControlDriver::Initialize - MiniFilter not available (0x%08X)\n",
                  v16);
              }
              else
              {
                dword_5C71C = sub_17060((int)&unk_5C6A4);
                v17 = sub_17146((int)DriverObject);
                if ( v17 < 0 )
                {
                  sub_1463C(
                    (void *)dword_5C740,
                    4,
                    "CControlDriver::Initialize - MiniFilter initialization failed (0x%08X)\n",
                    v17);
                  sub_17126();
                }
              }
              // Certificate-verification library init (per the trace text). This one
              // is fatal: STATUS_UNSUCCESSFUL is returned. ST1C_1_0 is never assigned
              // in this listing, so the first %08X prints an indeterminate value; the
              // second trace passes the literal 1. Note the device and symbolic link
              // created above are not deleted on this path within this function —
              // presumably the caller tears them down; confirm.
              if ( !sub_1D1B0() )
              {
                sub_1463C(
                  (void *)dword_5C740,
                  4,
                  "ntkAuthenticate::InitializeLibrary - ccVerifyTrust::CVerifyCertProperties::Initialize() == FALSE\n",
                  ST1C_1_0);
                v13 = -1073741823;
                sub_1463C(
                  (void *)dword_5C740,
                  4,
                  "CControlDriver::Initialize - ntkAuthenticate::InitializeLibrary failed (0x%08X)\n",
                  1);
                return v13;
              }
              // Sub-object initialisation chain. The names come from the error
              // strings in the matching else branches below:
              //   sub_16130(a1+404) -> m_RebootActions
              //   sub_15A40(a1+380) -> m_ClientTracker
              //   sub_14774()       -> m_UtilDriverTracker.Initialize
              //   sub_13646()       -> SaveVersionInfo
              //   sub_16E0E(v42)    -> check for reboot actions
              v42 = v6 + 404;
              v18 = sub_16130(v6 + 404);
              v13 = v18;
              if ( v18 >= 0 )
              {
                v19 = sub_15A40(v6 + 380);
                v13 = v19;
                if ( v19 >= 0 )
                {
                  v20 = sub_14774();
                  v13 = v20;
                  if ( v20 >= 0 )
                  {
                    v21 = sub_13646();
                    v13 = v21;
                    if ( v21 >= 0 )
                    {
                      LOBYTE(v43) = 0;
                      v22 = sub_16E0E(v42);
                      v13 = v22;
                      if ( v22 >= 0 )
                      {
                        v24 = a1;
                        // As decompiled, v44 is cleared here and never written again,
                        // so the `!v44` / `v44` tests below look constant. sub_131D4
                        // most likely receives &v44 (or v43) in a register that the
                        // decompiler did not recover — treat these branches as live.
                        v44 = 0;
                        if ( sub_131D4() >= 0 )
                        {
                          if ( !v44 )
                          {
                            // "clean up old drivers" — failure is logged, not fatal.
                            v25 = sub_136E4(v24, v43);
                            if ( v25 < 0 )
                              sub_14612(
                                (void *)dword_5C740,
                                4,
                                "CControlDriver::Initialize - Failed to clean up old drivers (0x%08X)\n",
                                v25);
                          }
                        }
                        // "reset client count". v23 (ecx) is never assigned in this
                        // listing — a decompiler artifact for the first argument.
                        v26 = sub_1342E(v23, v24, 0);
                        if ( v26 < 0 )
                          sub_14612(
                            (void *)dword_5C740,
                            4,
                            "CControlDriver::Initialize - Failed to reset client count (0x%08X)\n",
                            v26);
                        // "execute reboot actions" — logged, not fatal.
                        v27 = sub_12FC0();
                        if ( v27 < 0 )
                          sub_14612(
                            (void *)dword_5C740,
                            4,
                            "CControlDriver::Initialize - Failed to execute reboot actions (0x%08X)\n",
                            v27);
                        // "detect pre-install" — this one is fatal (falls to the common
                        // error trace below).
                        v28 = sub_132F2(v24);
                        v13 = v28;
                        if ( v28 >= 0 )
                        {
                          if ( v44 )
                          {
                            sub_13F44((int)SourceString, 1);
                          }
                          else
                          {
                            // Self-pointer at a1+4932, then "create listener thread".
                            // A thread-creation failure is logged and becomes the return
                            // status, but the dispatch table below is still installed.
                            *(_DWORD *)(v24 + 4932) = v24;
                            v29 = sub_197E0();
                            v13 = v29;
                            if ( v29 < 0 )
                              sub_1463C(
                                (void *)dword_5C740,
                                4,
                                "CControlDriver::Initialize - Failed to create listener thread (0x%08X)\n",
                                v29);
                          }
                          // Dispatch table, installed only on this path. Indices are
                          // decimal: [0] = IRP_MJ_CREATE, [2] = IRP_MJ_CLOSE,
                          // [15] = 0x0F = IRP_MJ_INTERNAL_DEVICE_CONTROL (not
                          // IRP_MJ_DEVICE_CONTROL, which is 0x0E).
                          DriverObject->DriverUnload = (PDRIVER_UNLOAD)sub_12D2E;
                          DriverObject->MajorFunction[0] = (PDRIVER_DISPATCH)sub_13FCE;
                          DriverObject->MajorFunction[2] = (PDRIVER_DISPATCH)sub_1404C;
                          DriverObject->MajorFunction[15] = (PDRIVER_DISPATCH)sub_140CC;
                          sub_14666((void *)dword_5C740, 4, "CControlDriver::Initialize - Complete\n");
                          // Acts on the object at a1+4936 (via v39); purpose not visible.
                          sub_1A8CA(*v39);
                          return v13;
                        }
                        v15 = v28;
                        v14 = "CControlDriver::Initialize - Failed to detect pre-install (0x%08X)\n";
                      }
                      else
                      {
                        v15 = v22;
                        v14 = "CControlDriver::Initialize - Unable to check for reboot actions (0x%08X)\n";
                      }
                    }
                    else
                    {
                      v15 = v21;
                      v14 = "CControlDriver::Initialize - SaveVersionInfo failed (0x%08X)\n";
                    }
                  }
                  else
                  {
                    v15 = v20;
                    v14 = "CControlDriver::Initialize - m_UtilDriverTracker.Initialize failed (0x%08X)\n";
                  }
                }
                else
                {
                  v15 = v19;
                  v14 = "CControlDriver::Initialize - m_ClientTracker initialization failed (0x%08X)\n";
                }
              }
              else
              {
                v15 = v18;
                v14 = "CControlDriver::Initialize - m_RebootActions initialization failed (0x%08X)\n";
              }
            }
            else
            {
              v15 = v12;
              v14 = "CControlDriver::Initialize - Failed to create symbolic link (0x%08X)\n";
            }
            // Common error trace: v14 names the failed step, v15 carries the status.
            // v15 is declared char, so only the low byte of the status is printed
            // through %08X (decompiler typing; the original may have been int).
            sub_1463C((void *)dword_5C740, 4, v14, v15);
            return v13;
          }
          // One of the two 0x18-byte objects could not be allocated. The paged
          // buffers at a1+32 / a1+40 and the surviving 0x18 block are not released
          // here — presumably the caller's teardown handles it; confirm.
          return -1073741670;
        }
      }
    }
    // Registry open / ImagePath read / path processing failed: release v38 and
    // report STATUS_UNSUCCESSFUL.
    sub_1A006((int)&v38);
    result = -1073741823;
  }
  return result;
}
|
发布于:2008-06-12 16:02
。。。哪里看出来是使用MiniFilter架构哦
我没看出来,,,,