请问如何防止一个特定的文件被删除？

小弟想写一个过滤驱动来保护一个特定的文件不被删除和修改，请问如何实现？当用户态调用deletefile的时候，驱动受到什么请求？
谢谢了！

钩什么？

为什么不用钩子？

好文章

再这里学了不少，谢了

我在sfilter的基础上加上了   DriverObject->MajorFunction[IRP_MJ_SET_INFORMATION] = SfSetFileInfo;
。。。
NTSTATUS   //holk
SfSetFileInfo(
    IN PDEVICE_OBJECT DeviceObject,
    IN PIRP Irp
    )
{
    PIO_STACK_LOCATION irpSp = IoGetCurrentIrpStackLocation( Irp );
    PAGED_CODE();
    //
    //  Sfilter doesn't allow handles to its control device object to be created,
    //  therefore, no other operation should be able to come through.
    //
    ASSERT(!IS_MY_CONTROL_DEVICE_OBJECT( DeviceObject ));
    ASSERT(IS_MY_DEVICE_OBJECT( DeviceObject ));
    //
    //  Get this driver out of the driver stack and get to the next driver as
    //  quickly as possible.
    //
//    IoSkipCurrentIrpStackLocation( Irp );
    if ( irpSp->Parameters.SetFile.FileInformationClass == FileDispositionInformation )
    {
PFILE_DISPOSITION_INFORMATION pDispInfo = (PFILE_DISPOSITION_INFORMATION)(Irp->AssociatedIrp.SystemBuffer);
pDispInfo->DeleteFile = FALSE;    
    }
    IoCopyCurrentIrpStackLocationToNext( Irp );
    //
    //  Now call the appropriate file system driver with the request.
    //
    return IoCallDriver( ((PSFILTER_DEVICE_EXTENSION) DeviceObject->DeviceExtension)->AttachedToDeviceObject, Irp );      
}
可是安装之后并没有能够阻止删除文件，而且在设备管理器里也看不见，但是在device tree工具里面可以看见。
为什么不能拦截删除，再次真诚请教！

IRP_MJ_SET_INFORMATION里处理FileDispositionInformation

拜托能详细点吗？太笼统了。我是不是该拦截IO_MJ_SETINFORMATION
改变FILEDISPOSITION的属性啊？

具体我该在哪些DISPATCH函数里面作处理呢？

谢谢了。

做一个文件系统过滤驱动程序即可。

若是9X平台,用IFSMgr_InstallFileSystemApiHook,

若是2K以上平台,用ZwCreateFile(...)获得要拦截的分区设备对象,再用IoCreateDevice创建自己的过滤设备对象，再用将自己创建的设备对象加到文件系统对象上层，就可作过滤操作了，

How Are Files Deleted In Windows
OSR Staff | Published: 20-Jun-03| Modified: 20-Jun-03


A file or directory is deleted when a deletion request is pending and the last user reference to the file is released (that is, the last IRP_MJ_CLEANUP is sent to the file system).

 

Deletion is requested on a file or directory in one of two ways:

 

When the file/directory is opened, FILE_DELETE_ON_CLOSE is set.  The exact semantics of this are complicated because the file systems explicitly check for this, explicitly add DELETE access to the access required (even if not requested originally) and must deal with issues regarding directories (a directory must be empty before it can be marked delete pending).
For an already opened file/directory, the IRP_MJ_SET_INFORMATION, specifying FileDispositionInformation and then providing the FILE_DISPOSITION_INFORMATION structure indicating TRUE for the DeleteFile field.
 

In these cases the file is now scheduled for deletion, but that can be changed by a subsequent call to modify the file disposition (indicating FALSE for the DeleteFile field.)

 

Note that the EXACT semantics are file system specific.  Do not be surprised if you see some differences in the seven general purpose file systems currently available from Microsoft.  For example, CDFS and UDFS currently do not allow you to delete files (note the term "currently" - were Microsoft to provide a read/write UDF file system, then we suspect these semantics would change.)  NFS semantics are very different than CIFS semantics for deletion.  Similarly, the semantics of the Netware File System are also unclear.