|
阅读:2756回复:1
我 HOOK 了 ZwCreateFile,是文件仍然能创建,请问该返回什么值?
我 HOOK 了 ZwCreateFile,是文件仍然能创建,请问该返回什么值?
我看到有个代码会结束 IRP,可是我这里没有 IRP 指针,怎么结束呢? 谢谢! /** * New process function * Hook API ZwCreateFile */ NTSTATUS NewZwCreateFile ( OUT PHANDLE FileHandle, IN ACCESS_MASK DesiredAccess, IN POBJECT_ATTRIBUTES ObjectAttributes, OUT PIO_STATUS_BLOCK IoStatusBlock, IN PLARGE_INTEGER AllocationSize OPTIONAL, IN ULONG FileAttributes, IN ULONG ShareAccess, IN ULONG CreateDisposition, IN ULONG CreateOptions, IN PVOID EaBuffer OPTIONAL, IN ULONG EaLength ) { KdPrint(("NewZwCreateFile:: start\n")); if ( ExGetPreviousMode() != KernelMode ) { // .. KdPrint(("NewZwCreateFile:: not Kernel mode.\n")); } if ( ObjectAttributes->ObjectName->Buffer && wcsstr( ObjectAttributes->ObjectName->Buffer, L"111.txt" ) ) { // ¾Ü¾ø²Ù×÷ FileHandle = NULL; IoStatusBlock->Information = 0; IoStatusBlock->Status = STATUS_UNSUCCESSFUL; //return STATUS_UNSUCCESSFUL; return STATUS_INVALID_PARAMETER; } CHAR szFileName[ MAX_PATH ]; if ( FILE_WRITE_DATA == ( FILE_WRITE_DATA & DesiredAccess ) || FILE_APPEND_DATA == ( FILE_APPEND_DATA & DesiredAccess ) ) { RtlZeroMemory( szFileName, sizeof(szFileName) ); if ( ApiHookFsGetFilenameByHandle( FileHandle, szFileName, sizeof(szFileName) ) ) { if ( APIHOOKFS_ACTION_DENIED == ApiHookFsCheckAction( szFileName ) ) { // ¾Ü¾ø²Ù×÷ return STATUS_ACCESS_DENIED; } } } return g_pfnOrgZwCreateFile ( FileHandle, DesiredAccess, ObjectAttributes, IoStatusBlock, AllocationSize, FileAttributes, ShareAccess, CreateDisposition, CreateOptions, EaBuffer, EaLength ); } |
|
|
|
沙发#
发布于:2008-04-29 02:52
提供WINDOWS启动时的图形库及键盘接口.
提供内核层超稳定的HOOK库,可以拦任何函数, 如NTOSKRNL.EXE,BOOTVID.DLL,KDCOM.DLL,HAL.DLL等所有的函数。 连系EMAIL : qydok@126.com ---- |
|