寒江独钓中minifilter的问题

楼主^#

更多发布于：2010-09-01 16:19

小弟写得代码，基本上都是抄的寒江独钓的例子，刚学驱动多抄写代码学习一下，可是为什么编译成功并且运行后不能阻止记事本的打开呢？牛人们帮小弟看一下吧，代码很简单，估计您一二分钟就知道问题在哪了
#include <fltKernel.h>
#include <dontuse.h>
#include <suppress.h>

#pragma prefast(disable:_WARNING_ENCODE_MEMBER_FUNCTION_POINTER,"Not valid for kernel mode drivers")

#define FILTER_NAME L"Filter"

typedef struct _FILTER_DATA{
   PFLT_FILTER FilterHandle;
}FILTER_DATA,*PFILTER_DATA;

DRIVER_INITIALIZE DriverEntry;

NTSTATUS DriverEntry(PDRIVER_OBJECT DriverObject,PUNICODE_STRING RegistryPath);

NTSTATUS Unload(FLT_FILTER_UNLOAD_FLAGS Flags);

NTSTATUS QueryTeardown(PCFLT_RELATED_OBJECTS FltObjects,FLT_INSTANCE_QUERY_TEARDOWN_FLAGS Flags);

FLT_PREOP_CALLBACK_STATUS PreCreate(PFLT_CALLBACK_DATA Data,PCFLT_RELATED_OBJECTS FltObjects,PVOID* CompletionContext);

FLT_POSTOP_CALLBACK_STATUS PostCreate(PFLT_CALLBACK_DATA Data,PCFLT_RELATED_OBJECTS FltObjects,PVOID CompletionContext,FLT_POST_OPERATION_FLAGS Flags);

NTSTATUS InstanceSetup(PCFLT_RELATED_OBJECTS FltObjects,FLT_INSTANCE_SETUP_FLAGS Flags,DEVICE_TYPE VolumeDeviceType,FLT_FILESYSTEM_TYPE VolumeFilesystemType);

BOOLEAN UnicodeToString(PUNICODE_STRING UniName,char Name[]);

FILTER_DATA FilterData;

#ifdef ALLOC_PRAGMA
#pragma alloc_text(INIT,DriverEntry)
#pragma alloc_text(PAGE,Unload)
#pragma alloc_text(PAGE,QueryTeardown)
#pragma alloc_text(PAGE,PreCreate)
#endif

const FLT_OPERATION_REGISTRATION Callbacks[]={
   {IRP_MJ_CREATE,0,PreCreate,PostCreate},
   {IRP_MJ_OPERATION_END}
   };

CONST FLT_REGISTRATION FilterRegistration={
   sizeof(FLT_REGISTRATION),//SIZE
   FLT_REGISTRATION_VERSION,//VERSION
   0,//FLAGS
   NULL,//CONTEXT
   Callbacks,//OPERATION CALLBACK
   Unload,//
   InstanceSetup,//INSTANCE SETUP
   QueryTeardown,//
   NULL,
   NULL,
   NULL,
   NULL,
   NULL};

   NTSTATUS DriverEntry(PDRIVER_OBJECT DriverObject,PUNICODE_STRING RegistryPath)
   {
   NTSTATUS status;
   UNREFERENCED_PARAMETER(RegistryPath);
   DbgPrint("DriverEntry~");
   status=FltRegisterFilter(DriverObject,&FilterRegistration,&FilterData.FilterHandle);
   ASSERT(NT_SUCCESS(status));
   if(NT_SUCCESS(status))
   {

   status=FltStartFiltering(FilterData.FilterHandle);
   if(!NT_SUCCESS(status))
   {
   FltUnregisterFilter(FilterData.FilterHandle);

   }


   }

   return status;

   }

   BOOLEAN UnicodeToString(PUNICODE_STRING UniName,char Name[])
   {
   ANSI_STRING AnsiName;
   NTSTATUS status;
   char* name;

   __try{
   status=RtlUnicodeStringToAnsiString(&AnsiName,UniName,TRUE);
   if(AnsiName.Length<260)
   {
   name=(PCHAR)AnsiName.Buffer;
   strcpy(Name,_strupr(name));
   DbgPrint("UnicodeStringToChar: %S\n",Name);
   }
   RtlFreeAnsiString(&AnsiName);

   }
   __except(EXCEPTION_EXECUTE_HANDLER){

   DbgPrint("UnicodeStringToChar EXCEPTION_EXECUTE_HANDLER\n");
   return FALSE;


   }


   return TRUE;

   }




   NTSTATUS InstanceSetup(PCFLT_RELATED_OBJECTS FltObjects,FLT_INSTANCE_SETUP_FLAGS Flags,DEVICE_TYPE VolumeDeviceType,FLT_FILESYSTEM_TYPE VolumeFilesystemType)
   {
   UNREFERENCED_PARAMETER(FltObjects);
   UNREFERENCED_PARAMETER(Flags);
   UNREFERENCED_PARAMETER(VolumeDeviceType);
   UNREFERENCED_PARAMETER(VolumeFilesystemType);
   PAGED_CODE();
   DbgPrint("InstanceSetup~");
   return STATUS_SUCCESS;


   }


   FLT_PREOP_CALLBACK_STATUS PreCreate(PFLT_CALLBACK_DATA Data,PCFLT_RELATED_OBJECTS FltObjects,PVOID* CompletionContext)
   {
   char FileName[260]="X:";
   NTSTATUS status;
   PFLT_FILE_NAME_INFORMATION nameInfo;
   UNREFERENCED_PARAMETER(FltObjects);
   UNREFERENCED_PARAMETER(CompletionContext);
   PAGED_CODE();
   __try
   {
   status=FltGetFileNameInformation(Data,FLT_FILE_NAME_NORMALIZED|FLT_FILE_NAME_QUERY_DEFAULT,&nameInfo);
   if(NT_SUCCESS(status))
   {
   FltParseFileNameInformation(nameInfo);
   if(UnicodeToString(&nameInfo->Name,FileName))
   {
   if(strstr(FileName,"NOTEPAD.EXE")>0)
   {
   Data->IoStatus.Status=STATUS_ACCESS_DENIED;
   Data->IoStatus.Information=0;
   FltReleaseFileNameInformation(nameInfo);
   return FLT_PREOP_COMPLETE;
   }

   }
   FltReleaseFileNameInformation(nameInfo);
   }


   }
   __except(EXCEPTION_EXECUTE_HANDLER)
   {
   DbgPrint("PreCreate EXCEPTION_EXECUTE_HANDLER\n");
   }



   return FLT_PREOP_SUCCESS_NO_CALLBACK;
   }

   FLT_POSTOP_CALLBACK_STATUS PostCreate(PFLT_CALLBACK_DATA Data,PCFLT_RELATED_OBJECTS FltObjects,PVOID CompletionContext,FLT_POST_OPERATION_FLAGS Flags)
   {
   FLT_POSTOP_CALLBACK_STATUS returnStatus=FLT_POSTOP_FINISHED_PROCESSING;
   PFLT_FILE_NAME_INFORMATION nameInfo;
   NTSTATUS status;
   UNREFERENCED_PARAMETER(CompletionContext);
   UNREFERENCED_PARAMETER(Flags);
   return returnStatus;


   }


   NTSTATUS Unload(FLT_FILTER_UNLOAD_FLAGS Flags)
   {
   UNREFERENCED_PARAMETER(Flags);
   PAGED_CODE();
   DbgPrint("Unload~");
   FltUnregisterFilter(FilterData.FilterHandle);
   return STATUS_SUCCESS;

   }

   NTSTATUS QueryTeardown(PCFLT_RELATED_OBJECTS FltObjects,FLT_INSTANCE_QUERY_TEARDOWN_FLAGS Flags)
   {
   UNREFERENCED_PARAMETER(FltObjects);
   UNREFERENCED_PARAMETER(Flags);
   PAGED_CODE();
   DbgPrint("QueryTeardown~");
   return STATUS_SUCCESS;

   }

喜欢0

hfz8867879 驱动牛犊注册日期2010-07-31 最后登录2021-03-06 粉丝0 关注0 积分286分威望321点贡献值0点好评度0点原创分0分专家分4分加关注写私信	沙发^# 发布于：2010-09-01 16:22 小弟刚学习，完全是新手加菜鸟，大大们不吝赐教啊...代码简单的很，麻烦您看一眼吧
	回复(0) 喜欢(0)

ycmint 驱动牛犊注册日期2011-05-07 最后登录2012-03-19 粉丝0 关注0 积分12分威望141点贡献值0点好评度0点原创分0分专家分0分加关注写私信	板凳^# 发布于：2011-08-05 15:21 strcpy(Name,_strupr(name));
	回复(0) 喜欢(0)

您需要登录后才可以回帖，登录或者注册

寒江独钓中minifilter的问题

最新喜欢：