|
阅读:3515回复:1
过滤MountPointManager操作问题
为了拦截修改卷字符(Volume letter)的操作(计算机管理-磁盘管理-修改驱动器号)。我写了个驱动,挂在"\\DosDevices\\MountPointManager"上。
获取了所有IRP_MJ_DEVICE_CONTROL后看出来修改卷符号的操作是这样一个流程: IOCTL_MOUNTMGR_DELETE_POINTS IOCTL_MOUNTMGR_QUERY_DOS_VOLUME_PATHS ... IOCTL_MOUNTMGR_CREATE_POINT ... 但当我修改代码阻止DELETE_POINT和CREATE_POINT 操作之后,每次修改盘符的时候就出现下面这种现象: 1.被修改的盘的盘符没了,也就无法通过explorer或者cmd访问了。 2.修改的时候出现的事件如下: IOCTL_MOUNTMGR_DELETE_POINTS! We should ban this operation!!(这是我完成IRP操作的时候显示的) IOCTL_MOUNTMGR_QUERY_DOS_VOLUME_PATHS! IOCTL_MOUNTMGR_QUERY_DOS_VOLUME_PATHS! IOCTL_MOUNTMGR_QUERY_DOS_VOLUME_PATHS! IOCTL_MOUNTMGR_QUERY_DOS_VOLUME_PATHS! IOCTL_MOUNTMGR_QUERY_DOS_VOLUME_PATHS! IOCTL_MOUNTMGR_QUERY_DOS_VOLUME_PATHS! IOCTL_MOUNTMGR_QUERY_DOS_VOLUME_PATHS! IOCTL_MOUNTMGR_QUERY_DOS_VOLUME_PATHS! IOCTL_MOUNTMGR_CREATE_POINT! We should ban this operation!! IOCTL_MOUNTMGR_QUERY_POINTS! IOCTL_MOUNTMGR_DELETE_POINTS! We should ban this operation!! IOCTL_MOUNTMGR_CREATE_POINT! We should ban this operation!! IOCTL_MOUNTMGR_QUERY_POINTS! IOCTL_MOUNTMGR_DELETE_POINTS! We should ban this operation!! IOCTL_MOUNTMGR_CREATE_POINT! We should ban this operation!! IOCTL_MOUNTMGR_QUERY_POINTS! IOCTL_MOUNTMGR_DELETE_POINTS! We should ban this operation!! IOCTL_MOUNTMGR_CREATE_POINT! We should ban this operation!! IOCTL_MOUNTMGR_QUERY_POINTS! IOCTL_MOUNTMGR_DELETE_POINTS! We should ban this operation!! IOCTL_MOUNTMGR_CREATE_POINT! We should ban this operation!! IOCTL_MOUNTMGR_QUERY_POINTS! IOCTL_MOUNTMGR_DELETE_POINTS! We should ban this operation!! IOCTL_MOUNTMGR_QUERY_POINTS! ...(一堆IOCTL_MOUNTMGR_QUERY_POINTS) 用于返回IRP的代码: KdPrint(("We should ban this operation!!\n")); Irp->IoStatus.Status=STATUS_INVALID_PARAMETER; Irp->IoStatus.Information=0; IoCompleteRequest(Irp,IO_NO_INCREMENT); return STATUS_UNSUCCESSFUL; 请问为何会出现这种情况?多谢! |
|
|
沙发#
发布于:2009-04-03 12:56
没人看么?顶下顶下!
|
|