|
阅读:1624回复:1
高手进来看下,什么地方出错了
本人刚刚开始学习驱动,现在写一个minifilter截获删除,并创建硬链接的驱动
代码如下,高手看看那里错了 FLT_PREOP_CALLBACK_STATUS NPPreDelete ( __inout PFLT_CALLBACK_DATA Data, __in PCFLT_RELATED_OBJECTS FltObjects, __deref_out_opt PVOID *CompletionContext ) { PFILE_LINK_INFORMATION plinkinfo; char FileName[260] = "X:"; NTSTATUS status; HANDLE hFile; IO_STATUS_BLOCK isb; PFLT_FILE_NAME_INFORMATION nameInfo; UNICODE_STRING ufile_name; UNICODE_STRING filename; PDEVICE_OBJECT pDeviceObject; UNREFERENCED_PARAMETER( FltObjects ); UNREFERENCED_PARAMETER( CompletionContext ); PAGED_CODE(); if(IS_START==1) { __try { if(Data->Iopb->Parameters.SetFileInformation.FileInformationClass==FileDispositionInformation) { #if DBG _asm int 3; #endif RtlInitUnicodeString(&ufile_name,L"\\DosDevices\\E:\\test.txt"); plinkinfo =(PFILE_LINK_INFORMATION)ExAllocatePool(NonPagedPool, 512); RtlCopyMemory(&(plinkinfo->FileName),&ufile_name,ufile_name.Length); plinkinfo->FileNameLength = ufile_name.Length; plinkinfo->ReplaceIfExists = TRUE; plinkinfo->RootDirectory = NULL; //这个是通过FileObject获取文件句柄,是不是这里有问题? status = ObOpenObjectByPointer(Data->Iopb->TargetFileObject, 0, NULL, DELETE, *IoFileObjectType, KernelMode, &hFile ); //创建硬链接 status = NtSetInformationFile(hFile,&isb,plinkinfo,512,FileLinkInformation); if(status != STATUS_SUCCESS) { DbgPrint(("Create Link Error: %08X", status)); } ExFreePool(plinkinfo); NtClose(hFile); } } __except(EXCEPTION_EXECUTE_HANDLER) { DbgPrint("NPPreCreate EXCEPTION_EXECUTE_HANDLER\n"); } } return FLT_PREOP_SUCCESS_WITH_CALLBACK; } |
|
|
沙发#
发布于:2010-05-30 01:55
另一种方法是不获取文件句柄,直接用FileObject发送IRP
pDeviceObject=IoGetRelatedDeviceObject(Data->Iopb->TargetFileObject); status=cfFileSetInformation(pDeviceObject,&Data->Iopb->TargetFileObject,FileLinkInformation,NULL,&plinkinfo,sizeof(plinkinfo)); DbgPrint EXCEPTION_EXECUTE_HANDLER 不知什么地方错了 |
|