Views: 2326 Replies: 7

Adding IRP_MJ_DIRECTORY_CONTROL handling to sfilter to hide files. Why does it keep rebooting?

I added IRP_MJ_DIRECTORY_CONTROL handling to sfilter.

I have not yet added the actual code for the files to hide, and I don't know why the computer hangs as soon as I open "My Computer", while opening other folders directly works fine. Could an expert please take a look:

```c
// This is a dispatch function I added
DriverObject->MajorFunction[IRP_MJ_DIRECTORY_CONTROL] = SfDRControl;

// File control IRP request
NTSTATUS SfDRControl(IN PDEVICE_OBJECT DeviceObject, IN PIRP Irp)
{
    NTSTATUS status;
    PIO_STACK_LOCATION irpSp = IoGetCurrentIrpStackLocation( Irp );

    // PAGED_CODE();
    // VALIDATE_IRQL(Irp);

    //
    // If this is for our control device object, fail the operation
    //
    if (IS_MY_CONTROL_DEVICE_OBJECT(DeviceObject)) {
        Irp->IoStatus.Status = STATUS_INVALID_DEVICE_REQUEST;
        Irp->IoStatus.Information = 0;
        IoCompleteRequest( Irp, IO_NO_INCREMENT );
        return STATUS_INVALID_DEVICE_REQUEST;
    }

    ASSERT(IS_MY_DEVICE_OBJECT( DeviceObject ));

    // Check the minor function of the request
    if (irpSp->MinorFunction == IRP_MN_QUERY_DIRECTORY) {
        KEVENT waitEvent;

        KeInitializeEvent( &waitEvent, NotificationEvent, FALSE );
        IoCopyCurrentIrpStackLocationToNext( Irp );
        IoSetCompletionRoutine( Irp, SfDRControlCompletion, &waitEvent, TRUE, TRUE, TRUE );

        //
        // Call the next driver in the stack.
        //
        status = IoCallDriver( ((PSFILTER_DEVICE_EXTENSION) DeviceObject->DeviceExtension)->AttachedToDeviceObject, Irp );

        //
        // Wait for the completion routine to be called
        //
        if (STATUS_PENDING == status) {
            NTSTATUS localStatus = KeWaitForSingleObject( &waitEvent, Executive, KernelMode, FALSE, NULL );
            ASSERT(STATUS_SUCCESS == localStatus);
        }

        // Handle the corresponding file control request information here
        DbgPrint("Query Directory IRP Hooked!\n");
        status = Irp->IoStatus.Status;

        /*
        if( NT_SUCCESS( Irp->IoStatus.Status ) ) {
            if(irpSp->Parameters.QueryDirectory.FileInformationClass==FileBothDirectoryInformation) {
                // Hidden-file handling goes here
            }
        }
        */

        IoCompleteRequest( Irp, IO_NO_INCREMENT );
        return status;
    } else {
        IoSkipCurrentIrpStackLocation( Irp );
        return IoCallDriver( ((PSFILTER_DEVICE_EXTENSION) DeviceObject->DeviceExtension)->AttachedToDeviceObject, Irp );
    }
}

NTSTATUS SfDRControlCompletion(IN PDEVICE_OBJECT DeviceObject, IN PIRP Irp, IN PVOID Context)
{
    PKEVENT event = Context;

    UNREFERENCED_PARAMETER( DeviceObject );
    UNREFERENCED_PARAMETER( Irp );

    ASSERT(IS_MY_DEVICE_OBJECT( DeviceObject ));

    KeSetEvent(event, IO_NO_INCREMENT, FALSE);
    return STATUS_MORE_PROCESSING_REQUIRED;
}
```

Reply #1
Posted: 2005-05-27 15:53

What code did you add?

Where does the problem occur?

Reply #2
Posted: 2005-05-27 16:29

After PIO_STACK_LOCATION irpSp = IoGetCurrentIrpStackLocation( Irp ); you need to follow it with IoCopyCurrentIrpStackLocationToNext(Irp);. Also, IoCallDriver(((PSFILTER_DEVICE_EXTENSION) DeviceObject->DeviceExtension)->AttachedToDeviceObject, Irp); is very important too. I'm a newbie as well, heh.

Reply #3
Posted: 2005-05-27 22:56

It seems you complete the IRP request twice when processing IRP_MN_QUERY_DIRECTORY. Don't call IoCompleteRequest() after IoCallDriver().

The article "Passing IRPs down the Driver Stack" in the WinDDK documentation is very helpful.
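
Reply #4
Posted: 2005-05-31 12:01

"It seems you complete the IRP request twice when processing IRP_MN_QUERY_DIRECTORY. Don't call IoCompleteRequest() after IoCallDriver()."

It does have to be completed once more here, because he stopped the completion of the IRP in the completion routine. Leaving aside the statements commented out with /**/, I can't see any problem.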

Reply #5
Posted: 2005-05-31 13:16

					Yes, you are right. I missed his completion routine.				 
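
An added example, not code from the thread or from sfilter: a user-mode C model of the rule debated in the replies above, that a completion routine returning STATUS_MORE_PROCESSING_REQUIRED halts completion so the dispatch routine must call IoCompleteRequest once more, whereas with any other return value that same call completes the IRP twice. Every Model* name and the single-routine IRP are assumptions made for illustration.

```c
#include <stdio.h>

/* Constructed user-mode model, not WDK code; every Model* name is hypothetical. */
enum { MODEL_SUCCESS, MODEL_MORE_PROCESSING_REQUIRED };

typedef struct ModelIrp ModelIrp;
typedef int (*ModelCompletion)(ModelIrp *irp);

struct ModelIrp {
    ModelCompletion routine;  /* completion routine set by the filter       */
    int routine_pending;      /* routine registered and not yet called      */
    int finished;             /* I/O manager has finished (freed) the IRP   */
    int completed_twice;      /* completion requested again after finishing */
};

/* Models IoCompleteRequest: run the pending completion routine, then finish. */
static void ModelCompleteRequest(ModelIrp *irp)
{
    if (irp->finished) {      /* the real kernel bugchecks at this point */
        irp->completed_twice = 1;
        return;
    }
    if (irp->routine_pending) {
        irp->routine_pending = 0;
        if (irp->routine(irp) == MODEL_MORE_PROCESSING_REQUIRED)
            return;           /* completion halted: the filter owns the IRP again */
    }
    irp->finished = 1;
}

static int HaltingRoutine(ModelIrp *irp) { (void)irp; return MODEL_MORE_PROCESSING_REQUIRED; }
static int PassingRoutine(ModelIrp *irp) { (void)irp; return MODEL_SUCCESS; }

/* Models the dispatch path in the question: set the routine, call down (the
   lower driver completes the IRP), then optionally complete it again. */
static ModelIrp ModelFilterDispatch(ModelCompletion routine, int complete_again)
{
    ModelIrp irp = { routine, 1, 0, 0 };
    ModelCompleteRequest(&irp);      /* lower driver's completion */
    if (complete_again)
        ModelCompleteRequest(&irp);  /* filter's own IoCompleteRequest */
    return irp;
}

int main(void)
{
    ModelIrp ok = ModelFilterDispatch(HaltingRoutine, 1), hung = ModelFilterDispatch(HaltingRoutine, 0);
    ModelIrp twice = ModelFilterDispatch(PassingRoutine, 1);
    printf("halt+complete: finished=%d  halt only: finished=%d  pass+complete: twice=%d\n",
           ok.finished, hung.finished, twice.completed_twice);
    return 0;
}
```

In the model, halting without the second call leaves the IRP unfinished, which corresponds to a request that never returns to its caller.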
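
Reply #6
Posted: 2005-06-23 11:39

Quoting vancaho's post of 2005-05-24 10:10, "Adding IRP_MJ_DIRECTORY_CONTROL handling to sfilter to hide files. Why does it keep rebooting?":

I tried it, and it did not crash on XP SP2 (not tested over a long period). What is your OS? FILEMON handles it the same way; to be honest, it is very unstable and often blue-screens.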

Reply #7
Posted: 2005-06-24 09:51

Install a debugging tool, then uncheck "Automatically restart" in System Properties, and see what the error is.