求助,发Irp到FileDeviceObject直接删除文件的代码疑问
下面的代码是参考某大虾的文章后自己写的一段代码，作用如题：
/*
 * FDeleteFile - mark the file named by `filename` for deletion by building an
 * IRP_MJ_SET_INFORMATION / FileDispositionInformation request by hand and
 * handing it to the file system's volume device object.
 *
 * filename: NT object path of the file as a PUNICODE_STRING (its Buffer is not
 *           guaranteed to be NUL-terminated - see the DbgPrint notes below).
 * returns:  an NTSTATUS; see the NOTE(review) items for the ways the value
 *           returned today does not reflect what actually happened.
 *
 * The completion routine `IoCompletion` is defined elsewhere and is not
 * visible here. Everything after IoCallDriver() that touches `pirp` is only
 * valid if that routine returns STATUS_MORE_PROCESSING_REQUIRED, so that the
 * I/O manager does not free the IRP (and any MDL in MdlAddress) itself - confirm.
 */
NTSTATUS FDeleteFile(PUNICODE_STRING filename)
{
    HANDLE hf;
    NTSTATUS lns;
    IO_STATUS_BLOCK iosb;
    OBJECT_ATTRIBUTES oba;
    PFILE_OBJECT pfo;
    KEVENT event;
    PIRP pirp;
    // NOTE(review): `mdl` is never initialized. It is only assigned in the
    // DO_DIRECT_IO branch, so on the DO_BUFFERED_IO and "neither" paths the
    // `if(mdl){IoFreeMdl(mdl);}` at the end frees a garbage pointer - that is
    // the BAD_POOL_HEADER seen when the IoCallDriver() line is removed.
    // `PMDL mdl = NULL;` is the minimal fix.
    PMDL mdl;
    FILE_DISPOSITION_INFORMATION *pbuffer_nopaged;
    PIO_STACK_LOCATION pisl;
    DEVICE_OBJECT *pdo;

    // IoCreateFile and ObReferenceObjectByHandle require PASSIVE_LEVEL.
    // NOTE(review): bailing out with STATUS_SUCCESS tells the caller the
    // delete happened when nothing was done; a failure status such as
    // STATUS_INVALID_DEVICE_STATE would be honest.
    if(KeGetCurrentIrql() >PASSIVE_LEVEL)
    {
        return STATUS_SUCCESS;
    }

    InitializeObjectAttributes( &oba,filename,OBJ_KERNEL_HANDLE|OBJ_CASE_INSENSITIVE,0,0);
    // Open with DELETE access and full sharing so an existing open does not
    // block the disposition change. IO_FORCE_ACCESS_CHECK keeps the ACL check
    // in place even though the caller is kernel mode.
    lns=IoCreateFile(&hf,DELETE|GENERIC_READ,&oba,&iosb,0,FILE_ATTRIBUTE_NORMAL,FILE_SHARE_DELETE|FILE_SHARE_READ|FILE_SHARE_WRITE,FILE_OPEN,0,0,0,0,0,IO_FORCE_ACCESS_CHECK | IO_NO_PARAMETER_CHECKING);
    if(!NT_SUCCESS(lns))
    {
#if (DBG)
        {
            // NOTE(review): %ws expects a NUL-terminated wide string, but a
            // UNICODE_STRING buffer is only guaranteed to be Length bytes long,
            // so these reads can run past the buffer. "%wZ" with the
            // PUNICODE_STRING itself (filename, oba.ObjectName) is the
            // length-aware form.
            DbgPrint ("-------------------IoCreateFile error\n");
            DbgPrint ("filename.buffer:%ws\n.lenght:%d\n.maxlen:%d",filename->Buffer,filename->Length,filename->MaximumLength);
            DbgPrint ("Obj name:%ws",oba.ObjectName->Buffer);
            DbgPrint ("Status:%x",lns);
        }
#endif
        return lns;
    }

    lns=ObReferenceObjectByHandle(hf,DELETE,*IoFileObjectType,KernelMode,(PVOID *)&pfo,0);
    if(!NT_SUCCESS(lns))
    {
#if (DBG)
        {
            DbgPrint ("-------------------ObReferenceObjectByHandle error\n");
        }
#endif
        // NOTE(review): `hf` is still open here and is never closed on this
        // path (nor on any later path) - the handle leaks.
        return lns;
    }

    // Pick the device the IRP goes to: the volume device behind the file
    // object's VPB if there is one, else the file object's own device.
    // NOTE(review): this targets the file system's volume device directly, so
    // device objects attached above it never see the request.
    // IoGetRelatedDeviceObject(pfo) is the documented way to obtain the device
    // an IRP for a file object should be sent to.
    if(pfo->Vpb!=NULL&&pfo->Vpb->DeviceObject!=NULL)
    {
        pdo=pfo->Vpb->DeviceObject;
    }
    else
        pdo=pfo->DeviceObject;

    pirp=IoAllocateIrp(pdo->StackSize,FALSE);
    if(!pirp)
    {
#if (DBG)
        {
            DbgPrint ("-------------------IoAllocateIrp\n");
        }
#endif
        // NOTE(review): `lns` still holds the success status from
        // ObReferenceObjectByHandle, so an allocation failure is reported as
        // success (STATUS_INSUFFICIENT_RESOURCES fits). The reference on pfo
        // and the handle hf also leak here.
        return lns;
    }

    pbuffer_nopaged=(FILE_DISPOSITION_INFORMATION *)ExAllocatePool(NonPagedPool,sizeof(FILE_DISPOSITION_INFORMATION));
    if(!pbuffer_nopaged)
    {
        IoFreeIrp(pirp);
        // NOTE(review): returns STATUS_SUCCESS on pool exhaustion and leaks
        // pfo/hf exactly like the branch above.
        return STATUS_SUCCESS;
    }
    RtlZeroMemory(pbuffer_nopaged,sizeof(FILE_DISPOSITION_INFORMATION));
    pbuffer_nopaged->DeleteFile=TRUE;

    // NOTE(review): DO_BUFFERED_IO / DO_DIRECT_IO describe how a device wants
    // IRP_MJ_READ / IRP_MJ_WRITE buffers. IRP_MJ_SET_INFORMATION is documented
    // to take its FILE_*_INFORMATION buffer in Irp->AssociatedIrp.SystemBuffer
    // regardless of those flags, so on a DO_DIRECT_IO file system the buffer
    // ends up only in MdlAddress, SystemBuffer stays NULL and the FSD
    // dereferences it. That is the likely cause of the crash inside Ntfs.sys
    // once the IRP is actually sent - confirm.
    if(pdo->Flags & DO_BUFFERED_IO)
    {
        pirp->AssociatedIrp.SystemBuffer=(PVOID)pbuffer_nopaged;//buffered io
#if (DBG)
        {
            DbgPrint("DO_BUFFERED_IO");
        }
#endif
    }
    else if(pdo->Flags & DO_DIRECT_IO)
    {
        // NOTE(review): IoAllocateMdl can return NULL; MmBuildMdlForNonPagedPool
        // would then fault. Check the result before use.
        mdl=IoAllocateMdl((PVOID)pbuffer_nopaged,sizeof(FILE_DISPOSITION_INFORMATION),0,0,0);
        MmBuildMdlForNonPagedPool(mdl);
        pirp->MdlAddress=mdl;//direct io
#if (DBG)
        {
            DbgPrint("DO_DIRECT_IO");
        }
#endif
    }
    else
    {
        pirp->UserBuffer=(PVOID)pbuffer_nopaged;//neither i/o, use kernel buffer
    }

    // Fill in the stack location the target driver will see.
    pisl=IoGetNextIrpStackLocation (pirp);
    pisl->FileObject=pfo;
    pisl->MajorFunction=IRP_MJ_SET_INFORMATION;
    pisl->Parameters.SetFile.Length = sizeof(FILE_DISPOSITION_INFORMATION);
    pisl->Parameters.SetFile.FileInformationClass = FileDispositionInformation;
    pisl->Parameters.SetFile.DeleteHandle = hf;
    // NOTE(review): nothing sets pirp->Tail.Overlay.Thread, pirp->RequestorMode
    // or pirp->Tail.Overlay.OriginalFileObject on this hand-built IRP; file
    // systems commonly read these - confirm against the target FSD.

    // The completion routine is expected to signal `event`. It must also return
    // STATUS_MORE_PROCESSING_REQUIRED; otherwise the I/O manager frees the IRP
    // and its MDL, the reads of pirp below become use-after-free and
    // IoFreeMdl / IoFreeIrp become double frees. IoCompletion is not visible
    // here - confirm.
    KeInitializeEvent(&event, NotificationEvent, FALSE);
    IoSetCompletionRoutine(pirp,IoCompletion,&event,1,1,1);
#if (DBG)
    {
        DbgPrint ("-------------------IoSetCompletionRoutine\n");
        // NOTE(review): same %ws vs %wZ issue - DriverName is a UNICODE_STRING.
        DbgPrint ("Device name:%ws",pdo->DriverObject->DriverName.Buffer);
    }
#endif

    lns=IoCallDriver(pdo,pirp);
    if(lns==STATUS_PENDING)
    {
        KeWaitForSingleObject(&event, Executive,KernelMode,0,0);
        lns=pirp->IoStatus.Status;
    }
    // NOTE(review): this overwrites the NTSTATUS just collected with the
    // Information field (a byte count), so the caller receives a meaningless
    // return value; the status is what should be returned.
    lns=pirp->IoStatus.Information;//bytes read
    if(mdl){IoFreeMdl(mdl);}//if DO_DIRECT_IO
    if(pbuffer_nopaged){ExFreePool((PVOID)pbuffer_nopaged);}
    IoFreeIrp(pirp);
    // NOTE(review): the reference taken on pfo by ObReferenceObjectByHandle is
    // never dropped (ObDereferenceObject) and hf is never closed (ZwClose), so
    // both leak on the success path as well.
    return lns;
}

可是当Irp发送到Ntfs.sys后总是蓝屏,如果不发送,就是去掉lns=IoCallDriver(pdo,pirp);这句,就会在 if(mdl){IoFreeMdl(mdl);}这句时蓝屏,报告BAD_POOL_HEADER,我是新手,请大家帮我看看问题处在哪啊,郁闷