是否可以从IrpStackLocation中判断来自网络的文件访问?
在网上找到这个代码,他说从 IrpStackLocation中可以判断网络文件访问,但这个代码我却没有看懂,请问强人,这代码可行吗?能具体讲解下什么原理判断的吗?谢谢大家
//--------------------------------------------------- //从IrpStackLocation中判断来自网络的文件访问 BOOLEAN SfIsFromNetAccess( PIO_STACK_LOCATION IrpSp ) { NTSTATUS status; PACCESS_TOKEN pToken = NULL; PTOKEN_SOURCE pTokenSrc = NULL ; PSECURITY_SUBJECT_CONTEXT secSubCtx; //PIO_STACK_LOCATION IrpSp = IoGetCurrentIrpStackLocation(Irp); secSubCtx = &(IrpSp->Parameters.Create.SecurityContext->AccessState->SubjectSecurityContext); if (secSubCtx->ClientToken != NULL || secSubCtx->PrimaryToken != NULL) { pToken = SeQuerySubjectContextToken(secSubCtx); } if (pToken == NULL) { //KdPrint(("SeQuerySubjectContextToken Errorn")); return FALSE; } // // Get TokenSource Name If SourceName is "NtLmSsp" it was logged-in via Lanmanager, // "User32" represents localy logged-in users. // __try { status = SeQueryInformationToken(pToken,TokenSource,&pTokenSrc); if (NT_SUCCESS(status)) { pTokenSrc->SourceName[TOKEN_SOURCE_LENGTH-1] = 0x00; KdPrint(("Token Name :%s Len:%dn",pTokenSrc->SourceName,strlen(pTokenSrc->SourceName))); if (_stricmp(pTokenSrc->SourceName,"NtLmSsp") == 0 ) { KdPrint(("NetWork Access Token Findn")); return TRUE; } } else { KdPrint(("SeQueryInformationToken Error:0x%xn",status)); } } __finally { ExFreePool(pTokenSrc); } return FALSE; } |