sfilter中的写文件出错.
我写了一个小的文件过滤驱动,作用是把当前写的这个文件的内容保存下来.
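/*
 * Poster's question (translated): the written data can now be captured
 * successfully, but the reported length seems to be longer than the actual
 * content. Saving it always fails with error 0xc00054 (as written by the
 * poster). The code follows; please take a look. Thanks.
 *
 * NOTE(review): "0xc00054" here and "0xc000054" in the comment at the
 * ZwWriteFile call both have fewer than eight hex digits; presumably both mean
 * 0xC0000054 (STATUS_FILE_LOCK_CONFLICT) - confirm against the DbgPrint output.
 */

/*
 * SaveFile - write a copy of an intercepted write buffer to a file under C:.
 *
 * filename  name appended to the "\??\C:" prefix to form the target path
 * offset    offset of the original write; not used by this routine
 * length    number of bytes copied from m_buffer and written to the file
 * m_buffer  address of the data to save
 *
 * Returns the status of the first step that fails, otherwise the status of
 * ZwWriteFile. Refuses to run above PASSIVE_LEVEL, because the Zw* file
 * routines used here must be called at PASSIVE_LEVEL.
 *
 * NOTE(review): the target path is built from the intercepted file name and
 * is opened from kernel mode with FILE_OVERWRITE_IF. If `filename` is a
 * volume-relative path (not visible here - confirm at the caller), an existing
 * file at the same path on C: is replaced, and the open is not access-checked
 * against the user who issued the original write. Saving under a dedicated,
 * ACL-restricted capture directory avoids clobbering unrelated files.
 */
_inline NTSTATUS
SaveFile(UNICODE_STRING filename, LARGE_INTEGER offset, ULONG length, PVOID m_buffer)
{
    HANDLE FileHandle;
    OBJECT_ATTRIBUTES ObjectAttributes;
    IO_STATUS_BLOCK IoStatus;
    NTSTATUS Status;
    UNICODE_STRING m_save_filename, m_temp;
    WCHAR m_file_buffer[260];
    PVOID m_save_buffer;

    UNREFERENCED_PARAMETER(offset);

    if (KeGetCurrentIrql() != PASSIVE_LEVEL) {
        DbgPrint("Irp is not PASSIVE_LEVEL\n");
        /* The original returned FALSE, which is 0 == STATUS_SUCCESS. */
        return STATUS_UNSUCCESSFUL;
    }

    if (m_buffer == NULL) {
        return STATUS_INVALID_PARAMETER;
    }

    /*
     * The third argument is the buffer size in BYTES, not in WCHARs; passing
     * 260 limited the path to 130 characters.
     */
    RtlInitEmptyUnicodeString(&m_save_filename, m_file_buffer, sizeof(m_file_buffer));

    /*
     * Per the poster: only drive D is handled by the filter for now, so the
     * copy is saved on drive C to avoid re-entering the filter.
     */
    RtlInitUnicodeString(&m_temp, L"\\??\\C:");
    RtlCopyUnicodeString(&m_save_filename, &m_temp);

    /*
     * If the name does not fit, the destination would be left as the bare
     * "\??\C:" prefix; stop here instead of opening that.
     */
    Status = RtlAppendUnicodeStringToString(&m_save_filename, &filename);
    if (!NT_SUCCESS(Status)) {
        return Status;
    }

    /* A failed pool allocation returns NULL; using it would crash the system. */
    m_save_buffer = ExAllocatePoolWithTag(NonPagedPool, length, SF_POOL_TAG);
    if (m_save_buffer == NULL) {
        return STATUS_INSUFFICIENT_RESOURCES;
    }
    /* No RtlZeroMemory needed: every byte is overwritten by the copy. */
    RtlCopyMemory(m_save_buffer, m_buffer, length);

    InitializeObjectAttributes(&ObjectAttributes,
                               &m_save_filename,
                               OBJ_CASE_INSENSITIVE | OBJ_KERNEL_HANDLE,
                               NULL,
                               NULL);

    Status = ZwCreateFile(&FileHandle,
                          FILE_WRITE_DATA | SYNCHRONIZE,
                          &ObjectAttributes,
                          &IoStatus,
                          NULL,
                          FILE_ATTRIBUTE_NORMAL,
                          0,
                          FILE_OVERWRITE_IF,
                          FILE_SYNCHRONOUS_IO_NONALERT,
                          NULL,
                          0);
    if (!NT_SUCCESS(Status)) {
        ExFreePool(m_save_buffer);
        return Status;
    }

    /*
     * Poster's notes on the write length: it always turns out to be 4096 no
     * matter how much of the file was changed; anything smaller than 4096 is
     * still written as 4096 bytes. ZwWriteFile then returns error 0xc000054.
     * With a shorter length, e.g. 100 bytes, the write succeeds.
     *
     * NOTE(review): writes that arrive with an MDL are often paging I/O, whose
     * length is page-granular; that would match the constant 4096 - check
     * Irp->Flags for IRP_PAGING_IO at the call site to confirm.
     */
    Status = ZwWriteFile(FileHandle,
                         NULL,
                         NULL,
                         NULL,
                         &IoStatus,
                         m_save_buffer,
                         length,
                         NULL,
                         NULL);

    ZwClose(FileHandle);
    ExFreePool(m_save_buffer);

    if (!NT_SUCCESS(Status)) {
        DbgPrint("save is :%x \r\n", Status);
    }
    return Status;
}

/*
 * Call site inside the IRP_MJ_WRITE handler (fragment; the enclosing function
 * is not shown). Poster: please check whether there is a mistake here. Thanks.
 *
 * Despite its name, `mdl` receives the mapped system-space address of the
 * buffer, not the MDL itself. MmGetSystemAddressForMdlSafe returns NULL when
 * the mapping fails, which is what the `if (mdl)` test relies on; the
 * non-Safe macro used originally bugchecks instead of returning NULL.
 * Only requests that carry an MDL are captured here.
 */
if (irpSp->Parameters.Write.Length != 0 && Irp->MdlAddress) {
    mdl = MmGetSystemAddressForMdlSafe(Irp->MdlAddress, NormalPagePriority);
    if (mdl) {
        SaveFile(name,
                 irpSp->Parameters.Write.ByteOffset,
                 irpSp->Parameters.Write.Length,
                 mdl);
    }
}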