|
阅读:3278回复:2
隐藏加密头
根据WDK中的例子SwapBuffers修改的,加密头在IRP_MJ_CREATE中写入文件的头部,我在读写中都修改拉偏移量,为什么读的时候还是把加密头读出来的,写保存后加密头被覆盖拉,文件变成没有标识,麻烦高手帮我看看,为什么隐藏不了加密头的,读写代码如下:
FLT_PREOP_CALLBACK_STATUS SwapPreReadBuffers( __inout PFLT_CALLBACK_DATA Data, __in PCFLT_RELATED_OBJECTS FltObjects, __deref_out_opt PVOID *CompletionContext ) { PFILE_OBJECT file; PFile_node node; PFLT_IO_PARAMETER_BLOCK iopb = Data->Iopb; FLT_PREOP_CALLBACK_STATUS retValue = FLT_PREOP_SUCCESS_NO_CALLBACK; PVOID newBuf = NULL; PMDL newMdl = NULL; PVOLUME_CONTEXT volCtx = NULL; PPRE_2_POST_CONTEXT p2pCtx; NTSTATUS status; BOOLEAN istag; ULONG readLen = iopb->Parameters.Read.Length; PLARGE_INTEGER offset = &Data->Iopb->Parameters.Read.ByteOffset; file=iopb->TargetFileObject; istag=NPIsCurProcSec(); try { if (readLen == 0) { leave; } if(!istag) { leave; } //检查是否已经在加密表中 AddLock(); node=NPIsFileNeedCrypt(file); ReleaseLock(); if(node==NULL) leave; if (!FlagOn((IRP_PAGING_IO |IRP_SYNCHRONOUS_PAGING_IO|IRP_NOCACHE),iopb->IrpFlags)) { DbgPrint(" 缓存读 "); leave; } //增加读的偏移量 offset->QuadPart += CF_FILE_HEADER_SIZE; status = FltGetVolumeContext( FltObjects->Filter, FltObjects->Volume, &volCtx ); if (!NT_SUCCESS(status)) { leave; } if (FlagOn(IRP_NOCACHE,iopb->IrpFlags)) { readLen = (ULONG)ROUND_TO_SIZE(readLen,volCtx->SectorSize); } newBuf = ExAllocatePoolWithTag( NonPagedPool, readLen, BUFFER_SWAP_TAG ); if (newBuf == NULL) { leave; } if (FlagOn(Data->Flags,FLTFL_CALLBACK_DATA_IRP_OPERATION)) { newMdl = IoAllocateMdl( newBuf, readLen, FALSE, FALSE, NULL ); if (newMdl == NULL) { leave; } MmBuildMdlForNonPagedPool( newMdl ); } p2pCtx = ExAllocateFromNPagedLookasideList( &Pre2PostContextList ); if (p2pCtx == NULL) { leave; } iopb->Parameters.Read.ReadBuffer = newBuf; iopb->Parameters.Read.MdlAddress = newMdl; FltSetCallbackDataDirty( Data ); p2pCtx->SwappedBuffer = newBuf; p2pCtx->VolCtx = volCtx; *CompletionContext = p2pCtx; retValue = FLT_PREOP_SUCCESS_WITH_CALLBACK; } finally { if (retValue != FLT_PREOP_SUCCESS_WITH_CALLBACK) { if (newBuf != NULL) { ExFreePool( newBuf ); } if (newMdl != NULL) { IoFreeMdl( newMdl ); } if (volCtx != NULL) { FltReleaseContext( volCtx ); } } } return retValue; } FLT_POSTOP_CALLBACK_STATUS SwapPostReadBuffers( __inout PFLT_CALLBACK_DATA Data, __in PCFLT_RELATED_OBJECTS FltObjects, __in PVOID CompletionContext, __in FLT_POST_OPERATION_FLAGS Flags ) { PVOID origBuf; PFLT_IO_PARAMETER_BLOCK iopb = Data->Iopb; FLT_POSTOP_CALLBACK_STATUS retValue = FLT_POSTOP_FINISHED_PROCESSING; PPRE_2_POST_CONTEXT p2pCtx = CompletionContext; BOOLEAN cleanupAllocatedBuffer = TRUE; // This system won't draining an operation with swapped buffers, verify // the draining flag is not set. ASSERT(!FlagOn(Flags, FLTFL_POST_OPERATION_DRAINING)); try { if (!NT_SUCCESS(Data->IoStatus.Status) || (Data->IoStatus.Information == 0)) { leave; } if (iopb->Parameters.Read.MdlAddress != NULL) { origBuf = MmGetSystemAddressForMdlSafe( iopb->Parameters.Read.MdlAddress, NormalPagePriority ); if (origBuf == NULL) { Data->IoStatus.Status = STATUS_INSUFFICIENT_RESOURCES; Data->IoStatus.Information = 0; leave; } } else if (FlagOn(Data->Flags,FLTFL_CALLBACK_DATA_SYSTEM_BUFFER) || FlagOn(Data->Flags,FLTFL_CALLBACK_DATA_FAST_IO_OPERATION)) { // If this is a system buffer, just use the given address because // it is valid in all thread contexts. // If this is a FASTIO operation, we can just use the // buffer (inside a try/except) since we know we are in // the correct thread context (you can't pend FASTIO's). origBuf = iopb->Parameters.Read.ReadBuffer; } else { // They don't have a MDL and this is not a system buffer // or a fastio so this is probably some arbitrary user // buffer. We can not do the processing at DPC level so // try and get to a safe IRQL so we can do the processing. if (FltDoCompletionProcessingWhenSafe( Data, FltObjects, CompletionContext, Flags, SwapPostReadBuffersWhenSafe, &retValue )) { // This operation has been moved to a safe IRQL, the called // routine will do (or has done) the freeing so don't do it // in our routine. cleanupAllocatedBuffer = FALSE; } else { // We are in a state where we can not get to a safe IRQL and // we do not have a MDL. There is nothing we can do to safely // copy the data back to the users buffer, fail the operation // and return. This shouldn't ever happen because in those // situations where it is not safe to post, we should have // a MDL. Data->IoStatus.Status = STATUS_UNSUCCESSFUL; Data->IoStatus.Information = 0; } leave; } // We either have a system buffer or this is a fastio operation // so we are in the proper context. Copy the data handling an // exception. // try { RtlCopyMemory( origBuf, p2pCtx->SwappedBuffer, Data->IoStatus.Information ); } except (EXCEPTION_EXECUTE_HANDLER) { Data->IoStatus.Status = GetExceptionCode(); Data->IoStatus.Information = 0; } } finally { // If we are supposed to, cleanup the allocated memory and release // the volume context. The freeing of the MDL (if there is one) is // handled by FltMgr. if (cleanupAllocatedBuffer) { ExFreePool( p2pCtx->SwappedBuffer ); FltReleaseContext( p2pCtx->VolCtx ); ExFreeToNPagedLookasideList( &Pre2PostContextList, p2pCtx ); } } return retValue; } FLT_POSTOP_CALLBACK_STATUS SwapPostReadBuffersWhenSafe ( __inout PFLT_CALLBACK_DATA Data, __in PCFLT_RELATED_OBJECTS FltObjects, __in PVOID CompletionContext, __in FLT_POST_OPERATION_FLAGS Flags ) { PFLT_IO_PARAMETER_BLOCK iopb = Data->Iopb; PPRE_2_POST_CONTEXT p2pCtx = CompletionContext; PVOID origBuf; NTSTATUS status; UNREFERENCED_PARAMETER( FltObjects ); UNREFERENCED_PARAMETER( Flags ); ASSERT(Data->IoStatus.Information != 0); // This is some sort of user buffer without a MDL, lock the user buffer // so we can access it. This will create a MDL for it. status = FltLockUserBuffer( Data ); if (!NT_SUCCESS(status)) { Data->IoStatus.Status = status; Data->IoStatus.Information = 0; } else { // Get a system address for this buffer. origBuf = MmGetSystemAddressForMdlSafe( iopb->Parameters.Read.MdlAddress, NormalPagePriority ); if (origBuf == NULL) { // If we couldn't get a SYSTEM buffer address, fail the operation Data->IoStatus.Status = STATUS_INSUFFICIENT_RESOURCES; Data->IoStatus.Information = 0; } else { // // Copy the data back to the original buffer. Note that we // don't need a try/except because we will always have a system // buffer address RtlCopyMemory( origBuf, p2pCtx->SwappedBuffer, Data->IoStatus.Information ); } } ExFreePool( p2pCtx->SwappedBuffer ); FltReleaseContext( p2pCtx->VolCtx ); ExFreeToNPagedLookasideList( &Pre2PostContextList, p2pCtx ); return FLT_POSTOP_FINISHED_PROCESSING; } FLT_PREOP_CALLBACK_STATUS SwapPreWriteBuffers( __inout PFLT_CALLBACK_DATA Data, __in PCFLT_RELATED_OBJECTS FltObjects, __deref_out_opt PVOID *CompletionContext ) { PFILE_OBJECT file; PFLT_IO_PARAMETER_BLOCK iopb = Data->Iopb; FLT_PREOP_CALLBACK_STATUS retValue = FLT_PREOP_SUCCESS_NO_CALLBACK; PVOID newBuf = NULL; PMDL newMdl = NULL; PVOLUME_CONTEXT volCtx = NULL; PPRE_2_POST_CONTEXT p2pCtx; PVOID origBuf; NTSTATUS status; LARGE_INTEGER filesize,newsize; PFile_node node; BOOLEAN istag; ULONG writeLen = iopb->Parameters.Write.Length; PLARGE_INTEGER offset = &Data->Iopb->Parameters.Write.ByteOffset; file=iopb->TargetFileObject ; istag=NPIsCurProcSec(); try { if (writeLen == 0) { leave; } //检查是否已经在加密表中 AddLock(); node=NPIsFileNeedCrypt(file); ReleaseLock(); if(node==NULL) { leave; } if(istag==TRUE) { offset->QuadPart += CF_FILE_HEADER_SIZE; } if (!FlagOn((IRP_PAGING_IO |IRP_SYNCHRONOUS_PAGING_IO|IRP_NOCACHE),iopb->IrpFlags)) { File_GetFileSize(Data, FltObjects, &filesize) ; if (offset->QuadPart + iopb->Parameters.Write.Length> filesize.QuadPart) { newsize.QuadPart = offset->QuadPart + iopb->Parameters.Write.Length; File_SetFileSize(Data, FltObjects,&newsize); } NPFileCacheClear(file); DbgPrint("缓存写"); leave; } status = FltGetVolumeContext( FltObjects->Filter, FltObjects->Volume, &volCtx ); if (!NT_SUCCESS(status)) { leave; } if (FlagOn(IRP_NOCACHE,iopb->IrpFlags)) { writeLen = (ULONG)ROUND_TO_SIZE(writeLen,volCtx->SectorSize); } newBuf = ExAllocatePoolWithTag( NonPagedPool, writeLen, BUFFER_SWAP_TAG ); if (newBuf == NULL) { leave; } if (FlagOn(Data->Flags,FLTFL_CALLBACK_DATA_IRP_OPERATION)) { newMdl = IoAllocateMdl( newBuf, writeLen, FALSE, FALSE, NULL ); if (newMdl == NULL) { leave; } MmBuildMdlForNonPagedPool( newMdl ); } if (iopb->Parameters.Write.MdlAddress != NULL) { origBuf = MmGetSystemAddressForMdlSafe( iopb->Parameters.Write.MdlAddress, NormalPagePriority ); if (origBuf == NULL) { Data->IoStatus.Status = STATUS_INSUFFICIENT_RESOURCES; Data->IoStatus.Information = 0; retValue = FLT_PREOP_COMPLETE; leave; } } else { origBuf = iopb->Parameters.Write.WriteBuffer; } try { RtlCopyMemory( newBuf, origBuf, writeLen ); } except (EXCEPTION_EXECUTE_HANDLER) { Data->IoStatus.Status = GetExceptionCode(); Data->IoStatus.Information = 0; retValue = FLT_PREOP_COMPLETE; leave; } p2pCtx = ExAllocateFromNPagedLookasideList( &Pre2PostContextList ); if (p2pCtx == NULL) { leave; } iopb->Parameters.Write.WriteBuffer = newBuf; iopb->Parameters.Write.MdlAddress = newMdl; FltSetCallbackDataDirty( Data ); p2pCtx->SwappedBuffer = newBuf; p2pCtx->VolCtx = volCtx; *CompletionContext = p2pCtx; retValue = FLT_PREOP_SUCCESS_WITH_CALLBACK; } finally { if (retValue != FLT_PREOP_SUCCESS_WITH_CALLBACK) { if (newBuf != NULL) { ExFreePool( newBuf ); } if (newMdl != NULL) { IoFreeMdl( newMdl ); } if (volCtx != NULL) { FltReleaseContext( volCtx ); } } } return retValue; } FLT_POSTOP_CALLBACK_STATUS SwapPostWriteBuffers( __inout PFLT_CALLBACK_DATA Data, __in PCFLT_RELATED_OBJECTS FltObjects, __in PVOID CompletionContext, __in FLT_POST_OPERATION_FLAGS Flags ) { PPRE_2_POST_CONTEXT p2pCtx = CompletionContext; UNREFERENCED_PARAMETER( FltObjects ); UNREFERENCED_PARAMETER( Flags ); ExFreePool( p2pCtx->SwappedBuffer ); FltReleaseContext( p2pCtx->VolCtx ); ExFreeToNPagedLookasideList( &Pre2PostContextList, p2pCtx ); return FLT_POSTOP_FINISHED_PROCESSING; } |
|
|
沙发#
发布于:2010-05-24 16:32
大虾,请教!
|
|
|
板凳#
发布于:2010-05-24 22:00
你跟踪了吗,是从哪里跳出来的。我觉得是你的加密文件根本就没加入到加密表内,在下面这一段就直接跳出来了。
//检查是否已经在加密表中 AddLock(); node=NPIsFileNeedCrypt(file); ReleaseLock(); if(node==NULL) leave; 或者是istag=NPIsCurProcSec(); 判断是否正确。 |
|