这段程序有什么问题?用户被禁言,该主题自动屏蔽! |
|
沙发#
发布于:2002-04-30 16:34
Hello,
You should not modify a user buffer without first checking that it is valid, because it may be invalid. I suggest using the function ProbeForWrite() to check the validity of the user buffer. "if(pContext)" cannot guarantee that the pointer refers to valid memory, for example when pContext=0xcccccccd, etc. Sorry, because of an error on my system I can only write in English. Regards, Zhj |
|
板凳#
发布于:2002-04-30 17:23
用户被禁言,该主题自动屏蔽! |
|
地板#
发布于:2002-05-01 05:02
你用SOFT ICE 跟踪过么,SOFT ICE 中的显示的出你的正确内容么
|
|
地下室#
发布于:2002-05-01 11:35
用户被禁言,该主题自动屏蔽! |
|
5楼#
发布于:2002-05-01 11:45
那你有没有判断FILE_BOTH_DIR_INFORMATION结构里面的成员FileNameLength 啊!这个可是指定了后面的数组FileName的大小的呢!
|
|
6楼#
发布于:2002-05-01 21:08
用户被禁言,该主题自动屏蔽! |
|
7楼#
发布于:2002-05-01 21:54
用户被禁言,该主题自动屏蔽! |
|
8楼#
发布于:2002-05-01 22:59
1. pdirinfo->FileName 是WCHAR[]或者WCHAR *吗?
2. 结尾是WCHAR(0)吗? 解决了, 估计也就是使用初始化好的中间BUFFER吧. 那么大约就是2的原因了. |
|
9楼#
发布于:2002-05-04 16:47
这是针对IRP->USERBUFFER不能改的回答.
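我写了一个指定目录的加解密的TEST LEVEL FILTER DRIVER. 给我地址, 我送给你. 从FILEMON改起的,体系上有问题. 如果想作为一个成熟的东西用, 你要做: 1.为了对付REMOABLE MEDIA, 需要改写成 FS DRIVER. 2.为了省事, 我假定要处理的目录是C:\ENCRYPTDIR,对于其它的目录, 都放过去了. 3.为了省事, 对于文件读写还是目录树读写没有做确实的判断,如果读写的文件名长度大于 C:\ENCRYPTDIR\ 就认为是文件, 否则认为是目录. -> 所以不能支持C:\ENCRYPTDIR\ 下的子目录. 4.为了省事, 总假定是在原来的CONTEXT下执行. 对于非ORIGINAL CONTEXT的情况, COMMENT的形式写了做法 5.加解秘的算法很简单, 无论文本文件还是BINARY, WRITE时 ,所有的大写改成小写, 小写改成大写. READ时,反之. 6.对于WRITE,READ, 只限定的处理了IPR_MJ_READ, IRP_MJ_WRITE, FASTIOREAD, FASTIOWRITE, 对于FASTIO的其他READ, WRITE形式, 虽然极少发生, 但确实有.自己加吧. 对于你的USERBUFFER不能写的问题, 原因很简单, 在IRP_MJ_WRITE时受到的USERBUFFER的MEMORY RANGE 是只读属性的. 我用下面的方法解决.

#include "ntddk.h"
#include "stdarg.h"
#include "stdio.h"
#include "stdlib.h"
#include "..\exe\ioctlcmd.h"
#include "filemon.h"

/*
some comment ....
i use zwopenprocess to get current process handle.
it also can done by :
    mov eax, fs:0x18
    mov eax, [eax+0x20]
    eax is current process handle.
but zwopenprocess should be better: same code can deal other process.
*/

// Page protection applied to the caller's write buffer while it is transformed.
#define NEW_PAGE_ATTR PAGE_READWRITE //| PAGE_GUARD

//----------------------------------------------------------------------
//
// fncDealIrpWrite
//
// Handles an IRP_MJ_WRITE seen by the filter. For paths under ENCRYPT_DIR
// that are long enough to name a file, it hex-dumps the start of the data
// into a log buffer and, for user-mode requests running in the requesting
// thread, swaps the case of every ASCII letter in the caller's buffer
// (the demo "encryption"). All other requests are only logged.
//
// Returns the value returned by LogRecord().
//
// NOTE(review): the transform is done in place in the caller's buffer, so
// the application sees its own data changed after the write and another
// thread of that process can modify the buffer concurrently. A production
// filter would normally transform a private kernel copy instead.
//
//----------------------------------------------------------------------
BOOLEAN fncDealIrpWrite(ULONG *seqNum, LARGE_INTEGER *dateTime, CHAR *name, PIRP Irp,
                        CHAR *fullPathName, PIO_STACK_LOCATION currentIrpStack )
{
    BOOLEAN bLogRet = FALSE;
    TYPE_ZwProtectVirtualMemory fncProtectVirtualMemory=NULL;

    // Hand-rolled system-service stub: EAX = service index, EDX = pointer to
    // the arguments on the stack, "int 0x2e" enters the service dispatcher,
    // "ret 0x14" pops the five 4-byte arguments.
    // NOTE(review): 0x77 is a hard-coded service index, presumably
    // ZwProtectVirtualMemory on the author's build. Service indices differ
    // between Windows builds; on any other build this calls an unrelated
    // service. Verify before loading the driver anywhere else.
    _asm
    {
        lea eax, mycall;
        mov fncProtectVirtualMemory,eax;
        jmp realstart;
    mycall:
        mov eax, 0x77;
        lea edx,[esp+0x4];
        int 0x2e;
        ret 0x14;
    }
realstart:
    ASSERT(KeGetCurrentIrql() == PASSIVE_LEVEL);

    if ( _strnicmp(fullPathName, ENCRYPT_DIR,strlen(ENCRYPT_DIR)) == 0 )
    {
        char *pInData=NULL;
        char szTmpBuf[4]={0x00,};
        char *szBuffer = NULL;
        BOOLEAN bShouldProbe = FALSE;
        NTSTATUS ntLocalStatus;
        ULONG OldProtect, OldProtect1;
        HANDLE hProcess =NULL;
        OBJECT_ATTRIBUTES ObjAttr;
        CLIENT_ID ClientId;
        PVOID pProtBase = NULL;         // in/out base for the protect call
        ULONG dwProtSize = 0;           // in/out size for the protect call
        BOOLEAN bProtChanged = FALSE;   // TRUE once OldProtect holds a real value

        //commented by zdhe.
        //here we must decide whether it's a directory sector write or a file write,
        //because when you create a file or subdir in this dir the system sends
        //mj_write to modify the directory info. in that case we must never touch the data.
        //in this test module we use a simple way:
        //because i will not make subdirs, if fullpathname is longer than
        //ENCRYPT_DIR +1 (include \) , then it's a file.
        //to decide properly whether it's a dir or a file, use a query-file-information call.
        if ( strlen(fullPathName) <= strlen(ENCRYPT_DIR ) +1 )
            goto Original;

        GETLOGBUFFER(szBuffer );
        if ( szBuffer == InsufficientResources )
        {
            // NOTE(review): in a free build ASSERT is a no-op and control
            // falls through to LogRecord/FREELOGBUFFER with this value;
            // confirm the macros tolerate it.
            ASSERT(FALSE);
        }else
        {
            ULONG i;
            ULONG dwBytes =0;

            switch(Irp->RequestorMode)
            {
            case KernelMode:
                DbgPrint(("***************KernelMode\n"));
                if ( Irp->MdlAddress )//not so exactly. but for common FS write, it does only use mdl
                {
                    pInData = (char *) MmGetSystemAddressForMdl(Irp->MdlAddress);
                }else
                {
                    ASSERT(FALSE);
                    pInData = (char *) Irp->AssociatedIrp.SystemBuffer;
                }
                break;

            case UserMode:
                DbgPrint(("***********UserMode\n"));
                //it's not safe.
                //because if the original context is different from the current context,
                //we should allocate memory and use ZwReadVirtualMemory to get the data
                //from the original context. in this test program, we just take the risk.
                //to tell whether this IRP is handled in the original context,
                //compare PsGetCurrentThread() and Irp->Tail.Overlay.Thread.
                ASSERT(PsGetCurrentThread() == Irp->Tail.Overlay.Thread);
                pInData = (char *) Irp->UserBuffer;
                bShouldProbe = TRUE;
                break;

            default:
                DbgPrint(("Other Mode\n"));
                ASSERT(FALSE);
                break;
            }
            ASSERT(pInData);

            RtlZeroMemory(szBuffer , LOG_DATASIZE );
            dwBytes = min( (ULONG) LOG_DATASIZE / 3 -4 ,(ULONG) currentIrpStack->Parameters.Write.Length) ;

            // Hex-dump the first dwBytes bytes (3 characters per byte).
            // pInData may be an unvalidated user-mode pointer here, so the
            // reads are guarded; a fault simply ends the dump.
            // NOTE(review): the posted listing shows bare "pInData" in this
            // loop and in the case-swap loop below; the "[i]" index was
            // evidently lost when the post was rendered and is restored.
            try
            {
                for ( i =0; pInData && i < dwBytes ; i ++ )
                {
                    // Cast to UCHAR: a sign-extended char >= 0x80 would print
                    // eight hex digits and overflow the 4-byte szTmpBuf.
                    sprintf(szTmpBuf, "%0x ", (UCHAR) pInData[i]);
                    strcat(szBuffer , szTmpBuf);
                }
            }except(1)
            {
                //leave the dump truncated
            }

            if ( (Irp->Flags & IRP_PAGING_IO) || (Irp->Flags & IRP_SYNCHRONOUS_PAGING_IO))
            {
                //do nothing
                //this is for paging io. we must deal with the data in fast io
            }else
            {
                try
                {
                    if ( bShouldProbe ) //if systembuffer or mdl, we need not modify write/read ???
                    {
                        //something very important.
                        //we can not be sure the current process is the original process.
                        if ( PsGetCurrentThread() == Irp->Tail.Overlay.Thread)
                        {
                            // OBJ_KERNEL_HANDLE keeps the handle out of reach of
                            // user-mode code in the calling process while it is open.
                            // NOTE(review): PROCESS_ALL_ACCESS is broader than a
                            // protection change needs; narrow it if the headers allow.
                            InitializeObjectAttributes(&ObjAttr, NULL, OBJ_KERNEL_HANDLE, NULL, NULL);
                            ClientId.UniqueProcess = PsGetCurrentProcessId();
                            ClientId.UniqueThread =0;
                            ntLocalStatus = ZwOpenProcess(&hProcess , PROCESS_ALL_ACCESS, &ObjAttr, &ClientId);
                            if ( NT_SUCCESS(ntLocalStatus))
                            {
                            }else
                            {
                                hProcess=NULL;
                                ASSERT(FALSE);
                            }
                        }

                        if ( hProcess )
                        {
                            // The protect service rewrites its base/size arguments
                            // (rounded to page boundaries). Pass copies so pInData
                            // keeps pointing at the first byte of the write data.
                            pProtBase = pInData;
                            dwProtSize = currentIrpStack->Parameters.Write.Length;
                            ntLocalStatus = fncProtectVirtualMemory(hProcess ,
                                                &pProtBase,
                                                &dwProtSize,
                                                NEW_PAGE_ATTR, //PAGE_READWRITE | PAGE_GUARD
                                                &OldProtect);
                            ASSERT(NT_SUCCESS(ntLocalStatus) && dwProtSize >= currentIrpStack->Parameters.Write.Length);
                            bProtChanged = (BOOLEAN) NT_SUCCESS(ntLocalStatus);
                        }
                    }

                    /*
                    //when data block is big, it's fail . anyway, we had catch this error.
                    ProbeForWrite ( pInData, currentIrpStack->Parameters.Write.Length, sizeof(UCHAR) );
                    */

                    //because we do not cache file size information, unneeded extra work may happen.
                    //take the risk

                    //how about hProcess is null?
                    //a little difficult:
                    //1. get PETHREAD from Irp->Tail.Overlay.Thread
                    //2. get PEPROCESS from PETHREAD
                    //3. get UniqueProcessId from PEPROCESS
                    //4. ZwOpenProcess
                    //5. ZwReadVirtualMemory from original process context
                    //6. change data
                    //7. ZwProtectVirtualMemory for data range in original process context
                    //8. ZwWriteVirtualMemory
                    //9. Close,Free
                    try
                    {
                        for ( i =0; hProcess && i < currentIrpStack->Parameters.Write.Length; i++ )
                        {
                            //change capital to little, little to capital
                            if ( pInData[i] >='a' && pInData[i] <= 'z' )
                            {
                                pInData[i] = pInData[i] -'a' + 'A';
                            }else if ( pInData[i] >='A' && pInData[i] <= 'Z' )
                            {
                                pInData[i] = pInData[i] -'A' + 'a';
                            }else
                            {
                                //no change...
                            }
                        }
                    }except(1)
                    {
                        ASSERT(FALSE);
                    }

                    if ( hProcess)
                    {
                        // Restore only when the first call succeeded; otherwise
                        // OldProtect was never written and must not be applied.
                        if ( bProtChanged )
                        {
                            ntLocalStatus = fncProtectVirtualMemory(hProcess ,
                                                &pProtBase,
                                                &dwProtSize,
                                                OldProtect,
                                                &OldProtect1);
                            ASSERT( NT_SUCCESS(ntLocalStatus) && currentIrpStack->Parameters.Write.Length <= dwProtSize);
                        }
                        ZwClose(hProcess);
                        hProcess = NULL;
                    }
                } except(1)
                {
                    DbgPrint(("current irql: %d\n",(ULONG) KeGetCurrentIrql()));
                    ASSERT(FALSE);
                }
            }
        }

        bLogRet = LogRecord( TRUE, seqNum, dateTime, NULL,
                    "%s\tIRP_MJ_WRITE%c\t%s\tOffset: %d Length: %d , Data:%s",
                    name,
                    (Irp->Flags & IRP_PAGING_IO) || (Irp->Flags & IRP_SYNCHRONOUS_PAGING_IO) ? '*' : ' ',
                    fullPathName,
                    currentIrpStack->Parameters.Write.ByteOffset.LowPart,
                    currentIrpStack->Parameters.Write.Length ,
                    szBuffer);
        FREELOGBUFFER(szBuffer );
        return bLogRet;
    }

Original:
    // Path outside ENCRYPT_DIR, or a directory update: log only.
    return LogRecord( TRUE, seqNum, dateTime, NULL,
                "%s\tIRP_MJ_WRITE%c\t%s\tOffset: %d Length: %d",
                name,
                (Irp->Flags & IRP_PAGING_IO) || (Irp->Flags & IRP_SYNCHRONOUS_PAGING_IO) ? '*' : ' ',
                fullPathName,
                currentIrpStack->Parameters.Write.ByteOffset.LowPart,
                currentIrpStack->Parameters.Write.Length );
}

//----------------------------------------------------------------------
//
// FilemonFastIoWrite
//
// Fast-I/O write hook. For files under ENCRYPT_DIR it hex-dumps the start
// of Buffer for the log, makes the caller's buffer writable, swaps the case
// of every ASCII letter in it, restores the protection, and then forwards
// the request to the underlying file system's FastIoWrite. Everything else
// is forwarded unchanged. Returns the lower driver's result, or FALSE when
// DeviceObject is NULL or the lower driver has no FastIoWrite.
//
// NOTE(review): as in fncDealIrpWrite, the caller's own buffer is modified
// in place and stays modified after the call returns.
//
//----------------------------------------------------------------------
BOOLEAN FilemonFastIoWrite( IN PFILE_OBJECT FileObject, IN PLARGE_INTEGER FileOffset,
                            IN ULONG Length, IN BOOLEAN Wait, IN ULONG LockKey,
                            IN PVOID Buffer, OUT PIO_STATUS_BLOCK IoStatus,
                            IN PDEVICE_OBJECT DeviceObject )
{
    BOOLEAN retval = FALSE;
    PHOOK_EXTENSION hookExt;
    CHAR *fullPathName, name[PROCNAMELEN], errorBuf[ERRORLEN];
    LARGE_INTEGER timeStampStart, timeStampComplete, timeResult;
    LARGE_INTEGER dateTime;
    TYPE_ZwProtectVirtualMemory fncProtectVirtualMemory=NULL;

    // Same hand-rolled service stub as in fncDealIrpWrite.
    // NOTE(review): the hard-coded service index 0x77 is build-specific.
    _asm
    {
        lea eax, mycall;
        mov fncProtectVirtualMemory,eax;
        jmp realstart;
    mycall:
        mov eax, 0x00000077;
        lea edx,[esp+0x4];
        int 0x2e;
        ret 0x14;
    }
realstart:
    if( !DeviceObject ) return FALSE;

    hookExt = DeviceObject->DeviceExtension;

    if( FASTIOPRESENT( hookExt, FastIoWrite ))
    {
        GETPATHNAME(FALSE);
        TIMESTAMPSTART();

        if ( _strnicmp(fullPathName, ENCRYPT_DIR,strlen(ENCRYPT_DIR)) == 0 )
        {
            char *pInData=Buffer;
            char szTmpBuf[4]={0x00,};
            char *szBuffer = NULL;
            HANDLE hProcess = NULL;
            ULONG i,dwBytes ;
            NTSTATUS ntLocalStatus;
            ULONG OldProtect, OldProtect1;
            OBJECT_ATTRIBUTES ObjAttr;
            CLIENT_ID ClientId;
            PVOID pProtBase = NULL;         // in/out base for the protect call
            ULONG dwProtSize = 0;           // in/out size for the protect call
            BOOLEAN bProtChanged = FALSE;   // TRUE once OldProtect holds a real value

            //commented by zdhe.
            //here we must decide whether it's a directory sector write or a file write,
            //because when you create a file or subdir in this dir the system sends
            //mj_write to modify the directory info. in that case we must never touch the data.
            //in this test module we use a simple way:
            //because i will not make subdirs, if fullpathname is longer than
            //ENCRYPT_DIR +1 (include \) , then it's a file.
            //to decide properly whether it's a dir or a file, use a query-file-information call.
            if ( strlen(fullPathName) <= strlen(ENCRYPT_DIR ) +1 )
                goto Original;

            GETLOGBUFFER(szBuffer );
            if ( szBuffer == InsufficientResources )
            {
                goto Original;
            }
            ASSERT(pInData);

            //print log.
            RtlZeroMemory(szBuffer , LOG_DATASIZE );
            dwBytes = min( (ULONG) LOG_DATASIZE / 3 -4 ,(ULONG) Length) ;

            // Hex-dump the first dwBytes bytes (3 characters per byte).
            // Buffer has not been validated yet, so the reads are guarded;
            // a fault simply ends the dump. The "[i]" index missing from the
            // posted listing is restored here and in the case-swap loop.
            try
            {
                for ( i =0; pInData && i < dwBytes ; i ++ )
                {
                    // Cast to UCHAR: a sign-extended char >= 0x80 would print
                    // eight hex digits and overflow the 4-byte szTmpBuf.
                    sprintf(szTmpBuf, "%0x ", (UCHAR) pInData[i]);
                    strcat(szBuffer , szTmpBuf);
                }
            }except(1)
            {
                //leave the dump truncated
            }

            try
            {
                /*
                it will always be success.
                ProbeForRead ( pInData, Length, sizeof(UCHAR) ); //for write, it will always success.
                */
                /*
                //when data block is big, it's fail . anyway, we catch this error in following method.
                ProbeForWrite ( pInData, dwBytes, sizeof(UCHAR) );
                */

                //commonly, pInData is a read-only range. so change it!!!
                //In FastIoWrite we can be sure we run in the original context, so the
                //process to open is simply the one given by PsGetCurrentProcessId.
                // OBJ_KERNEL_HANDLE keeps the handle out of reach of user-mode
                // code in the calling process while it is open.
                // NOTE(review): PROCESS_ALL_ACCESS is broader than a protection
                // change needs; narrow it if the headers allow.
                InitializeObjectAttributes(&ObjAttr, NULL, OBJ_KERNEL_HANDLE, NULL, NULL);
                ClientId.UniqueProcess = PsGetCurrentProcessId();
                ClientId.UniqueThread =0;
                ntLocalStatus = ZwOpenProcess(&hProcess , PROCESS_ALL_ACCESS, &ObjAttr, &ClientId);
                if ( NT_SUCCESS(ntLocalStatus))
                {
                }else
                {
                    hProcess=NULL;
                    ASSERT(FALSE);
                }

                if ( hProcess )
                {
                    // The protect service rewrites its base/size arguments
                    // (rounded to page boundaries). Pass copies so pInData
                    // keeps pointing at the first byte of the write data.
                    pProtBase = pInData;
                    dwProtSize = Length;
                    ntLocalStatus = fncProtectVirtualMemory(hProcess ,
                                        &pProtBase,
                                        &dwProtSize,
                                        NEW_PAGE_ATTR, //PAGE_READWRITE | PAGE_NOCACHE,
                                        &OldProtect);
                    ASSERT( NT_SUCCESS(ntLocalStatus) && Length <= dwProtSize);
                    bProtChanged = (BOOLEAN) NT_SUCCESS(ntLocalStatus);
                }

                //change write data...
                try
                {
                    for ( i =0; i < Length; i++ )
                    {
                        //change capital to little, little to capital
                        if ( pInData[i] >='a' && pInData[i] <= 'z' )
                        {
                            pInData[i] = pInData[i] -'a' + 'A';
                        }else if ( pInData[i] >='A' && pInData[i] <= 'Z' )
                        {
                            pInData[i] = pInData[i] -'A' + 'a';
                        }else
                        {
                            //no change...
                        }
                    }
                }except(1)
                {
                    ASSERT(FALSE);
                }

                if ( hProcess )
                {
                    // Restore only when the first call succeeded; otherwise
                    // OldProtect was never written and must not be applied.
                    if ( bProtChanged )
                    {
                        ntLocalStatus = fncProtectVirtualMemory(hProcess ,
                                            &pProtBase,
                                            &dwProtSize,
                                            OldProtect,
                                            &OldProtect1);
                        ASSERT( NT_SUCCESS(ntLocalStatus) && Length <= dwProtSize);
                    }
                    ZwClose(hProcess);
                    hProcess = NULL;
                }
            } except(1)
            {
                DbgPrint(("current irql: %d\n",(ULONG) KeGetCurrentIrql()));
                ASSERT(FALSE);
            }

            retval = hookExt->FileSystem->DriverObject->FastIoDispatch->FastIoWrite(
                        FileObject, FileOffset, Length, Wait, LockKey, Buffer,
                        IoStatus, hookExt->FileSystem );

            if( FilterDef.logwrites && hookExt->Hooked )
            {
                TIMESTAMPSTOP();
                LogRecord( TRUE, NULL, &dateTime, &timeResult,
                    "%s\tFASTIO_WRITE\t%s\tOffset: %d Length: %d\t%s,Data:%s",
                    FilemonGetProcess( name ), fullPathName,
                    FileOffset->LowPart, Length,
                    retval?ErrorString( IoStatus->Status, errorBuf ):"FAILURE" ,szBuffer );
            }
            FREELOGBUFFER(szBuffer );
            FREEPATHNAME();
            return retval;
        }

Original:
        // Path outside ENCRYPT_DIR, a directory update, or no log buffer:
        // forward the write untouched.
        retval = hookExt->FileSystem->DriverObject->FastIoDispatch->FastIoWrite(
                    FileObject, FileOffset, Length, Wait, LockKey, Buffer,
                    IoStatus, hookExt->FileSystem );

        if( FilterDef.logwrites && hookExt->Hooked )
        {
            TIMESTAMPSTOP();
            LogRecord( TRUE, NULL, &dateTime, &timeResult,
                "%s\tFASTIO_WRITE\t%s\tOffset: %d Length: %d\t%s",
                FilemonGetProcess( name ), fullPathName,
                FileOffset->LowPart, Length,
                retval?ErrorString( IoStatus->Status, errorBuf ):"FAILURE" );
        }
        FREEPATHNAME();
    }
    return retval;
}

//commonly, we do not deal with writecompressed. if we really need to do it,
//we must first read the fastfat source code....
//for ntfs, hpfs, how???
//!!!reference linux code!!!!
//----------------------------------------------------------------------
//
// FilemonFastIoWriteCompressed
//
// Pass-through: forwards the request to the underlying file system and
// logs the result. The data is not transformed. ASSERT(FALSE) flags, in
// checked builds, that this unhandled path was reached.
//
//----------------------------------------------------------------------
BOOLEAN FilemonFastIoWriteCompressed( IN PFILE_OBJECT FileObject, IN PLARGE_INTEGER FileOffset,
                                      IN ULONG Length, IN ULONG LockKey, OUT PVOID Buffer,
                                      OUT PMDL *MdlChain, OUT PIO_STATUS_BLOCK IoStatus,
                                      OUT struct _COMPRESSED_DATA_INFO *CompressedDataInfo,
                                      IN ULONG CompressedDataInfoLength,
                                      IN PDEVICE_OBJECT DeviceObject )
{
    BOOLEAN retval = FALSE;
    PHOOK_EXTENSION hookExt;
    CHAR *fullPathName, name[PROCNAMELEN], errorBuf[ERRORLEN];
    LARGE_INTEGER timeStampStart, timeStampComplete, timeResult;
    LARGE_INTEGER dateTime;

    ASSERT(FALSE);
    if( !DeviceObject ) return FALSE;

    hookExt = DeviceObject->DeviceExtension;

    if( FASTIOPRESENT( hookExt, FastIoWriteCompressed ))
    {
        GETPATHNAME(FALSE);
        TIMESTAMPSTART();
        retval = hookExt->FileSystem->DriverObject->FastIoDispatch->FastIoWriteCompressed(
                    FileObject, FileOffset, Length, LockKey, Buffer, MdlChain,
                    IoStatus, CompressedDataInfo, CompressedDataInfoLength,
                    hookExt->FileSystem );

        if( FilterDef.logwrites && hookExt->Hooked )
        {
            TIMESTAMPSTOP();
            LogRecord( TRUE, NULL, &dateTime, &timeResult,
                "%s\tFASTIO_WRITE_COMPRESSED\t%s\tOffset: %d Length: %d\t%s",
                FilemonGetProcess( name ), fullPathName,
                FileOffset->LowPart, Length,
                retval ? ErrorString( IoStatus->Status, errorBuf ) : "FAILURE" );
        }
        FREEPATHNAME();
    }
    return retval;
}

//----------------------------------------------------------------------
//
// FilemonFastIoMdlWriteCompleteCompressed
//
// Pass-through: forwards the request to the underlying file system and
// logs it. ASSERT(FALSE) flags, in checked builds, that this unhandled
// path was reached.
//
//----------------------------------------------------------------------
BOOLEAN FilemonFastIoMdlWriteCompleteCompressed( IN PFILE_OBJECT FileObject,
                                                 IN PLARGE_INTEGER FileOffset,
                                                 IN PMDL MdlChain,
                                                 IN PDEVICE_OBJECT DeviceObject )
{
    BOOLEAN retval = FALSE;
    PHOOK_EXTENSION hookExt;
    CHAR *fullPathName, name[PROCNAMELEN];
    LARGE_INTEGER timeStampStart, timeStampComplete, timeResult;
    LARGE_INTEGER dateTime;

    ASSERT(FALSE);
    if( !DeviceObject ) return FALSE;

    hookExt = DeviceObject->DeviceExtension;

    if( FASTIOPRESENT( hookExt, MdlWriteCompleteCompressed ))
    {
        GETPATHNAME(FALSE);
        TIMESTAMPSTART();
        retval = hookExt->FileSystem->DriverObject->FastIoDispatch->MdlWriteCompleteCompressed(
                    FileObject, FileOffset, MdlChain, hookExt->FileSystem );

        if( FilterDef.logwrites && hookExt->Hooked)
        {
            TIMESTAMPSTOP();
            LogRecord( TRUE, NULL, &dateTime, &timeResult,
                "%s\tFASTIO_MDL_WRITE_COMPLETE_COMPRESSED\t%s\tOffset: %d\t%s",
                FilemonGetProcess( name ), fullPathName,
                FileOffset->LowPart, "OK" );
        }
        FREEPATHNAME();
    }
    return retval;
}

//----------------------------------------------------------------------
//
// FilemonFastIoPrepareMdlWrite
// MDL writes are not transformed here (the author did not get to it).
// They do happen in some cases, e.g. when the directory is mounted as
// an IIS FTP server directory; add the handling yourself if needed.
// Ordinary file access does not normally take this path.
//
// Pass-through: presets IoStatus to STATUS_NOT_IMPLEMENTED, then forwards
// the request to the underlying file system when it supports it, and logs
// the result.
//
//----------------------------------------------------------------------
BOOLEAN FilemonFastIoPrepareMdlWrite( IN PFILE_OBJECT FileObject, IN PLARGE_INTEGER FileOffset,
                                      IN ULONG Length, IN ULONG LockKey, OUT PMDL *MdlChain,
                                      OUT PIO_STATUS_BLOCK IoStatus,
                                      IN PDEVICE_OBJECT DeviceObject )
{
    BOOLEAN retval = FALSE;
    PHOOK_EXTENSION hookExt;
    CHAR *fullPathName, name[PROCNAMELEN], errorBuf[ERRORLEN];
    LARGE_INTEGER timeStampStart, timeStampComplete, timeResult;
    LARGE_INTEGER dateTime;

    ASSERT(FALSE);
    if( !DeviceObject ) return FALSE;

    hookExt = DeviceObject->DeviceExtension;
    IoStatus->Status = STATUS_NOT_IMPLEMENTED;
    IoStatus->Information = 0;

    if( FASTIOPRESENT( hookExt, PrepareMdlWrite ))
    {
        GETPATHNAME(FALSE);
        TIMESTAMPSTART();
        retval = hookExt->FileSystem->DriverObject->FastIoDispatch->PrepareMdlWrite(
                    FileObject, FileOffset, Length, LockKey, MdlChain, IoStatus,
                    hookExt->FileSystem );

        if( FilterDef.logwrites && hookExt->Hooked )
        {
            TIMESTAMPSTOP();
            LogRecord( TRUE, NULL, &dateTime, &timeResult,
                "%s\tFASTIO_PREPARE_MDL_WRITE\t%s\tOffset: %d Length: %d\t%s",
                FilemonGetProcess( name ), fullPathName,
                FileOffset->LowPart, Length,
                retval ? ErrorString( IoStatus->Status, errorBuf ): "FAILURE" );
        }
        FREEPATHNAME();
    }
    return retval;
}

//----------------------------------------------------------------------
//
// FilemonFastIoMdlWriteComplete
//
// Pass-through: forwards the request to the underlying file system and
// logs it. ASSERT(FALSE) flags, in checked builds, that this unhandled
// path was reached.
//
//----------------------------------------------------------------------
BOOLEAN FilemonFastIoMdlWriteComplete( IN PFILE_OBJECT FileObject, IN PLARGE_INTEGER FileOffset,
                                       IN PMDL MdlChain, IN PDEVICE_OBJECT DeviceObject )
{
    BOOLEAN retval = FALSE;
    PHOOK_EXTENSION hookExt;
    CHAR *fullPathName, name[PROCNAMELEN];
    LARGE_INTEGER timeStampStart, timeStampComplete, timeResult;
    LARGE_INTEGER dateTime;

    ASSERT(FALSE);
    if( !DeviceObject ) return FALSE;

    hookExt = DeviceObject->DeviceExtension;

    if( FASTIOPRESENT( hookExt, MdlWriteComplete ))
    {
        GETPATHNAME(FALSE);
        TIMESTAMPSTART();
        retval = hookExt->FileSystem->DriverObject->FastIoDispatch->MdlWriteComplete(
                    FileObject, FileOffset, MdlChain, hookExt->FileSystem );

        if( FilterDef.logwrites && hookExt->Hooked )
        {
            TIMESTAMPSTOP();
            LogRecord( TRUE, NULL, &dateTime, &timeResult,
                "%s\tFASTIO_MDL_WRITE_COMPLETE\t%s\tOffset: %d\tOK",
                FilemonGetProcess( name ), fullPathName,
                FileOffset->LowPart );
        }
        FREEPATHNAME();
    }
    return retval;
}

//----------------------------------------------------------------------
//
// FilemonFastIoReleaseForModWrite
// no need change.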
// //---------------------------------------------------------------------- NTSTATUS FilemonFastIoReleaseForModWrite( IN PFILE_OBJECT FileObject, IN struct _ERESOURCE *ResourceToRelease, IN PDEVICE_OBJECT DeviceObject ) { NTSTATUS retval = STATUS_NOT_IMPLEMENTED; PHOOK_EXTENSION hookExt; CHAR *fullPathName, errval[ERRORLEN], name[PROCNAMELEN]; LARGE_INTEGER timeStampStart, timeStampComplete, timeResult; LARGE_INTEGER dateTime; ASSERT(FALSE); if( !DeviceObject ) return STATUS_NOT_IMPLEMENTED; hookExt = DeviceObject->DeviceExtension; if( FASTIOPRESENT( hookExt, ReleaseForModWrite )) { GETPATHNAME(FALSE); TIMESTAMPSTART(); retval = hookExt->FileSystem->DriverObject->FastIoDispatch->ReleaseForModWrite( FileObject, ResourceToRelease, hookExt->FileSystem ); if( FilterDef.logwrites && hookExt->Hooked) { TIMESTAMPSTOP(); LogRecord( TRUE, NULL, &dateTime, &timeResult, \"%s\\tFASTIO_RELEASE_FOR_MOD_WRITE\\t%s\\t\\t%s\", FilemonGetProcess( name ), fullPathName, ErrorString( retval, errval )); } FREEPATHNAME(); } return retval; } |
|
10楼#
发布于:2002-05-04 17:35
用户被禁言,该主题自动屏蔽! |
|
11楼#
发布于:2002-05-07 10:26
非常好
|
|