|
阅读:1785回复:3
一个关于处理IRP_MJ_WRITE和IRP_MJ_WRITE的问题?
我的在程序中修改了filespy的函数SpyLogIrp来截获IO的数据,函数SpyLogIrp会在irp产生和完成时两次被调用,由if (LoggingFlags & LOG_ORIGINATING_IRP)来区分,代码如下:
PIO_STACK_LOCATION pIrpStack; PRECORD_IRP pRecordIrp; PDEVICE_EXTENSION deviceExtension; PUNICODE_STRING volumeName; ULONG lookupFlags; ULONG ReadLength = Irp->IoStatus.Information; PVOID pbuf; pRecordIrp = &RecordList->LogRecord.Record.RecordIrp; pIrpStack = IoGetCurrentIrpStackLocation(Irp); //deal with the originating irp if (LoggingFlags & LOG_ORIGINATING_IRP) { pRecordIrp->IrpMajor = pIrpStack->MajorFunction; pRecordIrp->IrpMinor = pIrpStack->MinorFunction; pRecordIrp->IrpFlags = Irp->Flags; pRecordIrp->FileObject = (FILE_ID)pIrpStack->FileObject; pRecordIrp->ProcessId = (FILE_ID)PsGetCurrentProcessId(); pRecordIrp->ThreadId = (FILE_ID)PsGetCurrentThreadId(); FEGetProcess( pRecordIrp->ProcessName ); //Deal with the write operation if(pRecordIrp->IrpMajor == IRP_MJ_WRITE) { if((Irp->Flags & IRP_NOCACHE)&&(Irp->MdlAddress != NULL)) { pbuf = MmGetSystemAddressForMdlSafe(Irp->MdlAddress, NormalPagePriority ); if(ReadLength>=65535)ReadLength = 65534; pRecordIrp->pIOContent[0] = (CHAR)1; RtlCopyMemory((PVOID)(pRecordIrp->pIOContent+1), pbuf, ReadLength); pRecordIrp->pIOContent[ReadLength+1] = \'\\0\'; } else { pRecordIrp->pIOContent[0] = (CHAR)0; } } else { pRecordIrp->pIOContent[0] = (CHAR)0; } ......................... } //deal with the completion irp if (LoggingFlags & LOG_COMPLETION_IRP) { pRecordIrp->ReturnStatus = Irp->IoStatus.Status; pRecordIrp->ReturnInformation = Irp->IoStatus.Information; if(pRecordIrp->IrpMajor == IRP_MJ_READ) { if((Irp->Flags & IRP_NOCACHE)&&(Irp->MdlAddress != NULL)) { pbuf = MmGetSystemAddressForMdlSafe(Irp->MdlAddress, NormalPagePriority ); if(ReadLength>=65535)ReadLength = 65534; pRecordIrp->pIOContent[0] = (CHAR)1; RtlCopyMemory((PVOID)(pRecordIrp->pIOContent+1), pbuf, ReadLength); pRecordIrp->pIOContent[ReadLength+1] = \'\\0\'; } else { pRecordIrp->pIOContent[0] = (CHAR)0; } } else { pRecordIrp->pIOContent[0] = (CHAR)0; } } } //deal with the complete irp if (LoggingFlags & LOG_COMPLETION_IRP) { pRecordIrp->ReturnStatus = Irp->IoStatus.Status; pRecordIrp->ReturnInformation = Irp->IoStatus.Information; if(pRecordIrp->IrpMajor == IRP_MJ_READ) { if((Irp->Flags & IRP_NOCACHE)&&(Irp->MdlAddress != NULL)) { pbuf = MmGetSystemAddressForMdlSafe(Irp->MdlAddress, NormalPagePriority ); if(ReadLength>=65535)ReadLength = 65534; pRecordIrp->pIOContent[0] = (CHAR)1; RtlCopyMemory((PVOID)(pRecordIrp->pIOContent+1), pbuf, ReadLength); RecordIrp->pIOContent[ReadLength+1] = \'\\0\'; } else { pRecordIrp->pIOContent[0] = (CHAR)0; } } else { pRecordIrp->pIOContent[0] = (CHAR)0; } } } 但是出现如下问题: 当我把if(pRecordIrp->IrpMajor == IRP_MJ_WRITE)一段放入irp产生时调用的那段代码中时程序截获不了写入硬盘的数据,但是当我放入IoCompleteRoutine时调用的那段代码中时就可以,请问为生么? 还有就是我截获的数据不完全是我想要的运用程序写入硬盘的数据还有一些类似FILE*和FILE0我不关心的数据,请问怎样区分写入硬盘的数据是否是运用程序写入硬盘的数据? 先谢了!!!~_~ |
|
最新喜欢: znsoft
|
|
沙发#
发布于:2004-05-19 15:52
兄弟们随便嗯一声呀~_~
小弟万分感激!!!!!!!!!1 |
|
|
板凳#
发布于:2004-05-28 20:54
写入硬盘的操作是没有程序和系统的分别的,所以在文件层做HOOK是不实用的
[编辑 - 5/30/04 by tzhcsoft] |
|
|
地板#
发布于:2004-06-07 23:00
写入硬盘的操作是没有程序和系统的分别的,所以在文件层做HOOK是不实用的 还有什么更好的方法吗?(是Hook service吗???)如果有不妨公布一下 |
|
|
