filemon 隐藏的部分代码,但不能完成隐藏功能,请高手指教。
//filemon 隐藏的部分代码,但不能完成隐藏功能,请高手指教。
//
// FilemonHookRoutine
//
// Dispatch routine of the Filemon hook device layered over a file system.
// When filtering is on it resolves the file name, writes a log record for
// the IRP (process name, major function, path), and forwards the IRP to the
// hooked file system; when a log record asks for it, FilemonHookDone is
// registered as completion routine so the IRP's result can be logged too.
//
// HookDevice - the hook device object; its extension (HOOK_EXTENSION) holds
//              the file-system device the IRP is forwarded to.
// Irp        - the request being intercepted.
//
// Returns the status of IoCallDriver on the underlying file system.
//
// NOTE(review): as pasted on the forum, the code below is not compilable
// as-is: the `/* ... directory control` comment is never closed, one `}`
// appears to be missing before the `} else {` of the logging branch, and
// some `[i]` subscripts and an `&` look eaten by forum markup. Verify
// against the original Filemon source before reusing any of it.
//
NTSTATUS
FilemonHookRoutine( PDEVICE_OBJECT HookDevice, IN PIRP Irp )
{
    PIO_STACK_LOCATION currentIrpStack = IoGetCurrentIrpStackLocation(Irp);
    PIO_STACK_LOCATION nextIrpStack = IoGetNextIrpStackLocation(Irp);
    PMOVE_FILE_DATA moveFile;
    PQUERY_DIRECTORY queryDirectory;
    PFILE_OBJECT FileObject;
    PHOOK_EXTENSION hookExt;
    LARGE_INTEGER dateTime;
    LARGE_INTEGER perfTime;
    PCHAR fullPathName = NULL;          // set by GETPATHNAME below (presumably), freed at the end
    BOOLEAN hookCompletion, createPath;
    CHAR controlCodeBuffer[ERRORLEN];
    CHAR attributeString[ERRORLEN];
    CHAR optionString[ERRORLEN];
    CHAR name[PROCNAMELEN];             // requesting process name, filled by FilemonGetProcess
    ULONG i;
    ANSI_STRING directoryFilter;
    PCHAR queryFilter;
    ULONG seqNum;                       // log sequence number, handed to the completion routine
    KIRQL oldirql;

    //
    // Extract the file object from the IRP
    //
    FileObject = currentIrpStack->FileObject;

    //
    // Point at the device extension, which contains information on which
    // file system this IRP is headed for
    //
    hookExt = HookDevice->DeviceExtension;

    //
    // We note open cases so that when we query the file name
    // we don't ask the file system for the name (since it won't
    // have seen the file object yet).
    //
    if( currentIrpStack->MajorFunction == IRP_MJ_CREATE ||
        currentIrpStack->MajorFunction == IRP_MJ_CREATE_NAMED_PIPE ||
        currentIrpStack->MajorFunction == IRP_MJ_CREATE_MAILSLOT ) {

        //
        // Clear any existing fileobject/name association stored in the
        // hash table
        //
        FilemonFreeHashEntry( FileObject );
        createPath = TRUE;

    } else if( currentIrpStack->MajorFunction == IRP_MJ_CLOSE ) {

        //
        // We treat close as a special case of create for name querying
        // since calling into NTFS during a close can result in a deadlock.
        //
        createPath = TRUE;

    } else if( currentIrpStack->MajorFunction == IRP_MJ_CLEANUP &&
               FileObject->Flags & FO_STREAM_FILE ) {

        //
        // Treat cleanup of stream file objects as special create case, because
        // querying them causes NTFS to screwup on NT 4
        //
        createPath = TRUE;

    } else {

        createPath = FALSE;
    }

    //
    // Allocate a buffer and get the name only if we have to
    // (GETPATHNAME is a macro defined elsewhere; its exact behaviour is not
    // visible here)
    //
    if( FilterOn && hookExt->Hooked ) {

        GETPATHNAME( createPath );
    }

    //
    // Only log it if it passes the filter
    //
    if( hookExt->Hooked && fullPathName ) {

        //
        // If measuring absolute time go and get the timestamp.
        //
        KeQuerySystemTime( &dateTime );
        perfTime = KeQueryPerformanceCounter( NULL );

        //
        // We want to watch this IRP complete
        //
        seqNum = (ULONG) -1;
        hookCompletion = FALSE;

        //
        // Determine what function we're dealing with
        //
        FilemonGetProcess( name );

        switch( currentIrpStack->MajorFunction ) {

        case IRP_MJ_CREATE:

            hookCompletion = LogRecord( TRUE, &seqNum, &dateTime, NULL,
                "%s\tIRP_MJ_CREATE\t%s\tAttributes: %s Options: %s",
                name, fullPathName,
                CreateAttributesString( currentIrpStack->Parameters.Create.FileAttributes, attributeString ),
                CreateOptionsString( currentIrpStack->Parameters.Create.Options, optionString ));

            //
            // If its an open-by-id we free the hash entry now so that on the next access to
            // the file we'll pick up the file's real name.
            //
            if( currentIrpStack->Parameters.Create.Options & FILE_OPEN_BY_FILE_ID ) {

                FilemonFreeHashEntry( FileObject );
            }
            break;

        /************************* directory control *****************
        case IRP_MJ_DIRECTORY_CONTROL:

            switch( currentIrpStack->MinorFunction ) {

            case IRP_MN_NOTIFY_CHANGE_DIRECTORY:

                hookCompletion = LogRecord( TRUE, &seqNum, &dateTime, NULL,
                    "%s\tIRP_MJ_DIRECTORY_CONTROL\t%s\tChange Notify",
                    name, fullPathName );
                break;

            case IRP_MN_QUERY_DIRECTORY:

                //
                // hide handler: code taken from this forum (poster's addition,
                // not part of Filemon)
                //
                ApcHookHideFile( Irp, currentIrpStack );

                //
                // (poster) the directory to hide is reached here, but hiding
                // does not take effect: it is still visible. Asking for advice.
                //
                // NOTE(review): `¤` below is most likely `&curren` of
                // `&currentIrpStack` mangled by the forum's entity handling.
                //
                queryDirectory = (PQUERY_DIRECTORY)¤tIrpStack->Parameters;
                queryFilter = NULL;

                if( queryDirectory->FileName ) {

                    if( NT_SUCCESS( RtlUnicodeStringToAnsiString( &directoryFilter, queryDirectory->FileName, TRUE ))) {

                        queryFilter = ExAllocatePool( PagedPool, directoryFilter.Length + 1 );

                        if( queryFilter ) {

                            memcpy( queryFilter, directoryFilter.Buffer, directoryFilter.Length );
                            queryFilter[ directoryFilter.Length ] = 0;

                            //
                            // Massage DOS-internal wildcards
                            //
                            // NOTE(review): as pasted the `[i]` subscripts on
                            // queryFilter are missing (probably eaten as forum
                            // italics markup); the comparisons below are on the
                            // pointer, not on the character.
                            //
                            for( i = 0; i < strlen( queryFilter ); i++ ) {

                                if( queryFilter == '<' ) queryFilter = '*';
                                else if( queryFilter == '>' ) queryFilter = '?';
                            }
                        }
                        RtlFreeAnsiString( &directoryFilter );
                    }
                }

                if( queryFilter ) {

                    hookCompletion = LogRecord( TRUE, &seqNum, &dateTime, NULL,
                        "%s\tIRP_MJ_DIRECTORY_CONTROL\t%s\t%s: %s",
                        name, fullPathName,
                        FileInformation[queryDirectory->FileInformationClass], queryFilter );
                    ExFreePool( queryFilter );

                } else {

                    hookCompletion = LogRecord( TRUE, &seqNum, &dateTime, NULL,
                        "%s\tIRP_MJ_DIRECTORY_CONTROL\t%s\t%s",
                        name, fullPathName,
                        FileInformation[queryDirectory->FileInformationClass] );
                }
                break;

            default:

                hookCompletion = LogRecord( TRUE, &seqNum, &dateTime, NULL,
                    "%s\tIRP_MJ_DIRECTORY_CONTROL\t%s\t",
                    name, fullPathName );
                break;
            }
            break;
        }

    } else {

        //
        // We don't care about this IRP's completion
        //
        hookCompletion = FALSE;

        //
        // Do name processing for the sake of keeping the hash table current
        //
        switch( currentIrpStack->MajorFunction ) {

        case IRP_MJ_CLOSE:

            //
            // This fileobject/name association can be discarded now.
            //
            FilemonFreeHashEntry( FileObject );
            break;
        }
    }

    //
    // Free the buffer if we have one
    // (InsufficientResources is a sentinel value, not a lookaside allocation)
    //
    if( fullPathName && fullPathName != InsufficientResources ) {

        ExFreeToNPagedLookasideList( &FullPathLookaside, fullPathName );
    }

    //
    // Copy parameters down to next level in the stack for the driver below us
    //
    *nextIrpStack = *currentIrpStack;

#if DBG
    //
    // If an unload isn't in progress, we should register a completion callback
    // so that the IRP's return status can be examined.
    //
    KeAcquireSpinLock( &CountMutex, &oldirql );
#endif

    if( !UnloadInProgress && hookCompletion ) {

#if DBG
        //
        // Increment the outstanding IRP count since this IRP will be headed
        // for our completion routine
        //
        FilemonDriver->DriverUnload = NULL;
        OutstandingIRPCount++;
        DbgPrint(("+%d: %x\n", OutstandingIRPCount, Irp ));;
#endif // DBG

        //
        // Grab the time stamp and Log it in the current stack location. This
        // is legal since the stack location is ours, and we're done looking at
        // the parameters. This makes it easy to pass this to the completion routine. The
        // DiskPerf example in the NT DDK uses this trick.
        //
        currentIrpStack->Parameters.Read.ByteOffset = perfTime;

        //
        // seqNum travels to FilemonHookDone as the completion context
        //
#if defined(_IA64_)
        IoSetCompletionRoutine( Irp, FilemonHookDone, (PVOID) (ULONG_PTR) seqNum, TRUE, TRUE, TRUE );
#else
        IoSetCompletionRoutine( Irp, FilemonHookDone, (PVOID) seqNum, TRUE, TRUE, TRUE );
#endif

    } else {

        //
        // Set no completion routine
        //
        IoSetCompletionRoutine( Irp, FilemonHookDone, NULL, FALSE, FALSE, FALSE );
    }

#if DBG
    KeReleaseSpinLock( &CountMutex, oldirql );
#endif

    //
    // Return the results of the call to the caller
    //
    return IoCallDriver( hookExt->FileSystem, Irp );
}

//
// ApcHookHideFile
//
// Directory-listing filter (the poster's "hide" routine; not part of Filemon).
// Walks the FILE_BOTH_DIR_INFORMATION chain at Irp->UserBuffer, removes the
// first entry whose name begins with L"888" by shifting the entries that
// follow it over it, and shrinks Irp->IoStatus.Information by the size of the
// removed entry.
//
// Irp             - the IRP_MN_QUERY_DIRECTORY request whose result buffer is edited.
// currentIrpStack - its current stack location; only Parameters.QueryFile.Length is read.
//
// NOTE(review): this rewrites the caller's buffer in place through the raw
// Irp->UserBuffer pointer and only range-checks the first NextEntryOffset, so
// it is a system-stability risk as much as a stealth technique. From a
// detection standpoint a driver that shortens IRP_MN_QUERY_DIRECTORY results
// is exposed by cross-view comparison (a normal directory listing against an
// independent view of the same directory, e.g. the raw on-disk index) and by
// an unexpected filter device sitting on the file-system device stack.
//
VOID ApcHookHideFile( PIRP Irp, PIO_STACK_LOCATION currentIrpStack )
{
    PFILE_BOTH_DIR_INFORMATION QueryBuffer = NULL;
    ULONG offset = 0;                   // NextEntryOffset of the entry being examined
    ULONG currentPosition = 0;          // byte offset of that entry from the buffer start
    ULONG bufferLength = currentIrpStack->Parameters.QueryFile.Length;
    ULONG NewLength = 0;
    WCHAR fileNameToRemove[] = L"888";  // name prefix that is hidden (3 WCHARs compared)
    PUCHAR startEntryToRemove = NULL;
    PUCHAR startNextEntry = NULL;

    NewLength = bufferLength;
    QueryBuffer = (PFILE_BOTH_DIR_INFORMATION) Irp->UserBuffer;

    //
    // Only the very first link of the chain is range-checked
    //
    if( QueryBuffer->NextEntryOffset > bufferLength ) return;

    do {
        offset = QueryBuffer->NextEntryOffset;

        // DebugPrint( ( "HookRoutine : QUERY_DIR : TestH - ws 0xd\n",
        //     QueryBuffer->FileName, QueryBuffer->NextEntryOffset ) );

        if( wcsncmp(QueryBuffer->FileName, fileNameToRemove, 3 ) == 0 ) {

            //
            // Shift everything after this entry down over it, then stop
            // (only the first match is removed)
            //
            startEntryToRemove = (PUCHAR) QueryBuffer;
            startNextEntry = (PUCHAR) QueryBuffer + offset;
            RtlMoveMemory( startEntryToRemove, startNextEntry, bufferLength - currentPosition - offset );
            NewLength -= offset;
            break;
        }

        currentPosition += offset;
        QueryBuffer = (PFILE_BOTH_DIR_INFORMATION) ( (PUCHAR) QueryBuffer + offset );

    } while( offset != 0 );             // NextEntryOffset == 0 marks the last entry

    Irp->IoStatus.Information = NewLength;
    //IoCompleteRequest(Irp, IO_NO_INCREMENT);
}
发布于:2004-07-10 12:40
不能完成隐藏功能是什么意思?
是不是你不能完全控制(屏蔽)所有的 IRP 操作?
发布于:2004-07-10 16:12
不能实现目录隐藏功能,请指教,怎样实现
发布于:2004-10-28 20:35
是啊,怎样实现?
发布于:2004-10-29 11:34
仔细搜搜以前的帖子,有挺多例子的
发布于:2004-10-29 17:20
文件隐藏没问题吗??
发布于:2004-10-31 00:40
处理 IRP_MN_QUERY_DIRECTORY
网上有篇隐藏进程、目录的文章,照着做。