Views: 2097  Replies: 9
Problem using ZwReadFile to read a file inside FilemonHookRoutine?
In FilemonHookRoutine I
added the following code:

    case IRP_MJ_READ: {
        hookCompletion = LogRecord( TRUE, &seqNum, &dateTime, NULL,
                                    "%s\tIRP_MJ_READ%c\t%s\tOffset: %d Length: %d",
                                    name,
                                    (Irp->Flags & IRP_PAGING_IO) || (Irp->Flags & IRP_SYNCHRONOUS_PAGING_IO) ? '*' : ' ',
                                    fullPathName,
                                    currentIrpStack->Parameters.Read.ByteOffset.LowPart,
                                    currentIrpStack->Parameters.Read.Length );

        //
        // Print read length. (Filemon's DbgPrint macro takes a parenthesised argument list.)
        //
        DbgPrint(( "FILEMON.SYS: The file is %s\n", fullPathName ));
        DbgPrint(( "FILEMON.SYS: IRP_MJ_READ Read Length is %d Bytes\n",
                   currentIrpStack->Parameters.Read.Length ));

        RtlInitUnicodeString( &logFileUnicodeString, logFileNameBuffer );
        InitializeObjectAttributes( &objectAttributes, &logFileUnicodeString,
                                    OBJ_CASE_INSENSITIVE, NULL, NULL );
        ntStatusOfFile = ZwOpenFile( &hFile, SYNCHRONIZE | GENERIC_READ, &objectAttributes,
                                     &IoStatusBlock, 0, FILE_SYNCHRONOUS_IO_ALERT );
        if( !NT_SUCCESS(ntStatusOfFile)) {
            DbgPrint(("ZwOpenFile failed.\n"));
            break;
        }
        ntStatusOfFile = ZwQueryInformationFile( hFile, &IoStatusBlock, (void*)&eof,
                                                 sizeof(eof), FileStandardInformation );
        uFileSize = 2048;    // check uFileSize is zero?
        pDataBuf = (char*)ExAllocatePool( NonPagedPool, uFileSize + 1 );
        if ( pDataBuf == NULL ) {
            DbgPrint(("pDataBuf == NULL \n"));
            ZwClose( hFile );    // do not fall through to ZwReadFile with a NULL buffer
            hFile = NULL;
            break;
        }
        // ZwReadFile takes the HANDLE value itself; the original passed &hFile,
        // the address of the handle variable, which is not a valid handle and
        // makes the call fail.
        ntStatusOfFile = ZwReadFile( hFile, NULL, NULL, NULL, &IoStatusBlock,
                                     pDataBuf, uFileSize, NULL, NULL );
        if( !NT_SUCCESS(ntStatusOfFile)) {
            DbgPrint(("ZwReadFile failed.\n"));
            ZwClose( hFile );
            hFile = NULL;
            ExFreePool( pDataBuf );    // free the buffer on the failure path as well
            pDataBuf = NULL;
            break;
        }
        ZwClose( hFile );
        hFile = NULL;
        ExFreePool( pDataBuf );
        pDataBuf = NULL;
    }

Why does ZwOpenFile succeed, while ZwReadFile always fails? :)
[Edited - 1/18/05 by paladinii]
Reply #1
Posted: 2005-01-18 11:58
ZwReadFile itself issues an IRP_MJ_READ request, so doing it this way will probably produce something like a loop. Think about whether there is another way.
Reply #2
Posted: 2005-01-18 13:26
What the poster above says is right; I also think it generates IRP_MJ_READ, and DDK Helper says the same. But I have indeed seen people implement it this way, and when I tested it there was no IRP re-entry, only ZwReadFile returning failure. I had no other way, so I did it like this; originally I wanted to capture the read data in ReadCompletion, or build an IRP to read the data, but without relevant material that is hard to do. Could you give me some pointers to references or sample code? Thanks!
Reply #3
Posted: 2005-01-18 16:19
The completion routine and building an IRP that you mention both seem to be used in filemon.
In FilemonHookRoutine it sets a completion routine for every IRP, and the file path is obtained by building an IRP. You can search the posts on dynamic file encryption/decryption; they all do it by setting a completion routine.
Reply #4
Posted: 2005-01-18 16:53
OK, many thanks to the poster above; I hope we can exchange more in the future.
Reply #5
Posted: 2005-01-18 17:04
I plan to use a driver to implement dynamic encryption/decryption during file access, and one question puzzles me, so I raise it here for advice: when handling file read/write IRP requests, which buffer does the data actually reside in? Is there any problem with the buffer obtained by the code below?

    switch( Irp->RequestorMode ) {
    case KernelMode:
        if( Irp->MdlAddress )
            pBuffer = MmGetSystemAddressForMdl( Irp->MdlAddress );    // obsolete call; MmGetSystemAddressForMdlSafe reports mapping failure instead of bugchecking
        else
            pBuffer = Irp->AssociatedIrp.SystemBuffer;
        break;
    case UserMode:
        if( Irp->MdlAddress )
            pBuffer = MmGetSystemAddressForMdl( Irp->MdlAddress );
        else
            pBuffer = Irp->UserBuffer;
        break;
    default:
        break;
    }

Please advise, thank you!! fslife, is your problem solved? Could you share your experience and the modified code with everyone?
Reply #6
Posted: 2005-01-18 17:54
File write:

    switch(Irp->RequestorMode) {
    case KernelMode:
        if (Irp->MdlAddress) {
            sysDataBuf = MmGetSystemAddressForMdlSafe(Irp->MdlAddress, NormalPagePriority);
        } else {
            sysDataBuf = Irp->AssociatedIrp.SystemBuffer;
        }
        break;
    case UserMode:
        if (Irp->MdlAddress) {
            sysDataBuf = MmGetSystemAddressForMdlSafe(Irp->MdlAddress, NormalPagePriority);
        } else {
            sysDataBuf = Irp->UserBuffer;
        }
        break;
    default:
        break;
    }

File read:

    switch(Irp->RequestorMode) {
    case KernelMode:
        if (Irp->MdlAddress) {
            sysDataBuf = MmGetSystemAddressForMdlSafe(Irp->MdlAddress, NormalPagePriority);
        } else {
            sysDataBuf = Irp->AssociatedIrp.SystemBuffer;
        }
        break;
    case UserMode:
        if (Irp->MdlAddress) {
            sysDataBuf = MmGetSystemAddressForMdlSafe(Irp->MdlAddress, NormalPagePriority);
        } else {
            sysDataBuf = Irp->UserBuffer;
        }
        break;
    default:
        break;
    }
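Added example for this thread, not code from either poster: a host-compilable model of the buffer selection that replies #5 and #6 discuss, plus the completion-side decrypt that reply #2 wanted to do in ReadCompletion. The IRP and MDL layouts, KernelMode/UserMode and MmGetSystemAddressForMdlSafe below are assumed stand-ins carrying only the fields the logic touches, so the decision logic can be compiled and checked in user mode; in a real driver they come from ntddk.h and the stand-ins must be deleted. Two points the posted code does not show: the KernelMode and UserMode branches are identical, so the selection is simply MDL, then SystemBuffer, then UserBuffer; and on the completion path the byte count to process is Irp->IoStatus.Information, not the length the caller asked for.

```c
/*
 * Host-side model of a file filter's IRP_MJ_READ / IRP_MJ_WRITE buffer
 * selection. Example code for the thread; the kernel types below are
 * assumed stand-ins, not the real ntddk.h definitions.
 */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* ---- stand-ins (assumed shapes, replaced by ntddk.h in a driver) ---- */
typedef struct _MDL {
    void *MappedSystemVa;                    /* what a successful MDL mapping yields */
} MDL, *PMDL;

typedef struct _IRP {
    PMDL MdlAddress;                         /* direct I/O: the FSD handed us an MDL */
    struct { void *SystemBuffer; } AssociatedIrp;   /* buffered I/O */
    void *UserBuffer;                        /* "neither" I/O: the caller's raw pointer */
    struct { size_t Information; } IoStatus; /* bytes actually transferred on completion */
} IRP, *PIRP;

typedef enum { NormalPagePriority = 16 } MM_PAGE_PRIORITY;

/* Stand-in with the real call's shape: returns NULL when the mapping fails. */
static void *MmGetSystemAddressForMdlSafe(PMDL Mdl, MM_PAGE_PRIORITY Priority)
{
    (void)Priority;
    return Mdl ? Mdl->MappedSystemVa : NULL;
}

/* ---- the logic under discussion ---- */

/*
 * Locate the data buffer of a read/write IRP. Because the RequestorMode
 * branches in the posted code are identical, the rule collapses to:
 * MDL first, then the system buffer, then the raw user buffer.
 * Returns NULL when an MDL is present but cannot be mapped; the caller
 * must then fail the request rather than touch memory.
 */
void *FilterGetIoBuffer(PIRP Irp)
{
    if (Irp->MdlAddress != NULL) {
        return MmGetSystemAddressForMdlSafe(Irp->MdlAddress, NormalPagePriority);
    }
    if (Irp->AssociatedIrp.SystemBuffer != NULL) {
        return Irp->AssociatedIrp.SystemBuffer;
    }
    /*
     * UserBuffer is a virtual address in the requesting thread's context.
     * It is only safe to use in the dispatch path; a completion routine can
     * run in an arbitrary thread and must not rely on it.
     */
    return Irp->UserBuffer;
}

/*
 * Completion-side transform for IRP_MJ_READ: the lower driver has filled
 * the buffer, so the byte count to process is IoStatus.Information. The
 * XOR is a placeholder for the filter's real cipher; the buffer handling
 * is the point of the example. Returns 1 on success, 0 if no buffer.
 */
int FilterDecryptCompletedRead(PIRP Irp, uint8_t key)
{
    uint8_t *buf = (uint8_t *)FilterGetIoBuffer(Irp);
    if (buf == NULL) {
        return 0;            /* unmappable MDL: report failure, touch nothing */
    }
    for (size_t i = 0; i < Irp->IoStatus.Information; i++) {
        buf[i] ^= key;
    }
    return 1;
}

int main(void)
{
    /* Constructed sample: a direct-I/O read that completed with 5 of 8 bytes. */
    uint8_t page[8] = { 'h' ^ 0x5a, 'e' ^ 0x5a, 'l' ^ 0x5a, 'l' ^ 0x5a, 'o' ^ 0x5a, 0, 0, 0 };
    MDL mdl = { page };
    IRP irp = { &mdl, { NULL }, NULL, { 5 } };

    if (FilterDecryptCompletedRead(&irp, 0x5a)) {
        printf("decrypted %zu bytes: %.5s\n", irp.IoStatus.Information, page);
    }
    return 0;
}
```

The NULL return from the MDL mapping is the case the posted MmGetSystemAddressForMdl version cannot express; with the Safe variant the filter has to check it and complete the IRP with an error instead of dereferencing it.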
Reply #7
Posted: 2005-01-19 11:20
Thanks to fslife for the generous advice. My mailbox is filter@redsec.org; could you leave an email address? Let's exchange more.
[Edited - 2/27/05 by paladinii]
Reply #8
Posted: 2005-01-19 19:00
ATTENTION: Callers of ZwReadFile must be running at IRQL = PASSIVE_LEVEL.
So, put ASSERT(KeGetCurrentIrql() == PASSIVE_LEVEL) at the entry of FilemonHookRoutine.
Reply #9
Posted: 2005-01-20 09:39
I had overlooked this point. Thanks!