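No preamble, straight to the point.
First, the program is not the original one from 《寒江独钓》; it is a modified version that I downloaded from DebugMan. The core part has not changed, though.
The problem is that during testing, ZwCreateFile in dfReinitializationRoutine returned 0xC000003AL, i.e. STATUS_OBJECT_PATH_NOT_FOUND. According to the book, STATUS_OBJECT_PATH_NOT_FOUND should not be returned here, because NTFS is already ready at this point. I have no leads for now and do not know where the root problem lies, so I am asking the experts for advice. Below are the relevant source code, a brief description of the test environment, and some crash information.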
VOID dfReinitializationRoutine(
    IN PDRIVER_OBJECT DriverObject,
    IN PVOID Context,
    IN ULONG Count
    )
{
    NTSTATUS ntStatus;
    // Temp file path, addressed through the \??\ DOS-device namespace
    WCHAR SparseFilename[] = L"\\??\\C:\\temp.dat";
    UNICODE_STRING SparseFilenameUni;
    IO_STATUS_BLOCK ios = { 0 };
    OBJECT_ATTRIBUTES ObjAttr = { 0 };
    FILE_END_OF_FILE_INFORMATION FileEndInfo = { 0 };

    RtlInitUnicodeString(&SparseFilenameUni, SparseFilename);
    InitializeObjectAttributes(
        &ObjAttr,
        &SparseFilenameUni,
        OBJ_KERNEL_HANDLE | OBJ_CASE_INSENSITIVE,
        NULL,
        NULL);

    // Create (or overwrite) the temp file; the handle is kept in the device extension
    ntStatus = ZwCreateFile(
        &gProtectDevExt->TempFile,
        GENERIC_READ | GENERIC_WRITE,
        &ObjAttr,
        &ios,
        NULL,
        FILE_ATTRIBUTE_NORMAL,
        0,
        FILE_OVERWRITE_IF,
        FILE_NON_DIRECTORY_FILE |
        FILE_RANDOM_ACCESS |
        FILE_SYNCHRONOUS_IO_NONALERT |
        FILE_NO_INTERMEDIATE_BUFFERING,
        NULL,
        0);
    if (!NT_SUCCESS(ntStatus))
    {
        // Print the status as a signed decimal and break into the debugger
        DbgPrint("Error No.%ld\n", ntStatus);
        __asm int 3
        goto ERROUT;
    }

    // Mark the file as sparse
    ntStatus = ZwFsControlFile(
        gProtectDevExt->TempFile,
        NULL,
        NULL,
        NULL,
        &ios,
        FSCTL_SET_SPARSE,
        NULL,
        0,
        NULL,
        0);
    if (!NT_SUCCESS(ntStatus))
    {
        goto ERROUT;
    }

    // Set end-of-file to the protected volume size plus 10 MB
    FileEndInfo.EndOfFile.QuadPart = gProtectDevExt->TotalSizeInByte.QuadPart + 10*1024*1024;
    ntStatus = ZwSetInformationFile(
        gProtectDevExt->TempFile,
        &ios,
        &FileEndInfo,
        sizeof(FILE_END_OF_FILE_INFORMATION),
        FileEndOfFileInformation
        );
    if (!NT_SUCCESS(ntStatus))
    {
        goto ERROUT;
    }

    // Everything succeeded: enable protection
    gProtectDevExt->Protect = TRUE;
    return;

ERROUT:
    KdPrint(("error create temp file!\n"));
    return;
}
Test environment: there are two disks in total, both already converted to NTFS, as follows
Below is the crash information:
Error No.-1073741766
Break instruction exception - code 80000003 (first chance)
*** ERROR: Module load completed but symbols could not be loaded for DiskFilter.sys
DiskFilter+0x565:
f8aba565 cc int 3
kd> lm o
start end module name
804d8000 806d0480 nt (pdb symbols) c:\symbols\ntkrnlpa.pdb\30B5FB31AE7E4ACAABA750AA241FF3311\ntkrnlpa.pdb
806d1000 806f1300 hal (deferred)
f83c8000 f83e1b80 Mup (deferred)
f83e2000 f840e980 NDIS (deferred)
f840f000 f849b600 Ntfs (deferred)
f849c000 f84b2880 KSecDD (deferred)
f84b3000 f84c4e00 sr (deferred)
f84c5000 f84e4b00 fltMgr (deferred)
f84e5000 f84fc880 SCSIPORT (deferred)
f84fd000 f8514900 atapi (deferred)
f8515000 f853a100 dmio (deferred)
f853b000 f8559880 ftdisk (deferred)
f855a000 f856a280 pci (deferred)
f856b000 f8598500 ACPI (deferred)
f869a000 f86a2d80 isapnp (deferred)
f86aa000 f86b4580 MountMgr (deferred)
f86ba000 f86c5f80 VolSnap (deferred)
f86ca000 f86d2e00 disk (deferred)
f86da000 f86e6180 CLASSPNP (deferred)
f86ea000 f86f4580 agp440 (deferred)
f891a000 f8920180 PCIIDEX (deferred)
f8922000 f8926d00 PartMgr (deferred)
f8aaa000 f8aad000 BOOTVID (deferred)
f8aae000 f8ab0800 compbatt (deferred)
f8ab2000 f8ab5f00 BATTC (deferred)
f8ab6000 f8ab8c00 vmscsi (deferred)
f8aba000 f8abdf00 DiskFilter (no symbols)
f8b9a000 f8b9bb80 kdcom (deferred)
f8b9c000 f8b9d100 WMILIB (deferred)
f8b9e000 f8b9f580 intelide (deferred)
f8ba0000 f8ba1700 dmload (deferred)
Experts, please advise. Thanks in advance.