最近,在看寒江独钓,想利用其中的一个源代码(sflt_smpl),做一个和斑竹曾经做的监视文件的东东,
我仅在下面两个函数中添加了如下的语句,但是一创建文件,系统就像死了一样,恳请大家帮帮忙,谢谢!
/*
 * Pre-operation callback of the sflt_smpl framework.
 *
 * Nothing is inspected here: every request is passed down unchanged by
 * returning SF_IRP_GO_ON. status and context are left untouched, so the
 * framework sees no completion result and no per-request state from us.
 */
SF_RET OnSfilterIrpPre(
    IN PDEVICE_OBJECT dev,
    IN PDEVICE_OBJECT next_dev,
    IN PVOID extension,
    IN PIRP irp,
    OUT NTSTATUS *status,
    PVOID *context)
{
    /* No pre-processing: let the IRP continue to the next device. */
    return SF_IRP_GO_ON;
}
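/*
 * Post-operation callback of the sflt_smpl framework.
 *
 * Records (via KdPrint) the DOS path of every file that a successful
 * IRP_MJ_CREATE actually created (IoStatus.Information == FILE_CREATED).
 * Directories and opens of existing files are ignored. All other major
 * functions in the allow-list below have no handling yet and fall through.
 *
 * Only irp is read; dev, next_dev, extension, status and context are unused.
 * Returns nothing: every early return means "nothing to record".
 *
 * NOTE(review): IoQueryFileDosDeviceName must be called at PASSIVE_LEVEL and
 * it sends its own name queries down the file-system stack. If the framework
 * invokes this callback from a completion routine (possibly at raised IRQL,
 * with the IRP's stack location already released), that call is not legal
 * here and would explain a system hang on create - confirm the calling
 * context before relying on this code.
 */
VOID OnSfilterIrpPost(
    IN PDEVICE_OBJECT dev,
    IN PDEVICE_OBJECT next_dev,
    IN PVOID extension,
    IN PIRP irp,
    IN NTSTATUS status,
    PVOID context)
{
    PIO_STACK_LOCATION irpsp = IoGetCurrentIrpStackLocation(irp);
    PFILE_OBJECT file = irpsp->FileObject;
    /* Filled by IoQueryFileDosDeviceName from pool; we own it on success. */
    POBJECT_NAME_INFORMATION dos_name = NULL;

    /* Only file requests are filtered; no FileObject means pass through. */
    if (file == NULL) {
        return;
    }

    /* Allow-list of majors this filter cares about (the original listed
     * IRP_MJ_CLOSE twice). Anything else passes through untouched. */
    if (irpsp->MajorFunction != IRP_MJ_CREATE &&
        irpsp->MajorFunction != IRP_MJ_CLOSE &&
        irpsp->MajorFunction != IRP_MJ_READ &&
        irpsp->MajorFunction != IRP_MJ_WRITE &&
        irpsp->MajorFunction != IRP_MJ_CLEANUP &&
        irpsp->MajorFunction != IRP_MJ_SET_INFORMATION &&
        irpsp->MajorFunction != IRP_MJ_DIRECTORY_CONTROL &&
        irpsp->MajorFunction != IRP_MJ_QUERY_INFORMATION) {
        return;
    }

    /* Only creates are handled so far. */
    if (irpsp->MajorFunction != IRP_MJ_CREATE) {
        return;
    }

    /* A failed create produced nothing to record. */
    if (!NT_SUCCESS(irp->IoStatus.Status)) {
        return;
    }

    /* Directories are not monitored. Create.Options is read after the
     * request completed; this assumes the framework keeps the stack
     * location valid in the post callback - TODO confirm. */
    if ((irpsp->Parameters.Create.Options & FILE_DIRECTORY_FILE) != 0) {
        return;
    }

    /* Opening an existing file is not a creation. */
    if (irp->IoStatus.Information != FILE_CREATED) {
        return;
    }

    /* IoQueryFileDosDeviceName allocates the OBJECT_NAME_INFORMATION block
     * itself and returns it through the out-pointer; the caller must release
     * it with ExFreePool. Passing a cast stack buffer (as the original did)
     * is pointless - the pointer is overwritten - and never freeing it leaked
     * one pool block per created file. */
    if (NT_SUCCESS(IoQueryFileDosDeviceName(file, &dos_name))) {
        KdPrint(("aaa: %wZ\n", &dos_name->Name));
        ExFreePool(dos_name);
        dos_name = NULL;
    }
}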