// Excerpt from the PreCreate callback: build a UNICODE_STRING holding the
// target path, then re-open the file through ccxOpenFile().
// The declarations of path, length, status, ret, myfile and information, and
// the construct that `break` leaves, are outside this excerpt.
HANDLE hFile=NULL;
// Non-paged allocation of length+4 bytes, tagged CCX_MEM_TAG.
// NOTE(review): no release of this buffer is visible in the excerpt; confirm
// every exit path, including the ccxOpenFile failure path, frees it.
path.Buffer=ExAllocatePoolWithTag(NonPagedPool,length+4,CCX_MEM_TAG);
path.Length=0;
// NOTE(review): the cast binds to `length` alone, so this is
// ((USHORT)length)+4 narrowed back to USHORT. A length above 65531 wraps
// silently and MaximumLength no longer matches the allocation size; confirm
// length is range-checked before this point and that ccx_get_path bounds its
// copy by MaximumLength rather than by length.
path.MaximumLength=(USHORT)length+4;
if(path.Buffer==NULL)
{
// Allocation failed: record the status and complete the create in pre-op.
status=STATUS_INSUFFICIENT_RESOURCES;
ret=FLT_PREOP_COMPLETE;
break;
}
// Zero the whole buffer.
memset(path.Buffer,0,path.MaximumLength);
// Copy the path into the buffer.
// presumably ccx_get_path also sets path.Length; its body is not shown, verify.
length=ccx_get_path(Data,&path);
// Re-issue the create with this filter/instance; status, myfile and
// information are filled in by the callee.
hFile=ccxOpenFile(FltObjects->Filter,FltObjects->Instance,&path,Data->Iopb,&status,&myfile,&information);
//--------------------------------------------------------------
//调用打开文件:
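/*
 * ccxOpenFile - re-issue the create described by an IRP_MJ_CREATE parameter
 * block through FltCreateFile and return a kernel handle plus a referenced
 * file object.
 *
 * Filter, Instance  forwarded unchanged to FltCreateFile. Per the
 *                   FltCreateFile documentation, a non-NULL Instance sends
 *                   the create to the filters below that instance, so this
 *                   filter's own pre-create callback is not re-entered.
 *                   ZwCreateFile has no such targeting and, when called from
 *                   a pre-create callback, re-enters the same callback.
 * path              name to open; used as the object name in the attributes.
 * irpsp             parameter block of the original create; access mask,
 *                   disposition, share access, attributes, options and EA
 *                   data are all taken from it.
 * status            receives the NTSTATUS of the last call made here.
 * file              receives the referenced FILE_OBJECT on success, NULL on
 *                   failure. The caller owns the reference.
 * information       receives IO_STATUS_BLOCK.Information on success, else 0.
 *
 * Returns the opened handle on success, NULL on any failure.
 *
 * NOTE(review): desired_access comes from the original requestor, but the
 * open is issued from kernel mode with IO_IGNORE_SHARE_ACCESS_CHECK and
 * without IO_FORCE_ACCESS_CHECK / OBJ_FORCE_ACCESS_CHECK. The requestor's
 * rights to the file are therefore presumably not checked on this path;
 * confirm that nothing derived from this handle or file object is exposed to
 * the requestor before the real create has been allowed to succeed.
 */
HANDLE ccxOpenFile(
    IN PFLT_FILTER Filter,
    IN PFLT_INSTANCE Instance,
    IN PUNICODE_STRING path,
    IN PFLT_IO_PARAMETER_BLOCK irpsp,
    OUT NTSTATUS *status,
    OUT PFILE_OBJECT *file,
    OUT PULONG information)
{
    HANDLE hFile=NULL;
    OBJECT_ATTRIBUTES oi;
    IO_STATUS_BLOCK iostatus;

    ULONG desired_access=irpsp->Parameters.Create.SecurityContext->DesiredAccess;
    /* Create.Options packs the disposition into the high 8 bits ... */
    ULONG disposition=(irpsp->Parameters.Create.Options>>24)&0xff;
    ULONG share_access=irpsp->Parameters.Create.ShareAccess;
    ULONG file_attri=irpsp->Parameters.Create.FileAttributes;
    /*
     * ... and the create options into the low 24 bits. This has to be a
     * bitwise AND: the previous logical `&&` collapsed the options to 0 or 1,
     * and 1 is FILE_DIRECTORY_FILE, which FltCreateFile may reject as an
     * invalid combination with the requested disposition.
     */
    ULONG create_options=irpsp->Parameters.Create.Options & 0x00ffffff;
    ULONG EaLength=irpsp->Parameters.Create.EaLength;
    PVOID EaBuffer=irpsp->Parameters.Create.EaBuffer;
    ULONG Flags=IO_IGNORE_SHARE_ACCESS_CHECK;

    ASSERT(irpsp->MajorFunction==IRP_MJ_CREATE);

    /* Give both out-parameters a defined value on every failure path. */
    *information=0;
    *file=NULL;

    InitializeObjectAttributes(&oi,path,OBJ_KERNEL_HANDLE|OBJ_CASE_INSENSITIVE,NULL,NULL);
    DbgPrint("文件名2:%wZ\n",path); /* the full file name is printed here */

    *status=FltCreateFile(Filter,Instance,&hFile,desired_access,&oi,&iostatus,
        NULL,file_attri,share_access,disposition,create_options,EaBuffer,EaLength,Flags);
    if(!NT_SUCCESS(*status))
    {
        DbgPrint("打开文件失败:%08X\n",*status);
        return NULL;
    }

    *information=(ULONG)iostatus.Information;

    /* Take a file-object reference from the handle for later operations. */
    *status=ObReferenceObjectByHandle(
        hFile,0,*IoFileObjectType,KernelMode,(PVOID *)file,NULL);
    if(!NT_SUCCESS(*status))
    {
        /*
         * The original had an unbalanced brace here and returned the handle
         * after closing it. Close it and return NULL so the caller never
         * sees a stale handle value.
         */
        ZwClose(hFile);
        hFile=NULL;
        *file=NULL;
        *information=0;
    }
    return hFile;
}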
//-------------------------------------------
问题:
1。这段代码是放在PreCreate中的
用FltCreateFile失败,返回0xC000000D,文件名输出无问题,缓冲区也足够大
2.换成*status=ZwCreateFile(&hFile,desired_access,&oi,&iostatus,(PLARGE_INTEGER)0,file_attri,share_access,
disposition,create_options,EaBuffer,EaLength);
也一样失败,会蓝屏。
不知是什么原因?