一段自己写的MiniFilter版本的SandBox源码,供于研究。感谢麦洛克菲的王康安老师。
支持跨全盘。详情看附件。
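/*
 * SimRepPreCreate - pre-create callback of the sandbox minifilter.
 *
 * For the two sandboxed processes (g_Pid / g_Pid1), every create whose
 * disposition can produce a new file (FILE_CREATE, FILE_OPEN_IF,
 * FILE_OVERWRITE_IF, FILE_SUPERSEDE) is redirected into the sandbox tree:
 * the new name is MBOX_PATH + "\\C" or "\\D" (chosen from the volume device
 * name) + the volume-relative name of the original open.  The parent
 * directory of the target is created inside the sandbox first, then the
 * file object's name is replaced and STATUS_REPARSE is returned so the I/O
 * manager reopens the redirected path.
 *
 * Cbd               - callback data of the create being filtered.
 * FltObjects        - filter, instance and file object of the request.
 * CompletionContext - unused; this callback never asks for a post-op.
 *
 * Returns FLT_PREOP_SUCCESS_NO_CALLBACK to let the open continue unmodified,
 * or FLT_PREOP_COMPLETE with Cbd->IoStatus set to STATUS_REPARSE (redirected)
 * or to an NTSTATUS error (open refused).
 *
 * Fixes relative to the original: the scratch buffer was never freed; the
 * three RtlCopyMemory calls copied caller-controlled lengths into fixed
 * MAX_PATH*2 buffers with no bound (kernel pool overflow); string building
 * ignored truncation and could hand a truncated name to the reparse; an
 * uninitialized UNICODE_STRING was passed to a %wZ trace; FILE_SUPERSEDE was
 * listed twice; the "\\D" branch reused wcslen(L"\\C").
 */
FLT_PREOP_CALLBACK_STATUS
SimRepPreCreate (
    __inout PFLT_CALLBACK_DATA Cbd,
    __in PCFLT_RELATED_OBJECTS FltObjects,
    __out PVOID *CompletionContext
    )
{
    PFLT_FILE_NAME_INFORMATION nameInfo = NULL;
    UNICODE_STRING newFileName = {0};   /* redirected name passed to ReplaceFileNameFunction */
    UNICODE_STRING scratch = {0};       /* bounded view over scratchBuf for substring checks */
    WCHAR *scratchBuf = NULL;
    const WCHAR *driveTag;
    HANDLE pid;
    int dwCreate;
    NTSTATUS status = STATUS_SUCCESS;
    /* Default: let the open through and request no post-operation callback. */
    FLT_PREOP_CALLBACK_STATUS callbackStatus = FLT_PREOP_SUCCESS_NO_CALLBACK;

    UNREFERENCED_PARAMETER( CompletionContext );
    PAGED_CODE();

    /*
     * Only the two registered sandbox processes are filtered.
     * NOTE(review): this is a raw PID comparison; PID reuse after the
     * sandboxed process exits, and children it spawns, are not covered here -
     * confirm that whoever maintains g_Pid/g_Pid1 accounts for both.
     */
    pid = PsGetCurrentProcessId();
    if (g_Pid != pid && g_Pid1 != pid) {
        goto SimRepPreCreateCleanup;
    }

    ASSERT( Cbd->Iopb->MajorFunction == IRP_MJ_CREATE ||
            Cbd->Iopb->MajorFunction == IRP_MJ_NETWORK_QUERY_OPEN );
    /*
     * NOTE(review): the assert admits IRP_MJ_NETWORK_QUERY_OPEN, yet the code
     * below reads Parameters.Create and may complete with STATUS_REPARSE,
     * which only makes sense for IRP_MJ_CREATE.  If this filter registers for
     * network query open, that fast I/O should be disallowed here instead.
     */

    /* Never redirect the paging file or a volume open. */
    if (FlagOn( Cbd->Iopb->OperationFlags, SL_OPEN_PAGING_FILE )) {
        goto SimRepPreCreateCleanup;
    }
    if (FlagOn( Cbd->Iopb->TargetFileObject->Flags, FO_VOLUME_OPEN )) {
        goto SimRepPreCreateCleanup;
    }

    /* Any failure from here on leaves an error in 'status' and cleanup refuses the open. */
    status = FltGetFileNameInformation( Cbd,
                                        FLT_FILE_NAME_OPENED |
                                        FLT_FILE_NAME_QUERY_ALWAYS_ALLOW_CACHE_LOOKUP,
                                        &nameInfo );
    if (!NT_SUCCESS( status )) {
        goto SimRepPreCreateCleanup;
    }
    status = FltParseFileNameInformation( nameInfo );
    if (!NT_SUCCESS( status )) {
        goto SimRepPreCreateCleanup;
    }

    /* The create disposition lives in the top byte of Create.Options. */
    dwCreate = (Cbd->Iopb->Parameters.Create.Options >> 24) & 0x000000ff;

    /*
     * Only dispositions that can create a file are redirected; plain opens
     * reach the real file system.  NOTE(review): FILE_OVERWRITE is not in this
     * list (the original listed FILE_SUPERSEDE twice), so overwriting an
     * existing file hits the real file - confirm whether that is intended.
     */
    if (dwCreate != FILE_CREATE &&
        dwCreate != FILE_OPEN_IF &&
        dwCreate != FILE_OVERWRITE_IF &&
        dwCreate != FILE_SUPERSEDE) {
        goto SimRepPreCreateCleanup;
    }

    scratchBuf = ExAllocatePool(PagedPool, MAX_PATH*2);
    if (scratchBuf == NULL) {
        /*
         * NOTE(review): as in the original, an allocation failure lets the
         * open through unfiltered (fail-open).  A sandbox should rather
         * refuse the open with an error status here.
         */
        goto SimRepPreCreateCleanup;
    }
    RtlZeroMemory(scratchBuf, MAX_PATH*2);
    scratch.Buffer = scratchBuf;
    scratch.Length = 0;
    scratch.MaximumLength = MAX_PATH*2;

    /*
     * Names already inside the sandbox tree are left alone, otherwise the
     * filter would redirect its own redirected opens.  The copy is bounded
     * by the scratch buffer: a name that does not fit (with its terminator)
     * yields STATUS_BUFFER_OVERFLOW and the open is refused instead of
     * writing past the buffer.
     */
    status = RtlUnicodeStringCbCopyStringN(&scratch,
                                           FltObjects->FileObject->FileName.Buffer,
                                           FltObjects->FileObject->FileName.Length);
    if (!NT_SUCCESS( status )) {
        goto SimRepPreCreateCleanup;
    }
    if (MyStrStr(scratchBuf, L"JLUZH_Box")) {   /* sandbox folder name (school abbreviation) */
        goto SimRepPreCreateCleanup;
    }

    /* Build MBOX_PATH + "\\C" | "\\D" + <volume-relative name>. */
    newFileName.Buffer = ExAllocatePool(PagedPool, MAX_PATH*2);
    if (newFileName.Buffer == NULL) {
        goto SimRepPreCreateCleanup;   /* NOTE(review): also fail-open, see above */
    }
    newFileName.Length = 0;
    newFileName.MaximumLength = MAX_PATH*2;
    RtlZeroMemory(newFileName.Buffer, MAX_PATH*2);

    status = RtlUnicodeStringCbCopyStringN(&newFileName, MBOX_PATH,
                                           sizeof(WCHAR) * wcslen(MBOX_PATH));
    if (!NT_SUCCESS( status )) {
        goto SimRepPreCreateCleanup;
    }

    /*
     * Pick the per-volume subfolder from the volume device name.  Teaching
     * code: only two volumes are mapped, and everything that is not
     * HarddiskVolume1 lands in "\\D".
     */
    status = RtlUnicodeStringCbCopyStringN(&scratch,
                                           nameInfo->Volume.Buffer,
                                           nameInfo->Volume.Length);
    if (!NT_SUCCESS( status )) {
        goto SimRepPreCreateCleanup;
    }
    driveTag = MyStrStr(scratchBuf, L"Device\\HarddiskVolume1") ? L"\\C" : L"\\D";
    status = RtlUnicodeStringCbCatStringN(&newFileName, driveTag,
                                          sizeof(WCHAR) * wcslen(driveTag));
    if (!NT_SUCCESS( status )) {
        goto SimRepPreCreateCleanup;
    }

    /*
     * Make sure the parent directory exists inside the sandbox before the
     * open is reparsed; otherwise the redirected create fails on a missing
     * path.  NOTE(review): the guard `!MyStrStr(scratchBuf, L"")` is kept from
     * the original (scratchBuf holds the volume name here); with an empty
     * needle its result depends entirely on MyStrStr - it looks like a
     * leftover, confirm what was intended.
     */
    if (!MyStrStr(scratchBuf, L"")) {
        UNICODE_STRING dirPath = {0};
        WCHAR *dirBuf = ExAllocatePool(PagedPool, MAX_PATH*2);
        if (dirBuf == NULL) {
            goto SimRepPreCreateCleanup;
        }
        RtlZeroMemory(dirBuf, MAX_PATH*2);
        dirPath.Buffer = dirBuf;
        dirPath.Length = 0;
        dirPath.MaximumLength = MAX_PATH*2;
        /* Bounded copy of the parent directory; too long -> refuse the open. */
        status = RtlUnicodeStringCbCopyStringN(&dirPath,
                                               nameInfo->ParentDir.Buffer,
                                               nameInfo->ParentDir.Length);
        if (NT_SUCCESS( status )) {
            /* Return value ignored, as in the original; the reparsed open reports any failure. */
            CreateDirectry(newFileName.Buffer, dirBuf, FltObjects->Instance, FltObjects->Filter);
        }
        ExFreePool(dirBuf);
        dirBuf = NULL;
        if (!NT_SUCCESS( status )) {
            goto SimRepPreCreateCleanup;
        }
    }

    /*
     * Append the volume-relative name.  A truncated redirect target would
     * silently point somewhere else, so a name that does not fit refuses the
     * open instead.
     */
    status = RtlUnicodeStringCbCatN(&newFileName,
                                    &(FltObjects->FileObject->FileName),
                                    FltObjects->FileObject->FileName.Length);
    if (!NT_SUCCESS( status )) {
        goto SimRepPreCreateCleanup;
    }

    status = Globals.ReplaceFileNameFunction( Cbd->Iopb->TargetFileObject,
                                              newFileName.Buffer,
                                              newFileName.Length );
    if (!NT_SUCCESS( status )) {
        DebugTrace( DEBUG_TRACE_REPARSE_OPERATIONS | DEBUG_TRACE_ERROR,
                    ("[SimRep]: SimRepPreCreate -> Failed to allocate string for file %wZ (Cbd = %p, FileObject = %p)\n",
                     &nameInfo->Name,
                     Cbd,
                     FltObjects->FileObject ));
        goto SimRepPreCreateCleanup;
    }

    /* Name replaced: ask the I/O manager to reopen the redirected path. */
    status = STATUS_REPARSE;
    DebugTrace( DEBUG_TRACE_REPARSE_OPERATIONS | DEBUG_TRACE_REPARSED_OPERATIONS,
                ("[SimRep]: SimRepPreCreate -> Returning STATUS_REPARSE for file %wZ. (Cbd = %p, FileObject = %p)\n"
                 "\tOpenedFileName = %wZ\n"
                 "\tNewName = %wZ\n",
                 &FltObjects->FileObject->FileName, Cbd, FltObjects->FileObject,
                 &nameInfo->Name,
                 &newFileName) );

SimRepPreCreateCleanup:
    /* Release everything acquired above; every path ends here. */
    SimRepFreeUnicodeString( &newFileName );
    if (scratchBuf != NULL) {
        ExFreePool(scratchBuf);
        scratchBuf = NULL;
    }
    if (nameInfo != NULL) {
        FltReleaseFileNameInformation( nameInfo );
    }

    if (status == STATUS_REPARSE) {
        /* Reparse the open onto the sandbox path. */
        Cbd->IoStatus.Status = STATUS_REPARSE;
        Cbd->IoStatus.Information = IO_REPARSE;
        callbackStatus = FLT_PREOP_COMPLETE;
    }
    else if (!NT_SUCCESS( status )) {
        /* Something failed while redirecting: refuse the open rather than let it escape. */
        DebugTrace( DEBUG_TRACE_ERROR,
                    ("[SimRep]: SimRepPreCreate -> Failed with status 0x%x \n",
                     status) );
        Cbd->IoStatus.Status = status;
        callbackStatus = FLT_PREOP_COMPLETE;
    }

    DebugTrace( DEBUG_TRACE_ALL_IO,
                ("[SimRep]: SimRepPreCreate -> Exit (Cbd = %p, FileObject = %p)\n",
                 Cbd,
                 FltObjects->FileObject) );
    return callbackStatus;
}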
simrep的框架,怎么运行,看相关文档。