-
-
[求助]minifilter-preRead中如何自建IRP读取?
-
2013-8-10 17:22
-
在minifilter中,postCreate操作可以调用以下代码实现文件读取(代码来自互联网),但是在PreRead 与PostRead中使用以上代码,就直接给hung了。同时使用FltGetFileNameInformation获取文件名,返回STATUS_FLT_INVALID_NAME_REQUEST。求助,求助
:
NTSTATUS FileReadWriteFile(
__in ULONG MajorFunction,
__in PFLT_INSTANCE Instance,
__in PFILE_OBJECT FileObject,
__in PLARGE_INTEGER ByteOffset,
__in ULONG Length,
__in PVOID Buffer,
__out PULONG BytesReadWrite,
__in FLT_IO_OPERATION_FLAGS FltFlags
)
{
ULONG i;
PIRP irp;
KEVENT Event;
PIO_STACK_LOCATION ioStackLocation;
IO_STATUS_BLOCK IoStatusBlock = { 0 };
PDEVICE_OBJECT pVolumeDevObj = NULL ;
PDEVICE_OBJECT pFileSysDevObj= NULL ;
PDEVICE_OBJECT pNextDevObj = NULL ;
//获取minifilter相邻下层的设备对象
pVolumeDevObj = IoGetDeviceAttachmentBaseRef(FileObject->DeviceObject) ;
if (NULL == pVolumeDevObj)
{
return STATUS_UNSUCCESSFUL ;
}
//共享路径没有这个值,故这里需要判断一下,也就是说共享读取写入目前不支持
if (NULL == pVolumeDevObj->Vpb)
{
return STATUS_UNSUCCESSFUL ;
}
pFileSysDevObj = pVolumeDevObj->Vpb->DeviceObject ;
pNextDevObj = pFileSysDevObj ;
if (NULL == pNextDevObj)
{
ObDereferenceObject(pVolumeDevObj) ;
return STATUS_UNSUCCESSFUL ;
}
//开始构建读写IRP
KeInitializeEvent(&Event, SynchronizationEvent, FALSE);
// 分配irp.
irp = IoAllocateIrp(pNextDevObj->StackSize, FALSE);
if(irp == NULL) {
ObDereferenceObject(pVolumeDevObj) ;
return STATUS_INSUFFICIENT_RESOURCES;
}
irp->AssociatedIrp.SystemBuffer = NULL;
irp->MdlAddress = NULL;
irp->UserBuffer = Buffer;
irp->UserEvent = &Event;
irp->UserIosb = &IoStatusBlock;
irp->Tail.Overlay.Thread = PsGetCurrentThread();
irp->RequestorMode = KernelMode;
if(MajorFunction == IRP_MJ_READ)
irp->Flags = IRP_DEFER_IO_COMPLETION|IRP_READ_OPERATION|IRP_NOCACHE;
else if (MajorFunction == IRP_MJ_WRITE)
irp->Flags = IRP_DEFER_IO_COMPLETION|IRP_WRITE_OPERATION|IRP_NOCACHE;
else
{
ObDereferenceObject(pVolumeDevObj) ;
return STATUS_UNSUCCESSFUL ;
}
if ((FltFlags & FLTFL_IO_OPERATION_PAGING) == FLTFL_IO_OPERATION_PAGING)
{
irp->Flags |= IRP_PAGING_IO ;
}
// 填写irpsp
ioStackLocation = IoGetNextIrpStackLocation(irp);
ioStackLocation->MajorFunction = (UCHAR)MajorFunction;
ioStackLocation->MinorFunction = (UCHAR)IRP_MN_NORMAL;
ioStackLocation->DeviceObject = pNextDevObj;
ioStackLocation->FileObject = FileObject ;
if(MajorFunction == IRP_MJ_READ)
{
ioStackLocation->Parameters.Read.ByteOffset = *ByteOffset;
ioStackLocation->Parameters.Read.Length = Length;
}
else
{
ioStackLocation->Parameters.Write.ByteOffset = *ByteOffset;
ioStackLocation->Parameters.Write.Length = Length ;
}
// 设置完成
IoSetCompletionRoutine(irp, DLP_FileReadWriteFileComplete, 0, TRUE, TRUE, TRUE);
(void) IoCallDriver(pNextDevObj, irp);
KeWaitForSingleObject(&Event, Executive, KernelMode, TRUE, 0);
*BytesReadWrite = IoStatusBlock.Information;
ObDereferenceObject(pVolumeDevObj) ;
return IoStatusBlock.Status;
} [培训]《安卓高级研修班(网课)》月薪三万计划,掌 握调试、分析还原ollvm、vmp的方法,定制art虚拟机自动化脱壳的方法
