/*
 * Pre-operation callback for IRP_MJ_WRITE (registered in Callbacks[] below).
 * Runs before the write reaches the file system and decides whether it may
 * proceed; see the definition further down for the policy it applies.
 */
FLT_PREOP_CALLBACK_STATUS
NPPreWrite
(
__inout PFLT_CALLBACK_DATA Data,
__in PCFLT_RELATED_OBJECTS FltObjects,
__deref_out_opt PVOID *CompletionContext
);
/*
 * Post-operation callback for IRP_MJ_WRITE (registered in Callbacks[] below).
 * FltMgr only invokes it if the pre-operation callback returned
 * FLT_PREOP_SUCCESS_WITH_CALLBACK.
 */
FLT_POSTOP_CALLBACK_STATUS
NPPostWrite
(
__inout PFLT_CALLBACK_DATA Data,
__in PCFLT_RELATED_OBJECTS FltObjects,
__in_opt PVOID CompletionContext,
__in FLT_POST_OPERATION_FLAGS Flags
);
//
// Operation registration: the pre/post callback pair FltMgr invokes for each
// major function this filter cares about.  Flags is 0 for every entry, i.e.
// no FLTFL_OPERATION_REGISTRATION_SKIP_* flag is set, so paging I/O and
// cached I/O are delivered to the callbacks as well.  The table must end
// with the IRP_MJ_OPERATION_END sentinel.
//
const FLT_OPERATION_REGISTRATION Callbacks[] =
{
    { IRP_MJ_CREATE,          0, NPPreCreate,         NPPostCreate         },
    { IRP_MJ_SET_INFORMATION, 0, NPPreSetInformation, NPPostSetInformation },
    { IRP_MJ_READ,            0, NPPreRead,           NPPostRead           },
    { IRP_MJ_WRITE,           0, NPPreWrite,          NPPostWrite          },
    { IRP_MJ_OPERATION_END }
};
/*
 * NPPostWrite - post-operation callback for IRP_MJ_WRITE.
 *
 * There is nothing to do once the write has completed, so every parameter
 * is deliberately unused.  Returns FLT_POSTOP_FINISHED_PROCESSING so FltMgr
 * carries on completing the operation.  Note that NPPreWrite as written
 * never returns FLT_PREOP_SUCCESS_WITH_CALLBACK, so this routine is not
 * currently reached.
 */
FLT_POSTOP_CALLBACK_STATUS NPPostWrite
(
__inout PFLT_CALLBACK_DATA Data,
__in PCFLT_RELATED_OBJECTS FltObjects,
__in_opt PVOID CompletionContext,
__in FLT_POST_OPERATION_FLAGS Flags
)
{
    UNREFERENCED_PARAMETER( Data );
    UNREFERENCED_PARAMETER( FltObjects );
    UNREFERENCED_PARAMETER( CompletionContext );
    UNREFERENCED_PARAMETER( Flags );

    return FLT_POSTOP_FINISHED_PROCESSING;
}
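/*
 * NPIsProtectedName - does this final path component name the protected file?
 *
 * Matches "README.TXT" case-insensitively, optionally followed by an
 * alternate-data-stream suffix (":stream"), so a write to README.TXT:foo is
 * caught too.  Comparing the final component instead of searching the whole
 * path for the substring avoids false positives such as a directory called
 * README.TXT or a file called XREADME.TXT, and needs no scratch buffer.
 *
 * FinalComponent: the FinalComponent member of a parsed
 *                 FLT_FILE_NAME_INFORMATION.
 * Returns TRUE when the component is the protected file.
 */
static BOOLEAN
NPIsProtectedName( PCUNICODE_STRING FinalComponent )
{
    static const UNICODE_STRING protectedName = RTL_CONSTANT_STRING( L"README.TXT" );

    if( FinalComponent->Length < protectedName.Length )
        return FALSE;

    /* Anything longer is only accepted if what follows the name is a stream separator. */
    if( FinalComponent->Length > protectedName.Length &&
        FinalComponent->Buffer[ protectedName.Length / sizeof( WCHAR ) ] != L':' )
        return FALSE;

    return RtlPrefixUnicodeString( &protectedName, FinalComponent, TRUE );
}

/*
 * NPPreWrite - pre-operation callback for IRP_MJ_WRITE.
 *
 * Resolves the normalized name of the target file and, if its final
 * component is README.TXT, fails the write with STATUS_ACCESS_DENIED.
 * Every other write is passed down unchanged.
 *
 * Data:              the write being filtered; on denial its IoStatus is
 *                    filled in and the operation is completed here.
 * FltObjects:        unused.
 * CompletionContext: unused; no post-operation callback is requested.
 *
 * Returns FLT_PREOP_COMPLETE when the write is denied, otherwise
 * FLT_PREOP_SUCCESS_NO_CALLBACK.
 *
 * Denial is done with FLT_PREOP_COMPLETE plus an error IoStatus.  The
 * previous FLT_PREOP_DISALLOW_FASTIO is only a valid return for fast-I/O
 * operations; returning it for an IRP-based write is a minifilter bug and
 * does not reliably fail the request.
 *
 * If the name cannot be obtained (FltGetFileNameInformation fails, e.g. when
 * it is not safe to query the file system) the write is allowed through: this
 * check fails open.
 *
 * NOTE(review): this callback only sees IRP_MJ_WRITE.  Truncating a file to
 * zero length does not go through it - that happens via an overwrite
 * disposition on IRP_MJ_CREATE (FILE_SUPERSEDE / FILE_OVERWRITE /
 * FILE_OVERWRITE_IF) or via IRP_MJ_SET_INFORMATION with
 * FileEndOfFileInformation / FileAllocationInformation, so NPPreCreate and
 * NPPreSetInformation (not shown here) must deny those for the protected file.
 */
FLT_PREOP_CALLBACK_STATUS NPPreWrite
(
__inout PFLT_CALLBACK_DATA Data,
__in PCFLT_RELATED_OBJECTS FltObjects,
__deref_out_opt PVOID *CompletionContext
)
{
    FLT_PREOP_CALLBACK_STATUS   status   = FLT_PREOP_SUCCESS_NO_CALLBACK;
    PFLT_FILE_NAME_INFORMATION  nameInfo = NULL;

    UNREFERENCED_PARAMETER( FltObjects );
    UNREFERENCED_PARAMETER( CompletionContext );
    PAGED_CODE();

    /* No usable name: let the write through (fail open, see header comment). */
    if( !NT_SUCCESS( FltGetFileNameInformation( Data,
                                                FLT_FILE_NAME_NORMALIZED | FLT_FILE_NAME_QUERY_DEFAULT,
                                                &nameInfo ) ) )
    {
        return FLT_PREOP_SUCCESS_NO_CALLBACK;
    }

    /* FinalComponent is only populated once the name has been parsed. */
    if( NT_SUCCESS( FltParseFileNameInformation( nameInfo ) ) )
    {
        DbgPrint("[MiniFilter][IRP_MJ_WRITE]%wZ", &nameInfo->Name);

        if( NPIsProtectedName( &nameInfo->FinalComponent ) )
        {
            /* Complete the operation ourselves with an error; nothing is written. */
            Data->IoStatus.Status      = STATUS_ACCESS_DENIED;
            Data->IoStatus.Information = 0;
            status = FLT_PREOP_COMPLETE;
        }
    }

    FltReleaseFileNameInformation( nameInfo );
    return status;
}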
以上是部分关键代码，只涉及写文件内容（IRP_MJ_WRITE）这一部分。
驱动安装、加载后，手工修改这个 README.TXT 可以拦截，用 WinHex 修改也可以拦截。
但是用 ASP 脚本修改这个 README.TXT 时，虽然写入被拦截了，原来的内容却被清空，文件大小变为 0。
不知道还要处理什么？
（补充：清空文件内容并不经过 IRP_MJ_WRITE。脚本宿主以覆盖方式打开文件时，截断很可能发生在 IRP_MJ_CREATE 的 FILE_SUPERSEDE / FILE_OVERWRITE / FILE_OVERWRITE_IF 处置，或者 IRP_MJ_SET_INFORMATION 的 FileEndOfFileInformation / FileAllocationInformation；这里未贴出的 NPPreCreate / NPPreSetInformation 需要对受保护文件拒绝这些操作。另外，拒绝 IRP 应当设置 Data->IoStatus.Status = STATUS_ACCESS_DENIED 并返回 FLT_PREOP_COMPLETE，FLT_PREOP_DISALLOW_FASTIO 只对快速 I/O 有效。）