首页
社区
课程
招聘
问答 CTF 排行榜 知识库 工具下载 峰会 看雪商城 证书查询
  1. 社区
  2. 编程技术
    3. 发新帖
[求助]MiniFilter过滤不到文件名称
发表于: 2014-10-30 22:41 6069

[求助]MiniFilter过滤不到文件名称

ZSYL 活跃值
2014-10-30 22:41
6069
FLT_POSTOP_CALLBACK_STATUS PostOperationCallback(
  __inout PFLT_CALLBACK_DATA Data,
  __in PCFLT_RELATED_OBJECTS FltObjects,
  __in_opt PVOID CompletionContext,
  __in FLT_POST_OPERATION_FLAGS Flags
  )
{
  FLT_POSTOP_CALLBACK_STATUS returnStatus = FLT_POSTOP_FINISHED_PROCESSING;

//   if (Data->Flags & FLTFL_CALLBACK_DATA_FAST_IO_OPERATION)
//   {
//     KdPrint(("Post_Fast_Io\n"));
//   }
//   else if (Data->Flags & FLTFL_CALLBACK_DATA_FS_FILTER_OPERATION)
//   {
//     KdPrint(("Post_MiniFilter_Io\n"));
//   }
//   else if (Data->Flags & FLTFL_CALLBACK_DATA_IRP_OPERATION)
//   {
//     KdPrint(("Post_IRP_Io\n"));
//   }

  __try
  {
    if (NULL != FltObjects->FileObject)
    {
      PFLT_FILE_NAME_INFORMATION fileNameInfo = NULL;
      NTSTATUS ntStatus = FltGetFileNameInformation(Data,
        FLT_FILE_NAME_NORMALIZED | FLT_FILE_NAME_QUERY_DEFAULT,
        &fileNameInfo);
      if (NT_SUCCESS(ntStatus))
      {
        ntStatus = FltParseFileNameInformation(fileNameInfo);
        if (NT_SUCCESS(ntStatus))
        {
          KdPrint(("%wZ\n", fileNameInfo->Name));
        }
        FltReleaseFileNameInformation(fileNameInfo);
        fileNameInfo = NULL;
      }
    }
  }
  __except (EXCEPTION_EXECUTE_HANDLER)
  {
    KdPrint(("PostOperationCallback异常\n"));
  }

  return returnStatus;
}


打开一个文本文件,拦截到请求,但是FltObjects->FileObject 一直都是NULL,PreCallback中也是如此,获取不到文件名称,什么情况?

[培训]内核驱动高级班,冲击BAT一流互联网大厂工作,每周日13:00-18:00直播授课

收藏
免费 0
支持
分享
最新回复 (8)
dayang
雪    币: 220
活跃值: (721)
能力值: ( LV2,RANK:10 )
在线值:
发帖
回帖
粉丝
私信
2
这类代码,我发过一个求助帖子中有,不过我的问题没有解决
2014-10-31 10:20
0
mccoysc
雪    币: 65
活跃值: (112)
能力值: ( LV3,RANK:30 )
在线值:
发帖
回帖
粉丝
私信
3
FltGetFileNameInformation
2014-10-31 13:39
0
mccoysc
雪    币: 65
活跃值: (112)
能力值: ( LV3,RANK:30 )
在线值:
发帖
回帖
粉丝
私信
4
而且拦截文件读写删除请求,你不觉得在post回调里已经晚了么
2014-10-31 13:40
0
ZSYL
雪    币: 16
活跃值: (430)
能力值: ( LV2,RANK:10 )
在线值:
发帖
回帖
粉丝
私信
5
在Pre回调中也一样,什么都拦截不到
2014-11-1 00:18
0
mccoysc
雪    币: 65
活跃值: (112)
能力值: ( LV3,RANK:30 )
在线值:
发帖
回帖
粉丝
私信
6
我只能回答说,没有可能!人品问题!
2014-11-2 08:34
0
ZSYL
雪    币: 16
活跃值: (430)
能力值: ( LV2,RANK:10 )
在线值:
发帖
回帖
粉丝
私信
7
快疯掉了,难道是我的虚拟机有问题?大虾看下我的代码哪里有错?
MiniFileFilterDriver.rar
上传的附件:
2014-11-3 00:23
0
ZSYL
雪    币: 16
活跃值: (430)
能力值: ( LV2,RANK:10 )
在线值:
发帖
回帖
粉丝
私信
8
还是直接上代码吧
#pragma once

#ifdef __cplusplus
extern "C"
{
#endif

#include <fltKernel.h>

#ifdef __cplusplus
}
#endif

extern "C" NTSTATUS DriverEntry(PDRIVER_OBJECT DriverObject, PUNICODE_STRING RegistryPath);

NTSTATUS FilterUnLoad(FLT_FILTER_UNLOAD_FLAGS Flags);
FLT_PREOP_CALLBACK_STATUS PreOperationCallback(__inout PFLT_CALLBACK_DATA Data,
	__in PCFLT_RELATED_OBJECTS FltObjects,
	__deref_out_opt PVOID *CompletionContext);
FLT_POSTOP_CALLBACK_STATUS PostOperationCallback(__inout PFLT_CALLBACK_DATA Data,
	__in PCFLT_RELATED_OBJECTS FltObjects,
	__in_opt PVOID CompletionContext,
	__in FLT_POST_OPERATION_FLAGS Flags);

const FLT_OPERATION_REGISTRATION Callback[] = {
		{ IRP_MJ_CREATE,
		0,
		PreOperationCallback,
		PostOperationCallback },

		{ IRP_MJ_CREATE_NAMED_PIPE,
		0,
		PreOperationCallback,
		PostOperationCallback },

		{ IRP_MJ_CLOSE,
		0,
		PreOperationCallback,
		PostOperationCallback },

		{ IRP_MJ_READ,
		0,
		PreOperationCallback,
		PostOperationCallback },

		{ IRP_MJ_WRITE,
		0,
		PreOperationCallback,
		PostOperationCallback },

		{ IRP_MJ_QUERY_INFORMATION,
		0,
		PreOperationCallback,
		PostOperationCallback },

		{ IRP_MJ_SET_INFORMATION,
		0,
		PreOperationCallback,
		PostOperationCallback },

		{ IRP_MJ_QUERY_EA,
		0,
		PreOperationCallback,
		PostOperationCallback },

		{ IRP_MJ_SET_EA,
		0,
		PreOperationCallback,
		PostOperationCallback },

		{ IRP_MJ_FLUSH_BUFFERS,
		0,
		PreOperationCallback,
		PostOperationCallback },

		{ IRP_MJ_QUERY_VOLUME_INFORMATION,
		0,
		PreOperationCallback,
		PostOperationCallback },

		{ IRP_MJ_SET_VOLUME_INFORMATION,
		0,
		PreOperationCallback,
		PostOperationCallback },

		{ IRP_MJ_DIRECTORY_CONTROL,
		0,
		PreOperationCallback,
		PostOperationCallback },

		{ IRP_MJ_FILE_SYSTEM_CONTROL,
		0,
		PreOperationCallback,
		PostOperationCallback },

		{ IRP_MJ_DEVICE_CONTROL,
		0,
		PreOperationCallback,
		PostOperationCallback },

		{ IRP_MJ_INTERNAL_DEVICE_CONTROL,
		0,
		PreOperationCallback,
		PostOperationCallback },

		{ IRP_MJ_SHUTDOWN,
		0,
		PreOperationCallback,
		NULL },                           //post operation callback not supported

		{ IRP_MJ_LOCK_CONTROL,
		0,
		PreOperationCallback,
		PostOperationCallback },

		{ IRP_MJ_CLEANUP,
		0,
		PreOperationCallback,
		PostOperationCallback },

		{ IRP_MJ_CREATE_MAILSLOT,
		0,
		PreOperationCallback,
		PostOperationCallback },

		{ IRP_MJ_QUERY_SECURITY,
		0,
		PreOperationCallback,
		PostOperationCallback },

		{ IRP_MJ_SET_SECURITY,
		0,
		PreOperationCallback,
		PostOperationCallback },

		{ IRP_MJ_QUERY_QUOTA,
		0,
		PreOperationCallback,
		PostOperationCallback },

		{ IRP_MJ_SET_QUOTA,
		0,
		PreOperationCallback,
		PostOperationCallback },

		{ IRP_MJ_PNP,
		0,
		PreOperationCallback,
		PostOperationCallback },

		{ IRP_MJ_ACQUIRE_FOR_SECTION_SYNCHRONIZATION,
		0,
		PreOperationCallback,
		PostOperationCallback },

		{ IRP_MJ_RELEASE_FOR_SECTION_SYNCHRONIZATION,
		0,
		PreOperationCallback,
		PostOperationCallback },

		{ IRP_MJ_ACQUIRE_FOR_MOD_WRITE,
		0,
		PreOperationCallback,
		PostOperationCallback },

		{ IRP_MJ_RELEASE_FOR_MOD_WRITE,
		0,
		PreOperationCallback,
		PostOperationCallback },

		{ IRP_MJ_ACQUIRE_FOR_CC_FLUSH,
		0,
		PreOperationCallback,
		PostOperationCallback },

		{ IRP_MJ_RELEASE_FOR_CC_FLUSH,
		0,
		PreOperationCallback,
		PostOperationCallback },

		/*    { IRP_MJ_NOTIFY_STREAM_FILE_OBJECT,
		0,
		PreOperationCallback,
		PostOperationCallback },*/

		{ IRP_MJ_FAST_IO_CHECK_IF_POSSIBLE,
		0,
		PreOperationCallback,
		PostOperationCallback },

		{ IRP_MJ_NETWORK_QUERY_OPEN,
		0,
		PreOperationCallback,
		PostOperationCallback },

		{ IRP_MJ_MDL_READ,
		0,
		PreOperationCallback,
		PostOperationCallback },

		{ IRP_MJ_MDL_READ_COMPLETE,
		0,
		PreOperationCallback,
		PostOperationCallback },

		{ IRP_MJ_PREPARE_MDL_WRITE,
		0,
		PreOperationCallback,
		PostOperationCallback },

		{ IRP_MJ_MDL_WRITE_COMPLETE,
		0,
		PreOperationCallback,
		PostOperationCallback },

		{ IRP_MJ_VOLUME_MOUNT,
		0,
		PreOperationCallback,
		PostOperationCallback },

		{ IRP_MJ_VOLUME_DISMOUNT,
		0,
		PreOperationCallback,
		PostOperationCallback },

		{ IRP_MJ_OPERATION_END }
};

CONST FLT_REGISTRATION g_registration = {
	sizeof(FLT_REGISTRATION),			// Size
	FLT_REGISTRATION_VERSION,			// Version
	NULL,								// Flags
	NULL,								// ContextRegistration
	Callback,							// OperationRegistration
	FilterUnLoad,						// FilterUnloadCallback
	NULL,								// InstanceSetupCallback
	NULL,								// InstanceQueryTeardownCallback
	NULL,								// InstanceTeardownStartCallback
	NULL,								// InstanceTeardownCompleteCallback
	NULL,								// GenerateFileNameCallback
	NULL,								// NormalizeNameComponentCallback
	NULL,								// NormalizeContextCleanupCallback
};

typedef struct _NULL_FILTER_DATA {

	PFLT_FILTER FilterHandle;

} NULL_FILTER_DATA, *PNULL_FILTER_DATA;

NULL_FILTER_DATA FilterData;


#include "FsMiniFilter.h"


NTSTATUS DriverEntry(PDRIVER_OBJECT DriverObject, PUNICODE_STRING RegistryPath)
{
	NTSTATUS status = STATUS_UNSUCCESSFUL;
	__try
	{
		status = FltRegisterFilter(DriverObject, &g_registration, &FilterData.FilterHandle);

		if (NT_SUCCESS(status)){
			status = FltStartFiltering(FilterData.FilterHandle);
			if (!NT_SUCCESS(status)){
				FltUnregisterFilter(FilterData.FilterHandle);
			}
		}
		KdPrint(("MiniFilter启动成功\r\n"));
	}
	__except (EXCEPTION_EXECUTE_HANDLER)
	{
		KdPrint(("DriverEntry 异常\r\n"));
	}
	return status;
}

NTSTATUS FilterUnLoad(FLT_FILTER_UNLOAD_FLAGS Flags)
{
	if (NULL != FilterData.FilterHandle)
		FltUnregisterFilter(FilterData.FilterHandle);

	KdPrint(("MiniFilter卸载成功\r\n"));
	return STATUS_SUCCESS;
}

FLT_PREOP_CALLBACK_STATUS PreOperationCallback(__inout PFLT_CALLBACK_DATA Data,
	__in PCFLT_RELATED_OBJECTS FltObjects,
	__deref_out_opt PVOID *CompletionContext
	)
{
	KdPrint(("进入PreCallback\r\n"));
	__try
	{
		if (NULL != FltObjects->FileObject)
		{
			PFLT_FILE_NAME_INFORMATION fileNameInfo = NULL;
			NTSTATUS ntStatus = FltGetFileNameInformation(Data,
				FLT_FILE_NAME_NORMALIZED | FLT_FILE_NAME_QUERY_DEFAULT,
				&fileNameInfo);
			if (NT_SUCCESS(ntStatus))
			{
				ntStatus = FltParseFileNameInformation(fileNameInfo);
				if (NT_SUCCESS(ntStatus))
				{
					KdPrint(("%wZ\n", fileNameInfo->Name));
				}
				FltReleaseFileNameInformation(fileNameInfo);
				fileNameInfo = NULL;
			}
		}
	}
	__except (EXCEPTION_EXECUTE_HANDLER)
	{
		KdPrint(("PreOperationCallback异常\r\n"));
	}

	FLT_PREOP_CALLBACK_STATUS returnStatus = FLT_PREOP_SUCCESS_NO_CALLBACK;
	if (Data->Iopb->MajorFunction == IRP_MJ_SHUTDOWN) {
		PostOperationCallback(Data,
			FltObjects,
			NULL,
			0);

		returnStatus = FLT_PREOP_SUCCESS_NO_CALLBACK;

	}
	else {
		returnStatus = FLT_PREOP_SUCCESS_WITH_CALLBACK;
	}

	KdPrint(("离开PreCallback\r\n"));
	return FLT_PREOP_SUCCESS_WITH_CALLBACK;
}

FLT_POSTOP_CALLBACK_STATUS PostOperationCallback(
	__inout PFLT_CALLBACK_DATA Data,
	__in PCFLT_RELATED_OBJECTS FltObjects,
	__in_opt PVOID CompletionContext,
	__in FLT_POST_OPERATION_FLAGS Flags
	)
{
	KdPrint(("进入PostCallback\r\n"));
	FLT_POSTOP_CALLBACK_STATUS returnStatus = FLT_POSTOP_FINISHED_PROCESSING;

	__try
	{
		if (NULL != FltObjects->FileObject)
		{
			PFLT_FILE_NAME_INFORMATION fileNameInfo = NULL;
			NTSTATUS ntStatus = FltGetFileNameInformation(Data,
				FLT_FILE_NAME_NORMALIZED | FLT_FILE_NAME_QUERY_DEFAULT,
				&fileNameInfo);
			if (NT_SUCCESS(ntStatus))
			{
				ntStatus = FltParseFileNameInformation(fileNameInfo);
				if (NT_SUCCESS(ntStatus))
				{
					KdPrint(("%wZ\n", fileNameInfo->Name));
				}
				FltReleaseFileNameInformation(fileNameInfo);
				fileNameInfo = NULL;
			}
		}
	}
	__except (EXCEPTION_EXECUTE_HANDLER)
	{
		KdPrint(("PostOperationCallback异常\r\n"));
	}

	KdPrint(("离开PostCallback\r\n"));
	return returnStatus;
}
2014-11-3 00:40
0
yvqvan
雪    币: 121
活跃值: (121)
能力值: ( LV2,RANK:10 )
在线值:
发帖
回帖
粉丝
私信
9
楼主,回去好好看看WDK文档。去掉FltObjects->FileObject的判断。
2014-11-3 01:13
0
游客
登录 | 注册 方可回帖
回帖 表情 雪币赚取及消费
高级回复
返回
//