最新回复 (8)
dayang 雪币： 220 活跃值： (631) 能力值： ( LV2，RANK：10 ) 在线值：发帖 38 回帖 938 粉丝 1 关注私信	dayang 2014-10-31 10:20 2 楼 0 这类代码，我发过一个求助帖子中有,不过我的问题没有解决
mccoysc 雪币： 65 活跃值： (112) 能力值： ( LV3，RANK：30 ) 在线值：发帖 15 回帖 343 粉丝 2 关注私信	mccoysc 2014-10-31 13:39 3 楼 0 FltGetFileNameInformation
mccoysc 雪币： 65 活跃值： (112) 能力值： ( LV3，RANK：30 ) 在线值：发帖 15 回帖 343 粉丝 2 关注私信	mccoysc 2014-10-31 13:40 4 楼 0 而且拦截文件读写删除请求，你不觉得在post回调里已经晚了么
ZSYL 雪币： 16 活跃值： (350) 能力值： ( LV2，RANK：10 ) 在线值：发帖 13 回帖 198 粉丝 0 关注私信	ZSYL 2014-11-1 00:18 5 楼 0 在Pre回调中也一样，什么都拦截不到
mccoysc 雪币： 65 活跃值： (112) 能力值： ( LV3，RANK：30 ) 在线值：发帖 15 回帖 343 粉丝 2 关注私信	mccoysc 2014-11-2 08:34 6 楼 0 我只能回答说，没有可能！人品问题！
ZSYL 雪币： 16 活跃值： (350) 能力值： ( LV2，RANK：10 ) 在线值：发帖 13 回帖 198 粉丝 0 关注私信	ZSYL 2014-11-3 00:23 7 楼 0 快疯掉了，难道是我的虚拟机有问题？大虾看下我的代码哪里有错？ MiniFileFilterDriver.rar 上传的附件： MiniFileFilterDriver.rar （3.26kb，21次下载）
ZSYL 雪币： 16 活跃值： (350) 能力值： ( LV2，RANK：10 ) 在线值：发帖 13 回帖 198 粉丝 0 关注私信	ZSYL 2014-11-3 00:40 8 楼 0 还是直接上代码吧 #pragma once #ifdef __cplusplus extern "C" { #endif #include <fltKernel.h> #ifdef __cplusplus } #endif extern "C" NTSTATUS DriverEntry(PDRIVER_OBJECT DriverObject, PUNICODE_STRING RegistryPath); NTSTATUS FilterUnLoad(FLT_FILTER_UNLOAD_FLAGS Flags); FLT_PREOP_CALLBACK_STATUS PreOperationCallback(__inout PFLT_CALLBACK_DATA Data, __in PCFLT_RELATED_OBJECTS FltObjects, __deref_out_opt PVOID CompletionContext); FLT_POSTOP_CALLBACK_STATUS PostOperationCallback(__inout PFLT_CALLBACK_DATA Data, __in PCFLT_RELATED_OBJECTS FltObjects, __in_opt PVOID CompletionContext, __in FLT_POST_OPERATION_FLAGS Flags); const FLT_OPERATION_REGISTRATION Callback[] = { { IRP_MJ_CREATE, 0, PreOperationCallback, PostOperationCallback }, { IRP_MJ_CREATE_NAMED_PIPE, 0, PreOperationCallback, PostOperationCallback }, { IRP_MJ_CLOSE, 0, PreOperationCallback, PostOperationCallback }, { IRP_MJ_READ, 0, PreOperationCallback, PostOperationCallback }, { IRP_MJ_WRITE, 0, PreOperationCallback, PostOperationCallback }, { IRP_MJ_QUERY_INFORMATION, 0, PreOperationCallback, PostOperationCallback }, { IRP_MJ_SET_INFORMATION, 0, PreOperationCallback, PostOperationCallback }, { IRP_MJ_QUERY_EA, 0, PreOperationCallback, PostOperationCallback }, { IRP_MJ_SET_EA, 0, PreOperationCallback, PostOperationCallback }, { IRP_MJ_FLUSH_BUFFERS, 0, PreOperationCallback, PostOperationCallback }, { IRP_MJ_QUERY_VOLUME_INFORMATION, 0, PreOperationCallback, PostOperationCallback }, { IRP_MJ_SET_VOLUME_INFORMATION, 0, PreOperationCallback, PostOperationCallback }, { IRP_MJ_DIRECTORY_CONTROL, 0, PreOperationCallback, PostOperationCallback }, { IRP_MJ_FILE_SYSTEM_CONTROL, 0, PreOperationCallback, PostOperationCallback }, { IRP_MJ_DEVICE_CONTROL, 0, PreOperationCallback, PostOperationCallback }, { IRP_MJ_INTERNAL_DEVICE_CONTROL, 0, PreOperationCallback, PostOperationCallback }, { IRP_MJ_SHUTDOWN, 0, PreOperationCallback, NULL }, //post operation callback not supported { IRP_MJ_LOCK_CONTROL, 0, PreOperationCallback, PostOperationCallback }, { IRP_MJ_CLEANUP, 0, PreOperationCallback, PostOperationCallback }, { IRP_MJ_CREATE_MAILSLOT, 0, PreOperationCallback, PostOperationCallback }, { IRP_MJ_QUERY_SECURITY, 0, PreOperationCallback, PostOperationCallback }, { IRP_MJ_SET_SECURITY, 0, PreOperationCallback, PostOperationCallback }, { IRP_MJ_QUERY_QUOTA, 0, PreOperationCallback, PostOperationCallback }, { IRP_MJ_SET_QUOTA, 0, PreOperationCallback, PostOperationCallback }, { IRP_MJ_PNP, 0, PreOperationCallback, PostOperationCallback }, { IRP_MJ_ACQUIRE_FOR_SECTION_SYNCHRONIZATION, 0, PreOperationCallback, PostOperationCallback }, { IRP_MJ_RELEASE_FOR_SECTION_SYNCHRONIZATION, 0, PreOperationCallback, PostOperationCallback }, { IRP_MJ_ACQUIRE_FOR_MOD_WRITE, 0, PreOperationCallback, PostOperationCallback }, { IRP_MJ_RELEASE_FOR_MOD_WRITE, 0, PreOperationCallback, PostOperationCallback }, { IRP_MJ_ACQUIRE_FOR_CC_FLUSH, 0, PreOperationCallback, PostOperationCallback }, { IRP_MJ_RELEASE_FOR_CC_FLUSH, 0, PreOperationCallback, PostOperationCallback }, / { IRP_MJ_NOTIFY_STREAM_FILE_OBJECT, 0, PreOperationCallback, PostOperationCallback },/ { IRP_MJ_FAST_IO_CHECK_IF_POSSIBLE, 0, PreOperationCallback, PostOperationCallback }, { IRP_MJ_NETWORK_QUERY_OPEN, 0, PreOperationCallback, PostOperationCallback }, { IRP_MJ_MDL_READ, 0, PreOperationCallback, PostOperationCallback }, { IRP_MJ_MDL_READ_COMPLETE, 0, PreOperationCallback, PostOperationCallback }, { IRP_MJ_PREPARE_MDL_WRITE, 0, PreOperationCallback, PostOperationCallback }, { IRP_MJ_MDL_WRITE_COMPLETE, 0, PreOperationCallback, PostOperationCallback }, { IRP_MJ_VOLUME_MOUNT, 0, PreOperationCallback, PostOperationCallback }, { IRP_MJ_VOLUME_DISMOUNT, 0, PreOperationCallback, PostOperationCallback }, { IRP_MJ_OPERATION_END } }; CONST FLT_REGISTRATION g_registration = { sizeof(FLT_REGISTRATION), // Size FLT_REGISTRATION_VERSION, // Version NULL, // Flags NULL, // ContextRegistration Callback, // OperationRegistration FilterUnLoad, // FilterUnloadCallback NULL, // InstanceSetupCallback NULL, // InstanceQueryTeardownCallback NULL, // InstanceTeardownStartCallback NULL, // InstanceTeardownCompleteCallback NULL, // GenerateFileNameCallback NULL, // NormalizeNameComponentCallback NULL, // NormalizeContextCleanupCallback }; typedef struct _NULL_FILTER_DATA { PFLT_FILTER FilterHandle; } NULL_FILTER_DATA, PNULL_FILTER_DATA; NULL_FILTER_DATA FilterData; #include "FsMiniFilter.h" NTSTATUS DriverEntry(PDRIVER_OBJECT DriverObject, PUNICODE_STRING RegistryPath) { NTSTATUS status = STATUS_UNSUCCESSFUL; __try { status = FltRegisterFilter(DriverObject, &g_registration, &FilterData.FilterHandle); if (NT_SUCCESS(status)){ status = FltStartFiltering(FilterData.FilterHandle); if (!NT_SUCCESS(status)){ FltUnregisterFilter(FilterData.FilterHandle); } } KdPrint(("MiniFilter启动成功\r\n")); } __except (EXCEPTION_EXECUTE_HANDLER) { KdPrint(("DriverEntry 异常\r\n")); } return status; } NTSTATUS FilterUnLoad(FLT_FILTER_UNLOAD_FLAGS Flags) { if (NULL != FilterData.FilterHandle) FltUnregisterFilter(FilterData.FilterHandle); KdPrint(("MiniFilter卸载成功\r\n")); return STATUS_SUCCESS; } FLT_PREOP_CALLBACK_STATUS PreOperationCallback(__inout PFLT_CALLBACK_DATA Data, __in PCFLT_RELATED_OBJECTS FltObjects, __deref_out_opt PVOID *CompletionContext ) { KdPrint(("进入PreCallback\r\n")); __try { if (NULL != FltObjects->FileObject) { PFLT_FILE_NAME_INFORMATION fileNameInfo = NULL; NTSTATUS ntStatus = FltGetFileNameInformation(Data, FLT_FILE_NAME_NORMALIZED \| FLT_FILE_NAME_QUERY_DEFAULT, &fileNameInfo); if (NT_SUCCESS(ntStatus)) { ntStatus = FltParseFileNameInformation(fileNameInfo); if (NT_SUCCESS(ntStatus)) { KdPrint(("%wZ\n", fileNameInfo->Name)); } FltReleaseFileNameInformation(fileNameInfo); fileNameInfo = NULL; } } } __except (EXCEPTION_EXECUTE_HANDLER) { KdPrint(("PreOperationCallback异常\r\n")); } FLT_PREOP_CALLBACK_STATUS returnStatus = FLT_PREOP_SUCCESS_NO_CALLBACK; if (Data->Iopb->MajorFunction == IRP_MJ_SHUTDOWN) { PostOperationCallback(Data, FltObjects, NULL, 0); returnStatus = FLT_PREOP_SUCCESS_NO_CALLBACK; } else { returnStatus = FLT_PREOP_SUCCESS_WITH_CALLBACK; } KdPrint(("离开PreCallback\r\n")); return FLT_PREOP_SUCCESS_WITH_CALLBACK; } FLT_POSTOP_CALLBACK_STATUS PostOperationCallback( __inout PFLT_CALLBACK_DATA Data, __in PCFLT_RELATED_OBJECTS FltObjects, __in_opt PVOID CompletionContext, __in FLT_POST_OPERATION_FLAGS Flags ) { KdPrint(("进入PostCallback\r\n")); FLT_POSTOP_CALLBACK_STATUS returnStatus = FLT_POSTOP_FINISHED_PROCESSING; __try { if (NULL != FltObjects->FileObject) { PFLT_FILE_NAME_INFORMATION fileNameInfo = NULL; NTSTATUS ntStatus = FltGetFileNameInformation(Data, FLT_FILE_NAME_NORMALIZED \| FLT_FILE_NAME_QUERY_DEFAULT, &fileNameInfo); if (NT_SUCCESS(ntStatus)) { ntStatus = FltParseFileNameInformation(fileNameInfo); if (NT_SUCCESS(ntStatus)) { KdPrint(("%wZ\n", fileNameInfo->Name)); } FltReleaseFileNameInformation(fileNameInfo); fileNameInfo = NULL; } } } __except (EXCEPTION_EXECUTE_HANDLER) { KdPrint(("PostOperationCallback异常\r\n")); } KdPrint(("离开PostCallback\r\n")); return returnStatus; }
yvqvan 雪币： 121 活跃值： (121) 能力值： ( LV2，RANK：10 ) 在线值：发帖 11 回帖 42 粉丝 1 关注私信	yvqvan 2014-11-3 01:13 9 楼 0 楼主，回去好好看看WDK文档。去掉FltObjects->FileObject的判断。
	游客登录 \| 注册方可回帖　回帖　表情雪币赚取及消费高级回复

[求助]MiniFilter过滤不到文件名称