[分享]从 fs_rec.sys 聊聊 windows 如何加载文件系统-付费问答-看雪-安全社区|安全招聘|kanxue.com

[旧帖] [分享]从 fs_rec.sys 聊聊 windows 如何加载文件系统 0.00雪花

发表于: 2015-6-29 12:27 3087

[旧帖] [分享]从 fs_rec.sys 聊聊 windows 如何加载文件系统 0.00雪花

公监第一人

2015-6-29 12:27

3087

PKEVENT FsRecLoadSync = NULL;

NTSTATUS DriverEntry(PDRIVER_OBJECT DriverObject,PUNICODE_STRING Registry)
{
int Index = 0;
PDEVICE_OBJECT DeviceObject;

DriverObject->MajorFunction[IRP_MJ_FILE_SYSTEM_CONTROL] = FsRecFsControl;
DriverObject->MajorFunction[IRP_MJ_CREATE] = FsRecCreate;
DriverObject->MajorFunction[IRP_MJ_CLOSE] =
DriverObject->MajorFunction[IRP_MJ_CLEANUP] = FsRecCleanupClose;

DriverObject->DriverUnload = FsRecUnload;

FsRecLoadSync = (PKEVENT)ExAllocatePoolWithTag(sizeof(KEVENT),NonPagedPool,POOL_TAG);
if(FsRecLoadSync == NULL)
{
return STATUS_INSUFFICIENT_RESOURCES;
}

KeInitializeEvent(FsRecLoadSync,SynchronizationEvent,TRUE);

if(NT_SUCCESS(FsRecCreateAndRegisterDO(DriverObject,NULL,NULL,
L"\\Cdfs",
L"\\FileSystem\\CdfsRecognizer",
CDFS_TYPE,
FILE_DEVICE_CD_ROM_FILE_SYSTEM,
TRUE)))
{
Index ++;
}

if (NT_SUCCESS( FsRecCreateAndRegisterDO(
DriverObject,
NULL,
&DeviceObject,
L"\\UdfsCdRom",
L"\\FileSystem\\UdfsCdRomRecognizer",
UDFS_TYPE,
FILE_DEVICE_CD_ROM_FILE_SYSTEM,
FALSE) ))
{
Index++;
}

if (NT_SUCCESS( FsRecCreateAndRegisterDO(
DriverObject,
NULL,
&DeviceObject,
L"\\Fat",
L"\\FileSystem\\FatDiskRecognizer",
FATCD_TYPE,
FILE_DEVICE_DISK_FILE_SYSTEM,
FALSE) ))
{
Index++;
}

if (NT_SUCCESS( FsRecCreateAndRegisterDO(
DriverObject,
DeviceObject,
NULL,
L"\\FatCdrom",
L"\\FileSystem\\FatCdRomRecognizer",
FATCD_TYPE,
FILE_DEVICE_CD_ROM_FILE_SYSTEM,
FALSE) ))
{
Index++;
}

if (NT_SUCCESS( FsRecCreateAndRegisterDO(DriverObject, NULL, NULL,
L"\\Ntfs",
L"\\FileSystem\\NtfsRecognizer",
NTFS_TYPE,
FILE_DEVICE_DISK_FILE_SYSTEM,
FALSE) ))
{
++Index;
}

if (NT_SUCCESS( FsRecCreateAndRegisterDO(DriverObject,
NULL,
NULL,
L"\\ExFat",
L"\\FileSystem\\ExFatRecognizer",
EXFAT_TYPE,
FILE_DEVICE_DISK_FILE_SYSTEM,
FALSE) ))
{
++Index;
}

return Index != 0 ? STATUS_SUCCESS : STATUS_IMAGE_ALREADY_LOADED;

}

NTSTATUS FsRecCreateAndRegisterDO(PDRIVER_OBJECT DriverObject,
   PDEVICE_OBJECT ParentDev,
   PDEVICE_OBJECT* CreatedDev,
   LPWSTR DeviceName,
   LPWSTR Recognizer,
   FILE_SYSTEM_TYPE  FileSystemType,
   ULONG DeviceType,
   BOOLEAN bLowPrority)
{
NTSTATUS Status;
IO_STATUS_BLOCK IoStatusBlock;
OBJECT_ATTRIBUTES ObjectAttributes;
UNICODE_STRING DestinationString;
HANDLE Handle;
PDEVICE_OBJECT DeviceObject;
PDEVICE_EXTENSION DevExt;
PFN_IoRegisterFileSystem pfn_IoRegisterFileSystem = NULL;

if(CreatedDev)  CreatedDev = NULL;
RtlInitUnicodeString(&DestinationString, DeviceName);
InitializeObjectAttributes(&ObjectAttributes,&DestinationString,
OBJ_CASE_INSENSITIVE,
NULL,
NULL);

Status = ZwCreateFile(&Handle,
SYNCHRONIZE, // 0x100000,
&ObjectAttributes,
&IoStatusBlock,
NULL,
0,
FILE_SHARE_READ | FILE_SHARE_WRITE,
1,
0,
NULL,
0);

if(NT_SUCCESS(Status))
{
ZwClose(Handle);
}

if(Status != STATUS_OBJECT_NAME_NOT_FOUND)
{
Status = STATUS_SUCCESS;
}

if(!NT_SUCCESS(Status))
{
RtlInitUnicodeString(&DestinationString, Recognizer);

Status = IoCreateDevice(DriverObject,
sizeof(DEVICE_EXTENSION),
&DestinationString,
DeviceType,
0,
FALSE,
&DeviceObject);

if(NT_SUCCESS(Status))
{
DevExt = (PDEVICE_EXTENSION)DeviceObject->DeviceExtension;

DevExt->FileSystemType = FileSystemType;

DevExt->LoadStatus = DRIVER_NOTLOAD;

if(ParentDev)
{
DevExt->ParentDevice = ((PDEVICE_EXTENSION)ParentDev->DeviceExtension)->ParentDevice;
DevExt = (PDEVICE_EXTENSION)ParentDev->DeviceExtension;
}

DevExt->ParentDevice = DeviceObject;

if(CreatedDev)
CreatedDev[0] = DeviceObject;

if(bLowPrority)
{
DeviceObject->Flags |= DO_LOW_PRIORITY_FILESYSTEM;
}

RtlInitUnicodeString(&DestinationString, L"IoRegisterFileSystem");

pfn_IoRegisterFileSystem =
(PFN_IoRegisterFileSystem)MmGetSystemRoutineAddress(&DestinationString);

if(pfn_IoRegisterFileSystem)
pfn_IoRegisterFileSystem(DeviceObject);

Status = STATUS_SUCCESS;
}
}
else
{
Status = STATUS_IMAGE_ALREADY_LOADED;
}

return Status;
}

NTSTATUS FsRecFsControl(PDEVICE_OBJECT DeviceObject,PIRP Irp)
{
NTSTATUS Status;
PDEVICE_EXTENSION DevExt;
PIO_STACK_LOCATION  IrpSp;

PAGED_CODE();

IrpSp = IoGetCurrentIrpStackLocation(Irp);
DevExt = (PDEVICE_EXTENSION)DeviceObject->DeviceExtension;

if(DevExt->LoadStatus && IrpSp->MinorFunction == IRP_MN_MOUNT_VOLUME)
{
Status = DevExt->LoadStatus != DRIVER_LOADED ? STATUS_FS_DRIVER_REQUIRED : STATUS_UNRECOGNIZED_VOLUME;
Irp->IoStatus.Status = Status;
IoCompleteRequest(Irp,0);
return Status;
}
else
{
switch(DevExt->FileSystemType)
{
case CDFS_TYPE:
Status = CdfsRecFsControl(DeviceObject,Irp);
break;

case FATCD_TYPE:
Status = FatRecFsControl(DeviceObject,Irp);
break;

case NTFS_TYPE:
Status = NtfsRecFsControl(DeviceObject,Irp);
break;

case EXFAT_TYPE:
Status = ExFatRecFsControl(DeviceObject,Irp);
break;

default:
Status = STATUS_INVALID_DEVICE_REQUEST;
break;

}
}

return Status;
}

NTSTATUS ExFatRecFsControl(PDEVICE_OBJECT DeviceObject,PIRP Irp)
{
NTSTATUS Status = STATUS_SUCCESS;
PIO_STACK_LOCATION IrpSp;
PDEVICE_EXTENSION DevExt;
ULONG SectorSize;
LARGE_INTEGER StartingOffset;
BOOLEAN BlockReaded = FALSE;
UCHAR* BlockData;

PAGED_CODE();

IrpSp = IoGetCurrentIrpStackLocation(Irp);

if(IrpSp->MinorFunction == IRP_MN_MOUNT_VOLUME)
{
Status = STATUS_UNRECOGNIZED_VOLUME;

if(FsRecGetDeviceSectorSize(IrpSp->Parameters.MountVolume.DeviceObject,&SectorSize,0))
{
StartingOffset.QuadPart = 0;
BlockData = NULL;

if (FsRecReadBlock(IrpSp->Parameters.MountVolume.DeviceObject, &StartingOffset, 512, SectorSize, &BlockData, &BlockReaded) )
{
if ( IsExFatVolume(BlockData) )
Status = STATUS_FS_DRIVER_REQUIRED;
}
if(BlockData) ExFreePoolWithTag(BlockData,0);
}
else
{
BlockReaded = TRUE;
}
}
else if(IrpSp->MinorFunction == IRP_MN_LOAD_FILE_SYSTEM)
{
Status = FsRecLoadFileSystem(DeviceObject,L"\\Registry\\Machine\\System\\CurrentControlSet\\Services\\ExFat");
}
else
{
Status = STATUS_INVALID_DEVICE_REQUEST;
}

Irp->IoStatus.Status = Status;
IoCompleteRequest(Irp,0);
return Status;
}

[课程]Linux pwn 探索篇！

收藏・2

免费・0

支持

最新回复 (3)
公监第一人雪币： 37 活跃值： (10) 能力值： ( LV2，RANK：10 ) 在线值：发帖 5 回帖 24 粉丝 0 关注私信	公监第一人 2 楼这对扩展 windows 默认支持的文件系统有一定作用 2015-6-29 12:36 0
公监第一人雪币： 37 活跃值： (10) 能力值： ( LV2，RANK：10 ) 在线值：发帖 5 回帖 24 粉丝 0 关注私信	公监第一人 3 楼有人在找防止 USB 盘放复制的方案1 ： windows nt 系列一直存在一个注册表键值可以实现注册表路径: HKLM\System\CurrentControlSet\Control\StorageDevicePolicies 键名: WriteProtect 类型： DWORD 值： 0x00000001 所有USB存储设备只读值: 0x0 可读写方案2： Storage Lower Filter Driver 用于过滤磁盘的扇区读写，机器狗时代的拦截产物 2015-6-29 13:48 0
公监第一人雪币： 37 活跃值： (10) 能力值： ( LV2，RANK：10 ) 在线值：发帖 5 回帖 24 粉丝 0 关注私信	公监第一人 4 楼 BOOLEAN FsRecReadBlock(PDEVICE_OBJECT DeviceObject,PLARGE_INTEGER StartingOffset,ULONG LengthToRead,ULONG SectorSize,OUT PUCHAR* BlockData,OUT PBOOLEAN BlockReaded) { NTSTATUS Status; IO_STATUS_BLOCK IoStatusBlock; KEVENT Event; PIRP Irp; ULONG SectorAlignLength = 0; PAGED_CODE(); if(BlockReaded) BlockReaded[0] = FALSE; KeInitializeEvent(&Event,SynchronizationEvent,FALSE); if ( LengthToRead > SectorSize ) SectorAlignLength = SectorSize * (LengthToRead + SectorSize - 1) / SectorSize; else SectorAlignLength = SectorSize; if(!BlockData) { BlockData[0] = ExAllocatePoolWithTag(PagedPool,(SectorAlignLength + PAGE_SIZE - 1) & 0xFFFFF000,POOL_TAG); } if(BlockData[0]) { Irp = IoBuildSynchronousFsdRequest(IRP_MJ_READ, DeviceObject, BlockData[0], SectorAlignLength, StartingOffset, &Event, &IoStatusBlock); if(Irp) { (IoGetNextIrpStackLocation(Irp))->Flags \|= IRP_PAGING_IO; Status = IoCallDriver(DeviceObject,Irp); if(Status == STATUS_PENDING) { KeWaitForSingleObject(&Event,Executive,KernelMode,FALSE,NULL); Status = IoStatusBlock.Status; } if(!NT_SUCCESS(Status)) { if(BlockReaded) BlockReaded[0] = TRUE; return FALSE; } return TRUE; } } return FALSE; } BOOLEAN FsRecGetDeviceSectorSize(PDEVICE_OBJECT DeviceObject,PULONG SectorSize,OUT NTSTATUS* OutStatus) { NTSTATUS Status; KEVENT Event; IO_STATUS_BLOCK IoStatus; PIRP Irp; LARGE_INTEGER DiskLength; PIO_STACK_LOCATION IrpSp; ULONG IoCtlCode; DISK_GEOMETRY DiskGeometry; PAGED_CODE(); KeInitializeEvent(&Event,SynchronizationEvent,FALSE); Irp = IoBuildDeviceIoControlRequest(IOCTL_DISK_GET_LENGTH_INFO, DeviceObject, NULL, 0, (PVOID)&DiskLength, sizeof(LARGE_INTEGER), FALSE, &Event, &IoStatus); if(Irp) { (IoGetNextIrpStackLocation(Irp))->Flags \|= IRP_PAGING_IO; // 系统自动释放 Status = IoCallDriver(DeviceObject, Irp); if(Status == STATUS_PENDING) { KeWaitForSingleObject(&Event,Executive,KernelMode,FALSE,NULL); Status = IoStatus.Status; } if(DeviceObject->DeviceType == FILE_DEVICE_CD_ROM) { IoCtlCode = IOCTL_CDROM_GET_DRIVE_GEOMETRY; } else if(DeviceObject->DeviceType == FILE_DEVICE_DISK) { IoCtlCode = IOCTL_DISK_GET_DRIVE_GEOMETRY; } else { if(OutStatus) OutStatus[0] = Status; return FALSE; } KeInitializeEvent(&Event, SynchronizationEvent, FALSE); Irp = IoBuildDeviceIoControlRequest(IoCtlCode, DeviceObject, NULL, 0, &DiskGeometry, sizeof(DISK_GEOMETRY), FALSE, &Event, &IoStatus); if(Irp) { (IoGetNextIrpStackLocation(Irp))->Flags \|= IRP_PAGING_IO; // 系统自动释放 Status = IoCallDriver(DeviceObject, Irp); if(Status == STATUS_PENDING) { KeWaitForSingleObject(&Event,Executive,KernelMode,FALSE,NULL); Status = IoStatus.Status; } if(OutStatus) OutStatus[0] = Status; if(NT_SUCCESS(Status) && DiskGeometry.BytesPerSector) { SectorSize[0] = DiskGeometry.BytesPerSector; return TRUE; } } else { if(OutStatus) OutStatus[0] = STATUS_INSUFFICIENT_RESOURCES; return FALSE; } return FALSE; } if(OutStatus) OutStatus[0] = STATUS_INSUFFICIENT_RESOURCES; // 0xC000009A; return FALSE; } 少发了2个函数 2015-6-29 13:53 0
	游客登录 \| 注册方可回帖回帖表情雪币赚取及消费高级回复

公监第一人

发帖

回帖

RANK

关注

私信

他的文章

[原创]对过去6年的人和事，真心说声对不起 4271

关于我们

联系我们

企业服务

看雪公众号

最新回复 (3)
公监第一人雪币： 37 活跃值： (10) 能力值： ( LV2，RANK：10 ) 在线值：发帖 5 回帖 24 粉丝 0 关注私信	公监第一人 2 楼这对扩展 windows 默认支持的文件系统有一定作用 2015-6-29 12:36 0
公监第一人雪币： 37 活跃值： (10) 能力值： ( LV2，RANK：10 ) 在线值：发帖 5 回帖 24 粉丝 0 关注私信	公监第一人 3 楼有人在找防止 USB 盘放复制的方案1 ： windows nt 系列一直存在一个注册表键值可以实现注册表路径: HKLM\System\CurrentControlSet\Control\StorageDevicePolicies 键名: WriteProtect 类型： DWORD 值： 0x00000001 所有USB存储设备只读值: 0x0 可读写方案2： Storage Lower Filter Driver 用于过滤磁盘的扇区读写，机器狗时代的拦截产物 2015-6-29 13:48 0
公监第一人雪币： 37 活跃值： (10) 能力值： ( LV2，RANK：10 ) 在线值：发帖 5 回帖 24 粉丝 0 关注私信	公监第一人 4 楼 BOOLEAN FsRecReadBlock(PDEVICE_OBJECT DeviceObject,PLARGE_INTEGER StartingOffset,ULONG LengthToRead,ULONG SectorSize,OUT PUCHAR* BlockData,OUT PBOOLEAN BlockReaded) { NTSTATUS Status; IO_STATUS_BLOCK IoStatusBlock; KEVENT Event; PIRP Irp; ULONG SectorAlignLength = 0; PAGED_CODE(); if(BlockReaded) BlockReaded[0] = FALSE; KeInitializeEvent(&Event,SynchronizationEvent,FALSE); if ( LengthToRead > SectorSize ) SectorAlignLength = SectorSize * (LengthToRead + SectorSize - 1) / SectorSize; else SectorAlignLength = SectorSize; if(!BlockData) { BlockData[0] = ExAllocatePoolWithTag(PagedPool,(SectorAlignLength + PAGE_SIZE - 1) & 0xFFFFF000,POOL_TAG); } if(BlockData[0]) { Irp = IoBuildSynchronousFsdRequest(IRP_MJ_READ, DeviceObject, BlockData[0], SectorAlignLength, StartingOffset, &Event, &IoStatusBlock); if(Irp) { (IoGetNextIrpStackLocation(Irp))->Flags \|= IRP_PAGING_IO; Status = IoCallDriver(DeviceObject,Irp); if(Status == STATUS_PENDING) { KeWaitForSingleObject(&Event,Executive,KernelMode,FALSE,NULL); Status = IoStatusBlock.Status; } if(!NT_SUCCESS(Status)) { if(BlockReaded) BlockReaded[0] = TRUE; return FALSE; } return TRUE; } } return FALSE; } BOOLEAN FsRecGetDeviceSectorSize(PDEVICE_OBJECT DeviceObject,PULONG SectorSize,OUT NTSTATUS* OutStatus) { NTSTATUS Status; KEVENT Event; IO_STATUS_BLOCK IoStatus; PIRP Irp; LARGE_INTEGER DiskLength; PIO_STACK_LOCATION IrpSp; ULONG IoCtlCode; DISK_GEOMETRY DiskGeometry; PAGED_CODE(); KeInitializeEvent(&Event,SynchronizationEvent,FALSE); Irp = IoBuildDeviceIoControlRequest(IOCTL_DISK_GET_LENGTH_INFO, DeviceObject, NULL, 0, (PVOID)&DiskLength, sizeof(LARGE_INTEGER), FALSE, &Event, &IoStatus); if(Irp) { (IoGetNextIrpStackLocation(Irp))->Flags \|= IRP_PAGING_IO; // 系统自动释放 Status = IoCallDriver(DeviceObject, Irp); if(Status == STATUS_PENDING) { KeWaitForSingleObject(&Event,Executive,KernelMode,FALSE,NULL); Status = IoStatus.Status; } if(DeviceObject->DeviceType == FILE_DEVICE_CD_ROM) { IoCtlCode = IOCTL_CDROM_GET_DRIVE_GEOMETRY; } else if(DeviceObject->DeviceType == FILE_DEVICE_DISK) { IoCtlCode = IOCTL_DISK_GET_DRIVE_GEOMETRY; } else { if(OutStatus) OutStatus[0] = Status; return FALSE; } KeInitializeEvent(&Event, SynchronizationEvent, FALSE); Irp = IoBuildDeviceIoControlRequest(IoCtlCode, DeviceObject, NULL, 0, &DiskGeometry, sizeof(DISK_GEOMETRY), FALSE, &Event, &IoStatus); if(Irp) { (IoGetNextIrpStackLocation(Irp))->Flags \|= IRP_PAGING_IO; // 系统自动释放 Status = IoCallDriver(DeviceObject, Irp); if(Status == STATUS_PENDING) { KeWaitForSingleObject(&Event,Executive,KernelMode,FALSE,NULL); Status = IoStatus.Status; } if(OutStatus) OutStatus[0] = Status; if(NT_SUCCESS(Status) && DiskGeometry.BytesPerSector) { SectorSize[0] = DiskGeometry.BytesPerSector; return TRUE; } } else { if(OutStatus) OutStatus[0] = STATUS_INSUFFICIENT_RESOURCES; return FALSE; } return FALSE; } if(OutStatus) OutStatus[0] = STATUS_INSUFFICIENT_RESOURCES; // 0xC000009A; return FALSE; } 少发了2个函数 2015-6-29 13:53 0
	游客登录 \| 注册方可回帖回帖表情雪币赚取及消费高级回复