[求助]使用FltRegisterFilter后导致无法关机
发表于:
2018-10-9 10:36
[求助]使用FltRegisterFilter后导致无法关机
RT:微过滤器驱动使用 FltRegisterFilter 后导致无法关机。但不是每次都不能关机:如果注册回调后立刻关机没有问题,过一会儿再关机就关不了,一直卡在关机界面不动。
// TODO - list every request type that should be filtered.
// Operation table handed to FltRegisterFilter through FilterRegistration.
// Each entry is { MajorFunction, Flags, PreOperation, PostOperation }.
CONST FLT_OPERATION_REGISTRATION Callbacks[] = {
// Directory control requests: no pre-operation callback, only the post-operation callback.
{ IRP_MJ_DIRECTORY_CONTROL,0,NULL,FsFilterDriverPostOperation },
// Terminator entry that marks the end of the table.
{ IRP_MJ_OPERATION_END }
};
/*************************************************************************
公开函数
*************************************************************************/
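/*
 * Initialise the minifilter: register it with the Filter Manager and then
 * start filtering.
 *
 * DriverObject - driver object forwarded to FltRegisterFilter.
 *
 * Returns the status of FltRegisterFilter, or of FltStartFiltering when the
 * registration itself succeeded. If FltStartFiltering fails, the filter is
 * unregistered again and gFilterHandle is reset to NULL so that no later code
 * path can reuse the stale handle.
 */
NTSTATUS MiniFilterInit(_In_ PDRIVER_OBJECT DriverObject){
    //VMProtectBegin(__FUNCTION__);
    NTSTATUS status;
    /*
     * What we ask FltMgr to filter on our behalf.
     * NOTE(review): the WDK samples keep this structure at file scope; confirm
     * that a stack-local copy is acceptable for FltRegisterFilter.
     */
    CONST FLT_REGISTRATION FilterRegistration = {
        sizeof(FLT_REGISTRATION),               // Size
        FLT_REGISTRATION_VERSION,               // Version
        0,                                      // Flags
        NULL,                                   // Context
        Callbacks,                              // Operation callbacks
        FsFilterDriverUnload,                   // MiniFilterUnload
        FsFilterDriverInstanceSetup,            // InstanceSetup
        FsFilterDriverInstanceQueryTeardown,    // InstanceQueryTeardown
        FsFilterDriverInstanceTeardownStart,    // InstanceTeardownStart
        FsFilterDriverInstanceTeardownComplete, // InstanceTeardownComplete
        NULL,                                   // GenerateFileName
        NULL,                                   // GenerateDestinationFileName
        NULL                                    // NormalizeNameComponent
    };

    /* Global state must be ready before any callback can run. */
    KeInitializeSpinLock(&MiniFilter_Lock);
    InitializeListHead(&MiniFilter_File_Path);

    status = FltRegisterFilter(DriverObject, &FilterRegistration, &gFilterHandle);
    FLT_ASSERT(NT_SUCCESS(status));
    if (NT_SUCCESS(status)) {
        status = FltStartFiltering(gFilterHandle);
        if (!NT_SUCCESS(status)) {
            /* Roll back the registration and drop the now-invalid handle. */
            FltUnregisterFilter(gFilterHandle);
            gFilterHandle = NULL;
            /* Logged when FltStartFiltering fails (message text kept as-is). */
            DPRINT("文件过滤器注册失败\n");
        }
    }
    //VMProtectEnd();
    return status;
}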
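/*
 * Filter unload callback (registered as the unload routine in
 * FilterRegistration).
 *
 * Flags - unload flags supplied by the Filter Manager; not used here.
 *
 * Returns STATUS_SUCCESS, which allows the unload to proceed. Because of that
 * the registration has to be torn down here: returning success while the
 * filter is still registered leaves FltMgr holding callback pointers into a
 * driver image that is about to go away.
 *
 * FltUnregisterFilter waits until outstanding references on the filter have
 * been released. NOTE(review): if this call appears to hang, look for
 * references that are taken but never released (for example in Rule() or the
 * elided post-operation code - not visible here) instead of commenting the
 * call out.
 */
NTSTATUS FsFilterDriverUnload(_In_ FLT_FILTER_UNLOAD_FLAGS Flags)
{
    //VMProtectBegin(__FUNCTION__);
    UNREFERENCED_PARAMETER(Flags);
    PAGED_CODE();
    DPRINT("FsFilterDriver!FsFilterDriverUnload: Entered\n");
    /* Guard against a handle that was never set or was already released. */
    if (gFilterHandle != NULL) {
        FltUnregisterFilter(gFilterHandle);
        gFilterHandle = NULL;
    }
    //VMProtectEnd();
    return STATUS_SUCCESS;
}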
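/*
 * Post-operation callback for IRP_MJ_DIRECTORY_CONTROL (see Callbacks[]).
 *
 * Data              - callback data for the completed operation.
 * FltObjects        - related objects; not used here.
 * CompletionContext - context from the pre-operation callback; none is
 *                     registered, so it is not used.
 * Flags             - post-operation flags; checked for the draining case.
 *
 * Always returns FLT_POSTOP_FINISHED_PROCESSING. When the operation succeeded
 * and Rule(Data) matches, the completion status in Data->IoStatus.Status is
 * overwritten.
 *
 * Post-operation callbacks can be invoked at IRQL <= DISPATCH_LEVEL.
 * NOTE(review): Rule() and the elided code are not shown; if they touch
 * pageable memory or block, they need to be deferred to a safe IRQL.
 */
FLT_POSTOP_CALLBACK_STATUS FsFilterDriverPostOperation(_Inout_ PFLT_CALLBACK_DATA Data, _In_ PCFLT_RELATED_OBJECTS FltObjects, _In_opt_ PVOID CompletionContext, _In_ FLT_POST_OPERATION_FLAGS Flags)
{
    //VMProtectBegin(__FUNCTION__);
    /* Not used by the visible code; presumably consumed by the elided lines below. */
    PFLT_PARAMETERS params = &Data->Iopb->Parameters;
    NTSTATUS status;
    UNREFERENCED_PARAMETER(params);
    UNREFERENCED_PARAMETER(FltObjects);
    UNREFERENCED_PARAMETER(CompletionContext);

    /*
     * The instance is being torn down: Data is only a copy of the original
     * callback data, so do no processing and change nothing.
     */
    if ((Flags & FLTFL_POST_OPERATION_DRAINING) != 0) {
        return FLT_POSTOP_FINISHED_PROCESSING;
    }

    /* Nothing to rewrite when the underlying operation already failed. */
    if (!NT_SUCCESS(Data->IoStatus.Status)) {
        return FLT_POSTOP_FINISHED_PROCESSING;
    }

    if (Rule(Data))
    {
        status = STATUS_SUCCESS;
        // N lines of code omitted here by the original author ......................
        Data->IoStatus.Status = status;
    }
    //VMProtectEnd();
    return FLT_POSTOP_FINISHED_PROCESSING;
}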
最后于 2018-10-9 10:40
被老坛酸菜TM编辑
,原因: