-
-
未解决
[求助]关于minifilter文件重定向求助
-
发表于:
2020-11-13 20:18
3373
-
未解决 [求助]关于minifilter文件重定向求助
跑VMware虚拟机脚本挂机,看虚拟机快照文件都一样,不再次快照也不会改变,想着能不能把所有克隆出的虚拟机的快照文件重定向都指向同一份快照文件,用minifilter实现了,记事本打开测试也没问题,但是一开虚拟机就炸,请问这是怎么回事啊,是不是我回调错了
还是说VMware打开文件是从驱动层打开的?
下面是回调代码
CONST FLT_OPERATION_REGISTRATION Callbacks[] = {
{ IRP_MJ_CREATE,
0,
FsFilter1PreOperation,
FsFilter1PostOperation },
{ IRP_MJ_OPERATION_END }
};
FLT_PREOP_CALLBACK_STATUS
FsFilter1PreOperation (
_Inout_ PFLT_CALLBACK_DATA Data,
_In_ PCFLT_RELATED_OBJECTS FltObjects,
_Flt_CompletionContext_Outptr_ PVOID *CompletionContext
)
{
NTSTATUS status;
UNREFERENCED_PARAMETER( FltObjects );
UNREFERENCED_PARAMETER( CompletionContext );
PAGED_CODE();
PFLT_FILE_NAME_INFORMATION nameInfo;
UNICODE_STRING desFilevmxf; // \Device\ HarddiskVolume1\ Users\ Administrator\ Documents
RtlCreateUnicodeString(&desFilevmxf, L"\\DEVICE\\HARDDISKVOLUME1\\USERS\\ADMINISTRATOR\\DOCUMENTS\\1\\1.VMXF");//为了方便测试路径我写死了,实际操作也很简单仅仅只是字符串的拼接
UNICODE_STRING desFilevmem; //1-Snapshot1.vmem
RtlCreateUnicodeString(&desFilevmem, L"\\DEVICE\\HARDDISKVOLUME1\\USERS\\ADMINISTRATOR\\DOCUMENTS\\1\\1-SNAPSHOT1.VMEM");//为了方便测试路径我写死了,实际操作也很简单仅仅只是字符串的拼接
UNICODE_STRING desFilevmsn; //1-Snapshot1.vmsn
RtlCreateUnicodeString(&desFilevmsn, L"\\DEVICE\\HARDDISKVOLUME1\\USERS\\ADMINISTRATOR\\DOCUMENTS\\1\\1-SNAPSHOT1.VMSN");//为了方便测试路径我写死了,实际操作也很简单仅仅只是字符串的拼接
PFILE_OBJECT FileObject;
__try {
status = FltGetFileNameInformation(Data,
FLT_FILE_NAME_NORMALIZED |
FLT_FILE_NAME_QUERY_DEFAULT,
&nameInfo);
if (NT_SUCCESS(status)) {
FltParseFileNameInformation(nameInfo);
//DbgPrint("%S\n", nameInfo->Name.Buffer);
int szret = wcscmp(nameInfo->Name.Buffer, L"\\Device\\HarddiskVolume1\\Users\\Administrator\\Documents\\1 - 副本(1)\\1.vmxf");
if (szret ==0)
{
FileObject = Data->Iopb->TargetFileObject;
DbgPrint("路径为:");
DbgPrint("%S \n", nameInfo->Name.Buffer);
FileObject->FileName = desFilevmxf;//替换成目标文件的路径。
Data->IoStatus.Information = IO_REPARSE;
Data->IoStatus.Status = STATUS_REPARSE;
Data->Iopb->TargetFileObject->RelatedFileObject = NULL;
FltSetCallbackDataDirty(Data);
FltReleaseFileNameInformation(nameInfo);
return FLT_PREOP_COMPLETE;
}
szret = wcscmp(nameInfo->Name.Buffer, L"\\Device\\HarddiskVolume1\\Users\\Administrator\\Documents\\1 - 副本(1)\\1-Snapshot1.vmem");
if (szret == 0)
{
FileObject = Data->Iopb->TargetFileObject;
//DbgPrint("路径为:");
//DbgPrint("%S \n", nameInfo->Name.Buffer);
FileObject->FileName = desFilevmem;//替换成目标文件的路径。
Data->IoStatus.Information = IO_REPARSE;
Data->IoStatus.Status = STATUS_REPARSE;
Data->Iopb->TargetFileObject->RelatedFileObject = NULL;
FltSetCallbackDataDirty(Data);
FltReleaseFileNameInformation(nameInfo);
return FLT_PREOP_COMPLETE;
}
szret = wcscmp(nameInfo->Name.Buffer, L"\\Device\\HarddiskVolume1\\Users\\Administrator\\Documents\\1 - 副本(1)\\1-Snapshot1.vmsn");
if (szret == 0)
{
FileObject = Data->Iopb->TargetFileObject;
//DbgPrint("路径为:");
//DbgPrint("%S \n", nameInfo->Name.Buffer);
FileObject->FileName = desFilevmsn;//替换成目标文件的路径。
Data->IoStatus.Information = IO_REPARSE;
Data->IoStatus.Status = STATUS_REPARSE;
Data->Iopb->TargetFileObject->RelatedFileObject = NULL;
FltSetCallbackDataDirty(Data);
FltReleaseFileNameInformation(nameInfo);
return FLT_PREOP_COMPLETE;
}
//release resource
FltReleaseFileNameInformation(nameInfo);
}
}
__except (EXCEPTION_EXECUTE_HANDLER) {
DbgPrint("EXCEPTION_EXECUTE_HANDLER\n");
}
return FLT_PREOP_SUCCESS_WITH_CALLBACK;
}
[培训]内核驱动高级班,冲击BAT一流互联网大厂工作,每周日13:00-18:00直播授课