// Attempt to hook the file system's IRP_MJ_CREATE dispatch entry
#include "Hookfilesystem.h"
/* Handle and object attributes used by HookFileSystem while it opens the
 * target device; both are written there and nowhere else in this file. */
HANDLE hFileHandle;
OBJECT_ATTRIBUTES ObjectAttrib;

/* Device object returned by IoGetRelatedDeviceObject for the opened handle. */
PDEVICE_OBJECT pFileDeviceObject;

/* Despite its name this holds a DRIVER object: the driver whose
 * IRP_MJ_CREATE entry is replaced. DriverEntry also declares a local
 * PDEVICE_OBJECT named pDeviceObject that shadows this global. */
PDRIVER_OBJECT pDeviceObject;

/* Original IRP_MJ_CREATE handler, saved by HookFileSystem before the hook
 * is installed; zero (NULL) until then because it has static storage. */
PDRIVER_DISPATCH RealCreateDispatch;
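/*
 * DriverEntry - driver initialisation: creates the control device and its
 * Win32-visible symbolic link, sets the dispatch/unload routines and then
 * installs the file-system IRP_MJ_CREATE hook.
 *
 * DriverObject: this driver's object, supplied by the I/O manager.
 * RegistryPath: unused.
 * Returns STATUS_SUCCESS, or the failing IoCreateDevice / IoCreateSymbolicLink
 * status. HookFileSystem reports its own failures only through DbgPrint.
 */
NTSTATUS DriverEntry(IN PDRIVER_OBJECT DriverObject, IN PUNICODE_STRING RegistryPath)
{
    UNICODE_STRING uniNameString;
    UNICODE_STRING uniLinkString;
    NTSTATUS ntStatus;
    /* Named so it no longer shadows the file-scope pDeviceObject global. */
    PDEVICE_OBJECT pControlDevice = NULL;

    UNREFERENCED_PARAMETER(RegistryPath);

    /* Device and link names are empty in this listing (placeholders). */
    RtlInitUnicodeString(&uniNameString, L"");
    ntStatus = IoCreateDevice(DriverObject, 0, &uniNameString, FILE_DEVICE_UNKNOWN,
                              0, TRUE, &pControlDevice);
    if (!NT_SUCCESS(ntStatus)) {
        /* Nothing has been created yet, so nothing to undo. */
        return ntStatus;
    }

    /* Create the Win32-visible symbolic link. */
    RtlInitUnicodeString(&uniLinkString, L"");
    ntStatus = IoCreateSymbolicLink(&uniLinkString, &uniNameString);
    if (!NT_SUCCESS(ntStatus)) {
        /* The original returned here and leaked the device object just created. */
        IoDeleteDevice(pControlDevice);
        return ntStatus;
    }

    /* Dispatch routines for the control device. */
    DriverObject->MajorFunction[IRP_MJ_CREATE] = DriverDispatch;
    DriverObject->MajorFunction[IRP_MJ_CLOSE] = DriverDispatch;
    DriverObject->DriverUnload = DriverUnload;

    /* Hook the file system's IRP_MJ_CREATE handler. */
    HookFileSystem();

    return STATUS_SUCCESS;
}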
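/*
 * DriverDispatch - completes IRP_MJ_CREATE / IRP_MJ_CLOSE requests on the
 * control device with STATUS_SUCCESS and no data.
 *
 * DeviceObject: unused.
 * Irp: the request; it must not be touched after IoCompleteRequest.
 * Returns STATUS_SUCCESS.
 */
NTSTATUS DriverDispatch(IN PDEVICE_OBJECT DeviceObject, IN PIRP Irp)
{
    UNREFERENCED_PARAMETER(DeviceObject);

    Irp->IoStatus.Status = STATUS_SUCCESS;
    Irp->IoStatus.Information = 0;
    IoCompleteRequest(Irp, IO_NO_INCREMENT);

    /* The original read Irp->IoStatus.Status *after* completing the IRP;
     * once completed the IRP may already be freed, so return a constant. */
    return STATUS_SUCCESS;
}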
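/*
 * DriverUnload - restores the hooked IRP_MJ_CREATE entry, then removes the
 * symbolic link and the control device.
 *
 * The original did not undo the hook, so after unload the hooked driver kept
 * dispatching create requests into unmapped code. Restoring the entry closes
 * that window for new requests; a request already executing inside
 * HookCreateDispatch at unload time is still not protected (a minifilter is
 * the supported way to get that guarantee).
 *
 * pDriverObject: this driver's object.
 */
void DriverUnload(IN PDRIVER_OBJECT pDriverObject)
{
    UNICODE_STRING uniNameString;

    /* Only restore if HookFileSystem actually installed our handler. */
    if (pDeviceObject != NULL && RealCreateDispatch != NULL &&
        pDeviceObject->MajorFunction[IRP_MJ_CREATE] == HookCreateDispatch) {
        InterlockedExchangePointer((PVOID volatile *)&pDeviceObject->MajorFunction[IRP_MJ_CREATE],
                                   (PVOID)RealCreateDispatch);
    }

    RtlInitUnicodeString(&uniNameString, L"");
    IoDeleteSymbolicLink(&uniNameString);          /* remove the Win32-visible link */
    IoDeleteDevice(pDriverObject->DeviceObject);   /* remove the control device */
}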
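/*
 * HookFileSystem - opens the device named by uniDeviceName (empty in this
 * listing), finds the driver that services it and replaces that driver's
 * IRP_MJ_CREATE dispatch entry with HookCreateDispatch, saving the original
 * in RealCreateDispatch.
 *
 * Overwriting another driver's MajorFunction table is unsupported by Windows
 * and is exactly the kind of modification kernel integrity checks and
 * security products look for; the supported way to observe create requests
 * is a file-system minifilter (FltRegisterFilter). Failures are reported only
 * through DbgPrint; on success the globals pFileDeviceObject, pDeviceObject
 * and RealCreateDispatch are set.
 */
void HookFileSystem(void)
{
    UNICODE_STRING uniDeviceName;
    NTSTATUS ntStatus;
    IO_STATUS_BLOCK ioStatusBlock;
    PVOID pFileObject = NULL;

    RtlInitUnicodeString(&uniDeviceName, L"");
    InitializeObjectAttributes(&ObjectAttrib, &uniDeviceName, OBJ_CASE_INSENSITIVE, NULL, NULL);

    /* Open the device as a directory so we can reach its device object. */
    ntStatus = ZwCreateFile(&hFileHandle, SYNCHRONIZE | FILE_ANY_ACCESS, &ObjectAttrib, &ioStatusBlock,
                            0, 0, FILE_SHARE_READ | FILE_SHARE_WRITE, FILE_OPEN,
                            FILE_SYNCHRONOUS_IO_NONALERT | FILE_DIRECTORY_FILE, 0, 0);
    if (!NT_SUCCESS(ntStatus)) {
        DbgPrint("ZwCreateFile Failed,ntstatus:%ld\n", ntStatus);
        return;
    }

    /* Handle -> file object (takes a reference we must drop). */
    ntStatus = ObReferenceObjectByHandle(hFileHandle, FILE_READ_DATA, 0, 0, &pFileObject, NULL);
    if (!NT_SUCCESS(ntStatus)) {
        ZwClose(hFileHandle);
        hFileHandle = NULL;   /* do not leave a closed handle value in the global */
        DbgPrint("ObReferenceObjectByHandle Failed,ntstatus:%ld\n", ntStatus);
        return;
    }

    /* File object -> device object. IoGetRelatedDeviceObject returns the top
     * of the device stack, so if a filter sits above the file system the hook
     * lands on that filter's driver rather than on the file system itself. */
    pFileDeviceObject = IoGetRelatedDeviceObject(pFileObject);
    ObDereferenceObject(pFileObject);   /* drop the reference taken above */
    ZwClose(hFileHandle);
    hFileHandle = NULL;
    if (pFileDeviceObject == NULL) {
        DbgPrint("Get File Object Failed\n");
        return;
    }

    pDeviceObject = pFileDeviceObject->DriverObject;
    if (pDeviceObject == NULL) {
        DbgPrint("Device has no driver object\n");
        return;
    }
    if (pDeviceObject->MajorFunction[IRP_MJ_CREATE] == HookCreateDispatch) {
        DbgPrint("already hook IRP_MJ_CREATE\n");
        return;
    }

    /* Save the original handler *before* publishing the hook (the hook calls
     * through RealCreateDispatch), then swap the table entry atomically so a
     * concurrent create request sees either the old or the new pointer. */
    RealCreateDispatch = pDeviceObject->MajorFunction[IRP_MJ_CREATE];
    InterlockedExchangePointer((PVOID volatile *)&pDeviceObject->MajorFunction[IRP_MJ_CREATE],
                               (PVOID)HookCreateDispatch);
}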
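/*
 * HookCreateDispatch - replacement IRP_MJ_CREATE handler installed by
 * HookFileSystem. Logs the driver name and the file name being opened, then
 * forwards the request to the original handler saved in RealCreateDispatch.
 *
 * DeviceObject, Irp: the arguments the I/O manager passed to the hooked driver.
 * Returns the original handler's status. The original code discarded that
 * value and returned 0, which reported STATUS_PENDING and every failure as
 * success to the I/O manager.
 */
NTSTATUS HookCreateDispatch(IN PDEVICE_OBJECT DeviceObject, IN PIRP Irp)
{
    PIO_STACK_LOCATION pIoCurrentStack;
    PFILE_OBJECT pFileObject;

    /* UNICODE_STRING buffers are not NUL-terminated, so "%S" on .Buffer can
     * read past the string; %wZ prints the counted string instead. */
    if (DeviceObject->DriverObject != NULL) {
        DbgPrint("DeviceName:%wZ\r\n", &DeviceObject->DriverObject->DriverName);
    }

    pIoCurrentStack = IoGetCurrentIrpStackLocation(Irp);
    pFileObject = pIoCurrentStack->FileObject;
    if (pFileObject != NULL) {
        DbgPrint("FileName:%wZ\r\n", &pFileObject->FileName);
    }

    /* Call the saved handler through the C function pointer instead of MSVC
     * x86 inline asm: portable to x64 and the return value is propagated.
     * If the hook runs without a saved handler, fail the IRP cleanly rather
     * than jumping through NULL. */
    if (RealCreateDispatch == NULL) {
        Irp->IoStatus.Status = STATUS_INVALID_DEVICE_REQUEST;
        Irp->IoStatus.Information = 0;
        IoCompleteRequest(Irp, IO_NO_INCREMENT);
        return STATUS_INVALID_DEVICE_REQUEST;
    }
    return RealCreateDispatch(DeviceObject, Irp);
}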