/*++
Module Name:
MiniFilter.c
Abstract:
This is the main module of the MiniFilter miniFilter driver.
Environment:
Kernel mode
--*/
#include <fltKernel.h>
#include <dontuse.h>
#include <suppress.h>
#pragma prefast(disable:__WARNING_ENCODE_MEMBER_FUNCTION_POINTER, "Not valid for kernel mode drivers")
// Name of the communication port the user-mode utility connects to.
#define MINISPY_PORT_NAME L"\\MiniPort"
// Filter registration handle plus the server port and the (single) client port.
PFLT_FILTER gFilterHandle;
PFLT_PORT gServerPort;
PFLT_PORT gClientPort;
// Opaque context value for operation-status callbacks (its consumer is not in
// this excerpt; presumably passed to FltRequestOperationStatusCallback).
ULONG_PTR OperationStatusCtx = 1;
// Trace levels that PT_DBG_PRINT tests against gTraceFlags.
#define PTDBG_TRACE_ROUTINES 0x00000001
#define PTDBG_TRACE_OPERATION_STATUS 0x00000002
// Bitmask of enabled PTDBG_* levels; 0 silences every PT_DBG_PRINT.
ULONG gTraceFlags = 0;
// Defines the commands between the utility and the filter
typedef enum _MINI_COMMAND {
ENUM_PASS = 0,
ENUM_BLOCK
} MINI_COMMAND;
// Defines the command structure between the utility and the filter.
typedef struct _COMMAND_MESSAGE {
MINI_COMMAND Command;
} COMMAND_MESSAGE, *PCOMMAND_MESSAGE;
// Command currently in effect; starts as ENUM_PASS (the utility changes it
// through the message port, which is outside this excerpt).
MINI_COMMAND gCommand = ENUM_PASS;
// DbgPrint only when _dbgLevel is enabled in gTraceFlags. _string must be a
// parenthesised printf-style argument list, e.g. ("x=%d\n", x).
#define PT_DBG_PRINT( _dbgLevel, _string ) \
(FlagOn(gTraceFlags,(_dbgLevel)) ? \
DbgPrint _string : \
((int)0))
/*************************************************************************
Prototypes
*************************************************************************/
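/*
 * Convert a UNICODE_STRING into a lower-cased, NUL-terminated ANSI string
 * stored in Name[].
 *
 * Name must point to a buffer of at least NP_NAME_BUF_CHARS (260) bytes;
 * the parameter type cannot express that, so the bound is enforced here.
 *
 * Returns TRUE when Name was written. Returns FALSE when the conversion
 * fails, when the converted name does not fit (Name is then left untouched
 * - the original reported TRUE in that case and callers could read stale
 * data), or when an exception is raised.
 */
BOOLEAN NPUnicodeStringToChar(PUNICODE_STRING UniName, char Name[])
{
    enum { NP_NAME_BUF_CHARS = 260 };
    ANSI_STRING AnsiName;
    NTSTATUS ntstatus;
    BOOLEAN copied = FALSE;

    __try {
        // AllocateDestinationString == TRUE: AnsiName.Buffer is allocated by
        // the call and must only be freed when the call succeeded.
        ntstatus = RtlUnicodeStringToAnsiString(&AnsiName, UniName, TRUE);
        if (!NT_SUCCESS(ntstatus)) {
            DbgPrint("NPUnicodeStringToChar : RtlUnicodeStringToAnsiString failed 0x%08X\n",
                     (ULONG)ntstatus);
            return FALSE;
        }

        // Length excludes the terminator, so Length + 1 bytes must fit.
        if (AnsiName.Length < NP_NAME_BUF_CHARS) {
            RtlCopyMemory(Name, AnsiName.Buffer, AnsiName.Length);
            Name[AnsiName.Length] = '\0';
            // Lower-case in place so callers can compare case-insensitively.
            _strlwr(Name);
            DbgPrint("NPUnicodeStringToChar : %s\n", Name);
            copied = TRUE;
        }

        RtlFreeAnsiString(&AnsiName);
    }
    __except(EXCEPTION_EXECUTE_HANDLER) {
        DbgPrint("NPUnicodeStringToChar EXCEPTION_EXECUTE_HANDLER\n");
        return FALSE;
    }

    return copied;
}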
// Get the full image path of a process
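/*
 * Copy the image path the kernel recorded at process creation
 * (EPROCESS.SeAuditProcessCreationInfo.ImageFileName) into a freshly
 * allocated UNICODE_STRING.
 *
 * The field is reached through a hard-coded EPROCESS offset (0x1ec) that is
 * only valid for the Windows 7 x86 layout this driver was written against;
 * on any other build it reads an unrelated field. The offset is kept, but
 * the arithmetic is done on ULONG_PTR so the pointer is never truncated.
 *
 * On success *pImageFileName receives a NonPagedPool block (tag 'aPeS')
 * holding a UNICODE_STRING header immediately followed by the string data;
 * the caller owns it and must free it with ExFreePoolWithTag. On failure
 * *pImageFileName is set to NULL and NULL is returned (the original left the
 * out-parameter unset on failure).
 */
PUNICODE_STRING GetSeLocateProcessImageName(PEPROCESS Process,PUNICODE_STRING *pImageFileName)
{
    POBJECT_NAME_INFORMATION pProcessImageName;
    PUNICODE_STRING pTempUS;
    ULONG NameLength;

    // Leave the out-parameter in a defined state on every path.
    *pImageFileName = NULL;

    // Process->SeAuditProcessCreationInfo.ImageFileName, win7 x86 offset 0x1ec.
    pProcessImageName = *(POBJECT_NAME_INFORMATION *)((ULONG_PTR)Process + 0x1ec);
    if (pProcessImageName == NULL) {
        DbgPrint("Process->SeAuditProcessCreationInfo.ImageFileName == NULL \n");
        return NULL;
    }

    // The single RtlCopyMemory below assumes the OBJECT_NAME_INFORMATION is
    // laid out as the UNICODE_STRING header followed by MaximumLength bytes
    // of inline string data (as the original code assumed) - confirm against
    // the target build before changing it.
    NameLength = sizeof(UNICODE_STRING) + pProcessImageName->Name.MaximumLength;
    pTempUS = ExAllocatePoolWithTag(NonPagedPool, NameLength, 'aPeS');
    if (pTempUS == NULL) {
        return NULL;
    }

    RtlCopyMemory(pTempUS, &pProcessImageName->Name, NameLength);
    // Point Buffer at our copy of the data, not at the kernel's original.
    pTempUS->Buffer = (PWSTR)(((PUCHAR)pTempUS) + sizeof(UNICODE_STRING));
    DbgPrint("Path:%wZ\n", &pProcessImageName->Name);

    *pImageFileName = pTempUS;
    return pTempUS;
}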
// Resolve the FILE_OBJECT behind a section object by walking fixed offsets.
// NOTE(review): the offsets 0x14, 0x00 and 0x24 are build-specific (this
// file targets Windows 7 x86, judging by the EPROCESS offsets used
// elsewhere); on any other build they dereference unrelated fields. The
// returned pointer is NOT referenced here - the caller must take its own
// reference - and if the final field is an EX_FAST_REF on the target build
// its low tag bits would need masking; confirm against the target layout.
PFILE_OBJECT __declspec(naked) __stdcall _MmGetFileObjectForSection(PVOID Section)
{
    __asm
    {
        // naked function: build our own frame
        push ebp;
        mov ebp, esp;
        // eax = Section (the only stdcall argument, at [ebp+8])
        mov eax, dword ptr ss:[ebp + 0x08];
        // three dependent loads: Section -> +0x14 -> +0x00 -> +0x24
        mov eax, dword ptr ds:[eax + 0x14];
        mov eax, dword ptr ds:[eax];
        mov eax, dword ptr ds:[eax + 0x24];
        // tear down the frame; stdcall callee pops the 4-byte argument
        mov esp, ebp;
        pop ebp;
        ret 0x04;
    }
}
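/*
 * Look up the FILE_OBJECT backing a process's image section and return it
 * with a reference held.
 *
 * The section object is read from EPROCESS at the hard-coded offset 0x138
 * (Windows 7 x86 layout; wrong on other builds) and resolved through
 * _MmGetFileObjectForSection, which returns an unreferenced pointer.
 *
 * Returns STATUS_SUCCESS with *OutFileObject holding a referenced
 * FILE_OBJECT that the caller must release with ObDereferenceObject.
 * Returns STATUS_UNSUCCESSFUL, with *OutFileObject set to NULL, when the
 * process has no section object or the lookup yields NULL (the original
 * passed a NULL pointer straight to ObReferenceObject in that case).
 */
NTSTATUS PsReferenceProcessFilePointer(IN PEPROCESS Process, OUT PVOID *OutFileObject)
{
    PVOID SectionObject;
    PFILE_OBJECT FileObject;

    *OutFileObject = NULL;

    // EPROCESS.SectionObject, win7 x86 offset 0x138.
    SectionObject = *(PVOID *)((PCHAR)Process + 0x138);
    if (SectionObject == NULL) {
        return STATUS_UNSUCCESSFUL;
    }

    FileObject = _MmGetFileObjectForSection(SectionObject);
    if (FileObject == NULL) {
        return STATUS_UNSUCCESSFUL;
    }

    // Hand the caller its own reference so the object outlives the section.
    ObReferenceObject(FileObject);
    *OutFileObject = FileObject;
    return STATUS_SUCCESS;
}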
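/*
 * Return the DOS-device form of a process's image path.
 *
 * Returns NULL when the image file object or its DOS name cannot be
 * obtained. On success the result is the Name member at the start of the
 * OBJECT_NAME_INFORMATION block allocated by IoQueryFileDosDeviceName; the
 * caller owns that block and must ExFreePool it (Name is the first member,
 * so the returned pointer is the block's base address).
 *
 * The file-object reference taken by PsReferenceProcessFilePointer is
 * released on both paths; the original leaked it when the name query failed.
 */
PUNICODE_STRING PsGetProcessFullName(PEPROCESS pTargetProcess)
{
    PFILE_OBJECT pFileObject = NULL;
    POBJECT_NAME_INFORMATION pObjectNameInfo = NULL;
    NTSTATUS status;

    if (!NT_SUCCESS(PsReferenceProcessFilePointer(pTargetProcess, &pFileObject))) {
        return NULL;
    }

    status = IoQueryFileDosDeviceName(pFileObject, &pObjectNameInfo);
    // The name has been copied into its own allocation, so the file object
    // is no longer needed whether or not the query succeeded.
    ObDereferenceObject(pFileObject);
    if (!NT_SUCCESS(status)) {
        return NULL;
    }

    return &(pObjectNameInfo->Name);
}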
DRIVER_INITIALIZE DriverEntry;
NTSTATUS
DriverEntry (
_In_ PDRIVER_OBJECT DriverObject,
_In_ PUNICODE_STRING RegistryPath
);
NTSTATUS
MiniFilterInstanceSetup (
_In_ PCFLT_RELATED_OBJECTS FltObjects,
_In_ FLT_INSTANCE_SETUP_FLAGS Flags,
_In_ DEVICE_TYPE VolumeDeviceType,
_In_ FLT_FILESYSTEM_TYPE VolumeFilesystemType
);
VOID
MiniFilterInstanceTeardownStart (
_In_ PCFLT_RELATED_OBJECTS FltObjects,
_In_ FLT_INSTANCE_TEARDOWN_FLAGS Flags
);
VOID
MiniFilterInstanceTeardownComplete (
_In_ PCFLT_RELATED_OBJECTS FltObjects,
_In_ FLT_INSTANCE_TEARDOWN_FLAGS Flags
);
NTSTATUS
MiniFilterUnload (
_In_ FLT_FILTER_UNLOAD_FLAGS Flags
);
NTSTATUS
MiniFilterInstanceQueryTeardown (
_In_ PCFLT_RELATED_OBJECTS FltObjects,
_In_ FLT_INSTANCE_QUERY_TEARDOWN_FLAGS Flags
);
FLT_PREOP_CALLBACK_STATUS
MiniFilterPreOperation (
_Inout_ PFLT_CALLBACK_DATA Data,
_In_ PCFLT_RELATED_OBJECTS FltObjects,
_Flt_CompletionContext_Outptr_ PVOID *CompletionContext
);
VOID
MiniFilterOperationStatusCallback (
_In_ PCFLT_RELATED_OBJECTS FltObjects,
_In_ PFLT_IO_PARAMETER_BLOCK ParameterSnapshot,
_In_ NTSTATUS OperationStatus,
_In_ PVOID RequesterContext
);
FLT_POSTOP_CALLBACK_STATUS
MiniFilterPostOperation (
_Inout_ PFLT_CALLBACK_DATA Data,
_In_ PCFLT_RELATED_OBJECTS FltObjects,
_In_opt_ PVOID CompletionContext,
_In_ FLT_POST_OPERATION_FLAGS Flags
);
FLT_PREOP_CALLBACK_STATUS
MiniFilterPreOperationNoPostOperation (
_Inout_ PFLT_CALLBACK_DATA Data,
_In_ PCFLT_RELATED_OBJECTS FltObjects,
_Flt_CompletionContext_Outptr_ PVOID *CompletionContext
);
BOOLEAN
MiniFilterDoRequestOperationStatus(
_In_ PFLT_CALLBACK_DATA Data
);
//
// Assign text sections for each routine.
// Establish the connection between user mode and kernel mode
NTSTATUS
MiniConnect(
__in PFLT_PORT ClientPort,
__in PVOID ServerPortCookie,
__in_bcount(SizeOfContext) PVOID ConnectionContext,
__in ULONG SizeOfContext,
__deref_out_opt PVOID *ConnectionCookie
);
// Tear down the connection between user mode and kernel mode
VOID
MiniDisconnect(
__in_opt PVOID ConnectionCookie
);
// Transfer data between user mode and kernel mode
NTSTATUS
MiniMessage (
__in PVOID ConnectionCookie,
__in_bcount_opt(InputBufferSize) PVOID InputBuffer,
__in ULONG InputBufferSize,
__out_bcount_part_opt(OutputBufferSize,*ReturnOutputBufferLength) PVOID OutputBuffer,
__in ULONG OutputBufferSize,
__out PULONG ReturnOutputBufferLength
);
// Place DriverEntry in the discardable INIT section and the instance/unload
// routines in pageable code; every routine listed here must only run at
// PASSIVE_LEVEL.
#ifdef ALLOC_PRAGMA
#pragma alloc_text(INIT, DriverEntry)
#pragma alloc_text(PAGE, MiniFilterUnload)
#pragma alloc_text(PAGE, MiniFilterInstanceQueryTeardown)
#pragma alloc_text(PAGE, MiniFilterInstanceSetup)
#pragma alloc_text(PAGE, MiniFilterInstanceTeardownStart)
#pragma alloc_text(PAGE, MiniFilterInstanceTeardownComplete)
#endif
//
// operation registration
//
CONST FLT_OPERATION_REGISTRATION Callbacks[] = {
{ IRP_MJ_CREATE,
0,
MiniFilterPreOperation,
MiniFilterPostOperation },
#if 0 // TODO - List all of the requests to filter.
{ IRP_MJ_CREATE_NAMED_PIPE,
0,
MiniFilterPreOperation,
MiniFilterPostOperation },
{ IRP_MJ_CLOSE,
0,
MiniFilterPreOperation,
MiniFilterPostOperation },
{ IRP_MJ_READ,
0,
MiniFilterPreOperation,
MiniFilterPostOperation },
{ IRP_MJ_WRITE,
0,
MiniFilterPreOperation,
MiniFilterPostOperation },
{ IRP_M
windows内科安全与驱动开发,minifilter禁止txt文件打开demo
《寒江独钓 Windows内核安全编程》的miniflter简单介绍和使用,Minifilter驱动文件,用Minifilter.inf安装 UseMinifilter,应用层 Minifilter_dll ,应用层(客户程序和驱动层通信)
MiniFilter.rar (25个子文件)
MiniFilter
MiniFilter Package
VistaDebug
MiniFilter Package.vcxproj 7KB
MiniFilter Package.vcxproj.filters 361B
UseMiniFilter
UseMiniFilter.vcxproj 4KB
App.cpp 2KB
App.h 480B
Debug
UseMiniFilter.vcxproj.filters 1KB
MiniFilter_dll
MiniFilter_dll.vcxproj 4KB
MiniFilter_dll.vcxproj.filters 1KB
MiniFilter_dll.cpp 1KB
Debug
MiniFilter_dll.h 840B
Win7Debug
MiniFilter.inf 3KB
MiniFilter.pdb 291KB
MiniFilter.sys 12KB
MiniFilter.cer 800B
MiniFilter
MiniFilter.inf 3KB
MiniFilter.vcxproj 7KB
Win7Debug
VistaDebug
MiniFilter.rc 264B
MiniFilter.c 30KB
MiniFilter.vcxproj.filters 1KB
VistaDebug
MiniFilter.sln 10KB
Debug
MiniFilter_dll.lib 2KB
MiniFilter_dll.exp 803B
UseMiniFilter.exe 1022KB
MiniFilter_dll.dll 448KB
MiniFilter.v11.suo 42KB