最近感觉有点浮躁 不知道为什么 可能是学习 驱动学的有点心态崩吧。。。。。 但是还是咬咬牙坚持了 、
因为感觉自己现在还差了远 如果自己 寒假不好好学习 内核这方面的知识 下学期 还要去 撸关于CTF的东西 自己一直海峡那个去看看 编译原理 所以
感觉 任务比较多呀!!!!!!!!!!
然后这次 博客 是根据 Windows黑客编程技术详解 一书所写 感觉很惭愧 感觉博客写的不怎么样 但是 寒假 所写的博客 主要是 让自己
看着不忘 为以后 写出更好的博客 打基础 如果有些的不好的话 还请各位见谅
然后这次文件监控 是用 Minifilter 框架写的 然后这个框架比较好理解 虽然说 代码看起来很多
但是主要的就是
设置程序过滤的irp 所要监控的文件操作
使用 FltRegisterFilter 注册过滤器
使用 FltStartFiltering 开启过滤器
然后 在 DriverUnload 中使用 FltUnregisterFilter 卸载过滤器
然后 在vs2013 的项目中直接选择
我鼠标选定的项目即可
然后
首先 设置要过滤的IRP
然后 在回调里面写入然后 设置就行了
代码如下
//
// Operation registration table: one entry per I/O operation this minifilter
// wants to see, each written as { major function, flags, pre-callback,
// post-callback }.  It is referenced when the filter is registered
// (FltRegisterFilter, done elsewhere in the driver).
//
// Only IRP_MJ_CREATE, IRP_MJ_READ, IRP_MJ_WRITE and IRP_MJ_SET_INFORMATION are
// active.  The remaining entries are the WDK template's full list and sit under
// "#if 0", so they are never compiled.  The IRP_MJ_OPERATION_END entry
// terminates the table.
//
CONST FLT_OPERATION_REGISTRATION Callbacks[] = {

    // file open / create
    { IRP_MJ_CREATE,
      0,
      Minifilter_FileMonitor_TestPreOperation,
      Minifilter_FileMonitor_TestPostOperation },

    // file read
    { IRP_MJ_READ,
      0,
      Minifilter_FileMonitor_TestPreOperation,
      Minifilter_FileMonitor_TestPostOperation },

    // file write
    { IRP_MJ_WRITE,
      0,
      Minifilter_FileMonitor_TestPreOperation,
      Minifilter_FileMonitor_TestPostOperation },

    // file information change (covers rename/delete dispositions, among others)
    { IRP_MJ_SET_INFORMATION,
      0,
      Minifilter_FileMonitor_TestPreOperation,
      Minifilter_FileMonitor_TestPostOperation },

#if 0 // TODO - List all of the requests to filter.
    // Template entries, disabled: everything below is skipped by the compiler.

    { IRP_MJ_CREATE_NAMED_PIPE, 0,
      Minifilter_FileMonitor_TestPreOperation, Minifilter_FileMonitor_TestPostOperation },

    { IRP_MJ_CLOSE, 0,
      Minifilter_FileMonitor_TestPreOperation, Minifilter_FileMonitor_TestPostOperation },

    { IRP_MJ_QUERY_INFORMATION, 0,
      Minifilter_FileMonitor_TestPreOperation, Minifilter_FileMonitor_TestPostOperation },

    { IRP_MJ_QUERY_EA, 0,
      Minifilter_FileMonitor_TestPreOperation, Minifilter_FileMonitor_TestPostOperation },

    { IRP_MJ_SET_EA, 0,
      Minifilter_FileMonitor_TestPreOperation, Minifilter_FileMonitor_TestPostOperation },

    { IRP_MJ_FLUSH_BUFFERS, 0,
      Minifilter_FileMonitor_TestPreOperation, Minifilter_FileMonitor_TestPostOperation },

    { IRP_MJ_QUERY_VOLUME_INFORMATION, 0,
      Minifilter_FileMonitor_TestPreOperation, Minifilter_FileMonitor_TestPostOperation },

    { IRP_MJ_SET_VOLUME_INFORMATION, 0,
      Minifilter_FileMonitor_TestPreOperation, Minifilter_FileMonitor_TestPostOperation },

    { IRP_MJ_DIRECTORY_CONTROL, 0,
      Minifilter_FileMonitor_TestPreOperation, Minifilter_FileMonitor_TestPostOperation },

    { IRP_MJ_FILE_SYSTEM_CONTROL, 0,
      Minifilter_FileMonitor_TestPreOperation, Minifilter_FileMonitor_TestPostOperation },

    { IRP_MJ_DEVICE_CONTROL, 0,
      Minifilter_FileMonitor_TestPreOperation, Minifilter_FileMonitor_TestPostOperation },

    { IRP_MJ_INTERNAL_DEVICE_CONTROL, 0,
      Minifilter_FileMonitor_TestPreOperation, Minifilter_FileMonitor_TestPostOperation },

    // post operations not supported for shutdown, hence the NoPostOperation
    // pre-callback and a NULL post-callback
    { IRP_MJ_SHUTDOWN, 0,
      Minifilter_FileMonitor_TestPreOperationNoPostOperation, NULL },

    { IRP_MJ_LOCK_CONTROL, 0,
      Minifilter_FileMonitor_TestPreOperation, Minifilter_FileMonitor_TestPostOperation },

    { IRP_MJ_CLEANUP, 0,
      Minifilter_FileMonitor_TestPreOperation, Minifilter_FileMonitor_TestPostOperation },

    { IRP_MJ_CREATE_MAILSLOT, 0,
      Minifilter_FileMonitor_TestPreOperation, Minifilter_FileMonitor_TestPostOperation },

    { IRP_MJ_QUERY_SECURITY, 0,
      Minifilter_FileMonitor_TestPreOperation, Minifilter_FileMonitor_TestPostOperation },

    { IRP_MJ_SET_SECURITY, 0,
      Minifilter_FileMonitor_TestPreOperation, Minifilter_FileMonitor_TestPostOperation },

    { IRP_MJ_QUERY_QUOTA, 0,
      Minifilter_FileMonitor_TestPreOperation, Minifilter_FileMonitor_TestPostOperation },

    { IRP_MJ_SET_QUOTA, 0,
      Minifilter_FileMonitor_TestPreOperation, Minifilter_FileMonitor_TestPostOperation },

    { IRP_MJ_PNP, 0,
      Minifilter_FileMonitor_TestPreOperation, Minifilter_FileMonitor_TestPostOperation },

    { IRP_MJ_ACQUIRE_FOR_SECTION_SYNCHRONIZATION, 0,
      Minifilter_FileMonitor_TestPreOperation, Minifilter_FileMonitor_TestPostOperation },

    { IRP_MJ_RELEASE_FOR_SECTION_SYNCHRONIZATION, 0,
      Minifilter_FileMonitor_TestPreOperation, Minifilter_FileMonitor_TestPostOperation },

    { IRP_MJ_ACQUIRE_FOR_MOD_WRITE, 0,
      Minifilter_FileMonitor_TestPreOperation, Minifilter_FileMonitor_TestPostOperation },

    { IRP_MJ_RELEASE_FOR_MOD_WRITE, 0,
      Minifilter_FileMonitor_TestPreOperation, Minifilter_FileMonitor_TestPostOperation },

    { IRP_MJ_ACQUIRE_FOR_CC_FLUSH, 0,
      Minifilter_FileMonitor_TestPreOperation, Minifilter_FileMonitor_TestPostOperation },

    { IRP_MJ_RELEASE_FOR_CC_FLUSH, 0,
      Minifilter_FileMonitor_TestPreOperation, Minifilter_FileMonitor_TestPostOperation },

    { IRP_MJ_FAST_IO_CHECK_IF_POSSIBLE, 0,
      Minifilter_FileMonitor_TestPreOperation, Minifilter_FileMonitor_TestPostOperation },

    { IRP_MJ_NETWORK_QUERY_OPEN, 0,
      Minifilter_FileMonitor_TestPreOperation, Minifilter_FileMonitor_TestPostOperation },

    { IRP_MJ_MDL_READ, 0,
      Minifilter_FileMonitor_TestPreOperation, Minifilter_FileMonitor_TestPostOperation },

    { IRP_MJ_MDL_READ_COMPLETE, 0,
      Minifilter_FileMonitor_TestPreOperation, Minifilter_FileMonitor_TestPostOperation },

    { IRP_MJ_PREPARE_MDL_WRITE, 0,
      Minifilter_FileMonitor_TestPreOperation, Minifilter_FileMonitor_TestPostOperation },

    { IRP_MJ_MDL_WRITE_COMPLETE, 0,
      Minifilter_FileMonitor_TestPreOperation, Minifilter_FileMonitor_TestPostOperation },

    { IRP_MJ_VOLUME_MOUNT, 0,
      Minifilter_FileMonitor_TestPreOperation, Minifilter_FileMonitor_TestPostOperation },

    { IRP_MJ_VOLUME_DISMOUNT, 0,
      Minifilter_FileMonitor_TestPreOperation, Minifilter_FileMonitor_TestPostOperation },

#endif // TODO

    // terminator, required as the last entry
    { IRP_MJ_OPERATION_END }
};
然后开启和关闭过滤器的代码 vs2013也生成好了 然后主要是回调函数 代码是 windows 黑客编程技术详解的源代码
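//
// Returns TRUE when the file name in lpNameInfo contains the protected file
// name "520.exe", FALSE otherwise.
//
// lpNameInfo - name information obtained from FltGetFileNameInformation() and
//              parsed with FltParseFileNameInformation(); NULL is tolerated.
//
// The search runs directly over Name.Buffer, bounded by Name.Length (a byte
// count, as for any UNICODE_STRING), so no pool allocation is needed and the
// name does not have to be NUL-terminated.  This replaces the earlier copy
// into fixed 256/512-byte pool buffers, which (a) never checked the
// ExAllocatePool() results for NULL, (b) copied Name.Length + 2 bytes into a
// 512-byte buffer and so overflowed it for paths longer than 255 characters,
// and (c) copied only wcslen(L"520.exe") + 2 = 9 of the pattern's 16 bytes,
// so the string actually compared was shorter than "520.exe".
//
// As with the original wcsstr() comparison, the match is case-sensitive and
// succeeds anywhere in the path, not only in the final path component.
//
BOOLEAN IsProtectionFile(PFLT_FILE_NAME_INFORMATION lpNameInfo)
{
    static const WCHAR szProtectionFileName[] = L"520.exe";
    // number of characters in the pattern, terminator excluded
    const size_t cchPattern = (sizeof(szProtectionFileName) / sizeof(WCHAR)) - 1;
    size_t cchName;
    size_t i;
    size_t j;

    if (NULL == lpNameInfo || NULL == lpNameInfo->Name.Buffer) {
        return FALSE;
    }

    // Length is in bytes; convert to characters
    cchName = lpNameInfo->Name.Length / sizeof(WCHAR);
    if (cchName < cchPattern) {
        return FALSE;
    }

    // bounded substring search: i + cchPattern <= cchName keeps every
    // Buffer[i + j] access inside the string
    for (i = 0; i + cchPattern <= cchName; i++) {
        for (j = 0; j < cchPattern; j++) {
            if (lpNameInfo->Name.Buffer[i + j] != szProtectionFileName[j]) {
                break;
            }
        }
        if (j == cchPattern) {
            return TRUE;
        }
    }

    return FALSE;
}

/*************************************************************************
MiniFilter callback routines.
*************************************************************************/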
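FLT_PREOP_CALLBACK_STATUS
Minifilter_FileMonitor_TestPreOperation (
    _Inout_ PFLT_CALLBACK_DATA Data,
    _In_ PCFLT_RELATED_OBJECTS FltObjects,
    _Flt_CompletionContext_Outptr_ PVOID *CompletionContext
    )
/*++

Routine Description:

    Pre-operation dispatch routine for this miniFilter.  It is non-pageable
    because it can be called on the paging path.

    For IRP_MJ_CREATE, IRP_MJ_READ, IRP_MJ_WRITE and IRP_MJ_SET_INFORMATION the
    name of the target file is looked up and, if IsProtectionFile() recognises
    it as the protected file, the operation is logged and completed here with
    STATUS_ACCESS_DENIED instead of being passed down the stack.  Every other
    operation, any operation whose name cannot be obtained, and any operation
    on a non-protected file is passed down unchanged.

    Only the name of the file the operation targets is examined.  A rename
    *onto* the protected name (the destination of an IRP_MJ_SET_INFORMATION
    rename, obtainable via FltGetDestinationFileNameInformation) is not
    checked.

Arguments:

    Data - Pointer to the filter callbackData that is passed to us.

    FltObjects - Pointer to the FLT_RELATED_OBJECTS data structure containing
        opaque handles to this filter, instance, its associated volume and
        file object.

    CompletionContext - The context for the completion routine for this
        operation.

Return Value:

    FLT_PREOP_COMPLETE when the operation was denied here (Data->IoStatus is
    then set to STATUS_ACCESS_DENIED); otherwise
    FLT_PREOP_SUCCESS_WITH_CALLBACK so the request continues down the chain
    and the post-operation callback runs.

--*/
{
    NTSTATUS status;
    UCHAR MajorFunction;
    PFLT_FILE_NAME_INFORMATION lpNameInfo = NULL;
    const char *lpszOperation = NULL;
    FLT_PREOP_CALLBACK_STATUS callbackStatus = FLT_PREOP_SUCCESS_WITH_CALLBACK;

    UNREFERENCED_PARAMETER( FltObjects );
    UNREFERENCED_PARAMETER( CompletionContext );

    PT_DBG_PRINT( PTDBG_TRACE_ROUTINES,
                  ("Minifilter_FileMonitor_Test!Minifilter_FileMonitor_TestPreOperation: Entered\n") );

    //
    // Decide up front whether this is a monitored operation, so the (costly)
    // name lookup is only done for the four operations we actually act on.
    // All four are handled identically apart from the log label.
    //
    MajorFunction = Data->Iopb->MajorFunction;
    switch (MajorFunction) {
    case IRP_MJ_CREATE:
        lpszOperation = "IRP_MJ_CREATE";
        break;
    case IRP_MJ_READ:
        lpszOperation = "IRP_MJ_READ";
        break;
    case IRP_MJ_WRITE:
        lpszOperation = "IRP_MJ_WRITE";
        break;
    case IRP_MJ_SET_INFORMATION:
        lpszOperation = "IRP_MJ_SET_INFORMATION";
        break;
    default:
        // not monitored: pass straight down
        return FLT_PREOP_SUCCESS_WITH_CALLBACK;
    }

    // Obtain the normalized path of the target file.
    status = FltGetFileNameInformation(Data,
                                       FLT_FILE_NAME_NORMALIZED | FLT_FILE_NAME_QUERY_DEFAULT,
                                       &lpNameInfo);
    if (!NT_SUCCESS(status)) {
        // no name available (nothing to release on this path): let it through
        return FLT_PREOP_SUCCESS_WITH_CALLBACK;
    }

    status = FltParseFileNameInformation(lpNameInfo);
    if (NT_SUCCESS(status) && IsProtectionFile(lpNameInfo)) {
        KdPrint(("[%s]%wZ", lpszOperation, &lpNameInfo->Name));

        //
        // Completing the request in the pre-operation callback requires us to
        // supply the final status; without it the caller would observe an
        // unset/succeeded I/O status for an operation that never ran.
        //
        Data->IoStatus.Status = STATUS_ACCESS_DENIED;
        Data->IoStatus.Information = 0;
        callbackStatus = FLT_PREOP_COMPLETE;
    }

    //
    // FltGetFileNameInformation() returns a referenced structure; it must be
    // released on every path once obtained, or the reference leaks per call.
    //
    FltReleaseFileNameInformation(lpNameInfo);

    return callbackStatus;
}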
然后就这样了 书上还表示要采用inf的方式
选定inf文件 鼠标右键 安装
用管理员CMD输入 net start 服务名 启动服务 这个服务名是驱动名字
要是停止服务 输入 net stop 服务名即可