I feel a bit impetuous recently     Do not know why? It could be learning Driving is a little bit of a broken mentality ..... But still gritted his teeth and held on     ,

Because I feel like I'm still far from it     If you Don't study hard in winter vacation Knowledge of kernel Next semester I still have to go About CTF Something about   I went to see the channel all the time Principles of compilation     therefore
feel There are many tasks !!!!!!!!!!

And then this time   Blog It's based on  Windows Detailed explanation of hacker programming technology Written in a Book     I feel ashamed I feel that the blog is not good   however Winter vacation Blogs written Mainly Let yourself
Don't forget   For the future Write a better blog Laying the foundation   If something's not good   Please forgive me

 

And then this file monitoring Yes, it is Minifiter Frame written   Then the framework is easier to understand Although The code looks a lot   

But the main thing is

Set program filtered irp  File operations to be monitored

use FitRegisterFilter Registration filter  

use FtlStarFilering Open register

then stay DriverUnload Use FitUnregisterFilter Unload filter  

then stay vs2013 Direct selection in the project  

I can click the selected item  

then  

first Set the IRP

then Write in the callback and then Just set it up

The code is as follows
CONST FLT_OPERATION_REGISTRATION Callbacks[] = { { IRP_MJ_CREATE, 0,
Minifilter_FileMonitor_TestPreOperation,
Minifilter_FileMonitor_TestPostOperation }, { IRP_MJ_READ, 0,
Minifilter_FileMonitor_TestPreOperation,
Minifilter_FileMonitor_TestPostOperation }, { IRP_MJ_WRITE, 0,
Minifilter_FileMonitor_TestPreOperation,
Minifilter_FileMonitor_TestPostOperation }, { IRP_MJ_SET_INFORMATION, 0,
Minifilter_FileMonitor_TestPreOperation,
Minifilter_FileMonitor_TestPostOperation }, #if 0 // TODO - List all of the
requests to filter. { IRP_MJ_CREATE_NAMED_PIPE, 0,
Minifilter_FileMonitor_TestPreOperation,
Minifilter_FileMonitor_TestPostOperation }, { IRP_MJ_CLOSE, 0,
Minifilter_FileMonitor_TestPreOperation,
Minifilter_FileMonitor_TestPostOperation }, { IRP_MJ_QUERY_INFORMATION, 0,
Minifilter_FileMonitor_TestPreOperation,
Minifilter_FileMonitor_TestPostOperation }, { IRP_MJ_QUERY_EA, 0,
Minifilter_FileMonitor_TestPreOperation,
Minifilter_FileMonitor_TestPostOperation }, { IRP_MJ_SET_EA, 0,
Minifilter_FileMonitor_TestPreOperation,
Minifilter_FileMonitor_TestPostOperation }, { IRP_MJ_FLUSH_BUFFERS, 0,
Minifilter_FileMonitor_TestPreOperation,
Minifilter_FileMonitor_TestPostOperation }, { IRP_MJ_QUERY_VOLUME_INFORMATION,
0, Minifilter_FileMonitor_TestPreOperation,
Minifilter_FileMonitor_TestPostOperation }, { IRP_MJ_SET_VOLUME_INFORMATION, 0,
Minifilter_FileMonitor_TestPreOperation,
Minifilter_FileMonitor_TestPostOperation }, { IRP_MJ_DIRECTORY_CONTROL, 0,
Minifilter_FileMonitor_TestPreOperation,
Minifilter_FileMonitor_TestPostOperation }, { IRP_MJ_FILE_SYSTEM_CONTROL, 0,
Minifilter_FileMonitor_TestPreOperation,
Minifilter_FileMonitor_TestPostOperation }, { IRP_MJ_DEVICE_CONTROL, 0,
Minifilter_FileMonitor_TestPreOperation,
Minifilter_FileMonitor_TestPostOperation }, { IRP_MJ_INTERNAL_DEVICE_CONTROL,
0, Minifilter_FileMonitor_TestPreOperation,
Minifilter_FileMonitor_TestPostOperation }, { IRP_MJ_SHUTDOWN, 0,
Minifilter_FileMonitor_TestPreOperationNoPostOperation, NULL }, //post
operations not supported { IRP_MJ_LOCK_CONTROL, 0,
Minifilter_FileMonitor_TestPreOperation,
Minifilter_FileMonitor_TestPostOperation }, { IRP_MJ_CLEANUP, 0,
Minifilter_FileMonitor_TestPreOperation,
Minifilter_FileMonitor_TestPostOperation }, { IRP_MJ_CREATE_MAILSLOT, 0,
Minifilter_FileMonitor_TestPreOperation,
Minifilter_FileMonitor_TestPostOperation }, { IRP_MJ_QUERY_SECURITY, 0,
Minifilter_FileMonitor_TestPreOperation,
Minifilter_FileMonitor_TestPostOperation }, { IRP_MJ_SET_SECURITY, 0,
Minifilter_FileMonitor_TestPreOperation,
Minifilter_FileMonitor_TestPostOperation }, { IRP_MJ_QUERY_QUOTA, 0,
Minifilter_FileMonitor_TestPreOperation,
Minifilter_FileMonitor_TestPostOperation }, { IRP_MJ_SET_QUOTA, 0,
Minifilter_FileMonitor_TestPreOperation,
Minifilter_FileMonitor_TestPostOperation }, { IRP_MJ_PNP, 0,
Minifilter_FileMonitor_TestPreOperation,
Minifilter_FileMonitor_TestPostOperation }, {
IRP_MJ_ACQUIRE_FOR_SECTION_SYNCHRONIZATION, 0,
Minifilter_FileMonitor_TestPreOperation,
Minifilter_FileMonitor_TestPostOperation }, {
IRP_MJ_RELEASE_FOR_SECTION_SYNCHRONIZATION, 0,
Minifilter_FileMonitor_TestPreOperation,
Minifilter_FileMonitor_TestPostOperation }, { IRP_MJ_ACQUIRE_FOR_MOD_WRITE, 0,
Minifilter_FileMonitor_TestPreOperation,
Minifilter_FileMonitor_TestPostOperation }, { IRP_MJ_RELEASE_FOR_MOD_WRITE, 0,
Minifilter_FileMonitor_TestPreOperation,
Minifilter_FileMonitor_TestPostOperation }, { IRP_MJ_ACQUIRE_FOR_CC_FLUSH, 0,
Minifilter_FileMonitor_TestPreOperation,
Minifilter_FileMonitor_TestPostOperation }, { IRP_MJ_RELEASE_FOR_CC_FLUSH, 0,
Minifilter_FileMonitor_TestPreOperation,
Minifilter_FileMonitor_TestPostOperation }, { IRP_MJ_FAST_IO_CHECK_IF_POSSIBLE,
0, Minifilter_FileMonitor_TestPreOperation,
Minifilter_FileMonitor_TestPostOperation }, { IRP_MJ_NETWORK_QUERY_OPEN, 0,
Minifilter_FileMonitor_TestPreOperation,
Minifilter_FileMonitor_TestPostOperation }, { IRP_MJ_MDL_READ, 0,
Minifilter_FileMonitor_TestPreOperation,
Minifilter_FileMonitor_TestPostOperation }, { IRP_MJ_MDL_READ_COMPLETE, 0,
Minifilter_FileMonitor_TestPreOperation,
Minifilter_FileMonitor_TestPostOperation }, { IRP_MJ_PREPARE_MDL_WRITE, 0,
Minifilter_FileMonitor_TestPreOperation,
Minifilter_FileMonitor_TestPostOperation }, { IRP_MJ_MDL_WRITE_COMPLETE, 0,
Minifilter_FileMonitor_TestPreOperation,
Minifilter_FileMonitor_TestPostOperation }, { IRP_MJ_VOLUME_MOUNT, 0,
Minifilter_FileMonitor_TestPreOperation,
Minifilter_FileMonitor_TestPostOperation }, { IRP_MJ_VOLUME_DISMOUNT, 0,
Minifilter_FileMonitor_TestPreOperation,
Minifilter_FileMonitor_TestPostOperation }, #endif // TODO {
IRP_MJ_OPERATION_END } };
Then turn on and off the filter code vs2013 It's also generated Then it's mainly callback functions   The code is windows Hacker programming technology detailed explanation of the source code

 
BOOLEAN IsProtectionFile(PFLT_FILE_NAME_INFORMATION lpNameInfo) { BOOLEAN
bProtect = FALSE; PWCHAR lpszProtectionFileName, lpszFileName; // Request memory
lpszProtectionFileName = (PWCHAR)ExAllocatePool(NonPagedPool, 256);
lpszFileName = (PWCHAR)ExAllocatePool(NonPagedPool, 512); // Initialize memory
RtlZeroMemory(lpszProtectionFileName, 256); RtlZeroMemory(lpszFileName, 512);
// Copy data RtlCopyMemory(lpszFileName, lpNameInfo->Name.Buffer, (sizeof(WCHAR) +
lpNameInfo->Name.Length)); RtlCopyMemory(lpszProtectionFileName, L"520.exe",
(sizeof(WCHAR) + wcslen(L"520.exe"))); // judge if (NULL != wcsstr(lpszFileName,
lpszProtectionFileName)) { bProtect = TRUE; } // Free memory
ExFreePool(lpszProtectionFileName); ExFreePool(lpszFileName); return bProtect;
} /*************************************************************************
MiniFilter callback routines.
*************************************************************************/
FLT_PREOP_CALLBACK_STATUS Minifilter_FileMonitor_TestPreOperation ( _Inout_
PFLT_CALLBACK_DATA Data, _In_ PCFLT_RELATED_OBJECTS FltObjects,
_Flt_CompletionContext_Outptr_ PVOID *CompletionContext ) /*++ Routine
Description: This routine is a pre-operation dispatch routine for this
miniFilter. This is non-pageable because it could be called on the paging path
Arguments: Data - Pointer to the filter callbackData that is passed to us.
FltObjects - Pointer to the FLT_RELATED_OBJECTS data structure containing
opaque handles to this filter, instance, its associated volume and file object.
CompletionContext - The context for the completion routine for this operation.
Return Value: The return value is the status of the operation. --*/ { NTSTATUS
status; UNREFERENCED_PARAMETER( FltObjects ); UNREFERENCED_PARAMETER(
CompletionContext ); PT_DBG_PRINT( PTDBG_TRACE_ROUTINES,
("Minifilter_FileMonitor_Test!Minifilter_FileMonitor_TestPreOperation:
Entered\n") ); /* If you want to monitor it , Usually in PreXXX Inside processing , And if you want to monitor , Usually in the PostXXX in
handle ( Of course, surveillance is on PreXXX It's OK to deal with it ). Read and write the monitoring file below , delete , rename , Operation of changing property , And it is forbidden to specify files 520.exe Do anything .
The principle is : Get the file name in the parameter passed in , And print it out , If it is found to be a protected file , Return to the operation . */ // Get file path UCHAR MajorFunction =
Data->Iopb->MajorFunction; PFLT_FILE_NAME_INFORMATION lpNameInfo = NULL; status
= FltGetFileNameInformation(Data, FLT_FILE_NAME_NORMALIZED |
FLT_FILE_NAME_QUERY_DEFAULT, &lpNameInfo); if (NT_SUCCESS(status)) { status =
FltParseFileNameInformation(lpNameInfo); if (NT_SUCCESS(status)) { // CREATE if
(IRP_MJ_CREATE == MajorFunction) { if (IsProtectionFile(lpNameInfo)) {
KdPrint(("[IRP_MJ_CREATE]%wZ", &lpNameInfo->Name)); return FLT_PREOP_COMPLETE;
// return FLT_PREOP_DISALLOW_FASTIO; } } // read else if (IRP_MJ_READ ==
MajorFunction) { if (IsProtectionFile(lpNameInfo)) {
KdPrint(("[IRP_MJ_READ]%wZ", &lpNameInfo->Name)); return FLT_PREOP_COMPLETE; //
return FLT_PREOP_DISALLOW_FASTIO; } } // File write else if (IRP_MJ_WRITE ==
MajorFunction) { if (IsProtectionFile(lpNameInfo)) {
KdPrint(("[IRP_MJ_WRITE]%wZ", &lpNameInfo->Name)); return FLT_PREOP_COMPLETE;
// return FLT_PREOP_DISALLOW_FASTIO; } } // Modify file information else if
(IRP_MJ_SET_INFORMATION == MajorFunction) { if (IsProtectionFile(lpNameInfo)) {
KdPrint(("[IRP_MJ_SET_INFORMATION]%wZ", &lpNameInfo->Name)); return
FLT_PREOP_COMPLETE; // return FLT_PREOP_DISALLOW_FASTIO; } } } } /* // // See
if this is an operation we would like the operation status // for. If so
request it. // // NOTE: most filters do NOT need to do this. You only need to
make // this call if, for example, you need to know if the oplock was //
actually granted. // if (Minifilter_FileMonitor_TestDoRequestOperationStatus(
Data )) { status = FltRequestOperationStatusCallback( Data,
Minifilter_FileMonitor_TestOperationStatusCallback,
(PVOID)(++OperationStatusCtx) ); if (!NT_SUCCESS(status)) { PT_DBG_PRINT(
PTDBG_TRACE_OPERATION_STATUS,
("Minifilter_FileMonitor_Test!Minifilter_FileMonitor_TestPreOperation:
FltRequestOperationStatusCallback Failed, status=%08x\n", status) ); } } //
This template code does not do anything with the callbackData, but // rather
returns FLT_PREOP_SUCCESS_WITH_CALLBACK. // This passes the request down to the
next miniFilter in the chain. */ return FLT_PREOP_SUCCESS_WITH_CALLBACK; }
And that's it   The book also indicated that it would adopt inf The way   

selected inf file Right mouse button install

Use administrator CMD input net start service name   Start service   The service name is the driver name

If the service stops input net stop Service name is OK  

 

Technology