I feel a bit impetuous recently Do not know why? It could be learning Driving is a little bit of a broken mentality ..... But still gritted his teeth and held on ,
Because I feel like I'm still far from it If you Don't study hard in winter vacation Knowledge of kernel Next semester I still have to go About CTF Something about I went to see the channel all the time Principles of compilation therefore
feel There are many tasks !!!!!!!!!!
This blog post is based on the book *Windows Hacker Programming Technology Detailed Explanation*. I feel a bit ashamed that the post is not great, but the posts I write over winter vacation are mainly so that I
don't forget, and to lay the foundation for writing better posts in the future. If something isn't good, please forgive me.
This file monitor is written on the Minifilter framework. The framework is fairly easy to understand; although the code looks long,
the main steps are:
Set the IRPs the driver filters, i.e. the file operations to be monitored.
Use FltRegisterFilter to register the filter.
Use FltStartFiltering to start filtering.
Then, in DriverUnload, use FltUnregisterFilter to unload the filter.
Then, in the VS2013 project, this can be selected directly by clicking the item.
First set the IRPs, then write the callbacks, and the setup is done.
The code is as follows:
/*
 * Operation registration table handed to FltRegisterFilter.
 *
 * Every monitored major function uses the same pre/post callback pair, so the
 * pair is spelled once.  The IRP_MJ_SHUTDOWN entry inside the disabled
 * template block is the single exception: it has no post-operation callback.
 * Only the four live entries are intercepted; everything under "#if 0" is the
 * template's full list and is compiled out exactly as in the original.
 */
#define MONITORED_OPERATION(MajorFunction) \
    { (MajorFunction), 0, Minifilter_FileMonitor_TestPreOperation, Minifilter_FileMonitor_TestPostOperation }

CONST FLT_OPERATION_REGISTRATION Callbacks[] = {
    /* Open, read, write, and set-information (delete / rename / attributes). */
    MONITORED_OPERATION(IRP_MJ_CREATE),
    MONITORED_OPERATION(IRP_MJ_READ),
    MONITORED_OPERATION(IRP_MJ_WRITE),
    MONITORED_OPERATION(IRP_MJ_SET_INFORMATION),

#if 0 // TODO - List all of the requests to filter.
    MONITORED_OPERATION(IRP_MJ_CREATE_NAMED_PIPE),
    MONITORED_OPERATION(IRP_MJ_CLOSE),
    MONITORED_OPERATION(IRP_MJ_QUERY_INFORMATION),
    MONITORED_OPERATION(IRP_MJ_QUERY_EA),
    MONITORED_OPERATION(IRP_MJ_SET_EA),
    MONITORED_OPERATION(IRP_MJ_FLUSH_BUFFERS),
    MONITORED_OPERATION(IRP_MJ_QUERY_VOLUME_INFORMATION),
    MONITORED_OPERATION(IRP_MJ_SET_VOLUME_INFORMATION),
    MONITORED_OPERATION(IRP_MJ_DIRECTORY_CONTROL),
    MONITORED_OPERATION(IRP_MJ_FILE_SYSTEM_CONTROL),
    MONITORED_OPERATION(IRP_MJ_DEVICE_CONTROL),
    MONITORED_OPERATION(IRP_MJ_INTERNAL_DEVICE_CONTROL),
    { IRP_MJ_SHUTDOWN, 0, Minifilter_FileMonitor_TestPreOperationNoPostOperation, NULL }, //post operations not supported
    MONITORED_OPERATION(IRP_MJ_LOCK_CONTROL),
    MONITORED_OPERATION(IRP_MJ_CLEANUP),
    MONITORED_OPERATION(IRP_MJ_CREATE_MAILSLOT),
    MONITORED_OPERATION(IRP_MJ_QUERY_SECURITY),
    MONITORED_OPERATION(IRP_MJ_SET_SECURITY),
    MONITORED_OPERATION(IRP_MJ_QUERY_QUOTA),
    MONITORED_OPERATION(IRP_MJ_SET_QUOTA),
    MONITORED_OPERATION(IRP_MJ_PNP),
    MONITORED_OPERATION(IRP_MJ_ACQUIRE_FOR_SECTION_SYNCHRONIZATION),
    MONITORED_OPERATION(IRP_MJ_RELEASE_FOR_SECTION_SYNCHRONIZATION),
    MONITORED_OPERATION(IRP_MJ_ACQUIRE_FOR_MOD_WRITE),
    MONITORED_OPERATION(IRP_MJ_RELEASE_FOR_MOD_WRITE),
    MONITORED_OPERATION(IRP_MJ_ACQUIRE_FOR_CC_FLUSH),
    MONITORED_OPERATION(IRP_MJ_RELEASE_FOR_CC_FLUSH),
    MONITORED_OPERATION(IRP_MJ_FAST_IO_CHECK_IF_POSSIBLE),
    MONITORED_OPERATION(IRP_MJ_NETWORK_QUERY_OPEN),
    MONITORED_OPERATION(IRP_MJ_MDL_READ),
    MONITORED_OPERATION(IRP_MJ_MDL_READ_COMPLETE),
    MONITORED_OPERATION(IRP_MJ_PREPARE_MDL_WRITE),
    MONITORED_OPERATION(IRP_MJ_MDL_WRITE_COMPLETE),
    MONITORED_OPERATION(IRP_MJ_VOLUME_MOUNT),
    MONITORED_OPERATION(IRP_MJ_VOLUME_DISMOUNT),
#endif // TODO

    /* Terminator required by the filter manager. */
    { IRP_MJ_OPERATION_END }
};

#undef MONITORED_OPERATION
The code that starts and stops the filter is also generated by VS2013; what remains is mainly the callback functions. The code below is the source code from *Windows Hacker Programming Technology Detailed Explanation*.
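/*
 * Decide whether the file named by lpNameInfo is the protected file.
 *
 * lpNameInfo - name information obtained from FltGetFileNameInformation.
 *              Name.Length is a byte count and Name.Buffer is not guaranteed
 *              to be NUL-terminated, so the name is copied into a terminated
 *              buffer before the C string search.
 *
 * Returns TRUE when the normalized path contains the protected name.
 * Returns FALSE otherwise, and also when no buffer could be allocated
 * (fail-open: a pool shortage must not become a system-wide refusal of
 * file I/O; the original dereferenced the NULL allocation instead).
 *
 * NOTE(review): this is a case-sensitive substring search over the whole
 * path, so "520.EXE" is not matched while "\520.exe.bak" or a directory named
 * "520.exe" is.  If exactly one file name is meant, compare
 * lpNameInfo->FinalComponent with RtlEqualUnicodeString(..., TRUE) instead.
 */
BOOLEAN IsProtectionFile(PFLT_FILE_NAME_INFORMATION lpNameInfo)
{
    /* Pool tag for this driver's allocations (constructed value; any four
       characters will do, it only labels the allocation for debugging). */
    static const ULONG kPoolTag = 'tPmF';
    static const WCHAR kProtectedName[] = L"520.exe";
    BOOLEAN bProtect = FALSE;
    PWCHAR lpszFileName;
    SIZE_T cbBuffer;

    if (NULL == lpNameInfo || NULL == lpNameInfo->Name.Buffer) {
        return FALSE;
    }

    /* Allocate exactly Name.Length bytes plus one terminator.  The original
       used a fixed 512-byte buffer, which a path longer than 255 WCHARs
       overflowed (kernel pool overflow driven by an attacker-chosen path). */
    cbBuffer = (SIZE_T)lpNameInfo->Name.Length + sizeof(WCHAR);
    lpszFileName = (PWCHAR)ExAllocatePoolWithTag(NonPagedPool, cbBuffer, kPoolTag);
    if (NULL == lpszFileName) {
        return FALSE;
    }

    RtlCopyMemory(lpszFileName, lpNameInfo->Name.Buffer, lpNameInfo->Name.Length);
    lpszFileName[lpNameInfo->Name.Length / sizeof(WCHAR)] = L'\0';

    /* The pattern is a real literal now.  The original copied
       sizeof(WCHAR) + wcslen(L"520.exe") bytes, i.e. 9 bytes, which yields
       the pattern "520.e" and therefore matched more names than intended. */
    if (NULL != wcsstr(lpszFileName, kProtectedName)) {
        bProtect = TRUE;
    }

    ExFreePoolWithTag(lpszFileName, kPoolTag);
    return bProtect;
}

/*************************************************************************
    MiniFilter callback routines.
*************************************************************************/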
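FLT_PREOP_CALLBACK_STATUS
Minifilter_FileMonitor_TestPreOperation (
    _Inout_ PFLT_CALLBACK_DATA Data,
    _In_ PCFLT_RELATED_OBJECTS FltObjects,
    _Flt_CompletionContext_Outptr_ PVOID *CompletionContext
    )
/*++

Routine Description:

    Pre-operation dispatch routine for this miniFilter.  It is non-pageable
    because it can be called on the paging path.

    Monitoring is normally done in PreXXX and post-processing in PostXXX
    (monitoring in PreXXX alone is fine).  This routine watches open
    (IRP_MJ_CREATE), read, write, and delete / rename / attribute changes
    (IRP_MJ_SET_INFORMATION) and refuses each of them on the protected file
    520.exe: the file name is taken from the request and printed, and if it
    is the protected file the request is completed here with
    STATUS_ACCESS_DENIED instead of being passed down the filter chain.

Arguments:

    Data - Pointer to the filter callbackData that is passed to us.

    FltObjects - Pointer to the FLT_RELATED_OBJECTS data structure containing
        opaque handles to this filter, instance, its associated volume and
        file object.

    CompletionContext - The context for the completion routine for this
        operation.

Return Value:

    FLT_PREOP_COMPLETE when the operation was refused (Data->IoStatus holds
    STATUS_ACCESS_DENIED and zero bytes transferred); otherwise
    FLT_PREOP_SUCCESS_WITH_CALLBACK so the request continues down the chain
    and the post-operation callback runs.

--*/
{
    NTSTATUS status;
    UCHAR MajorFunction = Data->Iopb->MajorFunction;
    PFLT_FILE_NAME_INFORMATION lpNameInfo = NULL;
    BOOLEAN bDeny = FALSE;

    UNREFERENCED_PARAMETER( FltObjects );
    UNREFERENCED_PARAMETER( CompletionContext );

    PT_DBG_PRINT( PTDBG_TRACE_ROUTINES,
                  ("Minifilter_FileMonitor_Test!Minifilter_FileMonitor_TestPreOperation: Entered\n") );

    status = FltGetFileNameInformation(Data,
                                       FLT_FILE_NAME_NORMALIZED | FLT_FILE_NAME_QUERY_DEFAULT,
                                       &lpNameInfo);
    if (!NT_SUCCESS(status)) {
        /* The name could not be obtained, so there is nothing to check;
           pass the request through unchanged (same as the original). */
        return FLT_PREOP_SUCCESS_WITH_CALLBACK;
    }

    status = FltParseFileNameInformation(lpNameInfo);
    if (NT_SUCCESS(status)) {
        switch (MajorFunction) {
        case IRP_MJ_CREATE:
            if (IsProtectionFile(lpNameInfo)) {
                KdPrint(("[IRP_MJ_CREATE]%wZ", &lpNameInfo->Name));
                bDeny = TRUE;
            }
            break;
        case IRP_MJ_READ:
            if (IsProtectionFile(lpNameInfo)) {
                KdPrint(("[IRP_MJ_READ]%wZ", &lpNameInfo->Name));
                bDeny = TRUE;
            }
            break;
        case IRP_MJ_WRITE:
            if (IsProtectionFile(lpNameInfo)) {
                KdPrint(("[IRP_MJ_WRITE]%wZ", &lpNameInfo->Name));
                bDeny = TRUE;
            }
            break;
        case IRP_MJ_SET_INFORMATION:
            /* Covers delete (disposition), rename and attribute changes. */
            if (IsProtectionFile(lpNameInfo)) {
                KdPrint(("[IRP_MJ_SET_INFORMATION]%wZ", &lpNameInfo->Name));
                bDeny = TRUE;
            }
            break;
        default:
            /* Not registered in Callbacks[]; nothing to monitor. */
            break;
        }
    }

    /* FltGetFileNameInformation returns a referenced structure.  The original
       never released it, leaking one name-information block for every file
       operation that reached this routine. */
    FltReleaseFileNameInformation(lpNameInfo);

    if (bDeny) {
        /* A minifilter that returns FLT_PREOP_COMPLETE must supply the final
           status itself.  The original returned without touching IoStatus,
           so the refused request completed with whatever status happened to
           be there rather than an explicit denial. */
        Data->IoStatus.Status = STATUS_ACCESS_DENIED;
        Data->IoStatus.Information = 0;
        return FLT_PREOP_COMPLETE;
    }

    /* The template's optional FltRequestOperationStatusCallback block is not
       needed by this filter and has been dropped. */
    return FLT_PREOP_SUCCESS_WITH_CALLBACK;
}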
And that's it. The book also indicates that the driver is installed via an INF file: right-click the
selected INF file and choose Install.
Then, in an administrator CMD, run `net start <service name>` to start the service (the service name is the driver name).
To stop the service, run `net stop <service name>`.