Minifilter过滤,功能实现对驱动目录的监控,包括创建,重命名,删除并实现hips
注意下:我的这套过滤只能用在nt6系统上
原因是使用一个nt6上才有的函数
见函数
PsGetProcessFullName
其实没必要自己来写获取全路径
因为minifilter已经给我们提供了获取全路径的函数
FltGetFileNameInformation
我就不改了,哈哈
说说遇到的问题吧
在监控创建的时候,我是在post中监控,我拒绝后,会弹窗,2-3次吧,也就是会请求2-3次,我的解决方法是记录上一次拒绝的文件全路径,然后下一次来的时候来比对
这里可以将处理过的文件加入链表或者hash,我偷懒了,就直接用这种方法来解决多重求情的问题,
这里注意下,出现多次请求的原因是你第一次放行了,那么我们第二次的时候就知道比对的时候就直接放行了
考虑过在pre中监控
但根据MF周老师的意见 说在这里拿到的信息是不准确的,
可以用下面一句话总结:
在pre中是对请求本身就行拦截,在post中是对请求完成结果的拦截.
遵循周老师的意见,我还是在post中监控
在拦截创建的时候,还有一个问题,就是如果创建的时候我拒绝了,那么返回给用户的会出现一个替换的框(文件已存在,但大小是0)
针对这个情况,我直接对这个data设置文件属性 有点像前面学习的IRP下发强删文件
- //就算拒绝了 也会创建一个空文件 这里我们删除
- fdi.DeleteFile = TRUE;
- FltSetInformationFile(FltObjects->Instance, FltObjects->FileObject, &fdi, sizeof(FILE_DISPOSITION_INFORMATION), FileDispositionInformation);
//就算拒绝了 也会创建一个空文件 这里我们删除 fdi.DeleteFile = TRUE; FltSetInformationFile(FltObjects->Instance, FltObjects->FileObject, &fdi, sizeof(FILE_DISPOSITION_INFORMATION), FileDispositionInformation);
在post中 我们可以使用FltCancelFileOpen 或者FltCancelFileIrp(未测试)来取消前面的操作
还有一点是,刚开始写的时候我直接对Create的回调函数进行过滤,没有判断文件打开的属性,或是文件还是文件夹
然后一直弹窗,然后 你懂得....
然后就修复了 对文件夹的判断和打开的判断
这里其实是有BUG的 为什么这么说呢,在CreateFile的函数中 我们可以用FILE_OPEN_IF创建文件 这里没有过滤
这里不应该在内核中过滤 原因是如果这里填写了对FILE_OPEN_IF的过滤,会不断弹窗,而且这个时候在这里已经不能判断文件是否存在了 已经完成了
已经生成了一个文件 一个为空的文件
那么怎么办呢,思路是得到此时文件的大小,如果是0则是新建,否则就是打开操作
获取大小的方法我知道的是通过FltReadFile去读文件 然后BytesRead就是文件的大小
还有一个思路就是在pre中过滤,此时文件还没有创建,我们得到文件的全路径,然后打开,如果返回NO_FOUND就说明是新建操作
下面是对文件夹的判断
- if (!NT_SUCCESS( Data->IoStatus.Status ) ||
- (STATUS_REPARSE == Data->IoStatus.Status)) {
- return FLT_POSTOP_FINISHED_PROCESSING;
- }
- Options = Data->Iopb->Parameters.Create.Options;
- if (FlagOn(Options, FILE_DIRECTORY_FILE) ||
- FlagOn(FltObjects->FileObject->Flags, FO_VOLUME_OPEN) ||
- FlagOn(Data->Flags, SL_OPEN_PAGING_FILE))
- {
- return FLT_POSTOP_FINISHED_PROCESSING;
- }
- ulDisposition = (Data->Iopb->Parameters.Create.Options >> 24) & 0xFF;
- if (ulDisposition == FILE_CREATE || ulDisposition == FILE_OVERWRITE || ulDisposition == FILE_OVERWRITE_IF)
- {
- PopWindow = TRUE;
- }
if (!NT_SUCCESS( Data->IoStatus.Status ) ||
(STATUS_REPARSE == Data->IoStatus.Status)) {
return FLT_POSTOP_FINISHED_PROCESSING;
}
Options = Data->Iopb->Parameters.Create.Options;
if (FlagOn(Options, FILE_DIRECTORY_FILE) ||
FlagOn(FltObjects->FileObject->Flags, FO_VOLUME_OPEN) ||
FlagOn(Data->Flags, SL_OPEN_PAGING_FILE))
{
return FLT_POSTOP_FINISHED_PROCESSING;
}
ulDisposition = (Data->Iopb->Parameters.Create.Options >> 24) & 0xFF;
if (ulDisposition == FILE_CREATE || ulDisposition == FILE_OVERWRITE || ulDisposition == FILE_OVERWRITE_IF)
{
PopWindow = TRUE;
}
另外遇到的问题是删除
删除分两种
一种是直接删除 也就是shift+Del的方式
这种没什么问题
另外一种普通的删除,右键文件-删除-或者直接按Del
这其实一个发现 + 更名的操作
这个发现具体我也不知道怎么说,因为你普通删除文件的时候,不是有一个正在发现文件吗,就是统计文件的大小操作
然后就是更名的操作
这是我第一次实验时出现的情况
我的操作是 普通删除->放行->然后就出现了这个框
有了这个后 就简单了,在PreSetInforMation中获得文件全路径,匹配如果中间有Recycle.Bin的字符串
但这不是准确的,我也偷懒啦
至于重命名 无非就是拿到重命名后的路径
两种方法
1.直接在buffer中拿
2.FltGetDestinationFileNameInformation获得
不懂的是:重命名的路径能直接在buffer中拿到 为什么还要使用FltGetDestinationFileNameInformation呢,知道的人可以回复下
- pRenameInfo = (PFILE_RENAME_INFORMATION)Data->Iopb->Parameters.SetFileInformation.InfoBuffer;
- /*
- //这也是可行的
- wstrTest = ExAllocatePool(NonPagedPool,pRenameInfo->FileNameLength + 1);
- if(wstrTest == NULL)
- leave;
- memset(wstrTest,'\0',pRenameInfo->FileNameLength + 1);
- wcsncpy(wstrTest,pRenameInfo->FileName,pRenameInfo->FileNameLength);
- DbgPrint("%ws\n",wstrTest);*/
- status = FltGetDestinationFileNameInformation(Instance,Data->Iopb->TargetFileObject,pRenameInfo->RootDirectory,pRenameInfo->FileName,pRenameInfo->FileNameLength,FLT_FILE_NAME_NORMALIZED,&pOutReNameinfo);
- if(!NT_SUCCESS(status))
- {
- DbgPrint("FltGetDestinationFileNameInformation is faild! 0x%x",status);
- leave;
- }
- wcsncpy(¬ification->RePathName,pOutReNameinfo->Name.Buffer,pOutReNameinfo->Name.MaximumLength);
- DbgPrint("重命名:%wZ\n",&pOutReNameinfo->Name);
- FltReleaseFileNameInformation(pOutReNameinfo);
pRenameInfo = (PFILE_RENAME_INFORMATION)Data->Iopb->Parameters.SetFileInformation.InfoBuffer;
/*
//这也是可行的
wstrTest = ExAllocatePool(NonPagedPool,pRenameInfo->FileNameLength + 1);
if(wstrTest == NULL)
leave;
memset(wstrTest,'\0',pRenameInfo->FileNameLength + 1);
wcsncpy(wstrTest,pRenameInfo->FileName,pRenameInfo->FileNameLength);
DbgPrint("%ws\n",wstrTest);*/
status = FltGetDestinationFileNameInformation(Instance,Data->Iopb->TargetFileObject,pRenameInfo->RootDirectory,pRenameInfo->FileName,pRenameInfo->FileNameLength,FLT_FILE_NAME_NORMALIZED,&pOutReNameinfo);
if(!NT_SUCCESS(status))
{
DbgPrint("FltGetDestinationFileNameInformation is faild! 0x%x",status);
leave;
}
wcsncpy(¬ification->RePathName,pOutReNameinfo->Name.Buffer,pOutReNameinfo->Name.MaximumLength);
DbgPrint("重命名:%wZ\n",&pOutReNameinfo->Name);
FltReleaseFileNameInformation(pOutReNameinfo);
其他没什么了 就是R3的处理了,我对创建多次请求的判断是放在R3的
核心文件:R0
- #include <fltKernel.h>
- #include <dontuse.h>
- #include <suppress.h>
- #include "scanuk.h"
- #include "scanner.h"
- #pragma prefast(disable:__WARNING_ENCODE_MEMBER_FUNCTION_POINTER, "Not valid for kernel mode drivers")
- NTSTATUS
- PsReferenceProcessFilePointer (
- IN PEPROCESS Process,
- OUT PVOID *OutFileObject
- );
- SCANNER_DATA ScannerData;
- UNICODE_STRING g_LastDelFileName = {0};
- //
- // This is a static list of file name extensions files we are interested in scanning
- //
- const UNICODE_STRING ScannerExtensionsToScan[] =
- { RTL_CONSTANT_STRING( L"doc"),
- RTL_CONSTANT_STRING( L"txt"),
- RTL_CONSTANT_STRING( L"bat"),
- RTL_CONSTANT_STRING( L"cmd"),
- RTL_CONSTANT_STRING( L"inf"),
- /*RTL_CONSTANT_STRING( L"ini"), Removed, to much usage*/
- {0, 0, NULL}
- };
- //
- // Function prototypes
- //
- NTSTATUS
- ScannerPortConnect (
- __in PFLT_PORT ClientPort,
- __in_opt PVOID ServerPortCookie,
- __in_bcount_opt(SizeOfContext) PVOID ConnectionContext,
- __in ULONG SizeOfContext,
- __deref_out_opt PVOID *ConnectionCookie
- );
- VOID
- ScannerPortDisconnect (
- __in_opt PVOID ConnectionCookie
- );
- NTSTATUS
- ScannerpScanFileInUserMode (
- __in PFLT_INSTANCE Instance,
- __in PFILE_OBJECT FileObject,
- __out PBOOLEAN SafeToOpen
- );
- BOOLEAN
- ScannerpCheckExtension (
- __in PUNICODE_STRING Extension
- );
- NTSTATUS
- MyScannerpScanFileInUserMode (
- __in PFLT_INSTANCE Instance,
- __in PFILE_OBJECT FileObject,
- __in PFLT_CALLBACK_DATA Data,
- __in ULONG Operation,
- __out PBOOLEAN SafeToOpen
- );
- //
- // Assign text sections for each routine.
- //
- #ifdef ALLOC_PRAGMA
- #pragma alloc_text(INIT, DriverEntry)
- #pragma alloc_text(PAGE, ScannerInstanceSetup)
- #pragma alloc_text(PAGE, ScannerPreCreate)
- #pragma alloc_text(PAGE, ScannerPostCreate)
- #pragma alloc_text(PAGE, ScannerPortConnect)
- #pragma alloc_text(PAGE, ScannerPortDisconnect)
- #pragma alloc_text(PAGE, ScannerPostSetInforMation)
- #pragma alloc_text(PAGE, ScannerPreSetInforMation )
- //IsPatternMatch
- //PsGetProcessFullName
- #endif
- //
- // Constant FLT_REGISTRATION structure for our filter. This
- // initializes the callback routines our filter wants to register
- // for. This is only used to register with the filter manager
- //
- const FLT_OPERATION_REGISTRATION Callbacks[] = {
- { IRP_MJ_CREATE,
- 0,
- ScannerPreCreate,
- ScannerPostCreate},
- { IRP_MJ_CLEANUP,
- 0,
- ScannerPreCleanup,
- NULL},
- { IRP_MJ_WRITE,
- 0,
- ScannerPreWrite,
- NULL},
- { IRP_MJ_SET_INFORMATION,
- 0,
- ScannerPreSetInforMation,
- ScannerPostSetInforMation},
- { IRP_MJ_OPERATION_END }
- };
- const FLT_CONTEXT_REGISTRATION ContextRegistration[] = {
- { FLT_STREAMHANDLE_CONTEXT,
- 0,
- NULL,
- sizeof(SCANNER_STREAM_HANDLE_CONTEXT),
- 'chBS' },
- { FLT_CONTEXT_END }
- };
- const FLT_REGISTRATION FilterRegistration = {
- sizeof( FLT_REGISTRATION ), // Size
- FLT_REGISTRATION_VERSION, // Version
- 0, // Flags
- ContextRegistration, // Context Registration.
- Callbacks, // Operation callbacks
- ScannerUnload, // FilterUnload
- ScannerInstanceSetup, // InstanceSetup
- ScannerQueryTeardown, // InstanceQueryTeardown
- NULL, // InstanceTeardownStart
- NULL, // InstanceTeardownComplete
- NULL, // GenerateFileName
- NULL, // GenerateDestinationFileName
- NULL // NormalizeNameComponent
- };
- BOOLEAN IsPatternMatch(PUNICODE_STRING Expression, PUNICODE_STRING Name, BOOLEAN IgnoreCase)
- {
- return FsRtlIsNameInExpression(
- Expression,
- Name,
- IgnoreCase,//如果这里设置为TRUE,那么Expression必须是大写的
- NULL
- );
- }
- PUNICODE_STRING PsGetProcessFullName(PEPROCESS pTargetProcess)
- {
- PFILE_OBJECT pFileObject=NULL;
- POBJECT_NAME_INFORMATION pObjectNameInfo=NULL;
- if(!NT_SUCCESS(PsReferenceProcessFilePointer(pTargetProcess,&pFileObject)))
- return NULL;
- if(!NT_SUCCESS(IoQueryFileDosDeviceName(pFileObject,&pObjectNameInfo)))
- return NULL;
- ObDereferenceObject(pFileObject);
- return &(pObjectNameInfo->Name);//尚未释放内存 以及 ObDereferenceObject
- }
- ULONG g_Count = 0;
- NTSTATUS
- DriverEntry (
- __in PDRIVER_OBJECT DriverObject,
- __in PUNICODE_STRING RegistryPath
- )
- {
- OBJECT_ATTRIBUTES oa;
- UNICODE_STRING uniString;
- PSECURITY_DESCRIPTOR sd;
- NTSTATUS status;
- UNREFERENCED_PARAMETER( RegistryPath );
- g_LastDelFileName.Buffer = ExAllocatePool(NonPagedPool,MAX_PATH*2);
- g_LastDelFileName.Length = g_LastDelFileName.MaximumLength = MAX_PATH*2;
- memset(g_LastDelFileName.Buffer,'\0',MAX_PATH*2);
- //注册回调
- status = FltRegisterFilter( DriverObject,
- &FilterRegistration,
- &ScannerData.Filter );
- if (!NT_SUCCESS( status )) {
- return status;
- }
- //创建端口
- RtlInitUnicodeString( &uniString, ScannerPortName );
- //设置通信端口权限 ,只有管理员和系统进程才能操作
- status = FltBuildDefaultSecurityDescriptor( &sd, FLT_PORT_ALL_ACCESS );
- if (NT_SUCCESS( status )) {
- InitializeObjectAttributes( &oa,
- &uniString,
- OBJ_CASE_INSENSITIVE | OBJ_KERNEL_HANDLE,
- NULL,
- sd );
- //创建通信端口,并设置对应的回调函数
- status = FltCreateCommunicationPort( ScannerData.Filter,
- &ScannerData.ServerPort,
- &oa,//设置的名字
- NULL,
- ScannerPortConnect,//当R3连接时回调 主要是记录R3的进程ID或EPROCESS以便放过本进程 还有记录R3的通信端口,给后面主动通信的时候用
- ScannerPortDisconnect,//当R3离线时回调 主要是关闭R3端口和设置R3的进程信息为NULL
- NULL,//处理R3主动函数 比如R3下新的规则,
- 1 );//最后一个常为1
- //设置好后需要释放权限的设置
- FltFreeSecurityDescriptor( sd );
- if (NT_SUCCESS( status )) {
- //
- // Start filtering I/O.
- //
- //开始过滤
- status = FltStartFiltering( ScannerData.Filter );
- if (NT_SUCCESS( status )) {
- return STATUS_SUCCESS;
- }
- //失败就滚吧
- FltCloseCommunicationPort( ScannerData.ServerPort );
- }
- }
- //失败就滚吧
- FltUnregisterFilter( ScannerData.Filter );
- return status;
- }
- NTSTATUS
- ScannerPortConnect (
- __in PFLT_PORT ClientPort,
- __in_opt PVOID ServerPortCookie,
- __in_bcount_opt(SizeOfContext) PVOID ConnectionContext,
- __in ULONG SizeOfContext,
- __deref_out_opt PVOID *ConnectionCookie
- )
- {
- PAGED_CODE();
- UNREFERENCED_PARAMETER( ServerPortCookie );
- UNREFERENCED_PARAMETER( ConnectionContext );
- UNREFERENCED_PARAMETER( SizeOfContext);
- UNREFERENCED_PARAMETER( ConnectionCookie );
- ASSERT( ScannerData.ClientPort == NULL );
- ASSERT( ScannerData.UserProcess == NULL );
- //设置本身进程 和 R3的的通信端口 给后面判断和通信时使用
- ScannerData.UserProcess = PsGetCurrentProcess();
- ScannerData.ClientPort = ClientPort;
- DbgPrint( "!!! scanner.sys --- connected, port=0x%p\n", ClientPort );
- return STATUS_SUCCESS;
- }
- VOID
- ScannerPortDisconnect(
- __in_opt PVOID ConnectionCookie
- )
- {
- UNREFERENCED_PARAMETER( ConnectionCookie );
- PAGED_CODE();
- DbgPrint( "!!! scanner.sys --- disconnected, port=0x%p\n", ScannerData.ClientPort );
- //关闭R3通信端口
- FltCloseClientPort( ScannerData.Filter, &ScannerData.ClientPort );
- //设置R3进程为0
- ScannerData.UserProcess = NULL;
- }
- NTSTATUS
- ScannerUnload (
- __in FLT_FILTER_UNLOAD_FLAGS Flags
- )
- {
- UNREFERENCED_PARAMETER( Flags );
- //
- // Close the server port.
- //
- if(g_LastDelFileName.Buffer)
- ExFreePool(g_LastDelFileName.Buffer);
- FltCloseCommunicationPort( ScannerData.ServerPort );
- //
- // Unregister the filter
- //
- FltUnregisterFilter( ScannerData.Filter );
- return STATUS_SUCCESS;
- }
- NTSTATUS
- ScannerInstanceSetup (
- __in PCFLT_RELATED_OBJECTS FltObjects,
- __in FLT_INSTANCE_SETUP_FLAGS Flags,
- __in DEVICE_TYPE VolumeDeviceType,
- __in FLT_FILESYSTEM_TYPE VolumeFilesystemType
- )
- {
- UNREFERENCED_PARAMETER( FltObjects );
- UNREFERENCED_PARAMETER( Flags );
- UNREFERENCED_PARAMETER( VolumeFilesystemType );
- PAGED_CODE();
- ASSERT( FltObjects->Filter == ScannerData.Filter );
- //
- // Don't attach to network volumes.
- //
- if (VolumeDeviceType == FILE_DEVICE_NETWORK_FILE_SYSTEM) {
- return STATUS_FLT_DO_NOT_ATTACH;
- }
- return STATUS_SUCCESS;
- }
- NTSTATUS
- ScannerQueryTeardown (
- __in PCFLT_RELATED_OBJECTS FltObjects,
- __in FLT_INSTANCE_QUERY_TEARDOWN_FLAGS Flags
- )
- {
- UNREFERENCED_PARAMETER( FltObjects );
- UNREFERENCED_PARAMETER( Flags );
- return STATUS_SUCCESS;
- }
- FLT_PREOP_CALLBACK_STATUS
- ScannerPreCreate (
- __inout PFLT_CALLBACK_DATA Data,
- __in PCFLT_RELATED_OBJECTS FltObjects,
- __deref_out_opt PVOID *CompletionContext
- )
- {
- UNREFERENCED_PARAMETER( FltObjects );
- UNREFERENCED_PARAMETER( CompletionContext );
- PAGED_CODE();
- //
- // See if this create is being done by our user process.
- //
- //DbgPrint("Pre Creta!\n");
- if (IoThreadToProcess( Data->Thread ) == ScannerData.UserProcess) {
- DbgPrint( "!!! scanner.sys -- allowing create for trusted process \n" );
- return FLT_PREOP_SUCCESS_NO_CALLBACK;
- }
- return FLT_PREOP_SUCCESS_WITH_CALLBACK;
- }
- BOOLEAN
- ScannerpCheckExtension (
- __in PUNICODE_STRING Extension
- )
- {
- const UNICODE_STRING *ext;
- if (Extension->Length == 0) {
- return FALSE;
- }
- //
- // Check if it matches any one of our static extension list
- //
- ext = ScannerExtensionsToScan;
- while (ext->Buffer != NULL) {
- if (RtlCompareUnicodeString( Extension, ext, TRUE ) == 0) {
- //
- // A match. We are interested in this file
- //
- return TRUE;
- }
- ext++;
- }
- return FALSE;
- }
- //处理打开,创建时(一般这个时候提示的话就是已经被感染了)
- FLT_POSTOP_CALLBACK_STATUS
- ScannerPostCreate (
- __inout PFLT_CALLBACK_DATA Data,
- __in PCFLT_RELATED_OBJECTS FltObjects,
- __in_opt PVOID CompletionContext,
- __in FLT_POST_OPERATION_FLAGS Flags
- )
- {
- FLT_POSTOP_CALLBACK_STATUS returnStatus = FLT_POSTOP_FINISHED_PROCESSING;
- PFLT_FILE_NAME_INFORMATION nameInfo;
- NTSTATUS status;
- BOOLEAN safeToOpen, scanFile;
- UNICODE_STRING ustrRule = {0};
- ULONG Options;
- ULONG ulDisposition;
- BOOLEAN PopWindow = FALSE;
- FILE_DISPOSITION_INFORMATION fdi;
- UNREFERENCED_PARAMETER( CompletionContext );
- UNREFERENCED_PARAMETER( Flags );
- //UNREFERENCED_PARAMETER( Flags );
- //
- // If this create was failing anyway, don't bother scanning now.
- //
- //DbgPrint("Pos Creta!\n");
- if (!NT_SUCCESS( Data->IoStatus.Status ) ||
- (STATUS_REPARSE == Data->IoStatus.Status)) {
- return FLT_POSTOP_FINISHED_PROCESSING;
- }
- Options = Data->Iopb->Parameters.Create.Options;
- if (FlagOn(Options, FILE_DIRECTORY_FILE) ||
- FlagOn(FltObjects->FileObject->Flags, FO_VOLUME_OPEN) ||
- FlagOn(Data->Flags, SL_OPEN_PAGING_FILE))
- {
- return FLT_POSTOP_FINISHED_PROCESSING;
- }
- ulDisposition = (Data->Iopb->Parameters.Create.Options >> 24) & 0xFF;
- if (ulDisposition == FILE_CREATE || ulDisposition == FILE_OVERWRITE || ulDisposition == FILE_OVERWRITE_IF)
- {
- PopWindow = TRUE;
- }
- status = FltGetFileNameInformation( Data,
- FLT_FILE_NAME_NORMALIZED |
- FLT_FILE_NAME_QUERY_DEFAULT,
- &nameInfo );
- if (!NT_SUCCESS( status )) {
- return FLT_POSTOP_FINISHED_PROCESSING;
- }
- FltParseFileNameInformation( nameInfo );
- //
- // Check if the extension matches the list of extensions we are interested in
- //
- RtlInitUnicodeString(&ustrRule, L"\\*\\*\\WINDOWS\\SYSTEM32\\*\\*.SYS");
- scanFile = IsPatternMatch(&ustrRule,&nameInfo->Name,TRUE);
- //DbgPrint("%wZ\n",&nameInfo->Name);
- //scanFile = ScannerpCheckExtension( &nameInfo->Extension );
- //
- // Release file name info, we're done with it
- //
- FltReleaseFileNameInformation( nameInfo );
- if (!scanFile) {
- //
- // Not an extension we are interested in
- //
- return FLT_POSTOP_FINISHED_PROCESSING;
- }
- if(PopWindow)
- {
- MyScannerpScanFileInUserMode( FltObjects->Instance,
- FltObjects->FileObject,
- Data,
- 1,
- &safeToOpen );
- if (!safeToOpen) {
- //
- // Ask the filter manager to undo the create.
- //
- DbgPrint( "!!! scanner.sys -- foul language detected in postcreate !!!\n" );
- DbgPrint( "!!! scanner.sys -- undoing create \n" );
- //就算拒绝了 也会创建一个空文件 这里我们删除
- fdi.DeleteFile = TRUE;
- FltSetInformationFile(FltObjects->Instance, FltObjects->FileObject, &fdi, sizeof(FILE_DISPOSITION_INFORMATION), FileDispositionInformation);
- FltCancelFileOpen( FltObjects->Instance, FltObjects->FileObject );
- Data->IoStatus.Status = STATUS_ACCESS_DENIED;
- Data->IoStatus.Information = 0;
- returnStatus = FLT_POSTOP_FINISHED_PROCESSING;
- }
- }
- return returnStatus;
- }
- //处理打开时 有写权限但 打开成功时是安全的,等它关闭的时候的我们来扫描它
- //触发这个回调的条件是文件引用技术为0,这个包括内核+R3的计数,一般是在上层使用了ZwClose或者CloseHandle时调用
- FLT_PREOP_CALLBACK_STATUS
- ScannerPreCleanup (
- __inout PFLT_CALLBACK_DATA Data,
- __in PCFLT_RELATED_OBJECTS FltObjects,
- __deref_out_opt PVOID *CompletionContext
- )
- {
- UNREFERENCED_PARAMETER( Data );
- UNREFERENCED_PARAMETER( FltObjects );
- UNREFERENCED_PARAMETER( CompletionContext );
- return FLT_PREOP_SUCCESS_NO_CALLBACK;
- }
- //处理写关闭
- FLT_PREOP_CALLBACK_STATUS
- ScannerPreWrite (
- __inout PFLT_CALLBACK_DATA Data,
- __in PCFLT_RELATED_OBJECTS FltObjects,
- __deref_out_opt PVOID *CompletionContext
- )
- {
- FLT_PREOP_CALLBACK_STATUS returnStatus = FLT_PREOP_SUCCESS_NO_CALLBACK;
- UNREFERENCED_PARAMETER( CompletionContext );
- UNREFERENCED_PARAMETER( FltObjects );
- UNREFERENCED_PARAMETER( Data );
- //
- // If not client port just ignore this write.
- //
- //如果R3进程退出了
- if (ScannerData.ClientPort == NULL) {
- return FLT_PREOP_SUCCESS_NO_CALLBACK;
- }
- return returnStatus;
- }
- BOOLEAN isNeedWatchFile(PFLT_CALLBACK_DATA Data)
- {
- BOOLEAN Ret = FALSE;
- UNICODE_STRING ustrRule = {0};
- PFLT_FILE_NAME_INFORMATION nameInfo = {0};
- NTSTATUS status = STATUS_SUCCESS;
- status = FltGetFileNameInformation( Data,
- FLT_FILE_NAME_NORMALIZED |
- FLT_FILE_NAME_QUERY_DEFAULT,
- &nameInfo );
- if (!NT_SUCCESS( status )) {
- return FALSE;
- }
- FltParseFileNameInformation( nameInfo );
- RtlInitUnicodeString(&ustrRule, L"\\*\\*\\WINDOWS\\SYSTEM32\\*\\*.SYS");
- Ret = IsPatternMatch(&ustrRule,&nameInfo->Name,TRUE);
- FltReleaseFileNameInformation( nameInfo );
- return Ret;
- }
- VOID UnicodeToChar(PUNICODE_STRING src, char *dst)
- {
- ANSI_STRING string;
- RtlUnicodeStringToAnsiString(&string,src,TRUE);
- strcpy(dst,string.Buffer);
- RtlFreeAnsiString(&string);
- }
- BOOLEAN isRecycle(PFLT_CALLBACK_DATA Data ,PCFLT_RELATED_OBJECTS FltObje)
- {
- BOOLEAN Ret = FALSE;
- PFLT_FILE_NAME_INFORMATION nameInfo = {0};
- PFILE_RENAME_INFORMATION pRenameInfo = {0};
- NTSTATUS status = STATUS_SUCCESS;
- char *temp = (char*)ExAllocatePool(NonPagedPool,MAX_PATH*2);
- if(temp == NULL)
- return TRUE;
- memset(temp,'\0',MAX_PATH*2);
- //特殊情况,当字符串中包含$Recycle.Bin时是普通删除,实际上删除只是更名而已
- pRenameInfo = (PFILE_RENAME_INFORMATION)Data->Iopb->Parameters.SetFileInformation.InfoBuffer;
- status = FltGetDestinationFileNameInformation(FltObje->Instance,Data->Iopb->TargetFileObject,pRenameInfo->RootDirectory,pRenameInfo->FileName,pRenameInfo->FileNameLength,FLT_FILE_NAME_NORMALIZED,&nameInfo);
- if(!NT_SUCCESS(status))
- {
- DbgPrint("FltGetDestinationFileNameInformation is faild! 0x%x",status);
- return TRUE;
- }
- UnicodeToChar(&nameInfo->Name,temp);
- if(strstr(temp,"Recycle.Bin"))
- Ret = TRUE;
- else
- Ret = FALSE;
- FltReleaseFileNameInformation(nameInfo);
- ExFreePool(temp);
- return Ret;
- }
- FLT_PREOP_CALLBACK_STATUS
- ScannerPreSetInforMation(
- __inout PFLT_CALLBACK_DATA Data,
- __in PCFLT_RELATED_OBJECTS FltObjects,
- __deref_out_opt PVOID *CompletionContext
- )
- {
- FLT_PREOP_CALLBACK_STATUS status = FLT_PREOP_SUCCESS_NO_CALLBACK;
- ULONG Options = 0;//记录操作类型 1创建,2重命名,3删除
- BOOLEAN isAllow = TRUE;//是否放行
- UNREFERENCED_PARAMETER(Data);
- UNREFERENCED_PARAMETER(FltObjects);
- UNREFERENCED_PARAMETER(CompletionContext);
- //UNREFERENCED_PARAMETER(FltObjects);
- if(ScannerData.ClientPort == NULL)
- {
- return FLT_PREOP_SUCCESS_NO_CALLBACK;
- }
- if(ScannerData.UserProcess == PsGetCurrentProcess())
- {
- return FLT_PREOP_SUCCESS_NO_CALLBACK;
- }
- /*
- lpIrpStack->Parameters.SetFile.FileInformationClass == FileRenameInformation ||//重命名
- lpIrpStack->Parameters.SetFile.FileInformationClass == FileBasicInformation || //设置基础信息
- lpIrpStack->Parameters.SetFile.FileInformationClass == FileAllocationInformation ||
- lpIrpStack->Parameters.SetFile.FileInformationClass == FileEndOfFileInformation ||//设置大小
- lpIrpStack->Parameters.SetFile.FileInformationClass == FileDispositionInformation)//删除
- */
- if(Data->Iopb->Parameters.SetFileInformation.FileInformationClass == FileRenameInformation ||
- Data->Iopb->Parameters.SetFileInformation.FileInformationClass == FileDispositionInformation )
- {
- switch (Data->Iopb->Parameters.SetFileInformation.FileInformationClass)
- {
- case FileRenameInformation:
- Options = 2;
- break;
- case FileDispositionInformation:
- Options = 3;
- break;
- default:
- Options = 0;//爆炸啦
- break;
- }
- //判断是不是我们要监控的
- if(!isNeedWatchFile(Data))
- {
- return FLT_PREOP_SUCCESS_NO_CALLBACK;
- }
- if(Options == 2)
- {
- if(isRecycle(Data,FltObjects))
- {
- return FLT_PREOP_SUCCESS_NO_CALLBACK;
- }
- }
- //进程路径,操作类型,原路径,重命名后路径
- MyScannerpScanFileInUserMode(FltObjects->Instance,FltObjects->FileObject,Data,Options,&isAllow);
- if(!isAllow)
- {
- DbgPrint("ReName in PreSetInforMation !\n");
- Data->IoStatus.Status = STATUS_ACCESS_DENIED;
- Data->IoStatus.Information = 0;
- status = FLT_PREOP_COMPLETE;
- }else
- {
- status = FLT_PREOP_SUCCESS_NO_CALLBACK;
- }
- }
- return status;
- }
- FLT_POSTOP_CALLBACK_STATUS
- ScannerPostSetInforMation (
- __inout PFLT_CALLBACK_DATA Data,
- __in PCFLT_RELATED_OBJECTS FltObjects,
- __in_opt PVOID CompletionContext,
- __in FLT_POST_OPERATION_FLAGS Flags
- )
- {
- //FLT_POSTOP_CALLBACK_STATUS status = FLT_POSTOP_FINISHED_PROCESSING;
- //ULONG Options = 0;//记录操作类型 1创建,2重命名,3删除
- //BOOLEAN isAllow = TRUE;//是否放行
- UNREFERENCED_PARAMETER(Flags);
- UNREFERENCED_PARAMETER(Data);
- UNREFERENCED_PARAMETER(FltObjects);
- UNREFERENCED_PARAMETER(CompletionContext);
- /*
- lpIrpStack->Parameters.SetFile.FileInformationClass == FileRenameInformation ||//重命名
- lpIrpStack->Parameters.SetFile.FileInformationClass == FileBasicInformation || //设置基础信息
- lpIrpStack->Parameters.SetFile.FileInformationClass == FileAllocationInformation ||
- lpIrpStack->Parameters.SetFile.FileInformationClass == FileEndOfFileInformation ||//设置大小
- lpIrpStack->Parameters.SetFile.FileInformationClass == FileDispositionInformation)//删除
- */
- //if(Data->Iopb->Parameters.SetFileInformation.FileInformationClass == FileRenameInformation ||
- // Data->Iopb->Parameters.SetFileInformation.FileInformationClass == FileDispositionInformation )
- //{
- // switch (Data->Iopb->Parameters.SetFileInformation.FileInformationClass)
- // {
- // case FileRenameInformation:
- // Options = 2;
- // break;
- // case FileDispositionInformation:
- // Options = 3;
- // break;
- // default:
- // Options = 0;//爆炸啦
- // break;
- // }
- // //判断是不是我们要监控的
- // if(!isNeedWatchFile(Data))
- // {
- // return FLT_POSTOP_FINISHED_PROCESSING;
- // }
- // if(Options == 2)
- // {
- // if(isRecycle(Data,FltObjects))
- // {
- // return FLT_POSTOP_FINISHED_PROCESSING;
- // }
- // }
- // //进程路径,操作类型,原路径,重命名后路径
- // MyScannerpScanFileInUserMode(FltObjects->Instance,FltObjects->FileObject,Data,Options,&isAllow);
- // if(!isAllow)
- // {
- // DbgPrint("ReName in PostSetInforMation !\n");
- //
- // FltCancelFileOpen( FltObjects->Instance, FltObjects->FileObject );
- // Data->IoStatus.Status = STATUS_ACCESS_DENIED;
- // Data->IoStatus.Information = 0;
- //
- // status = FLT_POSTOP_FINISHED_PROCESSING;
- // }else
- // {
- // status = FLT_POSTOP_FINISHED_PROCESSING;
- // }
- //}
- //return status;
- return FLT_POSTOP_FINISHED_PROCESSING;
- }
- //操作类型 1创建 2重命名 3 删除
- NTSTATUS
- MyScannerpScanFileInUserMode (
- __in PFLT_INSTANCE Instance,
- __in PFILE_OBJECT FileObject,
- __in PFLT_CALLBACK_DATA Data,
- __in ULONG Operation,
- __out PBOOLEAN SafeToOpen
- )
- {
- NTSTATUS status = STATUS_SUCCESS;
- PSCANNER_NOTIFICATION notification = NULL;
- ULONG replyLength = 0;
- PEPROCESS pEprocess = 0;
- PUNICODE_STRING uSProcessPath = NULL;
- PFLT_FILE_NAME_INFORMATION nameInfo;
- PFLT_FILE_NAME_INFORMATION pOutReNameinfo;
- PFILE_RENAME_INFORMATION pRenameInfo;
- UNREFERENCED_PARAMETER( FileObject );
- UNREFERENCED_PARAMETER( Instance );
- *SafeToOpen = TRUE;
- //
- // If not client port just return.
- //
- if (ScannerData.ClientPort == NULL) {
- return STATUS_SUCCESS;
- }
- try {
- notification = ExAllocatePoolWithTag( NonPagedPool,
- sizeof( SCANNER_NOTIFICATION ),
- 'nacS' );
- if(NULL == notification)
- {
- status = STATUS_INSUFFICIENT_RESOURCES;
- leave;
- }
- //在这里获取进程路径,操作类型,目标路径
- //拷贝操作类型
- notification->Operation = Operation;
- pEprocess =
- Data->Thread ? IoThreadToProcess(Data->Thread) : PsGetCurrentProcess();
- if(pEprocess == NULL)
- {
- status = STATUS_INSUFFICIENT_RESOURCES;
- leave;
- }
- uSProcessPath = PsGetProcessFullName(pEprocess);//这里需要释放UNICODESTRING 的内存
- if(uSProcessPath == NULL)
- {
- status = STATUS_INSUFFICIENT_RESOURCES;
- leave;
- }
- //拷贝进程路径
- wcsncpy(¬ification->ProcessPath,uSProcessPath->Buffer,uSProcessPath->Length);
- //wcsncpy(¬ification->ProcessPath,L"test",wcslen(L"test"));
- status = FltGetFileNameInformation( Data,
- FLT_FILE_NAME_NORMALIZED |
- FLT_FILE_NAME_QUERY_DEFAULT,
- &nameInfo );
- //FltGetDestinationFileNameInformation(
- if (!NT_SUCCESS( status )) {
- status = STATUS_INSUFFICIENT_RESOURCES;
- leave;
- }
- //拷贝目标路径
- FltParseFileNameInformation( nameInfo );
- //这里应该注意下多线程的
- if(Operation == 3)
- {
- //DbgPrint("[DjWow]%wZ\n",&g_LastDelFileName);
- //DbgPrint("[DjWow]%wZ\n",&nameInfo->Name);
- if(wcsncmp(g_LastDelFileName.Buffer,nameInfo->Name.Buffer,nameInfo->Name.MaximumLength) == 0)
- {
- FltReleaseFileNameInformation( nameInfo );
- memset(g_LastDelFileName.Buffer,'\0',MAX_PATH*2);
- *SafeToOpen = TRUE;
- leave;
- }
- }
- if(Operation == 3)
- {
- wcsncpy(g_LastDelFileName.Buffer,nameInfo->Name.Buffer,nameInfo->Name.MaximumLength);
- }
- wcsncpy(¬ification->TargetPath,nameInfo->Name.Buffer,nameInfo->Name.MaximumLength);
- FltReleaseFileNameInformation( nameInfo );
- if(Operation == 2)//重命名
- {
- pRenameInfo = (PFILE_RENAME_INFORMATION)Data->Iopb->Parameters.SetFileInformation.InfoBuffer;
- /*
- //这也是可行的
- wstrTest = ExAllocatePool(NonPagedPool,pRenameInfo->FileNameLength + 1);
- if(wstrTest == NULL)
- leave;
- memset(wstrTest,'\0',pRenameInfo->FileNameLength + 1);
- wcsncpy(wstrTest,pRenameInfo->FileName,pRenameInfo->FileNameLength);
- DbgPrint("%ws\n",wstrTest);*/
- status = FltGetDestinationFileNameInformation(Instance,Data->Iopb->TargetFileObject,pRenameInfo->RootDirectory,pRenameInfo->FileName,pRenameInfo->FileNameLength,FLT_FILE_NAME_NORMALIZED,&pOutReNameinfo);
- if(!NT_SUCCESS(status))
- {
- DbgPrint("FltGetDestinationFileNameInformation is faild! 0x%x",status);
- leave;
- }
- wcsncpy(¬ification->RePathName,pOutReNameinfo->Name.Buffer,pOutReNameinfo->Name.MaximumLength);
- DbgPrint("重命名:%wZ\n",&pOutReNameinfo->Name);
- FltReleaseFileNameInformation(pOutReNameinfo);
- }
- replyLength = sizeof( SCANNER_REPLY );
- status = FltSendMessage( ScannerData.Filter,
- &ScannerData.ClientPort,
- notification,
- sizeof(SCANNER_NOTIFICATION),
- notification,
- &replyLength,
- NULL );
- if (STATUS_SUCCESS == status) {
- *SafeToOpen = ((PSCANNER_REPLY) notification)->SafeToOpen;
- } else {
- //
- // Couldn't send message
- //
- DbgPrint( "!!! scanner.sys --- couldn't send message to user-mode to scan file, status 0x%X\n", status );
- }
- } finally {
- if (NULL != notification) {
- ExFreePoolWithTag( notification, 'nacS' );
- }
- if(NULL != pEprocess)
- {
- //ObfDereferenceObject(pEprocess);
- }
- if(NULL != uSProcessPath)
- {
- ExFreePool(uSProcessPath);
- }
- }
- return status;
- }
#include <fltKernel.h>
#include <dontuse.h>
#include <suppress.h>
#include "scanuk.h"
#include "scanner.h"
#pragma prefast(disable:__WARNING_ENCODE_MEMBER_FUNCTION_POINTER, "Not valid for kernel mode drivers")
NTSTATUS
PsReferenceProcessFilePointer (
IN PEPROCESS Process,
OUT PVOID *OutFileObject
);
SCANNER_DATA ScannerData;
UNICODE_STRING g_LastDelFileName = {0};
//
// This is a static list of file name extensions files we are interested in scanning
//
const UNICODE_STRING ScannerExtensionsToScan[] =
{ RTL_CONSTANT_STRING( L"doc"),
RTL_CONSTANT_STRING( L"txt"),
RTL_CONSTANT_STRING( L"bat"),
RTL_CONSTANT_STRING( L"cmd"),
RTL_CONSTANT_STRING( L"inf"),
/*RTL_CONSTANT_STRING( L"ini"), Removed, to much usage*/
{0, 0, NULL}
};
//
// Function prototypes
//
NTSTATUS
ScannerPortConnect (
__in PFLT_PORT ClientPort,
__in_opt PVOID ServerPortCookie,
__in_bcount_opt(SizeOfContext) PVOID ConnectionContext,
__in ULONG SizeOfContext,
__deref_out_opt PVOID *ConnectionCookie
);
VOID
ScannerPortDisconnect (
__in_opt PVOID ConnectionCookie
);
NTSTATUS
ScannerpScanFileInUserMode (
__in PFLT_INSTANCE Instance,
__in PFILE_OBJECT FileObject,
__out PBOOLEAN SafeToOpen
);
BOOLEAN
ScannerpCheckExtension (
__in PUNICODE_STRING Extension
);
NTSTATUS
MyScannerpScanFileInUserMode (
__in PFLT_INSTANCE Instance,
__in PFILE_OBJECT FileObject,
__in PFLT_CALLBACK_DATA Data,
__in ULONG Operation,
__out PBOOLEAN SafeToOpen
);
//
// Assign text sections for each routine.
//
#ifdef ALLOC_PRAGMA
#pragma alloc_text(INIT, DriverEntry)
#pragma alloc_text(PAGE, ScannerInstanceSetup)
#pragma alloc_text(PAGE, ScannerPreCreate)
#pragma alloc_text(PAGE, ScannerPostCreate)
#pragma alloc_text(PAGE, ScannerPortConnect)
#pragma alloc_text(PAGE, ScannerPortDisconnect)
#pragma alloc_text(PAGE, ScannerPostSetInforMation)
#pragma alloc_text(PAGE, ScannerPreSetInforMation )
//IsPatternMatch
//PsGetProcessFullName
#endif
//
// Constant FLT_REGISTRATION structure for our filter. This
// initializes the callback routines our filter wants to register
// for. This is only used to register with the filter manager
//
const FLT_OPERATION_REGISTRATION Callbacks[] = {
{ IRP_MJ_CREATE,
0,
ScannerPreCreate,
ScannerPostCreate},
{ IRP_MJ_CLEANUP,
0,
ScannerPreCleanup,
NULL},
{ IRP_MJ_WRITE,
0,
ScannerPreWrite,
NULL},
{ IRP_MJ_SET_INFORMATION,
0,
ScannerPreSetInforMation,
ScannerPostSetInforMation},
{ IRP_MJ_OPERATION_END }
};
const FLT_CONTEXT_REGISTRATION ContextRegistration[] = {
{ FLT_STREAMHANDLE_CONTEXT,
0,
NULL,
sizeof(SCANNER_STREAM_HANDLE_CONTEXT),
'chBS' },
{ FLT_CONTEXT_END }
};
const FLT_REGISTRATION FilterRegistration = {
sizeof( FLT_REGISTRATION ), // Size
FLT_REGISTRATION_VERSION, // Version
0, // Flags
ContextRegistration, // Context Registration.
Callbacks, // Operation callbacks
ScannerUnload, // FilterUnload
ScannerInstanceSetup, // InstanceSetup
ScannerQueryTeardown, // InstanceQueryTeardown
NULL, // InstanceTeardownStart
NULL, // InstanceTeardownComplete
NULL, // GenerateFileName
NULL, // GenerateDestinationFileName
NULL // NormalizeNameComponent
};
BOOLEAN IsPatternMatch(PUNICODE_STRING Expression, PUNICODE_STRING Name, BOOLEAN IgnoreCase)
{
return FsRtlIsNameInExpression(
Expression,
Name,
IgnoreCase,//如果这里设置为TRUE,那么Expression必须是大写的
NULL
);
}
PUNICODE_STRING PsGetProcessFullName(PEPROCESS pTargetProcess)
{
PFILE_OBJECT pFileObject=NULL;
POBJECT_NAME_INFORMATION pObjectNameInfo=NULL;
if(!NT_SUCCESS(PsReferenceProcessFilePointer(pTargetProcess,&pFileObject)))
return NULL;
if(!NT_SUCCESS(IoQueryFileDosDeviceName(pFileObject,&pObjectNameInfo)))
return NULL;
ObDereferenceObject(pFileObject);
return &(pObjectNameInfo->Name);//尚未释放内存 以及 ObDereferenceObject
}
ULONG g_Count = 0;
NTSTATUS
DriverEntry (
__in PDRIVER_OBJECT DriverObject,
__in PUNICODE_STRING RegistryPath
)
{
OBJECT_ATTRIBUTES oa;
UNICODE_STRING uniString;
PSECURITY_DESCRIPTOR sd;
NTSTATUS status;
UNREFERENCED_PARAMETER( RegistryPath );
g_LastDelFileName.Buffer = ExAllocatePool(NonPagedPool,MAX_PATH*2);
g_LastDelFileName.Length = g_LastDelFileName.MaximumLength = MAX_PATH*2;
memset(g_LastDelFileName.Buffer,'\0',MAX_PATH*2);
//注册回调
status = FltRegisterFilter( DriverObject,
&FilterRegistration,
&ScannerData.Filter );
if (!NT_SUCCESS( status )) {
return status;
}
//创建端口
RtlInitUnicodeString( &uniString, ScannerPortName );
//设置通信端口权限 ,只有管理员和系统进程才能操作
status = FltBuildDefaultSecurityDescriptor( &sd, FLT_PORT_ALL_ACCESS );
if (NT_SUCCESS( status )) {
InitializeObjectAttributes( &oa,
&uniString,
OBJ_CASE_INSENSITIVE | OBJ_KERNEL_HANDLE,
NULL,
sd );
//创建通信端口,并设置对应的回调函数
status = FltCreateCommunicationPort( ScannerData.Filter,
&ScannerData.ServerPort,
&oa,//设置的名字
NULL,
ScannerPortConnect,//当R3连接时回调 主要是记录R3的进程ID或EPROCESS以便放过本进程 还有记录R3的通信端口,给后面主动通信的时候用
ScannerPortDisconnect,//当R3离线时回调 主要是关闭R3端口和设置R3的进程信息为NULL
NULL,//处理R3主动函数 比如R3下新的规则,
1 );//最后一个常为1
//设置好后需要释放权限的设置
FltFreeSecurityDescriptor( sd );
if (NT_SUCCESS( status )) {
//
// Start filtering I/O.
//
//开始过滤
status = FltStartFiltering( ScannerData.Filter );
if (NT_SUCCESS( status )) {
return STATUS_SUCCESS;
}
//失败就滚吧
FltCloseCommunicationPort( ScannerData.ServerPort );
}
}
//失败就滚吧
FltUnregisterFilter( ScannerData.Filter );
return status;
}
NTSTATUS
ScannerPortConnect (
__in PFLT_PORT ClientPort,
__in_opt PVOID ServerPortCookie,
__in_bcount_opt(SizeOfContext) PVOID ConnectionContext,
__in ULONG SizeOfContext,
__deref_out_opt PVOID *ConnectionCookie
)
{
PAGED_CODE();
UNREFERENCED_PARAMETER( ServerPortCookie );
UNREFERENCED_PARAMETER( ConnectionContext );
UNREFERENCED_PARAMETER( SizeOfContext);
UNREFERENCED_PARAMETER( ConnectionCookie );
ASSERT( ScannerData.ClientPort == NULL );
ASSERT( ScannerData.UserProcess == NULL );
//设置本身进程 和 R3的的通信端口 给后面判断和通信时使用
ScannerData.UserProcess = PsGetCurrentProcess();
ScannerData.ClientPort = ClientPort;
DbgPrint( "!!! scanner.sys --- connected, port=0x%p\n", ClientPort );
return STATUS_SUCCESS;
}
VOID
ScannerPortDisconnect(
__in_opt PVOID ConnectionCookie
)
{
UNREFERENCED_PARAMETER( ConnectionCookie );
PAGED_CODE();
DbgPrint( "!!! scanner.sys --- disconnected, port=0x%p\n", ScannerData.ClientPort );
//关闭R3通信端口
FltCloseClientPort( ScannerData.Filter, &ScannerData.ClientPort );
//设置R3进程为0
ScannerData.UserProcess = NULL;
}
NTSTATUS
ScannerUnload (
__in FLT_FILTER_UNLOAD_FLAGS Flags
)
{
UNREFERENCED_PARAMETER( Flags );
//
// Close the server port.
//
if(g_LastDelFileName.Buffer)
ExFreePool(g_LastDelFileName.Buffer);
FltCloseCommunicationPort( ScannerData.ServerPort );
//
// Unregister the filter
//
FltUnregisterFilter( ScannerData.Filter );
return STATUS_SUCCESS;
}
NTSTATUS
ScannerInstanceSetup (
__in PCFLT_RELATED_OBJECTS FltObjects,
__in FLT_INSTANCE_SETUP_FLAGS Flags,
__in DEVICE_TYPE VolumeDeviceType,
__in FLT_FILESYSTEM_TYPE VolumeFilesystemType
)
{
UNREFERENCED_PARAMETER( FltObjects );
UNREFERENCED_PARAMETER( Flags );
UNREFERENCED_PARAMETER( VolumeFilesystemType );
PAGED_CODE();
ASSERT( FltObjects->Filter == ScannerData.Filter );
//
// Don't attach to network volumes.
//
if (VolumeDeviceType == FILE_DEVICE_NETWORK_FILE_SYSTEM) {
return STATUS_FLT_DO_NOT_ATTACH;
}
return STATUS_SUCCESS;
}
NTSTATUS
ScannerQueryTeardown (
__in PCFLT_RELATED_OBJECTS FltObjects,
__in FLT_INSTANCE_QUERY_TEARDOWN_FLAGS Flags
)
{
UNREFERENCED_PARAMETER( FltObjects );
UNREFERENCED_PARAMETER( Flags );
return STATUS_SUCCESS;
}
FLT_PREOP_CALLBACK_STATUS
ScannerPreCreate (
__inout PFLT_CALLBACK_DATA Data,
__in PCFLT_RELATED_OBJECTS FltObjects,
__deref_out_opt PVOID *CompletionContext
)
{
UNREFERENCED_PARAMETER( FltObjects );
UNREFERENCED_PARAMETER( CompletionContext );
PAGED_CODE();
//
// See if this create is being done by our user process.
//
//DbgPrint("Pre Creta!\n");
if (IoThreadToProcess( Data->Thread ) == ScannerData.UserProcess) {
DbgPrint( "!!! scanner.sys -- allowing create for trusted process \n" );
return FLT_PREOP_SUCCESS_NO_CALLBACK;
}
return FLT_PREOP_SUCCESS_WITH_CALLBACK;
}
BOOLEAN
ScannerpCheckExtension (
__in PUNICODE_STRING Extension
)
{
const UNICODE_STRING *ext;
if (Extension->Length == 0) {
return FALSE;
}
//
// Check if it matches any one of our static extension list
//
ext = ScannerExtensionsToScan;
while (ext->Buffer != NULL) {
if (RtlCompareUnicodeString( Extension, ext, TRUE ) == 0) {
//
// A match. We are interested in this file
//
return TRUE;
}
ext++;
}
return FALSE;
}
//处理打开,创建时(一般这个时候提示的话就是已经被感染了)
FLT_POSTOP_CALLBACK_STATUS
ScannerPostCreate (
__inout PFLT_CALLBACK_DATA Data,
__in PCFLT_RELATED_OBJECTS FltObjects,
__in_opt PVOID CompletionContext,
__in FLT_POST_OPERATION_FLAGS Flags
)
{
FLT_POSTOP_CALLBACK_STATUS returnStatus = FLT_POSTOP_FINISHED_PROCESSING;
PFLT_FILE_NAME_INFORMATION nameInfo;
NTSTATUS status;
BOOLEAN safeToOpen, scanFile;
UNICODE_STRING ustrRule = {0};
ULONG Options;
ULONG ulDisposition;
BOOLEAN PopWindow = FALSE;
FILE_DISPOSITION_INFORMATION fdi;
UNREFERENCED_PARAMETER( CompletionContext );
UNREFERENCED_PARAMETER( Flags );
//UNREFERENCED_PARAMETER( Flags );
//
// If this create was failing anyway, don't bother scanning now.
//
//DbgPrint("Pos Creta!\n");
if (!NT_SUCCESS( Data->IoStatus.Status ) ||
(STATUS_REPARSE == Data->IoStatus.Status)) {
return FLT_POSTOP_FINISHED_PROCESSING;
}
Options = Data->Iopb->Parameters.Create.Options;
if (FlagOn(Options, FILE_DIRECTORY_FILE) ||
FlagOn(FltObjects->FileObject->Flags, FO_VOLUME_OPEN) ||
FlagOn(Data->Flags, SL_OPEN_PAGING_FILE))
{
return FLT_POSTOP_FINISHED_PROCESSING;
}
ulDisposition = (Data->Iopb->Parameters.Create.Options >> 24) & 0xFF;
if (ulDisposition == FILE_CREATE || ulDisposition == FILE_OVERWRITE || ulDisposition == FILE_OVERWRITE_IF)
{
PopWindow = TRUE;
}
status = FltGetFileNameInformation( Data,
FLT_FILE_NAME_NORMALIZED |
FLT_FILE_NAME_QUERY_DEFAULT,
&nameInfo );
if (!NT_SUCCESS( status )) {
return FLT_POSTOP_FINISHED_PROCESSING;
}
FltParseFileNameInformation( nameInfo );
//
// Check if the extension matches the list of extensions we are interested in
//
RtlInitUnicodeString(&ustrRule, L"\\*\\*\\WINDOWS\\SYSTEM32\\*\\*.SYS");
scanFile = IsPatternMatch(&ustrRule,&nameInfo->Name,TRUE);
//DbgPrint("%wZ\n",&nameInfo->Name);
//scanFile = ScannerpCheckExtension( &nameInfo->Extension );
//
// Release file name info, we're done with it
//
FltReleaseFileNameInformation( nameInfo );
if (!scanFile) {
//
// Not an extension we are interested in
//
return FLT_POSTOP_FINISHED_PROCESSING;
}
if(PopWindow)
{
MyScannerpScanFileInUserMode( FltObjects->Instance,
FltObjects->FileObject,
Data,
1,
&safeToOpen );
if (!safeToOpen) {
//
// Ask the filter manager to undo the create.
//
DbgPrint( "!!! scanner.sys -- foul language detected in postcreate !!!\n" );
DbgPrint( "!!! scanner.sys -- undoing create \n" );
//就算拒绝了 也会创建一个空文件 这里我们删除
fdi.DeleteFile = TRUE;
FltSetInformationFile(FltObjects->Instance, FltObjects->FileObject, &fdi, sizeof(FILE_DISPOSITION_INFORMATION), FileDispositionInformation);
FltCancelFileOpen( FltObjects->Instance, FltObjects->FileObject );
Data->IoStatus.Status = STATUS_ACCESS_DENIED;
Data->IoStatus.Information = 0;
returnStatus = FLT_POSTOP_FINISHED_PROCESSING;
}
}
return returnStatus;
}
//处理打开时 有写权限但 打开成功时是安全的,等它关闭的时候的我们来扫描它
//触发这个回调的条件是文件引用技术为0,这个包括内核+R3的计数,一般是在上层使用了ZwClose或者CloseHandle时调用
FLT_PREOP_CALLBACK_STATUS
ScannerPreCleanup (
__inout PFLT_CALLBACK_DATA Data,
__in PCFLT_RELATED_OBJECTS FltObjects,
__deref_out_opt PVOID *CompletionContext
)
{
UNREFERENCED_PARAMETER( Data );
UNREFERENCED_PARAMETER( FltObjects );
UNREFERENCED_PARAMETER( CompletionContext );
return FLT_PREOP_SUCCESS_NO_CALLBACK;
}
//处理写关闭
FLT_PREOP_CALLBACK_STATUS
ScannerPreWrite (
__inout PFLT_CALLBACK_DATA Data,
__in PCFLT_RELATED_OBJECTS FltObjects,
__deref_out_opt PVOID *CompletionContext
)
{
FLT_PREOP_CALLBACK_STATUS returnStatus = FLT_PREOP_SUCCESS_NO_CALLBACK;
UNREFERENCED_PARAMETER( CompletionContext );
UNREFERENCED_PARAMETER( FltObjects );
UNREFERENCED_PARAMETER( Data );
//
// If not client port just ignore this write.
//
//如果R3进程退出了
if (ScannerData.ClientPort == NULL) {
return FLT_PREOP_SUCCESS_NO_CALLBACK;
}
return returnStatus;
}
BOOLEAN isNeedWatchFile(PFLT_CALLBACK_DATA Data)
{
BOOLEAN Ret = FALSE;
UNICODE_STRING ustrRule = {0};
PFLT_FILE_NAME_INFORMATION nameInfo = {0};
NTSTATUS status = STATUS_SUCCESS;
status = FltGetFileNameInformation( Data,
FLT_FILE_NAME_NORMALIZED |
FLT_FILE_NAME_QUERY_DEFAULT,
&nameInfo );
if (!NT_SUCCESS( status )) {
return FALSE;
}
FltParseFileNameInformation( nameInfo );
RtlInitUnicodeString(&ustrRule, L"\\*\\*\\WINDOWS\\SYSTEM32\\*\\*.SYS");
Ret = IsPatternMatch(&ustrRule,&nameInfo->Name,TRUE);
FltReleaseFileNameInformation( nameInfo );
return Ret;
}
VOID UnicodeToChar(PUNICODE_STRING src, char *dst)
{
ANSI_STRING string;
RtlUnicodeStringToAnsiString(&string,src,TRUE);
strcpy(dst,string.Buffer);
RtlFreeAnsiString(&string);
}
BOOLEAN isRecycle(PFLT_CALLBACK_DATA Data ,PCFLT_RELATED_OBJECTS FltObje)
{
BOOLEAN Ret = FALSE;
PFLT_FILE_NAME_INFORMATION nameInfo = {0};
PFILE_RENAME_INFORMATION pRenameInfo = {0};
NTSTATUS status = STATUS_SUCCESS;
char *temp = (char*)ExAllocatePool(NonPagedPool,MAX_PATH*2);
if(temp == NULL)
return TRUE;
memset(temp,'\0',MAX_PATH*2);
//特殊情况,当字符串中包含$Recycle.Bin时是普通删除,实际上删除只是更名而已
pRenameInfo = (PFILE_RENAME_INFORMATION)Data->Iopb->Parameters.SetFileInformation.InfoBuffer;
status = FltGetDestinationFileNameInformation(FltObje->Instance,Data->Iopb->TargetFileObject,pRenameInfo->RootDirectory,pRenameInfo->FileName,pRenameInfo->FileNameLength,FLT_FILE_NAME_NORMALIZED,&nameInfo);
if(!NT_SUCCESS(status))
{
DbgPrint("FltGetDestinationFileNameInformation is faild! 0x%x",status);
return TRUE;
}
UnicodeToChar(&nameInfo->Name,temp);
if(strstr(temp,"Recycle.Bin"))
Ret = TRUE;
else
Ret = FALSE;
FltReleaseFileNameInformation(nameInfo);
ExFreePool(temp);
return Ret;
}
FLT_PREOP_CALLBACK_STATUS
ScannerPreSetInforMation(
__inout PFLT_CALLBACK_DATA Data,
__in PCFLT_RELATED_OBJECTS FltObjects,
__deref_out_opt PVOID *CompletionContext
)
{
FLT_PREOP_CALLBACK_STATUS status = FLT_PREOP_SUCCESS_NO_CALLBACK;
ULONG Options = 0;//记录操作类型 1创建,2重命名,3删除
BOOLEAN isAllow = TRUE;//是否放行
UNREFERENCED_PARAMETER(Data);
UNREFERENCED_PARAMETER(FltObjects);
UNREFERENCED_PARAMETER(CompletionContext);
//UNREFERENCED_PARAMETER(FltObjects);
if(ScannerData.ClientPort == NULL)
{
return FLT_PREOP_SUCCESS_NO_CALLBACK;
}
if(ScannerData.UserProcess == PsGetCurrentProcess())
{
return FLT_PREOP_SUCCESS_NO_CALLBACK;
}
/*
lpIrpStack->Parameters.SetFile.FileInformationClass == FileRenameInformation ||//重命名
lpIrpStack->Parameters.SetFile.FileInformationClass == FileBasicInformation || //设置基础信息
lpIrpStack->Parameters.SetFile.FileInformationClass == FileAllocationInformation ||
lpIrpStack->Parameters.SetFile.FileInformationClass == FileEndOfFileInformation ||//设置大小
lpIrpStack->Parameters.SetFile.FileInformationClass == FileDispositionInformation)//删除
*/
if(Data->Iopb->Parameters.SetFileInformation.FileInformationClass == FileRenameInformation ||
Data->Iopb->Parameters.SetFileInformation.FileInformationClass == FileDispositionInformation )
{
switch (Data->Iopb->Parameters.SetFileInformation.FileInformationClass)
{
case FileRenameInformation:
Options = 2;
break;
case FileDispositionInformation:
Options = 3;
break;
default:
Options = 0;//爆炸啦
break;
}
//判断是不是我们要监控的
if(!isNeedWatchFile(Data))
{
return FLT_PREOP_SUCCESS_NO_CALLBACK;
}
if(Options == 2)
{
if(isRecycle(Data,FltObjects))
{
return FLT_PREOP_SUCCESS_NO_CALLBACK;
}
}
//进程路径,操作类型,原路径,重命名后路径
MyScannerpScanFileInUserMode(FltObjects->Instance,FltObjects->FileObject,Data,Options,&isAllow);
if(!isAllow)
{
DbgPrint("ReName in PreSetInforMation !\n");
Data->IoStatus.Status = STATUS_ACCESS_DENIED;
Data->IoStatus.Information = 0;
status = FLT_PREOP_COMPLETE;
}else
{
status = FLT_PREOP_SUCCESS_NO_CALLBACK;
}
}
return status;
}
FLT_POSTOP_CALLBACK_STATUS
ScannerPostSetInforMation (
__inout PFLT_CALLBACK_DATA Data,
__in PCFLT_RELATED_OBJECTS FltObjects,
__in_opt PVOID CompletionContext,
__in FLT_POST_OPERATION_FLAGS Flags
)
{
//FLT_POSTOP_CALLBACK_STATUS status = FLT_POSTOP_FINISHED_PROCESSING;
//ULONG Options = 0;//记录操作类型 1创建,2重命名,3删除
//BOOLEAN isAllow = TRUE;//是否放行
UNREFERENCED_PARAMETER(Flags);
UNREFERENCED_PARAMETER(Data);
UNREFERENCED_PARAMETER(FltObjects);
UNREFERENCED_PARAMETER(CompletionContext);
/*
lpIrpStack->Parameters.SetFile.FileInformationClass == FileRenameInformation ||//重命名
lpIrpStack->Parameters.SetFile.FileInformationClass == FileBasicInformation || //设置基础信息
lpIrpStack->Parameters.SetFile.FileInformationClass == FileAllocationInformation ||
lpIrpStack->Parameters.SetFile.FileInformationClass == FileEndOfFileInformation ||//设置大小
lpIrpStack->Parameters.SetFile.FileInformationClass == FileDispositionInformation)//删除
*/
//if(Data->Iopb->Parameters.SetFileInformation.FileInformationClass == FileRenameInformation ||
// Data->Iopb->Parameters.SetFileInformation.FileInformationClass == FileDispositionInformation )
//{
// switch (Data->Iopb->Parameters.SetFileInformation.FileInformationClass)
// {
// case FileRenameInformation:
// Options = 2;
// break;
// case FileDispositionInformation:
// Options = 3;
// break;
// default:
// Options = 0;//爆炸啦
// break;
// }
// //判断是不是我们要监控的
// if(!isNeedWatchFile(Data))
// {
// return FLT_POSTOP_FINISHED_PROCESSING;
// }
// if(Options == 2)
// {
// if(isRecycle(Data,FltObjects))
// {
// return FLT_POSTOP_FINISHED_PROCESSING;
// }
// }
// //进程路径,操作类型,原路径,重命名后路径
// MyScannerpScanFileInUserMode(FltObjects->Instance,FltObjects->FileObject,Data,Options,&isAllow);
// if(!isAllow)
// {
// DbgPrint("ReName in PostSetInforMation !\n");
//
// FltCancelFileOpen( FltObjects->Instance, FltObjects->FileObject );
// Data->IoStatus.Status = STATUS_ACCESS_DENIED;
// Data->IoStatus.Information = 0;
//
// status = FLT_POSTOP_FINISHED_PROCESSING;
// }else
// {
// status = FLT_POSTOP_FINISHED_PROCESSING;
// }
//}
//return status;
return FLT_POSTOP_FINISHED_PROCESSING;
}
//操作类型 1创建 2重命名 3 删除
NTSTATUS
MyScannerpScanFileInUserMode (
__in PFLT_INSTANCE Instance,
__in PFILE_OBJECT FileObject,
__in PFLT_CALLBACK_DATA Data,
__in ULONG Operation,
__out PBOOLEAN SafeToOpen
)
{
NTSTATUS status = STATUS_SUCCESS;
PSCANNER_NOTIFICATION notification = NULL;
ULONG replyLength = 0;
PEPROCESS pEprocess = 0;
PUNICODE_STRING uSProcessPath = NULL;
PFLT_FILE_NAME_INFORMATION nameInfo;
PFLT_FILE_NAME_INFORMATION pOutReNameinfo;
PFILE_RENAME_INFORMATION pRenameInfo;
UNREFERENCED_PARAMETER( FileObject );
UNREFERENCED_PARAMETER( Instance );
*SafeToOpen = TRUE;
//
// If not client port just return.
//
if (ScannerData.ClientPort == NULL) {
return STATUS_SUCCESS;
}
try {
notification = ExAllocatePoolWithTag( NonPagedPool,
sizeof( SCANNER_NOTIFICATION ),
'nacS' );
if(NULL == notification)
{
status = STATUS_INSUFFICIENT_RESOURCES;
leave;
}
//在这里获取进程路径,操作类型,目标路径
//拷贝操作类型
notification->Operation = Operation;
pEprocess =
Data->Thread ? IoThreadToProcess(Data->Thread) : PsGetCurrentProcess();
if(pEprocess == NULL)
{
status = STATUS_INSUFFICIENT_RESOURCES;
leave;
}
uSProcessPath = PsGetProcessFullName(pEprocess);//这里需要释放UNICODESTRING 的内存
if(uSProcessPath == NULL)
{
status = STATUS_INSUFFICIENT_RESOURCES;
leave;
}
//拷贝进程路径
wcsncpy(¬ification->ProcessPath,uSProcessPath->Buffer,uSProcessPath->Length);
//wcsncpy(¬ification->ProcessPath,L"test",wcslen(L"test"));
status = FltGetFileNameInformation( Data,
FLT_FILE_NAME_NORMALIZED |
FLT_FILE_NAME_QUERY_DEFAULT,
&nameInfo );
//FltGetDestinationFileNameInformation(
if (!NT_SUCCESS( status )) {
status = STATUS_INSUFFICIENT_RESOURCES;
leave;
}
//拷贝目标路径
FltParseFileNameInformation( nameInfo );
//这里应该注意下多线程的
if(Operation == 3)
{
//DbgPrint("[DjWow]%wZ\n",&g_LastDelFileName);
//DbgPrint("[DjWow]%wZ\n",&nameInfo->Name);
if(wcsncmp(g_LastDelFileName.Buffer,nameInfo->Name.Buffer,nameInfo->Name.MaximumLength) == 0)
{
FltReleaseFileNameInformation( nameInfo );
memset(g_LastDelFileName.Buffer,'\0',MAX_PATH*2);
*SafeToOpen = TRUE;
leave;
}
}
if(Operation == 3)
{
wcsncpy(g_LastDelFileName.Buffer,nameInfo->Name.Buffer,nameInfo->Name.MaximumLength);
}
wcsncpy(¬ification->TargetPath,nameInfo->Name.Buffer,nameInfo->Name.MaximumLength);
FltReleaseFileNameInformation( nameInfo );
if(Operation == 2)//重命名
{
pRenameInfo = (PFILE_RENAME_INFORMATION)Data->Iopb->Parameters.SetFileInformation.InfoBuffer;
/*
//这也是可行的
wstrTest = ExAllocatePool(NonPagedPool,pRenameInfo->FileNameLength + 1);
if(wstrTest == NULL)
leave;
memset(wstrTest,'\0',pRenameInfo->FileNameLength + 1);
wcsncpy(wstrTest,pRenameInfo->FileName,pRenameInfo->FileNameLength);
DbgPrint("%ws\n",wstrTest);*/
status = FltGetDestinationFileNameInformation(Instance,Data->Iopb->TargetFileObject,pRenameInfo->RootDirectory,pRenameInfo->FileName,pRenameInfo->FileNameLength,FLT_FILE_NAME_NORMALIZED,&pOutReNameinfo);
if(!NT_SUCCESS(status))
{
DbgPrint("FltGetDestinationFileNameInformation is faild! 0x%x",status);
leave;
}
wcsncpy(¬ification->RePathName,pOutReNameinfo->Name.Buffer,pOutReNameinfo->Name.MaximumLength);
DbgPrint("重命名:%wZ\n",&pOutReNameinfo->Name);
FltReleaseFileNameInformation(pOutReNameinfo);
}
replyLength = sizeof( SCANNER_REPLY );
status = FltSendMessage( ScannerData.Filter,
&ScannerData.ClientPort,
notification,
sizeof(SCANNER_NOTIFICATION),
notification,
&replyLength,
NULL );
if (STATUS_SUCCESS == status) {
*SafeToOpen = ((PSCANNER_REPLY) notification)->SafeToOpen;
} else {
//
// Couldn't send message
//
DbgPrint( "!!! scanner.sys --- couldn't send message to user-mode to scan file, status 0x%X\n", status );
}
} finally {
if (NULL != notification) {
ExFreePoolWithTag( notification, 'nacS' );
}
if(NULL != pEprocess)
{
//ObfDereferenceObject(pEprocess);
}
if(NULL != uSProcessPath)
{
ExFreePool(uSProcessPath);
}
}
return status;
}
R3:
- // MiniFliter_MFCDlg.cpp : 实现文件
- //
- #include "stdafx.h"
- #include "MiniFliter_MFC.h"
- #include "MiniFliter_MFCDlg.h"
- #include "afxdialogex.h"
- #include "resource.h"
- #include <windows.h>
- #include <stdlib.h>
- #include <stdio.h>
- #include <winioctl.h>
- #include <string.h>
- #include <crtdbg.h>
- #include <assert.h>
- #include <fltuser.h>
- #include "../MiniFliter_Scaner/scanuk.h"
- #include "User.h"
- #include <dontuse.h>
- #include "PopupDlg.h"
- #pragma comment(lib,"fltlib.lib")
- #define SCANNER_DEFAULT_REQUEST_COUNT 5
- #define SCANNER_DEFAULT_THREAD_COUNT 2
- #define SCANNER_MAX_THREAD_COUNT 64
- typedef struct _SCANNER_THREAD_CONTEXT {
- HANDLE Port;
- HANDLE Completion;
- } SCANNER_THREAD_CONTEXT, *PSCANNER_THREAD_CONTEXT;
- HANDLE g_port = 0;
- #ifdef _DEBUG
- #define new DEBUG_NEW
- #endif
- // 用于应用程序“关于”菜单项的 CAboutDlg 对话框
- class CAboutDlg : public CDialogEx
- {
- public:
- CAboutDlg();
- // 对话框数据
- enum { IDD = IDD_ABOUTBOX };
- protected:
- virtual void DoDataExchange(CDataExchange* pDX); // DDX/DDV 支持
- // 实现
- protected:
- DECLARE_MESSAGE_MAP()
- public:
- //virtual INT_PTR DoModal();
- };
- CAboutDlg::CAboutDlg() : CDialogEx(CAboutDlg::IDD)
- {
- }
- void CAboutDlg::DoDataExchange(CDataExchange* pDX)
- {
- CDialogEx::DoDataExchange(pDX);
- }
- BEGIN_MESSAGE_MAP(CAboutDlg, CDialogEx)
- END_MESSAGE_MAP()
- // CMiniFliter_MFCDlg 对话框
- CMiniFliter_MFCDlg::CMiniFliter_MFCDlg(CWnd* pParent /*=NULL*/)
- : CDialogEx(CMiniFliter_MFCDlg::IDD, pParent)
- {
- m_hIcon = AfxGetApp()->LoadIcon(IDR_MAINFRAME);
- }
- void CMiniFliter_MFCDlg::DoDataExchange(CDataExchange* pDX)
- {
- CDialogEx::DoDataExchange(pDX);
- }
- BEGIN_MESSAGE_MAP(CMiniFliter_MFCDlg, CDialogEx)
- ON_WM_SYSCOMMAND()
- ON_WM_PAINT()
- ON_WM_QUERYDRAGICON()
- ON_BN_CLICKED(IDC_START, &CMiniFliter_MFCDlg::OnBnClickedStart)
- END_MESSAGE_MAP()
- // CMiniFliter_MFCDlg 消息处理程序
- BOOL CMiniFliter_MFCDlg::OnInitDialog()
- {
- CDialogEx::OnInitDialog();
- // 将“关于...”菜单项添加到系统菜单中。
- // IDM_ABOUTBOX 必须在系统命令范围内。
- ASSERT((IDM_ABOUTBOX & 0xFFF0) == IDM_ABOUTBOX);
- ASSERT(IDM_ABOUTBOX < 0xF000);
- CMenu* pSysMenu = GetSystemMenu(FALSE);
- if (pSysMenu != NULL)
- {
- BOOL bNameValid;
- CString strAboutMenu;
- bNameValid = strAboutMenu.LoadString(IDS_ABOUTBOX);
- ASSERT(bNameValid);
- if (!strAboutMenu.IsEmpty())
- {
- pSysMenu->AppendMenu(MF_SEPARATOR);
- pSysMenu->AppendMenu(MF_STRING, IDM_ABOUTBOX, strAboutMenu);
- }
- }
- // 设置此对话框的图标。当应用程序主窗口不是对话框时,框架将自动
- // 执行此操作
- SetIcon(m_hIcon, TRUE); // 设置大图标
- SetIcon(m_hIcon, FALSE); // 设置小图标
- return TRUE; // 除非将焦点设置到控件,否则返回 TRUE
- }
- void CMiniFliter_MFCDlg::OnSysCommand(UINT nID, LPARAM lParam)
- {
- if ((nID & 0xFFF0) == IDM_ABOUTBOX)
- {
- CAboutDlg dlgAbout;
- //dlgAbout.DoModal();
- }
- else
- {
- CDialogEx::OnSysCommand(nID, lParam);
- }
- }
- // 如果向对话框添加最小化按钮,则需要下面的代码
- // 来绘制该图标。对于使用文档/视图模型的 MFC 应用程序,
- // 这将由框架自动完成。
- void CMiniFliter_MFCDlg::OnPaint()
- {
- if (IsIconic())
- {
- CPaintDC dc(this); // 用于绘制的设备上下文
- SendMessage(WM_ICONERASEBKGND, reinterpret_cast<WPARAM>(dc.GetSafeHdc()), 0);
- // 使图标在工作区矩形中居中
- int cxIcon = GetSystemMetrics(SM_CXICON);
- int cyIcon = GetSystemMetrics(SM_CYICON);
- CRect rect;
- GetClientRect(&rect);
- int x = (rect.Width() - cxIcon + 1) / 2;
- int y = (rect.Height() - cyIcon + 1) / 2;
- // 绘制图标
- dc.DrawIcon(x, y, m_hIcon);
- }
- else
- {
- CDialogEx::OnPaint();
- }
- }
- //当用户拖动最小化窗口时系统调用此函数取得光标
- //显示。
- HCURSOR CMiniFliter_MFCDlg::OnQueryDragIcon()
- {
- return static_cast<HCURSOR>(m_hIcon);
- }
- DWORD HandData(LPCTSTR str)
- {
- CPopupDlg dlg;
- dlg.SetText(str);
- dlg.DoModal();
- if(dlg.m_Allow == TRUE)
- return 1;
- else
- return 0;
- }
- DWORD
- ScannerWorker(
- __in PSCANNER_THREAD_CONTEXT Context
- )
- {
- DWORD dwRet = 0;
- DWORD outSize = 0;
- HRESULT hr = 0;
- ULONG_PTR key = 0;
- BOOL result = TRUE;
- //CHAR strPop[MAX_PATH*2] = {0};
- WCHAR strOptions[50*2] = {0};//操作类型字符串
- WCHAR LastPath[MAX_PATH*2] = {0};
- BOOL LastResult = TRUE;
- LPOVERLAPPED pOvlp;
- PSCANNER_NOTIFICATION notification;
- SCANNER_REPLY_MESSAGE replyMessage;
- PSCANNER_MESSAGE message;
- //DWORD dwRet = 0;
- CString tip = NULL;
- memset(LastPath,'\0',MAX_PATH*2);
- #pragma warning(push)
- #pragma warning(disable:4127) // conditional expression is constant
- while (TRUE) {
- #pragma warning(pop)
- //
- // Poll for messages from the filter component to scan.
- //
- result = GetQueuedCompletionStatus( Context->Completion, &outSize, &key, &pOvlp, INFINITE );
- //
- // Obtain the message: note that the message we sent down via FltGetMessage() may NOT be
- // the one dequeued off the completion queue: this is solely because there are multiple
- // threads per single port handle. Any of the FilterGetMessage() issued messages can be
- // completed in random order - and we will just dequeue a random one.
- //
- message = CONTAINING_RECORD( pOvlp, SCANNER_MESSAGE, Ovlp );
- if (!result) {
- hr = HRESULT_FROM_WIN32( GetLastError() );
- break;
- }
- //printf( "Received message, size %d\n", pOvlp->InternalHigh );
- //tip.Format(L"Received message, size %d\n", pOvlp->InternalHigh );
- notification = &message->Notification;
- if(notification->Operation == 1)
- {
- if(wcsncmp(LastPath,notification->TargetPath,wcslen(notification->TargetPath))==0)
- {
- memset(LastPath,'\0',MAX_PATH*2);
- result = LastResult;
- goto EX;
- }
- }
- memset(strOptions,'\0',50);
- switch (notification->Operation)
- {
- case 1:
- wcscpy_s(strOptions,50,L"创建");
- break;
- case 2:
- wcscpy_s(strOptions,50,L"重命名");
- break;
- case 3:
- wcscpy_s(strOptions,50,L"删除");
- break;
- default:
- wcscpy_s(strOptions,50,L"爆炸");
- break;
- }
- //memset(strPop,'\0',MAX_PATH*2);
- if(notification->Operation == 2)
- {
- //sprintf(strPop,"进程:%S\r\n操作:%s\r\n目标:%S\r\n重名为:%S\r\n是否放行?",notification->ProcessPath,strOptions,notification->TargetPath,notification->RePathName);
- tip.Format(L"进程:%s\r\n操作:%s\r\n目标:%s\r\n重名为:%s\r\n是否放行?",notification->ProcessPath,strOptions,notification->TargetPath,notification->RePathName);
- }else
- {
- //sprintf(strPop,"进程:%S\r\n操作:%s\r\n目标:%S\r\n是否放行?",notification->ProcessPath,strOptions,notification->TargetPath);
- tip.Format(L"进程:%s\r\n操作:%s\r\n目标:%s\r\n是否放行?",notification->ProcessPath,strOptions,notification->TargetPath);
- }
- Sleep(1000);
- //dwRet = MessageBoxA(NULL,strPop,"监控到攻击行为",MB_YESNO);
- dwRet = HandData(tip);
- if(dwRet == 1)
- result = FALSE;
- else
- result = TRUE;
- LastResult = result;
- EX:
- wcsncpy_s(LastPath,MAX_PATH*2,notification->TargetPath,MAX_PATH*2);
- replyMessage.ReplyHeader.Status = 0;
- replyMessage.ReplyHeader.MessageId = message->MessageHeader.MessageId;
- replyMessage.Reply.SafeToOpen = !result;
- printf( "Replying message, ResultCode: %d\n", replyMessage.Reply.SafeToOpen );
- hr = FilterReplyMessage( Context->Port,
- (PFILTER_REPLY_HEADER) &replyMessage,
- sizeof( replyMessage ) );
- if (SUCCEEDED( hr )) {
- printf( "Replied message\n" );
- } else {
- printf( "Scanner: Error replying message. Error = 0x%X\n", hr );
- break;
- }
- memset( &message->Ovlp, 0, sizeof( OVERLAPPED ) );
- hr = FilterGetMessage( Context->Port,
- &message->MessageHeader,
- FIELD_OFFSET( SCANNER_MESSAGE, Ovlp ),
- &message->Ovlp );
- if (hr != HRESULT_FROM_WIN32( ERROR_IO_PENDING )) {
- break;
- }
- }
- if (!SUCCEEDED( hr )) {
- if (hr == HRESULT_FROM_WIN32( ERROR_INVALID_HANDLE )) {
- //
- // Scanner port disconncted.
- //
- printf( "Scanner: Port is disconnected, probably due to scanner filter unloading.\n" );
- } else {
- printf( "Scanner: Unknown error occured. Error = 0x%X\n", hr );
- }
- }
- free( message );
- return hr;
- }
- //此函数需放到线程中执行
- int InitFltUser()
- {
- DWORD dwDefRequestCount = SCANNER_DEFAULT_REQUEST_COUNT;
- DWORD dwDefThreadCount = SCANNER_DEFAULT_THREAD_COUNT;
- DWORD dwMaxThreadCount = SCANNER_MAX_THREAD_COUNT;
- SCANNER_THREAD_CONTEXT context;
- PSCANNER_MESSAGE msg;
- HANDLE threads[SCANNER_MAX_THREAD_COUNT];
- CString tip = NULL;
- DWORD threadId;
- DWORD i = 0;
- //连接到端口
- HRESULT hr = FilterConnectCommunicationPort(ScannerPortName,0,NULL,0,NULL,&g_port);
- if(IS_ERROR(hr))
- {
- AfxMessageBox(L"hr is null\n");
- return 0;
- }
- //为这个句柄创建一个Comption
- HANDLE completion = CreateIoCompletionPort( g_port,
- NULL,
- 0,
- dwDefThreadCount );
- if (completion == NULL)
- {
- tip.Format(L"ERROR: Creating completion port: %d\n", GetLastError());
- AfxMessageBox(tip);
- CloseHandle( g_port );
- return 0;
- }
- //tip.Format(L"Scanner: Port = 0x%p Completion = 0x%p\n", g_port, completion );
- //this->SetWindowTextW(tip);
- context.Port = g_port;
- context.Completion = completion;
- //创建规定的线程
- for (i = 0; i < dwDefThreadCount; i++)
- {
- //创建线程
- threads[i] = CreateThread( NULL,
- 0,
- (LPTHREAD_START_ROUTINE)ScannerWorker,
- &context,
- 0,
- &threadId );
- if (threads[i] == NULL)
- {
- hr = GetLastError();
- tip.Format(L"ERROR: Couldn't create thread: %d\n", hr );
- //this->SetWindowTextW(tip);
- goto main_cleanup;
- }
- for (DWORD j = 0; j < dwDefRequestCount; j++)
- {
- //
- // Allocate the message.
- //
- #pragma prefast(suppress:__WARNING_MEMORY_LEAK, "msg will not be leaked because it is freed in ScannerWorker")
- msg = (PSCANNER_MESSAGE)malloc( sizeof( SCANNER_MESSAGE ));
- if (msg == NULL) {
- hr = ERROR_NOT_ENOUGH_MEMORY;
- goto main_cleanup;
- }
- memset( &msg->Ovlp, 0, sizeof( OVERLAPPED ) );
- //
- // Request messages from the filter driver.
- //
- hr = FilterGetMessage( g_port,
- &msg->MessageHeader,
- FIELD_OFFSET( SCANNER_MESSAGE, Ovlp ),
- &msg->Ovlp );
- if (hr != HRESULT_FROM_WIN32( ERROR_IO_PENDING ))
- {
- free( msg );
- goto main_cleanup;
- }
- }
- }
- hr = S_OK;
- WaitForMultipleObjectsEx( i, threads, TRUE, INFINITE, FALSE );
- //返回线程数组和 数组个数
- main_cleanup:
- tip.Format(L"Scanner: All done. Result = 0x%08x\n", hr );
- //this->SetWindowTextW(tip);
- CloseHandle(g_port);
- CloseHandle(completion);
- return hr+1;
- }
- void CMiniFliter_MFCDlg::OnBnClickedStart()
- {
- CreateThread(NULL,0, (LPTHREAD_START_ROUTINE)InitFltUser,NULL,0,NULL);
- }
浙公网安备 33010602011771号