内核驱动编程,想在驱动级上Hook ZwCreateFile(),然后做点其他事情....
在入口DriverEntry先hook了这个函数
HOOK_SYSCALL(ZwCreateFile, MyZwCreateFile, OriZwCreateFile);
HOOK_SYSCALL 宏先取得 Zw* 函数的地址，由它得到对应的系统服务号(SSDT 索引)，然后把 SSDT 中该索引处的函数地址换成我们的 hook 函数地址，并把原来的地址保存到第三个参数(这里是 OriZwCreateFile)里，hook 函数内必须用它转调原函数。注意：这种直接改写 SSDT 的做法只适用于老的 32 位 Windows；在 x64 上内核补丁保护(PatchGuard/KPP)会检测到 SSDT 被修改并触发 bugcheck。
然后:
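/* Marker searched for in the object name of every ZwCreateFile call. */
static const WCHAR kBlockMarker[] = L"@L";

/*
 * NameContainsMarker - bounded search for kBlockMarker inside a counted
 * UNICODE_STRING body.
 *
 * buffer      - first WCHAR of the name (may be NULL, may be unterminated)
 * lengthBytes - UNICODE_STRING.Length, i.e. the byte count of valid data
 *
 * Returns TRUE if the marker occurs anywhere in the first lengthBytes bytes.
 * Unlike wcsstr() this never reads past lengthBytes, so an unterminated or
 * attacker-controlled buffer cannot make the hook over-read kernel memory.
 * The caller is responsible for probing [buffer, buffer + lengthBytes) first.
 */
static BOOLEAN NameContainsMarker(PCWCH buffer, USHORT lengthBytes)
{
    const SIZE_T markerChars = (sizeof(kBlockMarker) / sizeof(WCHAR)) - 1;
    const SIZE_T markerBytes = markerChars * sizeof(WCHAR);
    SIZE_T nameChars = lengthBytes / sizeof(WCHAR);
    SIZE_T i;

    if (buffer == NULL || nameChars < markerChars) {
        return FALSE;
    }
    for (i = 0; i + markerChars <= nameChars; i++) {
        if (RtlCompareMemory(&buffer[i], kBlockMarker, markerBytes) == markerBytes) {
            return TRUE;
        }
    }
    return FALSE;
}

/*
 * MyZwCreateFile - SSDT hook installed over ZwCreateFile by HOOK_SYSCALL in
 * DriverEntry.  Because the SSDT entry is shared, every NtCreateFile /
 * ZwCreateFile on the machine lands here, so the arguments may come straight
 * from an untrusted user-mode process and must be treated as hostile.
 *
 * Parameters are exactly those of ZwCreateFile and are forwarded unchanged.
 *
 * Returns STATUS_ACCESS_DENIED when the object name contains kBlockMarker,
 * otherwise whatever the saved original entry point OriZwCreateFile returns.
 *
 * Fixes relative to the earlier version of this hook:
 *   - the original function was never called and the non-matching path fell
 *     off the end of a non-void function (garbage NTSTATUS for every open);
 *   - STATUS_SEVERITY_ERROR (0x3) is a severity field, not a status code, and
 *     NT_SUCCESS(0x3) is true, so the "blocked" open was not actually blocked;
 *   - ObjectAttributes, ObjectName and Buffer were dereferenced with no NULL
 *     check, no ProbeForRead and no SEH, and wcsstr assumed a NUL-terminated
 *     buffer although UNICODE_STRING is length-counted.  Any user process
 *     could pass a bad pointer and bugcheck the machine, or an unterminated
 *     name and make the hook read past the buffer.
 *
 * NOTE(review): SSDT patching is unsupported and is detected by Kernel Patch
 * Protection on x64; this code is only viable on legacy 32-bit systems.
 */
NTSTATUS
MyZwCreateFile(
    OUT PHANDLE FileHandle,
    IN ACCESS_MASK DesiredAccess,
    IN POBJECT_ATTRIBUTES ObjectAttributes,
    OUT PIO_STATUS_BLOCK IoStatusBlock,
    IN PLARGE_INTEGER AllocationSize OPTIONAL,
    IN ULONG FileAttributes,
    IN ULONG ShareAccess,
    IN ULONG CreateDisposition,
    IN ULONG CreateOptions,
    IN PVOID EaBuffer OPTIONAL,
    IN ULONG EaLength)
{
    BOOLEAN blocked = FALSE;

    if (ObjectAttributes != NULL) {
        /* Zw* callers from kernel mode report KernelMode here; Nt* calls
         * from a user process report UserMode and must be probed. */
        KPROCESSOR_MODE previousMode = ExGetPreviousMode();

        __try {
            PUNICODE_STRING name;
            PCWCH buffer;
            USHORT lengthBytes;

            if (previousMode == UserMode) {
                ProbeForRead(ObjectAttributes, sizeof(OBJECT_ATTRIBUTES), sizeof(ULONG));
            }
            name = ObjectAttributes->ObjectName;
            if (name != NULL) {
                if (previousMode == UserMode) {
                    ProbeForRead(name, sizeof(UNICODE_STRING), sizeof(ULONG));
                }
                /* Capture Buffer/Length once: a racing user thread may
                 * rewrite the UNICODE_STRING after the probe, and the scan
                 * must only ever touch the range that was actually probed. */
                buffer = name->Buffer;
                lengthBytes = name->Length;
                if (buffer != NULL && previousMode == UserMode) {
                    ProbeForRead(buffer, lengthBytes, sizeof(WCHAR));
                }
                blocked = NameContainsMarker(buffer, lengthBytes);
            }
        } __except (EXCEPTION_EXECUTE_HANDLER) {
            /* Invalid or inaccessible pointer supplied by the caller: do not
             * decide anything on it, let the real ZwCreateFile reject it. */
            blocked = FALSE;
        }
    }

    if (blocked) {
        // do something i want
        return STATUS_ACCESS_DENIED;
    }

    /* Every other open is passed through to the saved original entry point. */
    return OriZwCreateFile(FileHandle,
                           DesiredAccess,
                           ObjectAttributes,
                           IoStatusBlock,
                           AllocationSize,
                           FileAttributes,
                           ShareAccess,
                           CreateDisposition,
                           CreateOptions,
                           EaBuffer,
                           EaLength);
}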
其实,我想说的是这个
wcsstr(ObjectAttributes->ObjectName->Buffer, L"@L")
wcsstr 在一个宽字符串 string 中搜索另一个宽字符串，但它要求两个字符串都以 NUL 结尾。
ObjectAttributes->ObjectName->Buffer 是正在打开的对象(文件)名，它属于一个 UNICODE_STRING：有效长度由 Length(字节数)给出，Buffer 并不保证以 NUL 结尾，而且当调用来自用户态时 ObjectAttributes、ObjectName、Buffer 都是用户态指针，解引用前必须判空并用 ProbeForRead 配合 __try/__except 校验，否则一个普通进程传个坏指针就能让系统蓝屏。
// OBJECT_ATTRIBUTES: the descriptor passed as the third argument of
// ZwCreateFile above.  Its layout must match the kernel's definition exactly;
// the hex values in the field comments are what the author observed while
// debugging one call, not properties of the structure.
typedef struct _OBJECT_ATTRIBUTES {
ULONG Length;// sizeof(OBJECT_ATTRIBUTES); observed 0x18 (24 bytes, consistent with a 32-bit build)
HANDLE RootDirectory;// observed 0 (NULL); presumably the name is then an absolute object path -- confirm
PUNICODE_STRING ObjectName;// pointer to the counted name; Buffer is NOT guaranteed to be NUL-terminated, use Length
ULONG Attributes;// OBJ_* flags; observed 0x40 -- TODO confirm which OBJ_* flag this is on the target SDK
PVOID SecurityDescriptor; // Points to type SECURITY_DESCRIPTOR; observed 0 (NULL)
PVOID SecurityQualityOfService; // Points to type SECURITY_QUALITY_OF_SERVICE; observed 0 (NULL)
} OBJECT_ATTRIBUTES;