[note] 贴一段能实现文件隐藏的Minifilter

最新推荐文章于 2020-05-22 09:02:41 发布
最新推荐文章于 2020-05-22 09:02:41 发布
阅读量192 收藏 1
点赞数
原文链接:http://www.cnblogs.com/Tbit/archive/2010/10/01/1839762.html
版权

#include <fltKernel.h>
#include <fltKernel.h>
#include <dontuse.h>
#include <suppress.h>

#pragma prefast(disable:__WARNING_ENCODE_MEMBER_FUNCTION_POINTER, "Not valid for kernel mode drivers")

PFLT_FILTER filterHandle;
PWCHAR prefixName = L"invisible";
ULONG prefixLength = 9;

/*************************************************************************
    Prototypes
*************************************************************************/

NTSTATUS DriverEntry ( __in PDRIVER_OBJECT DriverObject, __in PUNICODE_STRING RegistryPath );
NTSTATUS PtUnload ( __in FLT_FILTER_UNLOAD_FLAGS Flags );

FLT_POSTOP_CALLBACK_STATUS MjDirectoryControlPostOperation ( __inout PFLT_CALLBACK_DATA Data,
                                                             __in PCFLT_RELATED_OBJECTS FltObjects,
                                                             __in_opt PVOID CompletionContext,
                                                             __in FLT_POST_OPERATION_FLAGS Flags );

BOOLEAN hasPrefix( PWCHAR name, ULONG length );
   
#ifdef ALLOC_PRAGMA
#pragma alloc_text(INIT, DriverEntry)
#pragma alloc_text(PAGE, PtUnload)
#endif

CONST FLT_OPERATION_REGISTRATION Callbacks[] =
{
    { IRP_MJ_DIRECTORY_CONTROL,
      0,
      NULL,
      MjDirectoryControlPostOperation },

    { IRP_MJ_OPERATION_END }
};

CONST FLT_REGISTRATION FilterRegistration =
{
    sizeof( FLT_REGISTRATION ),         //  Size
    FLT_REGISTRATION_VERSION,           //  Version
    0,                                  //  Flags
    NULL,                               //  Context
    Callbacks,                          //  Operation callbacks
    PtUnload,                           //  MiniFilterUnload
    NULL,                               //  InstanceSetup
    NULL,                               //  InstanceQueryTeardown
    NULL,                               //  InstanceTeardownStart
    NULL,                               //  InstanceTeardownComplete
    NULL,                               //  GenerateFileName
    NULL,                               //  GenerateDestinationFileName
    NULL                                //  NormalizeNameComponent
};

NTSTATUS DriverEntry ( __in PDRIVER_OBJECT DriverObject, __in PUNICODE_STRING RegistryPath )
{
    NTSTATUS status;

    UNREFERENCED_PARAMETER( RegistryPath );

    status = FltRegisterFilter( DriverObject, &FilterRegistration, &filterHandle );

    if (NT_SUCCESS( status ))
    {
        status = FltStartFiltering( filterHandle );

        if (!NT_SUCCESS( status ))
        {
            FltUnregisterFilter( filterHandle );
        }
    }

    return status;
}

NTSTATUS PtUnload ( __in FLT_FILTER_UNLOAD_FLAGS Flags )
{
    UNREFERENCED_PARAMETER( Flags );
    PAGED_CODE();

    FltUnregisterFilter( filterHandle );

    return STATUS_SUCCESS;
}

FLT_POSTOP_CALLBACK_STATUS MjDirectoryControlPostOperation ( __inout PFLT_CALLBACK_DATA Data,
                                                             __in PCFLT_RELATED_OBJECTS FltObjects,
                                                             __in_opt PVOID CompletionContext,
                                                             __in FLT_POST_OPERATION_FLAGS Flags )
{
    ULONG length;
    ULONG nextOffset = 0;
    ULONG previousEntryWasDeleted = 0;
    PCHAR queryBuffer = 0;
    int modified = 0;
    int removedAllEntries = 1;

    PFILE_BOTH_DIR_INFORMATION currentFileInfo = 0;
    PFILE_BOTH_DIR_INFORMATION nextFileInfo = 0;
    PFILE_BOTH_DIR_INFORMATION previousFileInfo = 0;
   
    UNICODE_STRING fileName;
   
    UNREFERENCED_PARAMETER( FltObjects );
    UNREFERENCED_PARAMETER( CompletionContext );

    if( FlagOn( Flags, FLTFL_POST_OPERATION_DRAINING ) )
    {
        return FLT_POSTOP_FINISHED_PROCESSING;
    }
   
    if( Data->Iopb->MinorFunction == IRP_MN_QUERY_DIRECTORY &&
        Data->Iopb->Parameters.DirectoryControl.QueryDirectory.FileInformationClass == FileBothDirectoryInformation &&
        Data->Iopb->Parameters.DirectoryControl.QueryDirectory.Length > 0 &&
        NT_SUCCESS(Data->IoStatus.Status) )
    {
        currentFileInfo = (PFILE_BOTH_DIR_INFORMATION)Data->Iopb->Parameters.DirectoryControl.QueryDirectory.DirectoryBuffer;
        previousFileInfo = currentFileInfo;
           
        do
        {
            nextOffset = currentFileInfo->NextEntryOffset;
            nextFileInfo = (PFILE_BOTH_DIR_INFORMATION)((PCHAR)(currentFileInfo) + nextOffset);

            if( hasPrefix( currentFileInfo->FileName, currentFileInfo->FileNameLength ) )
            {
                if( nextOffset == 0 )
                {
                    previousFileInfo->NextEntryOffset = 0;
                }
                else
                {
                    previousFileInfo->NextEntryOffset = (ULONG)((PCHAR)currentFileInfo - (PCHAR)previousFileInfo) + nextOffset;
                }
               
                modified = 1;
                previousEntryWasDeleted = 1;
            }
            else
            {
                removedAllEntries = 0;

                if( !previousEntryWasDeleted )
                {
                    previousFileInfo = currentFileInfo;
                }
                previousEntryWasDeleted = 0;
            }
           
            currentFileInfo = nextFileInfo;
        } while( nextOffset != 0 );

        if( modified )
        {
            if( removedAllEntries )
            {
                Data->IoStatus.Status = STATUS_NO_MORE_FILES;
            }
            else
            {
                FltSetCallbackDataDirty( Data );
            }
        }
    }
   
    return FLT_POSTOP_FINISHED_PROCESSING;
}

BOOLEAN hasPrefix( PWCHAR name, ULONG length )
{
    ULONG i;
    ULONG wcharLength = length / 2;

    if( wcharLength < prefixLength )
    {
        return FALSE;
    }

    for( i=0; i<prefixLength; i++ )
    {
        if( name[i] != prefixName[i] )
            return FALSE;
    }
   
    return TRUE;
}

转载于:https://www.cnblogs.com/Tbit/archive/2010/10/01/1839762.html

a519609598
关注
  • 0
    点赞
  • 1
    收藏
    觉得还不错? 一键收藏
  • 0
    评论
win7 隐藏驱动编译于安装
飞鸟
10-25 1352
为了实现Win7下面,对目标文件隐藏,经过调试,一下代码可以实现相关的功能。 /*++ Copyright (c) 1999 - 2002 Microsoft Corporation Module Name: passThrough.c Abstract: This is the main module of the passThrough miniFilter
微过滤(minifilter)驱动实现文件隐藏增强版
fangshy的专栏
11-10 1128
微过滤驱动主要用于安全隔离盒累产品,通过收集资料,和各位高手的文章,具有参考意义的的文章主要输入下 看雪论套:https://bbs.pediy.com/thread-226174.htm 是一篇很有质量的文章,基本逻辑已经实现,入门级的如何新建工程,编译,签名与安装,可以参考其他教程,这里只把实践重遇到的问题进行总结与给出解决方案。现在先总结问题: 问题1:设置为保护,仍然可以删除文件和目录; 问题2、保护状态仍然可以通过鼠标右键新建文件夹与其他文件,只是内容为空,0字节大小; 问题3、发现目录
minifilter实现文件隐藏
feixi7358的博客
10-16 1526
我发到看雪上了   https://bbs.pediy.com/thread-226174.htm
驱动用MiniFilter隐藏指定类型的文件.rar
09-10
驱动用MiniFilter隐藏指定类型的文件.rar
minifilter实现文件隐藏,很全,有源代码
04-20
里面是用windows驱动驱动的minifilter框架实现文件隐藏功能,里面有六个条目,前两个条目分别是驱动层和应用层的源代码;接下来的两个文件时应用层的文件(一个是配置文件,一个是exe应用层文件),InstMiniDrv是加载minifilter驱动的文件,最后一个是生成的驱动文件,ps(以上文件在启动时都要以管理员权限启动,不然会失败,因为驱动的加载要用管理员权限才行)
精选_基于Minifilter实现文件隐藏_源码打包
03-10
本教程将深入探讨如何基于Minifilter技术实现文件隐藏,并提供源码打包,供开发者参考学习。 Minifilter,全称为“迷你过滤驱动”,是微软Windows操作系统内核层过滤驱动的一种轻量级实现。它作为文件系统过滤驱动...
文件系统Minifilter驱动(WDK翻译)技术详解
07-10
Minifilter驱动是Microsoft开发的,作为传统File System Filter Driver(FSD)的轻量级替代方案,主要用于实现文件系统过滤、日志记录、数据加密等高级功能。在Windows Driver Kit(WDK)中,提供了详细的文档和示例...
minifilter 文件透明加密源码
08-05
基于minifilter框架下的透明加解密源码。 1 手工加载时自动增加system,explorer.exe,notepad.exe为监控进程
基于minifilter的分布式驱动级文件透明加解密案例
09-28
这是我参加中国软件杯比赛时写的基于驱动的文件透明加...驱动在系统内核级别对磁盘文件进行加密和解密,客户端实现了驱动的管理和通信,服务器端实现了加解密策略的定制,访问授权等。现在共享给需要研究驱动的同学。
FileFilter-文件隐藏.rar
08-28
基于minifilter文件隐藏 已测试过 R0与R3代码.. 【注意下载完进行评论时,要选择评论框上面的星级,这样减掉的分不仅能原数返回,而且还能多赠1分】
miniFilter(所有框架代码以及对应的PPT资料,可以直接拿来进行修改即可完成各种驱动)
07-24
miniFilter(所有框架代码以及对应的PPT资料,可以直接拿来进行修改即可完成各种驱动)
驱动级文件隐藏技术
03-25
驱动级文件隐藏技术 让你的文件资源深藏电脑之中
x64驱动遍历 DPC 定时器
LYSM
05-22 761
目的 拿到类似于 PChunter 中的信息: 过程 首先,要拿到系统的 _KPRCB ,也就是 KiProcessorBlock 的地址: 我这里显示了 4 地址,这是因为我的 CPU 是 4 核 —— (垃圾电脑勿喷) 对于 KiProcessorBlock 这个 API , Windows 没有导出: 但是可以通过另一种办法获取到这个地址: // 获取特殊寄存器中的值,拿 _KPRCB ULONG64 PrcbAddress = (ULONG64)__readmsr(0xC0000101)
青松卓然 js2854的博客 [MiniFilter]驱动隐藏文件夹的实现(支持Win7)
blackbean的专栏
07-18 2548
青松卓然 js2854的博客 [MiniFilter]驱动隐藏文件夹的实现(支持Win7) http://www.cnblogs.com/js2854/archive/2010/11/03/HideDir.html 刚完成一个利用驱动隐藏文件夹的程序,隐藏文件的类似,现在出来共享给大家。 代码相对比较简单,我是在别人代码的基础上改的。 因为现在在网上找到的代码
基于Minifilter框架的文件过滤驱动理解
weixin_34029949的博客
05-20 151
基于Minifilter框架的文件过滤驱动理解 转载于:https://www.cnblogs.com/endenvor/p/9063375.html
【windows内核驱动开发】文件系统微过滤驱动Minifilter——绑定指定的卷(磁盘分区)
zcr214的博客
11-28 4074
【我的】文件系统微过滤驱动Minifilter——绑定指定的卷(磁盘分区) 作者:zcr214 时间:2016/4/21   在编写文件系统微过滤驱动minifilter的时候,很有可能我们只对某一个特定的磁盘分区感兴趣,而其他的如系统盘的很多IRP对于我们要编写的驱动可能是不关注的,所以有必要使得我们的驱动只绑定指定的这个卷,从而减少其他的IRP带来的干扰,节省很多处理流程,比如系统盘的很
minifilter框架监控文件创建框架
Cosmopolitan的博客
09-20 1367
#include <fltKernel.h> #include <dontuse.h> #include <suppress.h> #pragma prefast(disable:__WARNING_ENCODE_MEMBER_FUNCTION_POINTER, "Not valid for kernel mode drivers") PFLT_FILT...
面向Windows的文件透明加解密解决方案(3)——透明加解密驱动程序一
某熊的技术之路
05-31 5260
Windows 操作系统是基于分层思路设计的,每层由若干个组件组成。如图2.1.1,Windows 操作系统简化图所示,Windows 操作系统总体上分为用户层和内核层,内核层的接口对用户层的应用程序提供服务。在用户层,应用程序各自调用相应的Win32 子系统,Win32 子系统将应用程序调用的API 接口转化为Native API 接口。在Native API 接口中调用转化为对系统服务函数的调
使用minifilter 双缓存机制实现透明加解密处理完整代码
最新发布
05-25
很抱歉,我无法为您提供完整的代码。但是,我可以为您提供一个简单的示例,以说明如何使用minifilter双缓存机制实现透明加解密处理。 在此示例中,我们将使用minifilter驱动程序来拦截文件访问,并使用双缓存机制对文件进行加解密处理。我们将使用AES算法进行加解密,并使用Windows CryptoAPI来实现加解密过程。 以下是示例代码的主要部分: ```c // 定义双缓存结构体 typedef struct _DOUBLE_BUFFER { PVOID DataBuffer; // 数据缓存 ULONG DataLength; // 数据长度 PVOID AuxBuffer; // 辅助缓存 ULONG AuxLength; // 辅助缓存长度 ULONG TotalLength; // 数据总长度 CRITICAL_SECTION Lock; // 互斥锁 } DOUBLE_BUFFER, *PDOUBLE_BUFFER; // 初始化双缓存 NTSTATUS InitializeDoubleBuffer(PDOUBLE_BUFFER pBuffer, ULONG TotalLength) { NTSTATUS status = STATUS_SUCCESS; pBuffer->DataBuffer = ExAllocatePoolWithTag(NonPagedPool, TotalLength, 'Tag1'); if (pBuffer->DataBuffer == NULL) { status = STATUS_INSUFFICIENT_RESOURCES; goto Exit; } pBuffer->DataLength = 0; pBuffer->AuxBuffer = ExAllocatePoolWithTag(NonPagedPool, TotalLength, 'Tag2'); if (pBuffer->AuxBuffer == NULL) { status = STATUS_INSUFFICIENT_RESOURCES; goto Exit; } pBuffer->AuxLength = 0; pBuffer->TotalLength = TotalLength; InitializeCriticalSection(&pBuffer->Lock); Exit: if (!NT_SUCCESS(status)) { if (pBuffer->DataBuffer != NULL) { ExFreePoolWithTag(pBuffer->DataBuffer, 'Tag1'); } if (pBuffer->AuxBuffer != NULL) { ExFreePoolWithTag(pBuffer->AuxBuffer, 'Tag2'); } } return status; } // 销毁双缓存 VOID DestroyDoubleBuffer(PDOUBLE_BUFFER pBuffer) { if (pBuffer->DataBuffer != NULL) { ExFreePoolWithTag(pBuffer->DataBuffer, 'Tag1'); } if (pBuffer->AuxBuffer != NULL) { ExFreePoolWithTag(pBuffer->AuxBuffer, 'Tag2'); } DeleteCriticalSection(&pBuffer->Lock); } // 读取文件到缓存 NTSTATUS ReadFileToBuffer(PFLT_CALLBACK_DATA Data, PFLT_RELATED_OBJECTS FltObjects, PVOID* pBuffer, PULONG pLength) { NTSTATUS status = STATUS_SUCCESS; HANDLE hFile = NULL; OBJECT_ATTRIBUTES objAttr; IO_STATUS_BLOCK ioStatus; FILE_STANDARD_INFORMATION fileInfo; LARGE_INTEGER byteOffset; ULONG length = 0; ULONG bytesRead = 0; InitializeObjectAttributes(&objAttr, &Data->Iopb->TargetFileObject->FileName, OBJ_CASE_INSENSITIVE | OBJ_KERNEL_HANDLE, NULL, NULL); status = FltCreateFile(FltObjects->Instance, FltObjects->FileObject, &hFile, FILE_READ_DATA, &objAttr, &ioStatus, NULL, FILE_ATTRIBUTE_NORMAL, FILE_SHARE_READ, FILE_OPEN, FILE_NON_DIRECTORY_FILE, NULL, 0, IO_IGNORE_SHARE_ACCESS_CHECK); if (!NT_SUCCESS(status)) { goto Exit; } status = ZwQueryInformationFile(hFile, &ioStatus, &fileInfo, sizeof(fileInfo), FileStandardInformation); if (!NT_SUCCESS(status)) { goto Exit; } length = (ULONG)fileInfo.EndOfFile.QuadPart; *pBuffer = ExAllocatePoolWithTag(NonPagedPool, length, 'Tag3'); if (*pBuffer == NULL) { status = STATUS_INSUFFICIENT_RESOURCES; goto Exit; } byteOffset.QuadPart = 0; status = ZwReadFile(hFile, NULL, NULL, NULL, &ioStatus, *pBuffer, length, &byteOffset, NULL); if (!NT_SUCCESS(status)) { goto Exit; } bytesRead = (ULONG)ioStatus.Information; if (bytesRead != length) { status = STATUS_FILE_CORRUPT_ERROR; goto Exit; } *pLength = length; Exit: if (hFile != NULL) { ZwClose(hFile); } if (!NT_SUCCESS(status) && *pBuffer != NULL) { ExFreePoolWithTag(*pBuffer, 'Tag3'); *pBuffer = NULL; *pLength = 0; } return status; } // 写入缓存到文件 NTSTATUS WriteBufferToFile(PFLT_CALLBACK_DATA Data, PFLT_RELATED_OBJECTS FltObjects, PVOID pBuffer, ULONG Length) { NTSTATUS status = STATUS_SUCCESS; HANDLE hFile = NULL; OBJECT_ATTRIBUTES objAttr; IO_STATUS_BLOCK ioStatus; LARGE_INTEGER byteOffset; InitializeObjectAttributes(&objAttr, &Data->Iopb->TargetFileObject->FileName, OBJ_CASE_INSENSITIVE | OBJ_KERNEL_HANDLE, NULL, NULL); status = FltCreateFile(FltObjects->Instance, FltObjects->FileObject, &hFile, FILE_WRITE_DATA, &objAttr, &ioStatus, NULL, FILE_ATTRIBUTE_NORMAL, FILE_SHARE_READ | FILE_SHARE_WRITE, FILE_OPEN_IF, FILE_NON_DIRECTORY_FILE, NULL, 0, IO_IGNORE_SHARE_ACCESS_CHECK); if (!NT_SUCCESS(status)) { goto Exit; } byteOffset.QuadPart = 0; status = ZwWriteFile(hFile, NULL, NULL, NULL, &ioStatus, pBuffer, Length, &byteOffset, NULL); if (!NT_SUCCESS(status)) { goto Exit; } Exit: if (hFile != NULL) { ZwClose(hFile); } return status; } // AES加密 NTSTATUS EncryptData(PVOID pData, ULONG Length, PVOID pKey, ULONG KeyLength) { NTSTATUS status = STATUS_SUCCESS; HCRYPTPROV hProv = 0; HCRYPTKEY hKey = 0; ULONG blockSize = 0; ULONG bufferLength = 0; PVOID pBuffer = NULL; // 获取加密算法的块大小 if (!CryptAcquireContext(&hProv, NULL, NULL, PROV_RSA_AES, CRYPT_VERIFYCONTEXT)) { status = STATUS_INTERNAL_ERROR; goto Exit; } if (!CryptCreateHash(hProv, CALG_SHA_256, 0, 0, NULL, NULL)) { status = STATUS_INTERNAL_ERROR; goto Exit; } if (!CryptDeriveKey(hProv, CALG_AES_256, NULL, 0, &hKey)) { status = STATUS_INTERNAL_ERROR; goto Exit; } if (!CryptGetKeyParam(hKey, KP_BLOCKLEN, (PBYTE)&blockSize, &bufferLength, 0)) { status = STATUS_INTERNAL_ERROR; goto Exit; } // 分配缓存 bufferLength = ROUND_UP(Length, blockSize); pBuffer = ExAllocatePoolWithTag(NonPagedPool, bufferLength, 'Tag4'); if (pBuffer == NULL) { status = STATUS_INSUFFICIENT_RESOURCES; goto Exit; } RtlZeroMemory(pBuffer, bufferLength); RtlCopyMemory(pBuffer, pData, Length); // 加密数据 if (!CryptEncrypt(hKey, NULL, TRUE, 0, (PBYTE)pBuffer, &Length, bufferLength)) { status = STATUS_INTERNAL_ERROR; goto Exit; } RtlCopyMemory(pData, pBuffer, Length); Exit: if (hKey != 0) { CryptDestroyKey(hKey); } if (hProv != 0) { CryptReleaseContext(hProv, 0); } if (pBuffer != NULL) { ExFreePoolWithTag(pBuffer, 'Tag4'); } return status; } // AES解密 NTSTATUS DecryptData(PVOID pData, ULONG Length, PVOID pKey, ULONG KeyLength) { NTSTATUS status = STATUS_SUCCESS; HCRYPTPROV hProv = 0; HCRYPTKEY hKey = 0; ULONG blockSize = 0; ULONG bufferLength = 0; PVOID pBuffer = NULL; // 获取解密算法的块大小 if (!CryptAcquireContext(&hProv, NULL, NULL, PROV_RSA_AES, CRYPT_VERIFYCONTEXT)) { status = STATUS_INTERNAL_ERROR; goto Exit; } if (!CryptCreateHash(hProv, CALG_SHA_256, 0, 0, NULL, NULL)) { status = STATUS_INTERNAL_ERROR; goto Exit; } if (!CryptDeriveKey(hProv, CALG_AES_256, NULL, 0, &hKey)) { status = STATUS_INTERNAL_ERROR; goto Exit; } if (!CryptGetKeyParam(hKey, KP_BLOCKLEN, (PBYTE)&blockSize, &bufferLength, 0)) { status = STATUS_INTERNAL_ERROR; goto Exit; } // 分配缓存 bufferLength = ROUND_UP(Length, blockSize); pBuffer = ExAllocatePoolWithTag(NonPagedPool, bufferLength, 'Tag5'); if (pBuffer == NULL) { status = STATUS_INSUFFICIENT_RESOURCES; goto Exit; } RtlZeroMemory(pBuffer, bufferLength); RtlCopyMemory(pBuffer, pData, Length); // 解密数据 if (!CryptDecrypt(hKey, NULL, TRUE, 0, (PBYTE)pBuffer, &Length)) { status = STATUS_INTERNAL_ERROR; goto Exit; } RtlCopyMemory(pData, pBuffer, Length); Exit: if (hKey != 0) { CryptDestroyKey(hKey); } if (hProv != 0) { CryptReleaseContext(hProv, 0); } if (pBuffer != NULL) { ExFreePoolWithTag(pBuffer, 'Tag5'); } return status; } // 处理文件读取操作 FLT_PREOP_CALLBACK_STATUS PreReadCallback(PFLT_CALLBACK_DATA Data, PCFLT_RELATED_OBJECTS FltObjects, PVOID* CompletionContext) { NTSTATUS status = STATUS_SUCCESS; PFILE_OBJECT pFileObject = FltObjects->FileObject; PVOID pBuffer = NULL; ULONG length = 0; PDOUBLE_BUFFER pDoubleBuffer = NULL; // 检查文件对象是否是普通文件 if ((pFileObject->Flags & FO_STREAM_FILE) != 0) { goto Exit; } // 检查文件大小是否超过双缓存的总长度 if (pFileObject->SectionObjectPointer->FileSize.QuadPart > MAX_DOUBLE_BUFFER_LENGTH) { goto Exit; } // 创建双缓存 pDoubleBuffer = ExAllocatePoolWithTag(NonPagedPool, sizeof(DOUBLE_BUFFER), 'Tag6'); if (pDoubleBuffer == NULL) { status = STATUS_INSUFFICIENT_RESOURCES; goto Exit; } status = InitializeDoubleBuffer(pDoubleBuffer, (ULONG)pFileObject->SectionObjectPointer->FileSize.QuadPart); if (!NT_SUCCESS(status)) { goto Exit; } // 读取文件到缓存 status = ReadFileToBuffer(Data, FltObjects, &pDoubleBuffer->DataBuffer, &pDoubleBuffer->DataLength); if (!NT_SUCCESS(status)) { goto Exit; } // 复制数据到辅助缓存 EnterCriticalSection(&pDoubleBuffer->Lock); RtlCopyMemory(pDoubleBuffer->AuxBuffer, pDoubleBuffer->DataBuffer, pDoubleBuffer->DataLength); pDoubleBuffer->AuxLength = pDoubleBuffer->DataLength; LeaveCriticalSection(&pDoubleBuffer->Lock); // 加密缓存中的数据 status = EncryptData(pDoubleBuffer->DataBuffer, pDoubleBuffer->DataLength, g_Key, g_KeyLength); if (!NT_SUCCESS(status)) { goto Exit; } // 将双缓存设置为完成上下文 *CompletionContext = pDoubleBuffer; Exit: if (!NT_SUCCESS(status)) { if (pDoubleBuffer != NULL) { DestroyDoubleBuffer(pDoubleBuffer); ExFreePoolWithTag(pDoubleBuffer, 'Tag6'); } Data->IoStatus.Status = status; return FLT_PREOP_COMPLETE; } return FLT_PREOP_SYNCHRONIZE; } // 处理文件写入操作 FLT_POSTOP_CALLBACK_STATUS PostWriteCallback(PFLT_CALLBACK_DATA Data, PCFLT_RELATED_OBJECTS FltObjects, PVOID CompletionContext, FLT_POST_OPERATION_FLAGS Flags) { NTSTATUS status = STATUS_SUCCESS; PFILE_OBJECT pFileObject = FltObjects->FileObject; PDOUBLE_BUFFER pDoubleBuffer = (PDOUBLE_BUFFER)CompletionContext; // 检查文件对象是否是普通文件 if ((pFileObject->Flags & FO_STREAM_FILE) != 0) { goto Exit; } // 复制数据到辅助缓存 EnterCriticalSection(&pDoubleBuffer->Lock); RtlCopyMemory(pDoubleBuffer->AuxBuffer, pDoubleBuffer->DataBuffer, pDoubleBuffer->DataLength); pDoubleBuffer->AuxLength = pDoubleBuffer->DataLength; LeaveCriticalSection(&pDoubleBuffer->Lock); // 解密辅助缓存中的数据 status = DecryptData(pDoubleBuffer->AuxBuffer, pDoubleBuffer->AuxLength, g_Key, g_KeyLength); if (!NT_SUCCESS(status)) { goto Exit; } // 写入缓存到文件 status = WriteBufferToFile(Data, FltObjects, pDoubleBuffer->AuxBuffer, pDoubleBuffer->AuxLength); if (!NT_SUCCESS(status)) { goto Exit; } Exit: if (pDoubleBuffer != NULL) { DestroyDoubleBuffer(pDoubleBuffer); ExFreePoolWithTag(pDoubleBuffer, 'Tag6'); } Data->IoStatus.Status = status; return FLT_POSTOP_FINISHED_PROCESSING; } // 注册minifilter回调 FLT_PREOP_CALLBACK_STATUS PreOperationCallback(PFLT_CALLBACK_DATA Data, PCFLT_RELATED_OBJECTS FltObjects, PVOID* CompletionContext) { switch (Data->Iopb->MajorFunction) { case IRP_MJ_READ: return PreReadCallback(Data, FltObjects, CompletionContext); default: return FLT_PREOP_SUCCESS_WITH_CALLBACK; } } FLT_POSTOP_CALLBACK_STATUS PostOperationCallback(PFLT_CALLBACK_DATA Data, PCFLT_RELATED_OBJECTS FltObjects, PVOID CompletionContext, FLT_POST_OPERATION_FLAGS Flags) { switch (Data->Iopb->MajorFunction) { case IRP_MJ_WRITE: return PostWriteCallback(Data, FltObjects, CompletionContext, Flags); default: return FLT_POSTOP_FINISHED_PROCESSING; } } // 注册minifilter驱动程序 NTSTATUS DriverEntry(PDRIVER_OBJECT DriverObject, PUNICODE_STRING RegistryPath) { NTSTATUS status = STATUS_SUCCESS; PFLT_FILTER pFilter = NULL; OBJECT_ATTRIBUTES objAttr; UNICODE_STRING uniString; // 初始化互斥锁 InitializeCriticalSection(&g_Lock); // 初始化加密密钥 RtlInitUnicodeString(&uniString, L"Password"); status = BCryptGenerateSymmetricKey(&g_hKey, &g_Algorithm, NULL, 0, (PUCHAR)uniString.Buffer, uniString.Length, 0); if (!NT_SUCCESS(status)) { goto Exit; } // 创建过滤器 RtlInitUnicodeString(&uniString, L"FileEncryptionFilter"); InitializeObjectAttributes(&objAttr, NULL, OBJ_KERNEL_HANDLE, NULL, NULL); status = FltCreateFilter(&g_FilterHandle, FLT_REGISTRATION_VERSION, &g_FilterRegistration, &g_FilterContext, &pFilter); if (!NT_SUCCESS(status)) { goto Exit; } // 注册回调函数 status = FltRegisterFilter(pFilter, DriverObject, &uniString, &g_FilterHandle); if (!NT_SUCCESS(status)) { goto Exit; } status = FltStartFiltering(pFilter); if (!NT_SUCCESS(status)) { goto Exit; } Exit: if (!NT_SUCCESS(status)) { if (g_hKey != NULL) { BCryptDestroyKey(g_hKey); g_hKey = NULL; } if (pFilter != NULL) { FltUnregisterFilter(pFilter); } if (g_FilterHandle != NULL) { FltClose(g_FilterHandle); } DeleteCriticalSection(&g_Lock); } return status; } // 卸载minifilter驱动程序 VOID DriverUnload(PDRIVER_OBJECT DriverObject) { PFLT_FILTER pFilter = NULL; if (g_FilterHandle != NULL) { FltGetFilterFromInstance(g_FilterHandle, &pFilter); FltStopFiltering(pFilter); FltUnregisterFilter(pFilter); FltClose(g_FilterHandle); } if (g_hKey != NULL) { BCryptDestroyKey(g_hKey); g_hKey = NULL; } DeleteCriticalSection(&g_Lock); } ``` 这只是一个简单的示例,实际实现中可能需要更多的代码来处理各种情况和错误。此外,请注意,此示例仅用于演示目的,并且未经过完整测试或优化,因此可能存在问题。

“相关推荐”对你有帮助么?

  • 非常没帮助
  • 没帮助
  • 一般
  • 有帮助
  • 非常有帮助
提交
评论
添加红包

请填写红包祝福语或标题

红包个数最小为10个

红包金额最低5元

当前余额3.43前往充值 >
需支付:10.00
成就一亿技术人!
领取后你会自动成为博主和红包主的粉丝 规则
hope_wisdom
发出的红包
实付
使用余额支付
点击重新获取
扫码支付
钱包余额 0

抵扣说明:

1.余额是钱包充值的虚拟货币,按照1:1的比例进行支付金额的抵扣。
2.余额无法直接购买下载,可以购买VIP、付费专栏及课程。

余额充值