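// Experimental file-system hook: replace the IRP_MJ_CREATE dispatch entry of
// the driver that backs the C: volume, log every open, and forward it
// unchanged. Patching another driver's dispatch table is unsupported by the
// OS (and is what kernel-patch protection exists to catch); the supported
// way to observe opens is a file-system minifilter (FltRegisterFilter).
#include "Hookfilesystem.h"

// Handle to the volume opened in HookFileSystem(); closed before it returns.
HANDLE hFileHandle;
OBJECT_ATTRIBUTES ObjectAttrib;
// Device object backing the opened volume (set by HookFileSystem()).
PDEVICE_OBJECT pFileDeviceObject;
// Driver object whose IRP_MJ_CREATE entry was replaced; NULL until hooked.
// NOTE: despite its name this is a DRIVER_OBJECT, not a device object.
struct _DRIVER_OBJECT *pDeviceObject;
// Original IRP_MJ_CREATE handler, saved so the hook can forward to it and
// DriverUnload can put it back.
PDRIVER_DISPATCH RealCreateDispatch;

/**
 * Driver entry point: creates the control device and its Win32-visible
 * symbolic link, installs the dispatch/unload routines, then hooks the
 * file system.
 *
 * @param DriverObject  this driver's object, supplied by the I/O manager
 * @param RegistryPath  service registry key (unused)
 * @return STATUS_SUCCESS, or the failing IoCreateDevice/IoCreateSymbolicLink
 *         status. A HookFileSystem() failure is only logged, not reported.
 */
NTSTATUS DriverEntry(IN PDRIVER_OBJECT DriverObject, IN PUNICODE_STRING RegistryPath)
{
    UNICODE_STRING uniNameString, uniLinkString;
    NTSTATUS ntStatus;
    PDEVICE_OBJECT pControlDevice;

    UNREFERENCED_PARAMETER(RegistryPath);

    // Object-manager paths use backslashes; the device/link names below are
    // the ones this driver registers.
    RtlInitUnicodeString(&uniNameString, L"\\Device\\Shadow3");
    ntStatus = IoCreateDevice(DriverObject, 0, &uniNameString, FILE_DEVICE_UNKNOWN,
                              0, TRUE, &pControlDevice);
    if (!NT_SUCCESS(ntStatus)) {
        // Nothing to undo yet.
        return ntStatus;
    }

    // Win32-visible symbolic link to the control device.
    RtlInitUnicodeString(&uniLinkString, L"\\DosDevices\\shadow3");
    ntStatus = IoCreateSymbolicLink(&uniLinkString, &uniNameString);
    if (!NT_SUCCESS(ntStatus)) {
        // Undo the device creation so a failed load does not leave a
        // dangling device object behind (the original leaked it here).
        IoDeleteDevice(pControlDevice);
        return ntStatus;
    }

    // Dispatch and unload routines.
    DriverObject->MajorFunction[IRP_MJ_CREATE] = DriverDispatch;
    DriverObject->MajorFunction[IRP_MJ_CLOSE] = DriverDispatch;
    DriverObject->DriverUnload = DriverUnload;

    // Hook the file system. Failures are logged inside and leave the
    // globals untouched, so DriverUnload can tell nothing was hooked.
    HookFileSystem();
    return STATUS_SUCCESS;
}

/**
 * Create/close handler for the control device: completes the IRP with
 * STATUS_SUCCESS and no payload.
 *
 * @param DeviceObject  the control device (unused)
 * @param Irp           the create/close request to complete
 * @return STATUS_SUCCESS
 */
NTSTATUS DriverDispatch(IN PDEVICE_OBJECT DeviceObject, IN PIRP Irp)
{
    UNREFERENCED_PARAMETER(DeviceObject);

    Irp->IoStatus.Status = STATUS_SUCCESS;
    Irp->IoStatus.Information = 0;
    IoCompleteRequest(Irp, IO_NO_INCREMENT);
    // Do not read Irp after completion: the I/O manager may already have
    // freed it. Return the status we set rather than Irp->IoStatus.Status.
    return STATUS_SUCCESS;
}

/**
 * Unload routine: restores the hooked IRP_MJ_CREATE entry, then removes the
 * symbolic link and the control device.
 *
 * @param pDriverObject  this driver's object
 */
void DriverUnload(IN PDRIVER_OBJECT pDriverObject)
{
    UNICODE_STRING uniNameString;

    // Put the hooked driver's IRP_MJ_CREATE entry back before this image is
    // unmapped; otherwise every later open on the volume would jump into
    // freed code. The original never unhooked. An IRP that is already inside
    // HookCreateDispatch when we return cannot be waited for here (the hook
    // keeps no reference count), so unloading under load remains unsafe.
    if (pDeviceObject != NULL && RealCreateDispatch != NULL &&
        pDeviceObject->MajorFunction[IRP_MJ_CREATE] == HookCreateDispatch) {
        pDeviceObject->MajorFunction[IRP_MJ_CREATE] = RealCreateDispatch;
    }

    RtlInitUnicodeString(&uniNameString, L"\\DosDevices\\shadow3");
    IoDeleteSymbolicLink(&uniNameString);   // remove the Win32-visible link
    IoDeleteDevice(pDriverObject->DeviceObject);   // remove the control device
}

/**
 * Locates the driver that owns the C: volume and replaces its IRP_MJ_CREATE
 * dispatch entry with HookCreateDispatch, saving the original in
 * RealCreateDispatch. On any failure a message is logged and the globals
 * pDeviceObject/RealCreateDispatch are left unset.
 */
void HookFileSystem(void)
{
    UNICODE_STRING uniDeviceName;
    NTSTATUS ntStatus;
    IO_STATUS_BLOCK ioStatusBlock;
    PVOID pFileObject;

    RtlInitUnicodeString(&uniDeviceName, L"\\DosDevices\\C:\\");
    // OBJ_KERNEL_HANDLE keeps the handle out of reach of user-mode code in
    // whatever process context this runs in.
    InitializeObjectAttributes(&ObjectAttrib, &uniDeviceName,
                               OBJ_CASE_INSENSITIVE | OBJ_KERNEL_HANDLE, NULL, NULL);

    // Open the volume root as a directory.
    ntStatus = ZwCreateFile(&hFileHandle,
                            SYNCHRONIZE | FILE_ANY_ACCESS,
                            &ObjectAttrib,
                            &ioStatusBlock,
                            0,
                            0,
                            FILE_SHARE_READ | FILE_SHARE_WRITE,
                            FILE_OPEN,
                            FILE_SYNCHRONOUS_IO_NONALERT | FILE_DIRECTORY_FILE,
                            0,
                            0);
    if (!NT_SUCCESS(ntStatus)) {
        DbgPrint("ZwCreateFile Failed,ntstatus:%ld\n", ntStatus);
        return;
    }

    // Resolve the handle to its FILE_OBJECT. Passing *IoFileObjectType makes
    // the object manager reject a handle that is not a file object instead
    // of handing back an arbitrary object.
    ntStatus = ObReferenceObjectByHandle(hFileHandle, FILE_READ_DATA, *IoFileObjectType,
                                         KernelMode, &pFileObject, NULL);
    if (!NT_SUCCESS(ntStatus)) {
        ZwClose(hFileHandle);
        DbgPrint("ObReferenceObjectByHandle Failed,ntstatus:%ld\n", ntStatus);
        return;
    }

    // Find the device object that services this file object, then drop the
    // reference and the handle: only the driver object is kept.
    pFileDeviceObject = IoGetRelatedDeviceObject(pFileObject);
    ObDereferenceObject(pFileObject);
    ZwClose(hFileHandle);
    if (pFileDeviceObject == NULL) {
        DbgPrint("Get File Object Failed\n");
        return;
    }

    pDeviceObject = pFileDeviceObject->DriverObject;
    if (pDeviceObject->MajorFunction[IRP_MJ_CREATE] == HookCreateDispatch) {
        DbgPrint("already hook IRP_MJ_CREATE\n");
        return;
    }

    // Save the original IRP_MJ_CREATE handler, then install the hook.
    RealCreateDispatch = pDeviceObject->MajorFunction[IRP_MJ_CREATE];
    pDeviceObject->MajorFunction[IRP_MJ_CREATE] = HookCreateDispatch;
}

/**
 * Replacement IRP_MJ_CREATE handler: logs the target driver and file name,
 * then forwards the request to the saved original handler.
 *
 * @param DeviceObject  device the create was issued to
 * @param Irp           the create request
 * @return whatever the original handler returns (including STATUS_PENDING)
 */
NTSTATUS HookCreateDispatch(IN PDEVICE_OBJECT DeviceObject, IN PIRP Irp)
{
    PIO_STACK_LOCATION pIrpStack = IoGetCurrentIrpStackLocation(Irp);
    PFILE_OBJECT pFileObject = pIrpStack->FileObject;

    // UNICODE_STRINGs are counted, not NUL-terminated: "%S" on .Buffer can
    // read past the string and faults when Buffer is NULL (e.g. a volume
    // open). "%wZ" prints the counted string and tolerates NULL/empty.
    DbgPrint("DeviceName:%wZ\r\n", &DeviceObject->DriverObject->DriverName);
    if (pFileObject != NULL) {
        DbgPrint("FileName:%wZ\r\n", &pFileObject->FileName);
    }

    // Forward to the saved handler and propagate its status. The original
    // called it through inline assembly and then returned 0 unconditionally,
    // reporting success for failed opens and discarding STATUS_PENDING; a
    // plain C call is also correct on non-x86 builds.
    return RealCreateDispatch(DeviceObject, Irp);
}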