使用Legacy Filters过滤创建和打开命名管道

之前写的几种方法都不够正规，这次改用设备过滤器（legacy filter，通过 IoAttachDevice 挂接到 \Device\NamedPipe）来拦截命名管道的创建和打开。需要说明的是，下面的代码只是把请求记录下来再原样下发，并没有真正拒绝任何创建/打开；要阻断某个请求，应在 dispatch 例程中直接以 STATUS_ACCESS_DENIED 完成 IRP 而不再下发。另外，在 Windows 8 及以上版本，受支持的做法是注册带 FLTFL_REGISTRATION_SUPPORT_NPFS_MSFS 标志的 minifilter。下面是效果图
在这里插入图片描述

代码:

#include "ntifs.h"

/*
 * Per-device context stored in the filter device object's extension.
 * LowerDeviceObject is the \Device\NamedPipe object handed back by
 * IoAttachDevice; every dispatch routine forwards IRPs to it and
 * DriverUnload detaches from it.
 */
typedef struct
{
	PDEVICE_OBJECT LowerDeviceObject;
}DEVICE_EXTENSION,*PDEVICE_EXTENSION;

/* The single filter device this driver creates. NULL until InitAttachDevice
 * succeeds, and set back to NULL when the attach fails or on unload. */
PDEVICE_OBJECT g_MyFilterDevice = NULL;
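/*
 * DriverUnload: detach the filter from \Device\NamedPipe and delete it.
 *
 * Takes the lower device from the global filter device's own extension
 * rather than from DriverObject->DeviceObject, so the detach target is the
 * object we attached (this driver only ever creates one device, so the two
 * are the same object today, but the global is the one InitAttachDevice
 * actually publishes).
 *
 * NOTE(review): a legacy filter that unloads while IRPs it forwarded are
 * still in flight can crash the machine. This sample does not track
 * outstanding requests (e.g. with an IO_REMOVE_LOCK), so treat unload as a
 * lab-only convenience, not something a production filter should allow.
 */
void DriverUnload(PDRIVER_OBJECT DriverObject)
{
	UNREFERENCED_PARAMETER(DriverObject);

	DbgPrint("Npfs Filter Driver Unloadiang\n");

	if (g_MyFilterDevice == NULL)
	{
		return;
	}

	PDEVICE_EXTENSION Ext = (PDEVICE_EXTENSION)g_MyFilterDevice->DeviceExtension;

	/* Detach before delete; the attach chain must be torn down first. */
	if (Ext->LowerDeviceObject != NULL)
	{
		IoDetachDevice(Ext->LowerDeviceObject);
		Ext->LowerDeviceObject = NULL;
	}

	IoDeleteDevice(g_MyFilterDevice);
	g_MyFilterDevice = NULL;
}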

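/*
 * CommonDispath: pass-through dispatch for every major function this filter
 * does not inspect.
 *
 * No completion routine is registered here, so the IRP is forwarded with
 * IoSkipCurrentIrpStackLocation: the lower driver reuses our stack location
 * instead of receiving a copy. Copying (the original behaviour) is only
 * required when a completion routine is set on the next location.
 *
 * Returns whatever the lower driver returns from IoCallDriver.
 */
NTSTATUS CommonDispath(PDEVICE_OBJECT Device, PIRP Irp)
{
	PDEVICE_EXTENSION Ext = (PDEVICE_EXTENSION)Device->DeviceExtension;

	IoSkipCurrentIrpStackLocation(Irp);
	return IoCallDriver(Ext->LowerDeviceObject, Irp);
}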

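/*
 * FilterCreateNamedPipeCompletion: completion routine for a forwarded
 * IRP_MJ_CREATE_NAMED_PIPE. It is not registered by default (the
 * IoSetCompletionRoutine call in FilterCreateNamedPipeRoutine is commented
 * out); when enabled it is where the outcome of a pipe creation can be seen.
 *
 * A completion routine may run at up to DISPATCH_LEVEL: DbgPrint is fine
 * there, anything that waits or touches pageable memory is not.
 *
 * Device and Context are unused.
 *
 * Returns STATUS_CONTINUE_COMPLETION so the I/O manager keeps completing
 * the IRP. Any value other than STATUS_MORE_PROCESSING_REQUIRED has that
 * effect, but echoing Irp->IoStatus.Status back is unidiomatic and invites
 * confusion with the IRP's own result; the documented constant is used.
 */
NTSTATUS FilterCreateNamedPipeCompletion(PDEVICE_OBJECT Device, PIRP Irp, PVOID Context)
{
	UNREFERENCED_PARAMETER(Device);
	UNREFERENCED_PARAMETER(Context);

	if (Irp->IoStatus.Status == STATUS_SUCCESS)
	{
		DbgPrint("FilterCreateNamedPipeCompletion success\n");
	}

	/* Required of every completion routine: propagate a pending return
	 * from the lower driver up to our caller's stack location. */
	if (Irp->PendingReturned)
	{
		IoMarkIrpPending(Irp);
	}

	return STATUS_CONTINUE_COMPLETION;
}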

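/*
 * FilterCreateRoutine: IRP_MJ_CREATE hook. Logs the name being opened under
 * \Device\NamedPipe and forwards the request unchanged.
 *
 * Security notes:
 *  - FileName is caller-controlled: any user-mode process can attempt to
 *    open \\.\pipe\<anything>. %wZ prints it bounded by Length, so logging
 *    it is safe; never treat FileName.Buffer as a NUL-terminated string.
 *  - This routine only observes. To actually deny an open, do not forward
 *    the IRP: set Irp->IoStatus.Status = STATUS_ACCESS_DENIED and
 *    Irp->IoStatus.Information = 0, call IoCompleteRequest(Irp,
 *    IO_NO_INCREMENT) and return STATUS_ACCESS_DENIED.
 *
 * No completion routine is registered, so the stack location is skipped
 * rather than copied before calling the lower driver.
 *
 * Returns the lower driver's IoCallDriver result.
 */
NTSTATUS FilterCreateRoutine(PDEVICE_OBJECT Device, PIRP Irp)
{
	PDEVICE_EXTENSION Ext = (PDEVICE_EXTENSION)Device->DeviceExtension;
	PIO_STACK_LOCATION Stack = IoGetCurrentIrpStackLocation(Irp);

	/* FileObject is always present on a create IRP. FileName may be empty
	 * (an open of the device itself); %wZ handles a zero-length string. */
	DbgPrint("Openning NamedPipe:%wZ\n", &Stack->FileObject->FileName);

	IoSkipCurrentIrpStackLocation(Irp);
	return IoCallDriver(Ext->LowerDeviceObject, Irp);
}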

/*
 * FilterCreateNamedPipeRoutine: IRP_MJ_CREATE_NAMED_PIPE hook. Logs the
 * pipe name being created and forwards the IRP to NPFS unchanged.
 *
 * The stack location is copied (not skipped) so that a completion routine
 * can be registered on the next location if the result of the create is
 * wanted; the IoSetCompletionRoutine call must stay after the copy.
 *
 * The name is caller-controlled; %wZ bounds the print by Length.
 *
 * Returns the lower driver's IoCallDriver result.
 */
NTSTATUS FilterCreateNamedPipeRoutine(PDEVICE_OBJECT Device, PIRP Irp)
{
	PIO_STACK_LOCATION Current = IoGetCurrentIrpStackLocation(Irp);
	PDEVICE_EXTENSION Ext = (PDEVICE_EXTENSION)Device->DeviceExtension;

	DbgPrint("Creating NamedPipe:%wZ\n", &Current->FileObject->FileName);

	IoCopyCurrentIrpStackLocationToNext(Irp);

	/* Hook point: enable this to observe the outcome once NPFS completes
	 * the create.
	 * IoSetCompletionRoutine(Irp, FilterCreateNamedPipeCompletion, NULL, TRUE, FALSE, FALSE);
	 */

	return IoCallDriver(Ext->LowerDeviceObject, Irp);
}



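/*
 * InitAttachDevice: create the (unnamed) filter device object and attach it
 * on top of \Device\NamedPipe.
 *
 * Returns STATUS_SUCCESS, or the failing IoCreateDevice / IoAttachDevice
 * status. On failure nothing stays attached and g_MyFilterDevice is NULL.
 *
 * Ordering:
 *  1. Create the device. IoCreateDevice zero-fills the extension, so the
 *     explicit RtlZeroMemory is not needed.
 *  2. Attach. Only after this is the lower device object known.
 *  3. Mirror the lower device's transfer-method and power flags. The I/O
 *     manager consults the top device object of the stack for these, so a
 *     filter that hard-codes DO_BUFFERED_IO can disagree with its target.
 *  4. Clear DO_DEVICE_INITIALIZING last, as the attach documentation
 *     prescribes for filters, and only then publish the global.
 *
 * NOTE(review): IoAttachDevice is the legacy name-based attach. On
 * Windows 8 and later the supported way to see NPFS I/O is a filter-manager
 * minifilter registered with FLTFL_REGISTRATION_SUPPORT_NPFS_MSFS.
 */
NTSTATUS InitAttachDevice(PDRIVER_OBJECT DriverObject)
{
	UNICODE_STRING TargetName = RTL_CONSTANT_STRING(L"\\Device\\NamedPipe");
	PDEVICE_OBJECT FilterDevice = NULL;
	NTSTATUS Status;

	Status = IoCreateDevice(DriverObject, sizeof(DEVICE_EXTENSION), NULL, FILE_DEVICE_UNKNOWN, 0, FALSE, &FilterDevice);
	if (!NT_SUCCESS(Status))
	{
		DbgPrint("IoCreateDevice Failed! Status:0x%08x\n", Status);
		return Status;
	}

	PDEVICE_EXTENSION Ext = (PDEVICE_EXTENSION)FilterDevice->DeviceExtension;

	Status = IoAttachDevice(FilterDevice, &TargetName, &Ext->LowerDeviceObject);
	if (!NT_SUCCESS(Status))
	{
		DbgPrint("IoAttachDevice Failed! Status:0x%08x\n", Status);
		IoDeleteDevice(FilterDevice);
		return Status;
	}

	/* Inherit the I/O transfer method and pageability from NPFS instead
	 * of assuming buffered I/O. */
	FilterDevice->Flags |= Ext->LowerDeviceObject->Flags & (DO_BUFFERED_IO | DO_DIRECT_IO | DO_POWER_PAGABLE);
	FilterDevice->Flags &= ~DO_DEVICE_INITIALIZING;

	/* Publish only once the device is fully usable. */
	g_MyFilterDevice = FilterDevice;
	return STATUS_SUCCESS;
}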

EXTERN_C_START
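/*
 * DriverEntry: install the pass-through dispatch for every major function,
 * hook the two create paths, then attach to \Device\NamedPipe.
 *
 * The loop is inclusive on purpose: MajorFunction has
 * IRP_MJ_MAXIMUM_FUNCTION + 1 entries, so a `<` bound leaves the last
 * index (IRP_MJ_PNP) at the I/O manager's default "invalid request"
 * handler instead of forwarding it to NPFS.
 *
 * RegistryPath is unused.
 *
 * Returns STATUS_SUCCESS, or the InitAttachDevice failure status (in which
 * case the driver is not loaded and no device remains).
 */
NTSTATUS DriverEntry(PDRIVER_OBJECT  DriverObject, PUNICODE_STRING RegistryPath)
{
	UNREFERENCED_PARAMETER(RegistryPath);

	for (ULONG i = 0; i <= IRP_MJ_MAXIMUM_FUNCTION; i++)
	{
		DriverObject->MajorFunction[i] = CommonDispath;
	}

	DriverObject->MajorFunction[IRP_MJ_CREATE_NAMED_PIPE] = FilterCreateNamedPipeRoutine;
	DriverObject->MajorFunction[IRP_MJ_CREATE] = FilterCreateRoutine;
	DriverObject->DriverUnload = DriverUnload;

	NTSTATUS Status = InitAttachDevice(DriverObject);
	if (!NT_SUCCESS(Status))
	{
		DbgPrint("InitAttachDevice Failed! Status:0x%08x\n", Status);
		return Status;
	}

	return STATUS_SUCCESS;
}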
EXTERN_C_END