摘要: 我想做一个unlocker一样的程序,不管这个文件有没有被使用,先实现删除它。在查资料过程中,就知道了如果不访问磁盘扇区的话,除非写驱动才能做到。奈何时间有限,工作匆忙,一直没有完成。而且忽视了更简便的方法——在别的路径下把修改后的OCX控件重新注册一下就可以了。
这些先不说了。这段闲暇时间,我写了一个简单的文件过滤加密驱动,是在DDK的示例Sfilter基础上改的。需要说明的是,下面代码中的"解密"只是在读取时把每个字节减去17,属于演示用的可逆混淆,并不能提供真正的保密性。
文件过滤加密的源代码
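// Read filter dispatch routine.
// (Presumably registered for IRP_MJ_READ; the registration is not shown here.)
//
// Only requests flagged as non-cached or paging I/O are inspected. For those,
// if IsMyCryptFile() reports the file object as one of ours, SfReadCompletion
// is attached so the returned data can be transformed once the lower driver
// has filled the buffer. Every other request is passed down untouched.
//
// DeviceObject - this filter's device object attached to a volume (asserted
//                not to be the control device object).
// Irp          - the read request.
//
// Returns the status produced by the driver this filter is attached to.
//
// NOTE(review): this routine handles paging I/O. PAGED_CODE() only asserts the
// IRQL; if the function is also placed in a pageable section, a page fault
// taken while servicing paging I/O can hang or bugcheck the system - confirm
// the section placement.
// NOTE(review): irp_stack->FileObject is handed to IsMyCryptFile() without a
// NULL check - confirm that helper tolerates a NULL file object.
NTSTATUS SfRead(__in PDEVICE_OBJECT DeviceObject, __in PIRP Irp)
{
    PSFILTER_DEVICE_EXTENSION devExt;
    PIO_STACK_LOCATION irp_stack;

    PAGED_CODE();
    ASSERT(!IS_MY_CONTROL_DEVICE_OBJECT(DeviceObject));
    ASSERT(IS_MY_DEVICE_OBJECT(DeviceObject));

    devExt = (PSFILTER_DEVICE_EXTENSION)(DeviceObject->DeviceExtension);

    if (Irp->Flags & (IRP_NOCACHE | IRP_PAGING_IO | IRP_SYNCHRONOUS_PAGING_IO)) {
        irp_stack = IoGetCurrentIrpStackLocation(Irp);

        if (IsMyCryptFile(irp_stack->FileObject)) {
            // One of our files: keep our stack location so the completion
            // routine runs, and ask to be called only on success.
            IoCopyCurrentIrpStackLocationToNext(Irp);
            IoSetCompletionRoutine(Irp, SfReadCompletion, NULL, TRUE, FALSE, FALSE);

            // The lower driver's status is returned as-is, so the completion
            // routine is responsible for propagating the pending bit.
            return IoCallDriver(devExt->AttachedToDeviceObject, Irp);
        }
    }

    // Not one of our files (or cached I/O): pass straight through.
    IoSkipCurrentIrpStackLocation(Irp);
    return IoCallDriver(devExt->AttachedToDeviceObject, Irp);
}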
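// Completion routine for reads on files that SfRead identified through
// IsMyCryptFile(): subtracts 17 from every byte that was read, in place.
//
// SfRead registers this routine with InvokeOnSuccess only, so it is not
// invoked for failed or cancelled reads.
//
// NOTE(security): a fixed per-byte shift is reversible obfuscation, not
// encryption. It gives no confidentiality against anyone who can read the raw
// file; a production filter needs a vetted cipher with managed keys.
//
// DeviceObject - this filter's device object (unused).
// Irp          - the completed read request.
// Context      - unused.
//
// Returns STATUS_SUCCESS so the I/O manager continues completing the IRP.
NTSTATUS SfReadCompletion(__in PDEVICE_OBJECT DeviceObject, __in PIRP Irp, __in PVOID Context)
{
    PIO_STACK_LOCATION irp_stack;
    PUCHAR buffer;
    ULONG length;
    ULONG mdl_bytes;
    ULONG i;

    UNREFERENCED_PARAMETER(DeviceObject);
    UNREFERENCED_PARAMETER(Context);

    // The dispatch routine returns the lower driver's status unchanged, so
    // the pending bit has to be propagated here; without this an IRP that the
    // lower driver pended can be completed incorrectly.
    if (Irp->PendingReturned) {
        IoMarkIrpPending(Irp);
    }

    irp_stack = IoGetCurrentIrpStackLocation(Irp);

    // NOTE(review): FileObject->FileName is only guaranteed to be valid while
    // the create request is being processed, and a completion routine may run
    // at DISPATCH_LEVEL - confirm ShowUnicodeString is safe in this context.
    ShowUnicodeString(&(irp_stack->FileObject->FileName));
    DbgPrint("SfReadCompletion 读文件解密");

    // Without an MDL there is no buffer that can safely be touched from an
    // arbitrary thread context, and the mapping itself can fail under memory
    // pressure. Dereferencing NULL here would bugcheck the machine, so fail
    // the read rather than hand back untransformed data as if it were valid.
    buffer = NULL;
    if (Irp->MdlAddress != NULL) {
        buffer = MmGetSystemAddressForMdlSafe(Irp->MdlAddress, NormalPagePriority);
    }
    if (buffer == NULL) {
        Irp->IoStatus.Status = STATUS_INSUFFICIENT_RESOURCES;
        Irp->IoStatus.Information = 0;
        return STATUS_SUCCESS;
    }

    // Never write past the bytes the mapped MDL actually describes.
    // NOTE(review): a chained MDL would leave the remainder untransformed -
    // confirm whether chained MDLs can reach this filter.
    mdl_bytes = MmGetMdlByteCount(Irp->MdlAddress);
    length = (Irp->IoStatus.Information > mdl_bytes)
                 ? mdl_bytes
                 : (ULONG)Irp->IoStatus.Information;

    for (i = 0; i < length; i++) {
        buffer[i] = buffer[i] - 17; // reverse the byte shift
    }

    return STATUS_SUCCESS;
}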
//过滤写
NTSTATUS SfWrite(__in PDEVICE_OBJECT DeviceObject, __in PIRP Irp)
{
PIO_STACK_LOCATION irp_stack;
BOOLEAN is_crypt;
NTSTATUS status;
PSFILTER_DEVICE_EXTENSION devExt;
PAGED_CODE();
ASSERT(!IS_MY_CONTROL_DEVICE_OBJECT( DeviceObject ));
ASSERT(IS_MY_DEVICE_OBJECT( DeviceObject ));
devExt = (PSFILTER_DEVICE_EXTENSION)(DeviceObject->DeviceExtension);
if(Irp->Flags & (IRP_NOCACHE | IRP_PAGING_IO | IRP_SYNCHRONOUS_PAGING_IO))
{
irp_stack = IoGetCurrentIrpStackLocation( Irp );
is_crypt = IsMyCryptFile(irp_stack->FileObject);
if(is_crypt)
{
ULONG length; //长度
PUCHAR buffer, buffer2; //原来缓冲区和加密后缓冲区
ULONG i;
PMDL new_mdl;
length = irp_stack->Parameters.Write.Length;
buffer = MmGetSystemAddressForMdlSafe(Irp->MdlAddress, NormalPagePriority);
//分配同样大小的空间
这些先不说了。这段闲暇时间,我写了一个简单的文件过滤加密驱动,是在DDK的示例Sfilter基础上改的。需要说明的是,下面代码中的"解密"只是在读取时把每个字节减去17,属于演示用的可逆混淆,并不能提供真正的保密性。
文件过滤加密的源代码
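// Read filter dispatch routine.
// (Presumably registered for IRP_MJ_READ; the registration is not shown here.)
//
// Only requests flagged as non-cached or paging I/O are inspected. For those,
// if IsMyCryptFile() reports the file object as one of ours, SfReadCompletion
// is attached so the returned data can be transformed once the lower driver
// has filled the buffer. Every other request is passed down untouched.
//
// DeviceObject - this filter's device object attached to a volume (asserted
//                not to be the control device object).
// Irp          - the read request.
//
// Returns the status produced by the driver this filter is attached to.
//
// NOTE(review): this routine handles paging I/O. PAGED_CODE() only asserts the
// IRQL; if the function is also placed in a pageable section, a page fault
// taken while servicing paging I/O can hang or bugcheck the system - confirm
// the section placement.
// NOTE(review): irp_stack->FileObject is handed to IsMyCryptFile() without a
// NULL check - confirm that helper tolerates a NULL file object.
NTSTATUS SfRead(__in PDEVICE_OBJECT DeviceObject, __in PIRP Irp)
{
    PSFILTER_DEVICE_EXTENSION devExt;
    PIO_STACK_LOCATION irp_stack;

    PAGED_CODE();
    ASSERT(!IS_MY_CONTROL_DEVICE_OBJECT(DeviceObject));
    ASSERT(IS_MY_DEVICE_OBJECT(DeviceObject));

    devExt = (PSFILTER_DEVICE_EXTENSION)(DeviceObject->DeviceExtension);

    if (Irp->Flags & (IRP_NOCACHE | IRP_PAGING_IO | IRP_SYNCHRONOUS_PAGING_IO)) {
        irp_stack = IoGetCurrentIrpStackLocation(Irp);

        if (IsMyCryptFile(irp_stack->FileObject)) {
            // One of our files: keep our stack location so the completion
            // routine runs, and ask to be called only on success.
            IoCopyCurrentIrpStackLocationToNext(Irp);
            IoSetCompletionRoutine(Irp, SfReadCompletion, NULL, TRUE, FALSE, FALSE);

            // The lower driver's status is returned as-is, so the completion
            // routine is responsible for propagating the pending bit.
            return IoCallDriver(devExt->AttachedToDeviceObject, Irp);
        }
    }

    // Not one of our files (or cached I/O): pass straight through.
    IoSkipCurrentIrpStackLocation(Irp);
    return IoCallDriver(devExt->AttachedToDeviceObject, Irp);
}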
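// Completion routine for reads on files that SfRead identified through
// IsMyCryptFile(): subtracts 17 from every byte that was read, in place.
//
// SfRead registers this routine with InvokeOnSuccess only, so it is not
// invoked for failed or cancelled reads.
//
// NOTE(security): a fixed per-byte shift is reversible obfuscation, not
// encryption. It gives no confidentiality against anyone who can read the raw
// file; a production filter needs a vetted cipher with managed keys.
//
// DeviceObject - this filter's device object (unused).
// Irp          - the completed read request.
// Context      - unused.
//
// Returns STATUS_SUCCESS so the I/O manager continues completing the IRP.
NTSTATUS SfReadCompletion(__in PDEVICE_OBJECT DeviceObject, __in PIRP Irp, __in PVOID Context)
{
    PIO_STACK_LOCATION irp_stack;
    PUCHAR buffer;
    ULONG length;
    ULONG mdl_bytes;
    ULONG i;

    UNREFERENCED_PARAMETER(DeviceObject);
    UNREFERENCED_PARAMETER(Context);

    // The dispatch routine returns the lower driver's status unchanged, so
    // the pending bit has to be propagated here; without this an IRP that the
    // lower driver pended can be completed incorrectly.
    if (Irp->PendingReturned) {
        IoMarkIrpPending(Irp);
    }

    irp_stack = IoGetCurrentIrpStackLocation(Irp);

    // NOTE(review): FileObject->FileName is only guaranteed to be valid while
    // the create request is being processed, and a completion routine may run
    // at DISPATCH_LEVEL - confirm ShowUnicodeString is safe in this context.
    ShowUnicodeString(&(irp_stack->FileObject->FileName));
    DbgPrint("SfReadCompletion 读文件解密");

    // Without an MDL there is no buffer that can safely be touched from an
    // arbitrary thread context, and the mapping itself can fail under memory
    // pressure. Dereferencing NULL here would bugcheck the machine, so fail
    // the read rather than hand back untransformed data as if it were valid.
    buffer = NULL;
    if (Irp->MdlAddress != NULL) {
        buffer = MmGetSystemAddressForMdlSafe(Irp->MdlAddress, NormalPagePriority);
    }
    if (buffer == NULL) {
        Irp->IoStatus.Status = STATUS_INSUFFICIENT_RESOURCES;
        Irp->IoStatus.Information = 0;
        return STATUS_SUCCESS;
    }

    // Never write past the bytes the mapped MDL actually describes.
    // NOTE(review): a chained MDL would leave the remainder untransformed -
    // confirm whether chained MDLs can reach this filter.
    mdl_bytes = MmGetMdlByteCount(Irp->MdlAddress);
    length = (Irp->IoStatus.Information > mdl_bytes)
                 ? mdl_bytes
                 : (ULONG)Irp->IoStatus.Information;

    for (i = 0; i < length; i++) {
        buffer[i] = buffer[i] - 17; // reverse the byte shift
    }

    return STATUS_SUCCESS;
}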
//过滤写
NTSTATUS SfWrite(__in PDEVICE_OBJECT DeviceObject, __in PIRP Irp)
{
PIO_STACK_LOCATION irp_stack;
BOOLEAN is_crypt;
NTSTATUS status;
PSFILTER_DEVICE_EXTENSION devExt;
PAGED_CODE();
ASSERT(!IS_MY_CONTROL_DEVICE_OBJECT( DeviceObject ));
ASSERT(IS_MY_DEVICE_OBJECT( DeviceObject ));
devExt = (PSFILTER_DEVICE_EXTENSION)(DeviceObject->DeviceExtension);
if(Irp->Flags & (IRP_NOCACHE | IRP_PAGING_IO | IRP_SYNCHRONOUS_PAGING_IO))
{
irp_stack = IoGetCurrentIrpStackLocation( Irp );
is_crypt = IsMyCryptFile(irp_stack->FileObject);
if(is_crypt)
{
ULONG length; //长度
PUCHAR buffer, buffer2; //原来缓冲区和加密后缓冲区
ULONG i;
PMDL new_mdl;
length = irp_stack->Parameters.Write.Length;
buffer = MmGetSystemAddressForMdlSafe(Irp->MdlAddress, NormalPagePriority);
//分配同样大小的空间