Author: pker
/*++
Module Name:
FSHook.c
Abstract:
I wanted to build a filter driver when I first thought about doing such
kind of things. But then I found that it's not realistic because it has to
hook every filesystem driver to prevent from missing any IRPs. But we don't
know when there's a new driver coming. When we install a virtual CD-ROM
program, for instance, it installs a driver to control the virtual CD-ROM.
There can be viruses in the image of the disk, so we have to hook that
driver as well.
Then a new idea, which I then found is being used by most of the AV
software, came to mind. The driver's final goal is to intercept all the
I/O behavior to disks A~Z, so we can use ObReferenceObjectByXXX to get the
_FILE_OBJECT of /??/X:/, then we can get the device chain by
IoGetRelatedDeviceObject. We are interested in the MajorFunction field of
the _DEVICE_OBJECT. We can hook the IRP_MJ_XXX we are interested in by replacing the
entries of the dispatch routines with our own.
Environment:
Kernel mode.
Copyright:
Copyright (c) 2005, pker / CVC.GB
--*/
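The abstract describes replacing entries of a driver's MajorFunction dispatch table. The same observation gives a defender a check: a dispatch entry that points neither into the owning driver's own image nor into the kernel image has been redirected. The following is an added example, not part of pker's FSHook source: a user-mode C simulation of that check. SIM_DRIVER_OBJECT, IMAGE_RANGE and every address are constructed stand-ins (in a real kernel build the fields would come from DRIVER_OBJECT.DriverStart, DriverSize and MajorFunction[] reached via IoGetRelatedDeviceObject()->DriverObject); the IRP_MJ_* values are the ones from the DDK headers.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Values from the Windows DDK headers; IRP_MJ_MAXIMUM_FUNCTION is the
 * last valid index into DRIVER_OBJECT.MajorFunction[]. */
#define IRP_MJ_CREATE            0x00
#define IRP_MJ_READ              0x03
#define IRP_MJ_WRITE             0x04
#define IRP_MJ_MAXIMUM_FUNCTION  0x1b

/* Constructed stand-in for the few _DRIVER_OBJECT fields the check needs.
 * Assumption: in a real kernel build these are read from the PDRIVER_OBJECT
 * that IoGetRelatedDeviceObject()->DriverObject yields. */
typedef struct {
    uint64_t DriverStart;   /* image base of the driver */
    uint64_t DriverSize;    /* image size of the driver */
    uint64_t MajorFunction[IRP_MJ_MAXIMUM_FUNCTION + 1];
} SIM_DRIVER_OBJECT;

typedef struct {
    uint64_t base;
    uint64_t size;
} IMAGE_RANGE;

static bool in_range(uint64_t addr, IMAGE_RANGE r)
{
    return addr >= r.base && addr < r.base + r.size;
}

/* Returns a bitmask with bit i set when MajorFunction[i] points neither
 * into the driver's own image nor into the kernel image. Entries a driver
 * does not implement legitimately point at a kernel stub
 * (nt!IopInvalidDeviceRequest), so the kernel range must count as trusted
 * or every driver would look hooked. */
uint32_t find_hooked_dispatch_entries(const SIM_DRIVER_OBJECT *drv,
                                      IMAGE_RANGE kernel)
{
    IMAGE_RANGE self = { drv->DriverStart, drv->DriverSize };
    uint32_t mask = 0;
    for (unsigned i = 0; i <= IRP_MJ_MAXIMUM_FUNCTION; i++) {
        uint64_t target = drv->MajorFunction[i];
        if (!in_range(target, self) && !in_range(target, kernel))
            mask |= 1u << i;
    }
    return mask;
}

/* Constructed sample: a driver whose CREATE and WRITE entries have been
 * redirected into a third module's image, the kind of patch the hook
 * described above applies. All addresses are made up for the example. */
uint32_t sample_scan(void)
{
    IMAGE_RANGE kernel = { 0xfffff80000000000ull, 0x800000 };
    uint64_t    foreign = 0xfffff88004000000ull;  /* some other image */
    SIM_DRIVER_OBJECT drv;
    drv.DriverStart = 0xfffff88001000000ull;
    drv.DriverSize  = 0x40000;
    /* every entry starts out pointing at the kernel's stub routine */
    for (unsigned i = 0; i <= IRP_MJ_MAXIMUM_FUNCTION; i++)
        drv.MajorFunction[i] = kernel.base + 0x1234;
    drv.MajorFunction[IRP_MJ_READ]   = drv.DriverStart + 0x2000; /* own code */
    drv.MajorFunction[IRP_MJ_CREATE] = foreign + 0x100;          /* redirected */
    drv.MajorFunction[IRP_MJ_WRITE]  = foreign + 0x200;          /* redirected */
    return find_hooked_dispatch_entries(&drv, kernel);
}

int main(void)
{
    uint32_t mask = sample_scan();
    for (unsigned i = 0; i <= IRP_MJ_MAXIMUM_FUNCTION; i++)
        if (mask & (1u << i))
            printf("MajorFunction[0x%02x] points outside driver and kernel\n", i);
    return mask ? 1 : 0;
}
```

The check is coarse on purpose: it flags only entries whose target lies outside both trusted images, so a hook that trampolines through the victim driver's own padding would pass. Comparing each entry against the value recorded when the driver loaded, or against the on-disk image, closes that gap.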
#include "fshook.h"
///
//
// Global Variables
//
///
// save hooked device objects and driver objects
PDEVICE_OBJECT g_pDevObjTab[MAX_DISK]={NULL};
PDRIVER_OBJECT g_pDrvObjTab[MAX_DISK]={NULL};
// entries of original dispatch routines of each hooked driver
PAV_DRIVER_DISPATCH_ROUTINE g_pOriginalDispatch[MAX_DISK];
// process ID of the AV scanner
ULONG g_ulPid;
// shared memory address (kernel mode)
PVOID g_pKrnlSBuffer=NULL;
///
//
// Functions
//
///
ULONG
PAV_GetObjectTabIndex (<