最近学习了一下文件系统微过滤驱动 MiniFilter，它的入门比起 sFilter 简单得多。下面是一个简单的 MiniFilter 框架，实现了让记事本（notepad.exe）无法使用的代码：
#include "fltKernel.h"
#include "ntddk.h"
#pragma prefast(disable:__WARNING_ENCODE_MEMBER_FUNCTION_POINTER, "Not valid for kernel mode drivers")
NTSTATUS DriverEntry(PDRIVER_OBJECT pDriverObject,PUNICODE_STRING pReg);
NTSTATUS NPUnload(FLT_FILTER_UNLOAD_FLAGS Flags);
FLT_PREOP_CALLBACK_STATUS NPPreCreate(
__inout PFLT_CALLBACK_DATA Data,
__in PCFLT_RELATED_OBJECTS FltObjects,
__deref_out_opt PVOID *CompletionContext);
FLT_POSTOP_CALLBACK_STATUS NPPostCreate(
__inout PFLT_CALLBACK_DATA Data,
__in PCFLT_RELATED_OBJECTS FltObjects,
__in_opt PVOID CompletionContext,
__in FLT_POST_OPERATION_FLAGS Flags);
#ifdef ALLOC_PRAGMA
#pragma alloc_text(INIT,DriverEntry)
#pragma alloc_text(PAGE,NPUnload)
#pragma alloc_text(PAGE,NPPreCreate)
#endif
/* Filter handle returned by FltRegisterFilter; released in NPUnload (and on a failed start). */
PFLT_FILTER gFilterHandle = NULL;
/*
 * Operation callbacks: only IRP_MJ_CREATE is intercepted, with a pre-operation
 * routine (NPPreCreate, which can deny the open) and a post-operation routine
 * (NPPostCreate, currently a no-op).  The list is terminated by
 * IRP_MJ_OPERATION_END as the Filter Manager requires.
 */
const FLT_OPERATION_REGISTRATION Callbacks[] =
{
{
IRP_MJ_CREATE, /* MajorFunction */
0, /* Flags: no FLTFL_OPERATION_REGISTRATION_* options */
NPPreCreate, /* PreOperation */
NPPostCreate /* PostOperation */
},
{
IRP_MJ_OPERATION_END /* terminator entry */
}
};
/*
 * Filter registration structure passed to FltRegisterFilter.  Fields are
 * positional (FLT_REGISTRATION layout); each is annotated below.
 */
const FLT_REGISTRATION FltRegistration =
{
sizeof(FLT_REGISTRATION), /* Size */
FLT_REGISTRATION_VERSION, /* Version */
0, /* Flags: none set, so the filter can be stopped/unloaded normally
      (FLTFL_REGISTRATION_DO_NOT_SUPPORT_SERVICE_STOP is not requested) */
NULL, /* ContextRegistration: no stream/file/instance contexts */
Callbacks, /* OperationRegistration: see Callbacks[] above */
NPUnload, /* FilterUnloadCallback */
NULL, /* InstanceSetupCallback: no per-volume accept/reject hook; attachment
         follows the instance registry settings */
NULL, /* InstanceQueryTeardownCallback: NULL means an instance cannot be
         detached manually (e.g. via fltmc detach) */
NULL, /* InstanceTeardownStartCallback */
NULL, /* InstanceTeardownCompleteCallback */
NULL, /* GenerateFileNameCallback */
NULL, /* NormalizeNameComponentCallback */
NULL /* NormalizeContextCleanupCallback */
};
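/*
 * Driver entry point: registers the minifilter and starts filtering.
 *
 * pDriverObject - driver object supplied by the I/O manager.
 * pReg          - registry path of the service; not consulted here.
 *
 * Returns the status of FltRegisterFilter / FltStartFiltering.  On a failed
 * start the registration is undone and gFilterHandle is reset to NULL so no
 * later code (e.g. NPUnload) can touch a filter that no longer exists.
 */
NTSTATUS DriverEntry(PDRIVER_OBJECT pDriverObject,PUNICODE_STRING pReg)
{
    NTSTATUS st;

    UNREFERENCED_PARAMETER(pReg);

    st = FltRegisterFilter(pDriverObject, &FltRegistration, &gFilterHandle);
    if (NT_SUCCESS(st)) {
        st = FltStartFiltering(gFilterHandle);
        if (!NT_SUCCESS(st)) {
            /* Roll back the registration and drop the stale handle. */
            FltUnregisterFilter(gFilterHandle);
            gFilterHandle = NULL;
        }
    }

    DbgPrint("[MiniFilter Entry]\n");
    return st;
}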
/*
 * Unload callback invoked by the Filter Manager when the filter is stopped.
 *
 * Flags - unload flags; ignored, the filter always agrees to unload.
 *
 * Unregisters the filter (which detaches all instances) and returns
 * STATUS_SUCCESS.  Runs at PASSIVE_LEVEL (paged code).
 */
NTSTATUS NPUnload(FLT_FILTER_UNLOAD_FLAGS Flags)
{
    NTSTATUS result = STATUS_SUCCESS;

    UNREFERENCED_PARAMETER(Flags);
    PAGED_CODE();

    DbgPrint("[MiniFilter Unload]\n");
    FltUnregisterFilter(gFilterHandle);

    return result;
}
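/* Fold ASCII upper-case letters to lower case; every other code unit is returned unchanged. */
static wchar_t NPFoldAscii(wchar_t c)
{
    return (c >= L'A' && c <= L'Z') ? (wchar_t)(c + (L'a' - L'A')) : c;
}

/*
 * Bounded, ASCII-case-insensitive substring search over a wide-character
 * buffer that is NOT guaranteed to be NUL-terminated.  UNICODE_STRING::Buffer
 * returned by FltGetFileNameInformation is such a buffer, and its Length is
 * given in bytes, so wcsstr() on it may read past the end of the allocation.
 *
 * Buffer        - haystack (may be NULL when LengthInBytes is 0).
 * LengthInBytes - byte length of Buffer, as in UNICODE_STRING::Length.
 * Needle        - NUL-terminated pattern.
 *
 * Returns 1 when Needle occurs in Buffer, else 0.
 */
static int NPNameContains(const wchar_t *Buffer, unsigned long LengthInBytes, const wchar_t *Needle)
{
    unsigned long hayChars = LengthInBytes / sizeof(wchar_t);
    unsigned long needleChars = 0;
    unsigned long i;

    if (Buffer == NULL || Needle == NULL) {
        return 0;
    }
    while (Needle[needleChars] != L'\0') {
        needleChars++;
    }
    if (needleChars == 0 || hayChars < needleChars) {
        return 0;
    }
    for (i = 0; i + needleChars <= hayChars; i++) {
        unsigned long j;
        for (j = 0; j < needleChars; j++) {
            if (NPFoldAscii(Buffer[i + j]) != NPFoldAscii(Needle[j])) {
                break;
            }
        }
        if (j == needleChars) {
            return 1;
        }
    }
    return 0;
}

/*
 * Pre-create callback: denies any IRP_MJ_CREATE whose normalized path contains
 * "notepad.exe" (any path component, compared ASCII-case-insensitively, since
 * NTFS names are case-insensitive and the normalized name carries on-disk
 * casing).  FLT_FILE_NAME_NORMALIZED expands 8.3 short names, so the long
 * name is what gets matched.
 *
 * Data              - callback data for the create; IoStatus is set on denial.
 * FltObjects        - unused.
 * CompletionContext - unused (no context is passed to NPPostCreate).
 *
 * Returns FLT_PREOP_COMPLETE with STATUS_ACCESS_DENIED when the open is
 * blocked, otherwise FLT_PREOP_SUCCESS_WITH_CALLBACK.  If the file name cannot
 * be obtained the create is allowed through (fail-open); change that policy
 * deliberately if the filter is meant to enforce rather than log.
 *
 * Fixes the previous implementation's wcsstr() over a UNICODE_STRING buffer
 * with no NUL-terminator guarantee, and consolidates the release of nameInfo
 * into a single exit path.
 */
FLT_PREOP_CALLBACK_STATUS NPPreCreate(
__inout PFLT_CALLBACK_DATA Data,
__in PCFLT_RELATED_OBJECTS FltObjects,
__deref_out_opt PVOID *CompletionContext)
{
    PFLT_FILE_NAME_INFORMATION nameInfo = NULL;
    FLT_PREOP_CALLBACK_STATUS status = FLT_PREOP_SUCCESS_WITH_CALLBACK;

    UNREFERENCED_PARAMETER(FltObjects);
    UNREFERENCED_PARAMETER(CompletionContext);
    PAGED_CODE();

    /* Registered for IRP_MJ_CREATE only (see Callbacks[]); kept as a guard. */
    if (IRP_MJ_CREATE != Data->Iopb->MajorFunction) {
        return status;
    }

    /* Name unavailable (e.g. open-by-ID, paging path): allow the create. */
    if (!NT_SUCCESS(FltGetFileNameInformation(Data,
            FLT_FILE_NAME_NORMALIZED | FLT_FILE_NAME_QUERY_DEFAULT, &nameInfo))) {
        return status;
    }

    /*
     * FltParseFileNameInformation is retained so the parsed components
     * (FinalComponent etc.) are available; the whole-path search below
     * only needs Name.Buffer/Name.Length.
     */
    if (NT_SUCCESS(FltParseFileNameInformation(nameInfo)) &&
        NPNameContains(nameInfo->Name.Buffer, nameInfo->Name.Length, L"notepad.exe")) {
        Data->IoStatus.Status = STATUS_ACCESS_DENIED;
        Data->IoStatus.Information = 0;
        status = FLT_PREOP_COMPLETE;
    }

    /* Single release point for the name information on every path. */
    FltReleaseFileNameInformation(nameInfo);
    return status;
}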
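/*
 * Post-create callback.  Currently performs no work and returns
 * FLT_POSTOP_FINISHED_PROCESSING; the parameters are marked unused to match
 * NPPreCreate / NPUnload and keep the build warning-free.
 *
 * Because this routine does nothing, NPPreCreate could return
 * FLT_PREOP_SUCCESS_NO_CALLBACK instead to skip the post-operation call.
 *
 * Data, FltObjects, CompletionContext, Flags - unused.
 */
FLT_POSTOP_CALLBACK_STATUS NPPostCreate(
__inout PFLT_CALLBACK_DATA Data,
__in PCFLT_RELATED_OBJECTS FltObjects,
__in_opt PVOID CompletionContext,
__in FLT_POST_OPERATION_FLAGS Flags)
{
    UNREFERENCED_PARAMETER(Data);
    UNREFERENCED_PARAMETER(FltObjects);
    UNREFERENCED_PARAMETER(CompletionContext);
    UNREFERENCED_PARAMETER(Flags);

    return FLT_POSTOP_FINISHED_PROCESSING;
}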