文件过滤驱动是否能在系统启动的时候创建读写自己的日志文件?百分相送,需要完整的例子。
文件过滤驱动是否能在系统启动的时候创建读写自己的日志文件,例如拦截IRP_MJ_CREATE,当系统调用KERNEL32.dll时候进入我的MyCreate函数中,这个时候我将文件名写入日志,这个时候会蓝屏并自动reboot,有谁知道为什么?怎么解决这个问题?[b]百分相送,需要完整的例子。[/b][email]filter@redsec.org[/email]
注释:当系统启动完成、也就是显示出桌面的时候,读写日志文件操作一切正常;读写操作用ZwCreateFile,ZwWriteFile,ZwReadFile函数完成。
驱动启动类型为start:0
=========================
/*
 * One queued log record: the full path captured in the IRP_MJ_CREATE path.
 * Nodes are allocated from NonPagedPool by the producer and freed by
 * FileListThread after the record has been written.
 */
typedef struct _FILELIST {
/* PATH_LEN characters plus room for a terminator; the producer zero-fills
 * the buffer before copying, so it is always NUL-terminated. */
TCHAR szFullPathName[PATH_LEN + 1];
/* Link into GLOBALS_FILELIST_INFO.g_FileListHead (see CONTAINING_RECORD
 * in FileListThread). */
LIST_ENTRY FileListNext;
}FILELIST, *PFILELIST;
/*
 * Shared state between the IRP_MJ_CREATE producer and the logging thread.
 * Access to the list is serialized with g_FileListSpinLock via the
 * ExInterlocked* list routines; the other fields are written from
 * DriverEntry / the dispatch path and read by the thread.
 */
typedef struct _GLOBALS_FILELIST_INFO {
/* Handle to the log file opened by FileListOpenFile; closed by the thread
 * on shutdown. NOTE(review): left at its zero-initialized value when the
 * open fails, so consumers should treat NULL as "no log file". */
HANDLE g_FileListHandle;
/* Thread object referenced in DriverEntry via ObReferenceObjectByHandle;
 * presumably dereferenced in the unload routine (not shown here). */
PVOID g_ThreadObject;
/* Set to TRUE to ask FileListThread to drain the queue, close the log and
 * terminate. Plain BOOLEAN, no interlock; the event signal is what wakes
 * the thread. */
BOOLEAN g_ThreadShouldStop;
/* SynchronizationEvent (auto-reset) signaled whenever a node is queued. */
KEVENT g_FileListEvent;
/* Head of the FILELIST queue. */
LIST_ENTRY g_FileListHead;
/* Protects g_FileListHead. */
KSPIN_LOCK g_FileListSpinLock;
}GLOBALS_FILELIST_INFO, *PGLOBALS_FILELIST_INFO;
/* Single instance of the shared state; zero-initialized as a static. */
static GLOBALS_FILELIST_INFO g_FileList_Info;
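/*
 * Logging worker: waits for g_FileListEvent, drains g_FileListHead and
 * appends every record to the log file as a fixed-width block of PATH_LEN
 * TCHARs (the terminator is not written). Frees each node after use.
 *
 * Context: PGLOBALS_FILELIST_INFO handed over by PsCreateSystemThread.
 * Terminates (closing the log handle) once g_ThreadShouldStop is observed
 * after a drain. Records that are queued after the thread has exited are
 * never written or freed; the producer must stop enqueuing at the same time.
 */
VOID
FileListThread (IN PVOID Context)
{
    ULONG uWriteSize = PATH_LEN * sizeof(TCHAR);
    PLIST_ENTRY ListEntry = NULL;
    PFILELIST pFileListNode = NULL;
    IO_STATUS_BLOCK IoStatusBlock;
    NTSTATUS ntStatus = STATUS_SUCCESS;
    PGLOBALS_FILELIST_INFO pFileListInfo = (PGLOBALS_FILELIST_INFO)Context;

    KeSetPriorityThread(KeGetCurrentThread(), LOW_REALTIME_PRIORITY);

    while( TRUE )
    {
        KeWaitForSingleObject(&pFileListInfo->g_FileListEvent,
                              Executive,
                              KernelMode,
                              FALSE,
                              NULL);

        while( (ListEntry = ExInterlockedRemoveHeadList(
                                &pFileListInfo->g_FileListHead,
                                &pFileListInfo->g_FileListSpinLock)) != NULL )
        {
            pFileListNode = (PFILELIST)CONTAINING_RECORD(ListEntry, FILELIST, FileListNext);

            /* The handle is NULL when FileListOpenFile failed (for a boot-start
             * driver the open from DriverEntry is likely to fail because the
             * file system is not reachable yet). Skip the write in that case
             * but still free the node so the queue never leaks. */
            if( pFileListInfo->g_FileListHandle != NULL )
            {
                ntStatus = ZwWriteFile(pFileListInfo->g_FileListHandle,
                                       NULL,
                                       NULL,
                                       NULL,
                                       &IoStatusBlock,
                                       pFileListNode->szFullPathName,
                                       uWriteSize,
                                       NULL,
                                       NULL);
                if( !NT_SUCCESS(ntStatus) )
                {
                    /* A failed write drops this record; the handle stays
                     * usable, so keep going with the next node. */
                }
            }
            ExFreePool(pFileListNode);
        }

        if( pFileListInfo->g_ThreadShouldStop )
        {
            /* Only close a handle we actually hold; closing an invalid kernel
             * handle is an error and may bugcheck under Driver Verifier. */
            if( pFileListInfo->g_FileListHandle != NULL )
            {
                ZwClose(pFileListInfo->g_FileListHandle);
                pFileListInfo->g_FileListHandle = NULL;
            }
            PsTerminateSystemThread(STATUS_SUCCESS);
        }
    }
}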
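/*
 * Opens the log file (creating it, or truncating an existing one because of
 * FILE_OVERWRITE_IF) and stores the handle in g_FileList_Info.g_FileListHandle.
 *
 * wFileName: NUL-terminated NT object path supplied by the caller.
 * Returns the ZwCreateFile status, or STATUS_INVALID_PARAMETER for a NULL
 * name. On failure g_FileListHandle is reset to NULL so the worker thread can
 * tell that there is nothing to write to or close.
 *
 * The handle is owned by the driver and closed by FileListThread on shutdown.
 * Keep the log in a directory that unprivileged users cannot write to: the
 * kernel-mode open runs with System privileges and follows whatever is at
 * that path.
 */
NTSTATUS FileListOpenFile(WCHAR *wFileName)
{
    NTSTATUS ntstatus;
    UNICODE_STRING uniFileName;
    IO_STATUS_BLOCK IoStatusBlock;
    OBJECT_ATTRIBUTES ObjectAttributes;

    if( wFileName == NULL )
    {
        g_FileList_Info.g_FileListHandle = NULL;
        return STATUS_INVALID_PARAMETER;
    }

    RtlInitUnicodeString(&uniFileName, wFileName);

    /* OBJ_KERNEL_HANDLE: the handle is used later from a separate system
     * thread and must live in the system handle table, not in whichever
     * process happens to be current, where user mode could close or duplicate
     * it. DriverEntry runs in the System process, so the flag-less original
     * worked there only by circumstance; with the flag the open is correct
     * from any caller context (e.g. a deferred open from the worker). */
    InitializeObjectAttributes(&ObjectAttributes,
                               &uniFileName,
                               OBJ_CASE_INSENSITIVE | OBJ_KERNEL_HANDLE,
                               NULL,
                               NULL);

    ntstatus = ZwCreateFile(&g_FileList_Info.g_FileListHandle,
                            GENERIC_READ | GENERIC_WRITE,
                            &ObjectAttributes,
                            &IoStatusBlock,
                            0,
                            FILE_ATTRIBUTE_NORMAL,
                            FILE_SHARE_READ | FILE_SHARE_WRITE,
                            FILE_OVERWRITE_IF,
                            FILE_SYNCHRONOUS_IO_NONALERT,
                            NULL,
                            0);

    if( !NT_SUCCESS(ntstatus) )
    {
        /* NOTE(review): for a boot-start driver (Start = 0) this is the
         * expected outcome when called from DriverEntry, since the file
         * systems and the \?? drive links are presumably not available yet;
         * deferring the open (for example from a boot-driver
         * re-initialization callback) avoids that -- confirm on target OS. */
        g_FileList_Info.g_FileListHandle = NULL;
    }
    return ntstatus;
}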
/*
 * Driver entry point (excerpt: the part that sets up the logging thread).
 * The elided section presumably declares ntStatus, thread_handle and
 * wFileName and performs the filter attach; it is not shown here.
 */
NTSTATUS
DriverEntry(
IN PDRIVER_OBJECT DriverObject,
IN PUNICODE_STRING RegistryPath
)
{
.............
/* NOTE(review): for a boot-start driver (Start = 0) this open runs before
 * the file systems are reachable, so it is likely to fail here; the failure
 * is ignored below and g_FileListHandle then stays NULL. Deferring the open
 * (e.g. a boot-driver re-initialization callback) is the usual answer. */
ntStatus = FileListOpenFile(wFileName);
if (!NT_SUCCESS(ntStatus)){
//DbgPrint("Cannot Open FileList.lst\n");
}
/* NOTE(review): the list head, lock and event are initialized only after the
 * open above; if the elided code has already attached the filter, an
 * IRP_MJ_CREATE could reach the queue before this point -- verify ordering. */
KeInitializeSpinLock(&g_FileList_Info.g_FileListSpinLock);
KeInitializeEvent(
&g_FileList_Info.g_FileListEvent,
SynchronizationEvent,
FALSE );
InitializeListHead(&g_FileList_Info.g_FileListHead);
g_FileList_Info.g_ThreadShouldStop = FALSE;
/* Worker that drains the queue; it receives &g_FileList_Info as Context. */
ntStatus = PsCreateSystemThread(
&thread_handle,
(ACCESS_MASK) 0L,
NULL,
NULL,
NULL,
FileListThread,
&g_FileList_Info );
if (!NT_SUCCESS(ntStatus)){
/* NOTE(review): on failure thread_handle is not valid, yet the code below
 * still references and closes it -- this path should bail out here. */
//DbgPrint("FileMon: Create System Thread Failed\n");
}
/* Keeps a reference to the thread object (presumably for the unload routine
 * to wait on and ObDereferenceObject; not shown here). */
ntStatus = ObReferenceObjectByHandle(
thread_handle,
THREAD_ALL_ACCESS,
NULL,
KernelMode,
&g_FileList_Info.g_ThreadObject,
NULL );
if (!NT_SUCCESS(ntStatus))
{
/* NOTE(review): thread_handle is closed here AND unconditionally below, so
 * this branch closes it twice. Closing an already-closed kernel handle is
 * an error and may bugcheck (e.g. under Driver Verifier). Remove this
 * ZwClose or return from the branch after it. */
ZwClose(thread_handle);
g_FileList_Info.g_ThreadShouldStop = TRUE;
KeSetEvent(
&g_FileList_Info.g_FileListEvent,
(KPRIORITY) 0,
FALSE);
}
/* The handle is no longer needed once the object reference is held. */
ZwClose(thread_handle);
/* NOTE(review): no return statement is visible in this excerpt. */
}
IRP_MJ_CREATE Routine 里加入下面代码
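/* Queue the full path of the file being opened for the logging thread.
 * Lives in the IRP_MJ_CREATE dispatch routine; IsTerminateThread,
 * pFileListNode and fullPathName come from the enclosing routine (not shown
 * here). Once inserted, the node is owned by the queue and freed by
 * FileListThread. */
if( IsTerminateThread == FALSE )
{
    /* Tagged allocation so a leak of these nodes is attributable by tag;
     * 'tsLF' is a constructed sample tag. */
    pFileListNode = (PFILELIST)ExAllocatePoolWithTag(NonPagedPool, sizeof(FILELIST), 'tsLF');
    if( pFileListNode != NULL )
    {
        /* Zero first: _tcsncpy does not terminate on truncation, and the
         * buffer has PATH_LEN + 1 slots, so the zero fill guarantees a
         * terminator whatever the length of fullPathName. */
        memset(pFileListNode->szFullPathName, 0, sizeof(pFileListNode->szFullPathName));
        // fullPathName is the full path obtained in IRP_MJ_CREATE
        _tcsncpy(pFileListNode->szFullPathName, fullPathName, PATH_LEN);
        ExInterlockedInsertTailList(
            &g_FileList_Info.g_FileListHead,
            &pFileListNode->FileListNext,
            &g_FileList_Info.g_FileListSpinLock );
        KeSetEvent(
            &g_FileList_Info.g_FileListEvent,
            (KPRIORITY) 0,
            FALSE);
    }
    /* An allocation failure drops this one record instead of stopping the
     * worker. The previous version set g_ThreadShouldStop here while leaving
     * IsTerminateThread FALSE, so every later create kept inserting nodes
     * into a queue that nobody drained any more -- an unbounded NonPagedPool
     * leak driven by ordinary file opens. If logging really must stop on
     * OOM, the enqueue guard above has to be switched off at the same time. */
}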