Win64 Driver Kernel Programming - 17. MINIFILTER (File Protection)
MINIFILTER (File Protection)
There are many ways to monitor file operations with hooks: you can hook a pile of file-related functions in the SSDT, or IRP-hook the FSD, but these methods are neither convenient nor safe. The file-operation filtering method Microsoft recommends is a filter driver, and since Vista the recommendation is a minifilter. A minifilter is built on the standard file-system filter driver, but Microsoft has wrapped it well enough that you do not have to care about many details and can concentrate on filtering IRPs.
Earlier I kept reading about details and all kinds of configuration-file settings, and in the end found that if you use Visual Studio as the IDE it simply generates the template automatically. First, creating a MiniFilter driver project:
然后他會自動生成一個模板文件:
我們只需要在上面改東西就行了,賊方便。
編譯之后會有兩個文件:
***.sys?和?***.inf??把inf拷貝到相關虛擬機上右鍵安裝就行了。
安裝之后會生成類似如下注冊表:
OK這樣一個基本的MiniFilter驅動就安裝上了。
然后在cmd里對這個驅動的操作和服務是一樣的(但是注意這個不是服務,在服務里查不到)
sc start MyMiniFilter      start
sc stop MyMiniFilter       stop
sc delete MyMiniFilter     delete (after deleting, remember to clean up system32\drivers\**.sys yourself)
下面說下這個框架的細節:
創建這個項目之后,模板已經被自動創建好了,里面也有很多注釋。要自己看下,這里就說幾點關鍵:
```c
CONST FLT_OPERATION_REGISTRATION Callbacks[] = {
    { IRP_MJ_WRITE, 0, MinifilterPreOperation, MinifilterPostOperation },
#if 0 // TODO - List all of the requests to filter.
    { IRP_MJ_CREATE, 0, MinifilterPreOperation, MinifilterPostOperation },
    { IRP_MJ_CREATE_NAMED_PIPE, 0, MinifilterPreOperation, MinifilterPostOperation },
    { IRP_MJ_CLOSE, 0, MinifilterPreOperation, MinifilterPostOperation },
    { IRP_MJ_READ, 0, MinifilterPreOperation, MinifilterPostOperation },
    { IRP_MJ_QUERY_INFORMATION, 0, MinifilterPreOperation, MinifilterPostOperation },
    { IRP_MJ_SET_INFORMATION, 0, MinifilterPreOperation, MinifilterPostOperation },
    { IRP_MJ_QUERY_EA, 0, MinifilterPreOperation, MinifilterPostOperation },
    { IRP_MJ_SET_EA, 0, MinifilterPreOperation, MinifilterPostOperation },
    { IRP_MJ_FLUSH_BUFFERS, 0, MinifilterPreOperation, MinifilterPostOperation },
    { IRP_MJ_QUERY_VOLUME_INFORMATION, 0, MinifilterPreOperation, MinifilterPostOperation },
    { IRP_MJ_SET_VOLUME_INFORMATION, 0, MinifilterPreOperation, MinifilterPostOperation },
    { IRP_MJ_DIRECTORY_CONTROL, 0, MinifilterPreOperation, MinifilterPostOperation },
    { IRP_MJ_FILE_SYSTEM_CONTROL, 0, MinifilterPreOperation, MinifilterPostOperation },
    { IRP_MJ_DEVICE_CONTROL, 0, MinifilterPreOperation, MinifilterPostOperation },
    { IRP_MJ_INTERNAL_DEVICE_CONTROL, 0, MinifilterPreOperation, MinifilterPostOperation },
    { IRP_MJ_SHUTDOWN, 0, MinifilterPreOperationNoPostOperation, NULL }, // post operations not supported
    { IRP_MJ_LOCK_CONTROL, 0, MinifilterPreOperation, MinifilterPostOperation },
    { IRP_MJ_CLEANUP, 0, MinifilterPreOperation, MinifilterPostOperation },
    { IRP_MJ_CREATE_MAILSLOT, 0, MinifilterPreOperation, MinifilterPostOperation },
    { IRP_MJ_QUERY_SECURITY, 0, MinifilterPreOperation, MinifilterPostOperation },
    { IRP_MJ_SET_SECURITY, 0, MinifilterPreOperation, MinifilterPostOperation },
    { IRP_MJ_QUERY_QUOTA, 0, MinifilterPreOperation, MinifilterPostOperation },
    { IRP_MJ_SET_QUOTA, 0, MinifilterPreOperation, MinifilterPostOperation },
    // ..... (remaining template entries omitted in the original post)
#endif
    { IRP_MJ_OPERATION_END }   // terminator required by the filter manager
};
```
The array above selects which callbacks are enabled (all callbacks share the same signature); Pre means before the operation and Post means after it. The default template disables all of them with #if 0. For testing I enabled only write:
回調函數代碼如下(保護xxxx.txt文件):
```c
#include <fltKernel.h>
#include <wchar.h>

#define NAME_COPY_TAG 'nFmM'   // pool tag chosen for this driver's temporary name copies

// Pre-operation callback registered for IRP_MJ_WRITE: denies writes to the protected file.
FLT_PREOP_CALLBACK_STATUS
MinifilterPreOperation(
    _Inout_ PFLT_CALLBACK_DATA Data,
    _In_ PCFLT_RELATED_OBJECTS FltObjects,
    _Flt_CompletionContext_Outptr_ PVOID *CompletionContext
    )
{
    PFLT_FILE_NAME_INFORMATION nameInfo = NULL;
    FLT_PREOP_CALLBACK_STATUS status = FLT_PREOP_SUCCESS_NO_CALLBACK;

    UNREFERENCED_PARAMETER(FltObjects);
    UNREFERENCED_PARAMETER(CompletionContext);

    PAGED_CODE();

    // Obtain the normalized file name directly from the callback data and inspect it
    if (NT_SUCCESS(FltGetFileNameInformation(Data,
                                             FLT_FILE_NAME_NORMALIZED | FLT_FILE_NAME_QUERY_DEFAULT,
                                             &nameInfo)))
    {
        if (NT_SUCCESS(FltParseFileNameInformation(nameInfo)))
        {
            WCHAR  tempBuf[512] = { 0 };
            WCHAR *nonPagedBuf = NULL;
            WCHAR *name = tempBuf;
            // Name.Length is in bytes and a UNICODE_STRING need not be NUL-terminated,
            // so copy exactly Length bytes and terminate the copy explicitly.
            USHORT nameLen = nameInfo->Name.Length;

            if (nameLen + sizeof(WCHAR) > sizeof(tempBuf))
            {
                nonPagedBuf = (WCHAR *)ExAllocatePoolWithTag(NonPagedPool,
                                                             nameLen + sizeof(WCHAR),
                                                             NAME_COPY_TAG);
                name = nonPagedBuf;
            }

            if (name != NULL)   // allocation may fail; in that case let the write through
            {
                RtlCopyMemory(name, nameInfo->Name.Buffer, nameLen);
                name[nameLen / sizeof(WCHAR)] = L'\0';
                DbgPrint("[MiniFilter][IRP_MJ_WRITE]%wZ\n", &nameInfo->Name);

                // Case-insensitive match: upper-case the copy, then search for the upper-cased name
                _wcsupr(name);
                if (wcsstr(name, L"XXXX.TXT") != NULL)
                {
                    // Fail the write with STATUS_ACCESS_DENIED and complete it here so it never
                    // reaches the file system. (FLT_PREOP_DISALLOW_FASTIO, used in the original,
                    // only rejects the fast-I/O path and is not valid for IRP-based writes.)
                    Data->IoStatus.Status = STATUS_ACCESS_DENIED;
                    Data->IoStatus.Information = 0;
                    status = FLT_PREOP_COMPLETE;
                }

                if (nonPagedBuf != NULL)
                    ExFreePoolWithTag(nonPagedBuf, NAME_COPY_TAG);
            }
        }
        FltReleaseFileNameInformation(nameInfo);
    }

    return status;
}
```
The result of running it is as follows:
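The name check in the callback above hides two traps worth looking at on their own: the UNICODE_STRING Name is not necessarily NUL-terminated (and its Length is in bytes), and a wcsstr() substring test also matches a directory named xxxx.txt or a file named xxxx.txt.bak. The user-mode C below is an added example, not code from the original post: it emulates the UNICODE_STRING layout with a NameString struct and compares only the final path component, case-insensitively. NameString, EqualsNoCase, ShouldBlockWrite and BlockForPath are names assumed for this example.

```c
#include <stdlib.h>
#include <string.h>
#include <wchar.h>
#include <wctype.h>
/* User-mode stand-in for the kernel UNICODE_STRING: Length and MaximumLength
 * are in bytes and Buffer is NOT guaranteed to be NUL-terminated. */
typedef struct {
    unsigned short Length;
    unsigned short MaximumLength;
    wchar_t *Buffer;
} NameString;
/* Case-insensitive equality of two NUL-terminated wide strings. */
static int EqualsNoCase(const wchar_t *a, const wchar_t *b) {
    for (; *a && *b; a++, b++)
        if (towupper((wint_t)*a) != towupper((wint_t)*b)) return 0;
    return *a == *b;
}
/* Returns 1 if the write should be denied: the final path component of the
 * normalized name equals the protected file name. A directory of that name or
 * a longer name such as xxxx.txt.bak (which wcsstr would match) returns 0. */
int ShouldBlockWrite(const NameString *name, const wchar_t *protectedFile) {
    size_t chars = name->Length / sizeof(wchar_t);
    wchar_t *copy = malloc((chars + 1) * sizeof(wchar_t));
    const wchar_t *last;
    int block;
    if (copy == NULL) return 0;               /* cannot inspect the name: let it through */
    memcpy(copy, name->Buffer, name->Length); /* exactly Length bytes, not MaximumLength */
    copy[chars] = L'\0';                      /* terminate explicitly */
    last = wcsrchr(copy, L'\\');
    last = last ? last + 1 : copy;
    block = EqualsNoCase(last, protectedFile);
    free(copy);
    return block;
}
/* Test helper: builds a NameString in a local buffer that deliberately carries
 * junk past Length, as a real UNICODE_STRING may, then runs the check. */
int BlockForPath(const wchar_t *text, const wchar_t *protectedFile) {
    wchar_t storage[128];
    NameString n;
    size_t len = wcslen(text);
    if (len >= 128) return 0;
    wmemset(storage, L'Z', 128);              /* constructed junk, no terminator */
    wmemcpy(storage, text, len);
    n.Length = (unsigned short)(len * sizeof(wchar_t));
    n.MaximumLength = sizeof(storage);
    n.Buffer = storage;
    return ShouldBlockWrite(&n, protectedFile);
}
```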