Using IRPs for file operations
Author: LaoKaDDK, 2008-04-27

Let me say up front that this is a beginner's study diary, not some deep article; experts, read with caution.

First I must thank the people who put in hard work for the progress of this technology and share it: "An open-source hex editor that accesses files through generic IRPs" by 被诅咒的神 of the 邪恶八进制 (EvilOctal) information security team, and "Kernel-level file access on the Windows platform" by baiyuanfan (baiyuanfan@163.com). Special thanks to 被诅咒的神: his <ExTools v1.2> contains a great deal of valuable information on operating on files with IRPs, which helped me enormously as a newcomer. You can download his source code for reference.

Although the weather is still freezing, this article has to be written: I have just finished some functions and hope that sharing them will be of some small help. This month is holiday time, so there is plenty of time to learn a lot. I have long been interested in pjf's IceSword and envied his ability to write such a powerful Anti-Rootkit tool; now I have finally implemented file operations similar to his, which makes me very happy. I cannot be sure he wrote it this way; I read online that he operates on files with IRPs.

The process of writing these functions was tortuous, and fortunately I did not give up. I first read <Windows File System Filter Driver Development Tutorial, 2nd edition -- 楚狂人>, though not to the end. My own summary: you attach your driver at the top of the device stack so that every IRP passes through it, and then you filter the IRPs. There are a great many details; without 楚狂人's excellent explanation it would not have been easy going from Microsoft's samples alone, so thanks to 楚狂人. But it did not help much with sending IRPs myself. Next I read the PDFs in OSR_docs, again not all of them but some key parts, for example <IrpMan.pdf>, section <2.2.14.6 Kernel File Copy Example>, which shows the use of four IRPs: IRP_MJ_QUERY_INFORMATION, IRP_MJ_SET_INFORMATION, IRP_MJ_READ and IRP_MJ_WRITE. I recommend everyone read it; it is very good reference material. It does not cover how to fill in IRP_MJ_CREATE, though, so I filled in the IRP following those materials and called IoCallDriver, and of course it failed. So I skipped it and did IRP_MJ_DIRECTORY_CONTROL first, the IRP that NtQueryDirectoryFile (the call normally used to enumerate files) ultimately sends. That worked, and I was so happy. Then I found the source of <ExTools v1.2> by 被诅咒的神 online, and with such good reference material progress was of course much faster. <ExTools v1.2> lacks IRP_MJ_SET_INFORMATION, so I have added that for you too ^_^. Now it is finished and I am sharing the result with everyone.

One key point. I quote a passage from <Kernel-level file access on the Windows platform>:

  File-system filter drivers attach on top of the normal file system and monitor and filter our file accesses.
  The file-system driver stack is made up of this chain of attached filter drivers.
  We can use the function IoGetRelatedDeviceObject to obtain the lowest functional device object (FDO) corresponding to a FileObject.
  But although this bypasses the filter drivers, it also bypasses the normal FSD such as Ntfs/Fastfat, because the normal FSD itself exists as a filter driver.
  The lowest FDO corresponding to a disk file object is Ftdisk.sys, which is too low-level to handle the IRP requests we post.
  In fact the normal FSD's information is stored in a Vpb structure, and we can use the undocumented kernel function IoGetBaseFileSystemDeviceObject to obtain it.
  That is the target we send our IRPs to.
Since the normal FSD is right there in the Vpb, I use it directly, so as not to call a function that may itself be hooked. Once you know how file-system filter drivers work, you can see that this bypasses the drivers at the top of the stack and sends the IRP straight to the normal FSD. This point is important.

The IRPs I use, and the functions they correspond to, are listed here so that beginners like me can follow along (most of this was not written by me ^_^):

  IRP_MJ_CREATE - NtCreateFile: creates or opens a file and returns a handle; sending the IRP returns a FILE_OBJECT instead, which is independent of the thread.
  IRP_MJ_CLEANUP - NtClose: closes a HANDLE.
  IRP_MJ_CLOSE - ObDereferenceObject: closes a FILE_OBJECT.
  IRP_MJ_DIRECTORY_CONTROL - NtQueryDirectoryFile: enumerates a directory; very often hooked.
  IRP_MJ_QUERY_INFORMATION - NtQueryInformationFile: gets file information.
  IRP_MJ_SET_INFORMATION - NtSetInformationFile: sets file information: delete, rename, change attributes.
  IRP_MJ_READ - NtReadFile: reads a file.
  IRP_MJ_WRITE - NtWriteFile: writes a file.

Sending IRPs directly to operate on files avoids interference from some rootkits, unless IoCallDriver itself is hooked. I read online that pjf's IceSword first reads the opening bytes of IoCallDriver from ntkrnlpa.exe (used on multi-core processors) or ntoskrnl.exe (used on single-core processors) and restores them so that they cannot be hooked. pjf really thinks of everything; I envy him and hope one day I will be as strong ^_^.

OK, here is the code. It is fairly long and the parameters are complex; getting one detail wrong may BSOD. I have tried to write it in the style of the APIs Microsoft provides, with comments (actually copied from the WDK ^_^). Once again: most of the code is not mine, I only changed a little to suit everyone's habits, and I learned a lot along the way. Chinese articles on this technology are really scarce, which is backward. If you find that a function here causes a blue screen and you are sure your parameters are correct, please leave me a message here. Thank you.

#include "ntifs.h"

//
// Define the structure used by this driver module.
//
typedef struct _AUX_ACCESS_DATA {
    PPRIVILEGE_SET PrivilegesUsed;
    GENERIC_MAPPING GenericMapping;
    ACCESS_MASK AccessesToAudit;
    ULONG Reserve; // unknown...
} AUX_ACCESS_DATA, *PAUX_ACCESS_DATA;

//
// Define the local routines used by this driver module.
//
NTSTATUS
ObCreateObject(
    IN KPROCESSOR_MODE ProbeMode,
    IN POBJECT_TYPE ObjectType,
    IN POBJECT_ATTRIBUTES ObjectAttributes OPTIONAL,
    IN KPROCESSOR_MODE OwnershipMode,
    IN OUT PVOID ParseContext OPTIONAL,
    IN ULONG ObjectBodySize,
    IN ULONG PagedPoolCharge,
    IN ULONG NonPagedPoolCharge,
    OUT PVOID *Object
    );

NTSTATUS
SeCreateAccessState(
    IN PACCESS_STATE AccessState,
    IN PAUX_ACCESS_DATA AuxData,
    IN ACCESS_MASK DesiredAccess,
    IN PGENERIC_MAPPING GenericMapping OPTIONAL
    );

//
// IoCompletionRoutine
//
// This routine is used to handle I/O read OR write completion
//
// Inputs:
//   DeviceObject - not used
//   Irp - the I/O operation being completed
//   Context - not used
//
// Outputs:
//   None.
//
// Returns:
//   STATUS_MORE_PROCESSING_REQUIRED
//
// Notes:
//   The purpose of this routine is to do "cleanup" on I/O operations
//   so we don't constantly throw away perfectly good MDLs as part of
//   completion processing.
//
NTSTATUS
IoCompletionRoutine(
    IN PDEVICE_OBJECT DeviceObject,
    IN PIRP Irp,
    IN PVOID Context
    );

//
// IrpCreateFile
//
// This routine is used as NtCreateFile, but with a different first and third parameter.
//
// Inputs:
//   DesiredAccess - Specifies an ACCESS_MASK value that determines
//     the requested access to the object.
//   FilePath - Path of the file to create, as L"C:\\Windows" (Unicode).
//   AllocationSize - Pointer to a LARGE_INTEGER that contains the initial allocation
//     size in bytes for a file that is created or overwritten.
//   FileAttributes - Specifies one or more FILE_ATTRIBUTE_XXX flags which represent
//     the file attributes to set if you are creating or overwriting a file.
//   ShareAccess - Type of share access.
//   CreateDisposition - Specifies the action to perform if the file does or does not exist.
//   CreateOptions - Specifies the options to apply when creating or opening the file.
//   EaBuffer - For device and intermediate drivers this parameter must be a NULL pointer.
//   EaLength - For device and intermediate drivers this parameter must be zero.
//
// Outputs:
//   FileObject - Pointer to a PFILE_OBJECT variable that
//     receives a PFILE_OBJECT to the file.
//   IoStatusBlock - Pointer to an IO_STATUS_BLOCK structure that receives the final
//     completion status and information about the requested operation.
//
// Returns:
//   The IRP send status.
//
// Notes:
//   This is equivalent to NtCreateFile, but returns a FILE_OBJECT, not a HANDLE.
//
NTSTATUS
IrpCreateFile(
    OUT PFILE_OBJECT *FileObject,
    IN ACCESS_MASK DesiredAccess,
    IN PUNICODE_STRING FilePath,
    OUT PIO_STATUS_BLOCK IoStatusBlock,
    IN PLARGE_INTEGER AllocationSize OPTIONAL,
    IN ULONG FileAttributes,
    IN ULONG ShareAccess,
    IN ULONG CreateDisposition,
    IN ULONG CreateOptions,
    IN PVOID EaBuffer OPTIONAL,
    IN ULONG EaLength
    );

//
// IrpClose
//
// This routine is used as ObDereferenceObject.
//
// Inputs:
//   FileObject - Pointer to the FILE_OBJECT that will be closed.
//
// Outputs:
//   None.
//
// Returns:
//   The IRP send status.
//
// Notes:
//   This is equivalent to ObDereferenceObject.
//
NTSTATUS
IrpClose(
    IN PFILE_OBJECT FileObject
    );

//
// IrpQueryDirectoryFile
//
// This routine is used as NtQueryDirectoryFile.
//
// Inputs:
//   FileObject - Pointer to a FILE_OBJECT.
//   Length - Size in bytes of the buffer pointed to by FileInformation. The caller
//     should set this parameter according to the given FileInformationClass.
//   FileInformationClass - Type of information to be returned about files in the directory.
//   FileName - Pointer to a caller-allocated Unicode string containing the name of a file
//     (or multiple files, if wildcards are used) within the directory specified by FileObject.
//     This parameter is optional and can be NULL.
//
// Outputs:
//   IoStatusBlock - Pointer to an IO_STATUS_BLOCK structure that receives the final
//     completion status and information about the requested operation.
//   FileInformation - Pointer to a buffer that receives the desired
//     information about the file.
//
// Returns:
//   The IRP send status.
//
// Notes:
//   This is equivalent to NtQueryDirectoryFile, but with no ApcRoutine.
//
NTSTATUS
IrpQueryDirectoryFile(
    IN PFILE_OBJECT FileObject,
    OUT PIO_STATUS_BLOCK IoStatusBlock,
    OUT PVOID FileInformation,
    IN ULONG Length,
    IN FILE_INFORMATION_CLASS FileInformationClass,
    IN PUNICODE_STRING FileName OPTIONAL
    );

//
// IrpQueryInformationFile
//
// This routine is used as NtQueryInformationFile.
//
// Inputs:
//   FileObject - Pointer to a FILE_OBJECT.
//   Length - Size in bytes of the buffer pointed to by FileInformation. The caller
//     should set this parameter according to the given FileInformationClass.
//   FileInformationClass - Type of information to be returned about the file.
//
// Outputs:
//   IoStatusBlock - Pointer to an IO_STATUS_BLOCK structure that receives the final
//     completion status and information about the requested operation.
//   FileInformation - Pointer to a buffer that receives the desired
//     information about the file.
//
// Returns:
//   The IRP send status.
//
// Notes:
//   This is equivalent to NtQueryInformationFile.
//
NTSTATUS
IrpQueryInformationFile(
    IN PFILE_OBJECT FileObject,
    OUT PIO_STATUS_BLOCK IoStatusBlock,
    OUT PVOID FileInformation,
    IN ULONG Length,
    IN FILE_INFORMATION_CLASS FileInformationClass
    );

//
// IrpSetInformationFile
//
// This routine is used as NtSetInformationFile.
//
// Inputs:
//   FileObject - Pointer to a FILE_OBJECT.
//   FileInformation - Pointer to a buffer that contains the information to set for the file.
//   Length - Size in bytes of the buffer pointed to by FileInformation. The caller
//     should set this parameter according to the given FileInformationClass.
//   FileInformationClass - Type of information to be set for the file.
//   ReplaceIfExists - Set to TRUE to specify that if a file with the same name already exists
//     it should be replaced with the given file. Set to FALSE if the rename
//     operation should fail if a file with the given name already exists.
//
// Outputs:
//   IoStatusBlock - Pointer to an IO_STATUS_BLOCK structure that receives the final
//     completion status and information about the requested operation.
//
// Returns:
//   The IRP send status.
//
// Notes:
//   This is equivalent to NtSetInformationFile.
//
NTSTATUS
IrpSetInformationFile(
    IN PFILE_OBJECT FileObject,
    OUT PIO_STATUS_BLOCK IoStatusBlock,
    IN PVOID FileInformation,
    IN ULONG Length,
    IN FILE_INFORMATION_CLASS FileInformationClass,
    IN BOOLEAN ReplaceIfExists
    );

//
// IrpReadFile
//
// This routine is used as NtReadFile.
//
// Inputs:
//   FileObject - Pointer to a FILE_OBJECT.
//   Buffer - Pointer to a caller-allocated buffer that receives the data read from the file.
//   Length - The size in bytes of the buffer pointed to by Buffer.
//   ByteOffset - Pointer to a variable that specifies the starting byte offset
//     in the file where the read operation will begin.
//
// Outputs:
//   IoStatusBlock - Pointer to an IO_STATUS_BLOCK structure that receives the final
//     completion status and information about the requested read operation.
//
// Returns:
//   The IRP send status.
//
// Notes:
//   This is equivalent to NtReadFile, but with no ApcRoutine.
//
NTSTATUS
IrpReadFile(
    IN PFILE_OBJECT FileObject,
    OUT PIO_STATUS_BLOCK IoStatusBlock,
    OUT PVOID Buffer,
    IN ULONG Length,
    IN PLARGE_INTEGER ByteOffset OPTIONAL
    );

//
// IrpWriteFile
//
// This routine is used as NtWriteFile.
//
// Inputs:
//   FileObject - Pointer to a FILE_OBJECT.
//   Buffer - Pointer to a caller-allocated buffer that contains the data to write to the file.
//   Length - The size in bytes of the buffer pointed to by Buffer.
//   ByteOffset - Pointer to a variable that specifies the starting byte offset
//     in the file for beginning the write operation.
//
// Outputs:
//   IoStatusBlock - Pointer to an IO_STATUS_BLOCK structure that receives the final
//     completion status and information about the requested write operation.
//
// Returns:
//   The IRP send status.
//
// Notes:
//   This is equivalent to NtWriteFile, but with no ApcRoutine.
//
NTSTATUS
IrpWriteFile(
    IN PFILE_OBJECT FileObject,
    OUT PIO_STATUS_BLOCK IoStatusBlock,
    IN PVOID Buffer,
    IN ULONG Length,
    IN PLARGE_INTEGER ByteOffset OPTIONAL
    );

//
// Function start.
//
NTSTATUS
IoCompletionRoutine(
    IN PDEVICE_OBJECT DeviceObject,
    IN PIRP Irp,
    IN PVOID Context
    )
{
    // Copy the final status to the caller's IO_STATUS_BLOCK, wake the caller,
    // release the MDL we built for the transfer, and free the IRP ourselves.
    *Irp->UserIosb = Irp->IoStatus;

    if (Irp->UserEvent)
        KeSetEvent(Irp->UserEvent, IO_NO_INCREMENT, 0);

    if (Irp->MdlAddress) {
        IoFreeMdl(Irp->MdlAddress);
        Irp->MdlAddress = NULL;
    }

    IoFreeIrp(Irp);

    // Tell the I/O manager not to touch the IRP again: we already freed it.
    return STATUS_MORE_PROCESSING_REQUIRED;
}

NTSTATUS
IrpCreateFile(
    OUT PFILE_OBJECT *FileObject,
    IN ACCESS_MASK DesiredAccess,
    IN PUNICODE_STRING FilePath,
    OUT PIO_STATUS_BLOCK IoStatusBlock,
    IN PLARGE_INTEGER AllocationSize OPTIONAL,
    IN ULONG FileAttributes,
    IN ULONG ShareAccess,
    IN ULONG CreateDisposition,
    IN ULONG CreateOptions,
    IN PVOID EaBuffer OPTIONAL,
    IN ULONG EaLength
    )
{
    NTSTATUS ntStatus;
    HANDLE hFile;
    PFILE_OBJECT pFile, _FileObject;
    UNICODE_STRING UniDeviceNameString;
    OBJECT_ATTRIBUTES ObjectAttributes;
    PDEVICE_OBJECT DeviceObject, RealDevice;
    PIRP Irp;
    KEVENT kEvent;
    PIO_STACK_LOCATION IrpSp;
    ACCESS_STATE AccessState;
    AUX_ACCESS_DATA AuxData;
    IO_SECURITY_CONTEXT SecurityContext;

    // The path must at least hold a drive letter, a colon and a backslash ("C:\").
    if (FilePath->Length < 6)
        return STATUS_INVALID_PARAMETER;

    // Open the volume's root, "\DosDevices\X:\", taking the drive letter from the
    // caller's path. Buffer[12] is the character after "\DosDevices\"; the "?"
    // in the literal is only a placeholder that is overwritten on the next line.
    RtlInitUnicodeString(&UniDeviceNameString, L"\\DosDevices\\?:\\");
    UniDeviceNameString.Buffer[12] = FilePath->Buffer[0];

    InitializeObjectAttributes(&ObjectAttributes,
                               &UniDeviceNameString,
                               OBJ_KERNEL_HANDLE,
                               NULL,
                               NULL);

    ntStatus = IoCreateFile(&hFile,
                            GENERIC_READ | SYNCHRONIZE,
                            &ObjectAttributes,
                            IoStatusBlock,
                            NULL,
                            FILE_ATTRIBUTE_NORMAL,
                            FILE_SHARE_READ | FILE_SHARE_WRITE | FILE_SHARE_DELETE,
                            FILE_OPEN,
                            FILE_SYNCHRONOUS_IO_NONALERT,
                            NULL,
                            0,
                            CreateFileTypeNone,
                            NULL,
                            IO_NO_PARAMETER_CHECKING);
    if (!NT_SUCCESS(ntStatus))
        return ntStatus;

    // Turn the volume handle into the FILE_OBJECT whose Vpb holds the real FSD.
    ntStatus = ObReferenceObjectByHandle(hFile,
                                         FILE_READ_ACCESS,   // ACCESS_MASK
    // ... the listing on the page ends here: the remaining arguments of this call,
    // the rest of IrpCreateFile and the other Irp* routines are not present in the source.
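The table above singles out IRP_MJ_DIRECTORY_CONTROL as the request that is "very often hooked", and the whole point of sending the IRP to the FSD yourself is to get a listing the hook cannot edit. What an anti-rootkit tool then does with the two listings is compare them. The following is an added, host-side example written for this page (it is not code from the post, from ExTools or from IceSword): it walks two buffers in FILE_DIRECTORY_INFORMATION layout, one standing for what a hooked NtQueryDirectoryFile returned and one for what the direct IRP returned, and reports the names present only in the IRP view. The DIR_INFO struct mirrors the ntifs.h layout (ntifs.h declares FileName as WCHAR[1]; a flexible array is used here), the walker refuses any NextEntryOffset or FileNameLength that leaves the buffer, and every buffer and file name is constructed for the demo.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Mirrors FILE_DIRECTORY_INFORMATION from ntifs.h: same field order and sizes,
 * so the walker below is the code that would consume a real IRP_MJ_DIRECTORY_CONTROL
 * output buffer. */
typedef struct {
    uint32_t NextEntryOffset;   /* 0 on the last entry, else byte distance to the next */
    uint32_t FileIndex;
    int64_t  CreationTime, LastAccessTime, LastWriteTime, ChangeTime;
    int64_t  EndOfFile, AllocationSize;
    uint32_t FileAttributes;
    uint32_t FileNameLength;    /* in bytes, not characters */
    uint16_t FileName[];        /* UTF-16LE, not NUL-terminated */
} DIR_INFO;

#define NAME_MAX_CHARS 31
#define MAX_ENTRIES    16

/* Append one entry (ASCII name widened to UTF-16LE) to a constructed buffer.
 * Entries are kept 8-byte aligned, as an FSD lays them out. Returns the new used size. */
static size_t add_entry(uint8_t *buf, size_t cap, size_t used, size_t *prev, const char *name)
{
    size_t nlen = strlen(name);
    size_t size = offsetof(DIR_INFO, FileName) + nlen * 2;
    size_t aligned = (size + 7) & ~(size_t)7;
    if (used + aligned > cap) return used;
    DIR_INFO *e = (DIR_INFO *)(buf + used);
    memset(e, 0, aligned);
    e->FileNameLength = (uint32_t)(nlen * 2);
    for (size_t i = 0; i < nlen; i++) e->FileName[i] = (uint16_t)(unsigned char)name[i];
    if (*prev != (size_t)-1)
        ((DIR_INFO *)(buf + *prev))->NextEntryOffset = (uint32_t)(used - *prev);
    *prev = used;
    return used + aligned;
}

/* Walk the NextEntryOffset chain defensively: each header, name and link must lie
 * inside the buffer, otherwise the whole buffer is rejected rather than followed.
 * Returns the number of entries seen (names copied up to max), or -1 if malformed. */
static int walk_listing(const uint8_t *buf, size_t len, char names[][NAME_MAX_CHARS + 1], int max)
{
    const size_t hdr = offsetof(DIR_INFO, FileName);
    size_t off = 0;
    int n = 0;
    if (len == 0) return 0;
    for (;;) {
        if (off > len || len - off < hdr) return -1;
        uint32_t next, namelen;
        memcpy(&next, buf + off + offsetof(DIR_INFO, NextEntryOffset), 4);
        memcpy(&namelen, buf + off + offsetof(DIR_INFO, FileNameLength), 4);
        if (namelen % 2 || namelen > len - off - hdr) return -1;
        if (n < max) {
            size_t chars = namelen / 2, i;
            if (chars > NAME_MAX_CHARS) chars = NAME_MAX_CHARS;
            for (i = 0; i < chars; i++) {
                uint16_t wc;
                memcpy(&wc, buf + off + hdr + i * 2, 2);
                names[n][i] = (wc < 0x80) ? (char)wc : '?';   /* ASCII only for the demo */
            }
            names[n][i] = '\0';
        }
        n++;
        if (next == 0) return n;
        if (next < hdr + namelen || next > len - off) return -1;   /* must move forward, in bounds */
        off += next;
    }
}

/* Cross-view check: names in the IRP (FSD) listing that the API listing lacks. */
static int find_hidden(const uint8_t *api, size_t alen, const uint8_t *irp, size_t ilen,
                       char hidden[][NAME_MAX_CHARS + 1], int max)
{
    char a[MAX_ENTRIES][NAME_MAX_CHARS + 1], b[MAX_ENTRIES][NAME_MAX_CHARS + 1];
    int na = walk_listing(api, alen, a, MAX_ENTRIES);
    int nb = walk_listing(irp, ilen, b, MAX_ENTRIES);
    if (na < 0 || nb < 0) return -1;
    int nh = 0;
    for (int i = 0; i < nb; i++) {
        int seen = 0;
        for (int j = 0; j < na && !seen; j++) seen = strcmp(a[j], b[i]) == 0;
        if (!seen && nh < max) strcpy(hidden[nh++], b[i]);
    }
    return nh;
}

/* Constructed scenario: the IRP view lists three files, the API view only two. */
static uint64_t api_raw[64], irp_raw[64];   /* uint64_t storage keeps entries aligned */

int demo_hidden(char hidden[][NAME_MAX_CHARS + 1], int max)
{
    uint8_t *api = (uint8_t *)api_raw, *irp = (uint8_t *)irp_raw;
    size_t alen = 0, ilen = 0, prev = (size_t)-1;
    alen = add_entry(api, sizeof api_raw, alen, &prev, "boot.ini");
    alen = add_entry(api, sizeof api_raw, alen, &prev, "ntldr");
    prev = (size_t)-1;
    ilen = add_entry(irp, sizeof irp_raw, ilen, &prev, "boot.ini");
    ilen = add_entry(irp, sizeof irp_raw, ilen, &prev, "hidden-driver.sys");
    ilen = add_entry(irp, sizeof irp_raw, ilen, &prev, "ntldr");
    return find_hidden(api, alen, irp, ilen, hidden, max);
}

/* A link that points past the end of the buffer must be rejected, not dereferenced. */
int demo_malformed(void)
{
    uint64_t raw[16];
    uint8_t *buf = (uint8_t *)raw;
    size_t prev = (size_t)-1;
    size_t len = add_entry(buf, sizeof raw, 0, &prev, "a.txt");
    ((DIR_INFO *)buf)->NextEntryOffset = 4096;   /* constructed corruption */
    char names[MAX_ENTRIES][NAME_MAX_CHARS + 1];
    return walk_listing(buf, len, names, MAX_ENTRIES);
}

int main(void)
{
    char hidden[MAX_ENTRIES][NAME_MAX_CHARS + 1];
    int n = demo_hidden(hidden, MAX_ENTRIES);
    for (int i = 0; i < n; i++) printf("present only in the IRP view: %s\n", hidden[i]);
    printf("malformed buffer -> %d\n", demo_malformed());
    return 0;
}
```

In a real driver the two inputs would come from NtQueryDirectoryFile and from IrpQueryDirectoryFile with FileDirectoryInformation; the bounds checks matter there because a buffer that has already passed through a hooked path is attacker-influenced data.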
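The post notes that direct IRPs still depend on IoCallDriver being intact, and that IceSword compares the opening bytes of that export with the copy on disk. Below is an added, host-side model of that comparison (written for this page, not IceSword's or the post's code): instead of restoring bytes it only reports whether the in-memory prologue differs from the on-disk one, and decodes the two most common x86 detour forms so the report says where control was diverted. The function address and all byte strings are constructed placeholders; on a real system the on-disk bytes must have the image's relocations applied before they are compared.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define PROLOGUE_LEN 8   /* covers an E9 rel32 jmp (5 bytes) and a push imm32 / ret (6 bytes) */

typedef struct {
    int modified;        /* 1 if the mapped bytes differ from the disk image */
    int decoded;         /* 1 if the patch is a recognisable detour */
    const char *kind;    /* "intact", "jmp rel32", "push/ret" or "unknown" */
    uint32_t target;     /* absolute detour target when decoded */
} hook_report;

static uint32_t le32(const uint8_t *p)
{
    return (uint32_t)p[0] | (uint32_t)p[1] << 8 | (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}

/* Compare PROLOGUE_LEN bytes of an export as mapped (mem) with the same bytes from
 * the on-disk image (disk). func_va is the export's virtual address in memory and is
 * needed to resolve a relative jump. */
hook_report check_prologue(uint32_t func_va, const uint8_t *mem, const uint8_t *disk)
{
    hook_report r = { 0, 0, "intact", 0 };
    if (memcmp(mem, disk, PROLOGUE_LEN) == 0) return r;
    r.modified = 1;
    r.kind = "unknown";
    if (mem[0] == 0xE9) {                         /* jmp rel32: target = next_ip + rel32 */
        r.decoded = 1;
        r.kind = "jmp rel32";
        r.target = func_va + 5 + le32(mem + 1);
    } else if (mem[0] == 0x68 && mem[5] == 0xC3) {   /* push imm32; ret */
        r.decoded = 1;
        r.kind = "push/ret";
        r.target = le32(mem + 1);
    }
    return r;
}

/* Constructed on-disk prologue: the usual hot-patchable "mov edi,edi; push ebp; mov ebp,esp"
 * followed by "mov eax,[ebp+8]". The address is a placeholder, not a real kernel address. */
static const uint32_t DEMO_VA = 0x804E37D0u;
static const uint8_t  DEMO_DISK[PROLOGUE_LEN] = { 0x8B, 0xFF, 0x55, 0x8B, 0xEC, 0x8B, 0x45, 0x08 };

hook_report demo_clean(void)
{
    return check_prologue(DEMO_VA, DEMO_DISK, DEMO_DISK);
}

/* Constructed in-memory copy whose first five bytes were replaced by a jmp rel32. */
hook_report demo_jmp(void)
{
    const uint8_t mem[PROLOGUE_LEN] = { 0xE9, 0x2B, 0x98, 0x54, 0x78, 0x8B, 0x45, 0x08 };
    return check_prologue(DEMO_VA, mem, DEMO_DISK);
}

/* Constructed in-memory copy whose first six bytes were replaced by push imm32 / ret. */
hook_report demo_pushret(void)
{
    const uint8_t mem[PROLOGUE_LEN] = { 0x68, 0x00, 0xD0, 0xA2, 0xF8, 0xC3, 0x45, 0x08 };
    return check_prologue(DEMO_VA, mem, DEMO_DISK);
}

static void print_report(const char *label, hook_report r)
{
    if (!r.modified)
        printf("%s: prologue matches the disk image\n", label);
    else if (r.decoded)
        printf("%s: prologue modified, %s to 0x%08X\n", label, r.kind, r.target);
    else
        printf("%s: prologue modified, pattern not recognised\n", label);
}

int main(void)
{
    print_report("clean", demo_clean());
    print_report("jmp", demo_jmp());
    print_report("push/ret", demo_pushret());
    return 0;
}
```

Reporting rather than rewriting keeps the check side-effect free, which is what you want from a detection routine that may itself be running on a compromised kernel; a mismatch together with the decoded target gives an analyst the module to look at.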