Minifilter driver not blocking file editing


Question


I am trying to create a File System Filter (Minifilter) driver. For that I am following the tutorial provided here: https://www.youtube.com/watch?v=ukUf3kSSTOU


In a brief way, in the tutorial you create a minifilter driver that stops you from writing into a file called OPENME.txt.

This is my code:

#include <fltKernel.h>
#include <dontuse.h>
#include <suppress.h>

PFLT_FILTER FilterHandle = NULL;
NTSTATUS MiniUnload(FLT_FILTER_UNLOAD_FLAGS Flags);
FLT_POSTOP_CALLBACK_STATUS MiniPostCreate(PFLT_CALLBACK_DATA Data, PCFLT_RELATED_OBJECTS FltObjects, PVOID* CompletionContec, FLT_POST_OPERATION_FLAGS Flags);
FLT_PREOP_CALLBACK_STATUS MiniPreCreate(PFLT_CALLBACK_DATA Data, PCFLT_RELATED_OBJECTS FltObjects, PVOID* CompletionContec);
FLT_PREOP_CALLBACK_STATUS MiniPreWrite(PFLT_CALLBACK_DATA Data, PCFLT_RELATED_OBJECTS FltObjects, PVOID* CompletionContec);

const FLT_OPERATION_REGISTRATION Callbacks[] =
{
    { IRP_MJ_CREATE,0,MiniPreCreate, MiniPostCreate },
    { IRP_MJ_WRITE,0,MiniPreWrite, NULL },
    { IRP_MJ_OPERATION_END }
};

const FLT_REGISTRATION FilterRegistration =
{
    sizeof(FLT_REGISTRATION),
    FLT_REGISTRATION_VERSION,
    0,
    NULL,
    Callbacks,
    MiniUnload,
    NULL,
    NULL,
    NULL,
    NULL,
    NULL,
    NULL,
    NULL,
    NULL
};

NTSTATUS MiniUnload(FLT_FILTER_UNLOAD_FLAGS Flags)
{
    KdPrint(("driver unload \r\n"));
    FltUnregisterFilter(FilterHandle);

    return STATUS_SUCCESS;
}

FLT_POSTOP_CALLBACK_STATUS MiniPostCreate(PFLT_CALLBACK_DATA Data, PCFLT_RELATED_OBJECTS FltObjects, PVOID* CompletionContec, FLT_POST_OPERATION_FLAGS Flags)
{
    KdPrint(("post create running \r\n"));

    return FLT_POSTOP_FINISHED_PROCESSING;
}

FLT_PREOP_CALLBACK_STATUS MiniPreCreate(PFLT_CALLBACK_DATA Data, PCFLT_RELATED_OBJECTS FltObjects, PVOID* CompletionContec)
{
    PFLT_FILE_NAME_INFORMATION FileNameInfo;
    NTSTATUS status;
    WCHAR Name[200] = { 0 };

    status = FltGetFileNameInformation(Data, FLT_FILE_NAME_NORMALIZED | FLT_FILE_NAME_QUERY_DEFAULT, &FileNameInfo);

    if (NT_SUCCESS(status))
    {
        status = FltParseFileNameInformation(FileNameInfo);

        if (NT_SUCCESS(status))
        {
            if (FileNameInfo->Name.MaximumLength < 260)
            {
                RtlCopyMemory(Name, FileNameInfo->Name.Buffer, FileNameInfo->Name.MaximumLength);

                KdPrint(("create file: %ws \r\n", Name)); // %ws prints a wide string; %wa is not a DbgPrint specifier
            }
        }

        FltReleaseFileNameInformation(FileNameInfo);
    }

    return FLT_PREOP_SUCCESS_WITH_CALLBACK;
}

FLT_PREOP_CALLBACK_STATUS MiniPreWrite(PFLT_CALLBACK_DATA Data, PCFLT_RELATED_OBJECTS FltObjects, PVOID* CompletionContec)
{
    PFLT_FILE_NAME_INFORMATION FileNameInfo;
    NTSTATUS status;
    WCHAR Name[200] = { 0 };

    status = FltGetFileNameInformation(Data, FLT_FILE_NAME_NORMALIZED | FLT_FILE_NAME_QUERY_DEFAULT, &FileNameInfo);

    if (NT_SUCCESS(status))
    {
        status = FltParseFileNameInformation(FileNameInfo);

        if (NT_SUCCESS(status))
        {
            if (FileNameInfo->Name.MaximumLength < 260)
            {
                RtlCopyMemory(Name, FileNameInfo->Name.Buffer, FileNameInfo->Name.MaximumLength);

                _wcsupr(Name);

                if (wcsstr(Name, L"OPENME.txt") != NULL)
                {
                    KdPrint(("write file %ws blocked \r\n", Name));

                    Data->IoStatus.Status = STATUS_INVALID_PARAMETER;
                    Data->IoStatus.Information = 0;

                    FltReleaseFileNameInformation(FileNameInfo);

                    return FLT_PREOP_COMPLETE;
                }

                KdPrint(("write file: %ws \r\n", Name)); // %ws prints a wide string; %wa is not a DbgPrint specifier
            }
        }

        FltReleaseFileNameInformation(FileNameInfo);
    }

    return FLT_PREOP_SUCCESS_NO_CALLBACK;
}

NTSTATUS DriverEntry(PDRIVER_OBJECT DriverObject, PUNICODE_STRING RegistryPath)
{
    NTSTATUS status;

    status = FltRegisterFilter(DriverObject, &FilterRegistration, &FilterHandle);

    if (NT_SUCCESS(status))
    {
        status = FltStartFiltering(FilterHandle);

        if (!NT_SUCCESS(status))
        {
            FltUnregisterFilter(FilterHandle);
        }
    }

    return status;
}

;;;
;;; FsFilter2
;;;

[Version]
Signature   = "$Windows NT$"
; TODO - Change the Class and ClassGuid to match the Load Order Group value, see https://msdn.microsoft.com/en-us/windows/hardware/gg462963
; Class       = "ActivityMonitor"                         ;This is determined by the work this filter driver does
; ClassGuid   = {b86dff51-a31e-4bac-b3cf-e8cfe75c9fc2}    ;This value is determined by the Load Order Group value
Class = "ActivityMonitor"
ClassGuid = {b86dff51-a31e-4bac-b3cf-e8cfe75c9fc2}
Provider    = %ManufacturerName%
DriverVer = 01/26/2018,16.49.59.238
CatalogFile = FsFilter2.cat

[DestinationDirs]
DefaultDestDir          = 12
MiniFilter.DriverFiles  = 12            ;%windir%\system32\drivers

;;
;; Default install sections
;;

[DefaultInstall]
OptionDesc          = %ServiceDescription%
CopyFiles           = MiniFilter.DriverFiles

[DefaultInstall.Services]
AddService          = %ServiceName%,,MiniFilter.Service

;;
;; Default uninstall sections
;;

[DefaultUninstall]
DelFiles   = MiniFilter.DriverFiles

[DefaultUninstall.Services]
DelService = %ServiceName%,0x200      ;Ensure service is stopped before deleting

;
; Services Section
;

[MiniFilter.Service]
DisplayName      = %ServiceName%
Description      = %ServiceDescription%
ServiceBinary    = %12%\%DriverName%.sys        ;%windir%\system32\drivers\
Dependencies     = "FltMgr"
ServiceType      = 2                            ;SERVICE_FILE_SYSTEM_DRIVER
StartType        = 3                            ;SERVICE_DEMAND_START
ErrorControl     = 1                            ;SERVICE_ERROR_NORMAL
; TODO - Change the Load Order Group value
; LoadOrderGroup = "FSFilter Activity Monitor"
LoadOrderGroup = "FSFilter Activity Monitor"
AddReg           = MiniFilter.AddRegistry

;
; Registry Modifications
;

[MiniFilter.AddRegistry]
HKR,,"DebugFlags",0x00010001 ,0x0
HKR,,"SupportedFeatures",0x00010001,0x3
HKR,"Instances","DefaultInstance",0x00000000,%DefaultInstance%
HKR,"Instances\"%Instance1.Name%,"Altitude",0x00000000,%Instance1.Altitude%
HKR,"Instances\"%Instance1.Name%,"Flags",0x00010001,%Instance1.Flags%

;
; Copy Files
;

[MiniFilter.DriverFiles]
%DriverName%.sys

[SourceDisksFiles]
FsFilter2.sys = 1,,

[SourceDisksNames]
1 = %DiskId1%,,,

;;
;; String Section
;;

[Strings]
; TODO - Add your manufacturer
ManufacturerName        = "Template"
ServiceDescription      = "FsFilter2 Mini-Filter Driver"
ServiceName             = "FsFilter2"
DriverName              = "FsFilter2"
DiskId1                 = "FsFilter2 Device Installation Disk"

;Instances specific information.
DefaultInstance         = "FsFilter2 Instance"
Instance1.Name          = "FsFilter2 Instance"
; TODO - Change the altitude value, see https://msdn.microsoft.com/en-us/windows/hardware/drivers/ifs/load-order-groups-and-altitudes-for-minifilter-drivers
Instance1.Altitude       = "371000"
Instance1.Flags         = 0x0              ; Allow all attachments


Then, in the project properties I set the following configurations:

  • Platform: x64
  • C/C++ > Warning Level: Level1 (/W1)
  • Linker > Treat Linker Warnings As Errors: No (/WX:NO)
  • Driver Settings > Target OS Version: Windows 10 or higher
  • Driver Settings > Target Platform: Desktop


Then, I build the application, and I get the success message, with the .inf and .sys files created.


My target machine is Windows 10 x64, and I have already set the option to allow the use of unsigned drivers.

I run the following command:

pnputil /add-driver FsFilter2.inf


And the driver is installed successfully. I get the output:

Microsoft PnP Utility

Adding driver package:  FsFilter2.inf 
Driver package added successfully.
Published Name:         oem73.inf

Total driver packages:  1 
Added driver packages:  1

Then, I start the driver by doing:

net start FsFilter2

And I get the following output:

The FsFilter2 service was started successfully.


Yet, I can still write into the OPENME.txt file... while in the tutorial it's not possible...


I am also using DebugView and can't see any of my messages in it...


Does anyone know what I am doing wrong? Or what can I do to find out what my problem is?

Answer


I certainly hope the YouTube video did not teach you to do things this way. There are many, many mistakes here, so many that I would first of all suggest you go and check out the Microsoft minifilter samples. They are situated here. More specifically I would suggest you check out the scanner sample, or avscan, but the latter is a bit more complicated. In short, here are a few suggestions:

  1. Make your check in post-create, not pre-create, since the file object is not yet opened by the file system below you, and thus FltGetFileNameInformation will itself do a FltCreateFile to open the file in order to query the name.
  2. In PostCreate, also decide if you want to allow this file to be opened. You should check the DesiredAccess that the open is done with, and if it fits your mask, in this case FILE_GENERIC_WRITE, then simply deny the create. See with what API to cancel a file open and where the desired access is located.
  3. Don't forget to set Data->IoStatus.Status to STATUS_ACCESS_DENIED, since STATUS_INVALID_PARAMETER is pretty ambiguous and it is not the case.
  4. Do not do any processing in the PreWrite for this, as there is no need; you have already blocked the Create.
  5. Don't use unsafe string functions like wcsstr; consider using the APIs that are available in ntstrsafe.h, since they do bounds checks based on the provided length rather than assuming a NULL character at the end.


Good luck, and hope this helps.
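A userland model of the post-create decision the answer recommends, added here as an example (it is not the answer's, the tutorial's, or the WDK samples' code): the protected name is matched case-insensitively with an explicit character count instead of wcsstr on a copied buffer (note that the question's _wcsupr followed by a mixed-case "OPENME.txt" pattern can never match), and the open is denied only when the desired access carries a write bit. The access-mask constants are the public SDK values; the minifilter calls appear in a comment only, because this file is compiled without the WDK.

```c
#include <stddef.h>
#include <stdint.h>
#include <wchar.h>
#include <wctype.h>

/* Access-mask bits, with the values published in the Windows SDK headers. */
#define FILE_WRITE_DATA   0x0002u
#define FILE_APPEND_DATA  0x0004u
#define GENERIC_WRITE     0x40000000u
#define GENERIC_ALL       0x10000000u
typedef uint32_t ACCESS_MASK;

/* Any bit that would let the caller modify file contents. */
#define WRITE_INTENT (FILE_WRITE_DATA | FILE_APPEND_DATA | GENERIC_WRITE | GENERIC_ALL)

/* Case-insensitive "ends with", bounded by an explicit character count.
 * A UNICODE_STRING buffer is not NUL-terminated, so never scan past lenChars. */
static int NameEndsWithCI(const wchar_t *buf, size_t lenChars, const wchar_t *suffix)
{
    size_t sufLen = wcslen(suffix);
    if (buf == NULL || lenChars < sufLen) return 0;
    const wchar_t *tail = buf + (lenChars - sufLen);
    for (size_t i = 0; i < sufLen; i++) {
        if (towupper((wint_t)tail[i]) != towupper((wint_t)suffix[i])) return 0;
    }
    return 1;
}

/* Decision a post-create callback would make: deny only when the normalized
 * path ends in the protected file name AND the open asks for write access.
 * Read-only opens of the same file are left alone. */
int ShouldDenyOpen(const wchar_t *name, size_t lenChars, ACCESS_MASK desiredAccess)
{
    if (!NameEndsWithCI(name, lenChars, L"\\OPENME.TXT")) return 0;
    return (desiredAccess & WRITE_INTENT) != 0;
}

/* Kernel-side wiring (not compiled here; shown for orientation) inside MiniPostCreate,
 * after FltGetFileNameInformation/FltParseFileNameInformation succeeded into ni:
 *   ACCESS_MASK da = Data->Iopb->Parameters.Create.SecurityContext->DesiredAccess;
 *   if (ShouldDenyOpen(ni->Name.Buffer, ni->Name.Length / sizeof(WCHAR), da)) {
 *       FltCancelFileOpen(FltObjects->Instance, FltObjects->FileObject);
 *       Data->IoStatus.Status = STATUS_ACCESS_DENIED;
 *       Data->IoStatus.Information = 0;
 *   }
 *   FltReleaseFileNameInformation(ni);
 */
```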
