閱讀943 返回首頁    go 技術社區[雲棲]

文件監控(教學版)

參考FileSpy寫的文件監控程序,但比它的抽象多了。可能瑞星的文件驅動也是這樣寫的,否則它為什麼老阻止我安裝驅動呢。測試程序是一個命令行小程序,負責打開設備,開啟監控和關閉監控,運行時開啟和關閉兩次。

 

在DebugView中查看輸出信息,我隻是想看看能不能達到目的,所以信息量很少。

 

在驅動程序中開啟和關閉監控的代碼:

 

VOID AttachedToDeviceByName (__in PWSTR DeviceName, __in BOOLEAN attach)

{

  UCHAR tmp_buf1[50];

  UNICODE_STRING volumeName;

  NTSTATUS status;

  OBJECT_ATTRIBUTES objectAttributes;

  IO_STATUS_BLOCK openStatus;

  HANDLE fileHandle;

  PDEVICE_OBJECT volume_obj, fs_obj, spy_obj;

  PFILESPY_DEVICE_EXTENSION devExt;

  ULONG i;

  LARGE_INTEGER interval;

  PDEVICE_OBJECT current_obj, next_obj;

  PAGED_CODE();

 

  //應用程序傳過來的盤符

  RtlInitEmptyUnicodeString(&volumeName, (PWSTR)tmp_buf1, sizeof(tmp_buf1));

  RtlAppendUnicodeToString(&volumeName, L"\\DosDevices\\");

  status = RtlAppendUnicodeToString(&volumeName, DeviceName);

 

  InitializeObjectAttributes( &objectAttributes,

                &volumeName,

                OBJ_CASE_INSENSITIVE | OBJ_KERNEL_HANDLE,

                NULL,

                NULL );

  status = ZwCreateFile( &fileHandle,

               SYNCHRONIZE|FILE_READ_DATA,

               &objectAttributes,

               &openStatus,

               NULL,

               0,

               FILE_SHARE_READ|FILE_SHARE_WRITE,

               FILE_OPEN,

               FILE_SYNCHRONOUS_IO_NONALERT,

               NULL,

               0 );

  status = ObReferenceObjectByHandle( fileHandle,

                    FILE_READ_DATA,

                    *IoFileObjectType,

                    KernelMode,

                    &volume_obj,

                    NULL );

  fs_obj = IoGetBaseFileSystemDeviceObject( volume_obj );

  ObReferenceObject( fs_obj );

 

  if(attach)

  {    

    ObDereferenceObject( volume_obj );

    ZwClose( fileHandle );

 

    status = IoCreateDevice( gFileSpyDriverObject,

                sizeof( FILESPY_DEVICE_EXTENSION ),

                NULL,

                fs_obj->DeviceType,

                0,

                FALSE,

                &spy_obj );

 

    devExt = spy_obj->DeviceExtension;

    devExt->AttachedToDeviceObject = NULL;

 

    ASSERT( IS_FILESPY_DEVICE_OBJECT( spy_obj ) );

 

    SetFlag( spy_obj->Flags, FlagOn( fs_obj->Flags, (DO_BUFFERED_IO | DO_DIRECT_IO | DO_SUPPORTS_TRANSACTIONS)));

    SetFlag( spy_obj->Characteristics, FlagOn( fs_obj->Characteristics, (FILE_DEVICE_SECURE_OPEN) ));

 

    for (i=0; i < 8; i++)

    {

      status = IoAttachDeviceToDeviceStackSafe( spy_obj, fs_obj, &devExt->AttachedToDeviceObject );

      if (NT_SUCCESS(status) )

      {

        break;

      }

      interval.QuadPart = (500 * DELAY_ONE_MILLISECOND);

      KeDelayExecutionThread( KernelMode, FALSE, &interval );

    }

 

    ClearFlag(spy_obj->Flags, DO_DEVICE_INITIALIZING);

    ObDereferenceObject( fs_obj );

  }

  else

  {

    current_obj = IoGetAttachedDeviceReference( fs_obj );

 

    while (NULL != current_obj)

    {

      if (IS_FILESPY_DEVICE_OBJECT( current_obj ))

      {

        spy_obj = current_obj;

        break;

      }

      next_obj = IoGetLowerDeviceObject( current_obj );

      ObDereferenceObject( current_obj );

      current_obj = next_obj;

    }

 

    ObDereferenceObject( volume_obj );

    ZwClose( fileHandle );

 

    devExt = spy_obj->DeviceExtension;

    IoDetachDevice( devExt->AttachedToDeviceObject );

 

    IoDeleteDevice( spy_obj );

    ObDereferenceObject( spy_obj );

    ObDereferenceObject( spy_obj );

    ObDereferenceObject( spy_obj );

 

    interval.QuadPart = (5 * DELAY_ONE_SECOND); //等5秒

    KeDelayExecutionThread( KernelMode, FALSE, &interval );

    ObDereferenceObject( fs_obj );

  }  

}

寫的時候遇到一個有趣的問題是,驅動安裝卸載一次,然後再安裝,應用程序就不能訪問它了,GetError()提示說係統找不到指定的文件。原來是卸載的時候沒有卸幹淨,所以第二次不能用,程序中有相連的三句話“ObDereferenceObject( spy_obj);”正是我擔心spy_obj不釋放才出此下策。

最後更新:2017-04-03 15:21:56

  上一篇:go 開博首記
  下一篇:go struts2工作流程及各種文件詳解