[旧帖] [求助]minifilter文件过滤驱动怎么实现隐藏文件 0.00雪花
发表于: 2016-5-22 17:02 2654
首先在 ring3：int aa = _access("C:\\Program Files\\Common Files\\System\\abc.txt", 0);
gstring::tip("%d",aa);
如果文件存在，返回值是 0；不存在则返回 -1。
驱动层控制这些文件的访问：
const FLT_OPERATION_REGISTRATION Callbacks[] =
{
    /* Only the fast-I/O "network query open" path is intercepted; the
     * table ends with the IRP_MJ_OPERATION_END sentinel entry. */
    {
        .MajorFunction = IRP_MJ_NETWORK_QUERY_OPEN,
        .Flags         = 0,
        .PreOperation  = SimRepPreCreate,
        .PostOperation = SimRepPostCreate
    },
    { .MajorFunction = IRP_MJ_OPERATION_END }
};
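FLT_PREOP_CALLBACK_STATUS
SimRepPreCreate (
    __inout PFLT_CALLBACK_DATA data,
    __in PCFLT_RELATED_OBJECTS FltObjects,
    __out PVOID *CompletionContext
    )
/*
 * Pre-operation callback registered for IRP_MJ_NETWORK_QUERY_OPEN.
 *
 * Obtains the normalized name of the target file, lower-cases a private
 * copy of it and looks for the substring "abc.txt".  On a match the I/O
 * status block is set to STATUS_ACCESS_DENIED / FILE_DOES_NOT_EXIST and
 * FLT_PREOP_DISALLOW_FASTIO is returned.  In every other case (no match,
 * name lookup failure, pool exhaustion) the operation is passed through
 * with FLT_PREOP_SUCCESS_NO_CALLBACK.
 *
 * data               - callback data; IoStatus is written only on a match.
 * FltObjects         - unused.
 * CompletionContext  - unused; no post-operation context is produced.
 *
 * Must run at PASSIVE_LEVEL (PAGED_CODE).
 */
{
    PFLT_FILE_NAME_INFORMATION nameInfo = NULL;
    WCHAR stackBuf[ 512 ];
    WCHAR *poolBuf = NULL;
    WCHAR *name = stackBuf;
    SIZE_T nameBytes = 0;
    FLT_PREOP_CALLBACK_STATUS result = FLT_PREOP_SUCCESS_NO_CALLBACK;

    UNREFERENCED_PARAMETER( FltObjects );
    UNREFERENCED_PARAMETER( CompletionContext );
    PAGED_CODE();

    if( !NT_SUCCESS( FltGetFileNameInformation( data, FLT_FILE_NAME_NORMALIZED | FLT_FILE_NAME_QUERY_DEFAULT, &nameInfo ) ) )
    {
        return FLT_PREOP_SUCCESS_NO_CALLBACK;
    }
    if( !NT_SUCCESS( FltParseFileNameInformation( nameInfo ) ) )
    {
        FltReleaseFileNameInformation( nameInfo );
        return FLT_PREOP_SUCCESS_NO_CALLBACK;
    }

    /* Name.Length is the number of valid bytes.  A UNICODE_STRING is not
     * guaranteed to be NUL-terminated, so the copy reserves one extra WCHAR
     * and terminates explicitly before wcsstr() walks it. */
    nameBytes = nameInfo->Name.Length;
    if( nameBytes + sizeof( WCHAR ) > sizeof( stackBuf ) )
    {
        poolBuf = ExAllocatePoolWithTag( NonPagedPool, nameBytes + sizeof( WCHAR ), 'mNpS' );
        if( NULL == poolBuf )
        {
            /* Out of pool: pass the operation through instead of dereferencing NULL. */
            FltReleaseFileNameInformation( nameInfo );
            return FLT_PREOP_SUCCESS_NO_CALLBACK;
        }
        name = poolBuf;
    }
    RtlCopyMemory( name, nameInfo->Name.Buffer, nameBytes );
    name[ nameBytes / sizeof( WCHAR ) ] = L'\0';

    /* Lower-case the private copy only; nameInfo itself is left untouched. */
    _wcslwr( name );
    if( NULL != wcsstr( name, L"abc.txt" ) )
    {
        DbgPrint("[MiniFilter][IRP_MJ_NETWORK_QUERY_OPEN]%wZ", &nameInfo->Name);
        data->IoStatus.Status = STATUS_ACCESS_DENIED;
        data->IoStatus.Information = FILE_DOES_NOT_EXIST;
        /* NOTE(review): FLT_PREOP_DISALLOW_FASTIO asks the filter manager to
         * fail the fast-I/O attempt so the I/O manager retries through the
         * regular IRP path; the IoStatus values set above are presumably not
         * what the caller observes — confirm against the FltMgr docs. */
        result = FLT_PREOP_DISALLOW_FASTIO;
    }

    /* Single exit: release the pool copy (if any) and the name information
     * on every path that reached here. */
    if( NULL != poolBuf )
    {
        ExFreePoolWithTag( poolBuf, 'mNpS' );
    }
    FltReleaseFileNameInformation( nameInfo );
    return result;
}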
驱动层应该怎么处理，才能让 _access 函数返回 -1？
gstring::tip("%d",aa);
如果文件存在，返回值是 0；不存在则返回 -1。
驱动层控制这些文件的访问：
const FLT_OPERATION_REGISTRATION Callbacks[] =
{
    /* Only the fast-I/O "network query open" path is intercepted; the
     * table ends with the IRP_MJ_OPERATION_END sentinel entry. */
    {
        .MajorFunction = IRP_MJ_NETWORK_QUERY_OPEN,
        .Flags         = 0,
        .PreOperation  = SimRepPreCreate,
        .PostOperation = SimRepPostCreate
    },
    { .MajorFunction = IRP_MJ_OPERATION_END }
};
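FLT_PREOP_CALLBACK_STATUS
SimRepPreCreate (
    __inout PFLT_CALLBACK_DATA data,
    __in PCFLT_RELATED_OBJECTS FltObjects,
    __out PVOID *CompletionContext
    )
/*
 * Pre-operation callback registered for IRP_MJ_NETWORK_QUERY_OPEN.
 *
 * Obtains the normalized name of the target file, lower-cases a private
 * copy of it and looks for the substring "abc.txt".  On a match the I/O
 * status block is set to STATUS_ACCESS_DENIED / FILE_DOES_NOT_EXIST and
 * FLT_PREOP_DISALLOW_FASTIO is returned.  In every other case (no match,
 * name lookup failure, pool exhaustion) the operation is passed through
 * with FLT_PREOP_SUCCESS_NO_CALLBACK.
 *
 * data               - callback data; IoStatus is written only on a match.
 * FltObjects         - unused.
 * CompletionContext  - unused; no post-operation context is produced.
 *
 * Must run at PASSIVE_LEVEL (PAGED_CODE).
 */
{
    PFLT_FILE_NAME_INFORMATION nameInfo = NULL;
    WCHAR stackBuf[ 512 ];
    WCHAR *poolBuf = NULL;
    WCHAR *name = stackBuf;
    SIZE_T nameBytes = 0;
    FLT_PREOP_CALLBACK_STATUS result = FLT_PREOP_SUCCESS_NO_CALLBACK;

    UNREFERENCED_PARAMETER( FltObjects );
    UNREFERENCED_PARAMETER( CompletionContext );
    PAGED_CODE();

    if( !NT_SUCCESS( FltGetFileNameInformation( data, FLT_FILE_NAME_NORMALIZED | FLT_FILE_NAME_QUERY_DEFAULT, &nameInfo ) ) )
    {
        return FLT_PREOP_SUCCESS_NO_CALLBACK;
    }
    if( !NT_SUCCESS( FltParseFileNameInformation( nameInfo ) ) )
    {
        FltReleaseFileNameInformation( nameInfo );
        return FLT_PREOP_SUCCESS_NO_CALLBACK;
    }

    /* Name.Length is the number of valid bytes.  A UNICODE_STRING is not
     * guaranteed to be NUL-terminated, so the copy reserves one extra WCHAR
     * and terminates explicitly before wcsstr() walks it. */
    nameBytes = nameInfo->Name.Length;
    if( nameBytes + sizeof( WCHAR ) > sizeof( stackBuf ) )
    {
        poolBuf = ExAllocatePoolWithTag( NonPagedPool, nameBytes + sizeof( WCHAR ), 'mNpS' );
        if( NULL == poolBuf )
        {
            /* Out of pool: pass the operation through instead of dereferencing NULL. */
            FltReleaseFileNameInformation( nameInfo );
            return FLT_PREOP_SUCCESS_NO_CALLBACK;
        }
        name = poolBuf;
    }
    RtlCopyMemory( name, nameInfo->Name.Buffer, nameBytes );
    name[ nameBytes / sizeof( WCHAR ) ] = L'\0';

    /* Lower-case the private copy only; nameInfo itself is left untouched. */
    _wcslwr( name );
    if( NULL != wcsstr( name, L"abc.txt" ) )
    {
        DbgPrint("[MiniFilter][IRP_MJ_NETWORK_QUERY_OPEN]%wZ", &nameInfo->Name);
        data->IoStatus.Status = STATUS_ACCESS_DENIED;
        data->IoStatus.Information = FILE_DOES_NOT_EXIST;
        /* NOTE(review): FLT_PREOP_DISALLOW_FASTIO asks the filter manager to
         * fail the fast-I/O attempt so the I/O manager retries through the
         * regular IRP path; the IoStatus values set above are presumably not
         * what the caller observes — confirm against the FltMgr docs. */
        result = FLT_PREOP_DISALLOW_FASTIO;
    }

    /* Single exit: release the pool copy (if any) and the name information
     * on every path that reached here. */
    if( NULL != poolBuf )
    {
        ExFreePoolWithTag( poolBuf, 'mNpS' );
    }
    FltReleaseFileNameInformation( nameInfo );
    return result;
}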
驱动层应该怎么处理，才能让 _access 函数返回 -1？