对于开启了TypeInfo.SupportsObjectCallbacks属性的驱动来说自然就支持文件路径转换,当系统中有文件被加载则自动执行LySharkFileObjectpreCall回调事件,过滤掉无效路径后即可直接输出,完整代码如下所示;
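// Attribution: right to sign one's name on a piece of work
// PowerBy: LyShark
// Email: me@lyshark.com

#include "lyshark.h"

// Registration handle returned by ObRegisterCallbacks(); released in UnDriver().
PVOID obHandle;
DRIVER_INITIALIZE DriverEntry;

// File-object pre-operation callback.
//
// Invoked for every handle create/duplicate on an IoFileObjectType object
// (see the OB_OPERATION_REGISTRATION set up in DriverEntry). Logs the
// requesting PID and the DOS-style path of the file. This version only
// observes; it never touches the requested access and always returns
// OB_PREOP_SUCCESS.
//
// RegistrationContext: unused (NULL is passed at registration).
// OperationInformation: supplied by the object manager; Object is the
//                       PFILE_OBJECT being opened.
OB_PREOP_CALLBACK_STATUS LySharkFileObjectpreCall(PVOID RegistrationContext, POB_PRE_OPERATION_INFORMATION OperationInformation)
{
	// Names the I/O manager reports for objects that are not volume-relative
	// paths; these are skipped instead of being resolved to a DOS name.
	// Kept as UNICODE_STRINGs so the comparison is bounded by FileName.Length:
	// FILE_OBJECT.FileName.Buffer is not guaranteed to be NUL-terminated, so
	// wide C-string functions (_wcsicmp/wcsstr) can read past the buffer.
	static const UNICODE_STRING skipNames[] = {
		RTL_CONSTANT_STRING(L"\\Endpoint"),
		RTL_CONSTANT_STRING(L"?"),
		RTL_CONSTANT_STRING(L"\\.\\."),
		RTL_CONSTANT_STRING(L"\\"),
	};
	UNICODE_STRING DosName = { 0 };
	PFILE_OBJECT fileo = (PFILE_OBJECT)OperationInformation->Object;
	HANDLE CurrentProcessId = PsGetCurrentProcessId();
	NTSTATUS status;
	SIZE_T i;

	UNREFERENCED_PARAMETER(RegistrationContext);

	if (OperationInformation->ObjectType != *IoFileObjectType)
	{
		return OB_PREOP_SUCCESS;
	}

	// Skip file objects without a usable name or device (e.g. not yet
	// attached, or opened in a way that leaves FileName empty).
	// NOTE(review): MmIsAddressValid only reports that the page is resident at
	// this instant; it is a best-effort sanity check, not a validity guarantee.
	if (fileo->FileName.Buffer == NULL ||
		fileo->FileName.Length == 0 ||
		!MmIsAddressValid(fileo->FileName.Buffer) ||
		fileo->DeviceObject == NULL ||
		!MmIsAddressValid(fileo->DeviceObject))
	{
		return OB_PREOP_SUCCESS;
	}

	// Skip placeholder names (case-insensitive, exact match).
	for (i = 0; i < sizeof(skipNames) / sizeof(skipNames[0]); i++)
	{
		if (RtlEqualUnicodeString(&fileo->FileName, &skipNames[i], TRUE))
		{
			return OB_PREOP_SUCCESS;
		}
	}

	// Resolve the device object to a DOS volume name ("C:" etc.).
	// On success the routine allocates DosName.Buffer from pool and the caller
	// owns it: it must be freed with ExFreePool, otherwise every handle open
	// leaks a pool allocation. On failure DosName is left untouched and must
	// not be printed.
	status = RtlVolumeDeviceToDosName(fileo->DeviceObject, &DosName);
	if (!NT_SUCCESS(status))
	{
		return OB_PREOP_SUCCESS;
	}

	// HANDLE is pointer-sized; narrow it explicitly so the %lu specifier
	// matches the argument (the original passed a 64-bit value to %ld).
	DbgPrint("[LyShark] 进程PID = %lu | 文件路径 = %wZ%wZ \n", (ULONG)(ULONG_PTR)CurrentProcessId, &DosName, &fileo->FileName);

	ExFreePool(DosName.Buffer);

	return OB_PREOP_SUCCESS;
}

// Force SupportsObjectCallbacks on an object type so that ObRegisterCallbacks
// accepts registrations for it.
//
// PMY_OBJECT_TYPE comes from lyshark.h and mirrors the undocumented OBJECT_TYPE
// layout, so the write is tied to the Windows build that layout was taken
// from. It modifies a system-wide kernel structure in place and is never
// reverted on unload; a wrong offset corrupts the object type rather than
// failing cleanly.
VOID EnableObType(POBJECT_TYPE ObjectType)
{
	PMY_OBJECT_TYPE myobtype = (PMY_OBJECT_TYPE)ObjectType;
	myobtype->TypeInfo.SupportsObjectCallbacks = 1;
}

// Driver unload: drop the object callback registration.
VOID UnDriver(PDRIVER_OBJECT driver)
{
	UNREFERENCED_PARAMETER(driver);

	// DriverUnload is only installed once registration succeeded, but guard
	// anyway so an unload after a failed registration is harmless.
	if (obHandle != NULL)
	{
		ObUnRegisterCallbacks(obHandle);
		obHandle = NULL;
	}
}

// Driver entry point: enables callbacks on IoFileObjectType and registers
// LySharkFileObjectpreCall for handle create/duplicate operations.
//
// Returns STATUS_SUCCESS, or the NTSTATUS from ObRegisterCallbacks on failure.
NTSTATUS DriverEntry(IN PDRIVER_OBJECT Driver, PUNICODE_STRING RegistryPath)
{
	NTSTATUS status = STATUS_SUCCESS;
	PLDR_DATA ldr;
	OB_CALLBACK_REGISTRATION obRegFileCallBack;
	OB_OPERATION_REGISTRATION opRegFileCallBack;

	UNREFERENCED_PARAMETER(RegistryPath);

	DbgPrint("hello lyshark.com \n");

	// enable IoFileObjectType
	EnableObType(*IoFileObjectType);

	// bypass MmVerifyCallbackFunction
	// Sets a flag on the driver's own loader entry (PLDR_DATA is an
	// undocumented layout from lyshark.h) so the object manager accepts the
	// callback registration. The meaning of bit 0x20 is fixed by that struct
	// definition — confirm against lyshark.h; this is version-specific and is
	// not undone on unload.
	ldr = (PLDR_DATA)Driver->DriverSection;
	ldr->Flags |= 0x20;

	// Callback registration: one operation entry, pre-operation only.
	memset(&obRegFileCallBack, 0, sizeof(obRegFileCallBack));
	obRegFileCallBack.Version = ObGetFilterVersion();
	obRegFileCallBack.OperationRegistrationCount = 1;
	obRegFileCallBack.RegistrationContext = NULL;
	RtlInitUnicodeString(&obRegFileCallBack.Altitude, L"321000");
	obRegFileCallBack.OperationRegistration = &opRegFileCallBack;

	memset(&opRegFileCallBack, 0, sizeof(opRegFileCallBack));
	opRegFileCallBack.ObjectType = IoFileObjectType;
	opRegFileCallBack.Operations = OB_OPERATION_HANDLE_CREATE | OB_OPERATION_HANDLE_DUPLICATE;
	opRegFileCallBack.PreOperation = (POB_PRE_OPERATION_CALLBACK)&LySharkFileObjectpreCall;

	status = ObRegisterCallbacks(&obRegFileCallBack, &obHandle);
	if (!NT_SUCCESS(status))
	{
		// Return the real NTSTATUS instead of flattening it to
		// STATUS_UNSUCCESSFUL; the loader only needs "not success" and the
		// actual code is what you want when debugging the registration.
		DbgPrint("注册回调错误 \n");
		return status;
	}

	Driver->DriverUnload = &UnDriver;
	return status;
}
运行这个驱动程序,当系统中有新文件被加载时则自动输出该文件所属进程PID以及该文件的详细路径 。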

文章插图
至于如何阻止打开一个文件其实与
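《驱动开发:内核注册并监控对象回调》文章中使用的方法是一致的,首先判断OperationInformation->Operation是不是OB_OPERATION_HANDLE_CREATE或OB_OPERATION_HANDLE_DUPLICATE如果是,则直接设置Parameters->CreateHandleInformation.DesiredAccess为0直接拒绝加载 。
// ASCII-only case fold: maps 'a'..'z' to 'A'..'Z', leaves everything else as is.
// Sufficient here because the only needle searched for is plain ASCII.
static WCHAR LyFoldAsciiUpper(WCHAR c)
{
	return (c >= L'a' && c <= L'z') ? (WCHAR)(c - (L'a' - L'A')) : c;
}

// Case-insensitive substring test over a UNICODE_STRING, bounded by Length.
//
// Name:   not modified; only Name->Length / sizeof(WCHAR) characters are read.
// Needle: NUL-terminated ASCII pattern.
// Returns TRUE if Needle occurs in Name (an empty Needle matches, as wcsstr does).
static BOOLEAN LyNameContainsAsciiNoCase(PCUNICODE_STRING Name, PCWSTR Needle)
{
	SIZE_T nameLen = Name->Length / sizeof(WCHAR);
	SIZE_T needleLen = 0;
	SIZE_T start, k;

	while (Needle[needleLen] != L'\0')
	{
		needleLen++;
	}
	if (needleLen == 0)
	{
		return TRUE;
	}
	if (needleLen > nameLen)
	{
		return FALSE;
	}

	for (start = 0; start + needleLen <= nameLen; start++)
	{
		for (k = 0; k < needleLen; k++)
		{
			if (LyFoldAsciiUpper(Name->Buffer[start + k]) != LyFoldAsciiUpper(Needle[k]))
			{
				break;
			}
		}
		if (k == needleLen)
		{
			return TRUE;
		}
	}
	return FALSE;
}

// File-object pre-operation callback (blocking variant).
//
// Denies handle creation/duplication for any file whose name contains
// "lyshark_com.txt" by stripping all requested access rights; every other
// request is left untouched. Always returns OB_PREOP_SUCCESS — a pre-op
// callback cannot fail the operation, it can only reduce DesiredAccess.
//
// RegistrationContext: unused.
// OperationInformation: supplied by the object manager; Object is the
//                       PFILE_OBJECT being opened.
OB_PREOP_CALLBACK_STATUS LySharkFileObjectpreCall(PVOID RegistrationContext, POB_PRE_OPERATION_INFORMATION OperationInformation)
{
	// Placeholder names that are not volume-relative paths; compared by
	// Length via RtlEqualUnicodeString because FileName.Buffer is not
	// guaranteed to be NUL-terminated (so _wcsicmp/wcsstr may over-read).
	static const UNICODE_STRING skipNames[] = {
		RTL_CONSTANT_STRING(L"\\Endpoint"),
		RTL_CONSTANT_STRING(L"?"),
		RTL_CONSTANT_STRING(L"\\.\\."),
		RTL_CONSTANT_STRING(L"\\"),
	};
	PFILE_OBJECT fileo = (PFILE_OBJECT)OperationInformation->Object;
	SIZE_T i;

	UNREFERENCED_PARAMETER(RegistrationContext);

	if (OperationInformation->ObjectType != *IoFileObjectType)
	{
		return OB_PREOP_SUCCESS;
	}

	// Skip file objects without a usable name or device.
	// NOTE(review): MmIsAddressValid only says the page is resident right
	// now; treat it as a best-effort check, not a validity guarantee.
	if (fileo->FileName.Buffer == NULL ||
		fileo->FileName.Length == 0 ||
		!MmIsAddressValid(fileo->FileName.Buffer) ||
		fileo->DeviceObject == NULL ||
		!MmIsAddressValid(fileo->DeviceObject))
	{
		return OB_PREOP_SUCCESS;
	}

	// Skip placeholder names (case-insensitive, exact match).
	for (i = 0; i < sizeof(skipNames) / sizeof(skipNames[0]); i++)
	{
		if (RtlEqualUnicodeString(&fileo->FileName, &skipNames[i], TRUE))
		{
			return OB_PREOP_SUCCESS;
		}
	}

	// Block opens of lyshark_com.txt.
	// The match is a bounded, read-only scan of FileName. The previous
	// wcsstr(_wcslwr(FileName.Buffer), ...) rewrote the I/O manager's name
	// buffer in place (the file object is owned by the system, not by this
	// driver) and assumed NUL termination, which FileName does not guarantee.
	if (LyNameContainsAsciiNoCase(&fileo->FileName, L"lyshark_com.txt"))
	{
		// A pre-op callback may only remove access rights; zero denies the
		// open outright.
		// NOTE(review): this also applies to kernel-originated requests
		// (OperationInformation->KernelHandle) — confirm that is intended.
		if (OperationInformation->Operation == OB_OPERATION_HANDLE_CREATE)
		{
			OperationInformation->Parameters->CreateHandleInformation.DesiredAccess = 0;
		}
		if (OperationInformation->Operation == OB_OPERATION_HANDLE_DUPLICATE)
		{
			OperationInformation->Parameters->DuplicateHandleInformation.DesiredAccess = 0;
		}
		DbgPrint("[LyShark] 已拦截 lyshark_com 文件打开 \n");
	}

	return OB_PREOP_SUCCESS;
}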
		  	