NTSTATUS DriverEntry(PDRIVER_OBJECT DriverObject, PUNICODE_STRING RegistryPath) { DBG_PRINT("SecretStash!DriverEntry: Entered\n"); secretStashConfig.RegDataLoaded = FALSE; NTSTATUS status = STATUS_SUCCESS; try { LeaveOnFail(FltRegisterFilter(DriverObject, &FilterRegistration, &secretStashConfig.Filter)); // Register with FltMgr to tell it our callback routines LeaveOnFail(GetRegistryConfigData(RegistryPath)); LeaveOnFail(CreateCommunicationPort()); LeaveOnFail(FltStartFiltering(secretStashConfig.Filter)); } finally { if (!NT_SUCCESS(status)) { if (secretStashConfig.ComPortConfig.ServerPort != NULL) FltCloseCommunicationPort(secretStashConfig.ComPortConfig.ServerPort); if (secretStashConfig.Filter != NULL) FltUnregisterFilter(secretStashConfig.Filter); } } return status; }
/************************************************************************* MiniFilter initialization and unload routines. *************************************************************************/ NTSTATUS DriverEntry ( __in PDRIVER_OBJECT DriverObject, __in PUNICODE_STRING RegistryPath ) { NTSTATUS status; UNREFERENCED_PARAMETER( RegistryPath ); PT_DBG_PRINT( PTDBG_TRACE_ROUTINES, ("minifilter0!DriverEntry: Entered\n") ); // // Register with FltMgr to tell it our callback routines // status = FltRegisterFilter( DriverObject, &FilterRegistration, &gFilterHandle ); ASSERT( NT_SUCCESS( status ) ); if (NT_SUCCESS( status )) { // // Start filtering i/o // status = FltStartFiltering( gFilterHandle ); if (!NT_SUCCESS( status )) FltUnregisterFilter( gFilterHandle ); } return status; }
NTSTATUS DriverEntry ( __in PDRIVER_OBJECT DriverObject, __in PUNICODE_STRING RegistryPath ) /*++ Routine Description: This is the initialization routine for this miniFilter driver. This registers with FltMgr and initializes all global data structures. Arguments: DriverObject - Pointer to driver object created by the system to represent this driver. RegistryPath - Unicode string identifying where the parameters for this driver are located in the registry. Return Value: Returns STATUS_SUCCESS. --*/ { NTSTATUS status; UNREFERENCED_PARAMETER( RegistryPath ); PT_DBG_PRINT( PTDBG_TRACE_ROUTINES, ("PassThrough!DriverEntry: Entered\n") ); // // Register with FltMgr to tell it our callback routines // status = FltRegisterFilter( DriverObject, &FilterRegistration, &gFilterHandle ); ASSERT( NT_SUCCESS( status ) ); if (NT_SUCCESS( status )) { // // Start filtering i/o // status = FltStartFiltering( gFilterHandle ); if (!NT_SUCCESS( status )) { FltUnregisterFilter( gFilterHandle ); } } return status; }
__checkReturn NTSTATUS FileMgrStart ( ) { NTSTATUS status = FltStartFiltering( gFileMgr.m_FileFilter ); return status; }
NTSTATUS DriverEntry ( _In_ PDRIVER_OBJECT DriverObject, _In_ PUNICODE_STRING RegistryPath ) /*++ Routine Description: This is the initialization routine for this miniFilter driver. This registers the miniFilter with FltMgr and initializes all its global data structures. Arguments: DriverObject - Pointer to driver object created by the system to represent this driver. RegistryPath - Unicode string identifying where the parameters for this driver are located in the registry. Return Value: Returns STATUS_SUCCESS. --*/ { NTSTATUS status; UNREFERENCED_PARAMETER( RegistryPath ); // // Register with FltMgr // status = FltRegisterFilter( DriverObject, &FilterRegistration, &NullFilterData.FilterHandle ); FLT_ASSERT( NT_SUCCESS( status ) ); if (NT_SUCCESS( status )) { // // Start filtering i/o // status = FltStartFiltering( NullFilterData.FilterHandle ); if (!NT_SUCCESS( status )) { FltUnregisterFilter( NullFilterData.FilterHandle ); } } return status; }
NTSTATUS DriverEntry(PDRIVER_OBJECT driver, PUNICODE_STRING str) { UNREFERENCED_PARAMETER(driver); UNREFERENCED_PARAMETER(str); NTSTATUS sta; driver->DriverUnload = unload; CONST FLT_OPERATION_REGISTRATION Callbacks[] = { { IRP_MJ_CREATE, 0, precreate, postcreate }, { IRP_MJ_OPERATION_END } }; FLT_REGISTRATION fr; fr.Size = sizeof(FLT_REGISTRATION); fr.ContextRegistration = 0; fr.FilterUnloadCallback = fltunload; fr.Flags = 0; fr.GenerateFileNameCallback = 0; fr.InstanceQueryTeardownCallback = 0; fr.InstanceSetupCallback = 0; fr.InstanceTeardownCompleteCallback = 0; fr.InstanceTeardownStartCallback = 0; fr.NormalizeContextCleanupCallback = 0; fr.NormalizeNameComponentCallback = 0; fr.NormalizeNameComponentExCallback = 0; fr.OperationRegistration = Callbacks; fr.SectionNotificationCallback = 0; fr.TransactionNotificationCallback = 0; fr.Version = FLT_REGISTRATION_VERSION; sta = FltRegisterFilter(driver, &fr, &pf); DbgPrint("0x%x\n", sta); if (NT_SUCCESS(sta)) { DbgPrint("MINI驱动\t create by:zlz 五邑大学\n"); DbgPrint("MINI驱动初始化成功,开始过滤\n"); FltStartFiltering(pf); } return STATUS_SUCCESS; }
VOID FltFilterInstall( DRIVER_OBJECT* DriverObject ) { NTSTATUS status; FLT_REGISTRATION FilterRegistration; FLT_CONTEXT_REGISTRATION ContextReg[]= { {FLT_CONTEXT_END} }; FLT_OPERATION_REGISTRATION OperationReg[]= { {IRP_MJ_CREATE, 0, FilterPreCreate, NULL, NULL}, {IRP_MJ_OPERATION_END} }; DbgPrint("[PUSH] => (PushFilterInstall)"); memset(&FilterRegistration,0,sizeof(FilterRegistration)); FilterRegistration.Size=sizeof(FilterRegistration); FilterRegistration.Version=FLT_REGISTRATION_VERSION; FilterRegistration.Flags=0; //we do not use any contexts yet FilterRegistration.ContextRegistration=ContextReg; FilterRegistration.OperationRegistration=OperationReg; FilterRegistration.FilterUnloadCallback = FilterUnload; status = FltRegisterFilter( DriverObject, &FilterRegistration, &FltFilterData ); if (NT_SUCCESS(status)) { FltStartFiltering(FltFilterData); FltInitialized = TRUE; } DbgPrint("[PUSH] <= (PushFilterInstall)"); }
NTSTATUS DriverEntry(PDRIVER_OBJECT DriverObject, PUNICODE_STRING RegistryPath) { NTSTATUS ntStatus = STATUS_SUCCESS; ntStatus = FltRegisterFilter(DriverObject, &FilterRegistration, &FilterHandle); ASSERT(NT_SUCCESS(ntStatus)); if (NT_SUCCESS(ntStatus)) { ntStatus = FltStartFiltering(FilterHandle); if (!NT_SUCCESS(ntStatus)) { FltUnregisterFilter(FilterHandle); } } return ntStatus; }
NTSTATUS FilemonEntry(PDRIVER_OBJECT pDriverObject, PUNICODE_STRING pRegistryPath) { NTSTATUS status; FltData.Filter = NULL; status = FltRegisterFilter(pDriverObject, &FilterRegistration, &FltData.Filter); if(!NT_SUCCESS(status)) return status; status = FltStartFiltering(FltData.Filter); if(!NT_SUCCESS(status)) { FltUnregisterFilter(FltData.Filter); return status; } // 初始 KeInitializeSpinLock(&FltData.spinkLock); InitializeListHead(&FltData.listGuard); return STATUS_SUCCESS; }
//--------------------------------------------------------------- extern "C" NTSTATUS DriverEntry(IN PDRIVER_OBJECT pDriverObject,IN PUNICODE_STRING pRegistryPath) { NTSTATUS tRetStatus; PEPROCESS tCurProcess = PsGetCurrentProcess(); if(0 == tCurProcess) return 0; for(int i=0; i<3*PAGE_SIZE; i++) { if(0 == _strnicmp("System", (char*)tCurProcess + i, strlen("System"))) { ProcessNameOffset = i; break; } } if(0 == ProcessNameOffset) { return STATUS_UNSUCCESSFUL; } tRetStatus = FltRegisterFilter(pDriverObject, &g_FltRegistration, &g_FltFilterHandle); if(false == NT_SUCCESS(tRetStatus)) { Debug("FltRegisterFilter failed"); return STATUS_UNSUCCESSFUL; } tRetStatus = FltStartFiltering(g_FltFilterHandle); if(false == NT_SUCCESS(tRetStatus)) { Debug("FltStartFiltering failed"); FltUnregisterFilter(g_FltFilterHandle); return STATUS_UNSUCCESSFUL; } return STATUS_SUCCESS; }
NTSTATUS DriverEntry(_In_ PDRIVER_OBJECT DriverObject, _In_ PUNICODE_STRING RegistryPath) { NTSTATUS status; UNREFERENCED_PARAMETER(RegistryPath); KdPrint(("Passthrough!DriverEntry: entered\n")); status = FltRegisterFilter(DriverObject, &FilterRegistration, &gFilterHandle); FLT_ASSERT(NT_SUCCESS(status)); if (NT_SUCCESS(status)) { status = FltStartFiltering(gFilterHandle); if (!NT_SUCCESS(status)) { FltUnregisterFilter(gFilterHandle); } KdPrint(("Passthrough!DriverEntry: start mini filter \n")); } return status; }
NTSTATUS DriverEntry ( _In_ PDRIVER_OBJECT DriverObject, _In_ PUNICODE_STRING RegistryPath ) /*++ Routine Description: This routine is called when a driver first loads. Its purpose is to initialize global state and then register with FltMgr to start filtering. Arguments: DriverObject - Pointer to driver object created by the system to represent this driver. RegistryPath - Unicode string identifying where the parameters for this driver are located in the registry. Return Value: Status of the operation. --*/ { PSECURITY_DESCRIPTOR sd; OBJECT_ATTRIBUTES oa; UNICODE_STRING uniString; NTSTATUS status = STATUS_SUCCESS; try { // // Initialize global data structures. // MiniSpyData.LogSequenceNumber = 0; MiniSpyData.MaxRecordsToAllocate = DEFAULT_MAX_RECORDS_TO_ALLOCATE; MiniSpyData.RecordsAllocated = 0; MiniSpyData.NameQueryMethod = DEFAULT_NAME_QUERY_METHOD; MiniSpyData.DriverObject = DriverObject; InitializeListHead( &MiniSpyData.OutputBufferList ); KeInitializeSpinLock( &MiniSpyData.OutputBufferLock ); ExInitializeNPagedLookasideList( &MiniSpyData.FreeBufferList, NULL, NULL, 0, RECORD_SIZE, SPY_TAG, 0 ); #if MINISPY_VISTA // // Dynamically import FilterMgr APIs for transaction support // #pragma warning(push) #pragma warning(disable:4055) // type cast from data pointer to function pointer MiniSpyData.PFltSetTransactionContext = (PFLT_SET_TRANSACTION_CONTEXT) FltGetRoutineAddress( "FltSetTransactionContext" ); MiniSpyData.PFltGetTransactionContext = (PFLT_GET_TRANSACTION_CONTEXT) FltGetRoutineAddress( "FltGetTransactionContext" ); MiniSpyData.PFltEnlistInTransaction = (PFLT_ENLIST_IN_TRANSACTION) FltGetRoutineAddress( "FltEnlistInTransaction" ); #pragma warning(pop) #endif // // Read the custom parameters for MiniSpy from the registry // SpyReadDriverParameters(RegistryPath); // // Now that our global configuration is complete, register with FltMgr. // status = FltRegisterFilter( DriverObject, &FilterRegistration, &MiniSpyData.Filter ); if (!NT_SUCCESS( status )) { leave; } status = FltBuildDefaultSecurityDescriptor( &sd, FLT_PORT_ALL_ACCESS ); if (!NT_SUCCESS( status )) { leave; } RtlInitUnicodeString( &uniString, MINISPY_PORT_NAME ); InitializeObjectAttributes( &oa, &uniString, OBJ_KERNEL_HANDLE | OBJ_CASE_INSENSITIVE, NULL, sd ); status = FltCreateCommunicationPort( MiniSpyData.Filter, &MiniSpyData.ServerPort, &oa, NULL, SpyConnect, SpyDisconnect, SpyMessage, 1 ); FltFreeSecurityDescriptor( sd ); if (!NT_SUCCESS( status )) { leave; } // // We are now ready to start filtering // status = FltStartFiltering( MiniSpyData.Filter ); //If all went ok, register a process creation notification cb. if (NT_SUCCESS(status)) { status = PsSetCreateProcessNotifyRoutine(ProcessCreationCB, FALSE); } //If all went ok, register also a register filter. if (NT_SUCCESS(status)) { status = CmRegisterCallback(RegistryCallback, NULL, &g_CmCookie); } } finally { if (!NT_SUCCESS( status ) ) { if (NULL != MiniSpyData.ServerPort) { FltCloseCommunicationPort( MiniSpyData.ServerPort ); } if (NULL != MiniSpyData.Filter) { FltUnregisterFilter( MiniSpyData.Filter ); } ExDeleteNPagedLookasideList( &MiniSpyData.FreeBufferList ); } } return status; }
EXTERN_C NTSTATUS DriverEntry(_In_ PDRIVER_OBJECT DriverObject, _In_ PUNICODE_STRING RegistryPath) { const FLT_OPERATION_REGISTRATION fltCallbacks[] = { { IRP_MJ_CLEANUP, FLTFL_OPERATION_REGISTRATION_SKIP_PAGING_IO, nullptr, ScvnpPostCleanupAndFlushBuffers, }, { IRP_MJ_FLUSH_BUFFERS, FLTFL_OPERATION_REGISTRATION_SKIP_PAGING_IO, nullptr, ScvnpPostCleanupAndFlushBuffers, }, {IRP_MJ_SET_INFORMATION, FLTFL_OPERATION_REGISTRATION_SKIP_PAGING_IO, ScvnpPreSetInformation, nullptr}, {IRP_MJ_OPERATION_END}}; const FLT_REGISTRATION filterRegistration = { sizeof(filterRegistration), // Size FLT_REGISTRATION_VERSION, // Version 0, // Flags nullptr, // Context fltCallbacks, // Operation callbacks ScvnpUnload, // FilterUnload nullptr, // InstanceSetup nullptr, // InstanceQueryTeardown nullptr, // InstanceTeardownStart nullptr, // InstanceTeardownComplete nullptr, // GenerateFileName nullptr, // GenerateDestinationFileName nullptr, // NormalizeNameComponent }; PAGED_CODE(); UNREFERENCED_PARAMETER(RegistryPath); // DBG_BREAK(); auto status = ScvnpCreateDirectory(SCVNP_OUT_DIRECTORY_PATH); if (!NT_SUCCESS(status)) { return status; } // Initialize the Log system status = LogInitialization( SCVNP_LOG_LEVEL | LOG_OPT_DISABLE_TIME | LOG_OPT_DISABLE_FUNCTION_NAME, SCVNP_LOG_FILE_PATH, nullptr); if (!NT_SUCCESS(status)) { return status; } // Initialize the crypt APIs. status = BCryptOpenAlgorithmProvider(&g_ScvnpSha1AlgorithmHandle, BCRYPT_SHA1_ALGORITHM, nullptr, 0); if (!NT_SUCCESS(status)) { LOG_ERROR("BCryptOpenAlgorithmProvider failed (%08x)", status); LogTermination(nullptr); return status; } // Register and start a mini filter driver status = FltRegisterFilter(DriverObject, &filterRegistration, &g_ScvnpFilterHandle); if (!NT_SUCCESS(status)) { LOG_ERROR("FltRegisterFilter failed (%08x)", status); BCryptCloseAlgorithmProvider(g_ScvnpSha1AlgorithmHandle, 0); LogTermination(nullptr); return status; } status = FltStartFiltering(g_ScvnpFilterHandle); if (!NT_SUCCESS(status)) { LOG_ERROR("FltStartFiltering failed (%08x)", status); FltUnregisterFilter(g_ScvnpFilterHandle); BCryptCloseAlgorithmProvider(g_ScvnpSha1AlgorithmHandle, 0); LogTermination(nullptr); return status; } LOG_INFO("Scavenger installed"); return status; }
NTSTATUS DriverEntry( _In_ PDRIVER_OBJECT DriverObject, _In_ PUNICODE_STRING RegistryPath ) { NTSTATUS status; // // This defines what we want to filter with FltMgr // CONST FLT_REGISTRATION filterRegistration = { sizeof( FLT_REGISTRATION ), // Size FLT_REGISTRATION_VERSION, // Version 0, // Flags NULL, // Context NULL, // Operation callbacks CdoUnload, // MiniFilterUnload CdoInstanceSetup, // InstanceSetup NULL, // InstanceQueryTeardown NULL, // InstanceTeardownStart NULL, // InstanceTeardownComplete NULL,NULL // NameProvider callbacks }; RtlZeroMemory( &Globals, sizeof( Globals ) ); #if DBG // // Initialize global debug level // CdoInitializeDebugLevel( RegistryPath ); #else UNREFERENCED_PARAMETER( RegistryPath ); #endif DebugTrace( DEBUG_TRACE_LOAD_UNLOAD, ("[Cdo]: Driver being loaded\n") ); // // Initialize the resource // ExInitializeResourceLite( &Globals.Resource ); // // Record the driver object // Globals.FilterDriverObject = DriverObject; // // Register with FltMgr to tell it our callback routines // status = FltRegisterFilter( DriverObject, &filterRegistration, &Globals.Filter ); if (!NT_SUCCESS( status )) { ExDeleteResourceLite( &Globals.Resource ); return status; } // // Now create our control device object // status = CdoCreateControlDeviceObject( DriverObject ); if (!NT_SUCCESS( status )) { FltUnregisterFilter( Globals.Filter ); ExDeleteResourceLite( &Globals.Resource ); return status; } // // Start filtering i/o // status = FltStartFiltering( Globals.Filter ); if (!NT_SUCCESS( status )) { CdoDeleteControlDeviceObject(); FltUnregisterFilter( Globals.Filter ); ExDeleteResourceLite( &Globals.Resource ); return status; } return status; }
NTSTATUS DriverEntry ( __in PDRIVER_OBJECT DriverObject, __in PUNICODE_STRING RegistryPath ) /*++ Routine Description: This is the initialization routine for this miniFilter driver. This registers with FltMgr and initializes all global data structures. Arguments: DriverObject - Pointer to driver object created by the system to represent this driver. RegistryPath - Unicode string identifying where the parameters for this driver are located in the registry. Return Value: Returns STATUS_SUCCESS. --*/ { NTSTATUS status; BOOLEAN bInit = FALSE; PSECURITY_DESCRIPTOR sd; OBJECT_ATTRIBUTES oa; UNICODE_STRING uniString; UNREFERENCED_PARAMETER( RegistryPath ); PT_DBG_PRINT( PTDBG_TRACE_ROUTINES, ("PassThrough!DriverEntry: Entered\n") ); try { status = FltRegisterFilter( DriverObject, &FilterRegistration, &gFilterHandle ); if (!NT_SUCCESS( status )) { leave; } #ifdef CV VirtualizerStart(); #endif status = InitDriverEntry( DriverObject,RegistryPath); #ifdef CV VirtualizerEnd(); #endif if (!NT_SUCCESS( status )) { bInit = FALSE; leave; } bInit = TRUE; status = FltBuildDefaultSecurityDescriptor( &sd, FLT_PORT_ALL_ACCESS ); if (!NT_SUCCESS( status )) { leave; } RtlInitUnicodeString( &uniString, X70FSD_PORT_NAME ); InitializeObjectAttributes( &oa, &uniString, OBJ_KERNEL_HANDLE | OBJ_CASE_INSENSITIVE, NULL, sd ); status = FltCreateCommunicationPort( gFilterHandle, &gServerPort, &oa, NULL, PtMiniConnect, PtMiniDisconnect, PtMiniMessage, 1 ); FltFreeSecurityDescriptor( sd ); if (!NT_SUCCESS( status )) { leave; } status = FltStartFiltering( gFilterHandle ); } finally { if (!NT_SUCCESS( status ) ) { if (NULL != gServerPort) { FltCloseCommunicationPort( gServerPort); } if (NULL != gFilterHandle) { FltUnregisterFilter( gFilterHandle ); } if(bInit) { UnloadDriver(); } } } DbgPrint("status = %x ",status); return status; }
NTSTATUS DriverEntry ( __in PDRIVER_OBJECT DriverObject, __in PUNICODE_STRING RegistryPath ) { NTSTATUS status; PSECURITY_DESCRIPTOR sd; OBJECT_ATTRIBUTES oa; UNICODE_STRING uniString; //for communication port name UNREFERENCED_PARAMETER( RegistryPath ); PT_DBG_PRINT( PTDBG_TRACE_ROUTINES, ("NPminifilter!DriverEntry: Entered\n") ); // // Register with FltMgr to tell it our callback routines // status = FltRegisterFilter( DriverObject, &FilterRegistration, &gFilterHandle ); ASSERT( NT_SUCCESS( status ) ); if (NT_SUCCESS( status )) { // // Start filtering i/o // status = FltStartFiltering( gFilterHandle ); if (!NT_SUCCESS( status )) { FltUnregisterFilter( gFilterHandle ); } } //Communication Port status = FltBuildDefaultSecurityDescriptor( &sd, FLT_PORT_ALL_ACCESS ); if (!NT_SUCCESS( status )) { goto final; } status = FltBuildDefaultSecurityDescriptor( &sd, FLT_PORT_ALL_ACCESS ); if (!NT_SUCCESS( status )) { goto final; } RtlInitUnicodeString( &uniString, MINISPY_PORT_NAME ); InitializeObjectAttributes( &oa, &uniString, OBJ_KERNEL_HANDLE | OBJ_CASE_INSENSITIVE, NULL, sd ); status = FltCreateCommunicationPort( gFilterHandle, &gServerPort, &oa, NULL, NPMiniConnect, NPMiniDisconnect, NPMiniMessage, 1 ); FltFreeSecurityDescriptor( sd ); if (!NT_SUCCESS( status )) { goto final; } final :
NTSTATUS DriverEntry( _In_ PDRIVER_OBJECT DriverObject, _In_ PUNICODE_STRING RegistryPath ) /*++ Routine Description: This is the initialization routine for this miniFilter driver. This registers with FltMgr and initializes all global data structures. Arguments: DriverObject - Pointer to driver object created by the system to represent this driver. RegistryPath - Unicode string identifying where the parameters for this driver are located in the registry. Return Value: Routine can return non success error codes. --*/ { NTSTATUS status; OBJECT_ATTRIBUTES oa; PSECURITY_DESCRIPTOR sd; UNICODE_STRING uniString; //UNREFERENCED_PARAMETER(RegistryPath); PT_DBG_PRINT(PTDBG_TRACE_ROUTINES, ("claimsman!DriverEntry: Entered\n")); // // Default to NonPagedPoolNx for non paged pool allocations where supported. // ExInitializeDriverRuntime(DrvRtPoolNxOptIn); // // Obtain the extensions to monitor from the registry // status = InitializeMonitoredExtensions(RegistryPath); if (!NT_SUCCESS(status)) { status = STATUS_SUCCESS; ClaimsmanData.MonitoredExtensions = &MonitoredExtensionDefault; ClaimsmanData.MonitoredExtensionCount = 1; } // // Obtain the ignored users from the registry // status = InitializeIgnoredUsers(RegistryPath); if (!NT_SUCCESS(status)) { status = STATUS_SUCCESS; ClaimsmanData.IgnoredUsers = &MonitoredExtensionDefault; ClaimsmanData.IgnoredUserCount = 1; } // // Register with FltMgr to tell it our callback routines // status = FltRegisterFilter(DriverObject, &FilterRegistration, &ClaimsmanData.Filter); if (!NT_SUCCESS(status)) { return status; } // // Initialize communication port // RtlInitUnicodeString(&uniString, ClaimsmanPortName); // Only ADMINs & SYSTEM can access the port status = FltBuildDefaultSecurityDescriptor(&sd, FLT_PORT_ALL_ACCESS); if (NT_SUCCESS(status)) { InitializeObjectAttributes(&oa, &uniString, OBJ_CASE_INSENSITIVE | OBJ_KERNEL_HANDLE, NULL, sd); status = FltCreateCommunicationPort(ClaimsmanData.Filter, &ClaimsmanData.ServerPort, &oa, NULL, ClaimsmanConnect, ClaimsmanDisconnect, NULL, 1); // Not needed anymore FltFreeSecurityDescriptor(sd); if (!NT_SUCCESS(status)) { PT_DBG_PRINT(PTDBG_TRACE_ROUTINES, ("claimsman!DriverEntry: Unable to create communication port: %d\n", status)); } else { // // Start filtering I/O. // status = FltStartFiltering(ClaimsmanData.Filter); if (!NT_SUCCESS(status)) { FltUnregisterFilter(ClaimsmanData.Filter); FltCloseCommunicationPort(ClaimsmanData.ServerPort); } } } return status; }
NTSTATUS DriverEntry( IN PDRIVER_OBJECT DriverObject, IN PUNICODE_STRING RegistryPath ) { /* IRQL == PASSIVE_LEVEL */ UNREFERENCED_PARAMETER( DriverObject ); UNREFERENCED_PARAMETER( RegistryPath ); NTSTATUS status; DbgPrint( "file system protection filter start" ); /* initialize IRP */ InitializeIrpDispatchers( DriverObject ); /* create device */ UNICODE_STRING deviceObjectName; RtlInitUnicodeString( &deviceObjectName, L"\\device\\disklocker_fsprotdrv" ); PDEVICE_OBJECT DeviceObject; status = CreateIoDevice( deviceObjectName, DriverObject, &DeviceObject ); if (!NT_SUCCESS( status )) { DbgPrint( "CreateIoDevice() failed with code = %08x\n", status ); return status; } SetDeviceExt( DeviceObject->DeviceExtension ); /* initialize device extension */ GetDeviceExt()->DeviceObject = DeviceObject; GetDeviceExt()->DriverObject = DriverObject; GetDeviceExt()->UnloadRoutine = OnUnload; GetDeviceExt()->FileListHead = NULL; GetDeviceExt()->LastUniqueKey = 1; KeInitializeSpinLock( &(GetDeviceExt()->FileListAccessSpinLock) ); /* create symlink */ RtlInitUnicodeString( &SymbolicLinkName, L"\\DosDevices\\disklocker_fsprotdrv" ); status = IoCreateSymbolicLink( &SymbolicLinkName, &deviceObjectName ); if (!NT_SUCCESS( status )) { /* delete registered device */ IoDeleteDevice( GetDeviceExt()->DeviceObject ); DbgPrint( "IoCreateSymbolicLink() failed with code = %08x\n", status ); return status; } /* register filter */ status = FltRegisterFilter( DriverObject, &FilterRegistration, &(GetDeviceExt()->FltFilter) ); if (!NT_SUCCESS( status )) { /* delete registered symbolic link */ IoDeleteSymbolicLink( &SymbolicLinkName ); /* delete registered device */ IoDeleteDevice( GetDeviceExt()->DeviceObject ); DbgPrint( "FltRegisterFilter() failed with code = %08x\n", status ); return status; } /* start filtering */ status = FltStartFiltering( GetDeviceExt()->FltFilter ); if (!NT_SUCCESS( status )) { /* delete registered symbolic link */ IoDeleteSymbolicLink( &SymbolicLinkName ); /* delete registered device */ IoDeleteDevice( GetDeviceExt()->DeviceObject ); /* unregister filter */ FltUnregisterFilter( GetDeviceExt()->FltFilter ); DbgPrint( "FltStartFiltering() failed with code = %08x\n", status ); return status; } /* initialization done */ DbgPrint( "file system filter initialization done..." ); return STATUS_SUCCESS; }
/* * =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-= ** * * * =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-= ** */ NTSTATUS DriverEntry( IN PDRIVER_OBJECT theDriverObject, IN PUNICODE_STRING theRegistryPath ) { NTSTATUS Status; PSECURITY_DESCRIPTOR SecurityDescriptor; OBJECT_ATTRIBUTES ObjectAttributes; UNICODE_STRING uPortName; // Open the registry and read in all the setting we will use in kernel mode EnumerateRegistryValues( theRegistryPath ); // DDK : "...Add itself to the global list of registered minifilters and to provide // the Filter Manager with a list of callback functions and other information // about the minifilter." Status = FltRegisterFilter( theDriverObject, &cfsd_FilterRegistration, &gFilterPointer ); if ( NT_SUCCESS( Status ) ) { #if ENABLE_USER_INTERFACE Status = FltBuildDefaultSecurityDescriptor( &SecurityDescriptor, FLT_PORT_ALL_ACCESS ); if ( NT_SUCCESS( Status ) ) { RtlInitUnicodeString( &uPortName, USER_COMMUNICATION_PORT_NAME ); InitializeObjectAttributes( &ObjectAttributes, &uPortName, OBJ_CASE_INSENSITIVE | OBJ_KERNEL_HANDLE, NULL, SecurityDescriptor ); KdPrint( (PRINT_TAG "Attempting to create Communication Port for user mode access\n") ); Status = FltCreateCommunicationPort( gFilterPointer, // Filter &gUserModeConnection.ServerPort,// *ServerPort &ObjectAttributes, // ObjectAttributes NULL, // ServerPortCookie cfsd_UserModeConnect, // ConnectNotifyCallback cfsd_UserModeDisconnect, // DisconnectNotifyCallback cfsd_UserModeCommunication, // MessageNotifyCallback 1 ); // MaxConnections FltFreeSecurityDescriptor( SecurityDescriptor ); // If we failed to create a communications port then we are going to fail the driver if ( !NT_SUCCESS( Status ) ) { KdPrint( (PRINT_TAG "Failed FltCreateCommunicationPort() with NTSTATUS 0x%x\n",Status ) ); // Release our hidden data memory ExFreePoolWithTag( gHiddenData, 'parC' ); return Status; } KdPrint( (PRINT_TAG "Created ServerPort 0x%X\n", gUserModeConnection.ServerPort ) ); } #endif // DDK : "...Notifies the Filter Manager that the minifilter is ready to // begin attaching to volumes and filtering I/O requests" Status = FltStartFiltering( gFilterPointer ); if ( !NT_SUCCESS( Status )) { #if ENABLE_USER_INTERFACE FltCloseCommunicationPort( gUserModeConnection.ServerPort ); #endif // If we failed FltStartFiltering() then we unregister ourself with the Filter Manager // so that we no longer recieve calls to process I/O operations. FltUnregisterFilter( gFilterPointer ); // Release our hidden data memory ExFreePoolWithTag( gHiddenData, 'parC' ); } } return Status; }
/*--------------------------------------------------------- 函数名称: DriverEntry 函数描述: 驱动程序入口,注册微过滤驱动,通信端口 输入参数: DriverObject 驱动对象 RegistryPath 驱动路径 输出参数: DriverObject 驱动对象 返回值: STATUS_SUCCESSFUL 为成功否则返回失败状态值 其他: 更新维护: 2011.3.20 最初版本 ---------------------------------------------------------*/ NTSTATUS DriverEntry( __inout PDRIVER_OBJECT DriverObject, __in PUNICODE_STRING RegistryPath ) { DebugTrace(DEBUG_TRACE_LOAD_UNLOAD,"DriverEntry", ("[Antinvader]DriverEntry Enter.")); //返回值 NTSTATUS status = STATUS_SUCCESS; //初始化数据返回值 BOOLEAN bReturn = 0; //安全性叙述子 PSECURITY_DESCRIPTOR psdSecurityDescriptor; //对象权限结构 OBJECT_ATTRIBUTES oaObjectAttributes; //保存全局驱动对象 pdoGlobalDrvObj = DriverObject; // //注册过滤驱动 // if(NT_SUCCESS(status = FltRegisterFilter( DriverObject,//驱动对象 &FilterRegistration,//驱动注册信息 &pfltGlobalFilterHandle//驱动句柄,保存到全局变量 ))) { // //如果成功了 启动过滤 // DebugTrace(DEBUG_TRACE_NORMAL_INFO,"DriverEntry", ("[Antinvader]Register succeed!")); if(!NT_SUCCESS(status = FltStartFiltering( pfltGlobalFilterHandle ))) { // //如果启动失败 卸载驱动 // DebugTrace(DEBUG_TRACE_ERROR,"DriverEntry", ("[Antinvader]Starting filter failed.")); FltUnregisterFilter(pfltGlobalFilterHandle); return status; } } else { // //如果连注册都没有成功 返回错误码 // DebugTrace(DEBUG_TRACE_ERROR,"DriverEntry", ("[Antinvader]Register failed.")); return status; } // //建立通信端口 // // //初始化安全性叙述子,权限为FLT_PORT_ALL_ACCESS // status = FltBuildDefaultSecurityDescriptor( &psdSecurityDescriptor, FLT_PORT_ALL_ACCESS ); if (!NT_SUCCESS( status )) { // //如果初始化失败 ,卸载驱动 // DebugTrace(DEBUG_TRACE_ERROR,"DriverEntry", ("[Antinvader]Built security descriptor failed.")); FltUnregisterFilter( pfltGlobalFilterHandle ); // //返回信息 // return status; } //初始化对象权限结构 InitializeObjectAttributes( &oaObjectAttributes,//结构 &usCommunicatePortName,//对象名称 OBJ_KERNEL_HANDLE | OBJ_CASE_INSENSITIVE,//内核句柄 大小写不敏感 NULL, psdSecurityDescriptor ); //创建通信端口 status = FltCreateCommunicationPort( pfltGlobalFilterHandle,//过滤驱动句柄 &pfpGlobalServerPort,//服务端端口 &oaObjectAttributes,//权限 NULL, Antinvader_Connect, Antinvader_Disconnect, Antinvader_Message, 1//最大连接数 ); //释放安全性叙述子 FltFreeSecurityDescriptor( psdSecurityDescriptor ); if (!NT_SUCCESS( status )) { // //如果最终的操作失败 释放已经申请的资源 // DebugTrace(DEBUG_TRACE_ERROR,"DriverEntry", ("[Antinvader]Creating communication port failed.")); if (NULL != pfpGlobalServerPort) { FltCloseCommunicationPort( pfpGlobalServerPort ); } if (NULL != pfltGlobalFilterHandle) { FltUnregisterFilter( pfltGlobalFilterHandle ); } } // //初始化进程名偏移 // InitProcessNameOffset(); // FctInitializeHashTable(); // //初始化机密进程表 // PctInitializeHashTable(); // //初始化旁视链表 // ExInitializeNPagedLookasideList( &nliNewFileHeaderLookasideList, NULL, NULL, 0, CONFIDENTIAL_FILE_HEAD_SIZE, MEM_FILE_TAG, 0 ); /* ExInitializeNPagedLookasideList( &nliCallbackContextLookasideList, NULL, NULL, 0, sizeof(_POST_CALLBACK_CONTEXT), MEM_CALLBACK_TAG, 0 ); ExInitializeNPagedLookasideList( &nliFileStreamContextLookasideList, NULL, NULL, 0, FILE_STREAM_CONTEXT_SIZE, MEM_TAG_FILE_TABLE, 0 );*/ // //结束 // DebugTrace(DEBUG_TRACE_LOAD_UNLOAD,"DriverEntry", ("[Antinvader]DriverEntry all succeed leave now.")); return status; }
NTSTATUS file_start (void) { NTSTATUS retval; const static FLT_OPERATION_REGISTRATION callbacks[] = { // {IRP_MJ_CLEANUP, 0, on_pre_op, on_post_op, NULL}, {IRP_MJ_CLOSE, 0, on_pre_op, on_post_op, NULL}, {IRP_MJ_CREATE, 0, on_pre_op, on_post_op, NULL}, {IRP_MJ_CREATE_MAILSLOT, 0, on_pre_op, on_post_op, NULL}, {IRP_MJ_CREATE_NAMED_PIPE, 0, on_pre_op, on_post_op, NULL}, // {IRP_MJ_DEVICE_CONTROL, 0, on_pre_op, on_post_op, NULL}, // {IRP_MJ_DIRECTORY_CONTROL, 0, on_pre_op, on_post_op, NULL}, // {IRP_MJ_FILE_SYSTEM_CONTROL, 0, on_pre_op, on_post_op, NULL}, // {IRP_MJ_FLUSH_BUFFERS, 0, on_pre_op, on_post_op, NULL}, // {IRP_MJ_INTERNAL_DEVICE_CONTROL, 0, on_pre_op, on_post_op, NULL}, // {IRP_MJ_LOCK_CONTROL, 0, on_pre_op, on_post_op, NULL}, // {IRP_MJ_PNP, 0, on_pre_op, on_post_op, NULL}, // {IRP_MJ_QUERY_EA, 0, on_pre_op, on_post_op, NULL}, {IRP_MJ_QUERY_INFORMATION, 0, on_pre_op, on_post_op, NULL}, // {IRP_MJ_QUERY_QUOTA, 0, on_pre_op, on_post_op, NULL}, // {IRP_MJ_QUERY_SECURITY, 0, on_pre_op, on_post_op, NULL}, // {IRP_MJ_QUERY_VOLUME_INFORMATION, 0, on_pre_op, on_post_op, NULL}, {IRP_MJ_READ, 0, on_pre_op, on_post_op, NULL}, // {IRP_MJ_SET_EA, 0, on_pre_op, on_post_op, NULL}, {IRP_MJ_SET_INFORMATION, 0, on_pre_op, on_post_op, NULL}, // {IRP_MJ_SET_QUOTA, 0, on_pre_op, on_post_op, NULL}, // {IRP_MJ_SET_SECURITY, 0, on_pre_op, on_post_op, NULL}, // {IRP_MJ_SET_VOLUME_INFORMATION, 0, on_pre_op, on_post_op, NULL}, // {IRP_MJ_SHUTDOWN, 0, on_pre_op, on_post_op, NULL}, // {IRP_MJ_SYSTEM_CONTROL, 0, on_pre_op, on_post_op, NULL}, {IRP_MJ_WRITE, 0, on_pre_op, on_post_op, NULL}, // {IRP_MJ_ACQUIRE_FOR_CC_FLUSH, 0, on_pre_op, on_post_op, NULL}, // {IRP_MJ_ACQUIRE_FOR_MOD_WRITE, 0, on_pre_op, on_post_op, NULL}, // {IRP_MJ_ACQUIRE_FOR_SECTION_SYNCHRONIZATION, 0, on_pre_op, on_post_op, NULL}, // {IRP_MJ_FAST_IO_CHECK_IF_POSSIBLE, 0, on_pre_op, on_post_op, NULL}, // {IRP_MJ_MDL_READ, 0, on_pre_op, on_post_op, NULL}, // {IRP_MJ_MDL_READ_COMPLETE, 0, on_pre_op, on_post_op, NULL}, // {IRP_MJ_MDL_WRITE_COMPLETE, 0, on_pre_op, on_post_op, NULL}, // {IRP_MJ_NETWORK_QUERY_OPEN, 0, on_pre_op, on_post_op, NULL}, // {IRP_MJ_PREPARE_MDL_WRITE, 0, on_pre_op, on_post_op, NULL}, // {IRP_MJ_RELEASE_FOR_CC_FLUSH, 0, on_pre_op, on_post_op, NULL}, // {IRP_MJ_RELEASE_FOR_MOD_WRITE, 0, on_pre_op, on_post_op, NULL}, // {IRP_MJ_RELEASE_FOR_SECTION_SYNCHRONIZATION, 0, on_pre_op, on_post_op, NULL}, // {IRP_MJ_VOLUME_DISMOUNT, 0, on_pre_op, on_post_op, NULL}, // {IRP_MJ_VOLUME_MOUNT, 0, on_pre_op, on_post_op, NULL}, {IRP_MJ_OPERATION_END} }; const static FLT_REGISTRATION reg = { sizeof(FLT_REGISTRATION), FLT_REGISTRATION_VERSION, 0, NULL, callbacks, NULL, NULL, // we don't want to be unloaded by the manager. NULL, NULL, NULL, NULL, NULL, NULL }; retval = FltRegisterFilter(driver_object, ®, &filter); if (retval != STATUS_SUCCESS) { DbgPrint("FltRegisterFilter failed: err=0x%8x\n", retval); return retval; } retval = FltStartFiltering(filter); if (retval != STATUS_SUCCESS) { DbgPrint("FltStartFiltering failed: err=0x%8x\n", retval); FltUnregisterFilter(filter); filter = NULL; return retval; } return STATUS_SUCCESS; }
NTSTATUS DriverEntry ( __in PDRIVER_OBJECT DriverObject, __in PUNICODE_STRING RegistryPath ) { OBJECT_ATTRIBUTES oa; UNICODE_STRING uniString; PSECURITY_DESCRIPTOR sd; NTSTATUS status; UNREFERENCED_PARAMETER( RegistryPath ); //Timeouts hardcoded for now FilterConf.ReadTimeout.QuadPart = (LONGLONG) - 30 * 1000 * 1000; //3 seconds FilterConf.WriteTimeout.QuadPart = (LONGLONG) - 1500 * 1000 * 1000; //150 seconds #ifdef DBG_PRINT DbgPrint("In DriverEntry"); #endif status = FltRegisterFilter( DriverObject, &FilterRegistration, &FilterConf.Filter ); if (!NT_SUCCESS( status )) { return status; } RtlInitUnicodeString( &uniString, MyDLPMFPortName ); status = FltBuildDefaultSecurityDescriptor( &sd, FLT_PORT_ALL_ACCESS ); if (NT_SUCCESS( status )) { InitializeObjectAttributes( &oa, &uniString, OBJ_CASE_INSENSITIVE | OBJ_KERNEL_HANDLE, NULL, sd ); status = FltCreateCommunicationPort( FilterConf.Filter, &FilterConf.ServerPort, &oa, NULL, MyDLPMFPortConnect, MyDLPMFPortDisconnect, NULL, 1 ); FltFreeSecurityDescriptor( sd ); if (NT_SUCCESS( status )) { writeNotification = ExAllocatePoolWithTag( NonPagedPool, sizeof( MYDLPMF_WRITE_NOTIFICATION ), 'mdlp' ); if (writeNotification == NULL) { #ifdef DBG_PRINT DbgPrint("ExAllocatePoolWithTag failed for writeNotification!!!"); #endif FltCloseCommunicationPort( FilterConf.ServerPort ); FltUnregisterFilter( FilterConf.Filter ); return status; } fileNotification = ExAllocatePoolWithTag( NonPagedPool, sizeof( MYDLPMF_FILE_NOTIFICATION ), 'mdlp' ); if (fileNotification == NULL) { #ifdef DBG_PRINT DbgPrint("ExAllocatePoolWithTag failed for fileNotification!!!"); #endif FltCloseCommunicationPort( FilterConf.ServerPort ); FltUnregisterFilter( FilterConf.Filter ); return status; } notification = ExAllocatePoolWithTag( NonPagedPool, sizeof( MYDLPMF_NOTIFICATION ), 'mdlp' ); if (notification == NULL) { #ifdef DBG_PRINT DbgPrint("ExAllocatePoolWithTag failed for notification!!!"); #endif FltCloseCommunicationPort( FilterConf.ServerPort ); FltUnregisterFilter( FilterConf.Filter ); return status; } #ifdef DBG_PRINT DbgPrint("ExAllocatePoolWithTag success for notification!!!"); #endif reply = ExAllocatePoolWithTag( NonPagedPool, sizeof( MYDLPMF_REPLY ) + sizeof (FILTER_REPLY_HEADER), 'mdlp' ); if (reply == NULL) { #ifdef DBG_PRINT DbgPrint("ExAllocatePoolWithTag failed for reply!!!"); #endif FltCloseCommunicationPort( FilterConf.ServerPort ); FltUnregisterFilter( FilterConf.Filter ); return status; } confReply = ExAllocatePoolWithTag( NonPagedPool, sizeof( MYDLPMF_CONF_REPLY ) + sizeof (FILTER_REPLY_HEADER), 'mdlp' ); if (confReply == NULL) { #ifdef DBG_PRINT DbgPrint("ExAllocatePoolWithTag failed for confReply!!!"); #endif FltCloseCommunicationPort( FilterConf.ServerPort ); FltUnregisterFilter( FilterConf.Filter ); return status; } status = FltStartFiltering( FilterConf.Filter ); if (NT_SUCCESS( status )) { return STATUS_SUCCESS; } FltCloseCommunicationPort( FilterConf.ServerPort ); } } FltUnregisterFilter( FilterConf.Filter ); return status; }
/* * DriverEntry * * Main device driver entry point (the driver equivalent of "WinMain", 'cept for * drivers). This is the first routine called: * * http://msdn.microsoft.com/en-us/library/windows/hardware/ff557309(v=vs.85).aspx * * In this specific initialization, we register with something called the * "Filter Manager"...which gives us something like an "Application Framework" * where much of the boilerplate work is taken care of for us. Except this is * a "Driver Framework", and it allows us to provide only the parts we are * interested in writing and accept most of the defaults. By stylizing our code * in this way we are creating something known as a miniFilter: * * http://msdn.microsoft.com/en-us/library/windows/hardware/ff538896(v=vs.85).aspx */ NTSTATUS DriverEntry( __in PDRIVER_OBJECT DriverObject, __in PUNICODE_STRING RegistryPath ) { OBJECT_ATTRIBUTES oa; UNICODE_STRING uniString; PSECURITY_DESCRIPTOR sd; NTSTATUS status; UNREFERENCED_PARAMETER(RegistryPath); /* Register with filter manager. */ status = FltRegisterFilter( DriverObject, &FilterRegistration, &Globals.Filter ); if (!NT_SUCCESS(status)) { return status; } /* Create a communication port. */ RtlInitUnicodeString(&uniString, LockerPortName); /* We secure the port so only ADMINs & SYSTEM can access it. */ status = FltBuildDefaultSecurityDescriptor(&sd, FLT_PORT_ALL_ACCESS); if (NT_SUCCESS(status)) { InitializeObjectAttributes( &oa, &uniString, OBJ_CASE_INSENSITIVE | OBJ_KERNEL_HANDLE, NULL, sd ); status = FltCreateCommunicationPort( Globals.Filter, &Globals.ServerPort, &oa, NULL, LockerPortConnect, LockerPortDisconnect, LockerMessage, 1 /* MaxConnections: Only accept one connection! */ ); /* * Free the security descriptor in all cases. It is not needed once * the call to FltCreateCommunicationPort() is made. */ FltFreeSecurityDescriptor(sd); if (NT_SUCCESS(status)) { /* * Start filtering I/O. This is blocking, and the minifilter * will keep running until the service is stopped, e.g. with * "SC STOP CloneLocker" at the command line or using a GUI * service manager. */ status = FltStartFiltering(Globals.Filter); if (NT_SUCCESS(status)) { return STATUS_SUCCESS; } FltCloseCommunicationPort(Globals.ServerPort); } } FltUnregisterFilter(Globals.Filter); return status; }
/* Main entry point into the driver, is called when the driver is loaded */ NTSTATUS DriverEntry( IN PDRIVER_OBJECT DriverObject, IN PUNICODE_STRING RegistryPath ) { NTSTATUS status; OBJECT_ATTRIBUTES objectAttributes; PSECURITY_DESCRIPTOR pSecurityDescriptor; UNICODE_STRING fileMonitorPortName; LARGE_INTEGER fileEventsTimeout; busy = FALSE; fileManager.bReady = FALSE; fileManager.bCollectDeletedFiles = FALSE; KeInitializeSpinLock(&fileManager.lQueuedFileEventsSpinLock); InitializeListHead(&fileManager.lQueuedFileEvents); fileManager.pDriverObject = DriverObject; //fileManager.logDirectory.Buffer = NULL; /* Register driver with the filter manager */ status = FltRegisterFilter(DriverObject, &FilterRegistration, &fileManager.pFilter); if (!NT_SUCCESS(status)) { DbgPrint("CaptureFileMonitor: ERROR FltRegisterFilter - %08x\n", status); return status; } status = FltBuildDefaultSecurityDescriptor( &pSecurityDescriptor, FLT_PORT_ALL_ACCESS ); if (!NT_SUCCESS(status)) { DbgPrint("CaptureFileMonitor: ERROR FltBuildDefaultSecurityDescriptor - %08x\n", status); return status; } RtlInitUnicodeString( &fileMonitorPortName, CAPTURE_FILEMON_PORT_NAME ); InitializeObjectAttributes( &objectAttributes, &fileMonitorPortName, OBJ_KERNEL_HANDLE | OBJ_CASE_INSENSITIVE, NULL, pSecurityDescriptor); /* Create the communications port to communicate with the user space process (pipe) */ status = FltCreateCommunicationPort( fileManager.pFilter, &fileManager.pServerPort, &objectAttributes, NULL, ConnectCallback, DisconnectCallback, MessageCallback, 1 ); FltFreeSecurityDescriptor(pSecurityDescriptor); /* Start the filtering */ if(NT_SUCCESS(status)) { status = FltStartFiltering(fileManager.pFilter); if(!NT_SUCCESS(status)) { DbgPrint("CaptureFileMonitor: ERROR FltStartFiltering - %08x\n", status); } } else { DbgPrint("CaptureFileMonitor: ERROR FltCreateCommunicationPort - %08x\n", status); } /* If there was a problem during initialisation of the filter then uninstall everything */ if(!NT_SUCCESS(status)) { if (fileManager.pServerPort != NULL) FltCloseCommunicationPort(fileManager.pServerPort); if (fileManager.pFilter != NULL) FltUnregisterFilter(fileManager.pFilter); return status; } UpdateLastContactTime(); /* Create a DPC routine so that it can be called periodically */ KeInitializeDpc(&fileManager.connectionCheckerFunction, (PKDEFERRED_ROUTINE)ConnectionChecker, &fileManager); KeInitializeTimer(&fileManager.connectionCheckerTimer); fileEventsTimeout.QuadPart = 0; /* Set the ConnectionChecker routine to be called every so often */ KeSetTimerEx(&fileManager.connectionCheckerTimer, fileEventsTimeout, (USERSPACE_CONNECTION_TIMEOUT+(USERSPACE_CONNECTION_TIMEOUT/2))*1000, &fileManager.connectionCheckerFunction); fileManager.bReady = TRUE; fileManager.logDirectory.Length = 0; fileManager.logDirectory.Buffer = NULL; DbgPrint("CaptureFileMonitor: Successfully Loaded\n"); return STATUS_SUCCESS; }
NTSTATUS CtxDriverEntry ( IN PDRIVER_OBJECT DriverObject, IN PUNICODE_STRING RegistryPath ) #endif /*++ Routine Description: This is the initialization routine for this filter driver. It registers itself with the filter manager and initializes all its global data structures. Arguments: DriverObject - Pointer to driver object created by the system to represent this driver. RegistryPath - Unicode string identifying where the parameters for this driver are located in the registry. Return Value: Returns STATUS_SUCCESS. --*/ { NTSTATUS status; // // Filters callback routines // FLT_OPERATION_REGISTRATION callbacks[] = { { IRP_MJ_CREATE, FLTFL_OPERATION_REGISTRATION_SKIP_PAGING_IO, CtxPreCreate, CtxPostCreate }, { IRP_MJ_CLEANUP, FLTFL_OPERATION_REGISTRATION_SKIP_PAGING_IO, CtxPreCleanup, NULL }, { IRP_MJ_CLOSE, FLTFL_OPERATION_REGISTRATION_SKIP_PAGING_IO, CtxPreClose, NULL }, { IRP_MJ_SET_INFORMATION, FLTFL_OPERATION_REGISTRATION_SKIP_PAGING_IO, CtxPreSetInfo, CtxPostSetInfo }, { IRP_MJ_OPERATION_END } }; const FLT_CONTEXT_REGISTRATION contextRegistration[] = { { FLT_INSTANCE_CONTEXT, 0, CtxContextCleanup, CTX_INSTANCE_CONTEXT_SIZE, CTX_INSTANCE_CONTEXT_TAG }, { FLT_FILE_CONTEXT, 0, CtxContextCleanup, CTX_FILE_CONTEXT_SIZE, CTX_FILE_CONTEXT_TAG }, { FLT_STREAM_CONTEXT, 0, CtxContextCleanup, CTX_STREAM_CONTEXT_SIZE, CTX_STREAM_CONTEXT_TAG }, { FLT_STREAMHANDLE_CONTEXT, 0, CtxContextCleanup, CTX_STREAMHANDLE_CONTEXT_SIZE, CTX_STREAMHANDLE_CONTEXT_TAG }, { FLT_CONTEXT_END } }; // // Filters registration data structure // #if !__NDAS_FS_MINI__ FLT_REGISTRATION filterRegistration = { #else FLT_REGISTRATION CtxFilterRegistration = { #endif sizeof( FLT_REGISTRATION ), // Size FLT_REGISTRATION_VERSION, // Version 0, // Flags contextRegistration, // Context callbacks, // Operation callbacks CtxUnload, // Filters unload routine CtxInstanceSetup, // InstanceSetup routine CtxInstanceQueryTeardown, // InstanceQueryTeardown routine CtxInstanceTeardownStart, // InstanceTeardownStart routine CtxInstanceTeardownComplete, // InstanceTeardownComplete routine NULL, NULL, NULL // Unused naming support callbacks }; RtlZeroMemory( &Globals, sizeof( Globals ) ); #if DBG // // Initialize global debug level // CtxInitializeDebugLevel( RegistryPath ); #else UNREFERENCED_PARAMETER( RegistryPath ); #endif DebugTrace( DEBUG_TRACE_LOAD_UNLOAD, ("[Ctx]: Driver being loaded\n") ); #if __NDAS_FS_MINI__ UNREFERENCED_PARAMETER( DriverObject ); UNREFERENCED_PARAMETER( RegistryPath ); status = STATUS_SUCCESS; #else // // Register with the filter manager // status = FltRegisterFilter( DriverObject, &filterRegistration, &Globals.Filter ); if (!NT_SUCCESS( status )) { return status; } // // Start filtering I/O // status = FltStartFiltering( Globals.Filter ); if (!NT_SUCCESS( status )) { FltUnregisterFilter( Globals.Filter ); } DebugTrace( DEBUG_TRACE_LOAD_UNLOAD, ("[Ctx]: Driver loaded complete (Status = 0x%08X)\n", status) ); #endif return status; } #if DBG VOID CtxInitializeDebugLevel ( __in PUNICODE_STRING RegistryPath ) /*++ Routine Description: This routine tries to read the filter DebugLevel parameter from the registry. This value will be found in the registry location indicated by the RegistryPath passed in. Arguments: RegistryPath - The path key passed to the driver during DriverEntry. Return Value: None. --*/ { OBJECT_ATTRIBUTES attributes; HANDLE driverRegKey; NTSTATUS status; ULONG resultLength; UNICODE_STRING valueName; UCHAR buffer[sizeof( KEY_VALUE_PARTIAL_INFORMATION ) + sizeof( LONG )]; Globals.DebugLevel = DEBUG_TRACE_ERROR; #if __NDAS_FS_MINI__ Globals.DebugLevel |= DEBUG_TRACE_INSTANCES; Globals.DebugLevel |= DEBUG_TRACE_INSTANCE_CONTEXT_OPERATIONS; Globals.DebugLevel |= DEBUG_INFO_CREATE; //Globals.DebugLevel |= 0xFFFFFFFF; #endif // // Open the desired registry key // InitializeObjectAttributes( &attributes, RegistryPath, OBJ_CASE_INSENSITIVE, NULL, NULL ); status = ZwOpenKey( &driverRegKey, KEY_READ, &attributes ); if (NT_SUCCESS( status )) { // // Read the DebugFlags value from the registry. // RtlInitUnicodeString( &valueName, L"DebugLevel" ); status = ZwQueryValueKey( driverRegKey, &valueName, KeyValuePartialInformation, buffer, sizeof(buffer), &resultLength ); if (NT_SUCCESS( status )) { Globals.DebugLevel = *((PULONG) &(((PKEY_VALUE_PARTIAL_INFORMATION) buffer)->Data)); } } // // Close the registry entry // ZwClose( driverRegKey ); }
NTSTATUS DriverEntry ( __in PDRIVER_OBJECT DriverObject, __in PUNICODE_STRING RegistryPath ) /*++ Routine Description: This is the initialization routine for this filter driver. It registers itself with the filter manager and initializes all its global data structures. Arguments: DriverObject - Pointer to driver object created by the system to represent this driver. RegistryPath - Unicode string identifying where the parameters for this driver are located in the registry. Return Value: Returns STATUS_SUCCESS. --*/ { NTSTATUS status; // // Filters callback routines // FLT_OPERATION_REGISTRATION callbacks[] = { { IRP_MJ_CREATE, FLTFL_OPERATION_REGISTRATION_SKIP_PAGING_IO, CtxPreCreate, CtxPostCreate }, { IRP_MJ_CLEANUP, FLTFL_OPERATION_REGISTRATION_SKIP_PAGING_IO, CtxPreCleanup, NULL }, { IRP_MJ_CLOSE, FLTFL_OPERATION_REGISTRATION_SKIP_PAGING_IO, CtxPreClose, NULL }, { IRP_MJ_SET_INFORMATION, FLTFL_OPERATION_REGISTRATION_SKIP_PAGING_IO, CtxPreSetInfo, CtxPostSetInfo }, { IRP_MJ_OPERATION_END } }; const FLT_CONTEXT_REGISTRATION contextRegistration[] = { { FLT_INSTANCE_CONTEXT, 0, CtxContextCleanup, CTX_INSTANCE_CONTEXT_SIZE, CTX_INSTANCE_CONTEXT_TAG }, { FLT_FILE_CONTEXT, 0, CtxContextCleanup, CTX_FILE_CONTEXT_SIZE, CTX_FILE_CONTEXT_TAG }, { FLT_STREAM_CONTEXT, 0, CtxContextCleanup, CTX_STREAM_CONTEXT_SIZE, CTX_STREAM_CONTEXT_TAG }, { FLT_STREAMHANDLE_CONTEXT, 0, CtxContextCleanup, CTX_STREAMHANDLE_CONTEXT_SIZE, CTX_STREAMHANDLE_CONTEXT_TAG }, { FLT_CONTEXT_END } }; // // Filters registration data structure // FLT_REGISTRATION filterRegistration = { sizeof( FLT_REGISTRATION ), // Size FLT_REGISTRATION_VERSION, // Version 0, // Flags contextRegistration, // Context callbacks, // Operation callbacks CtxUnload, // Filters unload routine CtxInstanceSetup, // InstanceSetup routine CtxInstanceQueryTeardown, // InstanceQueryTeardown routine CtxInstanceTeardownStart, // InstanceTeardownStart routine CtxInstanceTeardownComplete, // InstanceTeardownComplete routine NULL, NULL, NULL // Unused naming support callbacks }; RtlZeroMemory( &Globals, sizeof( Globals ) ); #if DBG // // Initialize global debug level // CtxInitializeDebugLevel( RegistryPath ); #else UNREFERENCED_PARAMETER( RegistryPath ); #endif DebugTrace( DEBUG_TRACE_LOAD_UNLOAD, ("[Ctx]: Driver being loaded\n") ); // // Register with the filter manager // status = FltRegisterFilter( DriverObject, &filterRegistration, &Globals.Filter ); if (!NT_SUCCESS( status )) { return status; } // // Start filtering I/O // status = FltStartFiltering( Globals.Filter ); if (!NT_SUCCESS( status )) { FltUnregisterFilter( Globals.Filter ); } DebugTrace( DEBUG_TRACE_LOAD_UNLOAD, ("[Ctx]: Driver loaded complete (Status = 0x%08X)\n", status) ); return status; }
NTSTATUS DriverEntry ( _In_ PDRIVER_OBJECT DriverObject, _In_ PUNICODE_STRING RegistryPath ) /*++ Routine Description: This is the initialization routine for this filter driver. It registers itself with the filter manager and initializes all its global data structures. Arguments: DriverObject - Pointer to driver object created by the system to represent this driver. RegistryPath - Unicode string identifying where the parameters for this driver are located in the registry. Return Value: Returns STATUS_SUCCESS. --*/ { NTSTATUS status; // // Default to NonPagedPoolNx for non paged pool allocations where supported. // ExInitializeDriverRuntime( DrvRtPoolNxOptIn ); RtlZeroMemory( &Globals, sizeof( Globals ) ); #if DBG // // Initialize global debug level // CtxInitializeDebugLevel( RegistryPath ); #else UNREFERENCED_PARAMETER( RegistryPath ); #endif DebugTrace( DEBUG_TRACE_LOAD_UNLOAD, ("[Ctx]: Driver being loaded\n") ); // // Register with the filter manager // status = FltRegisterFilter( DriverObject, &FilterRegistration, &Globals.Filter ); if (!NT_SUCCESS( status )) { return status; } // // Start filtering I/O // status = FltStartFiltering( Globals.Filter ); if (!NT_SUCCESS( status )) { FltUnregisterFilter( Globals.Filter ); } DebugTrace( DEBUG_TRACE_LOAD_UNLOAD, ("[Ctx]: Driver loaded complete (Status = 0x%08X)\n", status) ); return status; }
NTSTATUS DriverEntry ( __in PDRIVER_OBJECT DriverObject, __in PUNICODE_STRING RegistryPath ) /*++ Routine Description: This is the initialization routine for the Filter driver. This registers the Filter with the filter manager and initializes all its global data structures. Arguments: DriverObject - Pointer to driver object created by the system to represent this driver. RegistryPath - Unicode string identifying where the parameters for this driver are located in the registry. Return Value: Returns STATUS_SUCCESS. --*/ { OBJECT_ATTRIBUTES oa; UNICODE_STRING uniString; PSECURITY_DESCRIPTOR sd; NTSTATUS status; UNREFERENCED_PARAMETER( RegistryPath ); // // 向过滤管理器注册过滤器 // status = FltRegisterFilter( DriverObject, &FilterRegistration, &ScannerData.Filter ); if (!NT_SUCCESS( status )) { return status; } // // 创建一个通信端口 // RtlInitUnicodeString( &uniString, ScannerPortName ); // // We secure the port so only ADMINs & SYSTEM can acecss it. // 我们设置只有管理员权限用户与SYSTEM用户权限的程序可以接入这个端口 // status = FltBuildDefaultSecurityDescriptor( &sd, FLT_PORT_ALL_ACCESS ); if (NT_SUCCESS( status )) { InitializeObjectAttributes( &oa, &uniString, OBJ_CASE_INSENSITIVE | OBJ_KERNEL_HANDLE, NULL, sd ); status = FltCreateCommunicationPort( ScannerData.Filter, &ScannerData.ServerPort, &oa, NULL, ScannerPortConnect, ScannerPortDisconnect, NULL, 1 ); // // 当调用FltCreateCommunicationPort()后,安全描述符已经没有需要了,应当释放掉。 // FltFreeSecurityDescriptor( sd ); if (NT_SUCCESS( status )) { // // 开始过滤IO // status = FltStartFiltering( ScannerData.Filter ); if (NT_SUCCESS( status )) { return STATUS_SUCCESS; } FltCloseCommunicationPort( ScannerData.ServerPort ); } } FltUnregisterFilter( ScannerData.Filter ); return status; }