【半原创】Irp占坑保护文件不被删除

其他 2018-10-19 01:41:09 阅读次数: 0

Irp操作出自125096的博客

http://blog.csdn.net/qq125096885/article/details/53033896


这里提下 博主的例子中使用irpclose文件对象,这可能会造成蓝屏。

见链接:https://bbs.pediy.com/thread-215269.htm

所以这里把IrpCloseFile改为ObDereferenceObject即可


但是如果是需要实现无法删除,那么就不需要调用ObDereferenceObject

原因你猜~

此方法使用Irp去删除是无法删除的~

见代码~

#include <ntddk.h>  

#ifndef MAX_PATH  
#define MAX_PATH          260  
#endif  

NTSTATUS ObOpenObjectByPointer(PVOID Object, ULONG HandleAttributes, PACCESS_STATE PassedAccessState, ACCESS_MASK DesiredAccess, POBJECT_TYPE ObjectType, KPROCESSOR_MODE AccessMode, PHANDLE Handle);
NTSTATUS ObCreateObject(KPROCESSOR_MODE ProbeMode, POBJECT_TYPE ObjectType, POBJECT_ATTRIBUTES ObjectAttributes, KPROCESSOR_MODE OwnershipMode, PVOID ParseContext, ULONG ObjectBodySize, ULONG PagedPoolCharge, ULONG NonPagedPoolCharge, PVOID *Object);
NTSTATUS SeCreateAccessState(PACCESS_STATE AccessState, PVOID AuxData, ACCESS_MASK DesiredAccess, PGENERIC_MAPPING GenericMapping);

typedef struct _AUX_ACCESS_DATA {
	PPRIVILEGE_SET PrivilegesUsed;
	GENERIC_MAPPING GenericMapping;
	ACCESS_MASK AccessesToAudit;
	ACCESS_MASK MaximumAuditMask;
	ULONG Unknown[256];
} AUX_ACCESS_DATA, *PAUX_ACCESS_DATA;

//获取设备对象  
NTSTATUS GetDriveObject(PUNICODE_STRING pDriveName, PDEVICE_OBJECT *DeviceObject, PDEVICE_OBJECT *ReadDevice);

//IRP打开文件  
NTSTATUS IrpCreateFile(PUNICODE_STRING pFilePath, ACCESS_MASK DesiredAccess, PIO_STATUS_BLOCK pIoStatusBlock, PFILE_OBJECT *pFileObject);


VOID DriverUnload(IN PDRIVER_OBJECT DriverObject)
{
	return;
}

NTSTATUS DriverEntry(IN PDRIVER_OBJECT DriverObject, IN PUNICODE_STRING RegistryPath)
{
	NTSTATUS status;
	DriverObject->DriverUnload = DriverUnload;

	UNICODE_STRING strFilePath;
	IO_STATUS_BLOCK IoStatusBlock = { 0 };
	PFILE_OBJECT pFileObject = NULL;
	RtlInitUnicodeString(&strFilePath, L"\\??\\c:\\test.exe");

	//打开文件  
	status = IrpCreateFile(&strFilePath, GENERIC_READ | DELETE, &IoStatusBlock, &pFileObject);
	if (NT_SUCCESS(status))
	{
		//关闭文件  发irp close会触发内存重复释放 应使用ObDereferenceObject
		// 如果不ObDereferenceObject 除关机.磁盘填0(怎么获取偏移是一个问题~)之外 无法删除文件
		// ObDereferenceObject(pFileObject);
	}
	return STATUS_SUCCESS;
}


//完成历程  
NTSTATUS IoCompletionRoutineEx(PDEVICE_OBJECT  DeviceObject, PIRP  Irp, PVOID  Context)
{

	*Irp->UserIosb = Irp->IoStatus;
	if (Irp->UserEvent)
		KeSetEvent(Irp->UserEvent, IO_NO_INCREMENT, 0);

	if (Irp->MdlAddress)
	{
		IoFreeMdl(Irp->MdlAddress);
		Irp->MdlAddress = NULL;
	}

	IoFreeIrp(Irp);
	return STATUS_MORE_PROCESSING_REQUIRED;

}

//获取设备对象  
NTSTATUS GetDriveObject(PUNICODE_STRING pDriveName, PDEVICE_OBJECT *DeviceObject, PDEVICE_OBJECT *ReadDevice)
{

	//定义变量  
	NTSTATUS status;
	OBJECT_ATTRIBUTES objectAttributes;
	HANDLE DeviceHandle = NULL;
	IO_STATUS_BLOCK ioStatus;
	PFILE_OBJECT pFileObject;

	//参数效验  
	if (pDriveName == NULL || DeviceObject == NULL || ReadDevice == NULL)return STATUS_INVALID_PARAMETER;

	//  \\??\\C:  
	//打开设备  
	InitializeObjectAttributes(&objectAttributes, pDriveName, OBJ_CASE_INSENSITIVE, NULL, NULL);
	status = IoCreateFile(&DeviceHandle, SYNCHRONIZE | FILE_ANY_ACCESS, &objectAttributes, &ioStatus, NULL, 0, FILE_SHARE_READ | FILE_SHARE_WRITE, FILE_OPEN, FILE_SYNCHRONOUS_IO_NONALERT | FILE_DIRECTORY_FILE, NULL, 0, CreateFileTypeNone, NULL, IO_NO_PARAMETER_CHECKING);
	if (!NT_SUCCESS(status))return status;

	//获取文件对象  
	status = ObReferenceObjectByHandle(DeviceHandle, FILE_READ_DATA, *IoFileObjectType, KernelMode, &pFileObject, NULL);
	if (!NT_SUCCESS(status))
	{
		ZwClose(DeviceHandle);
		return status;
	}

	//效验结果  
	if (pFileObject->Vpb == 0 || pFileObject->Vpb->RealDevice == NULL)
	{
		ObDereferenceObject(pFileObject);
		ZwClose(DeviceHandle);
		return STATUS_UNSUCCESSFUL;
	}

	//设置变量  
	*DeviceObject = pFileObject->Vpb->DeviceObject;
	*ReadDevice = pFileObject->Vpb->RealDevice;

	ObDereferenceObject(pFileObject);
	ZwClose(DeviceHandle);


	return STATUS_SUCCESS;
}

//IRP打开文件  
NTSTATUS IrpCreateFile(PUNICODE_STRING pFilePath, ACCESS_MASK DesiredAccess, PIO_STATUS_BLOCK pIoStatusBlock, PFILE_OBJECT *pFileObject)
{
	NTSTATUS ntStatus;
	PIRP pIrp;
	KEVENT kEvent;
	static ACCESS_STATE AccessState;
	static AUX_ACCESS_DATA AuxData;
	OBJECT_ATTRIBUTES ObjectAttributes;
	PFILE_OBJECT  pNewFileObject;
	IO_SECURITY_CONTEXT SecurityContext;
	PIO_STACK_LOCATION IrpSp;
	PDEVICE_OBJECT pDeviceObject = NULL;
	PDEVICE_OBJECT pReadDevice = NULL;
	UNICODE_STRING DriveName;
	wchar_t* pFileNameBuf = NULL;
	static wchar_t szFilePath[MAX_PATH] = { 0 };
#define SYMBOLICLINKLENG            6           //  \\??\\c:            \\windows\\notepad.exe  


	if (pFilePath == NULL || pIoStatusBlock == NULL || pFileObject == NULL || pFilePath->Length <= SYMBOLICLINKLENG)return STATUS_INVALID_PARAMETER;

	RtlZeroMemory(szFilePath, sizeof(szFilePath));
	RtlCopyMemory(szFilePath, pFilePath->Buffer, (SYMBOLICLINKLENG + 1) * sizeof(wchar_t));
	RtlInitUnicodeString(&DriveName, szFilePath);


	ntStatus = GetDriveObject(&DriveName, &pDeviceObject, &pReadDevice);
	if (!NT_SUCCESS(ntStatus))return ntStatus;

	RtlZeroMemory(szFilePath, sizeof(szFilePath));
	RtlCopyMemory(szFilePath, &pFilePath->Buffer[SYMBOLICLINKLENG], pFilePath->Length - SYMBOLICLINKLENG);
	RtlInitUnicodeString(&DriveName, szFilePath);
	pFileNameBuf = ExAllocatePool(NonPagedPool, DriveName.MaximumLength);
	if (pFileNameBuf == NULL)return STATUS_UNSUCCESSFUL;
	RtlZeroMemory(pFileNameBuf, DriveName.MaximumLength);
	RtlCopyMemory(pFileNameBuf, DriveName.Buffer, DriveName.Length);

	if (pDeviceObject == NULL || pReadDevice == NULL || pDeviceObject->StackSize <= 0)return STATUS_UNSUCCESSFUL;

	InitializeObjectAttributes(&ObjectAttributes, NULL, OBJ_CASE_INSENSITIVE | OBJ_KERNEL_HANDLE, 0, NULL);
	ntStatus = ObCreateObject(KernelMode, *IoFileObjectType, &ObjectAttributes, KernelMode, NULL, sizeof(FILE_OBJECT), 0, 0, &pNewFileObject);
	if (!NT_SUCCESS(ntStatus))return ntStatus;

	pIrp = IoAllocateIrp(pDeviceObject->StackSize, FALSE);
	if (pIrp == NULL)
	{
		ObDereferenceObject(pNewFileObject);
		return STATUS_INSUFFICIENT_RESOURCES;
	}

	KeInitializeEvent(&kEvent, SynchronizationEvent, FALSE);
	RtlZeroMemory(pNewFileObject, sizeof(FILE_OBJECT));
	pNewFileObject->Type = IO_TYPE_FILE;
	pNewFileObject->Size = sizeof(FILE_OBJECT);
	pNewFileObject->DeviceObject = pReadDevice;
	pNewFileObject->Flags = FO_SYNCHRONOUS_IO;
	RtlInitUnicodeString(&pNewFileObject->FileName, pFileNameBuf);
	KeInitializeEvent(&pNewFileObject->Lock, SynchronizationEvent, FALSE);
	KeInitializeEvent(&pNewFileObject->Event, NotificationEvent, FALSE);

	ntStatus = SeCreateAccessState(&AccessState, &AuxData, DesiredAccess, IoGetFileObjectGenericMapping());
	if (!NT_SUCCESS(ntStatus))
	{
		IoFreeIrp(pIrp);
		ObDereferenceObject(pNewFileObject);
		return ntStatus;
	}


	SecurityContext.SecurityQos = NULL;
	SecurityContext.AccessState = &AccessState;
	SecurityContext.DesiredAccess = DesiredAccess;
	SecurityContext.FullCreateOptions = 0;

	pIrp->MdlAddress = NULL;
	pIrp->AssociatedIrp.SystemBuffer = NULL;
	pIrp->Flags = IRP_CREATE_OPERATION | IRP_SYNCHRONOUS_API;
	pIrp->RequestorMode = KernelMode;
	pIrp->UserIosb = pIoStatusBlock;
	pIrp->UserEvent = &kEvent;
	pIrp->PendingReturned = FALSE;
	pIrp->Cancel = FALSE;
	pIrp->CancelRoutine = NULL;
	pIrp->Tail.Overlay.Thread = PsGetCurrentThread();
	pIrp->Tail.Overlay.AuxiliaryBuffer = NULL;
	pIrp->Tail.Overlay.OriginalFileObject = pNewFileObject;

	IrpSp = IoGetNextIrpStackLocation(pIrp);
	IrpSp->MajorFunction = IRP_MJ_CREATE;
	IrpSp->DeviceObject = pDeviceObject;
	IrpSp->FileObject = pNewFileObject;
	IrpSp->Parameters.Create.SecurityContext = &SecurityContext;
	IrpSp->Parameters.Create.Options = (FILE_OPEN_IF << 24) | 0;
	IrpSp->Parameters.Create.FileAttributes = FILE_ATTRIBUTE_NORMAL;
	IrpSp->Parameters.Create.ShareAccess = FILE_SHARE_READ | FILE_SHARE_WRITE | FILE_SHARE_DELETE;
	IrpSp->Parameters.Create.EaLength = 0;

	IoSetCompletionRoutine(pIrp, IoCompletionRoutineEx, 0, TRUE, TRUE, TRUE);
	ntStatus = IoCallDriver(pDeviceObject, pIrp);
	if (ntStatus == STATUS_PENDING)
		KeWaitForSingleObject(&kEvent, Executive, KernelMode, TRUE, 0);
	ntStatus = pIoStatusBlock->Status;

	if (!NT_SUCCESS(ntStatus))
	{
		pNewFileObject->DeviceObject = NULL;
		ObDereferenceObject(pNewFileObject);
	}
	else
	{
		InterlockedIncrement(&pNewFileObject->DeviceObject->ReferenceCount);
		if (pNewFileObject->Vpb)
			InterlockedIncrement(&pNewFileObject->Vpb->ReferenceCount);
		*pFileObject = pNewFileObject;

		//ObDereferenceObject(pNewFileObject);  
	}

	return ntStatus;
}

删除的思路

1.找到这个FileObject ObDereferenceObject~

2.找跟句柄、对象无关的删除方法~




猜你喜欢

转载自blog.csdn.net/zhuhuibeishadiao/article/details/78050887
今日推荐
技术解析 GPT-4o:即时语音交互的突破与 GenAI 发展策略
开源大模型与闭源大模型
微信小程序授权登录获取用户的openid
亿级流量系统架构设计与实战
人工智能时代的程序设计教学与课程设计
纽交所技术问题致伯克希尔 (BRK.A) 显示跌近 100%
探索 api.maynor1024.live:一站式 AI 服务平台
AI一键去衣技术:窥见深度学习在图像处理领域的革命(最后有彩蛋)
艾体宝案例 | 使用Redis和Spring Ai构建rag应用程序
Apple M1 vs 高通8Gen2 vs Apple A12Z各方面比较
【升职加薪必备架构图】Springboot学习路线汇总_springboot四层架构流程图
与Apollo共创生态:Apollo7周年大会自动驾驶生态利剑出鞘
周排行
事务隔离级及脏读、幻读和不可重复读
rtos:zephyr同步信号量
把对象转换为JSON格式的数据
iOS Dev (56) iTunes Store 销售日报更新时间
Failed to start mongod.service: Unit not found;mongodb in unbuntu
Upgrading PHP on CentOS 6.5 (Final)
(四)王道机试指南___排版问题
TensorFlow之手写体识别
xcode xib报错 Safe Area Layout Guide Before IOS 9.0
【LeetCode】76. Minimum Window Substring(C++)
每日归档
更多
2024-06-05(0)
2024-06-04(10)
2024-06-03(52)
2024-06-02(4)
2024-06-01(60)
2024-05-31(47)
2024-05-30(4)
2024-05-29(65)
2024-05-28(2)
2024-05-27(56)

代码天地 © 2018 codetd.com

境外服务器   最新电视剧2022