windows驱动写日志

如何在 Windows 驱动的 READ 及 WRITE 回调（WRITE 部分的代码未贴出）中写日志。以下代码可以直接编译运行，在 Win7 32 位上测试通过。

希望对大家有用

https://blog.csdn.net/feixi7358/article/details/84984154?tdsourcetag=s_pcqq_aiomsg

stdafx.h

#ifndef _WIN32_WINNT		// Allow use of features specific to Windows XP or later.                   
#define _WIN32_WINNT 0x0501	// Change this to the appropriate value to target other versions of Windows.
#endif						

#ifdef __cplusplus
extern "C" 
{
#endif
#include <fltKernel.h>
#include <ntddk.h>
#include <ntddstor.h>
#include <mountdev.h>
#include <ntddvol.h>

#ifdef __cplusplus
};
#endif

typedef struct _HIDE_PATH_LIST
{
  LIST_ENTRY listNode;  // queue linkage: preRead inserts at the tail, ThreadProc removes from the head
  UNICODE_STRING msg;   // text ThreadProc writes to the log file (msg.Buffer / msg.Length)
  CHAR xxPath[256];  // NOTE(review): this field is not a mystery, it is padding that absorbs an overflow.
                     // preRead does RtlCopyMemory(&node->msg, &log_msg, log_msg.Length), i.e. it copies
                     // log_msg.Length BYTES (52 for the wide string it logs) starting at &msg, but a
                     // UNICODE_STRING is only 8 bytes on 32-bit. The surplus 44 bytes land here; remove the
                     // array and they are written past the end of the sizeof(LOG_LIST) pool allocation.
                     // The real fix is `node->msg = log_msg;` in preRead, after which this array is unused.
}LOG_LIST,*PLOG_LIST;



/* Pre-operation callback registered for IRP_MJ_READ (see Callbacks below). */
FLT_PREOP_CALLBACK_STATUS preRead(__inout PFLT_CALLBACK_DATA Data,
                                  __in PCFLT_RELATED_OBJECTS FltObjects,
                                  __deref_out_opt PVOID *CompletionContext);

/* Filter-manager unload callback (FLT_REGISTRATION.FilterUnloadCallback). */
NTSTATUS FilterUnload(__in FLT_FILTER_UNLOAD_FLAGS Flags);

/* Worker thread that drains the log queue, and the helper that creates it. */
VOID ThreadProc();
VOID StartThread();


/*
 * Operation callbacks handed to the filter manager. Only IRP_MJ_READ is
 * hooked, with a pre-operation routine and no post-operation routine; the
 * IRP_MJ_OPERATION_END entry terminates the table.
 */
CONST FLT_OPERATION_REGISTRATION Callbacks[] = {
  { IRP_MJ_READ, 0 /* Flags */, preRead /* PreOperation */, NULL /* PostOperation */ },
  { IRP_MJ_OPERATION_END }
};
/*
 * Registration record passed to FltRegisterFilter. Only the operation table
 * and the unload callback are supplied; every instance and name callback is
 * left NULL, so instance attachment and name handling are left to the filter
 * manager's defaults.
 */
CONST FLT_REGISTRATION FilterRegistration = {
  sizeof( FLT_REGISTRATION ),   // Size
  FLT_REGISTRATION_VERSION,     // Version
  0,                            // Flags
  NULL,                         // Context registration
  Callbacks,                    // Operation callbacks (IRP_MJ_READ only)
  FilterUnload,                 // FilterUnloadCallback
  NULL,                         // InstanceSetupCallback
  NULL,                         // InstanceQueryTeardownCallback
  NULL,                         // InstanceTeardownStartCallback
  NULL,                         // InstanceTeardownCompleteCallback
  NULL,                         // GenerateFileNameCallback
  NULL,                         // NormalizeNameComponentCallback
  NULL                          // NormalizeContextCleanupCallback
};


writelog.cpp。我用的是 minifilter 过滤框架，但写日志文件时用的是 Zw- 开头的函数：这类调用会再次经过文件系统过滤栈，如果日志文件位于被监控的卷上，就会重新触发本驱动的 preRead 回调，造成重入。所以这里只监控 D 盘，而把日志写到 C 盘来避开重入。更好的做法是用 minifilter 自己的 API（Flt- 开头的函数，如 FltCreateFile/FltWriteFile），让 I/O 直接发往本过滤器以下的层。

#include "stdafx.h"


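#ifdef __cplusplus
extern "C" NTSTATUS DriverEntry(IN PDRIVER_OBJECT DriverObject, IN PUNICODE_STRING  RegistryPath);
#endif

// Log queue shared by two contexts: preRead (producer, arbitrary thread
// context) appends LOG_LIST nodes at the tail and ThreadProc (consumer)
// removes them from the head. HidePathListLock is the spin lock that guards it.
LIST_ENTRY HidePathListHeader;
KSPIN_LOCK HidePathListLock;
// Filter handle returned by FltRegisterFilter (minifilter handle).
PFLT_FILTER gFilterHandle = NULL;
// Signalled by preRead whenever a node is queued; ThreadProc waits on it.
KEVENT s_Event;
// Run flag for ThreadProc: written by FilterUnload, polled by the worker loop.
// volatile so the loop re-reads it on every iteration instead of caching TRUE.
volatile BOOLEAN FLAG = TRUE;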


#ifdef __cplusplus
extern "C" {
#endif
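NTSTATUS DriverEntry(IN PDRIVER_OBJECT DriverObject, IN PUNICODE_STRING  RegistryPath)
{
  NTSTATUS status;
  UNREFERENCED_PARAMETER(RegistryPath);
  KdPrint(("DriverEntry \n"));

  // Queue shared between preRead (producer) and ThreadProc (consumer), the
  // spin lock that guards it, and the event the producer signals. All three
  // must exist before either the filter or the worker can run.
  InitializeListHead(&HidePathListHeader);
  KeInitializeSpinLock(&HidePathListLock);
  KeInitializeEvent(&s_Event, SynchronizationEvent, FALSE);

  // Register with the filter manager.
  status = FltRegisterFilter(DriverObject, &FilterRegistration, &gFilterHandle);
  if (!NT_SUCCESS(status))
  {
    KdPrint(("FltRegisterFilter failed: 0x%08X\n", status));
    // The original returned STATUS_SUCCESS here, leaving a driver loaded with
    // no filter, no unload callback and a worker thread nobody could stop.
    return status;
  }

  status = FltStartFiltering(gFilterHandle);
  if (!NT_SUCCESS(status))
  {
    KdPrint(("FltStartFiltering failed: 0x%08X\n", status));
    FltUnregisterFilter(gFilterHandle);
    gFilterHandle = NULL;
    return status;
  }

  // Only start the worker once filtering is up, so a failed load never leaves
  // a system thread running inside an image the I/O manager is about to unmap.
  StartThread();

  return STATUS_SUCCESS;
}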
#ifdef __cplusplus
}; // extern "C"
#endif

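NTSTATUS FilterUnload(__in FLT_FILTER_UNLOAD_FLAGS Flags)
{
    UNREFERENCED_PARAMETER(Flags);

    // Mandatory: a minifilter unregisters itself from its unload callback.
    // Once this returns no further preRead callbacks arrive, so nothing new
    // is queued after this point.
    FltUnregisterFilter(gFilterHandle);
    gFilterHandle = NULL;

    // Tell the worker to stop AND wake it up: ThreadProc blocks in
    // KeWaitForSingleObject, so clearing FLAG alone (what the original did)
    // leaves it asleep forever with the driver image about to be unmapped.
    FLAG = FALSE;
    KeSetEvent(&s_Event, IO_NO_INCREMENT, FALSE);

    // NOTE(review): this still races with the worker's exit -- nothing here
    // waits for ThreadProc to finish before the image goes away. A complete fix
    // keeps a referenced PETHREAD (ObReferenceObjectByHandle on the handle from
    // PsCreateSystemThread) and KeWaitForSingleObject()s on it here.
    KdPrint(("卸载成功\n"));
    return STATUS_SUCCESS;
}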




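/*
 * Pre-operation callback for IRP_MJ_READ.
 *
 * For reads whose normalized name starts with \Device\HarddiskVolume3\ a
 * LOG_LIST node is queued for ThreadProc and the worker is signalled. The read
 * itself is never blocked or modified: the callback always returns
 * FLT_PREOP_SUCCESS_NO_CALLBACK.
 *
 * Data, FltObjects, CompletionContext: standard PFLT_PRE_OPERATION_CALLBACK
 * parameters; only Data is used.
 */
FLT_PREOP_CALLBACK_STATUS
  preRead(
  __inout PFLT_CALLBACK_DATA Data,
  __in PCFLT_RELATED_OBJECTS FltObjects,
  __deref_out_opt PVOID *CompletionContext
  )
{
  NTSTATUS status;
  PFLT_FILE_NAME_INFORMATION nameInfo = NULL;
  UNICODE_STRING Directory_Of_Bait_files;
  UNICODE_STRING log_msg;
  UNREFERENCED_PARAMETER( FltObjects );
  UNREFERENCED_PARAMETER( CompletionContext );
  PAGED_CODE();

  // Do not query names on the paging path: the name provider may itself have
  // to page data in, which can deadlock. Paging reads are simply not logged.
  if (FlagOn(Data->Iopb->IrpFlags, IRP_PAGING_IO))
  {
    return FLT_PREOP_SUCCESS_NO_CALLBACK;
  }

  __try {
      status = FltGetFileNameInformation( Data,
                     FLT_FILE_NAME_NORMALIZED |
                     FLT_FILE_NAME_QUERY_DEFAULT,
                     &nameInfo );
      if (NT_SUCCESS( status ))
      {
        FltParseFileNameInformation( nameInfo );
        RtlInitUnicodeString( &Directory_Of_Bait_files, L"\\Device\\HarddiskVolume3\\");
        RtlInitUnicodeString( &log_msg, L"\\Device\\HarddiskVolume3\\\r\n");  // placeholder log line
        if (RtlPrefixUnicodeString(&Directory_Of_Bait_files,&nameInfo->Name,TRUE))
        {
            // Tagged allocation ('wLog' in pool tools) so leaks are attributable.
            PLOG_LIST pathListNode =
              (PLOG_LIST)ExAllocatePoolWithTag(NonPagedPool, sizeof(LOG_LIST), 'goLw');
            if (pathListNode == NULL)
            {
              // Drop this record. The original only printed and then
              // dereferenced the NULL pointer below.
              KdPrint(("队列申请失败  \n"));
            }
            else
            {
              RtlZeroMemory(pathListNode, sizeof(LOG_LIST));
              // Copy the 8-byte descriptor, NOT log_msg.Length bytes of it: the
              // original RtlCopyMemory(&msg, &log_msg, log_msg.Length) read 52
              // bytes off the stack past log_msg and wrote them past msg into the
              // node (which is why LOG_LIST needed its trailing 256-byte array).
              // msg.Buffer keeps pointing at the wide string literal, which stays
              // valid for as long as the driver image is loaded.
              pathListNode->msg = log_msg;
              // Insert under the spin lock: this callback runs in arbitrary
              // thread context concurrently with ThreadProc removing nodes.
              ExInterlockedInsertTailList(&HidePathListHeader,
                                          &pathListNode->listNode,
                                          &HidePathListLock);
              KeSetEvent(&s_Event, IO_NO_INCREMENT, FALSE);
            }
        }
        FltReleaseFileNameInformation( nameInfo );
      }
  }
 __except(EXCEPTION_EXECUTE_HANDLER) {
    DbgPrint("NPPreCreate EXCEPTION_EXECUTE_HANDLER\n");
  }
  return FLT_PREOP_SUCCESS_NO_CALLBACK;
}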



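/*
 * System worker thread: waits on s_Event, drains the LOG_LIST queue and
 * appends each node's msg to \??\C:\1.LOG, then frees the node. Runs until
 * FLAG is cleared and the event is signalled, then terminates itself.
 *
 * NOTE(review): the log path is a fixed, well-known location opened with
 * kernel privileges. Whoever can create or replace C:\1.LOG (or point it at a
 * reparse target) controls where this thread writes; confirm the directory ACL
 * before shipping, or open with FILE_OPEN_REPARSE_POINT and a path under a
 * system-only directory.
 */
VOID  ThreadProc()
{
  PLOG_LIST hideList;
  PLIST_ENTRY pEntry;
  OBJECT_ATTRIBUTES objectAttributes;
  IO_STATUS_BLOCK iostatus;
  HANDLE hfile;
  NTSTATUS  status;
  UNICODE_STRING logFileUnicodeString;

  DbgPrint("CreateThread Successfully\n");
  RtlInitUnicodeString( &logFileUnicodeString, L"\\??\\C:\\1.LOG");
  // OBJ_KERNEL_HANDLE keeps the file handle in the kernel handle table so no
  // user-mode code can reach it; OBJ_CASE_INSENSITIVE is what the original used.
  // The attributes never change, so build them once instead of per node.
  InitializeObjectAttributes(&objectAttributes,
    &logFileUnicodeString,
    OBJ_CASE_INSENSITIVE | OBJ_KERNEL_HANDLE,
    NULL,
    NULL );

  while (FLAG)
  {
    KeWaitForSingleObject(&s_Event, Executive, KernelMode, FALSE, NULL);

    // Dequeue under the spin lock; preRead inserts concurrently from arbitrary
    // thread contexts, so the unlocked IsListEmpty/RemoveHeadList pair of the
    // original could corrupt the list. NULL means the queue is empty.
    while ((pEntry = ExInterlockedRemoveHeadList(&HidePathListHeader, &HidePathListLock)) != NULL)
    {
      hideList = CONTAINING_RECORD(pEntry, LOG_LIST, listNode);

      // SYNCHRONIZE must be requested whenever FILE_SYNCHRONOUS_IO_* is used;
      // FILE_OPEN_IF opens the file if it exists and creates it otherwise.
      status = ZwCreateFile( &hfile,
        FILE_APPEND_DATA | SYNCHRONIZE,
        &objectAttributes,
        &iostatus,
        NULL,
        FILE_ATTRIBUTE_NORMAL,
        FILE_SHARE_READ,
        FILE_OPEN_IF,
        FILE_SYNCHRONOUS_IO_NONALERT,
        NULL,
        0 );
      if (NT_SUCCESS(status))
      {
        KdPrint(("msg = %wZ\n", &hideList->msg));
        status = ZwWriteFile(hfile, NULL, NULL, NULL, &iostatus,
                             hideList->msg.Buffer, hideList->msg.Length, NULL, NULL);
        if (!NT_SUCCESS(status))
        {
          KdPrint(("ZwWriteFile failed: 0x%08X\n", status));
        }
        ZwClose(hfile);
      }
      else
      {
        // The original returned from the thread here, abandoning every queued
        // node (leak) and leaving nothing to drain the queue afterwards. Drop
        // this record and keep serving instead.
        KdPrint(("ZwCreateFile(%wZ) failed: 0x%08X\n", &logFileUnicodeString, status));
      }
      // ExFreePool (untagged) releases both ExAllocatePool and tagged allocations.
      ExFreePool(hideList);
    }
  }

  KdPrint(("线程函数结束\n"));
  // A system thread ends itself; returning from here is not the documented way out.
  PsTerminateSystemThread(STATUS_SUCCESS);
}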

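 /*
  * Creates the system thread that runs ThreadProc. The thread handle is closed
  * immediately; the thread keeps running on its own.
  *
  * NOTE(review): ThreadProc is declared with no parameters while PKSTART_ROUTINE
  * takes a PVOID StartContext; the cast below hides that mismatch. It worked on
  * the tested x86 build, but `VOID ThreadProc(PVOID StartContext)` makes the call
  * well-defined on every target.
  */
 VOID StartThread()
 {
    NTSTATUS status;
    HANDLE   hThread = NULL;
    OBJECT_ATTRIBUTES oa;

    // Kernel-only handle: the thread handle must never be reachable from user mode.
    InitializeObjectAttributes(&oa, NULL, OBJ_KERNEL_HANDLE, NULL, NULL);

    status = PsCreateSystemThread(&hThread,
           (ACCESS_MASK)THREAD_ALL_ACCESS,
           &oa,
           NULL,                        // ProcessHandle: NULL -> System process
           NULL,                        // ClientId
           (PKSTART_ROUTINE)ThreadProc,
           NULL);                       // StartContext (ThreadProc ignores it)
    if (!NT_SUCCESS(status))
    {
        // No handle is returned on failure; the original ZwClose()d it anyway.
        KdPrint(("创建失败 \n"));
        return;
    }
    KdPrint(("创建成功 \n"));
    // Nothing retains a reference to the thread object, so no later routine can
    // wait for the worker to exit. If that is needed, ObReferenceObjectByHandle
    // the handle into a global PETHREAD before closing it here.
    ZwClose(hThread);
 }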

1.LOG中的内容

\Device\HarddiskVolume3\
\Device\HarddiskVolume3\
\Device\HarddiskVolume3\
\Device\HarddiskVolume3\
\Device\HarddiskVolume3\
\Device\HarddiskVolume3\
\Device\HarddiskVolume3\
\Device\HarddiskVolume3\
\Device\HarddiskVolume3\
\Device\HarddiskVolume3\
\Device\HarddiskVolume3\
\Device\HarddiskVolume3\
\Device\HarddiskVolume3\
\Device\HarddiskVolume3\
\Device\HarddiskVolume3\
\Device\HarddiskVolume3\
\Device\HarddiskVolume3\
\Device\HarddiskVolume3\
\Device\HarddiskVolume3\
\Device\HarddiskVolume3\
\Device\HarddiskVolume3\
\Device\HarddiskVolume3\
\Device\HarddiskVolume3\
\Device\HarddiskVolume3\
\Device\HarddiskVolume3\
\Device\HarddiskVolume3\
\Device\HarddiskVolume3\
\Device\HarddiskVolume3\
\Device\HarddiskVolume3\
\Device\HarddiskVolume3\
\Device\HarddiskVolume3\
\Device\HarddiskVolume3\
\Device\HarddiskVolume3\
\Device\HarddiskVolume3\
\Device\HarddiskVolume3\
\Device\HarddiskVolume3\
\Device\HarddiskVolume3\
\Device\HarddiskVolume3\
\Device\HarddiskVolume3\
\Device\HarddiskVolume3\
\Device\HarddiskVolume3\
\Device\HarddiskVolume3\
\Device\HarddiskVolume3\
\Device\HarddiskVolume3\
\Device\HarddiskVolume3\
\Device\HarddiskVolume3\
\Device\HarddiskVolume3\
\Device\HarddiskVolume3\
\Device\HarddiskVolume3\
\Device\HarddiskVolume3\
\Device\HarddiskVolume3\
\Device\HarddiskVolume3\
\Device\HarddiskVolume3\
\Device\HarddiskVolume3\
\Device\HarddiskVolume3\
\Device\HarddiskVolume3\
\Device\HarddiskVolume3\
\Device\HarddiskVolume3\
\Device\HarddiskVolume3\
\Device\HarddiskVolume3\
\Device\HarddiskVolume3\
\Device\HarddiskVolume3\
\Device\HarddiskVolume3\
\Device\HarddiskVolume3\
\Device\HarddiskVolume3\
\Device\HarddiskVolume3\
\Device\HarddiskVolume3\
\Device\HarddiskVolume3\
\Device\HarddiskVolume3\
\Device\HarddiskVolume3\
\Device\HarddiskVolume3\
\Device\HarddiskVolume3\
\Device\HarddiskVolume3\
\Device\HarddiskVolume3\
\Device\HarddiskVolume3\
\Device\HarddiskVolume3\
\Device\HarddiskVolume3\
\Device\HarddiskVolume3\
\Device\HarddiskVolume3\
\Device\HarddiskVolume3\
\Device\HarddiskVolume3\
\Device\HarddiskVolume3\
\Device\HarddiskVolume3\
\Device\HarddiskVolume3\
\Device\HarddiskVolume3\
\Device\HarddiskVolume3\
\Device\HarddiskVolume3\
\Device\HarddiskVolume3\
\Device\HarddiskVolume3\
\Device\HarddiskVolume3\
\Device\HarddiskVolume3\
\Device\HarddiskVolume3\
\Device\HarddiskVolume3\
\Device\HarddiskVolume3\
\Device\HarddiskVolume3\
\Device\HarddiskVolume3\
\Device\HarddiskVolume3\
\Device\HarddiskVolume3\

希望对大家有帮助,只做有用的,不做垃圾;

要转载的话请标明出处  https://blog.csdn.net/feixi7358/article/details/84984154?tdsourcetag=s_pcqq_aiomsg


转载自blog.csdn.net/feixi7358/article/details/84984154