参考FileSpy写的文件监控程序,但比它的抽象多了。可能瑞星的文件驱动也是这样写的,否则它为什么老阻止我安装驱动呢。测试程序是一个命令行小程序,负责打开设备,开启监控和关闭监控,运行时开启和关闭两次。
在DebugView中查看输出信息,我只是想看看能不能达到目的,所以信息量很少。
在驱动程序中开启和关闭监控的代码:
VOID AttachedToDeviceByName (__in PWSTR DeviceName, __in BOOLEAN attach)
{
UCHAR tmp_buf1[50];
UNICODE_STRING volumeName;
NTSTATUS status;
OBJECT_ATTRIBUTES objectAttributes;
IO_STATUS_BLOCK openStatus;
HANDLE fileHandle;
PDEVICE_OBJECT volume_obj, fs_obj, spy_obj;
PFILESPY_DEVICE_EXTENSION devExt;
ULONG i;
LARGE_INTEGER interval;
PDEVICE_OBJECT current_obj, next_obj;
PAGED_CODE();
//应用程序传过来的盘符
RtlInitEmptyUnicodeString(&volumeName, (PWSTR)tmp_buf1, sizeof(tmp_buf1));
RtlAppendUnicodeToString(&volumeName, L"\\DosDevices\\");
status = RtlAppendUnicodeToString(&volumeName, DeviceName);
InitializeObjectAttributes( &objectAttributes,
&volumeName,
OBJ_CASE_INSENSITIVE | OBJ_KERNEL_HANDLE,
NULL,
NULL );
status = ZwCreateFile( &fileHandle,
SYNCHRONIZE|FILE_READ_DATA,
&objectAttributes,
&openStatus,
NULL,
0,
FILE_SHARE_READ|FILE_SHARE_WRITE,
FILE_OPEN,
FILE_SYNCHRONOUS_IO_NONALERT,
NULL,
0 );
status = ObReferenceObjectByHandle( fileHandle,
FILE_READ_DATA,
*IoFileObjectType,
KernelMode,
&volume_obj,
NULL );
fs_obj = IoGetBaseFileSystemDeviceObject( volume_obj );
ObReferenceObject( fs_obj );
if(attach)
{
ObDereferenceObject( volume_obj );
ZwClose( fileHandle );
status = IoCreateDevice( gFileSpyDriverObject,
sizeof( FILESPY_DEVICE_EXTENSION ),
NULL,
fs_obj->DeviceType,
0,
FALSE,
&spy_obj );
devExt = spy_obj->DeviceExtension;
devExt->AttachedToDeviceObject = NULL;
ASSERT( IS_FILESPY_DEVICE_OBJECT( spy_obj ) );
SetFlag( spy_obj->Flags, FlagOn( fs_obj->Flags, (DO_BUFFERED_IO | DO_DIRECT_IO | DO_SUPPORTS_TRANSACTIONS)));
SetFlag( spy_obj->Characteristics, FlagOn( fs_obj->Characteristics, (FILE_DEVICE_SECURE_OPEN) ));
for (i=0; i < 8; i++)
{
status = IoAttachDeviceToDeviceStackSafe( spy_obj, fs_obj, &devExt->AttachedToDeviceObject );
if (NT_SUCCESS(status) )
{
break;
}
interval.QuadPart = (500 * DELAY_ONE_MILLISECOND);
KeDelayExecutionThread( KernelMode, FALSE, &interval );
}
ClearFlag(spy_obj->Flags, DO_DEVICE_INITIALIZING);
ObDereferenceObject( fs_obj );
}
else
{
current_obj = IoGetAttachedDeviceReference( fs_obj );
while (NULL != current_obj)
{
if (IS_FILESPY_DEVICE_OBJECT( current_obj ))
{
spy_obj = current_obj;
break;
}
next_obj = IoGetLowerDeviceObject( current_obj );
ObDereferenceObject( current_obj );
current_obj = next_obj;
}
ObDereferenceObject( volume_obj );
ZwClose( fileHandle );
devExt = spy_obj->DeviceExtension;
IoDetachDevice( devExt->AttachedToDeviceObject );
IoDeleteDevice( spy_obj );
ObDereferenceObject( spy_obj );
ObDereferenceObject( spy_obj );
ObDereferenceObject( spy_obj );
interval.QuadPart = (5 * DELAY_ONE_SECOND); //等5秒
KeDelayExecutionThread( KernelMode, FALSE, &interval );
ObDereferenceObject( fs_obj );
}
}
写的时候遇到一个有趣的问题是,驱动安装卸载一次,然后再安装,应用程序就不能访问它了,GetError()提示说系统找不到指定的文件。原来是卸载的时候没有卸干净,所以第二次不能用,程序中有相连的三句话“ObDereferenceObject( spy_obj);”正是我担心spy_obj不释放才出此下策。