  • note : Get FilePathName from FILE_OBJECT

    转自:http://blog.csdn.net/lostspeed/article/details/11738311

    封了一个函数, 从 FILE_OBJECT 中 得到 FilePathName

    在WinXpSp3下测试通过.


    函数定义

    /// Reports whether pstr itself and every byte of pstr->Buffer (up to
    /// pstr->Length) pass MmIsAddressValid, and whether the string is non-empty.
    BOOLEAN IsValidUnicodeString(PUNICODE_STRING pstr);

    /// Builds "<DOS volume name><related file name><file name>" for pFileObj
    /// into the caller-supplied puniFilePathName.
    /// Returns TRUE when at least one of the two FileName fields was usable.
    BOOLEAN GetFilePathNameFromFileObject(
        PFILE_OBJECT pFileObj,
        PUNICODE_STRING puniFilePathName);


    函数实现

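    /// Appends pComponent to pDst. A L'\\' separator is inserted first unless
    /// the component already begins with L'\\' or with L'\0'.
    /// Returns FALSE when RtlUnicodeStringCat reports a failure, for example
    /// when the result does not fit into pDst->MaximumLength.
    static BOOLEAN AppendPathComponent(
        UNICODE_STRING * pDst,
        UNICODE_STRING * pComponent)
    {
        UNICODE_STRING ustrLink; ///< path separator
        WCHAR wcFirst = pComponent->Buffer[0];

        RtlInitUnicodeString(&ustrLink, L"\\");

        /// The buffer can be valid without holding a visible wide string
        /// (it may start with L'\0'); no separator is added in that case.
        if ((L'\\' != wcFirst) && (L'\0' != wcFirst))
        {
            if (!NT_SUCCESS(RtlUnicodeStringCat(pDst, &ustrLink)))
                return FALSE;
        }

        return NT_SUCCESS(RtlUnicodeStringCat(pDst, pComponent)) ? TRUE : FALSE;
    }

    /// Builds a DOS-style path name for pFileObj into puniFilePathName.
    ///
    /// @param pFileObj          file object whose name is wanted
    /// @param puniFilePathName  caller-initialised UNICODE_STRING; Buffer and
    ///                          MaximumLength describe the output storage
    ///                          (the caller shown on this page passes MAX_PATH
    ///                          wide characters)
    /// @return TRUE when FileName of pFileObj or of its RelatedFileObject was
    ///         usable and the whole path fitted into the output buffer.
    ///         FALSE otherwise; on a volume-name failure or on truncation the
    ///         output string is reset to empty, so a caller never sees a
    ///         partial path that looks complete.
    ///
    /// NOTE(review): FILE_OBJECT.FileName and RelatedFileObject are documented
    /// as reliable only while an IRP_MJ_CREATE request is being processed;
    /// afterwards the file system may change or release the name buffer.
    /// Outside the create path a supported query (for example
    /// IoQueryFileDosDeviceName, or FltGetFileNameInformation in a minifilter)
    /// is the safer source - confirm against the calling context.
    /// NOTE(review): IoVolumeDeviceToDosName is documented for PASSIVE_LEVEL.
    /// NOTE(review): the result is not normalised (8.3 short names and case
    /// variants of the same file are returned as-is), so it should not be
    /// compared literally when making an access decision.
    BOOLEAN GetFilePathNameFromFileObject(
        FILE_OBJECT * pFileObj,
        UNICODE_STRING * puniFilePathName)
    {
        BOOLEAN bValidFN_FileObj = FALSE;
        BOOLEAN bValidFN_RelatedFileObj = FALSE;
        BOOLEAN bAppended = TRUE;
        NTSTATUS ntStatus;

        PFILE_OBJECT pRelatedFileObject = NULL;
        UNICODE_STRING ustrTmp;

        if ((NULL == pFileObj) || (NULL == puniFilePathName))
            return FALSE;

        /// Without output storage there is nothing that can be zeroed or filled.
        if ((NULL == puniFilePathName->Buffer)
            || (0 == puniFilePathName->MaximumLength))
            return FALSE;

        /// Initialise the working data and empty the output string.
        RtlInitUnicodeString(&ustrTmp, NULL);
        RtlZeroMemory(puniFilePathName->Buffer, puniFilePathName->MaximumLength);
        puniFilePathName->Length = 0;

        pRelatedFileObject = pFileObj->RelatedFileObject;
        bValidFN_FileObj = IsValidUnicodeString(&pFileObj->FileName);

        /// RelatedFileObject may be NULL; do not form a member address from it.
        if (NULL != pRelatedFileObject)
        {
            bValidFN_RelatedFileObj =
                IsValidUnicodeString(&pRelatedFileObject->FileName);
        }

        /// Volume (drive letter) part.
        ntStatus = IoVolumeDeviceToDosName(pFileObj->DeviceObject, &ustrTmp);
        if (!NT_SUCCESS(ntStatus))
            return FALSE; ///< a path without its volume would be ambiguous

        RtlCopyUnicodeString(puniFilePathName, &ustrTmp);

        /// The buffer returned by IoVolumeDeviceToDosName belongs to the
        /// caller and is documented to be released with ExFreePool.
        if (NULL != ustrTmp.Buffer)
            ExFreePool(ustrTmp.Buffer);

        /// Relative part. pRelatedFileObject->FileName may be empty, in which
        /// case the whole relative path is in pFileObj->FileName.
        if (bValidFN_RelatedFileObj)
        {
            bAppended = AppendPathComponent(
                puniFilePathName, &pRelatedFileObject->FileName);
        }

        /// File name; it may itself be a full path including the relative
        /// part, e.g. "\Windows\System\xx.yyy".
        if (bAppended && bValidFN_FileObj)
        {
            bAppended = AppendPathComponent(
                puniFilePathName, &pFileObj->FileName);
        }

        if (!bAppended)
        {
            /// Truncated or failed concatenation: hand back an empty string
            /// instead of a shortened path.
            RtlZeroMemory(puniFilePathName->Buffer,
                          puniFilePathName->MaximumLength);
            puniFilePathName->Length = 0;
            return FALSE;
        }

        return (bValidFN_FileObj || bValidFN_RelatedFileObj);
    }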
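    /// Best-effort sanity check of a UNICODE_STRING before it is read.
    ///
    /// @param pstr  string descriptor to inspect
    /// @return TRUE when the descriptor and every byte of Buffer[0..Length)
    ///         pass MmIsAddressValid, Buffer is non-NULL, and Length is
    ///         non-zero, even, and not larger than MaximumLength.
    ///
    /// NOTE(review): MmIsAddressValid only reports whether an access would
    /// page-fault at the moment of the call. Valid but paged-out memory is
    /// reported as invalid, and a TRUE result gives no guarantee that the
    /// memory stays mapped afterwards, so this is not a substitute for
    /// holding a reference to the data or using a supported name query.
    /// NOTE(review): the __except handler is not a safety net for bad
    /// kernel-mode addresses; such an access normally bug-checks the system
    /// rather than raising an exception that can be handled here.
    BOOLEAN IsValidUnicodeString(PUNICODE_STRING pstr)
    {
        BOOLEAN bRc = FALSE;
        ULONG   ulIndex = 0;

        __try
        {
            /// __leave is used instead of return so that the __try block is
            /// not exited through an abnormal termination (unwind).
            if (!MmIsAddressValid(pstr))
                __leave;

            /// The descriptor may straddle a page boundary; probe its last
            /// byte as well before reading the fields.
            if (!MmIsAddressValid((UCHAR *)pstr + sizeof(*pstr) - 1))
                __leave;

            if ((NULL == pstr->Buffer) || (0 == pstr->Length))
                __leave;

            /// Length counts bytes of WCHAR data and must fit the buffer.
            if ((0 != (pstr->Length % sizeof(WCHAR)))
                || (pstr->Length > pstr->MaximumLength))
                __leave;

            for (ulIndex = 0; ulIndex < pstr->Length; ulIndex++)
            {
                if (!MmIsAddressValid((UCHAR *)pstr->Buffer + ulIndex))
                    __leave;
            }

            bRc = TRUE;
        }

        __except(EXCEPTION_EXECUTE_HANDLER)
        {
            bRc = FALSE;
        }

        return bRc;
    }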

    在分派例程中得到 FILE_OBJECT 方法

    /// Take the FILE_OBJECT from this driver's stack location of the IRP.
    /// NOTE(review): FILE_OBJECT.FileName is documented as reliable only while
    /// an IRP_MJ_CREATE request is being processed - confirm which dispatch
    /// routine this runs in before reading the name fields.
    pIoStack    = IoGetCurrentIrpStackLocation(pIrp);
    pFileObject = pIoStack->FileObject;


    入参的准备

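    /// Output storage for GetFilePathNameFromFileObject: MAX_PATH wide
    /// characters on the stack. Names longer than this buffer do not fit, so
    /// the function's return value has to be checked before the string is used.
    WCHAR               cFilePathNameW[MAX_PATH];
    UNICODE_STRING      unistrFilePathName;

    RtlZeroMemory(cFilePathNameW, sizeof(cFilePathNameW));

    /// RtlInitEmptyUnicodeString sets Buffer, Length = 0 and MaximumLength in
    /// one step, so MaximumLength no longer has to be patched by hand after
    /// RtlInitUnicodeString derived it from the (empty) string content.
    RtlInitEmptyUnicodeString(
        &unistrFilePathName, cFilePathNameW, sizeof(cFilePathNameW));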


    效果图

      1. DisPatchDeviceControl IOCTL 0x22e000  
      2. cFilePathName[0] = C:   
      3. cFilePathName[1] = C:Documents and SettingsAll UsersApplication DataVMware   
      4. cFilePathName[2] = C:Documents and SettingsAll UsersApplication DataVMwareVMware Tools   
      5. cFilePathName[3] = C:Documents and SettingsAll UsersApplication DataVMwareVMware Tools   
      6. cFilePathName[4] = C:WINDOWSsystem32Msimtf.dll   
      7. cFilePathName[5] = C:WINDOWSsystem32NOTEPAD.EXE   
      8. cFilePathName[6] = C:WINDOWSAppPatchsysmain.sdb   
      9. cFilePathName[7] = C:WINDOWSAppPatchsystest.sdb   
      10. cFilePathName[8] = C:WINDOWSsystem32   
      11. cFilePathName[9] = C:WINDOWS   
      12. cFilePathName[10] = C:WINDOWSsystem32NOTEPAD.EXE.Manifest   
      13. cFilePathName[11] = C:WINDOWSsystem32NOTEPAD.EXE.Config   
      14. cFilePathName[12] = C:WINDOWSWinSxSPoliciesx86_Policy.6.0.Microsoft.Windows.Common-Controls_6595b64144ccf1df_zh-CN_f3ffe327   
      15. cFilePathName[13] = C:WINDOWSAssemblyGACPolicy.6.0.Microsoft.Windows.Common-Controls   
      16. cFilePathName[14] = C:WINDOWSWinSxSPoliciesx86_Policy.6.0.Microsoft.Windows.Common-Controls_6595b64144ccf1df_zh-CHS_6bff526c   
      17. cFilePathName[15] = C:WINDOWSWinSxSPoliciesx86_Policy.6.0.Microsoft.Windows.Common-Controls_6595b64144ccf1df_x-ww_5ddad775   
      18. cFilePathName[16] = C:WINDOWSWinSxSPoliciesx86_Policy.6.0.Microsoft.Windows.Common-Controls_6595b64144ccf1df_x-ww_5ddad7756.0.2600.5512.Policy   
      19. cFilePathName[17] = C:WINDOWSWinSxSPoliciesx86_Policy.6.0.Microsoft.Windows.Common-Controls.mui_6595b64144ccf1df_zh-CN_b45a2b14   
      20. cFilePathName[18] = C:WINDOWSAssemblyGACPolicy.6.0.Microsoft.Windows.Common-Controls.mui   
      21. cFilePathName[19] = C:WINDOWSWinSxSPoliciesx86_Policy.6.0.Microsoft.Windows.Common-Controls.mui_6595b64144ccf1df_zh-CHS_2c599a59   
      22. cFilePathName[20] = C:WINDOWSWinSxSManifestsx86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.5512_x-ww_35d4ce83.Manifest   
      23. cFilePathName[21] = C:WINDOWSPrefetchNOTEPAD.EXE-336351A9.pf   
      24. cFilePathName[22] = C:Documents and SettingsAdministrator   
      25. cFilePathName[23] = C:Documents and SettingsAdministrator桌面   
      26. cFilePathName[24] = C:DOCUME~1   
      27. cFilePathName[25] = C:DOCUME~1ADMINI~1   
      28. cFilePathName[26] = C:DOCUME~1ADMINI~1LOCALS~1   
      29. cFilePathName[27] = C:Documents and SettingsAdministrator桌面abc.txt   
      30. cFilePathName[28] = C:Documents and SettingsAdministrator桌面   
      31. cFilePathName[29] = C:SYSTEM VOLUME INFORMATION   
      32. cFilePathName[30] = C:Documents and SettingsAdministratorRecent   
      33. cFilePathName[31] = C:Documents and SettingsAdministratorRecentabc.txt.lnk   
      34. cFilePathName[32] = C:SYSTEM VOLUME INFORMATION\_RESTORE{288FCF24-DDBA-4A0A-98C0-50E279B93ECC}   
      35. cFilePathName[33] = C:SYSTEM VOLUME INFORMATION\_RESTORE{288FCF24-DDBA-4A0A-98C0-50E279B93ECC}RP4   
      36. cFilePathName[34] = C:WINDOWSAPPPATCH   
      37. cFilePathName[35] = C:WINDOWSWINSXS   
      38. cFilePathName[36] = C:WINDOWSWINSXSX86_MICROSOFT.WINDOWS.COMMON-CONTROLS_6595B64144CCF1DF_6.0.2600.5512_X-WW_35D4CE83   
      39. cFilePathName[37] = C:WINDOWSSYSTEM32NTDLL.DLL   
      40. cFilePathName[38] = C:WINDOWSSYSTEM32KERNEL32.DLL   
      41. cFilePathName[39] = C:WINDOWSSYSTEM32UNICODE.NLS   
      42. cFilePathName[40] = C:WINDOWSSYSTEM32LOCALE.NLS   
      43. cFilePathName[41] = C:WINDOWSSYSTEM32SORTTBLS.NLS   
      44. cFilePathName[42] = C:WINDOWSSYSTEM32COMDLG32.DLL   
      45. cFilePathName[43] = C:WINDOWSSYSTEM32ADVAPI32.DLL   
      46. cFilePathName[44] = C:WINDOWSSYSTEM32RPCRT4.DLL   
      47. cFilePathName[45] = C:WINDOWSSYSTEM32SECUR32.DLL   
      48. cFilePathName[46] = C:WINDOWSWINSXSX86_MICROSOFT.WINDOWS.COMMON-CONTROLS_6595B64144CCF1DF_6.0.2600.5512_X-WW_35D4CE83COMCTL32.DLL   
      49. cFilePathName[47] = C:WINDOWSSYSTEM32MSVCRT.DLL   
      50. cFilePathName[48] = C:WINDOWSSYSTEM32GDI32.DLL   
      51. cFilePathName[49] = C:WINDOWSSYSTEM32USER32.DLL   
      52. cFilePathName[50] = C:WINDOWSSYSTEM32SHLWAPI.DLL   
      53. cFilePathName[51] = C:WINDOWSSYSTEM32SHELL32.DLL   
      54. cFilePathName[52] = C:WINDOWSSYSTEM32WINSPOOL.DRV   
      55. cFilePathName[53] = C:WINDOWSSYSTEM32SHIMENG.DLL   
      56. cFilePathName[54] = C:WINDOWSAPPPATCHACGENRAL.DLL   
      57. cFilePathName[55] = C:WINDOWSSYSTEM32WINMM.DLL   
      58. cFilePathName[56] = C:WINDOWSSYSTEM32OLE32.DLL   
      59. cFilePathName[57] = C:WINDOWSSYSTEM32OLEAUT32.DLL   
      60. cFilePathName[58] = C:WINDOWSSYSTEM32MSACM32.DLL   
      61. cFilePathName[59] = C:WINDOWSSYSTEM32VERSION.DLL   
      62. cFilePathName[60] = C:WINDOWSSYSTEM32USERENV.DLL   
      63. cFilePathName[61] = C:WINDOWSSYSTEM32UXTHEME.DLL   
      64. cFilePathName[62] = C:WINDOWSSYSTEM32CTYPE.NLS   
      65. cFilePathName[63] = C:WINDOWSSYSTEM32IMM32.DLL   
      66. cFilePathName[64] = C:WINDOWSSYSTEM32LPK.DLL   
      67. cFilePathName[65] = C:WINDOWSSYSTEM32USP10.DLL   
      68. cFilePathName[66] = C:WINDOWSWINDOWSSHELL.MANIFEST   
      69. cFilePathName[67] = C:WINDOWSSYSTEM32MSCTF.DLL   
      70. cFilePathName[68] = C:WINDOWSSYSTEM32MSCTFIME.IME   
      71. cFilePathName[69] = C:SYSTEM VOLUME INFORMATION\_RESTORE{288FCF24-DDBA-4A0A-98C0-50E279B93ECC}RP4CHANGE.LOG   
      72. cFilePathName[70] = C:BOOT.INI   
      73. cFilePathName[71] = C:WINDOWSSYSTEM32WIN32K.SYS   
      74. cFilePathName[72] = C:WINDOWSWinSxSx86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.5512_x-ww_35d4ce83   
      75. cFilePathName[73] = C:Documents and Settings   
      76. cFilePathName[74] = C:Documents and SettingsAdministratorLocal Settings   
      77. cFilePathName[75] = C:Documents and SettingsAdministratorLocal SettingsHistorydesktop.ini   
      78. cFilePathName[76] = C:WINDOWSWindowsShell.Config   
      79. cFilePathName[77] = C:WINDOWSsystem32SHELL32.dll.124.Manifest   
      80. cFilePathName[78] = C:WINDOWSsystem32SHELL32.dll.124.Config   
      81. cFilePathName[79] = C:WINDOWSPrefetch   
      82. cFilePathName[80] = C:WINDOWSsystem32804   
      83. cFilePathName[81] = C:WINDOWSMUIFallback804   
      84. cFilePathName[82] = C:WINDOWSsystem32DRIVERSMUI804   
      85. cFilePathName[83] = C:WINDOWSsystem32DRIVERSACPI.sys   
      86. cFilePathName[84] = C:WINDOWSsystem32DRIVERSmssmbios.sys   
      87. cFilePathName[85] = C:WINDOWSsystem32DRIVERSintelppm.sys   
      88. cFilePathName[86] = C:WINDOWSsystem32DRIVERSipnat.sys   
      89. cFilePathName[87] = C:WINDOWSSystem32DriversHTTP.sys   
      90. cFilePathName[88] = C:WINDOWSsystem32WBEMLogswmiprov.log   
      91. cFilePathName[89] = C:WINDOWSSoftwareDistributionDataStore   
      92. cFilePathName[90] = C:WINDOWSSoftwareDistributionDataStoreDataStore.edb   
      93. cFilePathName[91] = C:WINDOWSSoftwareDistributionDataStoreDataStore.edb   
      94. cFilePathName[92] = C:WINDOWSSoftwareDistributionDataStore   
      95. cFilePathName[93] = C:WINDOWSSoftwareDistribution   
      96. cFilePathName[94] = C:WINDOWSSoftwareDistribution   
      97. cFilePathName[95] = C:WINDOWS   
      98. cFilePathName[96] = C:WINDOWSSoftwareDistributionDataStoreLogsedb.chk   
      99. cFilePathName[97] = C:WINDOWSSoftwareDistributionDataStoreLogsedb.chk   
      100. cFilePathName[98] = C:WINDOWSSoftwareDistributionDataStoreLogs   
      101. cFilePathName[99] = C:WINDOWSsystem32xpsp2res.dll
  • 原文地址:https://www.cnblogs.com/priarieNew/p/9761189.html