- 注册时间
- 2011-3-6
- 最后登录
- 1970-1-1
该用户从未签到
|
minifilter,sfilter也可以做这类事情,但是写起来有一大坨~翻了一下硬盘发现很久很久以前写的一个代码~
主要代码如下,其他代码部分都是可以自己写写完事了~
代码:
//SSDT hook???? or inline hook?
Hookstru OrigZwCreateFile;
Hookstru OrigZwOpenFile;
wchar_t m_wcGoodFile[][MAX_PATH] =
{
L"*\\GAME.TRC",
};
BOOLEAN IsGoodFileName(PUNICODE_STRING usName)
{
size_t i;
// enumerate known modules
for (i = 0; i < sizeof(m_wcGoodFile) / sizeof(m_wcGoodFile[0]); i++)
{
UNICODE_STRING usExpression;
RtlInitUnicodeString(&usExpression, m_wcGoodFile[i]);
// match name by mask
if (FsRtlIsNameInExpression(&usExpression, usName, TRUE, NULL))
{
return TRUE;
}
}
return FALSE;
}
wchar_t m_wcBadFile[][MAX_PATH] =
{
L"*\\~DMP*.TMP",
L"*.CMP",
L"*.DMP",
L"*.TRC",
L"*.CPP",
L"*.C",
L"*.H",
L"*.E",
L"*.LUA",
L"*.LOG"
};
BOOLEAN IsBadFileName(PUNICODE_STRING usName)
{
size_t i;
// enumerate known modules
for (i = 0; i < sizeof(m_wcBadFile) / sizeof(m_wcBadFile[0]); i++)
{
UNICODE_STRING usExpression;
RtlInitUnicodeString(&usExpression, m_wcBadFile[i]);
// match name by mask
if (FsRtlIsNameInExpression(&usExpression, usName, TRUE, NULL))
{
return TRUE;
}
}
return FALSE;
}
const char normalProcesslist[][33]={
"explorer.exe",
"svchost.exe",
"ctfmon.exe",
"conime.exe",
"csrss.exe",
"winlogon.exe",
"wmiprvse.exe",
"services.exe",
"rthdcpl.exe",
"lsass.exe",
"devenv.exe",
"nvsvc32.exe",
"cmd.exe",
"firefox.exe",
"notepad.exe",
"iPodService.exe",
"QQPYCloud.exe",
"notepad++.exe",
"vmware-hostd.ex",
"QQPYConfig.exe",
"TSVNCache.exe",
"iTunesHelper.ex",
"AGPLoader.exe",
"od.exe",
"Dbgview.exe",
"vcpkgsrv.exe",
"MSBuild.exe",
"AutoVersion.exe",
"build.exe",
"nmake.exe",
"calc.exe",
"link.exe",
"idaq.exe",
"verclsid.exe",
};
BOOL IsNormalProcess(PEPROCESS Process)
{
char processname[128];
int i=0;
RtlZeroMemory(processname,128);
strncpy(processname,PsGetProcessImageFileName(Process),16);
for (i=0;i<sizeof(normalProcesslist)/sizeof(normalProcesslist[0]);i++)
{
if (_stricmp(processname,normalProcesslist[i])==0)
{
return TRUE;
}
}
return FALSE;
}
NTSTATUS NTAPI
OnNtCreateFile (
PHANDLE FileHandle,
ACCESS_MASK DesiredAccess,
POBJECT_ATTRIBUTES ObjectAttributes,
PIO_STATUS_BLOCK IoStatusBlock,
PLARGE_INTEGER AllocationSize,
ULONG FileAttributes,
ULONG ShareAccess,
ULONG CreateDisposition,
ULONG CreateOptions,
PVOID EaBuffer,
ULONG EaLength
)
{
NTSTATUS ns;
T_ZwCreateFile OldZwCreateFile=NULL;
OldZwCreateFile = (T_ZwCreateFile)OrigZwCreateFile.oritocall;
if(ExGetPreviousMode()==UserMode&&!IsNormalProcess(PsGetCurrentProcess()))
{
__try
{
if (MmIsAddressValid(ObjectAttributes))
{
if(ValidateUnicodeString(ObjectAttributes->ObjectName))
{
if (IsGoodFileName(ObjectAttributes->ObjectName))
{
goto PassThrugh;
}
if (IsBadFileName(ObjectAttributes->ObjectName))
{
return STATUS_ACCESS_DENIED;
}
}
}
}
__except(EXCEPTION_EXECUTE_HANDLER)
{
}
}
PassThrugh:
ns = OldZwCreateFile(FileHandle,DesiredAccess,ObjectAttributes,IoStatusBlock,AllocationSize,FileAttributes,ShareAccess,CreateDisposition,CreateOptions,EaBuffer,EaLength);
return ns;
}
NTSTATUS NTAPI
OnNtOpenFile(
PHANDLE FileHandle,
ACCESS_MASK DesiredAccess,
POBJECT_ATTRIBUTES ObjectAttributes,
PIO_STATUS_BLOCK IoStatusBlock,
ULONG ShareAccess,
ULONG OpenOptions
)
{
NTSTATUS ns;
T_ZwOpenFile OldZwOpenFile=NULL;
OldZwOpenFile = (T_ZwOpenFile)OrigZwOpenFile.oritocall;
if(ExGetPreviousMode()==UserMode&&!IsNormalProcess(PsGetCurrentProcess()))
{
__try
{
if (MmIsAddressValid(ObjectAttributes))
{
if(ValidateUnicodeString(ObjectAttributes->ObjectName))
{
if (IsGoodFileName(ObjectAttributes->ObjectName))
{
goto PassThrugh;
}
if (IsBadFileName(ObjectAttributes->ObjectName))
{
return STATUS_ACCESS_DENIED;
}
}
}
}
__except(EXCEPTION_EXECUTE_HANDLER)
{
}
}
PassThrugh:
ns =OldZwOpenFile(FileHandle,DesiredAccess,ObjectAttributes,IoStatusBlock,ShareAccess,OpenOptions);
return ns;
} |
|
发表于 2013-4-2 08:57:29