转载自http://www.misssir.cn/art/_show.aspx?art=49 摘要: 我想做一个unlocker一样的程序,不管这个文件有没有被使用,先实现删除它。在查资料过程中,就知道了如果不访问磁盘扇区的话,除非写驱动才能做到。奈何时间有限,工作匆忙,一直没有完成。而且忽视了更简便的方法——在别的路径下把修改后的OCX控件重新注册一下就可以了。 |
文件过滤加密的源代码 //过滤读 NTSTATUS SfRead(__in PDEVICE_OBJECT DeviceObject, __in PIRP Irp) { PIO_STACK_LOCATION irp_stack; BOOLEAN is_crypt; NTSTATUS status; PSFILTER_DEVICE_EXTENSION devExt; PAGED_CODE(); ASSERT(!IS_MY_CONTROL_DEVICE_OBJECT( DeviceObject )); ASSERT(IS_MY_DEVICE_OBJECT( DeviceObject )); devExt = (PSFILTER_DEVICE_EXTENSION)(DeviceObject->DeviceExtension); if(Irp->Flags & (IRP_NOCACHE | IRP_PAGING_IO | IRP_SYNCHRONOUS_PAGING_IO)) { irp_stack = IoGetCurrentIrpStackLocation( Irp ); is_crypt = IsMyCryptFile(irp_stack->FileObject); if(is_crypt) //是我的加密文件 { //设置完成例程 IoCopyCurrentIrpStackLocationToNext( Irp ); IoSetCompletionRoutine(Irp, SfReadCompletion, 0, TRUE, FALSE, FALSE); //调用原来的驱动 return IoCallDriver(devExt->AttachedToDeviceObject, Irp); } } //非加密文件 IoSkipCurrentIrpStackLocation(Irp); return IoCallDriver(devExt->AttachedToDeviceObject, Irp); } //读操作的完成例程 NTSTATUS SfReadCompletion(__in PDEVICE_OBJECT DeviceObject, __in PIRP Irp, __in PVOID Context) { ULONG length; //长度 PUCHAR buffer; //缓冲区 ULONG i; PIO_STACK_LOCATION irp_stack; irp_stack = IoGetCurrentIrpStackLocation( Irp ); ShowUnicodeString(&(irp_stack->FileObject->FileName)); DbgPrint("SfReadCompletion 读文件解密"); length = Irp->IoStatus.Information; buffer = MmGetSystemAddressForMdlSafe(Irp->MdlAddress, NormalPagePriority); for(i = 0; i < length; i++) { buffer[i] = buffer[i] - 17; //解密 } return STATUS_SUCCESS; } //过滤写 NTSTATUS SfWrite(__in PDEVICE_OBJECT DeviceObject, __in PIRP Irp) { PIO_STACK_LOCATION irp_stack; BOOLEAN is_crypt; NTSTATUS status; PSFILTER_DEVICE_EXTENSION devExt; PAGED_CODE(); ASSERT(!IS_MY_CONTROL_DEVICE_OBJECT( DeviceObject )); ASSERT(IS_MY_DEVICE_OBJECT( DeviceObject )); devExt = (PSFILTER_DEVICE_EXTENSION)(DeviceObject->DeviceExtension); if(Irp->Flags & (IRP_NOCACHE | IRP_PAGING_IO | IRP_SYNCHRONOUS_PAGING_IO)) { irp_stack = IoGetCurrentIrpStackLocation( Irp ); is_crypt = IsMyCryptFile(irp_stack->FileObject); if(is_crypt) { ULONG length; //长度 PUCHAR buffer, buffer2; //原来缓冲区和加密后缓冲区 ULONG i; PMDL new_mdl; length = irp_stack->Parameters.Write.Length; buffer = MmGetSystemAddressForMdlSafe(Irp->MdlAddress, NormalPagePriority); //分配同样大小的空间 buffer2 = (PUCHAR)ExAllocatePool(NonPagedPool, length); if(buffer2 != 0) { ShowUnicodeString(&(irp_stack->FileObject->FileName)); DbgPrint("SfWrite 写文件加密"); for(i = 0; i < length; i++) { buffer2[i] = buffer[i] + 17; //加密 } //设置完成例程 IoCopyCurrentIrpStackLocationToNext( Irp ); IoSetCompletionRoutine(Irp, SfWriteCompletion, Irp->MdlAddress, TRUE, TRUE, TRUE);
//替换成新的缓冲区 new_mdl = IoAllocateMdl(buffer2, length, FALSE, TRUE, NULL); MmBuildMdlForNonPagedPool(new_mdl); Irp->MdlAddress = new_mdl; //调用原来的驱动 return IoCallDriver(devExt->AttachedToDeviceObject, Irp); } else { ShowUnicodeString(&(irp_stack->FileObject->FileName)); DbgPrint("SfWrite 写不能分配内存"); Irp->IoStatus.Status = STATUS_INSUFFICIENT_RESOURCES; Irp->IoStatus.Information = 0; IoCompleteRequest( Irp, IO_NO_INCREMENT ); return Irp->IoStatus.Status; } } } //非加密文件 IoSkipCurrentIrpStackLocation(Irp); return IoCallDriver(devExt->AttachedToDeviceObject, Irp); } //写完成后就把分配的空间给删除掉 NTSTATUS SfWriteCompletion(__in PDEVICE_OBJECT DeviceObject, __in PIRP Irp, __in PVOID Context) { PMDL old_mdl, new_mdl; PUCHAR buffer2; //我分配的缓冲区 PIO_STACK_LOCATION irp_stack; irp_stack = IoGetCurrentIrpStackLocation( Irp ); ShowUnicodeString(&(irp_stack->FileObject->FileName)); DbgPrint("完成: SfWriteCompletion"); new_mdl = Irp->MdlAddress; old_mdl = (PMDL)Context; //还是指向原来的缓冲区 Irp->MdlAddress = old_mdl; //删除掉我分配的缓冲区 buffer2 = MmGetSystemAddressForMdlSafe(new_mdl, NormalPagePriority); IoFreeMdl(new_mdl); ExFreePool(buffer2); return STATUS_SUCCESS; } //文件打开的时候调用 NTSTATUS SfCreate(__in PDEVICE_OBJECT DeviceObject, __in PIRP Irp) { NTSTATUS status; PSFILTER_DEVICE_EXTENSION devExt; PAGED_CODE(); //如果不是过滤驱动设备就退出 if (IS_MY_CONTROL_DEVICE_OBJECT(DeviceObject)) { Irp->IoStatus.Status = STATUS_SUCCESS; Irp->IoStatus.Information = 0; IoCompleteRequest( Irp, IO_NO_INCREMENT ); return STATUS_SUCCESS; } ASSERT(IS_MY_DEVICE_OBJECT( DeviceObject )); devExt = (PSFILTER_DEVICE_EXTENSION)(DeviceObject->DeviceExtension); //设置完成例程 IoCopyCurrentIrpStackLocationToNext( Irp ); IoSetCompletionRoutine(Irp, SfCreateCompletion, 0, TRUE, FALSE, FALSE); //调用原来的驱动 return IoCallDriver( devExt->AttachedToDeviceObject, Irp ); } //在打开文件的完成例程中记录文件对象 NTSTATUS SfCreateCompletion(__in PDEVICE_OBJECT DeviceObject, __in PIRP Irp, __in PVOID Context) { PIO_STACK_LOCATION irp_stack; PFILE_OBJECT file_obj; BOOLEAN is_crypt; irp_stack = IoGetCurrentIrpStackLocation(Irp); file_obj = irp_stack->FileObject; is_crypt = IsMyCryptFile(file_obj); if(is_crypt) { if(CcIsFileCached(file_obj)) { ShowUnicodeString(&(file_obj->FileName)); DbgPrint("打开时清除缓存 \n"); CcPurgeCacheSection(file_obj->SectionObjectPointer, 0, 0, FALSE); } } return STATUS_SUCCESS; } //关闭文件后的清理工作 NTSTATUS SfCleanupClose(__in PDEVICE_OBJECT DeviceObject, __in PIRP Irp) { NTSTATUS status; PSFILTER_DEVICE_EXTENSION devExt; PIO_STACK_LOCATION irp_stack; PFILE_OBJECT file_obj; BOOLEAN is_crypt; PAGED_CODE(); if (IS_MY_CONTROL_DEVICE_OBJECT(DeviceObject)) { Irp->IoStatus.Status = STATUS_SUCCESS; Irp->IoStatus.Information = 0; IoCompleteRequest( Irp, IO_NO_INCREMENT ); return STATUS_SUCCESS; } ASSERT(IS_MY_DEVICE_OBJECT( DeviceObject )); irp_stack = IoGetCurrentIrpStackLocation(Irp); file_obj = irp_stack->FileObject; is_crypt = IsMyCryptFile(file_obj); if(is_crypt) { if(CcIsFileCached(file_obj)) { ShowUnicodeString(&(file_obj->FileName)); DbgPrint("关闭时清除缓存 \n"); CcPurgeCacheSection(file_obj->SectionObjectPointer, 0, 0, FALSE); } } IoSkipCurrentIrpStackLocation( Irp ); devExt = (PSFILTER_DEVICE_EXTENSION)(DeviceObject->DeviceExtension); return IoCallDriver(devExt->AttachedToDeviceObject, Irp); } 开始写的时候,我本想保持保持缓冲区的数据同磁盘上一样,也是密文,这样就不用清理缓冲区了。但是试验没能成功,因为程序要是按照内存文件映射的方法或者DMA的方法读写缓冲区,我找不到机会解密。 |
过滤驱动加密文件(代码)
摘要:
艺术=49摘要:我想创建一个解锁程序。无论文件是否被使用,都要先删除它。在数据查询期间,已知如果磁盘扇区未被访问,则只能通过写入驱动器来完成。然而,由于时间有限,我很匆忙,没有完成工作。不用谢。在业余时间,我写了一个过滤器加密,就这么简单。文件过滤加密源代码//过滤读取NTSTATUSSfRead{PIO_STACK_LOCATIONirp_STACK;BOOLANIs_crypt;NTSTATUSStatus;PSFILTER_DEVICE_EXTENSIONdevExt;PAGED_code();ASSERT(!IS_MY_CONTROL_DEVICE_OBJECT);ASSET;devExt=;if{irp_STACK=IoGetCurrentIrpStackLocation;IS_crypt=IsMyCryptFile;if//这是我的加密文件{//设置完成例程IoCopyCurrentIrpStackLocationToNext;IoSetCompletionRoutine;//调用原始驱动程序returnIoCallDriver;}}//未加密文件IoSkipCurrentIrpStackLocation;returnIoCallDriver;}//读取操作NTSTATUSSfReadCompletion的完成例程{ULONGlenth;//长度PUCHARbuffer;//缓冲区ULONGi;PIO_STACK_LOCATIONirp_STACK;irp_STACK=IoGetCurrentIrpStackLocation;ShowUnicodeString;DbgPrint;长度=irp-˃IoStatus.Information;缓冲区=MmGetSystemAddressForMdlSafe;对于{Buffer[i]=Buffer[i]-17;//解密}returnSTATUS_SSUCCESS;}//筛选器写入NTSTATUSSfWrite{PIO_stack_LOCATIONirp_stack;BOOLANIS_crypt;NTSTATUSstatus;PSFILTER_DEVICE_EXTENSIONdevExt;PAGED_CODE();ASSERT(!
免责声明:文章转载自《过滤驱动加密文件(代码)》仅用于学习参考。如对内容有疑问,请及时联系本站处理。
上篇Hibernate的批量处理layer弹出层的关闭问题下篇
宿迁高防,2C2G15M,22元/月;香港BGP,2C5G5M,25元/月 雨云优惠码:MjYwNzM=