Minifilter 文件监控 (Windows黑客编程技术详解)
时间:2019-01-17
最近感觉有点浮躁 不知道为什么 可能是学习 驱动学的有点心态崩吧。。。。。 但是还是咬咬牙坚持了 、
因为感觉自己现在还差了远 如果自己 寒假不好好学习 内核这方面的知识 下学期 还要去 撸关于CTF的东西 自己一直海峡那个去看看 编译原理 所以 感觉 任务比较多呀!!!!!!!!!!
然后这次博客是根据《Windows黑客编程技术详解》一书所写,感觉很惭愧,感觉博客写得不怎么样。但是寒假所写的博客主要是让自己看着不忘,为以后写出更好的博客打基础,如果有写得不好的话,还请各位见谅。
然后这次文件监控是用 Minifilter 框架写的,这个框架比较好理解,虽然说代码看起来很多
但是主要的就是
设置要过滤的 IRP,即所要监控的文件操作
使用 FltRegisterFilter 注册过滤器
使用 FltStartFiltering 开始过滤
然后在 DriverUnload 中使用 FltUnregisterFilter 注销过滤器
然后 在vs2013 的项目中直接选择
我鼠标选定的项目即可
然后
首先 设置要过滤的IRP
然后 在回调里面写入然后 设置就行了
代码如下
/*
 * Operation registration table handed to FltRegisterFilter.
 *
 * Every hooked IRP major function routes to the same pre-/post-operation
 * pair, so a small helper macro keeps the entries uniform. The macro is
 * scoped to this table and undefined right after it.
 */
#define MONITOR_OP(MajorFn) \
    { (MajorFn), 0, Minifilter_FileMonitor_TestPreOperation, Minifilter_FileMonitor_TestPostOperation }

CONST FLT_OPERATION_REGISTRATION Callbacks[] = {
    // Operations the monitor currently hooks: open, read, write and
    // set-information (the last one covers delete / rename / attribute changes).
    MONITOR_OP(IRP_MJ_CREATE),
    MONITOR_OP(IRP_MJ_READ),
    MONITOR_OP(IRP_MJ_WRITE),
    MONITOR_OP(IRP_MJ_SET_INFORMATION),
#if 0 // TODO - List all of the requests to filter.
    MONITOR_OP(IRP_MJ_CREATE_NAMED_PIPE),
    MONITOR_OP(IRP_MJ_CLOSE),
    MONITOR_OP(IRP_MJ_QUERY_INFORMATION),
    MONITOR_OP(IRP_MJ_QUERY_EA),
    MONITOR_OP(IRP_MJ_SET_EA),
    MONITOR_OP(IRP_MJ_FLUSH_BUFFERS),
    MONITOR_OP(IRP_MJ_QUERY_VOLUME_INFORMATION),
    MONITOR_OP(IRP_MJ_SET_VOLUME_INFORMATION),
    MONITOR_OP(IRP_MJ_DIRECTORY_CONTROL),
    MONITOR_OP(IRP_MJ_FILE_SYSTEM_CONTROL),
    MONITOR_OP(IRP_MJ_DEVICE_CONTROL),
    MONITOR_OP(IRP_MJ_INTERNAL_DEVICE_CONTROL),
    // Shutdown has no post-operation, so it cannot use the shared pair.
    { IRP_MJ_SHUTDOWN, 0, Minifilter_FileMonitor_TestPreOperationNoPostOperation, NULL }, // post operations not supported
    MONITOR_OP(IRP_MJ_LOCK_CONTROL),
    MONITOR_OP(IRP_MJ_CLEANUP),
    MONITOR_OP(IRP_MJ_CREATE_MAILSLOT),
    MONITOR_OP(IRP_MJ_QUERY_SECURITY),
    MONITOR_OP(IRP_MJ_SET_SECURITY),
    MONITOR_OP(IRP_MJ_QUERY_QUOTA),
    MONITOR_OP(IRP_MJ_SET_QUOTA),
    MONITOR_OP(IRP_MJ_PNP),
    MONITOR_OP(IRP_MJ_ACQUIRE_FOR_SECTION_SYNCHRONIZATION),
    MONITOR_OP(IRP_MJ_RELEASE_FOR_SECTION_SYNCHRONIZATION),
    MONITOR_OP(IRP_MJ_ACQUIRE_FOR_MOD_WRITE),
    MONITOR_OP(IRP_MJ_RELEASE_FOR_MOD_WRITE),
    MONITOR_OP(IRP_MJ_ACQUIRE_FOR_CC_FLUSH),
    MONITOR_OP(IRP_MJ_RELEASE_FOR_CC_FLUSH),
    MONITOR_OP(IRP_MJ_FAST_IO_CHECK_IF_POSSIBLE),
    MONITOR_OP(IRP_MJ_NETWORK_QUERY_OPEN),
    MONITOR_OP(IRP_MJ_MDL_READ),
    MONITOR_OP(IRP_MJ_MDL_READ_COMPLETE),
    MONITOR_OP(IRP_MJ_PREPARE_MDL_WRITE),
    MONITOR_OP(IRP_MJ_MDL_WRITE_COMPLETE),
    MONITOR_OP(IRP_MJ_VOLUME_MOUNT),
    MONITOR_OP(IRP_MJ_VOLUME_DISMOUNT),
#endif // TODO
    // End-of-table marker.
    { IRP_MJ_OPERATION_END }
};

#undef MONITOR_OP
然后开启和关闭过滤器的代码 VS2013 也生成好了,主要是回调函数,代码是《Windows黑客编程技术详解》的源代码
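/*
 * IsProtectionFile
 *
 * Returns TRUE when the name carried by lpNameInfo contains the protected
 * file name, FALSE otherwise. FALSE is also returned when no usable name is
 * present or the temporary buffer cannot be allocated, so a failure here
 * never blocks I/O on its own.
 *
 * Matching is a plain substring search over the full normalized path, as in
 * the original: a path such as "...\x520.exe.bak" or a directory named
 * "520.exe" would match as well. Comparing lpNameInfo->FinalComponent after
 * FltParseFileNameInformation would be a tighter test.
 */
BOOLEAN IsProtectionFile(PFLT_FILE_NAME_INFORMATION lpNameInfo)
{
    // sizeof() of the array literal already includes the terminating NUL,
    // so no byte/character confusion is possible when matching against it.
    static CONST WCHAR szProtectedName[] = L"520.exe";
    BOOLEAN bProtect = FALSE;
    PWCHAR lpszFileName = NULL;
    SIZE_T cbName = 0;
    SIZE_T cbBuffer = 0;

    if (NULL == lpNameInfo || NULL == lpNameInfo->Name.Buffer || 0 == lpNameInfo->Name.Length)
    {
        return FALSE;
    }

    // UNICODE_STRING.Length is a byte count and the buffer is not guaranteed
    // to be NUL-terminated, so copy it into a terminated buffer sized from the
    // actual name. The original used a fixed 512-byte buffer without a bound
    // check, so any path longer than 255 characters overran the pool block.
    cbName = lpNameInfo->Name.Length;
    cbBuffer = cbName + sizeof(WCHAR);
    // A tagged allocation (ExAllocatePoolWithTag) would make leaks attributable
    // in the debugger; kept untagged here to stay close to the original.
    lpszFileName = (PWCHAR)ExAllocatePool(NonPagedPool, cbBuffer);
    if (NULL == lpszFileName)
    {
        // Allocation failure was previously unchecked and dereferenced NULL.
        return FALSE;
    }
    RtlZeroMemory(lpszFileName, cbBuffer);
    RtlCopyMemory(lpszFileName, lpNameInfo->Name.Buffer, cbName);

    // The original copied wcslen()+2 *bytes* of the pattern (not characters),
    // which truncated it to L"520.e" and matched more names than intended.
    if (NULL != wcsstr(lpszFileName, szProtectedName))
    {
        bProtect = TRUE;
    }

    ExFreePool(lpszFileName);
    return bProtect;
}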
/*************************************************************************
MiniFilter callback routines.
*************************************************************************/
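FLT_PREOP_CALLBACK_STATUS
Minifilter_FileMonitor_TestPreOperation (
    _Inout_ PFLT_CALLBACK_DATA Data,
    _In_ PCFLT_RELATED_OBJECTS FltObjects,
    _Flt_CompletionContext_Outptr_ PVOID *CompletionContext
    )
/*++
Routine Description:
    Pre-operation dispatch routine for this miniFilter.
    This is non-pageable because it could be called on the paging path.

    For IRP_MJ_CREATE, IRP_MJ_READ, IRP_MJ_WRITE and IRP_MJ_SET_INFORMATION
    (the only operations registered in Callbacks[]) the routine resolves the
    target file name. If IsProtectionFile() recognises the protected file
    (520.exe) the request is logged and completed here with
    STATUS_ACCESS_DENIED instead of being passed down. Any other request,
    and any request whose name cannot be resolved, is passed down unchanged
    with a post-operation callback requested.
Arguments:
    Data - Pointer to the filter callbackData that is passed to us.
    FltObjects - Pointer to the FLT_RELATED_OBJECTS data structure containing
        opaque handles to this filter, instance, its associated volume and
        file object.
    CompletionContext - The context for the completion routine for this
        operation. Not used.
Return Value:
    FLT_PREOP_COMPLETE when the operation was blocked here, otherwise
    FLT_PREOP_SUCCESS_WITH_CALLBACK.
--*/
{
    NTSTATUS status;
    PFLT_FILE_NAME_INFORMATION lpNameInfo = NULL;
    FLT_PREOP_CALLBACK_STATUS result = FLT_PREOP_SUCCESS_WITH_CALLBACK;
    const char *pszTag = NULL;

    UNREFERENCED_PARAMETER( FltObjects );
    UNREFERENCED_PARAMETER( CompletionContext );

    PT_DBG_PRINT( PTDBG_TRACE_ROUTINES,
                  ("Minifilter_FileMonitor_Test!Minifilter_FileMonitor_TestPreOperation: Entered\n") );

    // Pick the log label for the major function. Only these four are
    // registered in Callbacks[]; anything else is passed straight through
    // without even looking up the file name.
    switch (Data->Iopb->MajorFunction)
    {
    case IRP_MJ_CREATE:
        pszTag = "[IRP_MJ_CREATE]";
        break;
    case IRP_MJ_READ:
        pszTag = "[IRP_MJ_READ]";
        break;
    case IRP_MJ_WRITE:
        pszTag = "[IRP_MJ_WRITE]";
        break;
    case IRP_MJ_SET_INFORMATION:
        pszTag = "[IRP_MJ_SET_INFORMATION]";
        break;
    default:
        return FLT_PREOP_SUCCESS_WITH_CALLBACK;
    }

    status = FltGetFileNameInformation(Data, FLT_FILE_NAME_NORMALIZED | FLT_FILE_NAME_QUERY_DEFAULT, &lpNameInfo);
    if (!NT_SUCCESS(status))
    {
        // No name available in this context: fail open rather than block.
        return FLT_PREOP_SUCCESS_WITH_CALLBACK;
    }

    status = FltParseFileNameInformation(lpNameInfo);
    if (NT_SUCCESS(status) && IsProtectionFile(lpNameInfo))
    {
        // Same output bytes as the original per-branch KdPrint calls.
        KdPrint(("%s%wZ", pszTag, &lpNameInfo->Name));
        // A filter that returns FLT_PREOP_COMPLETE has to supply the final
        // status itself. The original returned FLT_PREOP_COMPLETE without
        // touching IoStatus, so the requester got whatever status happened
        // to be in the callback data rather than an explicit denial.
        Data->IoStatus.Status = STATUS_ACCESS_DENIED;
        Data->IoStatus.Information = 0;
        result = FLT_PREOP_COMPLETE;
    }

    // FltGetFileNameInformation hands out a referenced structure; the original
    // never released it, leaking one reference per inspected request.
    FltReleaseFileNameInformation(lpNameInfo);
    return result;
}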
然后就这样了 书上还表示要采用inf的方式
选定inf文件 鼠标右键 安装
用管理员CMD输入 net start 服务名 启动服务 这个服务名是驱动名字
要是停止服务 输入 net stop 服务名即可