Lately I've been feeling a bit restless. I don't know why; maybe learning driver development has been getting to me... but I gritted my teeth and kept going.

Because I feel I'm still a long way off. If I don't study the kernel side properly over the winter break, next semester I also have to work through CTF material, and I've always wanted to look at compiler theory, so
I feel there is a lot on my plate!!!

This post is based on the book Windows黑客编程技术详解 (Windows Hacker Programming Techniques Explained). I feel rather embarrassed that it isn't written very well, but the posts I write over the winter break are mainly so that I
don't forget what I've read, and to lay the groundwork for writing better posts later. If parts of it are poorly written, please bear with me.


This file monitor is written with the Minifilter framework. The framework is fairly easy to understand, and although the code looks long,

the main points are:

Set the IRPs the filter registers for, i.e. the file operations to be monitored

Register the filter with FltRegisterFilter

Start filtering with FltStartFiltering

In DriverUnload, call FltUnregisterFilter to unregister the filter

Then in the VS2013 project, simply pick

the project template I have selected with the mouse.

Then:

First, set the IRPs to filter

Then write the handling into the callbacks and set them up

The code is as follows:
```c
CONST FLT_OPERATION_REGISTRATION Callbacks[] = {
    // The four operations this monitor registers for: open, read, write and
    // set-information (the latter carries delete, rename and attribute changes).
    { IRP_MJ_CREATE,          0, Minifilter_FileMonitor_TestPreOperation, Minifilter_FileMonitor_TestPostOperation },
    { IRP_MJ_READ,            0, Minifilter_FileMonitor_TestPreOperation, Minifilter_FileMonitor_TestPostOperation },
    { IRP_MJ_WRITE,           0, Minifilter_FileMonitor_TestPreOperation, Minifilter_FileMonitor_TestPostOperation },
    { IRP_MJ_SET_INFORMATION, 0, Minifilter_FileMonitor_TestPreOperation, Minifilter_FileMonitor_TestPostOperation },

#if 0 // TODO - List all of the requests to filter.
    { IRP_MJ_CREATE_NAMED_PIPE,                  0, Minifilter_FileMonitor_TestPreOperation, Minifilter_FileMonitor_TestPostOperation },
    { IRP_MJ_CLOSE,                              0, Minifilter_FileMonitor_TestPreOperation, Minifilter_FileMonitor_TestPostOperation },
    { IRP_MJ_QUERY_INFORMATION,                  0, Minifilter_FileMonitor_TestPreOperation, Minifilter_FileMonitor_TestPostOperation },
    { IRP_MJ_QUERY_EA,                           0, Minifilter_FileMonitor_TestPreOperation, Minifilter_FileMonitor_TestPostOperation },
    { IRP_MJ_SET_EA,                             0, Minifilter_FileMonitor_TestPreOperation, Minifilter_FileMonitor_TestPostOperation },
    { IRP_MJ_FLUSH_BUFFERS,                      0, Minifilter_FileMonitor_TestPreOperation, Minifilter_FileMonitor_TestPostOperation },
    { IRP_MJ_QUERY_VOLUME_INFORMATION,           0, Minifilter_FileMonitor_TestPreOperation, Minifilter_FileMonitor_TestPostOperation },
    { IRP_MJ_SET_VOLUME_INFORMATION,             0, Minifilter_FileMonitor_TestPreOperation, Minifilter_FileMonitor_TestPostOperation },
    { IRP_MJ_DIRECTORY_CONTROL,                  0, Minifilter_FileMonitor_TestPreOperation, Minifilter_FileMonitor_TestPostOperation },
    { IRP_MJ_FILE_SYSTEM_CONTROL,                0, Minifilter_FileMonitor_TestPreOperation, Minifilter_FileMonitor_TestPostOperation },
    { IRP_MJ_DEVICE_CONTROL,                     0, Minifilter_FileMonitor_TestPreOperation, Minifilter_FileMonitor_TestPostOperation },
    { IRP_MJ_INTERNAL_DEVICE_CONTROL,            0, Minifilter_FileMonitor_TestPreOperation, Minifilter_FileMonitor_TestPostOperation },
    { IRP_MJ_SHUTDOWN,                           0, Minifilter_FileMonitor_TestPreOperationNoPostOperation, NULL }, // post operations not supported
    { IRP_MJ_LOCK_CONTROL,                       0, Minifilter_FileMonitor_TestPreOperation, Minifilter_FileMonitor_TestPostOperation },
    { IRP_MJ_CLEANUP,                            0, Minifilter_FileMonitor_TestPreOperation, Minifilter_FileMonitor_TestPostOperation },
    { IRP_MJ_CREATE_MAILSLOT,                    0, Minifilter_FileMonitor_TestPreOperation, Minifilter_FileMonitor_TestPostOperation },
    { IRP_MJ_QUERY_SECURITY,                     0, Minifilter_FileMonitor_TestPreOperation, Minifilter_FileMonitor_TestPostOperation },
    { IRP_MJ_SET_SECURITY,                       0, Minifilter_FileMonitor_TestPreOperation, Minifilter_FileMonitor_TestPostOperation },
    { IRP_MJ_QUERY_QUOTA,                        0, Minifilter_FileMonitor_TestPreOperation, Minifilter_FileMonitor_TestPostOperation },
    { IRP_MJ_SET_QUOTA,                          0, Minifilter_FileMonitor_TestPreOperation, Minifilter_FileMonitor_TestPostOperation },
    { IRP_MJ_PNP,                                0, Minifilter_FileMonitor_TestPreOperation, Minifilter_FileMonitor_TestPostOperation },
    { IRP_MJ_ACQUIRE_FOR_SECTION_SYNCHRONIZATION, 0, Minifilter_FileMonitor_TestPreOperation, Minifilter_FileMonitor_TestPostOperation },
    { IRP_MJ_RELEASE_FOR_SECTION_SYNCHRONIZATION, 0, Minifilter_FileMonitor_TestPreOperation, Minifilter_FileMonitor_TestPostOperation },
    { IRP_MJ_ACQUIRE_FOR_MOD_WRITE,              0, Minifilter_FileMonitor_TestPreOperation, Minifilter_FileMonitor_TestPostOperation },
    { IRP_MJ_RELEASE_FOR_MOD_WRITE,              0, Minifilter_FileMonitor_TestPreOperation, Minifilter_FileMonitor_TestPostOperation },
    { IRP_MJ_ACQUIRE_FOR_CC_FLUSH,               0, Minifilter_FileMonitor_TestPreOperation, Minifilter_FileMonitor_TestPostOperation },
    { IRP_MJ_RELEASE_FOR_CC_FLUSH,               0, Minifilter_FileMonitor_TestPreOperation, Minifilter_FileMonitor_TestPostOperation },
    { IRP_MJ_FAST_IO_CHECK_IF_POSSIBLE,          0, Minifilter_FileMonitor_TestPreOperation, Minifilter_FileMonitor_TestPostOperation },
    { IRP_MJ_NETWORK_QUERY_OPEN,                 0, Minifilter_FileMonitor_TestPreOperation, Minifilter_FileMonitor_TestPostOperation },
    { IRP_MJ_MDL_READ,                           0, Minifilter_FileMonitor_TestPreOperation, Minifilter_FileMonitor_TestPostOperation },
    { IRP_MJ_MDL_READ_COMPLETE,                  0, Minifilter_FileMonitor_TestPreOperation, Minifilter_FileMonitor_TestPostOperation },
    { IRP_MJ_PREPARE_MDL_WRITE,                  0, Minifilter_FileMonitor_TestPreOperation, Minifilter_FileMonitor_TestPostOperation },
    { IRP_MJ_MDL_WRITE_COMPLETE,                 0, Minifilter_FileMonitor_TestPreOperation, Minifilter_FileMonitor_TestPostOperation },
    { IRP_MJ_VOLUME_MOUNT,                       0, Minifilter_FileMonitor_TestPreOperation, Minifilter_FileMonitor_TestPostOperation },
    { IRP_MJ_VOLUME_DISMOUNT,                    0, Minifilter_FileMonitor_TestPreOperation, Minifilter_FileMonitor_TestPostOperation },
#endif // TODO

    { IRP_MJ_OPERATION_END }
};
```
The code that registers, starts and unregisters the filter is also generated by VS2013. The main part is the callback routines; the code below is the source code from Windows黑客编程技术详解.

```c
BOOLEAN IsProtectionFile(PFLT_FILE_NAME_INFORMATION lpNameInfo)
{
    BOOLEAN bProtect = FALSE;
    PWCHAR lpszProtectionFileName, lpszFileName;
    ULONG cbName;

    // Allocate the two scratch buffers
    lpszProtectionFileName = (PWCHAR)ExAllocatePool(NonPagedPool, 256);
    lpszFileName = (PWCHAR)ExAllocatePool(NonPagedPool, 512);
    if (NULL == lpszProtectionFileName || NULL == lpszFileName) {
        // Allocation failed: free whichever buffer succeeded and treat the file as not protected
        if (NULL != lpszProtectionFileName) ExFreePool(lpszProtectionFileName);
        if (NULL != lpszFileName) ExFreePool(lpszFileName);
        return FALSE;
    }
    // Zero both buffers so the copies below end up NUL-terminated
    RtlZeroMemory(lpszProtectionFileName, 256);
    RtlZeroMemory(lpszFileName, 512);

    // Copy the file name. Name.Length is a byte count and Name.Buffer is not
    // NUL-terminated, so copy at most Length bytes and cap it so the terminator
    // still fits in the 512-byte buffer (the book's version copied
    // Length + sizeof(WCHAR) bytes with no cap, reading one WCHAR past the
    // name and overflowing the buffer on long paths).
    cbName = lpNameInfo->Name.Length;
    if (cbName > (512 - sizeof(WCHAR))) {
        cbName = 512 - sizeof(WCHAR);
    }
    RtlCopyMemory(lpszFileName, lpNameInfo->Name.Buffer, cbName);
    // wcslen() counts characters, so scale by sizeof(WCHAR) to get the byte count
    RtlCopyMemory(lpszProtectionFileName, L"520.exe", (wcslen(L"520.exe") + 1) * sizeof(WCHAR));

    // Substring test: any path that contains "520.exe" anywhere is treated as protected
    if (NULL != wcsstr(lpszFileName, lpszProtectionFileName)) {
        bProtect = TRUE;
    }

    ExFreePool(lpszProtectionFileName);
    ExFreePool(lpszFileName);
    return bProtect;
}

/*************************************************************************
    MiniFilter callback routines.
*************************************************************************/
FLT_PREOP_CALLBACK_STATUS
Minifilter_FileMonitor_TestPreOperation(
    _Inout_ PFLT_CALLBACK_DATA Data,
    _In_ PCFLT_RELATED_OBJECTS FltObjects,
    _Flt_CompletionContext_Outptr_ PVOID *CompletionContext
    )
/*++
Routine Description:
    This routine is a pre-operation dispatch routine for this miniFilter.
    This is non-pageable because it could be called on the paging path.
Arguments:
    Data - Pointer to the filter callbackData that is passed to us.
    FltObjects - Pointer to the FLT_RELATED_OBJECTS data structure containing
        opaque handles to this filter, instance, its associated volume and file object.
    CompletionContext - The context for the completion routine for this operation.
Return Value:
    The return value is the status of the operation.
--*/
{
    NTSTATUS status;
    UCHAR MajorFunction;
    PFLT_FILE_NAME_INFORMATION lpNameInfo = NULL;
    BOOLEAN bBlock = FALSE;

    UNREFERENCED_PARAMETER(FltObjects);
    UNREFERENCED_PARAMETER(CompletionContext);

    PT_DBG_PRINT(PTDBG_TRACE_ROUTINES,
                 ("Minifilter_FileMonitor_Test!Minifilter_FileMonitor_TestPreOperation: Entered\n"));

    /* Control (blocking) is normally done in the PreXXX callback, while plain
       monitoring is normally done in PostXXX (monitoring in PreXXX works too).
       Below, read, write, delete, rename and attribute changes are monitored,
       and every operation on the designated file 520.exe is refused.
       Method: obtain the file name from the incoming parameters, print it, and
       if it is the protected file, complete the operation here instead of
       passing it down. */
    MajorFunction = Data->Iopb->MajorFunction;
    status = FltGetFileNameInformation(Data,
                                       FLT_FILE_NAME_NORMALIZED | FLT_FILE_NAME_QUERY_DEFAULT,
                                       &lpNameInfo);
    if (NT_SUCCESS(status)) {
        status = FltParseFileNameInformation(lpNameInfo);
        if (NT_SUCCESS(status) && IsProtectionFile(lpNameInfo)) {
            switch (MajorFunction) {
            case IRP_MJ_CREATE:             // open / create
                KdPrint(("[IRP_MJ_CREATE]%wZ\n", &lpNameInfo->Name));
                bBlock = TRUE;
                break;
            case IRP_MJ_READ:               // read
                KdPrint(("[IRP_MJ_READ]%wZ\n", &lpNameInfo->Name));
                bBlock = TRUE;
                break;
            case IRP_MJ_WRITE:              // write
                KdPrint(("[IRP_MJ_WRITE]%wZ\n", &lpNameInfo->Name));
                bBlock = TRUE;
                break;
            case IRP_MJ_SET_INFORMATION:    // delete / rename / attribute change
                KdPrint(("[IRP_MJ_SET_INFORMATION]%wZ\n", &lpNameInfo->Name));
                bBlock = TRUE;
                break;
            default:
                break;
            }
        }
        // The name information is reference-counted and must be released
        // (the book's version leaked it on every call).
        FltReleaseFileNameInformation(lpNameInfo);
    }

    if (bBlock) {
        // A filter that returns FLT_PREOP_COMPLETE must fill in IoStatus itself;
        // the book's version returned without setting a status.
        Data->IoStatus.Status = STATUS_ACCESS_DENIED;
        Data->IoStatus.Information = 0;
        return FLT_PREOP_COMPLETE;   // the book also suggests FLT_PREOP_DISALLOW_FASTIO here
    }

    /* The WDK template's optional operation-status block
       (Minifilter_FileMonitor_TestDoRequestOperationStatus /
       FltRequestOperationStatusCallback) is omitted: most filters do not need it. */

    // Pass the request down to the next miniFilter in the chain and ask for
    // the post-operation callback.
    return FLT_PREOP_SUCCESS_WITH_CALLBACK;
}
```
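Two details of the helper above are worth seeing in isolation: UNICODE_STRING lengths are byte counts over a buffer that need not be NUL-terminated, and wcsstr() matches the protected name anywhere in the path, so "520.exe.bak" or a directory called 520.exe would also be blocked. The following user-mode C program is an added example of mine, not code from the book or from this post. It models WCHAR as a 16-bit integer and UNICODE_STRING as a counted string whose Length is in bytes, then performs the check by reading exactly Length/2 characters and comparing only the final path component, case-insensitively because NTFS names are case-insensitive by default. The sample paths, the 260-character buffer bound and all function names are my own assumptions for the demonstration; in a real driver the comparison would use RtlEqualUnicodeString with CaseInSensitive set to TRUE rather than the ASCII-only fold used here.

```c
/* Added example (not from the book or this post): a user-mode model of the
 * protected-file check. WCHAR is modelled as uint16_t and UNICODE_STRING as a
 * counted string whose Length is in BYTES with no NUL terminator, which is
 * exactly the property the original helper's byte counts got wrong. */
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

typedef uint16_t WCHAR_T;            /* models the 16-bit Windows WCHAR */

typedef struct {
    uint16_t       Length;           /* bytes in use, NOT characters */
    uint16_t       MaximumLength;    /* bytes allocated */
    const WCHAR_T *Buffer;           /* not guaranteed NUL-terminated */
} COUNTED_STRING;                    /* models UNICODE_STRING */

#define MODEL_MAX_CHARS 260          /* assumed buffer bound for this demo */

/* ASCII-only case fold; kernel code would use RtlEqualUnicodeString(..., TRUE). */
static WCHAR_T fold(WCHAR_T c)
{
    return (c >= 'A' && c <= 'Z') ? (WCHAR_T)(c + ('a' - 'A')) : c;
}

/* Compare the final path component (after the last backslash) with the guarded
 * file name, reading exactly Length / sizeof(WCHAR_T) characters and never
 * assuming a terminator. Exact match, so "520.exe.bak" and a directory named
 * 520.exe are not caught, unlike the substring test done with wcsstr(). */
bool final_component_equals(const COUNTED_STRING *name,
                            const WCHAR_T *guarded, size_t guarded_chars)
{
    size_t chars = name->Length / sizeof(WCHAR_T);   /* bytes -> characters */
    size_t start = 0;
    for (size_t i = 0; i < chars; i++) {
        if (name->Buffer[i] == (WCHAR_T)'\\') start = i + 1;
    }
    if (chars - start != guarded_chars) return false;
    for (size_t i = 0; i < guarded_chars; i++) {
        if (fold(name->Buffer[start + i]) != fold(guarded[i])) return false;
    }
    return true;
}

/* Widen an ASCII string into 16-bit characters (constructed test input only). */
static size_t widen(const char *ascii, WCHAR_T *out, size_t cap)
{
    size_t n = 0;
    while (ascii[n] != '\0' && n < cap) {
        out[n] = (WCHAR_T)(unsigned char)ascii[n];
        n++;
    }
    return n;
}

/* Convenience wrapper: build the counted string from an ASCII path and test it. */
bool path_targets_guarded_file(const char *path_ascii, const char *guarded_ascii)
{
    WCHAR_T path_buf[MODEL_MAX_CHARS];
    WCHAR_T guarded_buf[MODEL_MAX_CHARS];
    size_t path_chars = widen(path_ascii, path_buf, MODEL_MAX_CHARS);
    size_t guarded_chars = widen(guarded_ascii, guarded_buf, MODEL_MAX_CHARS);
    COUNTED_STRING name = {
        (uint16_t)(path_chars * sizeof(WCHAR_T)),        /* Length in bytes */
        (uint16_t)(MODEL_MAX_CHARS * sizeof(WCHAR_T)),
        path_buf
    };
    return final_component_equals(&name, guarded_buf, guarded_chars);
}

/* Byte count the original RtlCopyMemory(..., L"520.exe", ...) call used (a
 * character count plus one WCHAR) versus what a NUL-terminated WCHAR copy
 * actually needs. For "520.exe" that is 9 bytes versus 16. */
size_t original_copy_bytes(const char *ascii)
{
    return sizeof(WCHAR_T) + strlen(ascii);
}

size_t correct_copy_bytes(const char *ascii)
{
    return (strlen(ascii) + 1) * sizeof(WCHAR_T);
}

int main(void)
{
    /* Constructed sample paths in the normalized form FltGetFileNameInformation returns. */
    const char *paths[] = {
        "\\Device\\HarddiskVolume2\\Users\\test\\520.exe",
        "\\Device\\HarddiskVolume2\\Users\\test\\520.EXE",
        "\\Device\\HarddiskVolume2\\Users\\test\\520.exe.bak",
        "\\Device\\HarddiskVolume2\\520.exe\\readme.txt",
    };
    for (size_t i = 0; i < sizeof(paths) / sizeof(paths[0]); i++) {
        printf("%-55s guarded=%d\n", paths[i],
               (int)path_targets_guarded_file(paths[i], "520.exe"));
    }
    printf("bytes copied for L\"520.exe\": original=%zu correct=%zu\n",
           original_copy_bytes("520.exe"), correct_copy_bytes("520.exe"));
    return 0;
}
```

Running it shows only the first two paths flagged; the substring approach in the driver flags all four. The 9-versus-16 byte figure is why the book's copy of L"520.exe" only worked because the buffer had been zeroed first.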
That's it. The book also says the driver should be installed via an INF file:

Select the INF file, right-click, and choose Install.

In an administrator CMD, enter net start <service name> to start the service; the service name is the driver's name.

To stop the service, enter net stop <service name>.


©2020 ioDraw All rights reserved