



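/*
 * Deny the request when the requested object name contains "111.txt".
 *
 * ObjectAttributes and ObjectAttributes->ObjectName are optional pointers, so
 * both are checked before Buffer is read. A UNICODE_STRING carries its size in
 * Length (bytes) and is not guaranteed to be NUL-terminated, so the search is
 * bounded by Length instead of relying on wcsstr() finding a terminator.
 *
 * NOTE(review): if this runs inside a system-call hook, ObjectAttributes and
 * IoStatusBlock are presumably caller-supplied user-mode pointers; they are
 * neither probed nor captured here -- confirm the enclosing function does so
 * (and guards the accesses) before this point.
 * NOTE(review): the match is a case-sensitive substring test on the name as
 * supplied; a policy decision normally needs a normalized, case-folded full
 * path -- confirm this is only a demonstration filter.
 */
if ( ObjectAttributes && ObjectAttributes->ObjectName && ObjectAttributes->ObjectName->Buffer )
{
    static const WCHAR wszDenied[] = L"111.txt";
    const USHORT cchDenied = (USHORT)( sizeof(wszDenied) / sizeof(wszDenied[0]) - 1 );
    const USHORT cchName = (USHORT)( ObjectAttributes->ObjectName->Length / sizeof(WCHAR) );
    const WCHAR *pwszName = ObjectAttributes->ObjectName->Buffer;
    BOOLEAN bMatch = FALSE;
    USHORT i;

    /* Slide a window of cchDenied characters over the counted name. */
    for ( i = 0; !bMatch && cchName >= cchDenied && i <= cchName - cchDenied; i++ )
    {
        bMatch = ( cchDenied * sizeof(WCHAR) ==
                   RtlCompareMemory( pwszName + i, wszDenied, cchDenied * sizeof(WCHAR) ) );
    }

    if ( bMatch )
    {
        // Deny the operation
        // NOTE(review): if FileHandle is the PHANDLE parameter of the hooked
        // routine, this only clears the local copy and the caller's handle
        // slot is left untouched -- confirm the intended target.
        FileHandle = NULL;
        IoStatusBlock->Information = 0;
        IoStatusBlock->Status = STATUS_UNSUCCESSFUL;
        return STATUS_UNSUCCESSFUL;
    }
}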
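/*
 * Deny the request when the requested object name contains "111.txt".
 *
 * ObjectAttributes and ObjectAttributes->ObjectName are optional pointers, so
 * both are checked before Buffer is read. A UNICODE_STRING carries its size in
 * Length (bytes) and is not guaranteed to be NUL-terminated, so the search is
 * bounded by Length instead of relying on wcsstr() finding a terminator.
 *
 * NOTE(review): if this runs inside a system-call hook, ObjectAttributes and
 * IoStatusBlock are presumably caller-supplied user-mode pointers; they are
 * neither probed nor captured here -- confirm the enclosing function does so
 * (and guards the accesses) before this point.
 * NOTE(review): the match is a case-sensitive substring test on the name as
 * supplied; a policy decision normally needs a normalized, case-folded full
 * path -- confirm this is only a demonstration filter.
 */
if ( ObjectAttributes && ObjectAttributes->ObjectName && ObjectAttributes->ObjectName->Buffer )
{
    static const WCHAR wszDenied[] = L"111.txt";
    const USHORT cchDenied = (USHORT)( sizeof(wszDenied) / sizeof(wszDenied[0]) - 1 );
    const USHORT cchName = (USHORT)( ObjectAttributes->ObjectName->Length / sizeof(WCHAR) );
    const WCHAR *pwszName = ObjectAttributes->ObjectName->Buffer;
    BOOLEAN bMatch = FALSE;
    USHORT i;

    /* Slide a window of cchDenied characters over the counted name. */
    for ( i = 0; !bMatch && cchName >= cchDenied && i <= cchName - cchDenied; i++ )
    {
        bMatch = ( cchDenied * sizeof(WCHAR) ==
                   RtlCompareMemory( pwszName + i, wszDenied, cchDenied * sizeof(WCHAR) ) );
    }

    if ( bMatch )
    {
        // Deny the operation
        // NOTE(review): if FileHandle is the PHANDLE parameter of the hooked
        // routine, this only clears the local copy and the caller's handle
        // slot is left untouched -- confirm the intended target.
        FileHandle = NULL;
        IoStatusBlock->Information = 0;
        IoStatusBlock->Status = STATUS_UNSUCCESSFUL;
        return STATUS_UNSUCCESSFUL;
    }
}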
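/**
 * Resolve a file handle to the file's full DOS path and store it as a
 * narrow string in the caller's buffer.
 *
 * @param hFileHandle  Handle to resolve; NULL is rejected.
 * @param pszFilename  Destination buffer for the converted path; NULL is rejected.
 * @param uSize        Value passed to drvfunc_w2a() as the destination size;
 *                     0 is rejected.
 * @return TRUE when the handle was referenced, the DOS name was queried and
 *         drvfunc_w2a() reported success; FALSE otherwise.
 *
 * The object reference taken by ObReferenceObjectByHandle() and the name
 * buffer allocated by IoQueryFileDosDeviceName() are both released before
 * returning, on every path.
 *
 * NOTE(review): the handle is referenced with KernelMode, so the
 * FILE_READ_DATA access check is not enforced and kernel handles are
 * accepted. If hFileHandle originates from a user-mode caller, confirm that
 * this is intended; switching to the caller's previous mode would also change
 * which handles resolve, so it is left as-is here.
 * NOTE(review): drvfunc_w2a() is defined elsewhere; presumably it converts a
 * wide string to a narrow one bounded by uSize and expects a NUL-terminated
 * source -- verify against its definition.
 */
BOOL ApiHookFsGetFilenameByHandle( IN HANDLE hFileHandle, OUT PCHAR pszFilename, IN USHORT uSize )
{
    BOOL bRet = FALSE;
    NTSTATUS ntStatus;
    PFILE_OBJECT pstFileObject = NULL;
    POBJECT_NAME_INFORMATION pstObjectNameInfo = NULL;

    if ( NULL == hFileHandle || NULL == pszFilename || 0 == uSize )
    {
        return FALSE;
    }

    ntStatus = ObReferenceObjectByHandle( hFileHandle, FILE_READ_DATA, *IoFileObjectType, KernelMode, (void **)&pstFileObject, NULL );
    if ( !NT_SUCCESS( ntStatus ) )
    {
        return FALSE;
    }

    ntStatus = IoQueryFileDosDeviceName( pstFileObject, &pstObjectNameInfo );
    if ( NT_SUCCESS( ntStatus ) )
    {
        if ( NULL != pstObjectNameInfo->Name.Buffer )
        {
            ntStatus = drvfunc_w2a( pstObjectNameInfo->Name.Buffer, pszFilename, uSize );
            if ( NT_SUCCESS( ntStatus ) )
            {
                bRet = TRUE;
            }
        }

        /* The name buffer is allocated by IoQueryFileDosDeviceName(); the caller owns it. */
        ExFreePool( pstObjectNameInfo );
    }

    /* Balance the reference taken above, otherwise the file object is never released. */
    ObDereferenceObject( pstFileObject );

    return bRet;
}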
/* Scratch buffer that receives the DOS path resolved from FileHandle. */
CHAR szFileName[ MAX_PATH ];

/*
 * Only requests asking for write or append access are checked.
 * FILE_WRITE_DATA and FILE_APPEND_DATA are single-bit masks, so a non-zero
 * AND against their union means at least one of them was requested.
 *
 * NOTE(review): if DesiredAccess is the caller's raw request, generic rights
 * that map to write access are not covered by this test -- confirm.
 * NOTE(review): when the name cannot be resolved the request is allowed to
 * proceed (fail-open) -- confirm that is the intended policy.
 */
if ( 0 != ( DesiredAccess & ( FILE_WRITE_DATA | FILE_APPEND_DATA ) ) )
{
    RtlZeroMemory( szFileName, sizeof(szFileName) );

    /* Resolve the path first; the policy lookup runs only when that succeeds. */
    if ( ApiHookFsGetFilenameByHandle( FileHandle, szFileName, sizeof(szFileName) ) &&
         APIHOOKFS_ACTION_DENIED == ApiHookFsCheckAction( szFileName ) )
    {
        // Deny the operation
        return STATUS_ACCESS_DENIED;
    }
}