SSDT HOOK ZwSetInformationFile 有时出现蓝屏问题
关键段的代码 测试就是蓝在这个函数里
NTSTATUS NewZwSetInformationFile(
IN HANDLE FileHandle,
OUT PIO_STATUS_BLOCK IoStatusBlock,
IN PVOID FileInformation,
IN ULONG Length,
IN FILE_INFORMATION_CLASS FileInformationClass
)
{
NTSTATUS nStatus = STATUS_SUCCESS;
NTSTATUS Status=NULL;
NTSTATUS statusp=STATUS_ACCESS_DENIED;
WCHAR buf[1024];
PFILE_OBJECT Object;
PWCHAR pBuffer;
IO_STATUS_BLOCK IoStatus;
PFILE_NAME_INFORMATION pstNameInfo;
UNICODE_STRING volumeDosName;
UNICODE_STRING midstr;
UNICODE_STRING lpuName;
RtlInitEmptyUnicodeString(&volumeDosName,buf,1024*sizeof(WCHAR));
RtlInitEmptyUnicodeString(&lpuName,NULL,0);
if(FileInformationClass == FileDispositionInformation )//删除
{
if(ObReferenceObjectByHandle(FileHandle,0 ,0,KernelMode,
&Object , NULL ) == STATUS_SUCCESS )
{
RtlInitEmptyUnicodeString(&midstr,NULL,0);
IoVolumeDeviceToDosName(Object->DeviceObject,&midstr);
RtlCopyUnicodeString(&volumeDosName,&midstr);
ObDereferenceObject(Object) ;
}
pBuffer = (PWCHAR)ExAllocatePoolWithTag( NonPagedPool, 1024,'MyTt' );
RtlZeroMemory( pBuffer, 1024 );
pstNameInfo = (PFILE_NAME_INFORMATION)pBuffer;
Status = ZwQueryInformationFile( FileHandle, &IoStatus, pstNameInfo, 512, FileNameInformation );
if ( NT_SUCCESS(Status) )
{
lpuName.Buffer=(PWSTR)pstNameInfo->FileName;
lpuName.Length=wcslen(pstNameInfo->FileName)*2;
}
ExFreePool(pBuffer);
RtlAppendUnicodeStringToString(&volumeDosName,&lpuName);
// DbgPrint("path is %ws",volumeDosName.Buffer);
// DbgPrint("Path is %ws",Upath);
// DbgPrint("Path is %d",len);
// if(0 == memcmp(volumeDosName.Buffer,Upath,wcslen(Upath)*2))
if(0 == memcmp(volumeDosName.Buffer,L"C:\\123",12))
return statusp;
else
{
nStatus = OldZwSetInformationFile( FileHandle , IoStatusBlock ,
FileInformation , Length , FileInformationClass ) ;
return nStatus ;
}
}
if(FileInformationClass ==0x0A)//移动
{
if(ObReferenceObjectByHandle(FileHandle,0 ,0,KernelMode,
&Object , NULL ) == STATUS_SUCCESS )
{
RtlInitEmptyUnicodeString(&midstr,NULL,0);
IoVolumeDeviceToDosName(Object->DeviceObject,&midstr);
RtlCopyUnicodeString(&volumeDosName,&midstr);
ObDereferenceObject(Object) ;
}
pBuffer = (PWCHAR)ExAllocatePoolWithTag( NonPagedPool, 1024,'MyTt' );
RtlZeroMemory( pBuffer, 1024 );
pstNameInfo = (PFILE_NAME_INFORMATION)pBuffer;
Status = ZwQueryInformationFile( FileHandle, &IoStatus, pstNameInfo, 512, FileNameInformation );
if ( NT_SUCCESS(Status) )
{
lpuName.Buffer=(PWSTR)pstNameInfo->FileName;
lpuName.Length=wcslen(pstNameInfo->FileName)*2;
}
ExFreePool(pBuffer);
RtlAppendUnicodeStringToString(&volumeDosName,&lpuName);
// DbgPrint("path is %ws",volumeDosName.Buffer);
// DbgPrint("Path is %ws",Upath);
// DbgPrint("Path is %d",len);
// if(0 == memcmp(volumeDosName.Buffer,Upath,wcslen(Upath)*2))
if(0 == memcmp(volumeDosName.Buffer,L"C:\\123",12))
return statusp;
else
{
nStatus = OldZwSetInformationFile( FileHandle , IoStatusBlock ,
FileInformation , Length , FileInformationClass ) ;
return nStatus ;
}
}
nStatus = OldZwSetInformationFile( FileHandle , IoStatusBlock ,
FileInformation , Length , FileInformationClass ) ;
return nStatus ;
}
我想做的是一个指定用户输入路径传到ring0里面进行指定的文件保护 Upath是用户的路径 但是运行后 只要操作指定路径的文件夹后(可以保护) 但不一会电脑就蓝了 然后我又直接换成字符串常量进行判断 还是会蓝 我驱动的基础不是很好 望大牛们多多指点 小弟先谢谢各位了