70,021
社区成员
发帖
与我相关
我的任务
分享SSDT HOOK ZwSetInformationFile 有时出现蓝屏问题
关键段的代码 测试就是蓝在这个函数里
NTSTATUS NewZwSetInformationFile(
IN HANDLE FileHandle,
OUT PIO_STATUS_BLOCK IoStatusBlock,
IN PVOID FileInformation,
IN ULONG Length,
IN FILE_INFORMATION_CLASS FileInformationClass
)
{
NTSTATUS nStatus = STATUS_SUCCESS;
NTSTATUS Status=NULL;
NTSTATUS statusp=STATUS_ACCESS_DENIED;
WCHAR buf[1024];
PFILE_OBJECT Object;
PWCHAR pBuffer;
IO_STATUS_BLOCK IoStatus;
PFILE_NAME_INFORMATION pstNameInfo;
UNICODE_STRING volumeDosName;
UNICODE_STRING midstr;
UNICODE_STRING lpuName;
RtlInitEmptyUnicodeString(&volumeDosName,buf,1024*sizeof(WCHAR));
RtlInitEmptyUnicodeString(&lpuName,NULL,0);
if(FileInformationClass == FileDispositionInformation )//删除
{
if(ObReferenceObjectByHandle(FileHandle,0 ,0,KernelMode,
&Object , NULL ) == STATUS_SUCCESS )
{
RtlInitEmptyUnicodeString(&midstr,NULL,0);
IoVolumeDeviceToDosName(Object->DeviceObject,&midstr);
RtlCopyUnicodeString(&volumeDosName,&midstr);
ObDereferenceObject(Object) ;
}
pBuffer = (PWCHAR)ExAllocatePoolWithTag( NonPagedPool, 1024,'MyTt' );
RtlZeroMemory( pBuffer, 1024 );
pstNameInfo = (PFILE_NAME_INFORMATION)pBuffer;
Status = ZwQueryInformationFile( FileHandle, &IoStatus, pstNameInfo, 512, FileNameInformation );
if ( NT_SUCCESS(Status) )
{
lpuName.Buffer=(PWSTR)pstNameInfo->FileName;
lpuName.Length=wcslen(pstNameInfo->FileName)*2;
}
ExFreePool(pBuffer);
RtlAppendUnicodeStringToString(&volumeDosName,&lpuName);
// DbgPrint("path is %ws",volumeDosName.Buffer);
// DbgPrint("Path is %ws",Upath);
// DbgPrint("Path is %d",len);
// if(0 == memcmp(volumeDosName.Buffer,Upath,wcslen(Upath)*2))
if(0 == memcmp(volumeDosName.Buffer,L"C:\\123",12))
return statusp;
else
{
nStatus = OldZwSetInformationFile( FileHandle , IoStatusBlock ,
FileInformation , Length , FileInformationClass ) ;
return nStatus ;
}
}
if(FileInformationClass ==0x0A)//移动
{
if(ObReferenceObjectByHandle(FileHandle,0 ,0,KernelMode,
&Object , NULL ) == STATUS_SUCCESS )
{
RtlInitEmptyUnicodeString(&midstr,NULL,0);
IoVolumeDeviceToDosName(Object->DeviceObject,&midstr);
RtlCopyUnicodeString(&volumeDosName,&midstr);
ObDereferenceObject(Object) ;
}
pBuffer = (PWCHAR)ExAllocatePoolWithTag( NonPagedPool, 1024,'MyTt' );
RtlZeroMemory( pBuffer, 1024 );
pstNameInfo = (PFILE_NAME_INFORMATION)pBuffer;
Status = ZwQueryInformationFile( FileHandle, &IoStatus, pstNameInfo, 512, FileNameInformation );
if ( NT_SUCCESS(Status) )
{
lpuName.Buffer=(PWSTR)pstNameInfo->FileName;
lpuName.Length=wcslen(pstNameInfo->FileName)*2;
}
ExFreePool(pBuffer);
RtlAppendUnicodeStringToString(&volumeDosName,&lpuName);
// DbgPrint("path is %ws",volumeDosName.Buffer);
// DbgPrint("Path is %ws",Upath);
// DbgPrint("Path is %d",len);
// if(0 == memcmp(volumeDosName.Buffer,Upath,wcslen(Upath)*2))
if(0 == memcmp(volumeDosName.Buffer,L"C:\\123",12))
return statusp;
else
{
nStatus = OldZwSetInformationFile( FileHandle , IoStatusBlock ,
FileInformation , Length , FileInformationClass ) ;
return nStatus ;
}
}
nStatus = OldZwSetInformationFile( FileHandle , IoStatusBlock ,
FileInformation , Length , FileInformationClass ) ;
return nStatus ;
}
我想做的是一个指定用户输入路径传到ring0里面进行指定的文件保护 Upath是用户的路径 但是运行后 只要操作指定路径的文件夹后(可以保护) 但不一会电脑就蓝了 然后我又直接换成字符串常量进行判断 还是会蓝 我驱动的基础不是很好 望大牛们多多指点 小弟先谢谢各位了
NTSTATUS NewZwSetInformationFile(
IN HANDLE FileHandle,
OUT PIO_STATUS_BLOCK IoStatusBlock,
IN PVOID FileInformation,
IN ULONG Length,
IN FILE_INFORMATION_CLASS FileInformationClass
)
{
NTSTATUS nStatus = STATUS_SUCCESS;
NTSTATUS Status=NULL;
NTSTATUS statusp=STATUS_ACCESS_DENIED;
WCHAR buf[1024];
PFILE_OBJECT Object;
PWCHAR pBuffer;
IO_STATUS_BLOCK IoStatus;
PFILE_NAME_INFORMATION pstNameInfo;
UNICODE_STRING volumeDosName;
UNICODE_STRING midstr;
UNICODE_STRING lpuName;
RtlInitEmptyUnicodeString(&volumeDosName,buf,1024*sizeof(WCHAR));
RtlInitEmptyUnicodeString(&lpuName,NULL,0);
if(FileInformationClass == FileDispositionInformation )//删除
{
if(ObReferenceObjectByHandle(FileHandle,0 ,0,KernelMode,
&Object , NULL ) == STATUS_SUCCESS )
{
RtlInitEmptyUnicodeString(&midstr,NULL,0);
IoVolumeDeviceToDosName(Object->DeviceObject,&midstr);
RtlCopyUnicodeString(&volumeDosName,&midstr);
ObDereferenceObject(Object) ;
}
pBuffer = (PWCHAR)ExAllocatePoolWithTag( NonPagedPool, 1024,'MyTt' );
RtlZeroMemory( pBuffer, 1024 );
pstNameInfo = (PFILE_NAME_INFORMATION)pBuffer;
Status = ZwQueryInformationFile( FileHandle, &IoStatus, pstNameInfo, 512, FileNameInformation );
if ( NT_SUCCESS(Status) )
{
lpuName.Buffer=(PWSTR)pstNameInfo->FileName;
lpuName.Length=wcslen(pstNameInfo->FileName)*2;
}
ExFreePool(pBuffer);
RtlAppendUnicodeStringToString(&volumeDosName,&lpuName);
// DbgPrint("path is %ws",volumeDosName.Buffer);
// DbgPrint("Path is %ws",Upath);
// DbgPrint("Path is %d",len);
// if(0 == memcmp(volumeDosName.Buffer,Upath,wcslen(Upath)*2))
if(0 == memcmp(volumeDosName.Buffer,L"C:\\123",12))
return statusp;
else
{
nStatus = OldZwSetInformationFile( FileHandle , IoStatusBlock ,
FileInformation , Length , FileInformationClass ) ;
return nStatus ;
}
}
if(FileInformationClass ==0x0A)//移动
{
if(ObReferenceObjectByHandle(FileHandle,0 ,0,KernelMode,
&Object , NULL ) == STATUS_SUCCESS )
{
RtlInitEmptyUnicodeString(&midstr,NULL,0);
IoVolumeDeviceToDosName(Object->DeviceObject,&midstr);
RtlCopyUnicodeString(&volumeDosName,&midstr);
ObDereferenceObject(Object) ;
}
pBuffer = (PWCHAR)ExAllocatePoolWithTag( NonPagedPool, 1024,'MyTt' );
RtlZeroMemory( pBuffer, 1024 );
pstNameInfo = (PFILE_NAME_INFORMATION)pBuffer;
Status = ZwQueryInformationFile( FileHandle, &IoStatus, pstNameInfo, 512, FileNameInformation );
if ( NT_SUCCESS(Status) )
{
lpuName.Buffer=(PWSTR)pstNameInfo->FileName;
lpuName.Length=wcslen(pstNameInfo->FileName)*2;
}
ExFreePool(pBuffer);
RtlAppendUnicodeStringToString(&volumeDosName,&lpuName);
// DbgPrint("path is %ws",volumeDosName.Buffer);
// DbgPrint("Path is %ws",Upath);
// DbgPrint("Path is %d",len);
// if(0 == memcmp(volumeDosName.Buffer,Upath,wcslen(Upath)*2))
if(0 == memcmp(volumeDosName.Buffer,L"C:\\123",12))
return statusp;
else
{
nStatus = OldZwSetInformationFile( FileHandle , IoStatusBlock ,
FileInformation , Length , FileInformationClass ) ;
return nStatus ;
}
}
nStatus = OldZwSetInformationFile( FileHandle , IoStatusBlock ,
FileInformation , Length , FileInformationClass ) ;
return nStatus ;
}
我想做的是一个指定用户输入路径传到ring0里面进行指定的文件保护 Upath是用户的路径 但是运行后 只要操作指定路径的文件夹后(可以保护) 但不一会电脑就蓝了 然后我又直接换成字符串常量进行判断 还是会蓝 我驱动的基础不是很好 望大牛们多多指点 小弟先谢谢各位了
...全文
请发表友善的回复…
发表回复
linmei19840721 2010-02-08
- 打赏
- 举报
调试到那句蓝的????
cyndy_li 2010-02-07
- 打赏
- 举报
最好用windbg + 虚拟机调试一下,设中断,可以源代码调试,执行到那一句蓝的,好找一下原因。
cyndy_li 2010-02-07
- 打赏
- 举报
在你的代码里出现了OldZwSetInformationFile
又出现了ZwQueryInformationFile,query这个函数你有没有hook
还有old前面是不是要用指针函数类型转换一下,就是之前保存的真实函数指针,要((ZWSETINFORMATIONFILE)OldZwSetInformationFile)(参数。。。)
又出现了ZwQueryInformationFile,query这个函数你有没有hook
还有old前面是不是要用指针函数类型转换一下,就是之前保存的真实函数指针,要((ZWSETINFORMATIONFILE)OldZwSetInformationFile)(参数。。。)
nevergone 2010-01-01
- 打赏
- 举报
一点驱动开发常识都没有
beginnow 2010-01-01
- 打赏
- 举报
你可以用softice加载这个驱动,当出现问题的时候softice会截获这个错误,
另外机器蓝屏之后会生成转储文件,可以分析一下这个文件
另外机器蓝屏之后会生成转储文件,可以分析一下这个文件
Sunny_wwc 2010-01-01
- 打赏
- 举报
[Quote=引用 2 楼 nevergone 的回复:]
一点驱动开发常识都没有
[/Quote]
麻烦高人指点为什么蓝屏
一点驱动开发常识都没有
[/Quote]
麻烦高人指点为什么蓝屏
