• Minifilter过滤驱动与R3程序通讯实现文件保护


    实现保护文件或目录、R3层通过与过滤驱动通讯通知要保护的文件或目录,可执行创建不可删除或修改。
    
    • 1
    R3层
    #include
    #include
    #include
    HANDLE g_hPort = INVALID_HANDLE_VALUE;//初始化句柄
    #define NPMINI_NAME L"FileiPortMin"
    #define NPMINI_PORT_NAME L"\\FileiPortMin"
    #pragma comment (lib,"fltLib.lib")
    typedef struct _COMAND_MESSAGE
    {
    	wchar_t Command[512];
    }COMMAND_MESSAGE, * PCOMMAND_MESSAGE;
    int NPSendMessage(PVOID InputBuffer) {
    	DWORD bytesReturned = 0;
    	DWORD hResult = 0;
    	PCOMMAND_MESSAGE command_message = (PCOMMAND_MESSAGE)InputBuffer;
    	hResult=FilterSendMessage(g_hPort, command_message,sizeof(COMMAND_MESSAGE),NULL,NULL,&bytesReturned);
    	if (hResult!=S_OK) {
    		printf("消息发送失败:%d\r\n", hResult);
    		return hResult;
    	}
    	else {
    		return true;
    	}
    }
    LPWSTR ConvertAnsiToUnicode(LPSTR ansiString) {
    	int requiredSize = MultiByteToWideChar(CP_ACP, 0, ansiString, -1, NULL, 0);
    
    	if (requiredSize > 0) {
    		LPWSTR unicodeString = (LPWSTR)malloc(requiredSize * sizeof(wchar_t));
    
    		if (unicodeString != NULL) {
    			MultiByteToWideChar(CP_ACP, 0, ansiString, -1, unicodeString, requiredSize);
    			return unicodeString;
    		}
    	}
    
    	return NULL; // 转换失败或内存分配失败
    }
    int main(){
    
    	DWORD hResult = FilterConnectCommunicationPort(NPMINI_PORT_NAME, 0, NULL, 0, NULL, &g_hPort);
    	if (hResult != S_OK) {
    		printf("通讯失败\r\n");
    		printf("%d\r\n", hResult);
    		return hResult;
    	}
    	else {
    		printf("通讯成功\r\n");
    		wchar_t buffer[512];
    		LPWSTR cmdLineW = GetCommandLine();
    		LPSTR cmdLineA = GetCommandLineA();
    		int argc;
    		if (cmdLineW != NULL && cmdLineW[0] != L'\0' && wcslen(cmdLineW) > 0) {
    			LPWSTR* argv = CommandLineToArgvW(cmdLineW, &argc);
    			if (argv[1] != NULL) {
    				ZeroMemory(buffer, 512);
    				wcscpy(buffer, argv[1]);
    				printf("w:%ws", buffer);
    				NPSendMessage(buffer);
    				exit(0);
    			}
    		}
    		if (cmdLineA != NULL && cmdLineA[0] != '\0' && strlen(cmdLineA) > 0) {
    			LPWSTR res = ConvertAnsiToUnicode(cmdLineA);
    			LPWSTR* argv = CommandLineToArgvW(res, &argc);
    			if (argv[1] != NULL) {
    				ZeroMemory(buffer, 512);
    				wcscpy(buffer, argv[1]);
    				printf("A:%ws", buffer);
    				NPSendMessage(buffer);
    				exit(0);
    			}
    		}
    	}
    	
    	return 0;
    }
    
    
    • 1
    • 2
    • 3
    • 4
    • 5
    • 6
    • 7
    • 8
    • 9
    • 10
    • 11
    • 12
    • 13
    • 14
    • 15
    • 16
    • 17
    • 18
    • 19
    • 20
    • 21
    • 22
    • 23
    • 24
    • 25
    • 26
    • 27
    • 28
    • 29
    • 30
    • 31
    • 32
    • 33
    • 34
    • 35
    • 36
    • 37
    • 38
    • 39
    • 40
    • 41
    • 42
    • 43
    • 44
    • 45
    • 46
    • 47
    • 48
    • 49
    • 50
    • 51
    • 52
    • 53
    • 54
    • 55
    • 56
    • 57
    • 58
    • 59
    • 60
    • 61
    • 62
    • 63
    • 64
    • 65
    • 66
    • 67
    • 68
    • 69
    • 70
    • 71
    • 72
    • 73
    • 74
    • 75
    • 76
    • 77
    • 78
    内核层
    #include 
    #include 
    #include 
    #define MINISPY_PORT_NAME                                L"\\FileiPortMin"  //通信端口名字
    
    PFLT_PORT     gServerPort;//服务端口
    PFLT_PORT     gClientPort;//客户端口
    static UNICODE_STRING ProtectedExtention = RTL_CONSTANT_STRING(L"com");
    wchar_t fileName[512]=L"mimikatz";
    //wchar_t* fileName = L"mimikatz.exe";
    //  Defines the commands between the utility and the filter
    typedef enum _MINI_COMMAND {
        ENUM_PASS = 0,
        ENUM_BLOCK
    } MINI_COMMAND;
    
    //  Defines the command structure between the utility and the filter.
    typedef struct _COMMAND_MESSAGE {
        MINI_COMMAND     Command;
    } COMMAND_MESSAGE, * PCOMMAND_MESSAGE;
    FLT_PREOP_CALLBACK_STATUS NPPreCreate(__inout PFLT_CALLBACK_DATA Data, __in PCFLT_RELATED_OBJECTS FltObjects, __deref_out_opt PVOID* CompletionContext) {
        UNREFERENCED_PARAMETER(CompletionContext);
        PAGED_CODE();
        FLT_PREOP_CALLBACK_STATUS ret = FLT_PREOP_SUCCESS_NO_CALLBACK;
        NTSTATUS status;
        PFLT_FILE_NAME_INFORMATION FileNameInfo = NULL;
        //文件IO执行放过可以执行
        if (Data->Iopb->MajorFunction == IRP_MJ_CREATE) {
            if (!FlagOn(Data->Iopb->Parameters.Create.Options, FILE_DISALLOW_EXCLUSIVE)) {
                return ret;
            }
        }
        if (FltObjects->FileObject != NULL) {
            status = FltGetFileNameInformation(Data, FLT_FILE_NAME_NORMALIZED | FLT_FILE_NAME_QUERY_DEFAULT, &FileNameInfo);
            if (NT_SUCCESS(status)) {
                //获取文件信息
                FltParseFileNameInformation(FileNameInfo);
                WCHAR pTempBuf[512] = { 0 };
                RtlCopyMemory(pTempBuf, FileNameInfo->Name.Buffer, FileNameInfo->Name.MaximumLength);
                //文件名称过滤
                if (wcsstr(pTempBuf, fileName) != NULL) {
                    Data->IoStatus.Status = STATUS_ACCESS_DENIED;
                    Data->IoStatus.Information = 0;
                    ret = FLT_PREOP_COMPLETE;
                }
                // 判断拓展名COM
                if (RtlCompareUnicodeString(&FileNameInfo->Extension, &ProtectedExtention, TRUE) == 0) {
                //IO拒绝请求
                    Data->IoStatus.Status = STATUS_ACCESS_DENIED;
                    Data->IoStatus.Information = 0;
                    ret = FLT_PREOP_COMPLETE;
                }
                // Clean up file name information.
                FltReleaseFileNameInformation(FileNameInfo);
            }
        }
        return ret;
    }
    CONST FLT_OPERATION_REGISTRATION Callbacks[] = {
        { IRP_MJ_CREATE, 0, NPPreCreate, NULL },				// DELETE_ON_CLOSE creation flag.
        { IRP_MJ_SET_INFORMATION, 0, NPPreCreate, NULL },		// FileInformationClass == FileDispositionInformation(Ex).
        { IRP_MJ_OPERATION_END }
    };
    PFLT_FILTER gFileterHandle;
    NTSTATUS PtUnload(__in FLT_FILTER_UNLOAD_FLAGS Flags) {
        UNREFERENCED_PARAMETER(Flags);
        FltUnregisterFilter(gFileterHandle);
        return STATUS_SUCCESS;
    }
    
    CONST FLT_REGISTRATION FilterRegistration = {
        sizeof(FLT_REGISTRATION),
        FLT_REGISTRATION_VERSION,
        0,
        NULL,
        Callbacks,//回调函数
        PtUnload,//卸载回调
        NULL,
        NULL,
        NULL,
        NULL,
        NULL,
        NULL,
        NULL
    
    };
    //通讯
    NTSTATUS OnConnectInternal(
        IN PFLT_PORT ClientPort,
        IN PVOID ServerPortCookie,
        IN PVOID ConnectionContext,
        IN ULONG SizeOfContext,
        OUT PVOID* ConnectionPortCookie
    ) {
        DbgPrint("OnConnectInternal");
        return 0;
    }
    
    VOID OnDisconnectInternal(
        IN PVOID ConnectionContext
    ) {
        DbgPrint("OnDisconnectInternal");
        //return 0;
    }
    
    VOID MessData(__in PVOID ConnectionCookie,
        __in_bcount_opt(InputBufferSize) PVOID InputBuffer,
        __in ULONG InputBufferSize,
        __out_bcount_part_opt(OutputBufferSize, *ReturnOutputBufferLength) PVOID OutputBuffer,
        __in ULONG OutputBufferSize,
        __out PULONG ReturnOutputBufferLength) {
        MINI_COMMAND command;
        NTSTATUS status;
    
        PAGED_CODE();
    
        UNREFERENCED_PARAMETER(ConnectionCookie);
        UNREFERENCED_PARAMETER(OutputBufferSize);
        UNREFERENCED_PARAMETER(OutputBuffer);
        if (InputBufferSize>0) {
            //DbgPrint("InputBuffer: %p\r\n", InputBuffer);
            DbgPrint("InputBuffer: %s\r\n", (wchar_t*)InputBuffer);
            RtlCopyMemory(fileName, InputBuffer, InputBufferSize);
        }
    }
    
    NTSTATUS
    DriverEntry(
        _In_ PDRIVER_OBJECT DriverObject,
        _In_ PUNICODE_STRING RegistryPath
    )
    {
        DbgPrint("DriverEntryOK\r\n");
        NTSTATUS status;
        PSECURITY_DESCRIPTOR sd;
        OBJECT_ATTRIBUTES oa;
        UNICODE_STRING uniString;
    
        UNREFERENCED_PARAMETER(RegistryPath);
    
        /*PT_DBG_PRINT(PTDBG_TRACE_ROUTINES,
            ("MiniFilter!DriverEntry: Entered\n"));*/
    
        //
        //  Register with FltMgr to tell it our callback routines
        //
    
        status = FltRegisterFilter(DriverObject,
            &FilterRegistration,
            &gFileterHandle);
    
        FLT_ASSERT(NT_SUCCESS(status));
    
        if (NT_SUCCESS(status)) {
    
            status = FltStartFiltering(gFileterHandle);
    
            if (!NT_SUCCESS(status)) {
    
                FltUnregisterFilter(gFileterHandle);
            }
        }
    
        //产生一个安全性叙述子
        status = FltBuildDefaultSecurityDescriptor(&sd, FLT_PORT_ALL_ACCESS);
        RtlInitUnicodeString(&uniString, MINISPY_PORT_NAME);
    
        //初始化对象属性
        InitializeObjectAttributes(&oa,
            &uniString,
            OBJ_KERNEL_HANDLE | OBJ_CASE_INSENSITIVE,
            NULL,
            sd);
    
        //内核建立通信端口
        status = FltCreateCommunicationPort(gFileterHandle, &gServerPort, &oa, NULL, OnConnectInternal, OnDisconnectInternal, MessData, 1);
        //FltFreeSecurityDescriptor(sd);
        DbgPrint("FltCreateCommunicationPort OK\r\n");
        return status;
    }
    
    • 1
    • 2
    • 3
    • 4
    • 5
    • 6
    • 7
    • 8
    • 9
    • 10
    • 11
    • 12
    • 13
    • 14
    • 15
    • 16
    • 17
    • 18
    • 19
    • 20
    • 21
    • 22
    • 23
    • 24
    • 25
    • 26
    • 27
    • 28
    • 29
    • 30
    • 31
    • 32
    • 33
    • 34
    • 35
    • 36
    • 37
    • 38
    • 39
    • 40
    • 41
    • 42
    • 43
    • 44
    • 45
    • 46
    • 47
    • 48
    • 49
    • 50
    • 51
    • 52
    • 53
    • 54
    • 55
    • 56
    • 57
    • 58
    • 59
    • 60
    • 61
    • 62
    • 63
    • 64
    • 65
    • 66
    • 67
    • 68
    • 69
    • 70
    • 71
    • 72
    • 73
    • 74
    • 75
    • 76
    • 77
    • 78
    • 79
    • 80
    • 81
    • 82
    • 83
    • 84
    • 85
    • 86
    • 87
    • 88
    • 89
    • 90
    • 91
    • 92
    • 93
    • 94
    • 95
    • 96
    • 97
    • 98
    • 99
    • 100
    • 101
    • 102
    • 103
    • 104
    • 105
    • 106
    • 107
    • 108
    • 109
    • 110
    • 111
    • 112
    • 113
    • 114
    • 115
    • 116
    • 117
    • 118
    • 119
    • 120
    • 121
    • 122
    • 123
    • 124
    • 125
    • 126
    • 127
    • 128
    • 129
    • 130
    • 131
    • 132
    • 133
    • 134
    • 135
    • 136
    • 137
    • 138
    • 139
    • 140
    • 141
    • 142
    • 143
    • 144
    • 145
    • 146
    • 147
    • 148
    • 149
    • 150
    • 151
    • 152
    • 153
    • 154
    • 155
    • 156
    • 157
    • 158
    • 159
    • 160
    • 161
    • 162
    • 163
    • 164
    • 165
    • 166
    • 167
    • 168
    • 169
    • 170
    • 171
    • 172
    • 173
    • 174
    • 175
    • 176
    • 177
    • 178
    • 179
    • 180
  • 相关阅读:
    TypeScript学习笔记
    java实现物流查询(使用阿里云物流查询接口)
    【算法题】1488. 避免洪水泛滥
    C++基础学习01
    美团技术官用时一个月精心整理这本Spring(第4版)实战学习文档
    基于springboot的校园跑腿平台
    【SQL】NodeJs 连接 MySql 、MySql 常见语句
    SaaSBase:什么是BoardMix?
    怎么用一个二维码展示多个内容?二维码汇总一个的方法
    8-12外部排序
  • 原文地址:https://blog.csdn.net/qq_18811919/article/details/132740321