Minifilter过滤驱动与R3程序通讯实现文件保护

实现保护文件或目录、R3层通过与过滤驱动通讯通知要保护的文件或目录,可执行创建不可删除或修改。
1

R3层

#include
#include
#include
HANDLE g_hPort = INVALID_HANDLE_VALUE;//初始化句柄
#define NPMINI_NAME L"FileiPortMin"
#define NPMINI_PORT_NAME L"\\FileiPortMin"
#pragma comment (lib,"fltLib.lib")
typedef struct _COMAND_MESSAGE
{
	wchar_t Command[512];
}COMMAND_MESSAGE, * PCOMMAND_MESSAGE;
int NPSendMessage(PVOID InputBuffer) {
	DWORD bytesReturned = 0;
	DWORD hResult = 0;
	PCOMMAND_MESSAGE command_message = (PCOMMAND_MESSAGE)InputBuffer;
	hResult=FilterSendMessage(g_hPort, command_message,sizeof(COMMAND_MESSAGE),NULL,NULL,&bytesReturned);
	if (hResult!=S_OK) {
		printf("消息发送失败:%d\r\n", hResult);
		return hResult;
	}
	else {
		return true;
	}
}
LPWSTR ConvertAnsiToUnicode(LPSTR ansiString) {
	int requiredSize = MultiByteToWideChar(CP_ACP, 0, ansiString, -1, NULL, 0);

	if (requiredSize > 0) {
		LPWSTR unicodeString = (LPWSTR)malloc(requiredSize * sizeof(wchar_t));

		if (unicodeString != NULL) {
			MultiByteToWideChar(CP_ACP, 0, ansiString, -1, unicodeString, requiredSize);
			return unicodeString;
		}
	}

	return NULL; // 转换失败或内存分配失败
}
int main(){

	DWORD hResult = FilterConnectCommunicationPort(NPMINI_PORT_NAME, 0, NULL, 0, NULL, &g_hPort);
	if (hResult != S_OK) {
		printf("通讯失败\r\n");
		printf("%d\r\n", hResult);
		return hResult;
	}
	else {
		printf("通讯成功\r\n");
		wchar_t buffer[512];
		LPWSTR cmdLineW = GetCommandLine();
		LPSTR cmdLineA = GetCommandLineA();
		int argc;
		if (cmdLineW != NULL && cmdLineW[0] != L'\0' && wcslen(cmdLineW) > 0) {
			LPWSTR* argv = CommandLineToArgvW(cmdLineW, &argc);
			if (argv[1] != NULL) {
				ZeroMemory(buffer, 512);
				wcscpy(buffer, argv[1]);
				printf("w:%ws", buffer);
				NPSendMessage(buffer);
				exit(0);
			}
		}
		if (cmdLineA != NULL && cmdLineA[0] != '\0' && strlen(cmdLineA) > 0) {
			LPWSTR res = ConvertAnsiToUnicode(cmdLineA);
			LPWSTR* argv = CommandLineToArgvW(res, &argc);
			if (argv[1] != NULL) {
				ZeroMemory(buffer, 512);
				wcscpy(buffer, argv[1]);
				printf("A:%ws", buffer);
				NPSendMessage(buffer);
				exit(0);
			}
		}
	}
	
	return 0;
}

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78

内核层

#include 
#include 
#include 
#define MINISPY_PORT_NAME                                L"\\FileiPortMin"  //通信端口名字

PFLT_PORT     gServerPort;//服务端口
PFLT_PORT     gClientPort;//客户端口
static UNICODE_STRING ProtectedExtention = RTL_CONSTANT_STRING(L"com");
wchar_t fileName[512]=L"mimikatz";
//wchar_t* fileName = L"mimikatz.exe";
//  Defines the commands between the utility and the filter
typedef enum _MINI_COMMAND {
    ENUM_PASS = 0,
    ENUM_BLOCK
} MINI_COMMAND;

//  Defines the command structure between the utility and the filter.
typedef struct _COMMAND_MESSAGE {
    MINI_COMMAND     Command;
} COMMAND_MESSAGE, * PCOMMAND_MESSAGE;
FLT_PREOP_CALLBACK_STATUS NPPreCreate(__inout PFLT_CALLBACK_DATA Data, __in PCFLT_RELATED_OBJECTS FltObjects, __deref_out_opt PVOID* CompletionContext) {
    UNREFERENCED_PARAMETER(CompletionContext);
    PAGED_CODE();
    FLT_PREOP_CALLBACK_STATUS ret = FLT_PREOP_SUCCESS_NO_CALLBACK;
    NTSTATUS status;
    PFLT_FILE_NAME_INFORMATION FileNameInfo = NULL;
    //文件IO执行放过可以执行
    if (Data->Iopb->MajorFunction == IRP_MJ_CREATE) {
        if (!FlagOn(Data->Iopb->Parameters.Create.Options, FILE_DISALLOW_EXCLUSIVE)) {
            return ret;
        }
    }
    if (FltObjects->FileObject != NULL) {
        status = FltGetFileNameInformation(Data, FLT_FILE_NAME_NORMALIZED | FLT_FILE_NAME_QUERY_DEFAULT, &FileNameInfo);
        if (NT_SUCCESS(status)) {
            //获取文件信息
            FltParseFileNameInformation(FileNameInfo);
            WCHAR pTempBuf[512] = { 0 };
            RtlCopyMemory(pTempBuf, FileNameInfo->Name.Buffer, FileNameInfo->Name.MaximumLength);
            //文件名称过滤
            if (wcsstr(pTempBuf, fileName) != NULL) {
                Data->IoStatus.Status = STATUS_ACCESS_DENIED;
                Data->IoStatus.Information = 0;
                ret = FLT_PREOP_COMPLETE;
            }
            // 判断拓展名COM
            if (RtlCompareUnicodeString(&FileNameInfo->Extension, &ProtectedExtention, TRUE) == 0) {
            //IO拒绝请求
                Data->IoStatus.Status = STATUS_ACCESS_DENIED;
                Data->IoStatus.Information = 0;
                ret = FLT_PREOP_COMPLETE;
            }
            // Clean up file name information.
            FltReleaseFileNameInformation(FileNameInfo);
        }
    }
    return ret;
}
CONST FLT_OPERATION_REGISTRATION Callbacks[] = {
    { IRP_MJ_CREATE, 0, NPPreCreate, NULL },				// DELETE_ON_CLOSE creation flag.
    { IRP_MJ_SET_INFORMATION, 0, NPPreCreate, NULL },		// FileInformationClass == FileDispositionInformation(Ex).
    { IRP_MJ_OPERATION_END }
};
PFLT_FILTER gFileterHandle;
NTSTATUS PtUnload(__in FLT_FILTER_UNLOAD_FLAGS Flags) {
    UNREFERENCED_PARAMETER(Flags);
    FltUnregisterFilter(gFileterHandle);
    return STATUS_SUCCESS;
}

CONST FLT_REGISTRATION FilterRegistration = {
    sizeof(FLT_REGISTRATION),
    FLT_REGISTRATION_VERSION,
    0,
    NULL,
    Callbacks,//回调函数
    PtUnload,//卸载回调
    NULL,
    NULL,
    NULL,
    NULL,
    NULL,
    NULL,
    NULL

};
//通讯
NTSTATUS OnConnectInternal(
    IN PFLT_PORT ClientPort,
    IN PVOID ServerPortCookie,
    IN PVOID ConnectionContext,
    IN ULONG SizeOfContext,
    OUT PVOID* ConnectionPortCookie
) {
    DbgPrint("OnConnectInternal");
    return 0;
}

VOID OnDisconnectInternal(
    IN PVOID ConnectionContext
) {
    DbgPrint("OnDisconnectInternal");
    //return 0;
}

VOID MessData(__in PVOID ConnectionCookie,
    __in_bcount_opt(InputBufferSize) PVOID InputBuffer,
    __in ULONG InputBufferSize,
    __out_bcount_part_opt(OutputBufferSize, *ReturnOutputBufferLength) PVOID OutputBuffer,
    __in ULONG OutputBufferSize,
    __out PULONG ReturnOutputBufferLength) {
    MINI_COMMAND command;
    NTSTATUS status;

    PAGED_CODE();

    UNREFERENCED_PARAMETER(ConnectionCookie);
    UNREFERENCED_PARAMETER(OutputBufferSize);
    UNREFERENCED_PARAMETER(OutputBuffer);
    if (InputBufferSize>0) {
        //DbgPrint("InputBuffer: %p\r\n", InputBuffer);
        DbgPrint("InputBuffer: %s\r\n", (wchar_t*)InputBuffer);
        RtlCopyMemory(fileName, InputBuffer, InputBufferSize);
    }
}

NTSTATUS
DriverEntry(
    _In_ PDRIVER_OBJECT DriverObject,
    _In_ PUNICODE_STRING RegistryPath
)
{
    DbgPrint("DriverEntryOK\r\n");
    NTSTATUS status;
    PSECURITY_DESCRIPTOR sd;
    OBJECT_ATTRIBUTES oa;
    UNICODE_STRING uniString;

    UNREFERENCED_PARAMETER(RegistryPath);

    /*PT_DBG_PRINT(PTDBG_TRACE_ROUTINES,
        ("MiniFilter!DriverEntry: Entered\n"));*/

    //
    //  Register with FltMgr to tell it our callback routines
    //

    status = FltRegisterFilter(DriverObject,
        &FilterRegistration,
        &gFileterHandle);

    FLT_ASSERT(NT_SUCCESS(status));

    if (NT_SUCCESS(status)) {

        status = FltStartFiltering(gFileterHandle);

        if (!NT_SUCCESS(status)) {

            FltUnregisterFilter(gFileterHandle);
        }
    }

    //产生一个安全性叙述子
    status = FltBuildDefaultSecurityDescriptor(&sd, FLT_PORT_ALL_ACCESS);
    RtlInitUnicodeString(&uniString, MINISPY_PORT_NAME);

    //初始化对象属性
    InitializeObjectAttributes(&oa,
        &uniString,
        OBJ_KERNEL_HANDLE | OBJ_CASE_INSENSITIVE,
        NULL,
        sd);

    //内核建立通信端口
    status = FltCreateCommunicationPort(gFileterHandle, &gServerPort, &oa, NULL, OnConnectInternal, OnDisconnectInternal, MessData, 1);
    //FltFreeSecurityDescriptor(sd);
    DbgPrint("FltCreateCommunicationPort OK\r\n");
    return status;
}
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180