之前写的方法都比较不正规，这次采用设备过滤器来拦截命名管道的创建和打开，下面是效果图。

代码:
#include "ntifs.h"
// Per-device state of the filter device object.
typedef struct
{
    // The device object this filter sits on top of. Filled in by IoAttachDevice
    // in InitAttachDevice; every dispatch routine forwards IRPs to it and
    // DriverUnload passes it to IoDetachDevice.
    PDEVICE_OBJECT LowerDeviceObject;
}DEVICE_EXTENSION,*PDEVICE_EXTENSION;
// The single filter device object created by InitAttachDevice. NULL until the
// attach succeeds, and reset to NULL again by DriverUnload.
PDEVICE_OBJECT g_MyFilterDevice = NULL;
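// Unload routine: detach the filter from the NPFS device stack and delete the
// filter device object. Nothing is done unless InitAttachDevice succeeded
// (g_MyFilterDevice non-NULL), in which case LowerDeviceObject was set by
// IoAttachDevice.
//
// @param DriverObject  The driver being unloaded. Not used: the filter device
//                      is reached through g_MyFilterDevice.
void DriverUnload(PDRIVER_OBJECT DriverObject)
{
    UNREFERENCED_PARAMETER(DriverObject);
    DbgPrint("Npfs Filter Driver Unloadiang\n");
    if (g_MyFilterDevice)
    {
        // Take the lower device from the filter device's own extension rather
        // than from DriverObject->DeviceObject. Both name the same object here,
        // but the latter is only the head of the driver's device list and
        // would silently pick a different device if a second one were created.
        PDEVICE_EXTENSION Extension = (PDEVICE_EXTENSION)g_MyFilterDevice->DeviceExtension;
        if (Extension->LowerDeviceObject)
        {
            IoDetachDevice(Extension->LowerDeviceObject);
            Extension->LowerDeviceObject = NULL;
        }
        IoDeleteDevice(g_MyFilterDevice);
        g_MyFilterDevice = NULL;
    }
}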
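// Pass-through dispatch for every IRP major function this filter does not
// inspect: hand the IRP to the device below us unchanged.
//
// @param Device  Our filter device object; its extension holds the lower device.
// @param Irp     The IRP to forward.
// @return        Whatever the lower driver returns from IoCallDriver.
NTSTATUS CommonDispath(PDEVICE_OBJECT Device, PIRP Irp)
{
    PDEVICE_EXTENSION Extension = (PDEVICE_EXTENSION)Device->DeviceExtension;
    // No completion routine is registered, so the next driver may reuse our
    // stack location; skipping is the documented, cheaper alternative to
    // copying it.
    IoSkipCurrentIrpStackLocation(Irp);
    return IoCallDriver(Extension->LowerDeviceObject, Irp);
}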
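// IoCompletion routine for IRP_MJ_CREATE_NAMED_PIPE. It only runs if
// FilterCreateNamedPipeRoutine registers it with IoSetCompletionRoutine (that
// call is currently commented out there).
//
// @param Device   Our filter device object (unused).
// @param Irp      The completed IRP; Irp->IoStatus holds NPFS's result.
// @param Context  Context supplied at registration (unused).
// @return         STATUS_CONTINUE_COMPLETION, so the I/O manager keeps
//                 completing the IRP up the stack. A completion routine may
//                 only return that or STATUS_MORE_PROCESSING_REQUIRED; the
//                 previous `return Irp->IoStatus.Status` handed back an
//                 arbitrary NTSTATUS instead.
NTSTATUS FilterCreateNamedPipeCompletion(PDEVICE_OBJECT Device, PIRP Irp, PVOID Context)
{
    UNREFERENCED_PARAMETER(Device);
    UNREFERENCED_PARAMETER(Context);
    if (Irp->IoStatus.Status == STATUS_SUCCESS)
    {
        DbgPrint("FilterCreateNamedPipeCompletion success\n");
    }
    // The lower driver returned STATUS_PENDING: our own stack location must be
    // marked pending as well, otherwise the pending state is lost on the way up.
    if (Irp->PendingReturned)
    {
        IoMarkIrpPending(Irp);
    }
    return STATUS_CONTINUE_COMPLETION;
}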
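// IRP_MJ_CREATE dispatch: log the name of the pipe being opened, then forward
// the IRP to NPFS unchanged.
//
// @param Device  Our filter device object.
// @param Irp     The create IRP; the current stack location's FileObject
//                carries the name being opened.
// @return        Whatever NPFS returns from IoCallDriver.
NTSTATUS FilterCreateRoutine(PDEVICE_OBJECT Device, PIRP Irp)
{
    PIO_STACK_LOCATION Stack = IoGetCurrentIrpStackLocation(Irp);
    // FileObject is expected to be set on a create IRP, but a NULL here would
    // turn the DbgPrint into a kernel-mode dereference, so guard it.
    if (Stack->FileObject != NULL)
    {
        DbgPrint("Openning NamedPipe:%wZ\n", &Stack->FileObject->FileName);
    }
    // No completion routine is registered, so skip our stack location instead
    // of copying it before passing the IRP down.
    IoSkipCurrentIrpStackLocation(Irp);
    return IoCallDriver(((PDEVICE_EXTENSION)Device->DeviceExtension)->LowerDeviceObject, Irp);
}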
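// IRP_MJ_CREATE_NAMED_PIPE dispatch: log the name of the pipe being created,
// then forward the IRP to NPFS.
//
// @param Device  Our filter device object.
// @param Irp     The create-named-pipe IRP; the current stack location's
//                FileObject carries the pipe name.
// @return        Whatever NPFS returns from IoCallDriver.
NTSTATUS FilterCreateNamedPipeRoutine(PDEVICE_OBJECT Device, PIRP Irp)
{
    PIO_STACK_LOCATION Stack = IoGetCurrentIrpStackLocation(Irp);
    // FileObject is expected to be set on a create IRP, but a NULL here would
    // turn the DbgPrint into a kernel-mode dereference, so guard it.
    if (Stack->FileObject != NULL)
    {
        DbgPrint("Creating NamedPipe:%wZ\n",&Stack->FileObject->FileName);
    }
    // The stack location is copied (not skipped) so that a completion routine
    // can be registered on the next location. IoSetCompletionRoutine must be
    // called after the copy; enable the line below to observe NPFS's result in
    // FilterCreateNamedPipeCompletion.
    IoCopyCurrentIrpStackLocationToNext(Irp);
    //IoSetCompletionRoutine(Irp, FilterCreateNamedPipeCompletion, NULL, TRUE, FALSE, FALSE);
    return IoCallDriver(((PDEVICE_EXTENSION)Device->DeviceExtension)->LowerDeviceObject, Irp);
}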
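// Create the filter device object and attach it on top of the NPFS device
// (\Device\NamedPipe) so every IRP aimed at NPFS passes through this driver's
// dispatch routines first.
//
// @param DriverObject  The driver that owns the new filter device.
// @return  STATUS_SUCCESS, or the status of the failing IoCreateDevice /
//          IoAttachDevice call. On failure g_MyFilterDevice is left NULL.
NTSTATUS InitAttachDevice(PDRIVER_OBJECT DriverObject)
{
    UNICODE_STRING TargetName = RTL_CONSTANT_STRING(L"\\Device\\NamedPipe");
    NTSTATUS Status = STATUS_UNSUCCESSFUL;
    PDEVICE_EXTENSION Extension = NULL;

    do
    {
        // Use the same device type as the device being filtered, so code that
        // inspects the top of the stack still sees a named-pipe device.
        Status = IoCreateDevice(DriverObject, sizeof(DEVICE_EXTENSION), NULL, FILE_DEVICE_NAMED_PIPE, 0, FALSE, &g_MyFilterDevice);
        if (!NT_SUCCESS(Status))
        {
            DbgPrint("IoCreateDevice Failed! Status:0x%08x\n", Status);
            break;
        }
        Extension = (PDEVICE_EXTENSION)g_MyFilterDevice->DeviceExtension;
        RtlZeroMemory(Extension, sizeof(DEVICE_EXTENSION));

        Status = IoAttachDevice(g_MyFilterDevice, &TargetName, &Extension->LowerDeviceObject);
        if (!NT_SUCCESS(Status))
        {
            IoDeleteDevice(g_MyFilterDevice);
            g_MyFilterDevice = NULL;
            DbgPrint("IoAttachDevice Failed! Status:0x%08x\n", Status);
            break;
        }

        // A filter must present the same I/O transfer method as the device
        // beneath it, so inherit the flag from the lower device instead of
        // hard-coding DO_BUFFERED_IO. DO_DEVICE_INITIALIZING is cleared only
        // now, after the attach, so no IRP reaches a half-built device.
        g_MyFilterDevice->Flags |= Extension->LowerDeviceObject->Flags & (DO_BUFFERED_IO | DO_DIRECT_IO);
        g_MyFilterDevice->Flags &= ~DO_DEVICE_INITIALIZING;
    } while (0);

    return Status;
}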
EXTERN_C_START
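// Driver entry point: route every major function to the pass-through
// dispatch, override the two create paths this filter watches, register the
// unload routine, and attach to NPFS.
//
// @param DriverObject  Driver object supplied by the I/O manager.
// @param RegistryPath  The driver's service key (unused).
// @return              STATUS_SUCCESS, or the status InitAttachDevice failed with.
NTSTATUS DriverEntry(PDRIVER_OBJECT DriverObject, PUNICODE_STRING RegistryPath)
{
    UNREFERENCED_PARAMETER(RegistryPath);
    NTSTATUS Status = STATUS_UNSUCCESSFUL;

    // MajorFunction holds IRP_MJ_MAXIMUM_FUNCTION + 1 entries. The previous
    // `i < IRP_MJ_MAXIMUM_FUNCTION` bound left the last slot (IRP_MJ_PNP) at
    // the I/O manager's default, which fails such IRPs instead of passing
    // them down to NPFS.
    for (int i = 0; i <= IRP_MJ_MAXIMUM_FUNCTION; i++)
    {
        DriverObject->MajorFunction[i] = CommonDispath;
    }
    DriverObject->MajorFunction[IRP_MJ_CREATE_NAMED_PIPE] = FilterCreateNamedPipeRoutine;
    DriverObject->MajorFunction[IRP_MJ_CREATE] = FilterCreateRoutine;
    DriverObject->DriverUnload = DriverUnload;

    Status = InitAttachDevice(DriverObject);
    if (!NT_SUCCESS(Status))
    {
        DbgPrint("InitAttachDevice Failed! Status:0x%08x\n",Status);
        return Status;
    }
    return STATUS_SUCCESS;
}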
EXTERN_C_END
本文介绍了一种使用设备过滤器来拦截命名管道创建和打开的方法,通过在内核级别进行操作,可以精确控制和监视命名管道的交互过程。



