IRP_MJ_CREATE派遣例程里能获取的信息

    在IRP_MJ_CREATE里面能够得到的调用ZwCreateFile传递的参数值,分析参数获取所需要过滤的文件信息.

    详细说明的请参考下面代码框内容:

 

/*++ 1.irpSp->Parameters.Create: struct { PIO_SECURITY_CONTEXT SecurityContext; ULONG Options; USHORT POINTER_ALIGNMENT FileAttributes; USHORT ShareAccess; ULONG POINTER_ALIGNMENT EaLength; } Create; 2.IO_SECURITY_CONTEXT: typedef struct _IO_SECURITY_CONTEXT { PSECURITY_QUALITY_OF_SERVICE SecurityQos; PACCESS_STATE AccessState; ACCESS_MASK DesiredAccess; ULONG FullCreateOptions; } IO_SECURITY_CONTEXT, *PIO_SECURITY_CONTEXT; 3.ZwCreateFile NTSTATUS ZwCreateFile( __out PHANDLE FileHandle, __in ACCESS_MASK DesiredAccess,// __in POBJECT_ATTRIBUTES ObjectAttributes, __out PIO_STATUS_BLOCK IoStatusBlock, __in_opt PLARGE_INTEGER AllocationSize, __in ULONG FileAttributes, // __in ULONG ShareAccess, // __in ULONG CreateDisposition, // __in ULONG CreateOptions, // __in_opt PVOID EaBuffer, __in ULONG EaLength ); 4.Information DesiredAccess => irpSp->Parameters.Create.SecurityContext->DesiredAccess FileAttributes => irpSp->Parameters.Create.FileAttributes ShareAccess => irpSp->Parameters.Create.ShareAccess CreateDispostion => irpSp->Parameters.Create.Options(High 8 bits) CreateOptions => irpSp->Parameters.Create.Options(Low 24 bits) 5.Details // // Define the create disposition values // #define FILE_SUPERSEDE 0x00000000 #define FILE_OPEN 0x00000001 #define FILE_CREATE 0x00000002 #define FILE_OPEN_IF 0x00000003 #define FILE_OVERWRITE 0x00000004 #define FILE_OVERWRITE_IF 0x00000005 #define FILE_MAXIMUM_DISPOSITION 0x00000005 // // Define the create/open option flags // #define FILE_DIRECTORY_FILE 0x00000001 #define FILE_WRITE_THROUGH 0x00000002 #define FILE_SEQUENTIAL_ONLY 0x00000004 #define FILE_NO_INTERMEDIATE_BUFFERING 0x00000008 #define FILE_SYNCHRONOUS_IO_ALERT 0x00000010 #define FILE_SYNCHRONOUS_IO_NONALERT 0x00000020 #define FILE_NON_DIRECTORY_FILE 0x00000040 #define FILE_CREATE_TREE_CONNECTION 0x00000080 #define FILE_COMPLETE_IF_OPLOCKED 0x00000100 #define FILE_NO_EA_KNOWLEDGE 0x00000200 #define FILE_OPEN_REMOTE_INSTANCE 0x00000400 #define FILE_RANDOM_ACCESS 0x00000800 #define FILE_DELETE_ON_CLOSE 0x00001000 #define FILE_OPEN_BY_FILE_ID 0x00002000 #define FILE_OPEN_FOR_BACKUP_INTENT 0x00004000 #define FILE_NO_COMPRESSION 0x00008000 #if (NTDDI_VERSION >= NTDDI_WIN7) #define FILE_OPEN_REQUIRING_OPLOCK 0x00010000 #define FILE_DISALLOW_EXCLUSIVE 0x00020000 #endif // NTDDI_VERSION >= NTDDI_WIN7 #define FILE_RESERVE_OPFILTER 0x00100000 #define FILE_OPEN_REPARSE_POINT 0x00200000 #define FILE_OPEN_NO_RECALL 0x00400000 #define FILE_OPEN_FOR_FREE_SPACE_QUERY 0x00800000 #define FILE_VALID_OPTION_FLAGS 0x00ffffff #define FILE_VALID_PIPE_OPTION_FLAGS 0x00000032 #define FILE_VALID_MAILSLOT_OPTION_FLAGS 0x00000032 #define FILE_VALID_SET_FLAGS 0x00000036 // // Define access rights to files and directories // #define FILE_READ_DATA ( 0x0001 ) // file & pipe #define FILE_LIST_DIRECTORY ( 0x0001 ) // directory #define FILE_WRITE_DATA ( 0x0002 ) // file & pipe #define FILE_ADD_FILE ( 0x0002 ) // directory #define FILE_APPEND_DATA ( 0x0004 ) // file #define FILE_ADD_SUBDIRECTORY ( 0x0004 ) // directory #define FILE_CREATE_PIPE_INSTANCE ( 0x0004 ) // named pipe #define FILE_READ_EA ( 0x0008 ) // file & directory #define FILE_WRITE_EA ( 0x0010 ) // file & directory #define FILE_EXECUTE ( 0x0020 ) // file #define FILE_TRAVERSE ( 0x0020 ) // directory #define FILE_DELETE_CHILD ( 0x0040 ) // directory #define FILE_READ_ATTRIBUTES ( 0x0080 ) // all #define FILE_WRITE_ATTRIBUTES ( 0x0100 ) // all #define FILE_ALL_ACCESS (STANDARD_RIGHTS_REQUIRED | SYNCHRONIZE | 0x1FF) #define FILE_GENERIC_READ (STANDARD_RIGHTS_READ |/ FILE_READ_DATA |/ FILE_READ_ATTRIBUTES |/ FILE_READ_EA |/ SYNCHRONIZE) #define FILE_GENERIC_WRITE (STANDARD_RIGHTS_WRITE |/ FILE_WRITE_DATA |/ FILE_WRITE_ATTRIBUTES |/ FILE_WRITE_EA |/ FILE_APPEND_DATA |/ SYNCHRONIZE) #define FILE_GENERIC_EXECUTE (STANDARD_RIGHTS_EXECUTE |/ FILE_READ_ATTRIBUTES |/ FILE_EXECUTE |/ SYNCHRONIZE) #define DELETE (0x00010000L) #define READ_CONTROL (0x00020000L) #define WRITE_DAC (0x00040000L) #define WRITE_OWNER (0x00080000L) #define SYNCHRONIZE (0x00100000L) #define STANDARD_RIGHTS_REQUIRED (0x000F0000L) #define STANDARD_RIGHTS_READ (READ_CONTROL) #define STANDARD_RIGHTS_WRITE (READ_CONTROL) #define STANDARD_RIGHTS_EXECUTE (READ_CONTROL) 6.Log & Analyze @@ CreateFlag is 05000060 @@ DesiredAccess is 001F01FF ReverseC.exe in IRP: IRP_MJ_CREATE irpSp->FileObject: TestCreate.txt @@ CreateFlag is 05000060 => FILE_OVERWRITE_IF(High 8 bits) | FILE_SYNCHRONOUS_IO_NONALERT | FILE_NON_DIRECTORY_FILE (Low 24 bits) #define FILE_OVERWRITE_IF 0x00000005 #define FILE_SYNCHRONOUS_IO_NONALERT 0x00000020 #define FILE_NON_DIRECTORY_FILE 0x00000040 @@ DesiredAccess is 001F01FF => FILE_ALL_ACCESS #define FILE_ALL_ACCESS (STANDARD_RIGHTS_REQUIRED | SYNCHRONIZE | 0x1FF) --*/

 

 

    DeleteFile()产生的IRP_MJ_CREATE如下,一般判断DELETE位足够,不必担心FILE_ALL_ACCESS的干扰.

/*++ DELETE is on! @@ CreateFlag is 01200040 @@ DesiredAccess is 00010080 irpSp->FileObject: /Test/TestCreate.txt @@ CreateFlag is 01200040 => FILE_READ_ATTRIBUTES | DELETE --*/