InitializeObjectAttributes

最新推荐文章于 2018-03-23 19:35:44 发布
最新推荐文章于 2018-03-23 19:35:44 发布
阅读量3k 收藏
点赞数
分类专栏: WDK Document 文章标签: attributes object structure descriptor properties security
本文详细介绍了InitializeObjectAttributes宏的使用方法及其参数说明。该宏用于初始化OBJECT_ATTRIBUTES结构体,指定打开对象句柄的属性。文章涵盖了如何设置各种标志位及参数以实现不同功能。

摘要生成于 C知道 ,由 DeepSeek-R1 满血版支持, 前往体验 >

InitializeObjectAttributes

The InitializeObjectAttributes macro initializes the opaque OBJECT_ATTRIBUTES structure, which specifies the properties of an object handle to routines that open handles.

VOID
InitializeObjectAttributes(
    OUT POBJECT_ATTRIBUTES InitializedAttributes ,
    IN PUNICODE_STRING ObjectName ,
    IN ULONG Attributes ,
    IN HANDLE RootDirectory ,
    IN PSECURITY_DESCRIPTOR SecurityDescriptor
    );

Parameters
InitializedAttributes
Specifies the OBJECT_ATTRIBUTES structure to initialize.
ObjectName
Specifies the Unicode string name of the object for which a handle is to be opened. This must either be a fully qualified object name, or a relative path name to the object directory specified by the RootDirectory parameter.
Attributes
Specifies one or more of the following flags:
OBJ_INHERIT
This handle can be inherited by child processes of the current process.
OBJ_PERMANENT
This flag only applies to objects that are named within the object manager. By default, such objects are deleted when all open handles to them are closed. If this flag is specified, the object is not deleted when all open handles are closed. Drivers can use ZwMakeTemporaryObject to delete permanent objects.
OBJ_EXCLUSIVE
Only a single handle can be open for this object.
OBJ_CASE_INSENSITIVE
If this flag is specified, a case-insensitive comparison is used when matching the ObjectName parameter against the names of existing objects. Otherwise, object names are compared using the default system settings.
OBJ_OPENIF
If this flag is specified to a routine that creates objects, and that object already exists then the routine should open that object. Otherwise, the routine creating the object returns an NTSTATUS code of STATUS_OBJECT_NAME_COLLISION.
OBJ_KERNEL_HANDLE
Specifies that the handle can only be accessed in kernel mode.
OBJ_FORCE_ACCESS_CHECK
The routine opening the handle should enforce all access checks for the object, even if the handle is being opened in kernel mode.
RootDirectory
Specifies a handle to the root object directory for the path name specified in the ObjectName parameter. If ObjectName parameter is a fully-qualified object name, RootDirectory is NULL. Use ZwCreateDirectoryObject to obtain a handle to an object directory.
SecurityDescriptor
Specifies a security descriptor to apply to an object when it is created. Drivers can specify NULL to accept the default security for the object. This parameter is optional.
Return Value

None

Comments

InitializeObjectAttributes initializes an OBJECT_ATTRIBUTES structure that specifies the properties of an object handle to be opened. The caller can then pass a pointer to this structure to a routine that actually opens the handle.

Driver routines that run in a process context other than that of the system process must set the OBJ_KERNEL_HANDLE flag for the Attributes parameter. This flag restricts the use of a handle opened for that object to processes running only in kernel mode. Otherwise, the handle can be accessed by the process in whose context the driver is running.

Note that InitializeObjectAttributes always sets the SecurityQualityOfService member of OBJECT_ATTRIBUTES to NULL. Drivers that require a non-NULL value can set SecurityQualityOfService directly.

Requirements

Headers: Declared in Ntdef.h . Include Wdm.h or Ntddk.h .

《Windows内核安全与驱动编程》-第四章学习
WocW的博客
04-19 1143
文章目录文件、注册表、线程4.1 文件操作4.1.1 使用 OBJECT_ATTRIBUTES4.1.2 打开和关闭文件4.1.3 文件读/写操作4.2 注册表操作4.2.1 注册表键的打开4.2.2 注册表键的读4.2.3 注册表键的写4.3 时间与定时器4.3.1 获取当前“滴答”数4.3.2 获取当前系统时间4.3.3 使用定时器4.4 线程与事件4.4.1 使用系统线程4.4.2 在线程中...
SSDT HOOK技术(1)——获得SSDT函数索引号
苞米地里捉小鸡的博客
08-19 999
1.SSDT是什么? SSDT全程是System Services Discriptor Table 翻译过来就是系统服务描述符表,那么系统服务描述符是什么呢?根据官方的解释ssdt表就是把ring3的Win32 API和ring0的内核API联系起来。SSDT并不仅仅只包含一个庞大的地址索引表,它还包含着一些其它有用的信息,诸如地址索引的基地址、服务函数个数等。 那么我们可以理解为SSDT就是一个很庞大的数组,它被用来保存windows系统服务地址。 比如我们在R3层调用了CreateFile这个A
InitializeObjectAttributes.
12-03
得到到处函数指针InitializeObjectAttributes. ntdll
InitializeObjectAttributes
HXC_HUANG的博客
03-07 2373
InitializeObjectAttributes宏初始化一个OBJECT_ATTRIBUTES 结构体, 当一个例程打开对象时由此结构体指定目标对象的属性 参数 InitializedAttributes [out] 指定需初始化的OBJECT_ATTRIBUTES结构体。 ObjectName [in] 指向Unicode字符串的指针,它包含将要打开句柄的对象名称
InitializeObjectAttributes 【MSDN翻译】
死胖子的博客
02-03 6129
InitializeObjectAttributes 初始化一个 OBJECT_ATTRIBUTES 结构用于指定一个需要打开的对象的属性。用于调用者在实际打开此句柄的例程中传入此结构体的指针。 除了在系统进程上下文运行中的驱动例程外执行此函数时都必须在参数Attributes 中指定OBJ_KERNEL_HANDLE 属性。此参数限定了句柄仅能被在内核模式下运行的进程打开。
InitializeObjectAttributes
weixin_30339457的博客
06-03 263
InitializeObjectAttributes 宏 用googlet翻译的,欢迎指正。 The InitializeObjectAttributes macro initializes the opaque OBJECT_ATTRIBUTES structure, which specifies the properties of an object handle to routines...
易语言枚举内核驱动
08-21
易语言枚举内核驱动源码系统结构:驱动操作_枚举内核驱动,进制转换_Unicode转Ansi,lblexit,InitializeObjectAttributes,进制转换_Ansi转Unicode,内存读写_读字节集内存,lms520_ZwOpenDirectoryObject,lms520_Loc
在应用层使用ntdll.dll中的未导出函数
fengkuangfj的专栏
06-05 3716
// Test.cpp : 定义控制台应用程序的入口点。 // #include "stdafx.h" typedef NTSTATUS (NTAPI* NTCREATEFILE)( OUT PHANDLE FileHandle, IN ACCESS_MASK DesiredAccess, IN POBJECT_ATTRIBUTES ObjectAttributes, OUT PIO
InitializeObjectAttributesOBJECT_ATTRIBUTES
autumn20080101的专栏
12-24 2332
/* # Exploit Title: Avira Premium Security Suite NtCreateKey Race Condition Vulnerability # Date: 2010-11-03 # Author: Nikita Tarakanov (CISS Research Team) # Software Link: http://www.avira.com/ # V
关于不结束进程强删文件一点点看法
tianshibaijia
09-25 236
这也是好久以前的代码了。我是菜鸟,在这个问题上研究的不够深,说错了还请大牛指正。 这个问题也是一个老问题,不过我是菜鸟我有话要说。我在做这个问题的时候查阅了好多资料,其实这个问题不能算解决,这篇文章你将会看到一段比较长的代码,其实这段代码不是我写的,是网上一个比较有名的人(人称MJ)写的,据说这段代码是通过360文件粉碎机逆向出来的。 我查了好多资料,发现能够实现标题所说的功能大概有两...
ZwMakeTemporaryObject
yiyunoo的专栏
09-22 697
InitializeObjectAttributes(         &object_attributes,         &device_dir_name,         OBJ_PERMANENT, //永久性的对象         NULL,         NULL         ); 创建一个永久性对象后,马上调用    ZwMakeTemporaryObje
驱动中通过设备链接名取得磁盘符号的方法
qycer的专栏
08-07 5258
主要思路: 从驱动层设备链接名获取DosName很难做到通用,但DosName->DeviceSymblinkName可以做到通用,这样的话就有一种思路: 查询一个设备链接名对应的磁盘盘符的方法: 获取从A到Z的盘的设备链接名,如果有一个和传入的参数(设备链接名)完全匹配,那么其对应的盘符就是该设备链接名对应的盘符。 GetSymbolicLink( IN PUNICOD
查询注册表键默认值
kdebug的专栏
04-09 3286
HANDLE hNameKey = NULL; OBJECT_ATTRIBUTES attrName = {0}; RtlInitUnicodeString(&strUserName,wszUsersCodes); InitializeObjectAttributes(&attrName,&strUserName,OBJ_KERNEL_HANDLE | OBJ_CASE_INSENSITIVE,N
Windows内核编程基础篇之文件操作(一)
知其所以然
09-01 1557
使用OBJECT_ATTRIBUTES    通常来讲,打开文件应该传入文件的路径。但是内核并不接受这一字符串,使用者必须填写一个 OBJECT_ATTRIBUTES 结构。这个结构是非透明的。但是这个结构体 被函数 InitializeObjectAttributes 初始化。     下面是对 InitializeObjectAttributes 说明。 函数原型: VOID In
获取一个文件的attributes
allanGold
03-23 398
NSDictionary *attrs = [fm attributesOfItemAtPath:tempPath error:nil];id obj = attrs[NSFileCreationDate];注意这个 obj就是NSDate对象
使用minifilter 双缓存机制实现透明加解密处理完整代码
05-25
很抱歉,我无法为您提供完整的代码。但是,我可以为您提供一个简单的示例,以说明如何使用minifilter双缓存机制实现透明加解密处理。 在此示例中,我们将使用minifilter驱动程序来拦截文件访问,并使用双缓存机制对文件进行加解密处理。我们将使用AES算法进行加解密,并使用Windows CryptoAPI来实现加解密过程。 以下是示例代码的主要部分: ```c // 定义双缓存结构体 typedef struct _DOUBLE_BUFFER { PVOID DataBuffer; // 数据缓存 ULONG DataLength; // 数据长度 PVOID AuxBuffer; // 辅助缓存 ULONG AuxLength; // 辅助缓存长度 ULONG TotalLength; // 数据总长度 CRITICAL_SECTION Lock; // 互斥锁 } DOUBLE_BUFFER, *PDOUBLE_BUFFER; // 初始化双缓存 NTSTATUS InitializeDoubleBuffer(PDOUBLE_BUFFER pBuffer, ULONG TotalLength) { NTSTATUS status = STATUS_SUCCESS; pBuffer->DataBuffer = ExAllocatePoolWithTag(NonPagedPool, TotalLength, 'Tag1'); if (pBuffer->DataBuffer == NULL) { status = STATUS_INSUFFICIENT_RESOURCES; goto Exit; } pBuffer->DataLength = 0; pBuffer->AuxBuffer = ExAllocatePoolWithTag(NonPagedPool, TotalLength, 'Tag2'); if (pBuffer->AuxBuffer == NULL) { status = STATUS_INSUFFICIENT_RESOURCES; goto Exit; } pBuffer->AuxLength = 0; pBuffer->TotalLength = TotalLength; InitializeCriticalSection(&pBuffer->Lock); Exit: if (!NT_SUCCESS(status)) { if (pBuffer->DataBuffer != NULL) { ExFreePoolWithTag(pBuffer->DataBuffer, 'Tag1'); } if (pBuffer->AuxBuffer != NULL) { ExFreePoolWithTag(pBuffer->AuxBuffer, 'Tag2'); } } return status; } // 销毁双缓存 VOID DestroyDoubleBuffer(PDOUBLE_BUFFER pBuffer) { if (pBuffer->DataBuffer != NULL) { ExFreePoolWithTag(pBuffer->DataBuffer, 'Tag1'); } if (pBuffer->AuxBuffer != NULL) { ExFreePoolWithTag(pBuffer->AuxBuffer, 'Tag2'); } DeleteCriticalSection(&pBuffer->Lock); } // 读取文件到缓存 NTSTATUS ReadFileToBuffer(PFLT_CALLBACK_DATA Data, PFLT_RELATED_OBJECTS FltObjects, PVOID* pBuffer, PULONG pLength) { NTSTATUS status = STATUS_SUCCESS; HANDLE hFile = NULL; OBJECT_ATTRIBUTES objAttr; IO_STATUS_BLOCK ioStatus; FILE_STANDARD_INFORMATION fileInfo; LARGE_INTEGER byteOffset; ULONG length = 0; ULONG bytesRead = 0; InitializeObjectAttributes(&objAttr, &Data->Iopb->TargetFileObject->FileName, OBJ_CASE_INSENSITIVE | OBJ_KERNEL_HANDLE, NULL, NULL); status = FltCreateFile(FltObjects->Instance, FltObjects->FileObject, &hFile, FILE_READ_DATA, &objAttr, &ioStatus, NULL, FILE_ATTRIBUTE_NORMAL, FILE_SHARE_READ, FILE_OPEN, FILE_NON_DIRECTORY_FILE, NULL, 0, IO_IGNORE_SHARE_ACCESS_CHECK); if (!NT_SUCCESS(status)) { goto Exit; } status = ZwQueryInformationFile(hFile, &ioStatus, &fileInfo, sizeof(fileInfo), FileStandardInformation); if (!NT_SUCCESS(status)) { goto Exit; } length = (ULONG)fileInfo.EndOfFile.QuadPart; *pBuffer = ExAllocatePoolWithTag(NonPagedPool, length, 'Tag3'); if (*pBuffer == NULL) { status = STATUS_INSUFFICIENT_RESOURCES; goto Exit; } byteOffset.QuadPart = 0; status = ZwReadFile(hFile, NULL, NULL, NULL, &ioStatus, *pBuffer, length, &byteOffset, NULL); if (!NT_SUCCESS(status)) { goto Exit; } bytesRead = (ULONG)ioStatus.Information; if (bytesRead != length) { status = STATUS_FILE_CORRUPT_ERROR; goto Exit; } *pLength = length; Exit: if (hFile != NULL) { ZwClose(hFile); } if (!NT_SUCCESS(status) && *pBuffer != NULL) { ExFreePoolWithTag(*pBuffer, 'Tag3'); *pBuffer = NULL; *pLength = 0; } return status; } // 写入缓存到文件 NTSTATUS WriteBufferToFile(PFLT_CALLBACK_DATA Data, PFLT_RELATED_OBJECTS FltObjects, PVOID pBuffer, ULONG Length) { NTSTATUS status = STATUS_SUCCESS; HANDLE hFile = NULL; OBJECT_ATTRIBUTES objAttr; IO_STATUS_BLOCK ioStatus; LARGE_INTEGER byteOffset; InitializeObjectAttributes(&objAttr, &Data->Iopb->TargetFileObject->FileName, OBJ_CASE_INSENSITIVE | OBJ_KERNEL_HANDLE, NULL, NULL); status = FltCreateFile(FltObjects->Instance, FltObjects->FileObject, &hFile, FILE_WRITE_DATA, &objAttr, &ioStatus, NULL, FILE_ATTRIBUTE_NORMAL, FILE_SHARE_READ | FILE_SHARE_WRITE, FILE_OPEN_IF, FILE_NON_DIRECTORY_FILE, NULL, 0, IO_IGNORE_SHARE_ACCESS_CHECK); if (!NT_SUCCESS(status)) { goto Exit; } byteOffset.QuadPart = 0; status = ZwWriteFile(hFile, NULL, NULL, NULL, &ioStatus, pBuffer, Length, &byteOffset, NULL); if (!NT_SUCCESS(status)) { goto Exit; } Exit: if (hFile != NULL) { ZwClose(hFile); } return status; } // AES加密 NTSTATUS EncryptData(PVOID pData, ULONG Length, PVOID pKey, ULONG KeyLength) { NTSTATUS status = STATUS_SUCCESS; HCRYPTPROV hProv = 0; HCRYPTKEY hKey = 0; ULONG blockSize = 0; ULONG bufferLength = 0; PVOID pBuffer = NULL; // 获取加密算法的块大小 if (!CryptAcquireContext(&hProv, NULL, NULL, PROV_RSA_AES, CRYPT_VERIFYCONTEXT)) { status = STATUS_INTERNAL_ERROR; goto Exit; } if (!CryptCreateHash(hProv, CALG_SHA_256, 0, 0, NULL, NULL)) { status = STATUS_INTERNAL_ERROR; goto Exit; } if (!CryptDeriveKey(hProv, CALG_AES_256, NULL, 0, &hKey)) { status = STATUS_INTERNAL_ERROR; goto Exit; } if (!CryptGetKeyParam(hKey, KP_BLOCKLEN, (PBYTE)&blockSize, &bufferLength, 0)) { status = STATUS_INTERNAL_ERROR; goto Exit; } // 分配缓存 bufferLength = ROUND_UP(Length, blockSize); pBuffer = ExAllocatePoolWithTag(NonPagedPool, bufferLength, 'Tag4'); if (pBuffer == NULL) { status = STATUS_INSUFFICIENT_RESOURCES; goto Exit; } RtlZeroMemory(pBuffer, bufferLength); RtlCopyMemory(pBuffer, pData, Length); // 加密数据 if (!CryptEncrypt(hKey, NULL, TRUE, 0, (PBYTE)pBuffer, &Length, bufferLength)) { status = STATUS_INTERNAL_ERROR; goto Exit; } RtlCopyMemory(pData, pBuffer, Length); Exit: if (hKey != 0) { CryptDestroyKey(hKey); } if (hProv != 0) { CryptReleaseContext(hProv, 0); } if (pBuffer != NULL) { ExFreePoolWithTag(pBuffer, 'Tag4'); } return status; } // AES解密 NTSTATUS DecryptData(PVOID pData, ULONG Length, PVOID pKey, ULONG KeyLength) { NTSTATUS status = STATUS_SUCCESS; HCRYPTPROV hProv = 0; HCRYPTKEY hKey = 0; ULONG blockSize = 0; ULONG bufferLength = 0; PVOID pBuffer = NULL; // 获取解密算法的块大小 if (!CryptAcquireContext(&hProv, NULL, NULL, PROV_RSA_AES, CRYPT_VERIFYCONTEXT)) { status = STATUS_INTERNAL_ERROR; goto Exit; } if (!CryptCreateHash(hProv, CALG_SHA_256, 0, 0, NULL, NULL)) { status = STATUS_INTERNAL_ERROR; goto Exit; } if (!CryptDeriveKey(hProv, CALG_AES_256, NULL, 0, &hKey)) { status = STATUS_INTERNAL_ERROR; goto Exit; } if (!CryptGetKeyParam(hKey, KP_BLOCKLEN, (PBYTE)&blockSize, &bufferLength, 0)) { status = STATUS_INTERNAL_ERROR; goto Exit; } // 分配缓存 bufferLength = ROUND_UP(Length, blockSize); pBuffer = ExAllocatePoolWithTag(NonPagedPool, bufferLength, 'Tag5'); if (pBuffer == NULL) { status = STATUS_INSUFFICIENT_RESOURCES; goto Exit; } RtlZeroMemory(pBuffer, bufferLength); RtlCopyMemory(pBuffer, pData, Length); // 解密数据 if (!CryptDecrypt(hKey, NULL, TRUE, 0, (PBYTE)pBuffer, &Length)) { status = STATUS_INTERNAL_ERROR; goto Exit; } RtlCopyMemory(pData, pBuffer, Length); Exit: if (hKey != 0) { CryptDestroyKey(hKey); } if (hProv != 0) { CryptReleaseContext(hProv, 0); } if (pBuffer != NULL) { ExFreePoolWithTag(pBuffer, 'Tag5'); } return status; } // 处理文件读取操作 FLT_PREOP_CALLBACK_STATUS PreReadCallback(PFLT_CALLBACK_DATA Data, PCFLT_RELATED_OBJECTS FltObjects, PVOID* CompletionContext) { NTSTATUS status = STATUS_SUCCESS; PFILE_OBJECT pFileObject = FltObjects->FileObject; PVOID pBuffer = NULL; ULONG length = 0; PDOUBLE_BUFFER pDoubleBuffer = NULL; // 检查文件对象是否是普通文件 if ((pFileObject->Flags & FO_STREAM_FILE) != 0) { goto Exit; } // 检查文件大小是否超过双缓存的总长度 if (pFileObject->SectionObjectPointer->FileSize.QuadPart > MAX_DOUBLE_BUFFER_LENGTH) { goto Exit; } // 创建双缓存 pDoubleBuffer = ExAllocatePoolWithTag(NonPagedPool, sizeof(DOUBLE_BUFFER), 'Tag6'); if (pDoubleBuffer == NULL) { status = STATUS_INSUFFICIENT_RESOURCES; goto Exit; } status = InitializeDoubleBuffer(pDoubleBuffer, (ULONG)pFileObject->SectionObjectPointer->FileSize.QuadPart); if (!NT_SUCCESS(status)) { goto Exit; } // 读取文件到缓存 status = ReadFileToBuffer(Data, FltObjects, &pDoubleBuffer->DataBuffer, &pDoubleBuffer->DataLength); if (!NT_SUCCESS(status)) { goto Exit; } // 复制数据到辅助缓存 EnterCriticalSection(&pDoubleBuffer->Lock); RtlCopyMemory(pDoubleBuffer->AuxBuffer, pDoubleBuffer->DataBuffer, pDoubleBuffer->DataLength); pDoubleBuffer->AuxLength = pDoubleBuffer->DataLength; LeaveCriticalSection(&pDoubleBuffer->Lock); // 加密缓存中的数据 status = EncryptData(pDoubleBuffer->DataBuffer, pDoubleBuffer->DataLength, g_Key, g_KeyLength); if (!NT_SUCCESS(status)) { goto Exit; } // 将双缓存设置为完成上下文 *CompletionContext = pDoubleBuffer; Exit: if (!NT_SUCCESS(status)) { if (pDoubleBuffer != NULL) { DestroyDoubleBuffer(pDoubleBuffer); ExFreePoolWithTag(pDoubleBuffer, 'Tag6'); } Data->IoStatus.Status = status; return FLT_PREOP_COMPLETE; } return FLT_PREOP_SYNCHRONIZE; } // 处理文件写入操作 FLT_POSTOP_CALLBACK_STATUS PostWriteCallback(PFLT_CALLBACK_DATA Data, PCFLT_RELATED_OBJECTS FltObjects, PVOID CompletionContext, FLT_POST_OPERATION_FLAGS Flags) { NTSTATUS status = STATUS_SUCCESS; PFILE_OBJECT pFileObject = FltObjects->FileObject; PDOUBLE_BUFFER pDoubleBuffer = (PDOUBLE_BUFFER)CompletionContext; // 检查文件对象是否是普通文件 if ((pFileObject->Flags & FO_STREAM_FILE) != 0) { goto Exit; } // 复制数据到辅助缓存 EnterCriticalSection(&pDoubleBuffer->Lock); RtlCopyMemory(pDoubleBuffer->AuxBuffer, pDoubleBuffer->DataBuffer, pDoubleBuffer->DataLength); pDoubleBuffer->AuxLength = pDoubleBuffer->DataLength; LeaveCriticalSection(&pDoubleBuffer->Lock); // 解密辅助缓存中的数据 status = DecryptData(pDoubleBuffer->AuxBuffer, pDoubleBuffer->AuxLength, g_Key, g_KeyLength); if (!NT_SUCCESS(status)) { goto Exit; } // 写入缓存到文件 status = WriteBufferToFile(Data, FltObjects, pDoubleBuffer->AuxBuffer, pDoubleBuffer->AuxLength); if (!NT_SUCCESS(status)) { goto Exit; } Exit: if (pDoubleBuffer != NULL) { DestroyDoubleBuffer(pDoubleBuffer); ExFreePoolWithTag(pDoubleBuffer, 'Tag6'); } Data->IoStatus.Status = status; return FLT_POSTOP_FINISHED_PROCESSING; } // 注册minifilter回调 FLT_PREOP_CALLBACK_STATUS PreOperationCallback(PFLT_CALLBACK_DATA Data, PCFLT_RELATED_OBJECTS FltObjects, PVOID* CompletionContext) { switch (Data->Iopb->MajorFunction) { case IRP_MJ_READ: return PreReadCallback(Data, FltObjects, CompletionContext); default: return FLT_PREOP_SUCCESS_WITH_CALLBACK; } } FLT_POSTOP_CALLBACK_STATUS PostOperationCallback(PFLT_CALLBACK_DATA Data, PCFLT_RELATED_OBJECTS FltObjects, PVOID CompletionContext, FLT_POST_OPERATION_FLAGS Flags) { switch (Data->Iopb->MajorFunction) { case IRP_MJ_WRITE: return PostWriteCallback(Data, FltObjects, CompletionContext, Flags); default: return FLT_POSTOP_FINISHED_PROCESSING; } } // 注册minifilter驱动程序 NTSTATUS DriverEntry(PDRIVER_OBJECT DriverObject, PUNICODE_STRING RegistryPath) { NTSTATUS status = STATUS_SUCCESS; PFLT_FILTER pFilter = NULL; OBJECT_ATTRIBUTES objAttr; UNICODE_STRING uniString; // 初始化互斥锁 InitializeCriticalSection(&g_Lock); // 初始化加密密钥 RtlInitUnicodeString(&uniString, L"Password"); status = BCryptGenerateSymmetricKey(&g_hKey, &g_Algorithm, NULL, 0, (PUCHAR)uniString.Buffer, uniString.Length, 0); if (!NT_SUCCESS(status)) { goto Exit; } // 创建过滤器 RtlInitUnicodeString(&uniString, L"FileEncryptionFilter"); InitializeObjectAttributes(&objAttr, NULL, OBJ_KERNEL_HANDLE, NULL, NULL); status = FltCreateFilter(&g_FilterHandle, FLT_REGISTRATION_VERSION, &g_FilterRegistration, &g_FilterContext, &pFilter); if (!NT_SUCCESS(status)) { goto Exit; } // 注册回调函数 status = FltRegisterFilter(pFilter, DriverObject, &uniString, &g_FilterHandle); if (!NT_SUCCESS(status)) { goto Exit; } status = FltStartFiltering(pFilter); if (!NT_SUCCESS(status)) { goto Exit; } Exit: if (!NT_SUCCESS(status)) { if (g_hKey != NULL) { BCryptDestroyKey(g_hKey); g_hKey = NULL; } if (pFilter != NULL) { FltUnregisterFilter(pFilter); } if (g_FilterHandle != NULL) { FltClose(g_FilterHandle); } DeleteCriticalSection(&g_Lock); } return status; } // 卸载minifilter驱动程序 VOID DriverUnload(PDRIVER_OBJECT DriverObject) { PFLT_FILTER pFilter = NULL; if (g_FilterHandle != NULL) { FltGetFilterFromInstance(g_FilterHandle, &pFilter); FltStopFiltering(pFilter); FltUnregisterFilter(pFilter); FltClose(g_FilterHandle); } if (g_hKey != NULL) { BCryptDestroyKey(g_hKey); g_hKey = NULL; } DeleteCriticalSection(&g_Lock); } ``` 这只是一个简单的示例,实际实现中可能需要更多的代码来处理各种情况和错误。此外,请注意,此示例仅用于演示目的,并且未经过完整测试或优化,因此可能存在问题。
评论
添加红包

请填写红包祝福语或标题

红包个数最小为10个

红包金额最低5元

当前余额3.43前往充值 >
需支付:10.00
成就一亿技术人!
领取后你会自动成为博主和红包主的粉丝 规则
hope_wisdom
发出的红包
实付
使用余额支付
点击重新获取
扫码支付
钱包余额 0

抵扣说明:

1.余额是钱包充值的虚拟货币,按照1:1的比例进行支付金额的抵扣。
2.余额无法直接购买下载,可以购买VIP、付费专栏及课程。

余额充值