#include <ntifs.h>
#include <ntddk.h>
#include <Ntstrsafe.h>
#include <fltKernel.h>
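// Free a pool block and clear the pointer. Safe on NULL.
// Written as do { } while (0) so each macro is a single statement and
// `if (x) SafeFreeDelete(p); else ...` stays valid (the old `{ ... }` form
// left a stray `;` after the brace and broke such if/else pairs).
#define SafeFreeDelete(pData) do { if (pData) { ExFreePool(pData); (pData) = NULL; } } while (0)
// Drop one reference on an object and clear the pointer. Safe on NULL.
#define SafeDereferenceObject(Object) do { if (Object) { ObDereferenceObject(Object); (Object) = NULL; } } while (0)
// Close a kernel handle and clear it. Safe on NULL.
#define SafeCloseHandle(Handle) do { if (Handle) { ZwClose(Handle); (Handle) = NULL; } } while (0)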
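// Copy a counted string into one NonPagedPool block: the UNICODE_STRING header
// is followed by its character buffer, so a single ExFreePool releases both.
//
// strBuff: string to copy; must be non-NULL with a non-NULL Buffer and at least
//          one WCHAR of data.
// Returns: the copy, with MaximumLength = Length + one zeroed WCHAR so Buffer is
//          also NUL-terminated, or NULL on a bad argument / allocation failure.
//          The caller owns the result and frees it with SafeFreeDelete.
PUNICODE_STRING ExAllocateUnicodeStingPool(PUNICODE_STRING strBuff)
{
    // Test for NULL before anything else; MmIsAddressValid is only a snapshot
    // heuristic that the page is currently mapped, not a validity guarantee.
    if (strBuff == NULL || MmIsAddressValid(strBuff) == FALSE
        || strBuff->Buffer == NULL || strBuff->Length < sizeof(wchar_t))
    {
        ASSERT(FALSE);
        return NULL;
    }

    // Length is a USHORT, so this sum cannot overflow SIZE_T.
    SIZE_T totalSize = sizeof(UNICODE_STRING) + strBuff->Length + sizeof(wchar_t);
    const ULONG poolTag = 'gImL'; // pool tag (constructed for this driver) so leaks are attributable
    PUNICODE_STRING AllocateString = ExAllocatePoolWithTag(NonPagedPool, totalSize, poolTag);
    if (AllocateString == NULL)
    {
        ASSERT(FALSE);
        return NULL;
    }

    // Zeroing also supplies the trailing NUL WCHAR behind the copied data.
    RtlZeroMemory(AllocateString, totalSize);
    AllocateString->Length = strBuff->Length;
    AllocateString->MaximumLength = (USHORT)(strBuff->Length + sizeof(wchar_t));
    AllocateString->Buffer = (PWSTR)((PUCHAR)AllocateString + sizeof(UNICODE_STRING));
    RtlCopyMemory(AllocateString->Buffer, strBuff->Buffer, strBuff->Length);
    return AllocateString;
}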
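// Open the symbolic link pDeviceLinkName (e.g. "\??\C:"), read its target name
// and resolve that target to a device object / file object pair.
//
// On success (NT_SUCCESS) the caller owns and must release:
//   *pDeviceVolumeName - a NonPagedPool block (SafeFreeDelete),
//   *pFileObject       - a referenced file object (SafeDereferenceObject),
//   *pDeviceObject     - valid only while *pFileObject is referenced.
// On failure all three outputs are NULL and the caller owes nothing. Outputs
// are cleared up front so a failure can never leave the caller's uninitialized
// variable pointing at garbage that it later frees.
// Must be called at PASSIVE_LEVEL (Zw* object calls).
NTSTATUS GetSymbolicLinkObject(PUNICODE_STRING pDeviceLinkName, PDEVICE_OBJECT* pDeviceObject, PFILE_OBJECT* pFileObject, PUNICODE_STRING* pDeviceVolumeName)
{
    NTSTATUS status = STATUS_UNSUCCESSFUL;
    OBJECT_ATTRIBUTES ObjectAttributes;
    HANDLE LinkHandle = NULL;
    PUNICODE_STRING volumeName = NULL;
    const ULONG poolTag = 'gImL'; // pool tag (constructed for this driver)

    ASSERT(pDeviceLinkName);
    ASSERT(pDeviceObject);
    ASSERT(pFileObject);
    ASSERT(pDeviceVolumeName);
    if (pDeviceLinkName == NULL || pDeviceObject == NULL || pFileObject == NULL || pDeviceVolumeName == NULL)
    {
        return STATUS_INVALID_PARAMETER;
    }

    *pDeviceObject = NULL;
    *pFileObject = NULL;
    *pDeviceVolumeName = NULL;

    do
    {
        InitializeObjectAttributes(&ObjectAttributes, pDeviceLinkName, OBJ_KERNEL_HANDLE | OBJ_CASE_INSENSITIVE, NULL, NULL);
        status = ZwOpenSymbolicLinkObject(&LinkHandle, FILE_READ_ATTRIBUTES, &ObjectAttributes);
        if (!NT_SUCCESS(status))
        {
            break;
        }

        // One page holds the UNICODE_STRING header followed by its buffer.
        volumeName = ExAllocatePoolWithTag(NonPagedPool, PAGE_SIZE, poolTag);
        if (volumeName == NULL)
        {
            status = STATUS_INSUFFICIENT_RESOURCES;
            break;
        }
        RtlZeroMemory(volumeName, PAGE_SIZE);
        volumeName->Buffer = (PWSTR)((PUCHAR)volumeName + sizeof(UNICODE_STRING));
        volumeName->Length = 0;
        volumeName->MaximumLength = (USHORT)(PAGE_SIZE - sizeof(UNICODE_STRING));

        // Fills Buffer/Length with the link target (the native device name).
        status = ZwQuerySymbolicLinkObject(LinkHandle, volumeName, NULL);
        if (!NT_SUCCESS(status))
        {
            break;
        }

        status = IoGetDeviceObjectPointer(volumeName, FILE_READ_ATTRIBUTES, pFileObject, pDeviceObject);
        if (!NT_SUCCESS(status))
        {
            break;
        }

        // Hand the name to the caller; nothing left to free here.
        *pDeviceVolumeName = volumeName;
        volumeName = NULL;
    } while (FALSE);

    SafeFreeDelete(volumeName); // non-NULL only on a failure path
    SafeCloseHandle(LinkHandle);
    return status;
}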
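// Find the drive letter whose "\??\X:" link resolves to DeviceObject and
// return "<link target><pFileName>" as a fresh pool string. Note that the
// link target is the native device name the link points to, not "X:".
//
// DeviceObject: volume device to look for (compared against FILE_OBJECT.DeviceObject).
// pFileName:    path appended after the link target.
// Returns: a string the caller frees with SafeFreeDelete, or NULL when no
//          drive letter matches, an argument is NULL, or allocation fails.
// Must be called at PASSIVE_LEVEL (see GetSymbolicLinkObject).
PUNICODE_STRING SymbolicLinkDeviceObjectToVolume(PDEVICE_OBJECT DeviceObject, PUNICODE_STRING pFileName)
{
    PUNICODE_STRING pName = NULL;
    PUNICODE_STRING pVolume = NULL;
    PDEVICE_OBJECT pDeviceObject = NULL;
    PFILE_OBJECT pFileObject = NULL;
    UNICODE_STRING unicodestring;
    NTSTATUS status;
    BOOLEAN matched = FALSE;
    const ULONG poolTag = 'gImL'; // pool tag (constructed for this driver)
    const SIZE_T scratchBytes = PAGE_SIZE * sizeof(wchar_t);

    // Per-call scratch buffer. The previous static array was shared by every
    // concurrent image-load callback (they run on any CPU in parallel), so two
    // callbacks could overwrite each other's name mid-format. PAGE_SIZE WCHARs
    // is too big for the kernel stack, hence pool.
    wchar_t *szText = ExAllocatePoolWithTag(NonPagedPool, scratchBytes, poolTag);
    if (szText == NULL || DeviceObject == NULL || pFileName == NULL)
    {
        SafeFreeDelete(szText);
        return NULL;
    }

    for (wchar_t Volume = L'A'; Volume <= L'Z'; Volume++)
    {
        RtlStringCbPrintfExW(szText, scratchBytes, NULL, NULL, STRSAFE_FILL_BEHIND_NULL, L"\\??\\%c:", Volume);
        RtlInitUnicodeString(&unicodestring, szText);
        status = GetSymbolicLinkObject(&unicodestring, &pDeviceObject, &pFileObject, &pVolume);
        if (!NT_SUCCESS(status))
        {
            // Callee released everything on failure (unassigned letters land here).
            continue;
        }

        if (pFileObject != NULL && DeviceObject == pFileObject->DeviceObject)
        {
            matched = TRUE;
            // Build "<link target><file name>" in scratch, then copy into a
            // block of its own. A truncated name is rejected rather than
            // returned as if it were complete.
            status = RtlStringCbPrintfExW(szText, scratchBytes, NULL, NULL, STRSAFE_FILL_BEHIND_NULL, L"%wZ%wZ", pVolume, pFileName);
            if (NT_SUCCESS(status))
            {
                RtlInitUnicodeString(&unicodestring, szText);
                pName = ExAllocateUnicodeStingPool(&unicodestring);
            }
        }

        // Release what GetSymbolicLinkObject handed us, match or not.
        SafeFreeDelete(pVolume);
        SafeDereferenceObject(pFileObject);
        if (matched)
        {
            break;
        }
    }

    SafeFreeDelete(szText);
    return pName;
}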
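// Image-load notification callback registered in DriverEntry.
// Logs the path of each loaded image via KdPrint. The kernel invokes it at
// PASSIVE_LEVEL in the context of the process the image is being mapped into.
//
// FullImageName: image path supplied by the kernel; may be NULL.
// ProcessId:     target process; NULL (0) for kernel-mode images.
// pImageInfo:    IMAGE_INFO; when ExtendedInfoPresent is set it is embedded
//                in an IMAGE_INFO_EX that also carries the image's FILE_OBJECT.
VOID loadImageNotifyRoutine(PUNICODE_STRING FullImageName, HANDLE ProcessId, PIMAGE_INFO pImageInfo)
{
    NTSTATUS status;

    do
    {
        if (pImageInfo == NULL)
        {
            ASSERT(FALSE);
            break;
        }

        // 32-bit kernel-mode image being mapped by the System process.
        // FullImageName is guarded because %wZ on NULL is not something we
        // want to rely on the formatter handling.
        if (FullImageName != NULL && pImageInfo->SystemModeImage
            && pImageInfo->ImageAddressingMode == IMAGE_ADDRESSING_MODE_32BIT
            && PsGetCurrentProcess() == PsInitialSystemProcess)
        {
            KdPrint(("%wZ\n", FullImageName));
        }

        // Extended info path (the original note says Windows 7 and later).
        if (pImageInfo->ExtendedInfoPresent)
        {
            PIMAGE_INFO_EX pImageInfoEx = CONTAINING_RECORD(pImageInfo, IMAGE_INFO_EX, ImageInfo);
            if (pImageInfoEx->Size != sizeof(IMAGE_INFO_EX))
            {
                ASSERT(FALSE);
                break;
            }

            // Author's note (2017-11-09): IoQueryFileDosDeviceName hung the
            // system from this callback; it would need a KeAreAllApcsDisabled()
            // check for disabled kernel APCs first. The filter-manager name
            // query is used instead.
            PFLT_FILE_NAME_INFORMATION FileNameInformation = NULL;
            status = FltGetFileNameInformationUnsafe(pImageInfoEx->FileObject, NULL, FLT_FILE_NAME_NORMALIZED | FLT_FILE_NAME_QUERY_DEFAULT, &FileNameInformation);
            if (NT_SUCCESS(status))
            {
                KdPrint(("%wZ\n", &FileNameInformation->Name));
                FltReleaseFileNameInformation(FileNameInformation);
            }
        }
#ifndef _WIN64
        else
        {
            // Fallback for systems without IMAGE_INFO_EX; 32-bit builds only.
            if (FullImageName == NULL || ProcessId == NULL)
            {
                if (FullImageName != NULL)
                {
                    KdPrint(("%wZ\n", FullImageName));
                }
                break;
            }

            // NOTE(review): this assumes that on those systems FullImageName
            // is the FileName member of the image's FILE_OBJECT, which is not
            // a documented contract. MmIsAddressValid only says the page is
            // mapped right now and the Type check only catches gross
            // mismatches; confirm against each supported OS before trusting it.
            PFILE_OBJECT pFileObject = CONTAINING_RECORD(FullImageName, FILE_OBJECT, FileName);
            if (!MmIsAddressValid(pFileObject) || pFileObject->Type != IO_TYPE_FILE)
            {
                KdPrint(("%wZ\n", FullImageName));
                break;
            }

            PUNICODE_STRING pName = SymbolicLinkDeviceObjectToVolume(pFileObject->DeviceObject, &pFileObject->FileName);
            if (pName)
            {
                KdPrint(("%wZ\n", pName));
                SafeFreeDelete(pName);
            }
        }
#endif
    } while (FALSE);
}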
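// Driver unload: unregister the image-load callback before this image is
// unmapped. Leaving it registered would make the kernel call into freed
// memory on the next image load.
VOID DriverUnload(IN PDRIVER_OBJECT DriverObject)
{
    UNREFERENCED_PARAMETER(DriverObject);

    NTSTATUS status = PsRemoveLoadImageNotifyRoutine(loadImageNotifyRoutine);
    ASSERT(NT_SUCCESS(status));
    UNREFERENCED_PARAMETER(status); // ASSERT compiles out in free builds
}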
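// Driver entry point: install the unload routine and register the
// image-load callback.
//
// Returns: the status of PsSetLoadImageNotifyRoutine, so a registration
//          failure unloads the driver instead of leaving an inert one loaded.
NTSTATUS DriverEntry(IN PDRIVER_OBJECT DriverObject, IN PUNICODE_STRING RegistryPath)
{
    NTSTATUS status;

    UNREFERENCED_PARAMETER(RegistryPath);

    DriverObject->DriverUnload = DriverUnload;

    // Only break when a kernel debugger is attached; an unconditional
    // DbgBreakPoint() bugchecks a machine that has none.
    if (!KD_DEBUGGER_NOT_PRESENT)
    {
        DbgBreakPoint();
    }

    status = PsSetLoadImageNotifyRoutine(loadImageNotifyRoutine);
    if (!NT_SUCCESS(status))
    {
        KdPrint(("PsSetLoadImageNotifyRoutine failed: 0x%08lX\n", status));
    }
    return status;
}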
#include <ntddk.h>
#include <Ntstrsafe.h>
#include <fltKernel.h>
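// Free a pool block and clear the pointer. Safe on NULL.
// Written as do { } while (0) so each macro is a single statement and
// `if (x) SafeFreeDelete(p); else ...` stays valid (the old `{ ... }` form
// left a stray `;` after the brace and broke such if/else pairs).
#define SafeFreeDelete(pData) do { if (pData) { ExFreePool(pData); (pData) = NULL; } } while (0)
// Drop one reference on an object and clear the pointer. Safe on NULL.
#define SafeDereferenceObject(Object) do { if (Object) { ObDereferenceObject(Object); (Object) = NULL; } } while (0)
// Close a kernel handle and clear it. Safe on NULL.
#define SafeCloseHandle(Handle) do { if (Handle) { ZwClose(Handle); (Handle) = NULL; } } while (0)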
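// Copy a counted string into one NonPagedPool block: the UNICODE_STRING header
// is followed by its character buffer, so a single ExFreePool releases both.
//
// strBuff: string to copy; must be non-NULL with a non-NULL Buffer and at least
//          one WCHAR of data.
// Returns: the copy, with MaximumLength = Length + one zeroed WCHAR so Buffer is
//          also NUL-terminated, or NULL on a bad argument / allocation failure.
//          The caller owns the result and frees it with SafeFreeDelete.
PUNICODE_STRING ExAllocateUnicodeStingPool(PUNICODE_STRING strBuff)
{
    // Test for NULL before anything else; MmIsAddressValid is only a snapshot
    // heuristic that the page is currently mapped, not a validity guarantee.
    if (strBuff == NULL || MmIsAddressValid(strBuff) == FALSE
        || strBuff->Buffer == NULL || strBuff->Length < sizeof(wchar_t))
    {
        ASSERT(FALSE);
        return NULL;
    }

    // Length is a USHORT, so this sum cannot overflow SIZE_T.
    SIZE_T totalSize = sizeof(UNICODE_STRING) + strBuff->Length + sizeof(wchar_t);
    const ULONG poolTag = 'gImL'; // pool tag (constructed for this driver) so leaks are attributable
    PUNICODE_STRING AllocateString = ExAllocatePoolWithTag(NonPagedPool, totalSize, poolTag);
    if (AllocateString == NULL)
    {
        ASSERT(FALSE);
        return NULL;
    }

    // Zeroing also supplies the trailing NUL WCHAR behind the copied data.
    RtlZeroMemory(AllocateString, totalSize);
    AllocateString->Length = strBuff->Length;
    AllocateString->MaximumLength = (USHORT)(strBuff->Length + sizeof(wchar_t));
    AllocateString->Buffer = (PWSTR)((PUCHAR)AllocateString + sizeof(UNICODE_STRING));
    RtlCopyMemory(AllocateString->Buffer, strBuff->Buffer, strBuff->Length);
    return AllocateString;
}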
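// Open the symbolic link pDeviceLinkName (e.g. "\??\C:"), read its target name
// and resolve that target to a device object / file object pair.
//
// On success (NT_SUCCESS) the caller owns and must release:
//   *pDeviceVolumeName - a NonPagedPool block (SafeFreeDelete),
//   *pFileObject       - a referenced file object (SafeDereferenceObject),
//   *pDeviceObject     - valid only while *pFileObject is referenced.
// On failure all three outputs are NULL and the caller owes nothing. Outputs
// are cleared up front so a failure can never leave the caller's uninitialized
// variable pointing at garbage that it later frees.
// Must be called at PASSIVE_LEVEL (Zw* object calls).
NTSTATUS GetSymbolicLinkObject(PUNICODE_STRING pDeviceLinkName, PDEVICE_OBJECT* pDeviceObject, PFILE_OBJECT* pFileObject, PUNICODE_STRING* pDeviceVolumeName)
{
    NTSTATUS status = STATUS_UNSUCCESSFUL;
    OBJECT_ATTRIBUTES ObjectAttributes;
    HANDLE LinkHandle = NULL;
    PUNICODE_STRING volumeName = NULL;
    const ULONG poolTag = 'gImL'; // pool tag (constructed for this driver)

    ASSERT(pDeviceLinkName);
    ASSERT(pDeviceObject);
    ASSERT(pFileObject);
    ASSERT(pDeviceVolumeName);
    if (pDeviceLinkName == NULL || pDeviceObject == NULL || pFileObject == NULL || pDeviceVolumeName == NULL)
    {
        return STATUS_INVALID_PARAMETER;
    }

    *pDeviceObject = NULL;
    *pFileObject = NULL;
    *pDeviceVolumeName = NULL;

    do
    {
        InitializeObjectAttributes(&ObjectAttributes, pDeviceLinkName, OBJ_KERNEL_HANDLE | OBJ_CASE_INSENSITIVE, NULL, NULL);
        status = ZwOpenSymbolicLinkObject(&LinkHandle, FILE_READ_ATTRIBUTES, &ObjectAttributes);
        if (!NT_SUCCESS(status))
        {
            break;
        }

        // One page holds the UNICODE_STRING header followed by its buffer.
        volumeName = ExAllocatePoolWithTag(NonPagedPool, PAGE_SIZE, poolTag);
        if (volumeName == NULL)
        {
            status = STATUS_INSUFFICIENT_RESOURCES;
            break;
        }
        RtlZeroMemory(volumeName, PAGE_SIZE);
        volumeName->Buffer = (PWSTR)((PUCHAR)volumeName + sizeof(UNICODE_STRING));
        volumeName->Length = 0;
        volumeName->MaximumLength = (USHORT)(PAGE_SIZE - sizeof(UNICODE_STRING));

        // Fills Buffer/Length with the link target (the native device name).
        status = ZwQuerySymbolicLinkObject(LinkHandle, volumeName, NULL);
        if (!NT_SUCCESS(status))
        {
            break;
        }

        status = IoGetDeviceObjectPointer(volumeName, FILE_READ_ATTRIBUTES, pFileObject, pDeviceObject);
        if (!NT_SUCCESS(status))
        {
            break;
        }

        // Hand the name to the caller; nothing left to free here.
        *pDeviceVolumeName = volumeName;
        volumeName = NULL;
    } while (FALSE);

    SafeFreeDelete(volumeName); // non-NULL only on a failure path
    SafeCloseHandle(LinkHandle);
    return status;
}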
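// Find the drive letter whose "\??\X:" link resolves to DeviceObject and
// return "<link target><pFileName>" as a fresh pool string. Note that the
// link target is the native device name the link points to, not "X:".
//
// DeviceObject: volume device to look for (compared against FILE_OBJECT.DeviceObject).
// pFileName:    path appended after the link target.
// Returns: a string the caller frees with SafeFreeDelete, or NULL when no
//          drive letter matches, an argument is NULL, or allocation fails.
// Must be called at PASSIVE_LEVEL (see GetSymbolicLinkObject).
PUNICODE_STRING SymbolicLinkDeviceObjectToVolume(PDEVICE_OBJECT DeviceObject, PUNICODE_STRING pFileName)
{
    PUNICODE_STRING pName = NULL;
    PUNICODE_STRING pVolume = NULL;
    PDEVICE_OBJECT pDeviceObject = NULL;
    PFILE_OBJECT pFileObject = NULL;
    UNICODE_STRING unicodestring;
    NTSTATUS status;
    BOOLEAN matched = FALSE;
    const ULONG poolTag = 'gImL'; // pool tag (constructed for this driver)
    const SIZE_T scratchBytes = PAGE_SIZE * sizeof(wchar_t);

    // Per-call scratch buffer. The previous static array was shared by every
    // concurrent image-load callback (they run on any CPU in parallel), so two
    // callbacks could overwrite each other's name mid-format. PAGE_SIZE WCHARs
    // is too big for the kernel stack, hence pool.
    wchar_t *szText = ExAllocatePoolWithTag(NonPagedPool, scratchBytes, poolTag);
    if (szText == NULL || DeviceObject == NULL || pFileName == NULL)
    {
        SafeFreeDelete(szText);
        return NULL;
    }

    for (wchar_t Volume = L'A'; Volume <= L'Z'; Volume++)
    {
        RtlStringCbPrintfExW(szText, scratchBytes, NULL, NULL, STRSAFE_FILL_BEHIND_NULL, L"\\??\\%c:", Volume);
        RtlInitUnicodeString(&unicodestring, szText);
        status = GetSymbolicLinkObject(&unicodestring, &pDeviceObject, &pFileObject, &pVolume);
        if (!NT_SUCCESS(status))
        {
            // Callee released everything on failure (unassigned letters land here).
            continue;
        }

        if (pFileObject != NULL && DeviceObject == pFileObject->DeviceObject)
        {
            matched = TRUE;
            // Build "<link target><file name>" in scratch, then copy into a
            // block of its own. A truncated name is rejected rather than
            // returned as if it were complete.
            status = RtlStringCbPrintfExW(szText, scratchBytes, NULL, NULL, STRSAFE_FILL_BEHIND_NULL, L"%wZ%wZ", pVolume, pFileName);
            if (NT_SUCCESS(status))
            {
                RtlInitUnicodeString(&unicodestring, szText);
                pName = ExAllocateUnicodeStingPool(&unicodestring);
            }
        }

        // Release what GetSymbolicLinkObject handed us, match or not.
        SafeFreeDelete(pVolume);
        SafeDereferenceObject(pFileObject);
        if (matched)
        {
            break;
        }
    }

    SafeFreeDelete(szText);
    return pName;
}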
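// Image-load notification callback registered in DriverEntry.
// Logs the path of each loaded image via KdPrint. The kernel invokes it at
// PASSIVE_LEVEL in the context of the process the image is being mapped into.
//
// FullImageName: image path supplied by the kernel; may be NULL.
// ProcessId:     target process; NULL (0) for kernel-mode images.
// pImageInfo:    IMAGE_INFO; when ExtendedInfoPresent is set it is embedded
//                in an IMAGE_INFO_EX that also carries the image's FILE_OBJECT.
VOID loadImageNotifyRoutine(PUNICODE_STRING FullImageName, HANDLE ProcessId, PIMAGE_INFO pImageInfo)
{
    NTSTATUS status;

    do
    {
        if (pImageInfo == NULL)
        {
            ASSERT(FALSE);
            break;
        }

        // 32-bit kernel-mode image being mapped by the System process.
        // FullImageName is guarded because %wZ on NULL is not something we
        // want to rely on the formatter handling.
        if (FullImageName != NULL && pImageInfo->SystemModeImage
            && pImageInfo->ImageAddressingMode == IMAGE_ADDRESSING_MODE_32BIT
            && PsGetCurrentProcess() == PsInitialSystemProcess)
        {
            KdPrint(("%wZ\n", FullImageName));
        }

        // Extended info path (the original note says Windows 7 and later).
        if (pImageInfo->ExtendedInfoPresent)
        {
            PIMAGE_INFO_EX pImageInfoEx = CONTAINING_RECORD(pImageInfo, IMAGE_INFO_EX, ImageInfo);
            if (pImageInfoEx->Size != sizeof(IMAGE_INFO_EX))
            {
                ASSERT(FALSE);
                break;
            }

            // Author's note (2017-11-09): IoQueryFileDosDeviceName hung the
            // system from this callback; it would need a KeAreAllApcsDisabled()
            // check for disabled kernel APCs first. The filter-manager name
            // query is used instead.
            PFLT_FILE_NAME_INFORMATION FileNameInformation = NULL;
            status = FltGetFileNameInformationUnsafe(pImageInfoEx->FileObject, NULL, FLT_FILE_NAME_NORMALIZED | FLT_FILE_NAME_QUERY_DEFAULT, &FileNameInformation);
            if (NT_SUCCESS(status))
            {
                KdPrint(("%wZ\n", &FileNameInformation->Name));
                FltReleaseFileNameInformation(FileNameInformation);
            }
        }
#ifndef _WIN64
        else
        {
            // Fallback for systems without IMAGE_INFO_EX; 32-bit builds only.
            if (FullImageName == NULL || ProcessId == NULL)
            {
                if (FullImageName != NULL)
                {
                    KdPrint(("%wZ\n", FullImageName));
                }
                break;
            }

            // NOTE(review): this assumes that on those systems FullImageName
            // is the FileName member of the image's FILE_OBJECT, which is not
            // a documented contract. MmIsAddressValid only says the page is
            // mapped right now and the Type check only catches gross
            // mismatches; confirm against each supported OS before trusting it.
            PFILE_OBJECT pFileObject = CONTAINING_RECORD(FullImageName, FILE_OBJECT, FileName);
            if (!MmIsAddressValid(pFileObject) || pFileObject->Type != IO_TYPE_FILE)
            {
                KdPrint(("%wZ\n", FullImageName));
                break;
            }

            PUNICODE_STRING pName = SymbolicLinkDeviceObjectToVolume(pFileObject->DeviceObject, &pFileObject->FileName);
            if (pName)
            {
                KdPrint(("%wZ\n", pName));
                SafeFreeDelete(pName);
            }
        }
#endif
    } while (FALSE);
}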
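// Driver unload: unregister the image-load callback before this image is
// unmapped. Leaving it registered would make the kernel call into freed
// memory on the next image load.
VOID DriverUnload(IN PDRIVER_OBJECT DriverObject)
{
    UNREFERENCED_PARAMETER(DriverObject);

    NTSTATUS status = PsRemoveLoadImageNotifyRoutine(loadImageNotifyRoutine);
    ASSERT(NT_SUCCESS(status));
    UNREFERENCED_PARAMETER(status); // ASSERT compiles out in free builds
}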
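// Driver entry point: install the unload routine and register the
// image-load callback.
//
// Returns: the status of PsSetLoadImageNotifyRoutine, so a registration
//          failure unloads the driver instead of leaving an inert one loaded.
NTSTATUS DriverEntry(IN PDRIVER_OBJECT DriverObject, IN PUNICODE_STRING RegistryPath)
{
    NTSTATUS status;

    UNREFERENCED_PARAMETER(RegistryPath);

    DriverObject->DriverUnload = DriverUnload;

    // Only break when a kernel debugger is attached; an unconditional
    // DbgBreakPoint() bugchecks a machine that has none.
    if (!KD_DEBUGGER_NOT_PRESENT)
    {
        DbgBreakPoint();
    }

    status = PsSetLoadImageNotifyRoutine(loadImageNotifyRoutine);
    if (!NT_SUCCESS(status))
    {
        KdPrint(("PsSetLoadImageNotifyRoutine failed: 0x%08lX\n", status));
    }
    return status;
}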