Win64 驱动内核编程-14.回调监控文件
回调监控文件
使用 ObRegisterCallbacks 实现保护进程，其实稍微 PATCH 下内核，这个函数还能实现文件操作监视。但可惜只能在 WIN7X64 上用。因为在 WIN7X64 上 PATCH 对象结构的成员(ObjectType->TypeInfo.SupportsObjectCallbacks)是合法的，在 WIN8X64 以及之后系统上会触发 PATCHGUARD。但是经过实际测试，我手里的 Win7 64 是可以在不修改 myobtype->TypeInfo.SupportsObjectCallbacks = 1; 的前提下直接注册回调，但是 win8 64 不行，win8 64 修改了 myobtype->TypeInfo.SupportsObjectCallbacks = 1; 之后发现没有蓝屏并且目前可以成功进行回调处理(只测试了手里的一台 win8 64)。文件回调容易出问题，频率非常高。使用的时候建议使用成熟的文件过滤框架。
使用的时候和进程线程的回调句柄处理一样，需要修改标记使得无签名可以正常注册回调，然后再修改文件的 myobtype->TypeInfo.SupportsObjectCallbacks = 1; 然后再进行回调注册就行了。
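/* ---- File-scope state used by the registration fragment and the callback ---- */
PVOID obHandle;   // handle returned by ObRegisterCallbacks; NULL when nothing is registered
OB_PREOP_CALLBACK_STATUS preCall(PVOID RegistrationContext, POB_PRE_OPERATION_INFORMATION OperationInformation);

/* ---- Registration (注冊) ----
 * This fragment belongs inside the driver's initialisation routine; it assumes an
 * NTSTATUS `status` is declared by the enclosing function (the page does not show it). */
// init callbacks
OB_CALLBACK_REGISTRATION obReg;
OB_OPERATION_REGISTRATION opReg;
memset(&obReg, 0, sizeof(obReg));
obReg.Version = ObGetFilterVersion();
obReg.OperationRegistrationCount = 1;
obReg.RegistrationContext = NULL;
RtlInitUnicodeString(&obReg.Altitude, L"321000");
obReg.OperationRegistration = &opReg;
memset(&opReg, 0, sizeof(opReg));
opReg.ObjectType = IoFileObjectType;
opReg.Operations = OB_OPERATION_HANDLE_CREATE | OB_OPERATION_HANDLE_DUPLICATE;
opReg.PreOperation = (POB_PRE_OPERATION_CALLBACK)&preCall;
//opReg.PostOperation = (POB_POST_OPERATION_CALLBACK)&postCall; // not needed
// register callbacks
status = ObRegisterCallbacks(&obReg, &obHandle);
if (!NT_SUCCESS(status)) {
    // On failure the handle is not written; never hand an indeterminate value to ObUnRegisterCallbacks.
    obHandle = NULL;
}

/* ---- Unregistration (注銷) ---- */
if (obHandle != NULL) {
    ObUnRegisterCallbacks(obHandle);
    obHandle = NULL;
}

/* ---- Callback (回調(diào)函數(shù)) ---- */

/*
 * Case-insensitive equality between a counted UNICODE_STRING and a NUL-terminated literal.
 * FILE_OBJECT.FileName is a counted string and is not guaranteed to be NUL-terminated,
 * so the comparison is bounded by name->Length instead of using _wcsicmp on the buffer.
 */
static BOOLEAN NameEqualsInsensitive(PCUNICODE_STRING name, PCWSTR literal)
{
    UNICODE_STRING tmp;
    RtlInitUnicodeString(&tmp, literal);
    return RtlEqualUnicodeString(name, &tmp, TRUE);
}

/*
 * Case-insensitive substring search bounded by name->Length.
 * Replaces wcsstr(_wcslwr(buffer), ...): that form read past the counted length and,
 * worse, lower-cased the file object's name in place, changing what the file system sees.
 * The name is only read here; nothing is modified.
 */
static BOOLEAN NameContainsInsensitive(PCUNICODE_STRING name, PCWSTR needle)
{
    SIZE_T needleLen = wcslen(needle);
    SIZE_T nameLen = name->Length / sizeof(WCHAR);
    SIZE_T i;
    SIZE_T j;

    if (needleLen == 0) {
        return TRUE;
    }
    if (nameLen < needleLen) {
        return FALSE;
    }
    for (i = 0; i + needleLen <= nameLen; i++) {
        j = 0;
        while (j < needleLen &&
               RtlUpcaseUnicodeChar(name->Buffer[i + j]) == RtlUpcaseUnicodeChar(needle[j])) {
            j++;
        }
        if (j == needleLen) {
            return TRUE;
        }
    }
    return FALSE;
}

/*
 * Pre-operation callback for handle create/duplicate on File objects.
 *
 * RegistrationContext   - unused (registered as NULL above).
 * OperationInformation  - describes the object and the requested access; the callback
 *                         may only shrink DesiredAccess, which is what the block below does.
 * Returns OB_PREOP_SUCCESS in every case; access is denied by zeroing DesiredAccess, not
 * by a return code.
 */
OB_PREOP_CALLBACK_STATUS preCall(PVOID RegistrationContext, POB_PRE_OPERATION_INFORMATION OperationInformation)
{
    UNICODE_STRING DosName;
    PFILE_OBJECT fileo = OperationInformation->Object;
    HANDLE CurrentProcessId = PsGetCurrentProcessId();
    NTSTATUS nameStatus;

    UNREFERENCED_PARAMETER(RegistrationContext);

    if (OperationInformation->ObjectType != *IoFileObjectType) {
        return OB_PREOP_SUCCESS;
    }

    // Filter invalid pointers (best effort). MmIsAddressValid only says a read would not
    // fault right now; it does not prove the buffer holds a well-formed name.
    if (fileo->FileName.Buffer == NULL || !MmIsAddressValid(fileo->FileName.Buffer) ||
        fileo->DeviceObject == NULL || !MmIsAddressValid(fileo->DeviceObject)) {
        return OB_PREOP_SUCCESS;
    }

    // Filter names that carry no usable path.
    // NOTE(review): the page shows the second literal as L"?"; this may be an extraction
    // artifact of the original source — confirm against the original listing.
    if (NameEqualsInsensitive(&fileo->FileName, L"\\Endpoint") ||
        NameEqualsInsensitive(&fileo->FileName, L"?") ||
        NameEqualsInsensitive(&fileo->FileName, L"\\.\\.") ||
        NameEqualsInsensitive(&fileo->FileName, L"\\")) {
        return OB_PREOP_SUCCESS;
    }

    // Deny access to the watched file. A substring match also hits any path that merely
    // contains "xxxx.txt"; DesiredAccess = 0 makes the create/duplicate fail for the caller.
    if (NameContainsInsensitive(&fileo->FileName, L"xxxx.txt")) {
        if (OperationInformation->Operation == OB_OPERATION_HANDLE_CREATE) {
            OperationInformation->Parameters->CreateHandleInformation.DesiredAccess = 0;
        }
        if (OperationInformation->Operation == OB_OPERATION_HANDLE_DUPLICATE) {
            OperationInformation->Parameters->DuplicateHandleInformation.DesiredAccess = 0;
        }
    }

    // RtlVolumeDeviceToDosName allocates DosName.Buffer from pool; it must be released
    // with ExFreePool, and DosName is indeterminate when the call fails.
    nameStatus = RtlVolumeDeviceToDosName(fileo->DeviceObject, &DosName);
    if (NT_SUCCESS(nameStatus)) {
        // %lu with HandleToULong replaces the original %ld/ULONG64 mismatch.
        DbgPrint("[FILE_MONITOR_X64][PID]%lu [File]%wZ%wZ\n",
                 HandleToULong(CurrentProcessId), &DosName, &fileo->FileName);
        ExFreePool(DosName.Buffer);
    } else {
        DbgPrint("[FILE_MONITOR_X64][PID]%lu [File]%wZ\n",
                 HandleToULong(CurrentProcessId), &fileo->FileName);
    }
    return OB_PREOP_SUCCESS;
}

/* ---- Structures used to reach the type flag (文件標(biāo)記處理相關(guān)結(jié)構(gòu)體) ----
 * These mirror undocumented kernel layouts; the offsets are the ones the page gives
 * (Win7 x64). They are not stable across builds — verify with the target's symbols
 * before writing through them. */
typedef struct _OBJECT_TYPE_INITIALIZER // 25 elements, 0x70 bytes (sizeof)
{
    /*0x000*/ UINT16 Length;
    union // 2 elements, 0x1 bytes (sizeof)
    {
        /*0x002*/ UINT8 ObjectTypeFlags;
        struct // 7 elements, 0x1 bytes (sizeof)
        {
            /*0x002*/ UINT8 CaseInsensitive : 1;          // 0 BitPosition
            /*0x002*/ UINT8 UnnamedObjectsOnly : 1;       // 1 BitPosition
            /*0x002*/ UINT8 UseDefaultObject : 1;         // 2 BitPosition
            /*0x002*/ UINT8 SecurityRequired : 1;         // 3 BitPosition
            /*0x002*/ UINT8 MaintainHandleCount : 1;      // 4 BitPosition
            /*0x002*/ UINT8 MaintainTypeList : 1;         // 5 BitPosition
            /*0x002*/ UINT8 SupportsObjectCallbacks : 1;  // 6 BitPosition
        };
    };
    /*0x004*/ ULONG32 ObjectTypeCode;
    /*0x008*/ ULONG32 InvalidAttributes;
    /*0x00C*/ struct _GENERIC_MAPPING GenericMapping;    // 4 elements, 0x10 bytes (sizeof)
    /*0x01C*/ ULONG32 ValidAccessMask;
    /*0x020*/ ULONG32 RetainAccess;
    /*0x024*/ enum _POOL_TYPE PoolType;
    /*0x028*/ ULONG32 DefaultPagedPoolCharge;
    /*0x02C*/ ULONG32 DefaultNonPagedPoolCharge;
    /*0x030*/ PVOID DumpProcedure;
    /*0x038*/ PVOID OpenProcedure;
    /*0x040*/ PVOID CloseProcedure;
    /*0x048*/ PVOID DeleteProcedure;
    /*0x050*/ PVOID ParseProcedure;
    /*0x058*/ PVOID SecurityProcedure;
    /*0x060*/ PVOID QueryNameProcedure;
    /*0x068*/ PVOID OkayToCloseProcedure;
} OBJECT_TYPE_INITIALIZER, *POBJECT_TYPE_INITIALIZER;

typedef struct _EX_PUSH_LOCK // 7 elements, 0x8 bytes (sizeof)
{
    union // 3 elements, 0x8 bytes (sizeof)
    {
        struct // 5 elements, 0x8 bytes (sizeof)
        {
            /*0x000*/ UINT64 Locked : 1;          // 0 BitPosition
            /*0x000*/ UINT64 Waiting : 1;         // 1 BitPosition
            /*0x000*/ UINT64 Waking : 1;          // 2 BitPosition
            /*0x000*/ UINT64 MultipleShared : 1;  // 3 BitPosition
            /*0x000*/ UINT64 Shared : 60;         // 4 BitPosition
        };
        /*0x000*/ UINT64 Value;
        /*0x000*/ VOID* Ptr;
    };
} EX_PUSH_LOCK, *PEX_PUSH_LOCK;

typedef struct _MY_OBJECT_TYPE // 12 elements, 0xD0 bytes (sizeof)
{
    /*0x000*/ struct _LIST_ENTRY TypeList;               // 2 elements, 0x10 bytes (sizeof)
    /*0x010*/ struct _UNICODE_STRING Name;               // 3 elements, 0x10 bytes (sizeof)
    /*0x020*/ VOID* DefaultObject;
    /*0x028*/ UINT8 Index;
    /*0x029*/ UINT8 _PADDING0_[0x3];
    /*0x02C*/ ULONG32 TotalNumberOfObjects;
    /*0x030*/ ULONG32 TotalNumberOfHandles;
    /*0x034*/ ULONG32 HighWaterNumberOfObjects;
    /*0x038*/ ULONG32 HighWaterNumberOfHandles;
    /*0x03C*/ UINT8 _PADDING1_[0x4];
    /*0x040*/ struct _OBJECT_TYPE_INITIALIZER TypeInfo;  // 25 elements, 0x70 bytes (sizeof)
    /*0x0B0*/ struct _EX_PUSH_LOCK TypeLock;             // 7 elements, 0x8 bytes (sizeof)
    /*0x0B8*/ ULONG32 Key;
    /*0x0BC*/ UINT8 _PADDING2_[0x4];
    /*0x0C0*/ struct _LIST_ENTRY CallbackList;           // 2 elements, 0x10 bytes (sizeof)
} MY_OBJECT_TYPE, *PMY_OBJECT_TYPE;

/* ---- Flag handling (處理文件標(biāo)記) ----
 * Sets SupportsObjectCallbacks on an object type so ObRegisterCallbacks accepts it.
 * This writes an undocumented structure through the layout above; as the page notes,
 * it is tolerated on Win7 x64 and is the kind of modification PatchGuard checks for
 * on later systems. */
VOID EnableObType(POBJECT_TYPE ObjectType)
{
    PMY_OBJECT_TYPE myobtype = (PMY_OBJECT_TYPE)ObjectType;
    myobtype->TypeInfo.SupportsObjectCallbacks = 1;
}

EnableObType(*IoFileObjectType);

/* Results (結(jié)果): Win7 64 */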
?
Win8 64
?
?
总结