windows驅動寫日誌
阿新 • • 發佈:2018-12-14
如何在 Windows 驅動的 READ 及 WRITE 回呼(WRITE 部分的程式碼沒有貼出)中寫日誌;以下程式碼可以直接執行,在 Win7 32 位上執行沒有問題。
希望對大家有用
https://blog.csdn.net/feixi7358/article/details/84984154?tdsourcetag=s_pcqq_aiomsg
stdafx.h
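#pragma once

#ifndef _WIN32_WINNT            // Allow use of features specific to Windows XP or later.
#define _WIN32_WINNT 0x0501     // Change this to the appropriate value to target other versions of Windows.
#endif

#ifdef __cplusplus
extern "C" {
#endif
#include <fltKernel.h>
#include <ntddk.h>
#include <ntddstor.h>
#include <mountdev.h>
#include <ntddvol.h>
#ifdef __cplusplus
}
#endif

/*
 * One queued log record. preRead allocates a node, fills msg and links it
 * into HidePathListHeader; ThreadProc unlinks it, writes msg to the log file
 * and frees it.
 *
 * About xxPath: the original preRead copies log_msg.Length bytes (the byte
 * length of the message text) starting at the UNICODE_STRING *header* of
 * log_msg into msg, which is only sizeof(UNICODE_STRING) bytes wide; the
 * excess lands in this array. That is presumably why the driver faults when
 * the field is removed. A node that owns its text should instead point
 * msg.Buffer at xxPath and bound the copy by sizeof(xxPath).
 */
typedef struct _HIDE_PATH_LIST {
    LIST_ENTRY     listNode;     // link in HidePathListHeader
    UNICODE_STRING msg;          // text written to the log for this record
    CHAR           xxPath[256];  // see note above; usable as msg's backing store
} LOG_LIST, *PLOG_LIST;

/* Pre-operation callback for IRP_MJ_READ; queues a record for ThreadProc. */
FLT_PREOP_CALLBACK_STATUS preRead(
    __inout PFLT_CALLBACK_DATA Data,
    __in PCFLT_RELATED_OBJECTS FltObjects,
    __deref_out_opt PVOID *CompletionContext
    );

/* Filter-manager unload callback. */
NTSTATUS FilterUnload(
    __in FLT_FILTER_UNLOAD_FLAGS Flags
    );

/*
 * Logger thread body. It is passed to PsCreateSystemThread through a cast to
 * PKSTART_ROUTINE, whose real signature takes a PVOID start context; the
 * context is never used by ThreadProc.
 */
VOID ThreadProc(void);

/* Creates the logger thread that runs ThreadProc. */
VOID StartThread(void);

/*
 * NOTE: Callbacks and FilterRegistration are *defined* (not just declared)
 * here, so this header may be included from exactly one translation unit;
 * a second inclusion produces duplicate definitions at link time.
 */

/* Only reads are filtered; every other major function passes through. */
CONST FLT_OPERATION_REGISTRATION Callbacks[] = {
    { IRP_MJ_READ,
      0,
      preRead,
      NULL },

    { IRP_MJ_OPERATION_END }
};

CONST FLT_REGISTRATION FilterRegistration = {
    sizeof( FLT_REGISTRATION ),         // Size
    FLT_REGISTRATION_VERSION,           // Version
    0,                                  // Flags
    NULL,                               // Context
    Callbacks,                          // Operation callbacks
    FilterUnload,                       // MiniFilterUnload
    NULL,                               // InstanceSetup
    NULL,                               // InstanceQueryTeardown
    NULL,                               // InstanceTeardownStart
    NULL,                               // InstanceTeardownComplete
    NULL,                               // GenerateFileName
    NULL,                               // GenerateDestinationFileName
    NULL                                // NormalizeNameComponent
};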
writelog.cpp,我用的是 minifilter 過濾框架,但在寫檔案時用的是 Zw- 開頭的函式,會引起重入,所以只監控了 D 盤,而把日誌寫在 C 盤,藉此避免重入;但最好的做法是改用 minifilter 的 API,即 Flt 開頭的函式。
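#include "stdafx.h"

#ifdef __cplusplus
extern "C" NTSTATUS DriverEntry(IN PDRIVER_OBJECT DriverObject, IN PUNICODE_STRING RegistryPath);
#endif

// Pool tag for queue nodes (constructed value) so leaks show up in pool tooling.
#define LOG_POOL_TAG 'golW'

// Queue of pending log records: filled by preRead, drained by ThreadProc.
LIST_ENTRY HidePathListHeader;
// Guards HidePathListHeader. preRead runs in arbitrary thread context and
// can run concurrently with ThreadProc, so every insert/remove must go
// through the ExInterlocked* helpers with this lock (the original inserted
// and removed without it).
KSPIN_LOCK HidePathListLock;
// minifilter handle
PFLT_FILTER gFilterHandle;
// Signalled by preRead whenever a record has been queued.
KEVENT s_Event;
// Cleared to make ThreadProc leave its loop.
BOOLEAN FLAG = TRUE;
// Thread object of the logger thread. Referenced in StartThread and waited
// on before the driver goes away, so the image is never unmapped while the
// thread still executes code in it.
PKTHREAD gLogThread = NULL;

/*
 * Ask ThreadProc to exit and, when we hold a reference to it, block until it
 * has. Setting FLAG alone is not enough: the thread sits in
 * KeWaitForSingleObject(&s_Event) and would never look at FLAG again.
 */
static VOID StopLogThread(void)
{
    FLAG = FALSE;
    KeSetEvent(&s_Event, IO_NO_INCREMENT, FALSE);
    if (gLogThread == NULL) {
        // Best effort only: no reference means nothing to wait on.
        return;
    }
    KeWaitForSingleObject(gLogThread, Executive, KernelMode, FALSE, NULL);
    ObDereferenceObject(gLogThread);
    gLogThread = NULL;
}

#ifdef __cplusplus
extern "C" {
#endif

/*
 * Driver entry point.
 *
 * Registers the minifilter, starts the logger thread and only then starts
 * filtering. Returns the failing NTSTATUS on error after undoing whatever
 * was set up; the original returned STATUS_SUCCESS even when registration
 * failed, leaving a loaded driver with no filter and no unload path.
 */
NTSTATUS DriverEntry(IN PDRIVER_OBJECT DriverObject, IN PUNICODE_STRING RegistryPath)
{
    NTSTATUS status;

    UNREFERENCED_PARAMETER(RegistryPath);
    KdPrint(("DriverEntry \n"));

    InitializeListHead(&HidePathListHeader);
    KeInitializeSpinLock(&HidePathListLock);
    // The event must exist before FltStartFiltering: once filtering starts,
    // preRead may run on any thread and call KeSetEvent on it.
    KeInitializeEvent(&s_Event, SynchronizationEvent, FALSE);

    // register
    status = FltRegisterFilter(DriverObject, &FilterRegistration, &gFilterHandle);
    if (!NT_SUCCESS(status)) {
        KdPrint(("FltRegisterFilter failed: 0x%08X\n", status));
        return status;
    }

    // Start the writer before filtering so queued records are always drained.
    StartThread();
    if (gLogThread == NULL) {
        // Either no thread was created or it could not be referenced;
        // without a writer, records would pile up in the queue for ever.
        StopLogThread();
        FltUnregisterFilter(gFilterHandle);
        gFilterHandle = NULL;
        return STATUS_UNSUCCESSFUL;
    }

    // start filtering
    status = FltStartFiltering(gFilterHandle);
    if (!NT_SUCCESS(status)) {
        KdPrint(("FltStartFiltering failed: 0x%08X\n", status));
        FltUnregisterFilter(gFilterHandle);
        gFilterHandle = NULL;
        StopLogThread();
        return status;
    }

    return STATUS_SUCCESS;
}

#ifdef __cplusplus
}  // extern "C"
#endif

/*
 * Unload callback.
 *
 * Unregisters first so no further preRead callback can queue a record, then
 * stops the logger thread and waits for it. The original only cleared FLAG,
 * leaving the thread blocked on s_Event inside an image about to be unmapped.
 */
NTSTATUS FilterUnload(__in FLT_FILTER_UNLOAD_FLAGS Flags)
{
    UNREFERENCED_PARAMETER(Flags);

    FltUnregisterFilter(gFilterHandle);
    gFilterHandle = NULL;
    StopLogThread();

    KdPrint(("解除安裝成功\n"));
    return STATUS_SUCCESS;
}

/*
 * Copy *msg into a freshly allocated queue node and hand it to ThreadProc.
 *
 * The node owns its text: msg.Buffer points into the node's own xxPath and
 * the copy is bounded by sizeof(xxPath), so neither the caller's string
 * lifetime nor the message length can corrupt the node. A failed allocation
 * drops the record instead of dereferencing NULL.
 */
static VOID QueueLogRecord(PCUNICODE_STRING msg)
{
    PLOG_LIST node = (PLOG_LIST)ExAllocatePoolWithTag(NonPagedPool, sizeof(LOG_LIST), LOG_POOL_TAG);
    if (node == NULL) {
        KdPrint(("佇列申請失敗 \n"));
        return;
    }
    RtlZeroMemory(node, sizeof(LOG_LIST));

    node->msg.Buffer = (PWCH)node->xxPath;
    node->msg.MaximumLength = sizeof(node->xxPath);
    node->msg.Length = 0;
    // RtlCopyUnicodeString truncates at MaximumLength, so an over-long
    // message can never run past xxPath.
    RtlCopyUnicodeString(&node->msg, msg);

    ExInterlockedInsertTailList(&HidePathListHeader, &node->listNode, &HidePathListLock);  // append at tail
    KeSetEvent(&s_Event, IO_NO_INCREMENT, FALSE);
}

/*
 * Pre-read callback.
 *
 * For reads of files under Directory_Of_Bait_files, queues log_msg for the
 * logger thread. Paging I/O is passed through untouched: querying the file
 * name from the paging path can re-enter the filter or page while paging is
 * in progress. Always returns FLT_PREOP_SUCCESS_NO_CALLBACK.
 */
FLT_PREOP_CALLBACK_STATUS preRead(
    __inout PFLT_CALLBACK_DATA Data,
    __in PCFLT_RELATED_OBJECTS FltObjects,
    __deref_out_opt PVOID *CompletionContext
    )
{
    NTSTATUS status;
    PFLT_FILE_NAME_INFORMATION nameInfo = NULL;
    UNICODE_STRING Directory_Of_Bait_files;
    UNICODE_STRING log_msg;

    UNREFERENCED_PARAMETER(FltObjects);
    UNREFERENCED_PARAMETER(CompletionContext);

    if (FlagOn(Data->Iopb->IrpFlags, IRP_PAGING_IO)) {
        return FLT_PREOP_SUCCESS_NO_CALLBACK;
    }

    PAGED_CODE();

    __try {
        status = FltGetFileNameInformation(Data,
                                           FLT_FILE_NAME_NORMALIZED | FLT_FILE_NAME_QUERY_DEFAULT,
                                           &nameInfo);
        if (NT_SUCCESS(status)) {
            FltParseFileNameInformation(nameInfo);

            RtlInitUnicodeString(&Directory_Of_Bait_files, L"\\Device\\HarddiskVolume3\\");
            // Text of the record; the original comment says this is meant to
            // become the process name, but a constant is logged as written.
            RtlInitUnicodeString(&log_msg, L"\\Device\\HarddiskVolume3\\\r\n");

            if (RtlPrefixUnicodeString(&Directory_Of_Bait_files, &nameInfo->Name, TRUE)) {
                QueueLogRecord(&log_msg);
            }

            FltReleaseFileNameInformation(nameInfo);
        }
    } __except (EXCEPTION_EXECUTE_HANDLER) {
        DbgPrint("NPPreCreate EXCEPTION_EXECUTE_HANDLER\n");
    }

    return FLT_PREOP_SUCCESS_NO_CALLBACK;
}

/*
 * Pop every queued record and append its text (UTF-16 bytes, as before) to
 * the log file described by objectAttributes.
 *
 * The file is opened, written and closed per record, as in the original. A
 * failure to open the log now drops that one record; the original returned
 * from the thread, leaking the node and leaving the queue unserviced for the
 * rest of the driver's life.
 */
static VOID DrainLogQueue(POBJECT_ATTRIBUTES objectAttributes)
{
    PLIST_ENTRY entry;

    while ((entry = ExInterlockedRemoveHeadList(&HidePathListHeader, &HidePathListLock)) != NULL) {
        PLOG_LIST record = CONTAINING_RECORD(entry, LOG_LIST, listNode);
        IO_STATUS_BLOCK iostatus;
        HANDLE hfile = NULL;
        NTSTATUS status;

        status = ZwCreateFile(&hfile,
                              FILE_APPEND_DATA,
                              objectAttributes,
                              &iostatus,
                              NULL,
                              FILE_ATTRIBUTE_NORMAL,
                              FILE_SHARE_READ,
                              FILE_OPEN_IF,                 // open if present, else create
                              FILE_SYNCHRONOUS_IO_NONALERT,
                              NULL,
                              0);
        if (NT_SUCCESS(status)) {
            KdPrint(("msg = %wZ\n", &record->msg));
            status = ZwWriteFile(hfile, NULL, NULL, NULL, &iostatus,
                                 record->msg.Buffer, record->msg.Length, NULL, NULL);
            if (!NT_SUCCESS(status)) {
                KdPrint(("ZwWriteFile failed: 0x%08X\n", status));
            }
            ZwClose(hfile);
        } else {
            KdPrint(("The file is not exist!\n"));
        }

        ExFreePoolWithTag(record, LOG_POOL_TAG);
    }
}

/*
 * Logger thread body.
 *
 * Waits on s_Event, drains the queue, and repeats until FLAG is cleared. The
 * drain happens before the FLAG test so a final wake-up from StopLogThread
 * still flushes whatever was queued last.
 */
VOID ThreadProc()
{
    OBJECT_ATTRIBUTES objectAttributes;
    UNICODE_STRING logFileUnicodeString;

    DbgPrint("CreateThread Successfully\n");

    RtlInitUnicodeString(&logFileUnicodeString, L"\\??\\C:\\1.LOG");
    // OBJ_CASE_INSENSITIVE: the name lookup ignores case (the original
    // comment said the opposite). OBJ_KERNEL_HANDLE: the handle lives in the
    // kernel handle table rather than the System process's table.
    InitializeObjectAttributes(&objectAttributes,
                               &logFileUnicodeString,
                               OBJ_CASE_INSENSITIVE | OBJ_KERNEL_HANDLE,
                               NULL,
                               NULL);

    do {
        KeWaitForSingleObject(&s_Event, Executive, KernelMode, FALSE, NULL);
        DrainLogQueue(&objectAttributes);
    } while (FLAG);

    KdPrint(("執行緒函式結束\n"));
    // terminate ourselves
    PsTerminateSystemThread(STATUS_SUCCESS);
}

/*
 * Create the logger thread in the System process.
 *
 * On success gLogThread holds a referenced thread object so the driver can
 * wait for the thread before unloading; the handle itself is closed here.
 * On failure nothing is closed (the original called ZwClose on a NULL
 * handle) and gLogThread stays NULL, which DriverEntry treats as an error.
 */
VOID StartThread()
{
    NTSTATUS status;
    HANDLE hThread = NULL;

    status = PsCreateSystemThread(&hThread,
                                  (ACCESS_MASK)THREAD_ALL_ACCESS,
                                  NULL,
                                  NULL,                     // NULL: address space of the System process
                                  NULL,
                                  (PKSTART_ROUTINE)ThreadProc,
                                  NULL);                    // StartContext, unused by ThreadProc
    if (!NT_SUCCESS(status)) {
        KdPrint(("建立失敗 \n"));
        return;
    }
    KdPrint(("建立成功 \n"));

    status = ObReferenceObjectByHandle(hThread,
                                       THREAD_ALL_ACCESS,
                                       *PsThreadType,
                                       KernelMode,
                                       (PVOID *)&gLogThread,
                                       NULL);
    if (!NT_SUCCESS(status)) {
        KdPrint(("ObReferenceObjectByHandle failed: 0x%08X\n", status));
        gLogThread = NULL;
    }

    ZwClose(hThread);
}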
1.LOG中的內容
\Device\HarddiskVolume3\ \Device\HarddiskVolume3\ \Device\HarddiskVolume3\ \Device\HarddiskVolume3\ \Device\HarddiskVolume3\ \Device\HarddiskVolume3\ \Device\HarddiskVolume3\ \Device\HarddiskVolume3\ \Device\HarddiskVolume3\ \Device\HarddiskVolume3\ \Device\HarddiskVolume3\ \Device\HarddiskVolume3\ \Device\HarddiskVolume3\ \Device\HarddiskVolume3\ \Device\HarddiskVolume3\ \Device\HarddiskVolume3\ \Device\HarddiskVolume3\ \Device\HarddiskVolume3\ \Device\HarddiskVolume3\ \Device\HarddiskVolume3\ \Device\HarddiskVolume3\ \Device\HarddiskVolume3\ \Device\HarddiskVolume3\ \Device\HarddiskVolume3\ \Device\HarddiskVolume3\ \Device\HarddiskVolume3\ \Device\HarddiskVolume3\ \Device\HarddiskVolume3\ \Device\HarddiskVolume3\ \Device\HarddiskVolume3\ \Device\HarddiskVolume3\ \Device\HarddiskVolume3\ \Device\HarddiskVolume3\ \Device\HarddiskVolume3\ \Device\HarddiskVolume3\ \Device\HarddiskVolume3\ \Device\HarddiskVolume3\ \Device\HarddiskVolume3\ \Device\HarddiskVolume3\ \Device\HarddiskVolume3\ \Device\HarddiskVolume3\ \Device\HarddiskVolume3\ \Device\HarddiskVolume3\ \Device\HarddiskVolume3\ \Device\HarddiskVolume3\ \Device\HarddiskVolume3\ \Device\HarddiskVolume3\ \Device\HarddiskVolume3\ \Device\HarddiskVolume3\ \Device\HarddiskVolume3\ \Device\HarddiskVolume3\ \Device\HarddiskVolume3\ \Device\HarddiskVolume3\ \Device\HarddiskVolume3\ \Device\HarddiskVolume3\ \Device\HarddiskVolume3\ \Device\HarddiskVolume3\ \Device\HarddiskVolume3\ \Device\HarddiskVolume3\ \Device\HarddiskVolume3\ \Device\HarddiskVolume3\ \Device\HarddiskVolume3\ \Device\HarddiskVolume3\ \Device\HarddiskVolume3\ \Device\HarddiskVolume3\ \Device\HarddiskVolume3\ \Device\HarddiskVolume3\ \Device\HarddiskVolume3\ \Device\HarddiskVolume3\ \Device\HarddiskVolume3\ \Device\HarddiskVolume3\ \Device\HarddiskVolume3\ \Device\HarddiskVolume3\ \Device\HarddiskVolume3\ \Device\HarddiskVolume3\ \Device\HarddiskVolume3\ \Device\HarddiskVolume3\ \Device\HarddiskVolume3\ \Device\HarddiskVolume3\ \Device\HarddiskVolume3\ 
\Device\HarddiskVolume3\ \Device\HarddiskVolume3\ \Device\HarddiskVolume3\ \Device\HarddiskVolume3\ \Device\HarddiskVolume3\ \Device\HarddiskVolume3\ \Device\HarddiskVolume3\ \Device\HarddiskVolume3\ \Device\HarddiskVolume3\ \Device\HarddiskVolume3\ \Device\HarddiskVolume3\ \Device\HarddiskVolume3\ \Device\HarddiskVolume3\ \Device\HarddiskVolume3\ \Device\HarddiskVolume3\ \Device\HarddiskVolume3\ \Device\HarddiskVolume3\ \Device\HarddiskVolume3\
希望對大家有幫助,只做有用的,不做垃圾;
要轉載的話請標明出處 https://blog.csdn.net/feixi7358/article/details/84984154?tdsourcetag=s_pcqq_aiomsg