我的Windows 7x64文件系统minifilter驱动程序必须拒绝访问某些文件。我得到它,但相关的应用程序仍然有效。我想用这个应用程序终止进程。例如,当用户尝试打开* .txt文件时,必须关闭文件和记事本的关联副本。我使用了WDK(Minispy)中的示例,并使用了ZwTerminateProcess和PsGetCurrentProcessId。现在,当用户进入监控目录时,我的minifilter关闭explorer.exe。示例代码:
minispy.c ...
NTSTATUS TermFunction( HANDLE ProcessID )
{
NTSTATUS ntStatus = STATUS_SUCCESS;
HANDLE hProcess;
OBJECT_ATTRIBUTES ObjectAttributes;
CLIENT_ID ClientId;
DbgPrint( "drvTerminateProcess( %u )", ProcessID );
InitializeObjectAttributes( &ObjectAttributes, NULL, OBJ_INHERIT, NULL, NULL );
ClientId.UniqueProcess = (HANDLE)ProcessID;
ClientId.UniqueThread = NULL;
__try
{
ntStatus = ZwOpenProcess( &hProcess, PROCESS_ALL_ACCESS, &ObjectAttributes, &ClientId );
if( NT_SUCCESS(ntStatus) )
{
ntStatus = ZwTerminateProcess( hProcess, 0 );
if( !NT_SUCCESS(ntStatus) )
DbgPrint( "ZwTerminateProcess failed with status : %08X\n", ntStatus );
ZwClose( hProcess );
}
else
DbgPrint( "ZwOpenProcess failed with status : %08X\n", ntStatus );
}
__except( EXCEPTION_EXECUTE_HANDLER )
{
ntStatus = STATUS_UNSUCCESSFUL;
DbgPrint( "Exception caught in drvTerminateProcess()" );
}
return ntStatus;
}
...
FLT_PREOP_CALLBACK_STATUS
SpyPreOperationCallback (
_Inout_ PFLT_CALLBACK_DATA Data,
_In_ PCFLT_RELATED_OBJECTS FltObjects,
_Flt_CompletionContext_Outptr_ PVOID *CompletionContext
)
{
UNICODE_STRING old_name;
PUNICODE_STRING new_old_name;
...
if (NT_SUCCESS( status )) {
nameToUse = &nameInfo->Name;
//
// Parse the name if requested
//
//Start of My func
RtlInitUnicodeString( &old_name, L"\\Device\\HarddiskVolume2\\secretfile.txt" );
new_old_name = &old_name;
if(RtlCompareUnicodeString(nameToUse, new_old_name, FALSE) == 0){
Data->IoStatus.Status = STATUS_ACCESS_DENIED;
TermFunction(PsGetCurrentProcessId);
return FLT_PREOP_COMPLETE;
}
...
}
....
}
有什么想法吗? (对不起,如果我的英语不好)