├── FileLogger Package ├── FileLogger Package.vcxproj └── FileLogger Package.vcxproj.filters ├── FileLogger.opensdf ├── FileLogger.sln ├── FileLogger ├── Container.c ├── Container.h ├── FileLogger.aps ├── FileLogger.c ├── FileLogger.inf ├── FileLogger.rc ├── FileLogger.vcxproj ├── FileLogger.vcxproj.filters ├── FileLogger.vcxproj.user ├── FileLoggerData.c ├── FileLoggerData.h ├── FileLoggerFilter.c ├── FileLoggerFilter.h ├── FileLoggerFunction.c ├── FileLoggerFunction.h ├── HashFunction.c ├── HashFunction.h ├── StringHashMap.c └── StringHashMap.h ├── README.md ├── Win7Debug ├── FileLogger.cer ├── FileLogger.inf └── FileLogger.sys ├── Win8.1Debug ├── FileLogger.cer ├── FileLogger.inf └── FileLogger.sys └── x64 └── Win7Debug └── FileLogger.inf /FileLogger Package/FileLogger Package.vcxproj: -------------------------------------------------------------------------------- 1 |  2 | 3 | 4 | 5 | Win8.1 Debug 6 | Win32 7 | 8 | 9 | Win8.1 Release 10 | Win32 11 | 12 | 13 | Win8 Debug 14 | Win32 15 | 16 | 17 | Win8 Release 18 | Win32 19 | 20 | 21 | Win7 Debug 22 | Win32 23 | 24 | 25 | Win7 Release 26 | Win32 27 | 28 | 29 | Win8.1 Debug 30 | x64 31 | 32 | 33 | Win8.1 Release 34 | x64 35 | 36 | 37 | Win8 Debug 38 | x64 39 | 40 | 41 | Win8 Release 42 | x64 43 | 44 | 45 | Win7 Debug 46 | x64 47 | 48 | 49 | Win7 Release 50 | x64 51 | 52 | 53 | 54 | {759923EF-CE8A-4498-A548-82930EA3C577} 55 | {4605da2c-74a5-4865-98e1-152ef136825f} 56 | v4.5 57 | 11.0 58 | Win8.1 Debug 59 | Win32 60 | FileLogger_Package 61 | 62 | 63 | 64 | WindowsV6.3 65 | true 66 | WindowsKernelModeDriver8.1 67 | Utility 68 | Package 69 | true 70 | 71 | 72 | WindowsV6.3 73 | false 74 | WindowsKernelModeDriver8.1 75 | Utility 76 | Package 77 | true 78 | 79 | 80 | Windows8 81 | true 82 | WindowsKernelModeDriver8.1 83 | Utility 84 | Package 85 | true 86 | 87 | 88 | Windows8 89 | false 90 | WindowsKernelModeDriver8.1 91 | Utility 92 | Package 93 | true 94 | 95 | 96 | Windows7 97 | true 98 | WindowsKernelModeDriver8.1 
99 | Utility 100 | Package 101 | true 102 | 103 | 104 | Windows7 105 | false 106 | WindowsKernelModeDriver8.1 107 | Utility 108 | Package 109 | true 110 | 111 | 112 | WindowsV6.3 113 | true 114 | WindowsKernelModeDriver8.1 115 | Utility 116 | Package 117 | true 118 | 119 | 120 | WindowsV6.3 121 | false 122 | WindowsKernelModeDriver8.1 123 | Utility 124 | Package 125 | true 126 | 127 | 128 | Windows8 129 | true 130 | WindowsKernelModeDriver8.1 131 | Utility 132 | Package 133 | true 134 | 135 | 136 | Windows8 137 | false 138 | WindowsKernelModeDriver8.1 139 | Utility 140 | Package 141 | true 142 | 143 | 144 | Windows7 145 | true 146 | WindowsKernelModeDriver8.1 147 | Utility 148 | Package 149 | true 150 | 151 | 152 | Windows7 153 | false 154 | WindowsKernelModeDriver8.1 155 | Utility 156 | Package 157 | true 158 | 159 | 160 | 161 | 162 | 163 | 164 | 165 | 166 | 167 | 168 | DbgengKernelDebugger 169 | False 170 | True 171 | 172 | 173 | 174 | False 175 | False 176 | True 177 | 178 | 133563 179 | 180 | 181 | DbgengKernelDebugger 182 | False 183 | True 184 | 185 | 186 | 187 | False 188 | False 189 | True 190 | 191 | 133563 192 | 193 | 194 | DbgengKernelDebugger 195 | False 196 | True 197 | 198 | 199 | 200 | False 201 | False 202 | True 203 | 204 | 133563 205 | 206 | 207 | DbgengKernelDebugger 208 | False 209 | True 210 | 211 | 212 | 213 | False 214 | False 215 | True 216 | 217 | 133563 218 | 219 | 220 | DbgengKernelDebugger 221 | False 222 | True 223 | 224 | 225 | 226 | False 227 | False 228 | True 229 | 230 | 133563 231 | 232 | 233 | DbgengKernelDebugger 234 | False 235 | True 236 | 237 | 238 | 239 | False 240 | False 241 | True 242 | 243 | 133563 244 | 245 | 246 | DbgengKernelDebugger 247 | False 248 | True 249 | 250 | 251 | 252 | False 253 | False 254 | True 255 | 256 | 133563 257 | 258 | 259 | DbgengKernelDebugger 260 | False 261 | True 262 | 263 | 264 | 265 | False 266 | False 267 | True 268 | 269 | 133563 270 | 271 | 272 | DbgengKernelDebugger 273 | False 274 | True 
275 | 276 | 277 | 278 | False 279 | False 280 | True 281 | 282 | 133563 283 | 284 | 285 | DbgengKernelDebugger 286 | False 287 | True 288 | 289 | 290 | 291 | False 292 | False 293 | True 294 | 295 | 133563 296 | 297 | 298 | DbgengKernelDebugger 299 | False 300 | True 301 | 302 | 303 | 304 | False 305 | False 306 | True 307 | 308 | 133563 309 | 310 | 311 | DbgengKernelDebugger 312 | False 313 | True 314 | 315 | 316 | 317 | False 318 | False 319 | True 320 | 321 | 133563 322 | 323 | 324 | 325 | 326 | 327 | 328 | {463f5cf6-1142-483f-bce6-1add297c1c16} 329 | 330 | 331 | 332 | 333 | 334 | -------------------------------------------------------------------------------- /FileLogger Package/FileLogger Package.vcxproj.filters: -------------------------------------------------------------------------------- 1 |  2 | 3 | 4 | 5 | {8E41214B-6785-4CFE-B992-037D68949A14} 6 | inf;inv;inx;mof;mc; 7 | 8 | 9 | -------------------------------------------------------------------------------- /FileLogger.opensdf: -------------------------------------------------------------------------------- 1 | adtis-lixtADTIS-LIXT-PC -------------------------------------------------------------------------------- /FileLogger.sln: -------------------------------------------------------------------------------- 1 |  2 | Microsoft Visual Studio Solution File, Format Version 12.00 3 | # Visual Studio 2013 4 | VisualStudioVersion = 12.0.31101.0 5 | MinimumVisualStudioVersion = 10.0.40219.1 6 | Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "FileLogger", "FileLogger\FileLogger.vcxproj", "{463F5CF6-1142-483F-BCE6-1ADD297C1C16}" 7 | EndProject 8 | Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "FileLogger Package", "FileLogger Package\FileLogger Package.vcxproj", "{759923EF-CE8A-4498-A548-82930EA3C577}" 9 | ProjectSection(ProjectDependencies) = postProject 10 | {463F5CF6-1142-483F-BCE6-1ADD297C1C16} = {463F5CF6-1142-483F-BCE6-1ADD297C1C16} 11 | EndProjectSection 12 | EndProject 13 | Global 14 | 
GlobalSection(SolutionConfigurationPlatforms) = preSolution 15 | Win7 Debug|Win32 = Win7 Debug|Win32 16 | Win7 Debug|x64 = Win7 Debug|x64 17 | Win7 Release|Win32 = Win7 Release|Win32 18 | Win7 Release|x64 = Win7 Release|x64 19 | Win8 Debug|Win32 = Win8 Debug|Win32 20 | Win8 Debug|x64 = Win8 Debug|x64 21 | Win8 Release|Win32 = Win8 Release|Win32 22 | Win8 Release|x64 = Win8 Release|x64 23 | Win8.1 Debug|Win32 = Win8.1 Debug|Win32 24 | Win8.1 Debug|x64 = Win8.1 Debug|x64 25 | Win8.1 Release|Win32 = Win8.1 Release|Win32 26 | Win8.1 Release|x64 = Win8.1 Release|x64 27 | EndGlobalSection 28 | GlobalSection(ProjectConfigurationPlatforms) = postSolution 29 | {463F5CF6-1142-483F-BCE6-1ADD297C1C16}.Win7 Debug|Win32.ActiveCfg = Win7 Debug|Win32 30 | {463F5CF6-1142-483F-BCE6-1ADD297C1C16}.Win7 Debug|Win32.Build.0 = Win7 Debug|Win32 31 | {463F5CF6-1142-483F-BCE6-1ADD297C1C16}.Win7 Debug|Win32.Deploy.0 = Win7 Debug|Win32 32 | {463F5CF6-1142-483F-BCE6-1ADD297C1C16}.Win7 Debug|x64.ActiveCfg = Win7 Debug|x64 33 | {463F5CF6-1142-483F-BCE6-1ADD297C1C16}.Win7 Debug|x64.Build.0 = Win7 Debug|x64 34 | {463F5CF6-1142-483F-BCE6-1ADD297C1C16}.Win7 Debug|x64.Deploy.0 = Win7 Debug|x64 35 | {463F5CF6-1142-483F-BCE6-1ADD297C1C16}.Win7 Release|Win32.ActiveCfg = Win7 Release|Win32 36 | {463F5CF6-1142-483F-BCE6-1ADD297C1C16}.Win7 Release|Win32.Build.0 = Win7 Release|Win32 37 | {463F5CF6-1142-483F-BCE6-1ADD297C1C16}.Win7 Release|Win32.Deploy.0 = Win7 Release|Win32 38 | {463F5CF6-1142-483F-BCE6-1ADD297C1C16}.Win7 Release|x64.ActiveCfg = Win7 Release|x64 39 | {463F5CF6-1142-483F-BCE6-1ADD297C1C16}.Win7 Release|x64.Build.0 = Win7 Release|x64 40 | {463F5CF6-1142-483F-BCE6-1ADD297C1C16}.Win7 Release|x64.Deploy.0 = Win7 Release|x64 41 | {463F5CF6-1142-483F-BCE6-1ADD297C1C16}.Win8 Debug|Win32.ActiveCfg = Win8 Debug|Win32 42 | {463F5CF6-1142-483F-BCE6-1ADD297C1C16}.Win8 Debug|Win32.Build.0 = Win8 Debug|Win32 43 | {463F5CF6-1142-483F-BCE6-1ADD297C1C16}.Win8 Debug|Win32.Deploy.0 = Win8 Debug|Win32 44 | 
{463F5CF6-1142-483F-BCE6-1ADD297C1C16}.Win8 Debug|x64.ActiveCfg = Win8 Debug|x64 45 | {463F5CF6-1142-483F-BCE6-1ADD297C1C16}.Win8 Debug|x64.Build.0 = Win8 Debug|x64 46 | {463F5CF6-1142-483F-BCE6-1ADD297C1C16}.Win8 Debug|x64.Deploy.0 = Win8 Debug|x64 47 | {463F5CF6-1142-483F-BCE6-1ADD297C1C16}.Win8 Release|Win32.ActiveCfg = Win8 Release|Win32 48 | {463F5CF6-1142-483F-BCE6-1ADD297C1C16}.Win8 Release|Win32.Build.0 = Win8 Release|Win32 49 | {463F5CF6-1142-483F-BCE6-1ADD297C1C16}.Win8 Release|Win32.Deploy.0 = Win8 Release|Win32 50 | {463F5CF6-1142-483F-BCE6-1ADD297C1C16}.Win8 Release|x64.ActiveCfg = Win8 Release|x64 51 | {463F5CF6-1142-483F-BCE6-1ADD297C1C16}.Win8 Release|x64.Build.0 = Win8 Release|x64 52 | {463F5CF6-1142-483F-BCE6-1ADD297C1C16}.Win8 Release|x64.Deploy.0 = Win8 Release|x64 53 | {463F5CF6-1142-483F-BCE6-1ADD297C1C16}.Win8.1 Debug|Win32.ActiveCfg = Win8.1 Debug|Win32 54 | {463F5CF6-1142-483F-BCE6-1ADD297C1C16}.Win8.1 Debug|Win32.Build.0 = Win8.1 Debug|Win32 55 | {463F5CF6-1142-483F-BCE6-1ADD297C1C16}.Win8.1 Debug|Win32.Deploy.0 = Win8.1 Debug|Win32 56 | {463F5CF6-1142-483F-BCE6-1ADD297C1C16}.Win8.1 Debug|x64.ActiveCfg = Win8.1 Debug|x64 57 | {463F5CF6-1142-483F-BCE6-1ADD297C1C16}.Win8.1 Debug|x64.Build.0 = Win8.1 Debug|x64 58 | {463F5CF6-1142-483F-BCE6-1ADD297C1C16}.Win8.1 Debug|x64.Deploy.0 = Win8.1 Debug|x64 59 | {463F5CF6-1142-483F-BCE6-1ADD297C1C16}.Win8.1 Release|Win32.ActiveCfg = Win8.1 Release|Win32 60 | {463F5CF6-1142-483F-BCE6-1ADD297C1C16}.Win8.1 Release|Win32.Build.0 = Win8.1 Release|Win32 61 | {463F5CF6-1142-483F-BCE6-1ADD297C1C16}.Win8.1 Release|Win32.Deploy.0 = Win8.1 Release|Win32 62 | {463F5CF6-1142-483F-BCE6-1ADD297C1C16}.Win8.1 Release|x64.ActiveCfg = Win8.1 Release|x64 63 | {463F5CF6-1142-483F-BCE6-1ADD297C1C16}.Win8.1 Release|x64.Build.0 = Win8.1 Release|x64 64 | {463F5CF6-1142-483F-BCE6-1ADD297C1C16}.Win8.1 Release|x64.Deploy.0 = Win8.1 Release|x64 65 | {759923EF-CE8A-4498-A548-82930EA3C577}.Win7 Debug|Win32.ActiveCfg = Win7 
Debug|Win32 66 | {759923EF-CE8A-4498-A548-82930EA3C577}.Win7 Debug|Win32.Build.0 = Win7 Debug|Win32 67 | {759923EF-CE8A-4498-A548-82930EA3C577}.Win7 Debug|Win32.Deploy.0 = Win7 Debug|Win32 68 | {759923EF-CE8A-4498-A548-82930EA3C577}.Win7 Debug|x64.ActiveCfg = Win7 Debug|x64 69 | {759923EF-CE8A-4498-A548-82930EA3C577}.Win7 Debug|x64.Build.0 = Win7 Debug|x64 70 | {759923EF-CE8A-4498-A548-82930EA3C577}.Win7 Debug|x64.Deploy.0 = Win7 Debug|x64 71 | {759923EF-CE8A-4498-A548-82930EA3C577}.Win7 Release|Win32.ActiveCfg = Win7 Release|Win32 72 | {759923EF-CE8A-4498-A548-82930EA3C577}.Win7 Release|Win32.Build.0 = Win7 Release|Win32 73 | {759923EF-CE8A-4498-A548-82930EA3C577}.Win7 Release|Win32.Deploy.0 = Win7 Release|Win32 74 | {759923EF-CE8A-4498-A548-82930EA3C577}.Win7 Release|x64.ActiveCfg = Win7 Release|x64 75 | {759923EF-CE8A-4498-A548-82930EA3C577}.Win7 Release|x64.Build.0 = Win7 Release|x64 76 | {759923EF-CE8A-4498-A548-82930EA3C577}.Win7 Release|x64.Deploy.0 = Win7 Release|x64 77 | {759923EF-CE8A-4498-A548-82930EA3C577}.Win8 Debug|Win32.ActiveCfg = Win8 Debug|Win32 78 | {759923EF-CE8A-4498-A548-82930EA3C577}.Win8 Debug|Win32.Build.0 = Win8 Debug|Win32 79 | {759923EF-CE8A-4498-A548-82930EA3C577}.Win8 Debug|Win32.Deploy.0 = Win8 Debug|Win32 80 | {759923EF-CE8A-4498-A548-82930EA3C577}.Win8 Debug|x64.ActiveCfg = Win8 Debug|x64 81 | {759923EF-CE8A-4498-A548-82930EA3C577}.Win8 Debug|x64.Build.0 = Win8 Debug|x64 82 | {759923EF-CE8A-4498-A548-82930EA3C577}.Win8 Debug|x64.Deploy.0 = Win8 Debug|x64 83 | {759923EF-CE8A-4498-A548-82930EA3C577}.Win8 Release|Win32.ActiveCfg = Win8 Release|Win32 84 | {759923EF-CE8A-4498-A548-82930EA3C577}.Win8 Release|Win32.Build.0 = Win8 Release|Win32 85 | {759923EF-CE8A-4498-A548-82930EA3C577}.Win8 Release|Win32.Deploy.0 = Win8 Release|Win32 86 | {759923EF-CE8A-4498-A548-82930EA3C577}.Win8 Release|x64.ActiveCfg = Win8 Release|x64 87 | {759923EF-CE8A-4498-A548-82930EA3C577}.Win8 Release|x64.Build.0 = Win8 Release|x64 88 | 
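{759923EF-CE8A-4498-A548-82930EA3C577}.Win8 Release|x64.Deploy.0 = Win8 Release|x64
89 | {759923EF-CE8A-4498-A548-82930EA3C577}.Win8.1 Debug|Win32.ActiveCfg = Win8.1 Debug|Win32
90 | {759923EF-CE8A-4498-A548-82930EA3C577}.Win8.1 Debug|Win32.Build.0 = Win8.1 Debug|Win32
91 | {759923EF-CE8A-4498-A548-82930EA3C577}.Win8.1 Debug|Win32.Deploy.0 = Win8.1 Debug|Win32
92 | {759923EF-CE8A-4498-A548-82930EA3C577}.Win8.1 Debug|x64.ActiveCfg = Win8.1 Debug|x64
93 | {759923EF-CE8A-4498-A548-82930EA3C577}.Win8.1 Debug|x64.Build.0 = Win8.1 Debug|x64
94 | {759923EF-CE8A-4498-A548-82930EA3C577}.Win8.1 Debug|x64.Deploy.0 = Win8.1 Debug|x64
95 | {759923EF-CE8A-4498-A548-82930EA3C577}.Win8.1 Release|Win32.ActiveCfg = Win8.1 Release|Win32
96 | {759923EF-CE8A-4498-A548-82930EA3C577}.Win8.1 Release|Win32.Build.0 = Win8.1 Release|Win32
97 | {759923EF-CE8A-4498-A548-82930EA3C577}.Win8.1 Release|Win32.Deploy.0 = Win8.1 Release|Win32
98 | {759923EF-CE8A-4498-A548-82930EA3C577}.Win8.1 Release|x64.ActiveCfg = Win8.1 Release|x64
99 | {759923EF-CE8A-4498-A548-82930EA3C577}.Win8.1 Release|x64.Build.0 = Win8.1 Release|x64
100 | {759923EF-CE8A-4498-A548-82930EA3C577}.Win8.1 Release|x64.Deploy.0 = Win8.1 Release|x64
101 | EndGlobalSection
102 | GlobalSection(SolutionProperties) = preSolution
103 | HideSolutionNode = FALSE
104 | EndGlobalSection
105 | EndGlobal
106 | 
--------------------------------------------------------------------------------
/FileLogger/Container.c:
--------------------------------------------------------------------------------
/*
 * Container.c - process-id keyed hash map used by the FileLogger minifilter
 * to remember a process's image name and user name.
 *
 * Entries live in one or more HASH_MAP_POOL blocks; unused slots are chained
 * on pFreeList, used slots hang off valueArray[hashFun(pid)]. Every change
 * to the map is made under hashMapModifyLock; threadCount is a user count
 * that hashDestroy parks at -1 so that callers arriving during teardown
 * back out immediately.
 *
 * The NTSTATUS return type of the hash* routines is nominal: they return the
 * module's own 1 (ok) / -1 (failed) convention, not NT status codes.
 *
 * NOTE(review): hashMapModifyLock is never initialised in this file (the
 * KeInitializeSpinLock call in hashInit is commented out in the original);
 * it is assumed to be initialised by whoever creates the HASH_MAP — confirm.
 * NOTE(review): if these routines are placed in a pageable section, running
 * them at DISPATCH_LEVEL under the spin lock is still unsafe — confirm they
 * stay in the default text section.
 */
#include "Container.h"
#include "FileLoggerData.h"

/*
 * Bucket selector. The division by 4 is the original author's choice
 * (presumably because Windows process ids are multiples of 4 — not verified
 * here); the modulo keeps the index inside valueArray.
 */
#define hashFun(x) (((x)/4)%VALUE_COUNT)

/* Pool tag for every allocation made by this module. */
#define AllocatePoolTag 'FLCN'

/*
 * Pool type for the value pools and the name buffers.
 *
 * The original allocated these from PagedPool and then allocated, copied
 * into and freed them while holding hashMapModifyLock, i.e. at
 * DISPATCH_LEVEL. ExAllocatePoolWithTag/ExFreePool require non-paged memory
 * at that IRQL and paged memory must not be touched there, so the pools now
 * come from NonPagedPool.
 */
#define HASH_MAP_POOL_TYPE NonPagedPool

/* KeDelayExecutionThread takes a negative count of 100ns units for a relative delay. */
#define DELAY_ONE_MICROSECOND (-10)
#define DELAY_ONE_MILLISECOND (DELAY_ONE_MICROSECOND*1000)

/*
 * Marks every slot of pPool->poolArray as empty and links the slots into one
 * free chain (slot i -> slot i+1, last slot -> NULL).
 * Caller has already set pPool->poolSize; pPool->pNextNode is left alone.
 */
static VOID hashInitPoolSlots(PHASH_MAP_POOL pPool)
{
    for (ULONG i = 0; i < pPool->poolSize; i++)
    {
        pPool->poolArray[i].value = (ULONG)-1;
        pPool->poolArray[i].info = NULL;
        pPool->poolArray[i].processNameLenth = 0;
        pPool->poolArray[i].userNameLenth = 0;
        // the last slot terminates the chain (a NULL-terminated list is what
        // the walkers in hashInsert/hashRemove rely on)
        pPool->poolArray[i].pNextNode =
            (i + 1 < pPool->poolSize) ? &pPool->poolArray[i + 1] : NULL;
    }
}

/*
 * Allocates and initialises one pool of poolSize slots.
 * Returns NULL when poolSize is 0 or the allocation fails.
 * Safe at DISPATCH_LEVEL because HASH_MAP_POOL_TYPE is non-paged.
 */
static PHASH_MAP_POOL hashAllocPool(ULONG poolSize)
{
    if (poolSize == 0)
        return NULL;

    // sizeof(HASH_MAP_POOL) already carries one slot, so this over-allocates
    // by one HASH_MAP_VALUE; kept for compatibility with the original layout.
    PHASH_MAP_POOL pPool = ExAllocatePoolWithTag(HASH_MAP_POOL_TYPE,
        (SIZE_T)poolSize * sizeof(HASH_MAP_VALUE) + sizeof(HASH_MAP_POOL),
        AllocatePoolTag);
    if (pPool == NULL)
        return NULL;

    pPool->poolSize = poolSize;
    pPool->pNextNode = NULL;
    hashInitPoolSlots(pPool);
    return pPool;
}

/*
 * Records processId together with its process and user name.
 *
 * pHashMap        map prepared by hashInit.
 * processId       key. Duplicates are not detected: a second insert of the
 *                 same id appends a second node to the bucket, and hashRemove
 *                 drops only the first one it meets.
 * strProcessName, strUserName
 *                 copied into one buffer laid out "[ProcessName\0][UserName\0]".
 *
 * Returns 1 on success, -1 when the map is being destroyed or not initialised,
 * an input string is missing, or memory runs out.
 *
 * Must be entered at <= APC_LEVEL (PAGED_CODE); the update itself runs under
 * hashMapModifyLock.
 */
NTSTATUS hashInsert(PHASH_MAP pHashMap, ULONG processId, PUNICODE_STRING strProcessName, PUNICODE_STRING strUserName)
{
    PAGED_CODE();

    // register as a user; hashDestroy parks threadCount at -1
    InterlockedIncrement(&pHashMap->threadCount);
    if (pHashMap->threadCount <= 0)
    {
        // Map is being torn down. Leave without touching the lock: the
        // original jumped to ERROR_EXIT here and released a spin lock it
        // had never acquired (with an uninitialised IRQL).
        InterlockedDecrement(&pHashMap->threadCount);
        return -1;
    }

    // reject inputs the copies below could not read
    if (strProcessName == NULL || strUserName == NULL
        || (strProcessName->Length != 0 && strProcessName->Buffer == NULL)
        || (strUserName->Length != 0 && strUserName->Buffer == NULL))
    {
        InterlockedDecrement(&pHashMap->threadCount);
        return -1;
    }

    KIRQL oldIrql;
    KeAcquireSpinLock(&pHashMap->hashMapModifyLock, &oldIrql);

    // no value pool means hashInit never ran (or failed) or hashDestroy is done
    if (pHashMap->pValuePool == NULL)
        goto ERROR_EXIT;

    // walk the bucket chain to its end; new nodes are appended
    PHASH_MAP_VALUE *ppValue = pHashMap->valueArray + hashFun(processId);

    PT_DBG_PRINT(PTDBG_TRACE_ROUTINES, (" valueArray[%d]==> value:%d\n",
        (int)(ppValue - pHashMap->valueArray), processId));

    while (*ppValue != NULL)
    {
        ppValue = &(*ppValue)->pNextNode;
    }

    // free list exhausted: append another pool of the same size as the first
    if (pHashMap->pFreeList == NULL)
    {
        PHASH_MAP_POOL newValuePool = hashAllocPool(pHashMap->pValuePool->poolSize);
        if (newValuePool == NULL)
            goto ERROR_EXIT;

        PHASH_MAP_POOL lastPool = pHashMap->pValuePool;
        while (lastPool->pNextNode != NULL)
            lastPool = lastPool->pNextNode;
        lastPool->pNextNode = newValuePool;

        pHashMap->pFreeList = newValuePool->poolArray;
    }

    PHASH_MAP_VALUE pNewValue = pHashMap->pFreeList;

    // Length is a byte count; the two extra WCHARs hold the terminators
    pNewValue->info = ExAllocatePoolWithTag(HASH_MAP_POOL_TYPE,
        (SIZE_T)strProcessName->Length + strUserName->Length + 2 * sizeof(WCHAR),
        AllocatePoolTag);
    if (pNewValue->info == NULL)
        goto ERROR_EXIT;   // slot is still on the free list, nothing to undo

    // Unlink the slot. The original used InterlockedExchange (a LONG
    // operation) on this pointer, which truncates it on x64; a plain store is
    // enough because every writer holds hashMapModifyLock.
    pHashMap->pFreeList = pNewValue->pNextNode;

    pNewValue->pNextNode = NULL;
    pNewValue->value = processId;
    // integer division drops an odd trailing byte, so the copies below
    // never run past the source buffer
    pNewValue->processNameLenth = strProcessName->Length / sizeof(WCHAR);
    pNewValue->userNameLenth = strUserName->Length / sizeof(WCHAR);

    if (pNewValue->processNameLenth != 0)
        memcpy(pNewValue->info, strProcessName->Buffer, pNewValue->processNameLenth * sizeof(WCHAR));
    pNewValue->info[pNewValue->processNameLenth] = L'\0';

    if (pNewValue->userNameLenth != 0)
        memcpy(pNewValue->info + pNewValue->processNameLenth + 1, strUserName->Buffer, pNewValue->userNameLenth * sizeof(WCHAR));
    pNewValue->info[pNewValue->processNameLenth + 1 + pNewValue->userNameLenth] = L'\0';

    // publish the node only once it is fully built
    *ppValue = pNewValue;

    PT_DBG_PRINT(PTDBG_TRACE_ROUTINES, ("Insert:PHASH_MAP->pValuePool->poolArray[%d]==> value:%d, processName:%S, userName:%S\n",
        (int)(pNewValue - pHashMap->pValuePool->poolArray), processId,
        pNewValue->info, pNewValue->info + pNewValue->processNameLenth + 1));

    KeReleaseSpinLock(&pHashMap->hashMapModifyLock, oldIrql);
    InterlockedDecrement(&pHashMap->threadCount);
    return 1;

ERROR_EXIT:
    // only reached with the lock held
    KeReleaseSpinLock(&pHashMap->hashMapModifyLock, oldIrql);
    InterlockedDecrement(&pHashMap->threadCount);
    return -1;
}

/*
 * Removes the first node keyed by processId and returns its slot to the free
 * list (the name buffer is freed).
 *
 * Returns 1 when a node was removed, -1 when the map is being destroyed or
 * processId is not present.
 *
 * Must be entered at <= APC_LEVEL (PAGED_CODE); runs under hashMapModifyLock.
 */
NTSTATUS hashRemove(PHASH_MAP pHashMap, ULONG processId)
{
    PAGED_CODE();

    InterlockedIncrement(&pHashMap->threadCount);
    if (pHashMap->threadCount <= 0)//when destroy!
    {
        InterlockedDecrement(&pHashMap->threadCount);
        return -1;
    }

    KIRQL oldIrql;
    KeAcquireSpinLock(&pHashMap->hashMapModifyLock, &oldIrql);

    // find the link that points at the node to remove
    PHASH_MAP_VALUE *ppValue = pHashMap->valueArray + hashFun(processId);
    while (*ppValue != NULL && (*ppValue)->value != processId)
    {
        ppValue = &(*ppValue)->pNextNode;
    }
    if (*ppValue == NULL)
        goto ERROR_EXIT;

    PHASH_MAP_VALUE pOldValue = *ppValue;
    // unlink under the lock; a plain store suffices here
    *ppValue = pOldValue->pNextNode;

    if (pOldValue->info != NULL)
    {
        PT_DBG_PRINT(PTDBG_TRACE_ROUTINES, ("Remove:PHASH_MAP->pValuePool->poolArray[%d]==> value:%d, processName:%S, userName:%S,processNameLenth:%d,userNameLenth:%d\n",
            (int)(pOldValue - pHashMap->pValuePool->poolArray), pOldValue->value, pOldValue->info,
            pOldValue->info + pOldValue->processNameLenth + 1,
            pOldValue->processNameLenth, pOldValue->userNameLenth));

        ExFreePool(pOldValue->info);
        pOldValue->info = NULL;
    }

    // reset the slot so it looks like a fresh one and push it on the free list
    pOldValue->value = (ULONG)-1;
    pOldValue->processNameLenth = 0;
    pOldValue->userNameLenth = 0;
    pOldValue->pNextNode = pHashMap->pFreeList;
    pHashMap->pFreeList = pOldValue;

    KeReleaseSpinLock(&pHashMap->hashMapModifyLock, oldIrql);
    InterlockedDecrement(&pHashMap->threadCount);
    return 1;

ERROR_EXIT:
    KeReleaseSpinLock(&pHashMap->hashMapModifyLock, oldIrql);
    InterlockedDecrement(&pHashMap->threadCount);
    return -1;
}

/*
 * Prepares pInitHashMap for use: empties every bucket, resets threadCount
 * and allocates the first pool of initSize slots.
 *
 * Returns 1 on success, -1 when pInitHashMap is NULL, initSize is 0 or the
 * pool cannot be allocated (pValuePool/pFreeList are then NULL, so hashInsert
 * fails cleanly instead of dereferencing them).
 *
 * InitFilterRules() is called before anything else, as in the original.
 * The spin lock is NOT initialised here (see the file header note).
 */
NTSTATUS hashInit(PHASH_MAP pInitHashMap, ULONG initSize)
{
    PAGED_CODE();

    InitFilterRules();

    if (pInitHashMap == NULL || initSize == 0)
        return -1;

    InterlockedExchange(&pInitHashMap->threadCount, 0);
    for (ULONG i = 0; i < VALUE_COUNT; i++)
    {
        pInitHashMap->valueArray[i] = NULL;
    }

    PHASH_MAP_POOL pPool = hashAllocPool(initSize);
    if (pPool == NULL)
    {
        // the original called ExFreePool(NULL) here, which bugchecks
        pInitHashMap->pValuePool = NULL;
        pInitHashMap->pFreeList = NULL;
        return -1;
    }

    pInitHashMap->pValuePool = pPool;
    pInitHashMap->pFreeList = pPool->poolArray;
    return 1;
}

/*
 * Tears the map down: blocks new users, waits for current users to leave,
 * then frees every name buffer and every pool.
 *
 * Returns 1 on success, -1 when another destroy is already in progress.
 * After a successful return pValuePool, pFreeList and every bucket are NULL;
 * threadCount stays negative, so the map must go through hashInit again
 * before it can be used.
 */
NTSTATUS hashDestroy(PHASH_MAP pHashMap)
{
    PAGED_CODE();

    InterlockedIncrement(&pHashMap->threadCount);
    if (pHashMap->threadCount <= 0)//when destroy!
    {
        InterlockedDecrement(&pHashMap->threadCount);
        return -1;
    }

    // Park the counter at -1 so newcomers bail out, then wait until every
    // caller already inside (threadCount users, ourselves included) has
    // decremented: the sum reaches 0 exactly when they have all left.
    LONG threadCount = InterlockedExchange(&pHashMap->threadCount, -1);
    while (threadCount + pHashMap->threadCount > 0)
    {
        keSleepMsec(1000);
    }

    for (PHASH_MAP_POOL pValuePool = pHashMap->pValuePool; pValuePool != NULL;)
    {
        for (ULONG i = 0; i < pValuePool->poolSize; i++)
        {
            if (pValuePool->poolArray[i].info != NULL)
            {
                ExFreePool(pValuePool->poolArray[i].info);
                pValuePool->poolArray[i].info = NULL;
            }
        }
        PHASH_MAP_POOL pDone = pValuePool;
        pValuePool = pValuePool->pNextNode;
        ExFreePool(pDone);
    }
    pHashMap->pValuePool = NULL;

    // the free list and the buckets pointed into the pools just freed
    pHashMap->pFreeList = NULL;
    for (ULONG i = 0; i < VALUE_COUNT; i++)
    {
        pHashMap->valueArray[i] = NULL;
    }

    InterlockedDecrement(&pHashMap->threadCount);
    return 1;
}

/*
 * Sleeps the current thread for msec milliseconds (relative, non-alertable).
 */
VOID keSleepMsec(LONG msec)
{
    LARGE_INTEGER interval;
    interval.QuadPart = DELAY_ONE_MILLISECOND;
    interval.QuadPart *= msec;
    KeDelayExecutionThread(KernelMode, 0, &interval);
}

/*
 * Debug dump of the map to the trace output. Takes a user reference like the
 * other routines but deliberately not the spin lock, so the dump is a
 * best-effort snapshot while other threads modify the map.
 */
VOID printfHashMap(PHASH_MAP pHashMap)
{
    PAGED_CODE();

    InterlockedIncrement(&pHashMap->threadCount);
    if (pHashMap->threadCount <= 0)//when destroy!
    {
        InterlockedDecrement(&pHashMap->threadCount);
        return;   // the original returned -1 from this VOID routine
    }

    PT_DBG_PRINT(PTDBG_TRACE_ROUTINES, ("PHASH_MAP->threadCount:%d\n", pHashMap->threadCount));
    // pointers are printed with %p; the original's "%ulld" is not a format
    PT_DBG_PRINT(PTDBG_TRACE_ROUTINES, ("PHASH_MAP->pFreeList:%p\n", pHashMap->pFreeList));

    if (pHashMap->pValuePool == NULL)
    {
        PT_DBG_PRINT(PTDBG_TRACE_ROUTINES, ("PHASH_MAP->valuePool:NULL\n"));
    }
    else
    {
        for (PHASH_MAP_POOL pValuePool = pHashMap->pValuePool; pValuePool != NULL; pValuePool = pValuePool->pNextNode)
        {
            PT_DBG_PRINT(PTDBG_TRACE_ROUTINES, ("PHASH_MAP->poolSize:%d\n", pValuePool->poolSize));
            for (ULONG i = 0; i < pValuePool->poolSize; i++)
            {
                HASH_MAP_VALUE *pValue = &pValuePool->poolArray[i];
                if (pValue->info != NULL)
                {
                    PT_DBG_PRINT(PTDBG_TRACE_ROUTINES, ("PHASH_MAP->valueArray[%d]==> value:%d, processName:%S, userName:%S, nextNode:%p\n",
                        i, pValue->value, pValue->info, pValue->info + pValue->processNameLenth + 1, pValue->pNextNode));
                }
                else
                {
                    PT_DBG_PRINT(PTDBG_TRACE_ROUTINES, ("PHASH_MAP->valueArray[%d]==> value:%d, pValue->info == NULL, nextNode:%p\n",
                        i, pValue->value, pValue->pNextNode));
                }
            }
        }
    }

    InterlockedDecrement(&pHashMap->threadCount);
}

--------------------------------------------------------------------------------
/FileLogger/Container.h:
--------------------------------------------------------------------------------
/*
 * Container.h - process-id keyed hash map (see Container.c for the locking
 * and lifetime rules).
 */
#pragma once
/* NOTE(review): the header name on the next line was lost when this page was
   extracted (angle-bracket text stripped) — restore it from the repository. */
#include

/* Pools may be added while the map is in use (hashInsert grows the free
   list). Not referenced by Container.c itself. */
#define HASH_MAP_CAN_INC
/* Number of buckets in HASH_MAP.valueArray; hashFun() reduces modulo this. */
#define VALUE_COUNT 1024

/* One map entry. The link field serves the bucket chain while the entry is
   in use and the free chain while it is not. */
typedef struct _HASH_MAP_VALUE{
    struct _HASH_MAP_VALUE *pNextNode;  // next node in the bucket chain, or in pFreeList

    ULONG value;      // processId key; (ULONG)-1 while the slot is unused
    ULONG IsFilter;   // whether this entry is to be filtered out (if the pre-op
                      // filters it, the context is set to NULL and the post-op
                      // exits immediately on a NULL context). Not written by
                      // Container.c; presumably owned by the filter callbacks.

    PWCHAR info;              // "[ProcessName\0][UserName\0]", one allocation
    USHORT processNameLenth;  // WCHARs before the first terminator
    USHORT userNameLenth;     // WCHARs between the terminators
}HASH_MAP_VALUE, *PHASH_MAP_VALUE;

/* One block of entry slots; poolArray is sized poolSize at allocation time
   (declared with one element, allocated with poolSize more). */
typedef struct _HASH_MAP_POOL{
    struct _HASH_MAP_POOL *pNextNode;   // next pool; hashInsert appends here
    ULONG poolSize;                     // number of slots in poolArray
    HASH_MAP_VALUE poolArray[1];
}HASH_MAP_POOL, *PHASH_MAP_POOL;

typedef struct _HASH_MAP {
    PHASH_MAP_VALUE valueArray[VALUE_COUNT];   // bucket heads, indexed by hashFun(processId)

    __volatile LONG threadCount;   // number of callers currently inside the map;
                                   // hashDestroy swaps it to -1 and waits for it
                                   // to drain before freeing the buffers
    PHASH_MAP_POOL pValuePool;     // first pool (chain of memory pools)
    __volatile PHASH_MAP_VALUE pFreeList;   // unused slots across all pools

    KSPIN_LOCK hashMapModifyLock;  // held for every modification of the map
}HASH_MAP, *PHASH_MAP;

VOID keSleepMsec(LONG msec);
PHASH_MAP getHashMapInstance();   // factory-style accessor? (author's open question; not defined in Container.c)
NTSTATUS hashFun();               // no definition in Container.c, which defines hashFun as a macro instead
NTSTATUS hashInit(PHASH_MAP pInitHashMap, ULONG initSize);
NTSTATUS hashInsert(PHASH_MAP pHashMap, ULONG processId, PUNICODE_STRING strProcessName, PUNICODE_STRING strUserName);
NTSTATUS hashRemove(PHASH_MAP pHashMap, ULONG processId);
NTSTATUS hashDestroy(PHASH_MAP pHashMap);
VOID printfHashMap(PHASH_MAP pInitHashMap);

--------------------------------------------------------------------------------
/FileLogger/FileLogger.aps:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/lxt1045/FileLogger/a11e57318496b3c9495a8512ea1f3ffba6ef05a5/FileLogger/FileLogger.aps
--------------------------------------------------------------------------------
/FileLogger/FileLogger.c:
--------------------------------------------------------------------------------
/*++

Module Name:

FileLogger.c

Abstract:

This is the main module of the FileLogger miniFilter driver.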

Environment:

Kernel mode

--*/

//#include "FileLoggerFunction.h"
//#include
//#include
//#include

//#include "c1.h"
#include "FileLoggerData.h"
#include "FileLoggerFunction.h"
#include "ntifs.h"
//#pragma comment(lib,"Ksecdd.lib") // link against Ksecdd.lib

//PFLT_FILTER gFilterHandle;
// Opaque value handed around as the operation-status requester context
// (presumably; its only use is outside this excerpt).
ULONG_PTR OperationStatusCtx = 1;

// Trace mask consulted by PT_DBG_PRINT; both routine and operation-status
// tracing are on.
ULONG gTraceFlags = PTDBG_TRACE_ROUTINES | PTDBG_TRACE_OPERATION_STATUS;

#pragma prefast(disable:__WARNING_ENCODE_MEMBER_FUNCTION_POINTER, "Not valid for kernel mode drivers")

/*************************************************************************
Prototypes
*************************************************************************/
#pragma region 函数预定义

// Registered as InstanceSetup in FilterRegistration below.
NTSTATUS
FileLoggerInstanceSetup(
    _In_ PCFLT_RELATED_OBJECTS FltObjects,
    _In_ FLT_INSTANCE_SETUP_FLAGS Flags,
    _In_ DEVICE_TYPE VolumeDeviceType,
    _In_ FLT_FILESYSTEM_TYPE VolumeFilesystemType
    );

VOID
FileLoggerInstanceTeardownStart(
    _In_ PCFLT_RELATED_OBJECTS FltObjects,
    _In_ FLT_INSTANCE_TEARDOWN_FLAGS Flags
    );

VOID
FileLoggerInstanceTeardownComplete(
    _In_ PCFLT_RELATED_OBJECTS FltObjects,
    _In_ FLT_INSTANCE_TEARDOWN_FLAGS Flags
    );

// Registered as MiniFilterUnload in FilterRegistration below.
NTSTATUS
FileLoggerUnload(
    _In_ FLT_FILTER_UNLOAD_FLAGS Flags
    );

// Registered as InstanceQueryTeardown in FilterRegistration below.
NTSTATUS
FileLoggerInstanceQueryTeardown(
    _In_ PCFLT_RELATED_OBJECTS FltObjects,
    _In_ FLT_INSTANCE_QUERY_TEARDOWN_FLAGS Flags
    );


// Pre-operation callback used for every major function in Callbacks[]
// except IRP_MJ_SHUTDOWN.
FLT_PREOP_CALLBACK_STATUS
FileLoggerPreOperation(
    _Inout_ PFLT_CALLBACK_DATA Data,
    _In_ PCFLT_RELATED_OBJECTS FltObjects,
    _Flt_CompletionContext_Outptr_ PVOID *CompletionContext
    );

VOID
FileLoggerOperationStatusCallback(
    _In_ PCFLT_RELATED_OBJECTS FltObjects,
    _In_ PFLT_IO_PARAMETER_BLOCK ParameterSnapshot,
    _In_ NTSTATUS OperationStatus,
    _In_ PVOID RequesterContext
    );

// Post-operation callback paired with FileLoggerPreOperation in Callbacks[].
FLT_POSTOP_CALLBACK_STATUS
FileLoggerPostOperation(
    _Inout_ PFLT_CALLBACK_DATA Data,
    _In_ PCFLT_RELATED_OBJECTS FltObjects,
    _In_opt_ PVOID CompletionContext,
    _In_ FLT_POST_OPERATION_FLAGS Flags
    );

// Pre-operation callback for IRP_MJ_SHUTDOWN, which has no post-operation.
FLT_PREOP_CALLBACK_STATUS
FileLoggerPreOperationNoPostOperation(
    _Inout_ PFLT_CALLBACK_DATA Data,
    _In_ PCFLT_RELATED_OBJECTS FltObjects,
    _Flt_CompletionContext_Outptr_ PVOID *CompletionContext
    );

BOOLEAN
FileLoggerDoRequestOperationStatus(
    _In_ PFLT_CALLBACK_DATA Data
    );

#if FLT_MGR_LONGHORN
// Context cleanup callback; registered for FLT_TRANSACTION_CONTEXT in Contexts[].
VOID
FileLoggerDeleteContext(
    __inout PFLT_CONTEXT Context,
    __in FLT_CONTEXT_TYPE ContextType
    );
#endif
//
// Assign text sections for each routine.
//
#if FLT_MGR_LONGHORN
NTSTATUS
FileLoggerKtmNotificationCallback(
    __in PCFLT_RELATED_OBJECTS FltObjects,
    __in PFLT_CONTEXT TransactionContext,
    __in ULONG TransactionNotification
    );
#endif


// Communication-port message handler. InputBuffer/OutputBuffer are supplied
// by the user-mode client (per the SAL annotations), so their contents and
// InputBufferSize/OutputBufferSize must be validated by the implementation.
NTSTATUS
FileLoggerMessage(
    __in PVOID ConnectionCookie,
    __in_bcount_opt(InputBufferSize) PVOID InputBuffer,
    __in ULONG InputBufferSize,
    __out_bcount_part_opt(OutputBufferSize, *ReturnOutputBufferLength) PVOID OutputBuffer,
    __in ULONG OutputBufferSize,
    __out PULONG ReturnOutputBufferLength
    );

// Communication-port connect handler; ConnectionContext is client-supplied
// and SizeOfContext bytes long.
NTSTATUS
FileLoggerConnect(
    __in PFLT_PORT ClientPort,
    __in PVOID ServerPortCookie,
    __in_bcount(SizeOfContext) PVOID ConnectionContext,
    __in ULONG SizeOfContext,
    __deref_out_opt PVOID *ConnectionCookie
    );

VOID
FileLoggerDisconnect(
    __in_opt PVOID ConnectionCookie
    );


DRIVER_INITIALIZE DriverEntry;
NTSTATUS
DriverEntry (
    _In_ PDRIVER_OBJECT DriverObject,
    _In_ PUNICODE_STRING RegistryPath
    );
#pragma endregion

#ifdef ALLOC_PRAGMA
#pragma alloc_text(INIT, DriverEntry)
#pragma alloc_text(PAGE, FileLoggerUnload)
#pragma alloc_text(PAGE, FileLoggerInstanceQueryTeardown)
#pragma alloc_text(PAGE, FileLoggerInstanceSetup)
#pragma alloc_text(PAGE, FileLoggerInstanceTeardownStart)
#pragma alloc_text(PAGE, FileLoggerInstanceTeardownComplete)
#endif

#pragma region
#pragma endregion
#pragma region 一些上下文需求
//
// operation registration
//
// Every listed major function gets FileLoggerPreOperation and
// FileLoggerPostOperation; IRP_MJ_SHUTDOWN only gets the no-post variant.
// IRP_MJ_NOTIFY_STREAM_FILE_OBJECT is intentionally commented out.
//

CONST FLT_OPERATION_REGISTRATION Callbacks[] = {

#if 1 // TODO - List all of the requests to filter.
    { IRP_MJ_CREATE,
      0,
      FileLoggerPreOperation,
      FileLoggerPostOperation },

    { IRP_MJ_CREATE_NAMED_PIPE,
      0,
      FileLoggerPreOperation,
      FileLoggerPostOperation },

    { IRP_MJ_CLOSE,
      0,
      FileLoggerPreOperation,
      FileLoggerPostOperation },

    { IRP_MJ_READ,
      0,
      FileLoggerPreOperation,
      FileLoggerPostOperation },

    { IRP_MJ_WRITE,
      0,
      FileLoggerPreOperation,
      FileLoggerPostOperation },

    { IRP_MJ_QUERY_INFORMATION,
      0,
      FileLoggerPreOperation,
      FileLoggerPostOperation },

    { IRP_MJ_SET_INFORMATION,
      0,
      FileLoggerPreOperation,
      FileLoggerPostOperation },

    { IRP_MJ_QUERY_EA,
      0,
      FileLoggerPreOperation,
      FileLoggerPostOperation },

    { IRP_MJ_SET_EA,
      0,
      FileLoggerPreOperation,
      FileLoggerPostOperation },

    { IRP_MJ_FLUSH_BUFFERS,
      0,
      FileLoggerPreOperation,
      FileLoggerPostOperation },

    { IRP_MJ_QUERY_VOLUME_INFORMATION,
      0,
      FileLoggerPreOperation,
      FileLoggerPostOperation },

    { IRP_MJ_SET_VOLUME_INFORMATION,
      0,
      FileLoggerPreOperation,
      FileLoggerPostOperation },

    { IRP_MJ_DIRECTORY_CONTROL,
      0,
      FileLoggerPreOperation,
      FileLoggerPostOperation },

    { IRP_MJ_FILE_SYSTEM_CONTROL,
      0,
      FileLoggerPreOperation,
      FileLoggerPostOperation },

    { IRP_MJ_DEVICE_CONTROL,
      0,
      FileLoggerPreOperation,
      FileLoggerPostOperation },

    { IRP_MJ_INTERNAL_DEVICE_CONTROL,
      0,
      FileLoggerPreOperation,
      FileLoggerPostOperation },

    { IRP_MJ_SHUTDOWN,
      0,
      FileLoggerPreOperationNoPostOperation,
      NULL }, //post operations not supported

    { IRP_MJ_LOCK_CONTROL,
      0,
      FileLoggerPreOperation,
      FileLoggerPostOperation },

    { IRP_MJ_CLEANUP,
      0,
      FileLoggerPreOperation,
      FileLoggerPostOperation },

    { IRP_MJ_CREATE_MAILSLOT,
      0,
      FileLoggerPreOperation,
      FileLoggerPostOperation },

    { IRP_MJ_QUERY_SECURITY,
      0,
      FileLoggerPreOperation,
      FileLoggerPostOperation },

    { IRP_MJ_SET_SECURITY,
      0,
      FileLoggerPreOperation,
      FileLoggerPostOperation },

    { IRP_MJ_QUERY_QUOTA,
      0,
      FileLoggerPreOperation,
      FileLoggerPostOperation },

    { IRP_MJ_SET_QUOTA,
      0,
      FileLoggerPreOperation,
      FileLoggerPostOperation },

    { IRP_MJ_PNP,
      0,
      FileLoggerPreOperation,
      FileLoggerPostOperation },

    { IRP_MJ_ACQUIRE_FOR_SECTION_SYNCHRONIZATION,
      0,
      FileLoggerPreOperation,
      FileLoggerPostOperation },

    { IRP_MJ_RELEASE_FOR_SECTION_SYNCHRONIZATION,
      0,
      FileLoggerPreOperation,
      FileLoggerPostOperation },

    { IRP_MJ_ACQUIRE_FOR_MOD_WRITE,
      0,
      FileLoggerPreOperation,
      FileLoggerPostOperation },

    { IRP_MJ_RELEASE_FOR_MOD_WRITE,
      0,
      FileLoggerPreOperation,
      FileLoggerPostOperation },

    { IRP_MJ_ACQUIRE_FOR_CC_FLUSH,
      0,
      FileLoggerPreOperation,
      FileLoggerPostOperation },

    /* { IRP_MJ_NOTIFY_STREAM_FILE_OBJECT,
      0,
      FileLoggerPreOperation,
      FslPostOperationCallback },//*/

    { IRP_MJ_RELEASE_FOR_CC_FLUSH,
      0,
      FileLoggerPreOperation,
      FileLoggerPostOperation },

    { IRP_MJ_FAST_IO_CHECK_IF_POSSIBLE,
      0,
      FileLoggerPreOperation,
      FileLoggerPostOperation },

    { IRP_MJ_NETWORK_QUERY_OPEN,
      0,
      FileLoggerPreOperation,
      FileLoggerPostOperation },

    { IRP_MJ_MDL_READ,
      0,
      FileLoggerPreOperation,
      FileLoggerPostOperation },

    { IRP_MJ_MDL_READ_COMPLETE,
      0,
      FileLoggerPreOperation,
      FileLoggerPostOperation },

    { IRP_MJ_PREPARE_MDL_WRITE,
      0,
      FileLoggerPreOperation,
      FileLoggerPostOperation },

    { IRP_MJ_MDL_WRITE_COMPLETE,
      0,
      FileLoggerPreOperation,
      FileLoggerPostOperation },

    { IRP_MJ_VOLUME_MOUNT,
      0,
      FileLoggerPreOperation,
      FileLoggerPostOperation },

    { IRP_MJ_VOLUME_DISMOUNT,
      0,
      FileLoggerPreOperation,
      FileLoggerPostOperation },

#endif // TODO

    { IRP_MJ_OPERATION_END }
};

// Context registration: one transaction context (cleaned up by
// FileLoggerDeleteContext) on builds where FLT_MGR_LONGHORN is set.
const FLT_CONTEXT_REGISTRATION Contexts[] = {

#if FLT_MGR_LONGHORN

    { FLT_TRANSACTION_CONTEXT,
      0,
      FileLoggerDeleteContext,
      sizeof(FLOG_TRANSACTION_CONTEXT),
      'Lixt' },

#endif

    { FLT_CONTEXT_END }
};

//
// This defines what we want to filter with FltMgr
//

CONST FLT_REGISTRATION FilterRegistration = {

    sizeof( FLT_REGISTRATION ),         //  Size
    FLT_REGISTRATION_VERSION,           //  Version
    0,                                  //  Flags

    Contexts,                           //  Context
    Callbacks,                          //  Operation callbacks

    FileLoggerUnload,                   //  MiniFilterUnload

    FileLoggerInstanceSetup,            //  InstanceSetup
    FileLoggerInstanceQueryTeardown,    //  InstanceQueryTeardown

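FileLoggerInstanceTeardownStart,      // InstanceTeardownStart
    FileLoggerInstanceTeardownComplete,   // InstanceTeardownComplete

    NULL,                                 // GenerateFileName
    NULL,                                 // GenerateDestinationFileName
    NULL                                  // NormalizeNameComponent

#if FLT_MGR_LONGHORN
    ,
    FileLoggerKtmNotificationCallback     // TransactionNotificationCallback

#endif // FLT_MGR_LONGHORN
#if FLT_MGR_WIN8
    ,
    NULL                                  // SectionNotificationCallback (Win8+ slot, not the KTM one)

#endif // FLT_MGR_WIN8
};

#pragma endregion

/*************************************************************************
    MiniFilter initialization and unload routines.
*************************************************************************/
//
//  Global variables
//

FLOG_DATA FLogData;

NTSTATUS StatusToBreakOn = 0;

// Destination of the log file, set from user mode through FileLoggerMessage
// (SetFileLogFilePath).  Fixed capacity: MAX_FILENAME wide characters
// including the terminator.
WCHAR logfilePath[MAX_FILENAME] = L"";

// Process table seeded in DriverEntry and torn down in FileLoggerUnload.
HASH_MAP g_hashMap;

NTSTATUS
DriverEntry (
    _In_ PDRIVER_OBJECT DriverObject,
    _In_ PUNICODE_STRING RegistryPath
    )
/*++

Routine Description:

    This is the initialization routine for this miniFilter driver.  It
    initializes the global FLOG_DATA state, registers with FltMgr, creates
    the communication port and - only once all of that has succeeded -
    seeds the process hash map and registers the process-creation notify
    routine.

    Everything acquired inside the try block is released again in the
    finally block when a step fails, so a failed DriverEntry leaves no
    registration behind (FileLoggerUnload is never invoked for a driver
    whose DriverEntry failed).

Arguments:

    DriverObject - Pointer to driver object created by the system to
        represent this driver.

    RegistryPath - Unicode string identifying where the parameters for this
        driver are located in the registry.  Currently unused.

Return Value:

    STATUS_SUCCESS, or the failure status of the first FltMgr call that
    failed.

--*/
{
    NTSTATUS status = STATUS_SUCCESS;
    NTSTATUS notifyStatus;

    PSECURITY_DESCRIPTOR sd;
    OBJECT_ATTRIBUTES oa;
    UNICODE_STRING uniString;

    UNREFERENCED_PARAMETER( RegistryPath );

    PT_DBG_PRINT( PTDBG_TRACE_ROUTINES, ("FileLogger!DriverEntry: Entered\n") );

    try {

        //
        //  Initialize global data structures.
        //

        FLogData.LogSequenceNumber = 0;
        FLogData.MaxRecordsToAllocate = DEFAULT_MAX_RECORDS_TO_ALLOCATE;
        FLogData.RecordsAllocated = 0;
        FLogData.NameQueryMethod = FLT_FILE_NAME_QUERY_DEFAULT;

        FLogData.DriverObject = DriverObject;

        InitializeListHead(&FLogData.OutputBufferList);
        KeInitializeSpinLock(&FLogData.OutputBufferLock);

        ExInitializeNPagedLookasideList(&FLogData.FreeBufferList,
                                        NULL,
                                        NULL,
                                        0,
                                        RECORD_SIZE,
                                        FL_TAG,
                                        0);

#if FLT_MGR_LONGHORN

        //
        //  Dynamically import FilterMgr APIs for transaction support
        //

        FLogData.PFltSetTransactionContext = FltGetRoutineAddress("FltSetTransactionContext");
        FLogData.PFltGetTransactionContext = FltGetRoutineAddress("FltGetTransactionContext");
        FLogData.PFltEnlistInTransaction = FltGetRoutineAddress("FltEnlistInTransaction");

#endif

        //
        //  Register with FltMgr to tell it our callback routines
        //
        status = FltRegisterFilter( DriverObject,
                                    &FilterRegistration,
                                    &FLogData.Filter);

        if (!NT_SUCCESS(status)) {
            leave;  // unwinds straight into the finally block
        }

        status = FltBuildDefaultSecurityDescriptor(&sd, FLT_PORT_ALL_ACCESS);

        if (!NT_SUCCESS(status)) {
            leave;
        }

        RtlInitUnicodeString(&uniString, FLOG_PORT_NAME);

        InitializeObjectAttributes(&oa,
                                   &uniString,
                                   OBJ_KERNEL_HANDLE | OBJ_CASE_INSENSITIVE,
                                   NULL,
                                   sd);

        //
        //  FileLoggerUnload must call FltCloseCommunicationPort before
        //  FltUnregisterFilter.
        //
        status = FltCreateCommunicationPort(FLogData.Filter,
                                            &FLogData.ServerPort,
                                            &oa,
                                            NULL,
                                            FileLoggerConnect,
                                            FileLoggerDisconnect,
                                            FileLoggerMessage,
                                            1);   // MaxConnections: one user-mode client at a time

        FltFreeSecurityDescriptor(sd);

        if (!NT_SUCCESS(status)) {
            leave;
        }

        //
        //  Start filtering i/o
        //
        //  NOTE(review): FltStartFiltering is commented out, so FltMgr never
        //  delivers I/O to the callbacks registered above.  Confirm this is
        //  intended rather than a leftover from debugging.
        //

        //status = FltStartFiltering(FLogData.Filter);
        PT_DBG_PRINT(PTDBG_TRACE_ROUTINES, ("FileLogger!DriverEntry: FltStartFiltering...\n"));
    }
    finally {

        if (!NT_SUCCESS(status)) {

            //
            //  Undo in reverse order and clear the handles so that nothing
            //  can reuse a closed port or an unregistered filter.
            //

            if (NULL != FLogData.ServerPort) {
                FltCloseCommunicationPort(FLogData.ServerPort);
                FLogData.ServerPort = NULL;
            }

            if (NULL != FLogData.Filter) {
                FltUnregisterFilter(FLogData.Filter);
                FLogData.Filter = NULL;
            }

            ExDeleteNPagedLookasideList(&FLogData.FreeBufferList);
        }
    }

    //
    //  Hook process creation only when the driver is actually going to stay
    //  loaded.  Registering the notify routine on the failure path would
    //  leave the system calling into an image that is about to be unloaded.
    //
    if (NT_SUCCESS(status) && hashInit(&g_hashMap, 64) >= 0) {
        EnumProcessInfo();
        notifyStatus = PsSetCreateProcessNotifyRoutine(CreateProcessNotifyRoutine, FALSE);
        if (!NT_SUCCESS(notifyStatus)) {
            PT_DBG_PRINT(PTDBG_TRACE_ROUTINES,
                         ("FileLogger!DriverEntry: PsSetCreateProcessNotifyRoutine failed, status=%08x\n",
                          notifyStatus));
        }

        // NOTE(review): when hashInit fails, FileLoggerUnload still calls
        // printfHashMap/hashDestroy on g_hashMap - confirm those tolerate a
        // map that was never initialized.
    }

    return status;
}

/*************************************************************************
    MiniFilter callback routines.
*************************************************************************/
FLT_PREOP_CALLBACK_STATUS
FileLoggerPreOperation (
    _Inout_ PFLT_CALLBACK_DATA Data,
    _In_ PCFLT_RELATED_OBJECTS FltObjects,
    _Flt_CompletionContext_Outptr_ PVOID *CompletionContext
    )
/*++

Routine Description:

    This routine is a pre-operation dispatch routine for this miniFilter.

    This is non-pageable because it could be called on the paging path

Arguments:

    Data - Pointer to the filter callbackData that is passed to us.

    FltObjects - Pointer to the FLT_RELATED_OBJECTS data structure containing
        opaque handles to this filter, instance, its associated volume and
        file object.

    CompletionContext - The context for the completion routine for this
        operation.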
632 | 633 | Return Value: 634 | 635 | The return value is the status of the operation. 636 | 637 | --*/ 638 | { 639 | NTSTATUS status; 640 | 641 | FILE_ID ProcessId; 642 | FILE_ID ThreadId; 643 | 644 | UNREFERENCED_PARAMETER( FltObjects ); 645 | UNREFERENCED_PARAMETER( CompletionContext ); 646 | 647 | PT_DBG_PRINT( PTDBG_TRACE_ROUTINES, 648 | ("-------------------FileLogger!FileLoggerPreOperation: Entered-------------------\n") ); 649 | 650 | 651 | ProcessId = (FILE_ID)PsGetCurrentProcessId(); 652 | ThreadId = (FILE_ID)PsGetCurrentThreadId(); 653 | 654 | 655 | //PEPROCESS pEprocess;//NtosKrnl.lib 656 | //pEprocess = PsGetCurrentProcess();//PEPROCESS IoGetCurrentProcess(void); 657 | //DbgPrint("=======================ImageFileName: %.16s\n", PsGetProcessImageFileName(pProcess)); 658 | 659 | 660 | 661 | 662 | 663 | 664 | // 665 | // See if this is an operation we would like the operation status 666 | // for. If so request it. 667 | // 668 | // NOTE: most filters do NOT need to do this. You only need to make 669 | // this call if, for example, you need to know if the oplock was 670 | // actually granted. 671 | // 672 | 673 | if (FileLoggerDoRequestOperationStatus( Data )) { 674 | 675 | status = FltRequestOperationStatusCallback( Data, 676 | FileLoggerOperationStatusCallback, 677 | (PVOID)(++OperationStatusCtx) ); 678 | if (!NT_SUCCESS(status)) { 679 | 680 | PT_DBG_PRINT( PTDBG_TRACE_OPERATION_STATUS, 681 | ("FileLogger!FileLoggerPreOperation: FltRequestOperationStatusCallback Failed, status=%08x\n", 682 | status) ); 683 | } 684 | } 685 | 686 | // This template code does not do anything with the callbackData, but 687 | // rather returns FLT_PREOP_SUCCESS_WITH_CALLBACK. 688 | // This passes the request down to the next miniFilter in the chain. 
689 | 690 | return FLT_PREOP_SUCCESS_WITH_CALLBACK; 691 | } 692 | 693 | FLT_POSTOP_CALLBACK_STATUS 694 | FileLoggerPostOperation ( 695 | _Inout_ PFLT_CALLBACK_DATA Data, 696 | _In_ PCFLT_RELATED_OBJECTS FltObjects, 697 | _In_opt_ PVOID CompletionContext, 698 | _In_ FLT_POST_OPERATION_FLAGS Flags 699 | ) 700 | /*++ 701 | 702 | Routine Description: 703 | 704 | This routine is the post-operation completion routine for this 705 | miniFilter. 706 | 707 | This is non-pageable because it may be called at DPC level. 708 | 709 | Arguments: 710 | 711 | Data - Pointer to the filter callbackData that is passed to us. 712 | 713 | FltObjects - Pointer to the FLT_RELATED_OBJECTS data structure containing 714 | opaque handles to this filter, instance, its associated volume and 715 | file object. 716 | 717 | CompletionContext - The completion context set in the pre-operation routine. 718 | 719 | Flags - Denotes whether the completion is successful or is being drained. 720 | 721 | Return Value: 722 | 723 | The return value is the status of the operation. 724 | 725 | --*/ 726 | { 727 | UNREFERENCED_PARAMETER( Data ); 728 | UNREFERENCED_PARAMETER( FltObjects ); 729 | UNREFERENCED_PARAMETER( CompletionContext ); 730 | UNREFERENCED_PARAMETER( Flags ); 731 | 732 | PT_DBG_PRINT( PTDBG_TRACE_ROUTINES, 733 | ("FileLogger!FileLoggerPostOperation: Entered\n") ); 734 | 735 | return FLT_POSTOP_FINISHED_PROCESSING; 736 | } 737 | 738 | 739 | FLT_PREOP_CALLBACK_STATUS 740 | FileLoggerPreOperationNoPostOperation ( 741 | _Inout_ PFLT_CALLBACK_DATA Data, 742 | _In_ PCFLT_RELATED_OBJECTS FltObjects, 743 | _Flt_CompletionContext_Outptr_ PVOID *CompletionContext 744 | ) 745 | /*++ 746 | 747 | Routine Description: 748 | 749 | This routine is a pre-operation dispatch routine for this miniFilter. 750 | 751 | This is non-pageable because it could be called on the paging path 752 | 753 | Arguments: 754 | 755 | Data - Pointer to the filter callbackData that is passed to us. 
756 | 757 | FltObjects - Pointer to the FLT_RELATED_OBJECTS data structure containing 758 | opaque handles to this filter, instance, its associated volume and 759 | file object. 760 | 761 | CompletionContext - The context for the completion routine for this 762 | operation. 763 | 764 | Return Value: 765 | 766 | The return value is the status of the operation. 767 | 768 | --*/ 769 | { 770 | UNREFERENCED_PARAMETER( Data ); 771 | UNREFERENCED_PARAMETER( FltObjects ); 772 | UNREFERENCED_PARAMETER( CompletionContext ); 773 | 774 | PT_DBG_PRINT( PTDBG_TRACE_ROUTINES, 775 | ("FileLogger!FileLoggerPreOperationNoPostOperation: Entered\n") ); 776 | 777 | // This template code does not do anything with the callbackData, but 778 | // rather returns FLT_PREOP_SUCCESS_NO_CALLBACK. 779 | // This passes the request down to the next miniFilter in the chain. 780 | 781 | return FLT_PREOP_SUCCESS_NO_CALLBACK; 782 | } 783 | 784 | 785 | BOOLEAN 786 | FileLoggerDoRequestOperationStatus( 787 | _In_ PFLT_CALLBACK_DATA Data 788 | ) 789 | /*++ 790 | 791 | Routine Description: 792 | 793 | This identifies those operations we want the operation status for. These 794 | are typically operations that return STATUS_PENDING as a normal completion 795 | status. 
796 | 797 | Arguments: 798 | 799 | Return Value: 800 | 801 | TRUE - If we want the operation status 802 | FALSE - If we don't 803 | 804 | --*/ 805 | { 806 | PFLT_IO_PARAMETER_BLOCK iopb = Data->Iopb; 807 | 808 | // 809 | // return boolean state based on which operations we are interested in 810 | // 811 | 812 | 813 | return (BOOLEAN) 814 | 815 | // 816 | // Check for oplock operations 817 | // 818 | 819 | (((iopb->MajorFunction == IRP_MJ_FILE_SYSTEM_CONTROL) && 820 | ((iopb->Parameters.FileSystemControl.Common.FsControlCode == FSCTL_REQUEST_FILTER_OPLOCK) || 821 | (iopb->Parameters.FileSystemControl.Common.FsControlCode == FSCTL_REQUEST_BATCH_OPLOCK) || 822 | (iopb->Parameters.FileSystemControl.Common.FsControlCode == FSCTL_REQUEST_OPLOCK_LEVEL_1) || 823 | (iopb->Parameters.FileSystemControl.Common.FsControlCode == FSCTL_REQUEST_OPLOCK_LEVEL_2))) 824 | 825 | || 826 | 827 | // 828 | // Check for directy change notification 829 | // 830 | 831 | ((iopb->MajorFunction == IRP_MJ_DIRECTORY_CONTROL) && 832 | (iopb->MinorFunction == IRP_MN_NOTIFY_CHANGE_DIRECTORY)) 833 | ); 834 | } 835 | 836 | 837 | NTSTATUS 838 | FileLoggerInstanceSetup( 839 | _In_ PCFLT_RELATED_OBJECTS FltObjects, 840 | _In_ FLT_INSTANCE_SETUP_FLAGS Flags, 841 | _In_ DEVICE_TYPE VolumeDeviceType, 842 | _In_ FLT_FILESYSTEM_TYPE VolumeFilesystemType 843 | ) 844 | /*++ 845 | 846 | Routine Description: 847 | 848 | This routine is called whenever a new instance is created on a volume. This 849 | gives us a chance to decide if we need to attach to this volume or not. 850 | 851 | If this routine is not defined in the registration structure, automatic 852 | instances are always created. 853 | 854 | Arguments: 855 | 856 | FltObjects - Pointer to the FLT_RELATED_OBJECTS data structure containing 857 | opaque handles to this filter, instance and its associated volume. 858 | 859 | Flags - Flags describing the reason for this attach request. 
860 | 861 | Return Value: 862 | 863 | STATUS_SUCCESS - attach 864 | STATUS_FLT_DO_NOT_ATTACH - do not attach 865 | 866 | --*/ 867 | { 868 | UNREFERENCED_PARAMETER(FltObjects); 869 | UNREFERENCED_PARAMETER(Flags); 870 | UNREFERENCED_PARAMETER(VolumeDeviceType); 871 | UNREFERENCED_PARAMETER(VolumeFilesystemType); 872 | 873 | PAGED_CODE(); 874 | 875 | PT_DBG_PRINT(PTDBG_TRACE_ROUTINES, 876 | ("FileLogger!FileLoggerInstanceSetup: Entered\n")); 877 | //DbgPrint("-----------FslInstanceSetup runing=====\n"); 878 | 879 | return STATUS_SUCCESS; 880 | } 881 | 882 | 883 | NTSTATUS 884 | FileLoggerInstanceQueryTeardown( 885 | _In_ PCFLT_RELATED_OBJECTS FltObjects, 886 | _In_ FLT_INSTANCE_QUERY_TEARDOWN_FLAGS Flags 887 | ) 888 | /*++ 889 | 890 | Routine Description: 891 | 892 | This is called when an instance is being manually deleted by a 893 | call to FltDetachVolume or FilterDetach thereby giving us a 894 | chance to fail that detach request. 895 | 896 | If this routine is not defined in the registration structure, explicit 897 | detach requests via FltDetachVolume or FilterDetach will always be 898 | failed. 899 | 900 | Arguments: 901 | 902 | FltObjects - Pointer to the FLT_RELATED_OBJECTS data structure containing 903 | opaque handles to this filter, instance and its associated volume. 904 | 905 | Flags - Indicating where this detach request came from. 906 | 907 | Return Value: 908 | 909 | Returns the status of this operation. 
910 | 911 | --*/ 912 | { 913 | UNREFERENCED_PARAMETER(FltObjects); 914 | UNREFERENCED_PARAMETER(Flags); 915 | 916 | PAGED_CODE(); 917 | 918 | PT_DBG_PRINT(PTDBG_TRACE_ROUTINES, 919 | ("FileLogger!FileLoggerInstanceQueryTeardown: Entered\n")); 920 | 921 | return STATUS_SUCCESS; 922 | } 923 | 924 | 925 | VOID 926 | FileLoggerInstanceTeardownStart( 927 | _In_ PCFLT_RELATED_OBJECTS FltObjects, 928 | _In_ FLT_INSTANCE_TEARDOWN_FLAGS Flags 929 | ) 930 | /*++ 931 | 932 | Routine Description: 933 | 934 | This routine is called at the start of instance teardown. 935 | 936 | Arguments: 937 | 938 | FltObjects - Pointer to the FLT_RELATED_OBJECTS data structure containing 939 | opaque handles to this filter, instance and its associated volume. 940 | 941 | Flags - Reason why this instance is being deleted. 942 | 943 | Return Value: 944 | 945 | None. 946 | 947 | --*/ 948 | { 949 | UNREFERENCED_PARAMETER(FltObjects); 950 | UNREFERENCED_PARAMETER(Flags); 951 | 952 | PAGED_CODE(); 953 | 954 | PT_DBG_PRINT(PTDBG_TRACE_ROUTINES, 955 | ("FileLogger!FileLoggerInstanceTeardownStart: Entered\n")); 956 | } 957 | 958 | 959 | VOID 960 | FileLoggerInstanceTeardownComplete( 961 | _In_ PCFLT_RELATED_OBJECTS FltObjects, 962 | _In_ FLT_INSTANCE_TEARDOWN_FLAGS Flags 963 | ) 964 | /*++ 965 | 966 | Routine Description: 967 | 968 | This routine is called at the end of instance teardown. 969 | 970 | Arguments: 971 | 972 | FltObjects - Pointer to the FLT_RELATED_OBJECTS data structure containing 973 | opaque handles to this filter, instance and its associated volume. 974 | 975 | Flags - Reason why this instance is being deleted. 976 | 977 | Return Value: 978 | 979 | None. 
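--*/
{
    UNREFERENCED_PARAMETER(FltObjects);
    UNREFERENCED_PARAMETER(Flags);

    PAGED_CODE();

    PT_DBG_PRINT(PTDBG_TRACE_ROUTINES,
                 ("FileLogger!FileLoggerInstanceTeardownComplete: Entered\n"));
}


NTSTATUS
FileLoggerUnload(
    _In_ FLT_FILTER_UNLOAD_FLAGS Flags
    )
/*++

Routine Description:

    This is the unload routine for this miniFilter driver.  It tears down,
    in reverse order of DriverEntry, the communication port, the filter
    registration, the lookaside list, the process-creation notify routine
    and the process hash map.

    Flags (mandatory vs. non-mandatory unload) is not inspected; the unload
    request is never refused.

Arguments:

    Flags - Indicating if this is a mandatory unload.

Return Value:

    Returns STATUS_SUCCESS.

--*/
{
    UNREFERENCED_PARAMETER(Flags);
    PAGED_CODE();
    PT_DBG_PRINT(PTDBG_TRACE_ROUTINES,
                 ("FileLogger!FileLoggerUnload: Entered\n"));

    //
    //  The port must be closed before the filter is unregistered.  Both
    //  handles are NULL-checked and cleared so a stale pointer is never
    //  handed back to FltMgr.
    //
    if (NULL != FLogData.ServerPort) {
        FltCloseCommunicationPort(FLogData.ServerPort);
        FLogData.ServerPort = NULL;
    }

    if (NULL != FLogData.Filter) {
        FltUnregisterFilter(FLogData.Filter);
        FLogData.Filter = NULL;
    }

    //FslEmptyOutputBufferList();
    ExDeleteNPagedLookasideList(&FLogData.FreeBufferList);

    //
    //  Remove the process-creation callback before the hash map is
    //  destroyed, so that no in-flight notification can touch freed memory
    //  (CreateProcessNotifyRoutine is defined elsewhere; presumably it
    //  updates g_hashMap).
    //
    PsSetCreateProcessNotifyRoutine(CreateProcessNotifyRoutine, TRUE);

    printfHashMap(&g_hashMap);
    hashDestroy(&g_hashMap);
    PT_DBG_PRINT(PTDBG_TRACE_ROUTINES, ("FileLogger!FileLoggerUnload: hashDestroy(&g_hashMap) Succes!\n"));

    return STATUS_SUCCESS;
}


VOID
FileLoggerOperationStatusCallback(
    _In_ PCFLT_RELATED_OBJECTS FltObjects,
    _In_ PFLT_IO_PARAMETER_BLOCK ParameterSnapshot,
    _In_ NTSTATUS OperationStatus,
    _In_ PVOID RequesterContext
    )
/*++

Routine Description:

    This routine is called when the given operation returns from the call
    to IoCallDriver.  This is useful for operations where STATUS_PENDING
    means the operation was successfully queued.  This is useful for OpLocks
    and directory change notification operations.

    This callback is called in the context of the originating thread and will
    never be called at DPC level.  The file object has been correctly
    referenced so that you can access it.  It will be automatically
    dereferenced upon return.

    This is non-pageable because it could be called on the paging path.

    The routine only traces; it does not act on the status.

Arguments:

    FltObjects - Pointer to the FLT_RELATED_OBJECTS data structure containing
        opaque handles to this filter, instance, its associated volume and
        file object.

    ParameterSnapshot - Snapshot of the I/O parameter block of the operation;
        only its major/minor function codes are traced here.

    OperationStatus - The status the operation completed (or was queued) with.

    RequesterContext - The context passed to FltRequestOperationStatusCallback
        by FileLoggerPreOperation.

Return Value:

    None.

--*/
{
    UNREFERENCED_PARAMETER(FltObjects);

    PT_DBG_PRINT(PTDBG_TRACE_ROUTINES,
                 ("FileLogger!FileLoggerOperationStatusCallback: Entered\n"));

    PT_DBG_PRINT(PTDBG_TRACE_OPERATION_STATUS,
                 ("FileLogger!FileLoggerOperationStatusCallback: Status=%08x ctx=%p IrpMj=%02x.%02x \"%s\"\n",
                  OperationStatus,
                  RequesterContext,
                  ParameterSnapshot->MajorFunction,
                  ParameterSnapshot->MinorFunction,
                  FltGetIrpName(ParameterSnapshot->MajorFunction)));
}


#if FLT_MGR_LONGHORN
VOID
FileLoggerDeleteContext(
    __inout PFLT_CONTEXT Context,
    __in FLT_CONTEXT_TYPE ContextType
    )
/*++

Routine Description:

    Context cleanup callback for the FLT_TRANSACTION_CONTEXT registered in
    Contexts[].  The first parameter is PFLT_CONTEXT so that this definition
    matches the prototype declared earlier in the file and the callback slot
    it is stored in; the context is cast to FLOG_TRANSACTION_CONTEXT only
    for the sanity check.  Nothing is freed here.

Arguments:

    Context - The transaction context being torn down.

    ContextType - Expected to be FLT_TRANSACTION_CONTEXT.

Return Value:

    None.

--*/
{
    UNREFERENCED_PARAMETER(Context);
    UNREFERENCED_PARAMETER(ContextType);

    ASSERT(FLT_TRANSACTION_CONTEXT == ContextType);
    ASSERT(((PFLOG_TRANSACTION_CONTEXT)Context)->Count != 0);
}

#endif
#if FLT_MGR_LONGHORN

NTSTATUS
FileLoggerKtmNotificationCallback(
    __in PCFLT_RELATED_OBJECTS FltObjects,
    __in PFLT_CONTEXT TransactionContext,
    __in ULONG TransactionNotification
    )
/*++

Routine Description:

    KTM transaction notification callback registered through
    FilterRegistration.  Logging of the notification is stubbed out (see the
    commented block below), so every notification is simply acknowledged.

Arguments:

    FltObjects - Opaque handles to this filter, instance and volume (unused).

    TransactionContext - Transaction context for the notification (unused).

    TransactionNotification - Notification mask for this event (unused).

Return Value:

    STATUS_SUCCESS.

--*/
{
    UNREFERENCED_PARAMETER(FltObjects);
    UNREFERENCED_PARAMETER(TransactionContext);
    UNREFERENCED_PARAMETER(TransactionNotification);

    /*
    PRECORD_LIST recordList;

    //
    //  Try and get a log record
    //

    recordList = FslNewRecord();

    if (recordList) {

        FslLogTransactionNotify(FltObjects, recordList, TransactionNotification);

        //
        //  Send the logged information to the user service.
        //

        FslLog(recordList);
    }
    //*/

    return STATUS_SUCCESS;
}

#endif

NTSTATUS
FileLoggerConnect(
    __in PFLT_PORT ClientPort,
    __in PVOID ServerPortCookie,
    __in_bcount(SizeOfContext) PVOID ConnectionContext,
    __in ULONG SizeOfContext,
    __deref_out_opt PVOID *ConnectionCookie
    )
/*++

Routine Description

    This is called when user-mode connects to the server
    port - to establish a connection

Arguments

    ClientPort - This is the pointer to the client port that
        will be used to send messages from the filter.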
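ServerPortCookie - unused
    ConnectionContext - unused
    SizeofContext - unused
    ConnectionCookie - unused

Return Value

    STATUS_SUCCESS - to accept the connection
--*/
{

    PAGED_CODE();

    UNREFERENCED_PARAMETER(ServerPortCookie);
    UNREFERENCED_PARAMETER(ConnectionContext);
    UNREFERENCED_PARAMETER(SizeOfContext);
    UNREFERENCED_PARAMETER(ConnectionCookie);

    // The port was created with MaxConnections == 1, so a second client
    // cannot arrive while this slot is in use.
    ASSERT(FLogData.ClientPort == NULL);
    FLogData.ClientPort = ClientPort;

    // FslHookAllDrives (TRUE);

    return STATUS_SUCCESS;
}


VOID
FileLoggerDisconnect(
    __in_opt PVOID ConnectionCookie
    )
/*++

Routine Description

    This is called when the connection is torn-down.  We use it to close our
    handle to the client port so that a later FileLoggerConnect starts from
    a clean slot.

Arguments

    ConnectionCookie - unused

Return value

    None
--*/
{

    PAGED_CODE();

    UNREFERENCED_PARAMETER(ConnectionCookie);

    // FslHookAllDrives (FALSE);

    //
    //  Close our handle
    //
    if(FLogData.ClientPort != NULL)
        FltCloseClientPort(FLogData.Filter, &FLogData.ClientPort);
}


NTSTATUS
FileLoggerMessage(
    __in PVOID ConnectionCookie,
    __in_bcount_opt(InputBufferSize) PVOID InputBuffer,
    __in ULONG InputBufferSize,
    __out_bcount_part_opt(OutputBufferSize, *ReturnOutputBufferLength) PVOID OutputBuffer,
    __in ULONG OutputBufferSize,
    __out PULONG ReturnOutputBufferLength
    )
/*++

Routine Description:

    This is called whenever a user mode application wishes to communicate
    with this minifilter.  The message is a COMMAND_MESSAGE whose Command
    field selects the operation; the optional payload that follows it is
    only trusted as far as InputBufferSize says it extends.

Arguments:

    ConnectionCookie - unused

    InputBuffer - A buffer containing input data, can be NULL if there
        is no input data.  Raw user-mode address.

    InputBufferSize - The size in bytes of the InputBuffer.

    OutputBuffer - A buffer provided by the application that originated
        the communication in which to store data to be returned to this
        application.  Raw user-mode address.

    OutputBufferSize - The size in bytes of the OutputBuffer.

    ReturnOutputBufferLength - Receives the size in bytes of meaningful data
        returned in the OutputBuffer; 0 on every path that writes nothing.

Return Value:

    Returns the status of processing the message.  A fault while touching
    either user buffer is returned as the exception code.

--*/
{

    FLOG_COMMAND command;
    NTSTATUS status = STATUS_INVALID_PARAMETER;
    BOOLEAN bAttach;
    PWCHAR pathSource;
    ULONG dataOffset;
    ULONG maxPathChars;
    ULONG pathIndex;

    PAGED_CODE();

    UNREFERENCED_PARAMETER(ConnectionCookie);

    //
    //                      **** PLEASE READ ****
    //
    //  The INPUT and OUTPUT buffers are raw user mode addresses.  The filter
    //  manager has already done a ProbedForRead (on InputBuffer) and
    //  ProbedForWrite (on OutputBuffer) which guarantees they are valid
    //  addresses based on the access (user mode vs. kernel mode).  The
    //  minifilter does not need to do their own probe.
    //
    //  The filter manager is NOT doing any alignment checking on the pointers.
    //  The minifilter must do this themselves if they care (see below).
    //
    //  The minifilter MUST continue to use a try/except around any access to
    //  these buffers.
    //

    //
    //  Report a defined output length on every path, including the error
    //  paths that never touch OutputBuffer.
    //
    *ReturnOutputBufferLength = 0;

    //
    //  Byte offset of the variable-length payload that follows the command
    //  code; every payload read below is bounded against InputBufferSize
    //  relative to this.
    //
    dataOffset = (ULONG)FIELD_OFFSET(COMMAND_MESSAGE, Data);

    //DbgPrint("[LogVFileMonDrv.sys]: FslMessage ... ...\n");

    if ((InputBuffer != NULL) &&
        (InputBufferSize >= (FIELD_OFFSET(COMMAND_MESSAGE, Command) + sizeof(FLOG_COMMAND)))) {

        try {
            //
            //  Probe and capture input message: the message is raw user mode
            //  buffer, so need to protect with exception handler
            //
            command = ((PCOMMAND_MESSAGE)InputBuffer)->Command;
        } except(EXCEPTION_EXECUTE_HANDLER) {
            return GetExceptionCode();
        }

        switch (command) {
        case GetFileLog:
            //
            //  Return as many log records as can fit into the OutputBuffer
            //
            if ((OutputBuffer == NULL) || (OutputBufferSize == 0)) {
                status = STATUS_INVALID_PARAMETER;
                break;
            }
            //
            //  We want to validate that the given buffer is POINTER
            //  aligned.  But if this is a 64bit system and we want to
            //  support 32bit applications we need to be careful with how
            //  we do the check.  Note that the way FslGetLog is written
            //  it actually does not care about alignment but we are
            //  demonstrating how to do this type of check.
            //
#if defined(_WIN64)
            if (IoIs32bitProcess(NULL)) {
                //
                //  Validate alignment for the 32bit process on a 64bit
                //  system
                //
                if (!IS_ALIGNED(OutputBuffer, sizeof(ULONG))) {
                    status = STATUS_DATATYPE_MISALIGNMENT;
                    break;
                }
            }
            else {
#endif
                if (!IS_ALIGNED(OutputBuffer, sizeof(PVOID))) {
                    status = STATUS_DATATYPE_MISALIGNMENT;
                    break;
                }
#if defined(_WIN64)
            }
#endif
            //status = GetFileLog(OutputBuffer, OutputBufferSize, ReturnOutputBufferLength);
            //
            //  Log retrieval is not wired up yet; return a defined status
            //  rather than whatever happened to be in 'status'.
            //
            status = STATUS_NOT_IMPLEMENTED;
            break;

        case GetFileLogVersion:
            //
            //  Return version of the FSLog filter driver.  Verify
            //  we have a valid user buffer including valid
            //  alignment
            //
            if ((OutputBufferSize < sizeof(FLOGVER)) ||
                (OutputBuffer == NULL)) {
                status = STATUS_INVALID_PARAMETER;
                break;
            }
            //
            //  Validate Buffer alignment.  If a minifilter cares about
            //  the alignment value of the buffer pointer they must do
            //  this check themselves.  Note that a try/except will not
            //  capture alignment faults.
            //
            if (!IS_ALIGNED(OutputBuffer, sizeof(ULONG))) {
                status = STATUS_DATATYPE_MISALIGNMENT;
                break;
            }
            //
            //  Protect access to raw user-mode output buffer with an
            //  exception handler
            //
            try {
                ((PFLOGVER)OutputBuffer)->Major = FSLOG_MAJ_VERSION;
                ((PFLOGVER)OutputBuffer)->Minor = FSLOG_MIN_VERSION;
            } except(EXCEPTION_EXECUTE_HANDLER) {
                return GetExceptionCode();
            }
            *ReturnOutputBufferLength = sizeof(FLOGVER);
            status = STATUS_SUCCESS;
            break;

        case SetFileLogFilePath:
            //
            //  The payload is a wide string supplied by user mode.  Its
            //  length and termination cannot be trusted, and logfilePath is
            //  a fixed MAX_FILENAME-character kernel buffer, so the copy is
            //  bounded by both the bytes the caller actually supplied and the
            //  destination capacity, and the user-buffer reads stay under
            //  try/except like the other cases.
            //
            if (InputBufferSize <= dataOffset) {
                status = STATUS_INVALID_PARAMETER;
                break;
            }
            maxPathChars = (InputBufferSize - dataOffset) / sizeof(WCHAR);
            if (maxPathChars > (ULONG)(MAX_FILENAME - 1)) {
                maxPathChars = (ULONG)(MAX_FILENAME - 1);
            }
            try {
                pathSource = (PWCHAR)(((PCOMMAND_MESSAGE)InputBuffer)->Data);
                for (pathIndex = 0;
                     pathIndex < maxPathChars && pathSource[pathIndex] != L'\0';
                     pathIndex++) {
                    logfilePath[pathIndex] = pathSource[pathIndex];
                }
            } except(EXCEPTION_EXECUTE_HANDLER) {
                logfilePath[0] = L'\0';
                return GetExceptionCode();
            }
            //
            //  Always terminate: the input may have been truncated above or
            //  may not have carried a terminator at all.
            //
            logfilePath[pathIndex] = L'\0';
            status = STATUS_SUCCESS;
            break;

        case SetFileLogAttach:
            //
            //  The first element of Data selects attach/detach.  Make sure
            //  the caller actually supplied it before reading it under SEH.
            //
            if (InputBufferSize < dataOffset + sizeof(((PCOMMAND_MESSAGE)0)->Data[0])) {
                status = STATUS_INVALID_PARAMETER;
                break;
            }
            try {
                bAttach = (BOOLEAN)(((PCOMMAND_MESSAGE)InputBuffer)->Data[0]);
            } except(EXCEPTION_EXECUTE_HANDLER) {
                return GetExceptionCode();
            }
            //status = FslHookAllDrives(bAttach);
            UNREFERENCED_PARAMETER(bAttach);
            //
            //  Attach toggling is not wired up yet; return a defined status
            //  rather than an uninitialized one.
            //
            status = STATUS_NOT_IMPLEMENTED;
            break;

        default:
            status = STATUS_INVALID_PARAMETER;
            break;
        }

    }
    else {

        status = STATUS_INVALID_PARAMETER;
    }

    return status;
}




--------------------------------------------------------------------------------
/FileLogger/FileLogger.inf:
--------------------------------------------------------------------------------
;;;
;;; FileLogger
;;;
;;;
;;; Copyright (c) 2015 - 2025, LiXiantu
;;;

[Version]
Signature   = "$Windows NT$"
; TODO - Change the Class and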
ClassGuid to match the Load Order Group value, see http://msdn.microsoft.com/en-us/windows/hardware/gg462963 11 | ; Class = "ActivityMonitor" ;This is determined by the work this filter driver does 12 | ; ClassGuid = {b86dff51-a31e-4bac-b3cf-e8cfe75c9fc2} ;This value is determined by the Load Order Group value 13 | Class = "_TODO_Change_Class_appropriately_" 14 | ClassGuid = {_TODO_Change_ClassGuid_appropriately_} 15 | Provider = %ManufacturerName% 16 | DriverVer = 08/12/2015,0.1.0.0 17 | CatalogFile = FileLogger.cat 18 | 19 | [DestinationDirs] 20 | DefaultDestDir = 12 21 | MiniFilter.DriverFiles = 12 ;%windir%\system32\drivers 22 | 23 | ;; 24 | ;; Default install sections 25 | ;; 26 | 27 | [DefaultInstall] 28 | OptionDesc = %ServiceDescription% 29 | CopyFiles = MiniFilter.DriverFiles 30 | 31 | [DefaultInstall.Services] 32 | AddService = %ServiceName%,,MiniFilter.Service 33 | 34 | ;; 35 | ;; Default uninstall sections 36 | ;; 37 | 38 | [DefaultUninstall] 39 | DelFiles = MiniFilter.DriverFiles 40 | 41 | [DefaultUninstall.Services] 42 | DelService = %ServiceName%,0x200 ;Ensure service is stopped before deleting 43 | 44 | ; 45 | ; Services Section 46 | ; 47 | 48 | [MiniFilter.Service] 49 | DisplayName = %ServiceName% 50 | Description = %ServiceDescription% 51 | ServiceBinary = %12%\%DriverName%.sys ;%windir%\system32\drivers\ 52 | Dependencies = "FltMgr" 53 | ServiceType = 2 ;SERVICE_FILE_SYSTEM_DRIVER 54 | StartType = 3 ;SERVICE_DEMAND_START 55 | ErrorControl = 1 ;SERVICE_ERROR_NORMAL 56 | ; TODO - Change the Load Order Group value, see http://connect.microsoft.com/site221/content/content.aspx?ContentID=2512 57 | LoadOrderGroup = "FSFilter Activity Monitor" 58 | ;LoadOrderGroup = "_TODO_Change_LoadOrderGroup_appropriately_" 59 | AddReg = MiniFilter.AddRegistry 60 | 61 | ; 62 | ; Registry Modifications 63 | ; 64 | 65 | [MiniFilter.AddRegistry] 66 | HKR,,"DebugFlags",0x00010001 ,0x0 67 | HKR,,"SupportedFeatures",0x00010001,0x3 68 | 
HKR,"Instances","DefaultInstance",0x00000000,%DefaultInstance% 69 | HKR,"Instances\"%Instance1.Name%,"Altitude",0x00000000,%Instance1.Altitude% 70 | HKR,"Instances\"%Instance1.Name%,"Flags",0x00010001,%Instance1.Flags% 71 | 72 | ; 73 | ; Copy Files 74 | ; 75 | 76 | [MiniFilter.DriverFiles] 77 | %DriverName%.sys 78 | 79 | [SourceDisksFiles] 80 | FileLogger.sys = 1,, 81 | 82 | [SourceDisksNames] 83 | 1 = %DiskId1%,,, 84 | 85 | ;; 86 | ;; String Section 87 | ;; 88 | 89 | [Strings] 90 | ; TODO - Add your manufacturer 91 | ManufacturerName = "Lxt1045" 92 | ServiceDescription = "FileLogger Mini-Filter Driver" 93 | ServiceName = "FileLogger" 94 | DriverName = "FileLogger" 95 | DiskId1 = "FileLogger Device Installation Disk" 96 | 97 | ;Instances specific information. 98 | DefaultInstance = "FileLogger Instance" 99 | Instance1.Name = "FileLogger Instance" 100 | ; TODO - Change the altitude value, see http://connect.microsoft.com/site221/content/content.aspx?ContentID=2512 101 | Instance1.Altitude = "370030" 102 | ;Instance.Altitude = "_TODO_Change_Altitude_appropriately_" 103 | Instance1.Flags = 0x0 ; Allow all attachments 104 | -------------------------------------------------------------------------------- /FileLogger/FileLogger.rc: -------------------------------------------------------------------------------- 1 | #include 2 | 3 | #include 4 | 5 | #define VER_FILETYPE VFT_DRV 6 | #define VER_FILESUBTYPE VFT2_DRV_SYSTEM 7 | #define VER_FILEDESCRIPTION_STR "FileLogger Filter Driver" 8 | #define VER_INTERNALNAME_STR "FileLogger.sys" 9 | 10 | #include "common.ver" 11 | -------------------------------------------------------------------------------- /FileLogger/FileLogger.vcxproj: -------------------------------------------------------------------------------- 1 |  2 | 3 | 4 | 5 | Win8.1 Debug 6 | Win32 7 | 8 | 9 | Win8.1 Release 10 | Win32 11 | 12 | 13 | Win8 Debug 14 | Win32 15 | 16 | 17 | Win8 Release 18 | Win32 19 | 20 | 21 | Win7 Debug 22 | Win32 23 | 24 | 25 | Win7 
Release 26 | Win32 27 | 28 | 29 | Win8.1 Debug 30 | x64 31 | 32 | 33 | Win8.1 Release 34 | x64 35 | 36 | 37 | Win8 Debug 38 | x64 39 | 40 | 41 | Win8 Release 42 | x64 43 | 44 | 45 | Win7 Debug 46 | x64 47 | 48 | 49 | Win7 Release 50 | x64 51 | 52 | 53 | 54 | 55 | 56 | 57 | 58 | 59 | 60 | 61 | 62 | 63 | 64 | 65 | {463F5CF6-1142-483F-BCE6-1ADD297C1C16} 66 | {f2f62967-0815-4fd7-9b86-6eedcac766eb} 67 | v4.5 68 | 11.0 69 | Win8.1 Debug 70 | Win32 71 | FileLogger 72 | 73 | 74 | 75 | WindowsV6.3 76 | true 77 | WindowsKernelModeDriver8.1 78 | Driver 79 | WDM 80 | 81 | 82 | WindowsV6.3 83 | false 84 | WindowsKernelModeDriver8.1 85 | Driver 86 | WDM 87 | 88 | 89 | Windows8 90 | true 91 | WindowsKernelModeDriver8.1 92 | Driver 93 | WDM 94 | 95 | 96 | Windows8 97 | false 98 | WindowsKernelModeDriver8.1 99 | Driver 100 | WDM 101 | 102 | 103 | Windows7 104 | true 105 | WindowsKernelModeDriver8.1 106 | Driver 107 | WDM 108 | 109 | 110 | Windows7 111 | false 112 | WindowsKernelModeDriver8.1 113 | Driver 114 | WDM 115 | 116 | 117 | WindowsV6.3 118 | true 119 | WindowsKernelModeDriver8.1 120 | Driver 121 | WDM 122 | 123 | 124 | WindowsV6.3 125 | false 126 | WindowsKernelModeDriver8.1 127 | Driver 128 | WDM 129 | 130 | 131 | Windows8 132 | true 133 | WindowsKernelModeDriver8.1 134 | Driver 135 | WDM 136 | 137 | 138 | Windows8 139 | false 140 | WindowsKernelModeDriver8.1 141 | Driver 142 | WDM 143 | 144 | 145 | Windows7 146 | true 147 | WindowsKernelModeDriver8.1 148 | Driver 149 | WDM 150 | 151 | 152 | Windows7 153 | false 154 | WindowsKernelModeDriver8.1 155 | Driver 156 | WDM 157 | 158 | 159 | 160 | 161 | 162 | 163 | 164 | 165 | 166 | 167 | DbgengKernelDebugger 168 | 169 | 170 | DbgengKernelDebugger 171 | 172 | 173 | DbgengKernelDebugger 174 | 175 | 176 | DbgengKernelDebugger 177 | 178 | 179 | DbgengKernelDebugger 180 | 181 | 182 | DbgengKernelDebugger 183 | 184 | 185 | DbgengKernelDebugger 186 | 187 | 188 | DbgengKernelDebugger 189 | 190 | 191 | DbgengKernelDebugger 192 | 193 | 
194 | DbgengKernelDebugger 195 | 196 | 197 | DbgengKernelDebugger 198 | 199 | 200 | DbgengKernelDebugger 201 | 202 | 203 | 204 | $(DDK_LIB_PATH)\fltmgr.lib;Ksecdd.lib;%(AdditionalDependencies) 205 | false 206 | 207 | 208 | false 209 | 210 | 211 | 212 | 213 | $(DDK_LIB_PATH)\fltmgr.lib;%(AdditionalDependencies) 214 | 215 | 216 | 217 | 218 | $(DDK_LIB_PATH)\fltmgr.lib;%(AdditionalDependencies) 219 | 220 | 221 | 222 | 223 | $(DDK_LIB_PATH)\fltmgr.lib;%(AdditionalDependencies) 224 | 225 | 226 | 227 | 228 | $(DDK_LIB_PATH)\fltmgr.lib;%(AdditionalDependencies) 229 | false 230 | 231 | 232 | false 233 | 234 | 235 | 236 | 237 | $(DDK_LIB_PATH)\fltmgr.lib;%(AdditionalDependencies) 238 | 239 | 240 | 241 | 242 | $(DDK_LIB_PATH)\fltmgr.lib;%(AdditionalDependencies) 243 | 244 | 245 | 246 | 247 | $(DDK_LIB_PATH)\fltmgr.lib;%(AdditionalDependencies) 248 | 249 | 250 | 251 | 252 | $(DDK_LIB_PATH)\fltmgr.lib;%(AdditionalDependencies) 253 | 254 | 255 | 256 | 257 | $(DDK_LIB_PATH)\fltmgr.lib;%(AdditionalDependencies) 258 | 259 | 260 | 261 | 262 | $(DDK_LIB_PATH)\fltmgr.lib;%(AdditionalDependencies) 263 | false 264 | 265 | 266 | false 267 | 268 | 269 | 270 | 271 | $(DDK_LIB_PATH)\fltmgr.lib;%(AdditionalDependencies) 272 | 273 | 274 | 275 | 276 | 277 | 278 | 279 | 280 | 281 | 282 | 283 | 284 | 285 | 286 | 287 | 288 | 289 | -------------------------------------------------------------------------------- /FileLogger/FileLogger.vcxproj.filters: -------------------------------------------------------------------------------- 1 |  2 | 3 | 4 | 5 | {4FC737F1-C7A5-4376-A066-2A32D752A2FF} 6 | cpp;c;cc;cxx;def;odl;idl;hpj;bat;asm;asmx 7 | 8 | 9 | {93995380-89BD-4b04-88EB-625FBE52EBFB} 10 | h;hpp;hxx;hm;inl;inc;xsd 11 | 12 | 13 | {67DA6AB6-F800-4c08-8B7A-83BB121AAD01} 14 | rc;ico;cur;bmp;dlg;rc2;rct;bin;rgs;gif;jpg;jpeg;jpe;resx;tiff;tif;png;wav;mfcribbon-ms 15 | 16 | 17 | {8E41214B-6785-4CFE-B992-037D68949A14} 18 | inf;inv;inx;mof;mc; 19 | 20 | 21 | 22 | 23 | Driver Files 24 | 25 | 26 | 27 | 28 | 
Source Files 29 | 30 | 31 | Source Files 32 | 33 | 34 | Source Files 35 | 36 | 37 | Source Files 38 | 39 | 40 | Source Files 41 | 42 | 43 | Source Files 44 | 45 | 46 | Source Files 47 | 48 | 49 | 50 | 51 | Resource Files 52 | 53 | 54 | 55 | 56 | Header Files 57 | 58 | 59 | Header Files 60 | 61 | 62 | Header Files 63 | 64 | 65 | Header Files 66 | 67 | 68 | Header Files 69 | 70 | 71 | Header Files 72 | 73 | 74 | -------------------------------------------------------------------------------- /FileLogger/FileLogger.vcxproj.user: -------------------------------------------------------------------------------- 1 |  2 | 3 | 4 | CN="WDKTestCert adtis-lixt,130874721062752063" | 04DE638FAA909F8F04124F01BAA41549A921A024 5 | 6 | -------------------------------------------------------------------------------- /FileLogger/FileLoggerData.c: -------------------------------------------------------------------------------- 1 | #include "FileLoggerData.h" 2 | 3 | 4 | -------------------------------------------------------------------------------- /FileLogger/FileLoggerData.h: -------------------------------------------------------------------------------- 1 | /*++ 2 | 3 | Copyright (c) 1989-2002 Microsoft Corporation 4 | 5 | Module Name: 6 | 7 | FSLogKern.h 8 | 9 | Abstract: 10 | Header file which contains the structures, type definitions, 11 | constants, global variables and function prototypes that are 12 | only visible within the kernel. 

    Environment:

    Kernel mode

--*/
#pragma once
//#ifndef __FLOGDATA_H__
//#define __FLOGDATA_H__

#include 
//#include 
#include 
#include "Container.h"
#include "FileLoggerFilter.h"

// Upper bound (in characters) used for file names in the filter's records.
#define MAX_FILENAME 254
// Always defined here, so the RECORD_SIZE selection below always takes the 2048 branch.
#define USE_ADVLOG_FORMAT 1


#define AllocatePoolTag "FLOG"

//=========================================================================
// Trace-level bits that PT_DBG_PRINT tests against the global gTraceFlags.
#define PTDBG_TRACE_ROUTINES 0x00000001
#define PTDBG_TRACE_OPERATION_STATUS 0x00000002
//ULONG gTraceFlags = PTDBG_TRACE_ROUTINES | PTDBG_TRACE_OPERATION_STATUS;
extern ULONG gTraceFlags;
// Prints only when _dbgLevel and gTraceFlags share a set bit. _string must be a
// parenthesized printf-style argument list, e.g. ("x=%d\n", x), because it is
// pasted directly after DbgPrint.
#define PT_DBG_PRINT( _dbgLevel, _string ) \
    (FlagOn(gTraceFlags,(_dbgLevel)) ? \
    DbgPrint _string : \
    ((int)0))
//=========================================================================

//
// The maximum size of a record that can be passed from the filter
//
#ifdef USE_ADVLOG_FORMAT
#define RECORD_SIZE 2048
#else
#define RECORD_SIZE 512 // not reachable while USE_ADVLOG_FORMAT is defined above
#endif

#define DEFAULT_MAX_RECORDS_TO_ALLOCATE 8000//3000
// Pool tag for this driver's allocations.
#define FL_TAG 'FLTG'
// Name of the communication port that user mode connects to.
#define FLOG_PORT_NAME L"\\FLogPort"

typedef ULONG_PTR FILE_ID;


/*
typedef struct _SYSTEM_PROCESSES
{
    ULONG NextEntryDelta; // byte offset to the next entry in the sequence;
    ULONG ThreadCount; // number of threads;
    ULONG Reserved1[6];
    LARGE_INTEGER CreateTime; // creation time;
    LARGE_INTEGER UserTime;// CPU time spent in user mode (Ring 3);
    LARGE_INTEGER KernelTime; // CPU time spent in kernel mode (Ring 0);
    UNICODE_STRING ProcessName; // process name;
    KPRIORITY BasePriority;// process base priority;
    ULONG ProcessId; // process id;
    ULONG InheritedFromProcessId; // parent process id;
    ULONG HandleCount; // handle count;
    ULONG Reserved2[2];
    VM_COUNTERS VmCounters; // virtual memory counters, see below;
    IO_COUNTERS IoCounters; // I/O counters, see below;
    SYSTEM_THREADS Threads[1]; // array of the process's thread records
}SYSTEM_PROCESSES, *PSYSTEM_PROCESSES;//*/
//
// Private redeclaration of the per-process record returned for
// SystemProcessesAndThreadsInformation. Note that the typedef name is the same
// as the struct tag (_SYSTEM_PROCESSES); the .c files only use the pointer
// alias PSYSTEM_PROCESSES. Records are chained through NextEntryDelta, with 0
// marking the last one. The trailing thread array of the reference layout
// above is deliberately omitted here.
//
typedef struct _SYSTEM_PROCESSES
{
    ULONG NextEntryDelta;
    ULONG ThreadCount;
    ULONG Reserved[6];
    LARGE_INTEGER CreateTime;
    LARGE_INTEGER UserTime;
    LARGE_INTEGER KernelTime;
    UNICODE_STRING ProcessName;
    KPRIORITY BasePriority;
    ULONG ProcessId;
    ULONG InheritedFromProcessId;
    ULONG HandleCount;
    ULONG Reserved2[2];
    VM_COUNTERS VmCounters;
    IO_COUNTERS IoCounters;
} _SYSTEM_PROCESSES, *PSYSTEM_PROCESSES;
//
// Information classes accepted by ZwQuerySystemInformation below. The values
// are positional; the trailing comment on each line records its numeric value.
//
typedef enum _SYSTEM_INFORMATION_CLASS {
    SystemBasicInformation, // 0 Y N
    SystemProcessorInformation, // 1 Y N
    SystemPerformanceInformation, // 2 Y N
    SystemTimeOfDayInformation, // 3 Y N
    SystemNotImplemented1, // 4 Y N
    SystemProcessesAndThreadsInformation, // 5 Y N
    SystemCallCounts, // 6 Y N
    SystemConfigurationInformation, // 7 Y N
    SystemProcessorTimes, // 8 Y N
    SystemGlobalFlag, // 9 Y Y
    SystemNotImplemented2, // 10 Y N
    SystemModuleInformation, // 11 Y N
    SystemLockInformation, // 12 Y N
    SystemNotImplemented3, // 13 Y N
    SystemNotImplemented4, // 14 Y N
    SystemNotImplemented5, // 15 Y N
    SystemHandleInformation, // 16 Y N
    SystemObjectInformation, // 17 Y N
    SystemPagefileInformation, // 18 Y N
    SystemInstructionEmulationCounts, // 19 Y N
    SystemInvalidInfoClass1, // 20
    SystemCacheInformation, // 21 Y Y
    SystemPoolTagInformation, // 22 Y N
    SystemProcessorStatistics, // 23 Y N
    SystemDpcInformation, // 24 Y Y
    SystemNotImplemented6, // 25 Y N
    SystemLoadImage, // 26 N Y
    SystemUnloadImage, // 27 N Y
    SystemTimeAdjustment, // 28 Y Y
    SystemNotImplemented7, // 29 Y N
    SystemNotImplemented8, // 30 Y N
    SystemNotImplemented9, // 31 Y N
    SystemCrashDumpInformation, // 32 Y N
    SystemExceptionInformation, // 33 Y N
    SystemCrashDumpStateInformation, // 34 Y Y/N
    SystemKernelDebuggerInformation, // 35 Y N
    SystemContextSwitchInformation, // 36 Y N
    SystemRegistryQuotaInformation, // 37 Y Y
    SystemLoadAndCallImage, // 38 N Y
    SystemPrioritySeparation, // 39 N Y
    SystemNotImplemented10, // 40 Y N
    SystemNotImplemented11, // 41 Y N
    SystemInvalidInfoClass2, // 42
    SystemInvalidInfoClass3, // 43
    SystemTimeZoneInformation, // 44 Y N
    SystemLookasideInformation, // 45 Y N
    SystemSetTimeSlipEvent, // 46 N Y
    SystemCreateSession, // 47 N Y
    SystemDeleteSession, // 48 N Y
    SystemInvalidInfoClass4, // 49
    SystemRangeStartInformation, // 50 Y N
    SystemVerifierInformation, // 51 Y Y
    SystemAddVerifier, // 52 N Y
    SystemSessionProcessesInformation // 53 Y N
}SYSTEM_INFORMATION_CLASS;

// Local prototypes for the two system routines used by FileLoggerFunction.c
// (presumably not declared by the headers included above - confirm).
NTSYSAPI NTSTATUS
NTAPI ZwQuerySystemInformation(
    IN ULONG SystemInformationClass,
    IN OUT PVOID SystemInformation,
    IN ULONG SystemInformationLength,
    OUT PULONG ReturnLength);
NTSYSAPI NTSTATUS
NTAPI ZwQueryInformationProcess(
    IN HANDLE ProcessHandle, // process handle
    IN PROCESSINFOCLASS InformationClass, // information class
    OUT PVOID ProcessInformation, // buffer pointer
    IN ULONG ProcessInformationLength, // buffer size in bytes
    OUT PULONG ReturnLength OPTIONAL // bytes written to the buffer
    );
// Function-pointer type matching ZwQueryInformationProcess (for dynamic resolution).
typedef NTSTATUS(*QUERY_INFO_PROCESS) (
    __in HANDLE ProcessHandle,
    __in PROCESSINFOCLASS ProcessInformationClass,
    __out_bcount(ProcessInformationLength) PVOID ProcessInformation,
    __in ULONG ProcessInformationLength,
    __out_opt PULONG ReturnLength
    );

//
// Defines the commands between the utility and the filter
//
typedef enum _FLOG_COMMAND {
    GetFileLog,
    GetFileLogVersion,
    SetFileLogFilePath,
    SetFileLogAttach,
} FLOG_COMMAND;

//
// Defines the command structure between the utility and the filter.
// The message handler only validates that the received buffer covers
// Command; Data is an opaque payload whose meaning depends on Command, and
// any reader of Data must bound itself by the received input buffer size,
// not by sizeof(Data).
//
typedef struct _COMMAND_MESSAGE {
    FLOG_COMMAND Command;
    ULONG Reserved; // Alignment on IA64
    UCHAR Data[1100];
} COMMAND_MESSAGE, *PCOMMAND_MESSAGE;

//
// Defines the context structure
//

typedef struct _FLOG_TRANSACTION_CONTEXT {

    ULONG Count;

}FLOG_TRANSACTION_CONTEXT, *PFLOG_TRANSACTION_CONTEXT;

//
// Version definition (reported to user mode by the GetFileLogVersion command)
//
#define FSLOG_MAJ_VERSION 0
#define FSLOG_MIN_VERSION 1
typedef struct _FLOGVER {
    USHORT Major;
    USHORT Minor;
} FLOGVER, *PFLOGVER;


//---------------------------------------------------------------------------
// Global variables
//---------------------------------------------------------------------------
//
// Per-driver state block; one instance is expected to live for the
// lifetime of the driver.
//

typedef struct _FLOG_DATA {

    //
    // The object that identifies this driver.
    //

    PDRIVER_OBJECT DriverObject;

    //
    // The filter that results from a call to
    // FltRegisterFilter.
    //

    PFLT_FILTER Filter;

    //
    // Server port: user mode connects to this port
    //

    PFLT_PORT ServerPort;

    //
    // Client connection port: only one connection is allowed at a time.,
    //

    PFLT_PORT ClientPort;

    //
    // List of buffers with data to send to user mode.
    //

    KSPIN_LOCK OutputBufferLock;
    LIST_ENTRY OutputBufferList;

    //
    // Lookaside list used for allocating buffers.
    //

    NPAGED_LOOKASIDE_LIST FreeBufferList;

    //
    // Variables used to throttle how many records buffer we can use
    //

    LONG MaxRecordsToAllocate;
    __volatile LONG RecordsAllocated;

    //
    // static buffer used for sending an "out-of-memory" message
    // to user mode. (The buffer itself, OutOfMemoryBuffer, is currently
    // commented out below, so this flag has no backing storage.)
    //

    __volatile ULONG StaticBufferInUse;

    //
    // We need to make sure this buffer aligns on a PVOID boundary because
    // FSLog casts this buffer to a RECORD_LIST structure.
    // That can cause alignment faults unless the structure starts on the
    // proper PVOID boundary
    //

    //PVOID OutOfMemoryBuffer[RECORD_SIZE / sizeof(PVOID)];// spare buffer, not needed for now

    //
    // Variable and lock for maintaining LogRecord sequence numbers.
    //

    __volatile ULONG LogSequenceNumber;

    //
    // The name query method to use. By default, it is set to
    // FLT_FILE_NAME_QUERY_ALWAYS_ALLOW_CACHE_LOOKUP, but it can be overridden
    // by a setting in the registry.
    //

    ULONG NameQueryMethod;

    //
    // Global debug flags
    //

    ULONG DebugFlags;

#if FLT_MGR_LONGHORN

    //
    // Dynamically imported Filter Mgr APIs
    //

    NTSTATUS
    (*PFltSetTransactionContext)(
        __in PFLT_INSTANCE Instance,
        __in PKTRANSACTION Transaction,
        __in FLT_SET_CONTEXT_OPERATION Operation,
        __in PFLT_CONTEXT NewContext,
        __deref_opt_out PFLT_CONTEXT *OldContext
        );

    NTSTATUS
    (*PFltGetTransactionContext)(
        __in PFLT_INSTANCE Instance,
        __in PKTRANSACTION Transaction,
        __deref_out PFLT_CONTEXT *Context
        );

    NTSTATUS
    (*PFltEnlistInTransaction)(
        __in PFLT_INSTANCE Instance,
        __in PKTRANSACTION Transaction,
        __in PFLT_CONTEXT TransactionContext,
        __in NOTIFICATION_MASK NotificationMask
        );

#endif

} FLOG_DATA, *PFLOG_DATA;


--------------------------------------------------------------------------------
/FileLogger/FileLoggerFilter.c:
--------------------------------------------------------------------------------
#include "FileLoggerFilter.h"
#include "StringHashMap.h"
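#include "Container.h"
#include "FileLoggerData.h"
#include "HashFunction.h"

#define FILTER_KEY_NAME L"\\Registry\\Machine\\SOFTWARE\\CHIERU\\FileMon"


/*++

Routine Description:

    Reads the REG_SZ value "IgnoreProcess" under FILTER_KEY_NAME and hands
    its contents to StringHashInit. Must be called at PASSIVE_LEVEL.

    Compared with the first version of this routine: the key is opened with
    KEY_QUERY_VALUE instead of KEY_ALL_ACCESS (it only reads), a failed
    ZwOpenKey no longer continues with an uninitialized handle, the pool
    allocation is NULL-checked and freed on every path, the value data is
    guaranteed NUL-terminated before it is used as a string, and the routine
    always returns an NTSTATUS. The commented-out REG_DWORD probe that used
    to sit in the middle of this function was dead code and was dropped.

Arguments:

    pStrKeyName - unused (the only caller passes NULL).
    pStrValul   - unused (the only caller passes NULL).

Return Value:

    STATUS_SUCCESS when the value was read;
    STATUS_OBJECT_NAME_NOT_FOUND when the value is absent or empty;
    STATUS_INSUFFICIENT_RESOURCES when the pool allocation fails;
    otherwise the failing NTSTATUS from ZwOpenKey / ZwQueryValueKey.

--*/
NTSTATUS QueryRegTest(PUNICODE_STRING pStrKeyName, PUNICODE_STRING pStrValul)
{
    UNICODE_STRING RegUnicodeString;
    UNICODE_STRING ValueName;
    OBJECT_ATTRIBUTES objectAttributes;
    HANDLE hRegister = NULL;
    NTSTATUS ntStatus;
    ULONG ulSize = 0;
    ULONG allocSize;
    PKEY_VALUE_PARTIAL_INFORMATION pvpi = NULL;

    UNREFERENCED_PARAMETER(pStrKeyName);
    UNREFERENCED_PARAMETER(pStrValul);

    RtlInitUnicodeString(&RegUnicodeString, FILTER_KEY_NAME);

    //
    // OBJ_KERNEL_HANDLE keeps the key handle out of the handle table of
    // whatever user-mode process happens to be current.
    //
    InitializeObjectAttributes(&objectAttributes,
                               &RegUnicodeString,
                               OBJ_CASE_INSENSITIVE | OBJ_KERNEL_HANDLE,
                               NULL,
                               NULL);

    //
    // Least privilege: this routine only queries one value, so it does not
    // need KEY_ALL_ACCESS.
    //
    ntStatus = ZwOpenKey(&hRegister, KEY_QUERY_VALUE, &objectAttributes);
    if (!NT_SUCCESS(ntStatus))
    {
        PT_DBG_PRINT(PTDBG_TRACE_ROUTINES, ("Open register failed:%08X\n", ntStatus));
        return ntStatus;
    }
    PT_DBG_PRINT(PTDBG_TRACE_ROUTINES, ("Open register successfully\n"));

    RtlInitUnicodeString(&ValueName, L"IgnoreProcess");

    //
    // Size probe: with a NULL buffer the expected result is
    // STATUS_BUFFER_TOO_SMALL (or STATUS_BUFFER_OVERFLOW) with ulSize set
    // to the number of bytes needed for the partial-information record.
    //
    ntStatus = ZwQueryValueKey(hRegister,
                               &ValueName,
                               KeyValuePartialInformation,
                               NULL,
                               0,
                               &ulSize);

    if (ntStatus == STATUS_OBJECT_NAME_NOT_FOUND || ulSize == 0)
    {
        ZwClose(hRegister);
        PT_DBG_PRINT(PTDBG_TRACE_ROUTINES, ("The item is not exist:%d\n", ulSize));
        return STATUS_OBJECT_NAME_NOT_FOUND;
    }
    if (ntStatus != STATUS_BUFFER_TOO_SMALL &&
        ntStatus != STATUS_BUFFER_OVERFLOW &&
        !NT_SUCCESS(ntStatus))
    {
        // Any other failure (e.g. access denied) leaves ulSize meaningless.
        ZwClose(hRegister);
        PT_DBG_PRINT(PTDBG_TRACE_ROUTINES, ("Read regsiter error\n"));
        return ntStatus;
    }
    if (ulSize > MAXULONG - sizeof(WCHAR))
    {
        ZwClose(hRegister);
        return STATUS_INTEGER_OVERFLOW;
    }

    //
    // Over-allocate by one zeroed WCHAR so that pvpi->Data is always
    // NUL-terminated: the registry does not guarantee that a REG_SZ value
    // carries its terminator, and the data is consumed as a C string below.
    //
    allocSize = ulSize + sizeof(WCHAR);
    pvpi = (PKEY_VALUE_PARTIAL_INFORMATION)ExAllocatePoolWithTag(PagedPool, allocSize, FL_TAG);
    if (pvpi == NULL)
    {
        ZwClose(hRegister);
        PT_DBG_PRINT(PTDBG_TRACE_ROUTINES, ("ExAllocatePoolWithTag failed, size:%d\n", allocSize));
        return STATUS_INSUFFICIENT_RESOURCES;
    }
    RtlZeroMemory(pvpi, allocSize);

    ntStatus = ZwQueryValueKey(hRegister,
                               &ValueName,
                               KeyValuePartialInformation,
                               pvpi,
                               ulSize,
                               &ulSize);
    if (!NT_SUCCESS(ntStatus))
    {
        ExFreePool(pvpi);   // was leaked on this path before
        ZwClose(hRegister);
        PT_DBG_PRINT(PTDBG_TRACE_ROUTINES, ("Read regsiter error\n"));
        return ntStatus;
    }

    if (pvpi->Type == REG_SZ)
    {
        PT_DBG_PRINT(PTDBG_TRACE_ROUTINES, ("The value : %S\n", pvpi->Data));

        //
        // NOTE(review): InitHashMap is a local that goes out of scope right
        // after this call, exactly as before; confirm whether StringHashInit
        // allocates anything that the caller is expected to keep or release.
        //
        STRING_HASH_MAP InitHashMap;
        StringHashInit(&InitHashMap, pvpi->Data, 0, 4);
    }
    else
    {
        PT_DBG_PRINT(PTDBG_TRACE_ROUTINES, ("The value is not REG_SZ, type:%d\n", pvpi->Type));
    }

    ExFreePool(pvpi);
    ZwClose(hRegister);

    return ntStatus;
}

/*++

Routine Description:

    Loads the filter rules from the registry. A failure of QueryRegTest is
    logged but, as before, does not fail initialisation.

Return Value:

    STATUS_SUCCESS (the previous version returned the raw value 1, which
    NT_SUCCESS also accepts).

--*/
NTSTATUS InitFilterRules()
{
    NTSTATUS status = QueryRegTest(NULL, NULL);
    if (!NT_SUCCESS(status))
    {
        PT_DBG_PRINT(PTDBG_TRACE_ROUTINES, ("InitFilterRules: QueryRegTest failed:%08X\n", status));
    }
    return STATUS_SUCCESS;
}


//strlwr(); strupr
--------------------------------------------------------------------------------
/FileLogger/FileLoggerFilter.h:
--------------------------------------------------------------------------------
#pragma once
#include 


NTSTATUS InitFilterRules();
NTSTATUS FreeFilterRules();
NTSTATUS ResetFilterRules();
BOOLEAN FilterFLogger(PWCHAR wszProcessName, PWCHAR wszSourcePath, PWCHAR wszTargetPath, PWCHAR wszUserName);
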
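--------------------------------------------------------------------------------
/FileLogger/FileLoggerFunction.c:
--------------------------------------------------------------------------------
#include "FileLoggerFunction.h"
#include "FileLoggerData.h"
//#include 


extern HASH_MAP g_hashMap;

/*++

Routine Description:

    Takes a snapshot of the running processes
    (SystemProcessesAndThreadsInformation), resolves the user name of every
    non-idle process with GetUserName, and records (pid, image name, user)
    in g_hashMap through hashInsert. Must run at PASSIVE_LEVEL: GetUserName
    is paged code.

    Fixes relative to the first version: the snapshot buffer is released
    when ZwQuerySystemInformation fails (it used to leak), each record is
    checked to lie inside the snapshot before it is read, and the user-name
    string is reset per process so a failed lookup cannot carry the previous
    process's name into the next entry. The fixed 1 MiB snapshot size is
    kept; there is still no retry on STATUS_INFO_LENGTH_MISMATCH.

Arguments:

    None.

Return Value:

    None. Failures are reported through DbgPrint only.

--*/
void EnumProcessInfo()
{
    NTSTATUS status;
    ULONG size = 0x100000;
    PVOID Buffer = NULL;
    PSYSTEM_PROCESSES SystemInformation = NULL;
    PUCHAR bufferEnd;

    UNICODE_STRING strUser;
    WCHAR strBuffer1[260];

    strUser.Buffer = strBuffer1;
    strUser.Length = 0;
    strUser.MaximumLength = sizeof(strBuffer1);

    //
    // This runs at PASSIVE_LEVEL (see GetUserName), so the 1 MiB snapshot
    // does not have to be carved out of non-paged pool.
    //
    Buffer = ExAllocatePoolWithTag(PagedPool, size, 'tag1');
    if (Buffer == NULL)
    {
        DbgPrint("ExAllocatePool fail");
        return;
    }
    status = ZwQuerySystemInformation(SystemProcessesAndThreadsInformation, Buffer, size, NULL);

    if (!NT_SUCCESS(status))
    {
        DbgPrint("ZwQuerySystemInformation fail");
        ExFreePool(Buffer);
        return;
    }

    SystemInformation = (PSYSTEM_PROCESSES)Buffer;
    bufferEnd = (PUCHAR)Buffer + size;
    for (;;)
    {
        // Never read a record header that does not fit inside the snapshot.
        if ((PUCHAR)SystemInformation + sizeof(*SystemInformation) > bufferEnd)
        {
            DbgPrint("EnumProcessInfo: process record exceeds snapshot buffer\n");
            break;
        }

        if (SystemInformation->ProcessId == 0)
        {
            KdPrint(("PID:%d system Idle Process\n", SystemInformation->ProcessId));
            //GetUserName(SystemInformation->ProcessId, NULL);// the idle process has no user name
        }
        else
        {
            // Start from an empty string so a failed lookup yields "" rather
            // than the user name left over from the previous process.
            strUser.Length = 0;
            GetUserName(SystemInformation->ProcessId, &strUser);
            hashInsert(&g_hashMap, SystemInformation->ProcessId, &SystemInformation->ProcessName, &strUser);
        }

        // NextEntryDelta == 0 marks the last record of the snapshot.
        if (SystemInformation->NextEntryDelta == 0)
        {
            break;
        }
        SystemInformation = (PSYSTEM_PROCESSES)(((PUCHAR)SystemInformation) + SystemInformation->NextEntryDelta);
    }

    ExFreePool(Buffer);
}

/*
typedef struct _EX_CALLBACK_ROUTINE_BLOCK
{
EX_RUNDOWN_REF RundownProtect;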
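PEX_CALLBACK_FUNCTION Function;
PVOID Context;
} EX_CALLBACK_ROUTINE_BLOCK, *PEX_CALLBACK_ROUTINE_BLOCK;//*/
/*++

Routine Description:

    Process create/exit notification callback (PsSetCreateProcessNotifyRoutine
    signature). On creation it resolves the image name and user of the new
    process through GetProcessInfo and records them in g_hashMap; on exit it
    removes the entry again.

    The previous version returned NTSTATUS values from this VOID routine;
    those returns were removed, as was the unused local status variable.

Arguments:

    ParentId  - parent process id (unused).
    ProcessId - id of the process being created or torn down.
    Create    - TRUE on creation, FALSE on exit.

Return Value:

    None.

--*/
VOID CreateProcessNotifyRoutine(IN HANDLE ParentId, IN HANDLE ProcessId, IN BOOLEAN Create)
{
    WCHAR strBuffer1[260];
    WCHAR strBuffer2[260];
    UNICODE_STRING strName, strUser;

    UNREFERENCED_PARAMETER(ParentId);

    PAGED_CODE(); // asserts the caller is at an IRQL low enough to touch paged memory

    strName.Buffer = strBuffer1;
    strName.Length = 0;
    strName.MaximumLength = sizeof(strBuffer1);

    strUser.Buffer = strBuffer2;
    strUser.Length = 0;
    strUser.MaximumLength = sizeof(strBuffer2);

    if (Create)
    {
        // PASSIVE_LEVEL is 0, so "== PASSIVE_LEVEL" is the same test as the
        // original "<= PASSIVE_LEVEL".
        if (KeGetCurrentIrql() == PASSIVE_LEVEL)
        {
            GetProcessInfo(ProcessId, &strName, &strUser);
            hashInsert(&g_hashMap, ProcessId, &strName, &strUser);
        }
        else
        {
            DbgPrint("CreateProcessNotifyRoutine: KeGetCurrentIrql() > PASSIVE_LEVEL\n");
        }
    }
    else
    {
        hashRemove(&g_hashMap, ProcessId);
    }
}

/*++

Routine Description:

    Copies the NT image path of process dwProcessId (ProcessImageFileName
    information class) into the caller's ProcessImagePath.

    Fixes relative to the first version: the EPROCESS reference taken by
    PsLookupProcessByProcessId is dropped (it used to leak on every call),
    the process handle is closed on every exit path (it leaked on the three
    early returns), ProcessImagePath is validated before it is dereferenced,
    and the returned length is checked before subtracting the header size.
    The commented-out MmGetSystemRoutineAddress experiment was dropped.

Arguments:

    dwProcessId      - process id to look up.
    ProcessImagePath - caller-supplied UNICODE_STRING with a valid Buffer and
                       MaximumLength; receives the path on success.

Return Value:

    STATUS_SUCCESS on success;
    STATUS_INVALID_PARAMETER when ProcessImagePath is NULL;
    STATUS_BUFFER_OVERFLOW when the caller's buffer is too small (Length is
    then set to the number of bytes required);
    STATUS_INSUFFICIENT_RESOURCES when the scratch allocation fails;
    otherwise the failing NTSTATUS from the lookup, open or query.

--*/
NTSTATUS GetProcessImagePath(IN ULONG dwProcessId, OUT PUNICODE_STRING ProcessImagePath)
{
    NTSTATUS Status;
    HANDLE hProcess = NULL;
    PEPROCESS pEprocess = NULL;
    ULONG returnedLength = 0;
    ULONG bufferLength;
    PVOID buffer = NULL;
    PUNICODE_STRING imageName;

    PAGED_CODE(); // this eliminates the possibility of the IDLE Thread/Process

    //
    // The first version dereferenced ProcessImagePath before its NULL check,
    // so the NULL case could never reach the "print only" branch; reject it.
    //
    if (ProcessImagePath == NULL) {
        return STATUS_INVALID_PARAMETER;
    }

    Status = PsLookupProcessByProcessId((HANDLE)dwProcessId, &pEprocess);
    if (!NT_SUCCESS(Status))
        return Status;

    Status = ObOpenObjectByPointer(pEprocess,           // Object
                                   OBJ_KERNEL_HANDLE,   // HandleAttributes
                                   NULL,                // PassedAccessState OPTIONAL
                                   GENERIC_READ,        // DesiredAccess
                                   *PsProcessType,      // ObjectType
                                   KernelMode,          // AccessMode
                                   &hProcess);
    //
    // PsLookupProcessByProcessId returned a referenced EPROCESS. A handle,
    // if one was created, holds its own reference, so ours is dropped here
    // whether or not the open succeeded.
    //
    ObDereferenceObject(pEprocess);
    if (!NT_SUCCESS(Status))
        return Status;

    //
    // Step one - get the size we need
    //
    Status = ZwQueryInformationProcess(hProcess,
                                       ProcessImageFileName,
                                       NULL,   // buffer
                                       0,      // buffer size
                                       &returnedLength);
    if (STATUS_INFO_LENGTH_MISMATCH != Status) {
        goto Cleanup;
    }

    //
    // The result is a UNICODE_STRING header followed by the characters, so
    // returnedLength must at least cover the header.
    //
    if (returnedLength < sizeof(UNICODE_STRING)) {
        Status = STATUS_INFO_LENGTH_MISMATCH;
        goto Cleanup;
    }
    bufferLength = returnedLength - sizeof(UNICODE_STRING);
    if (ProcessImagePath->MaximumLength < bufferLength) {
        // Report the required size the same way the first version did.
        ProcessImagePath->Length = (USHORT)bufferLength;
        Status = STATUS_BUFFER_OVERFLOW;
        goto Cleanup;
    }

    //
    // If we get here, the buffer IS going to be big enough for us, so
    // let's allocate some storage.
    //
    buffer = ExAllocatePoolWithTag(PagedPool, returnedLength, 'ipgD');
    if (NULL == buffer) {
        Status = STATUS_INSUFFICIENT_RESOURCES;
        goto Cleanup;
    }

    //
    // Now lets go get the data
    //
    Status = ZwQueryInformationProcess(hProcess,
                                       ProcessImageFileName,
                                       buffer,
                                       returnedLength,
                                       &returnedLength);
    if (NT_SUCCESS(Status)) {
        imageName = (PUNICODE_STRING)buffer;
        RtlCopyUnicodeString(ProcessImagePath, imageName);
    }

Cleanup:
    if (buffer != NULL) {
        ExFreePool(buffer);
    }
    ZwClose(hProcess);

    //
    // And tell the caller what happened.
    //
    return Status;
}

NTSTATUS GetUserName(IN ULONG dwProcessId, OUT PUNICODE_STRING ProcessUserName)
{
    NTSTATUS status = STATUS_SUCCESS;
    HANDLE hProcess;
    PEPROCESS pEprocess;
    HANDLE TokenHandle;
    ULONG ReturnLength;
    ULONG size;
    PTOKEN_USER TokenInformation;
    //WCHAR SidStringBuffer[260];
    //WCHAR SidStringBuffer2[260];

    PAGED_CODE(); // this eliminates the possibility of the IDLE Thread/Process

    status = PsLookupProcessByProcessId((HANDLE)dwProcessId, &pEprocess);
    if (!NT_SUCCESS(status))
        return status;

    status = ObOpenObjectByPointer(pEprocess, // Object
                                   OBJ_KERNEL_HANDLE, // HandleAttributes
                                   NULL, // PassedAccessState OPTIONAL
                                   GENERIC_READ, // DesiredAccess
                                   *PsProcessType, // ObjectType
                                   KernelMode, // AccessMode
                                   &hProcess);
    if (!NT_SUCCESS(status))
        return status;//

    status = ZwOpenProcessTokenEx(hProcess, TOKEN_READ, OBJ_KERNEL_HANDLE,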
&TokenHandle);//NtCurrentProcess(), 257 | if (!NT_SUCCESS(status)) { 258 | return status; 259 | } 260 | 261 | // 获取Sid 262 | { 263 | status = ZwQueryInformationToken(TokenHandle, TokenUser, NULL, 0, &ReturnLength); 264 | if (STATUS_BUFFER_TOO_SMALL != status) 265 | { 266 | KdPrint(("QueryLogonSID::ZwQueryInformationToken #1 failed: %08X\n", status)); 267 | return status; 268 | } 269 | 270 | TokenInformation = (TOKEN_GROUPS *)ExAllocatePool(NonPagedPool, ReturnLength); 271 | if (NULL == TokenInformation) 272 | { 273 | status = STATUS_INSUFFICIENT_RESOURCES; 274 | KdPrint(("QueryLogonSID::ExAllocatePool failed: %08X\n", status)); 275 | //ExFreePool(tokenGroups); 276 | return status; 277 | } 278 | 279 | status = ZwQueryInformationToken(TokenHandle, TokenUser, TokenInformation, ReturnLength, &ReturnLength); 280 | if (!NT_SUCCESS(status)) 281 | { 282 | KdPrint(("QueryLogonSID::ZwQueryInformationToken #2 failed: %08X\n", status)); 283 | return status; 284 | } 285 | } 286 | //由Sid得到用户名 287 | { 288 | UNICODE_STRING UstrName; 289 | UNICODE_STRING UstrDomain; 290 | ULONG dwAcctName = 1, dwDomainName = 1; 291 | SID_NAME_USE eUse = SidTypeUnknown; 292 | PSID Sid = ((PTOKEN_USER)TokenInformation)->User.Sid; 293 | 294 | //RtlZeroMemory(&UstrName, sizeof(UNICODE_STRING)); 295 | //RtlZeroMemory(&UstrDomain, sizeof(UNICODE_STRING));//*/ 296 | status = SecLookupAccountSid(Sid, &dwAcctName, NULL, &dwDomainName, NULL, &eUse); 297 | if (status == STATUS_BUFFER_TOO_SMALL) 298 | { 299 | //* 300 | UstrName.MaximumLength = dwAcctName + 2; /// for the L'\0' 301 | UstrName.Length = 0; 302 | UstrName.Buffer = ExAllocatePoolWithTag(PagedPool, UstrName.MaximumLength, 'tap1'); 303 | //RtlZeroMemory(UstrName.Buffer, UstrName.MaximumLength*sizeof(WCHAR)); 304 | 305 | UstrDomain.MaximumLength = dwDomainName + 2; /// for the '\0' 306 | UstrDomain.Length = 0; 307 | UstrDomain.Buffer = ExAllocatePoolWithTag(PagedPool, UstrDomain.MaximumLength, 'tap1');//*/ 308 | 309 | //RtlZeroMemory(SidStringBuffer, 
sizeof(SidStringBuffer)); 310 | //UstrName.Buffer = (PWCHAR)SidStringBuffer; 311 | //UstrName.MaximumLength = 259;// sizeof(SidStringBuffer); 312 | //UstrDomain.Length = 0; 313 | // 314 | //RtlZeroMemory(SidStringBuffer2, sizeof(SidStringBuffer2)); 315 | //UstrDomain.Buffer = (PWCHAR)SidStringBuffer2; 316 | //UstrDomain.MaximumLength = 259;//sizeof(SidStringBuffer2); 317 | //UstrDomain.Length = 0; 318 | 319 | //if (dwAccName>0 && dwAccName < MAX_PATH && dwDomainName>0 && dwDomainName <= MAX_PATH) 320 | if (UstrName.Buffer != NULL && UstrDomain.Buffer != NULL) 321 | { 322 | status = SecLookupAccountSid(Sid, &dwAcctName, &UstrName, &dwDomainName, &UstrDomain, &eUse); 323 | 324 | if (status == STATUS_BUFFER_TOO_SMALL) 325 | { 326 | DbgPrint("SecLookupAccountSid:Memery Too Small!\n"); 327 | } 328 | else if (NT_SUCCESS(status)) 329 | { 330 | /*DbgPrint("SecLookupAccountSid: %wZ\n", &UstrName); 331 | DbgPrint("SecLookupAccountSid: %wZ\n", &UstrDomain);*/ 332 | if (ProcessUserName != NULL) 333 | RtlCopyUnicodeString(ProcessUserName, &UstrName); 334 | else 335 | DbgPrint("SecLookupAccountSid: %wZ\n", &UstrName); 336 | } 337 | else 338 | { 339 | DbgPrint("SecLookupAccountSid,errorCode: %ud\n", status); 340 | } 341 | ExFreePool(UstrName.Buffer); 342 | ExFreePool(UstrDomain.Buffer); 343 | } 344 | else 345 | { 346 | ExFreePool(TokenInformation); 347 | return status; 348 | } 349 | } 350 | else 351 | { 352 | ExFreePool(TokenInformation); 353 | return status; 354 | } 355 | } 356 | 357 | ZwClose(TokenHandle); 358 | 359 | /* 360 | { 361 | UNICODE_STRING SidString; 362 | WCHAR SidStringBuffer[260]; 363 | RtlZeroMemory(SidStringBuffer, sizeof(SidStringBuffer)); 364 | SidString.Buffer = (PWCHAR)SidStringBuffer; 365 | SidString.MaximumLength = sizeof(SidStringBuffer); 366 | 367 | status = RtlConvertSidToUnicodeString(&SidString, ((PTOKEN_USER)TokenInformation)->User.Sid, FALSE); 368 | DbgPrint("sudamis PC Name: %wZ\n", &SidString); 369 | }//*/ 370 | 371 | ExFreePool(TokenInformation); 
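/* ... end of the preceding function (its body starts above this point) ... */
    return STATUS_SUCCESS;

    //ERROR_CLEANUP:
    //	if (TokenInformation != NULL)
    //		ExFreePool(TokenInformation);
    //	return status;
}

/*
 * GetProcessInfo - resolve a process id to its image base name and to the
 * account name of the process's primary token.
 *
 * dwProcessId      process id to look up.
 * ProcessName      receives the image file name without its directory part
 *                  (RtlCopyUnicodeString, so it is truncated to the caller's
 *                  MaximumLength); may be NULL, in which case the name is only
 *                  traced with DbgPrint.
 * ProcessUserName  receives the account name SecLookupAccountSid returns for
 *                  the token's user SID; may be NULL (traced instead).
 *
 * Returns STATUS_SUCCESS when both lookups succeeded, otherwise the NTSTATUS of
 * the step that failed. The domain name is looked up but not handed back.
 *
 * Every acquired resource (EPROCESS reference, process handle, token handle,
 * pool buffers) is released on one cleanup path. The previous version returned
 * from the middle of the function and leaked the EPROCESS reference on every
 * path and the handles/buffers on most error paths.
 */
NTSTATUS GetProcessInfo(IN ULONG dwProcessId, OUT PUNICODE_STRING ProcessName, OUT PUNICODE_STRING ProcessUserName)
{
    NTSTATUS status;
    PEPROCESS pEprocess = NULL;
    HANDLE hProcess = NULL;
    HANDLE TokenHandle = NULL;
    PVOID buffer = NULL;                  // UNICODE_STRING + characters from ProcessImageFileName
    PTOKEN_USER TokenInformation = NULL;
    UNICODE_STRING UstrName = { 0, 0, NULL };
    UNICODE_STRING UstrDomain = { 0, 0, NULL };
    ULONG returnedLength = 0;

    PAGED_CODE(); // paged pool is allocated below, so this must run at or below APC_LEVEL

    // PsLookupProcessByProcessId returns a referenced EPROCESS; the reference is dropped in Cleanup.
    status = PsLookupProcessByProcessId((HANDLE)(ULONG_PTR)dwProcessId, &pEprocess);
    if (!NT_SUCCESS(status))
        return status; // nothing acquired yet

    status = ObOpenObjectByPointer(pEprocess,         // Object
                                   OBJ_KERNEL_HANDLE, // HandleAttributes
                                   NULL,              // PassedAccessState OPTIONAL
                                   GENERIC_READ,      // DesiredAccess
                                   *PsProcessType,    // ObjectType
                                   KernelMode,        // AccessMode
                                   &hProcess);
    if (!NT_SUCCESS(status))
        goto Cleanup;

    //
    // Image file name: probe for the size, allocate, query.
    //
    status = ZwQueryInformationProcess(hProcess,
                                       ProcessImageFileName,
                                       NULL,           // buffer
                                       0,              // buffer size
                                       &returnedLength);
    if (STATUS_INFO_LENGTH_MISMATCH != status)
        goto Cleanup;

    buffer = ExAllocatePoolWithTag(PagedPool, returnedLength, 'ipgD');
    if (NULL == buffer)
    {
        status = STATUS_INSUFFICIENT_RESOURCES;
        goto Cleanup;
    }

    status = ZwQueryInformationProcess(hProcess,
                                       ProcessImageFileName,
                                       buffer,
                                       returnedLength,
                                       &returnedLength);
    if (!NT_SUCCESS(status))
        goto Cleanup;

    {
        PUNICODE_STRING imageName = (PUNICODE_STRING)buffer;
        UNICODE_STRING baseName = *imageName;
        USHORT chars = (USHORT)(imageName->Length / sizeof(WCHAR));
        USHORT k = chars;

        // Locate the last L'\\' by walking Length rather than with wcsrchr:
        // a UNICODE_STRING buffer is not guaranteed to be NUL-terminated.
        while (k > 0 && imageName->Buffer[k - 1] != L'\\')
            --k;
        if (k > 0)
        {
            // Keep everything after the backslash. The old code subtracted
            // (Buffer - lpTemp - 1) -- a negative count -- which *grew* Length
            // and let RtlCopyUnicodeString read past the end of the name.
            baseName.Buffer = imageName->Buffer + k;
            baseName.Length = (USHORT)((chars - k) * sizeof(WCHAR));
            baseName.MaximumLength = baseName.Length;
        }

        if (ProcessName != NULL)
            RtlCopyUnicodeString(ProcessName, &baseName);
        else
            DbgPrint("GetProcessImagePath,2:%wZ\n", &baseName); // previously printed the NULL ProcessName
    }

    //
    // Primary token -> user SID -> account name.
    //
    status = ZwOpenProcessTokenEx(hProcess, TOKEN_READ, OBJ_KERNEL_HANDLE, &TokenHandle);
    if (!NT_SUCCESS(status))
        goto Cleanup;

    status = ZwQueryInformationToken(TokenHandle, TokenUser, NULL, 0, &returnedLength);
    if (STATUS_BUFFER_TOO_SMALL != status)
    {
        KdPrint(("QueryLogonSID::ZwQueryInformationToken #1 failed: %08X\n", status));
        goto Cleanup;
    }

    // The TokenUser data is only read here, at or below APC_LEVEL, so paged pool
    // suffices (the old code used untagged NonPagedPool and cast to TOKEN_GROUPS *).
    TokenInformation = (PTOKEN_USER)ExAllocatePoolWithTag(PagedPool, returnedLength, 'tap1');
    if (NULL == TokenInformation)
    {
        status = STATUS_INSUFFICIENT_RESOURCES;
        KdPrint(("QueryLogonSID::ExAllocatePool failed: %08X\n", status));
        goto Cleanup;
    }

    status = ZwQueryInformationToken(TokenHandle, TokenUser, TokenInformation, returnedLength, &returnedLength);
    if (!NT_SUCCESS(status))
    {
        KdPrint(("QueryLogonSID::ZwQueryInformationToken #2 failed: %08X\n", status));
        goto Cleanup;
    }

    {
        ULONG dwAcctName = 1, dwDomainName = 1;
        SID_NAME_USE eUse = SidTypeUnknown;
        PSID Sid = TokenInformation->User.Sid;

        // First call only sizes the buffers; STATUS_BUFFER_TOO_SMALL is the expected result.
        status = SecLookupAccountSid(Sid, &dwAcctName, NULL, &dwDomainName, NULL, &eUse);
        if (status != STATUS_BUFFER_TOO_SMALL)
            goto Cleanup;

        // MaximumLength is a USHORT; refuse sizes that the old implicit narrowing would have truncated.
        if (dwAcctName + sizeof(WCHAR) > MAXUSHORT || dwDomainName + sizeof(WCHAR) > MAXUSHORT)
        {
            status = STATUS_NAME_TOO_LONG;
            goto Cleanup;
        }

        UstrName.MaximumLength = (USHORT)(dwAcctName + sizeof(WCHAR)); // room for the L'\0'
        UstrName.Length = 0;
        UstrName.Buffer = ExAllocatePoolWithTag(PagedPool, UstrName.MaximumLength, 'tap1');

        UstrDomain.MaximumLength = (USHORT)(dwDomainName + sizeof(WCHAR)); // room for the L'\0'
        UstrDomain.Length = 0;
        UstrDomain.Buffer = ExAllocatePoolWithTag(PagedPool, UstrDomain.MaximumLength, 'tap1');

        if (UstrName.Buffer == NULL || UstrDomain.Buffer == NULL)
        {
            status = STATUS_INSUFFICIENT_RESOURCES; // old code returned the probe's STATUS_BUFFER_TOO_SMALL here
            goto Cleanup;
        }

        status = SecLookupAccountSid(Sid, &dwAcctName, &UstrName, &dwDomainName, &UstrDomain, &eUse);
        if (status == STATUS_BUFFER_TOO_SMALL)
        {
            DbgPrint("SecLookupAccountSid:Memery Too Small!\n");
        }
        else if (NT_SUCCESS(status))
        {
            if (ProcessUserName != NULL)
                RtlCopyUnicodeString(ProcessUserName, &UstrName);
            else
                DbgPrint("SecLookupAccountSid: %wZ\n", &UstrName);
        }
        else
        {
            // "%ud" printed the value followed by a literal 'd'; NTSTATUS is conventionally shown in hex.
            DbgPrint("SecLookupAccountSid,errorCode: %08X\n", status);
        }
    }

Cleanup:
    // Release in reverse order of acquisition; everything is NULL until it was acquired.
    if (UstrDomain.Buffer != NULL)
        ExFreePool(UstrDomain.Buffer);
    if (UstrName.Buffer != NULL)
        ExFreePool(UstrName.Buffer);
    if (TokenInformation != NULL)
        ExFreePool(TokenInformation);
    if (TokenHandle != NULL)
        ZwClose(TokenHandle);
    if (buffer != NULL)
        ExFreePool(buffer);
    if (hProcess != NULL)
        ZwClose(hProcess);
    ObDereferenceObject(pEprocess);

    return status;
}
--------------------------------------------------------------------------------
/FileLogger/FileLoggerFunction.h:
--------------------------------------------------------------------------------
#pragma once
//#ifndef __FLOGFUN_H__
//#define __FLOGFUN_H__

#include
//#include
#include



/*************************************************************************
    Prototypes
*************************************************************************/
#pragma region 函数预定义
void EnumProcessInfo();
VOID CreateProcessNotifyRoutine(IN HANDLE ParentId, IN HANDLE ProcessId, IN BOOLEAN Create);
NTSTATUS GetProcessImagePath(IN ULONG dwProcessId, OUT PUNICODE_STRING ProcessImagePath);
NTSTATUS GetUserName(IN ULONG dwProcessId, OUT PUNICODE_STRING ProcessUserName);
NTSTATUS GetProcessInfo(IN ULONG dwProcessId, OUT PUNICODE_STRING ProcessName, OUT PUNICODE_STRING ProcessUserName);


//#endif __FLOGFUN_H__
--------------------------------------------------------------------------------
/FileLogger/HashFunction.c:
--------------------------------------------------------------------------------

#include "HashFunction.h"

// BKDR Hash Function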
/*
unsigned int BKDRHash(char *str)
{
    unsigned int seed = 131; // 31 131 1313 13131 131313 etc..
    unsigned int hash = 0;

    while (*str)
    {
        hash = hash * seed + (*str++);
    }

    return (hash & 0x7FFFFFFF);
}*/

/*
 * BKDR hash over exactly `lenth` wide characters of `str` (no terminator is
 * needed or looked for), folded to 31 bits. `seed` is the multiplier; 31, 131,
 * 1313, ... are the customary choices and StringHashInit varies it to reduce
 * collisions. A zero `lenth` yields 0 without touching `str`.
 */
ULONG BKDRHash(WCHAR *str, ULONG lenth, ULONG seed)
{
    ULONG hash = 0;
    ULONG i;

    for (i = 0; i < lenth; ++i)
    {
        hash = hash * seed + str[i];
    }

    return (hash & 0x7FFFFFFF);
}

// SDBM hash of a NUL-terminated narrow string (hash = 65599*hash + c), folded to 31 bits.
unsigned int SDBMHash(char *str)
{
    unsigned int hash = 0;

    for (; *str != '\0'; ++str)
    {
        // (hash << 6) + (hash << 16) - hash == 65599 * hash
        hash = (hash << 6) + (hash << 16) - hash + *str;
    }

    return (hash & 0x7FFFFFFF);
}

// RS hash (Robert Sedgewick): the multiplier starts at 63689 and is scaled by 378551 per character.
unsigned int RSHash(char *str)
{
    const unsigned int scale = 378551;
    unsigned int multiplier = 63689;
    unsigned int hash = 0;

    for (; *str != '\0'; ++str)
    {
        hash = hash * multiplier + *str;
        multiplier *= scale;
    }

    return (hash & 0x7FFFFFFF);
}

// JS hash (Justin Sobel) of a NUL-terminated narrow string, folded to 31 bits.
unsigned int JSHash(char *str)
{
    unsigned int hash = 1315423911;

    for (; *str != '\0'; ++str)
    {
        hash ^= (hash << 5) + *str + (hash >> 2);
    }

    return (hash & 0x7FFFFFFF);
}

// P. J. Weinberger hash: shift in one eighth of the word per character and fold
// back any bits that spill into the top eighth.
unsigned int PJWHash(char *str)
{
    const unsigned int bitsInUnsignedInt = (unsigned int)(sizeof(unsigned int) * 8);
    const unsigned int threeQuarters = (bitsInUnsignedInt * 3) / 4;
    const unsigned int oneEighth = bitsInUnsignedInt / 8;
    const unsigned int highBits = (unsigned int)0xFFFFFFFF << (bitsInUnsignedInt - oneEighth);
    unsigned int hash = 0;

    for (; *str != '\0'; ++str)
    {
        unsigned int overflow;

        hash = (hash << oneEighth) + *str;
        overflow = hash & highBits;
        if (overflow != 0)
        {
            hash = (hash ^ (overflow >> threeQuarters)) & ~highBits;
        }
    }

    return (hash & 0x7FFFFFFF);
}

// ELF hash: the PJW scheme with fixed 4-bit shifts, as used for ELF symbol tables.
unsigned int ELFHash(char *str)
{
    unsigned int hash = 0;

    for (; *str != '\0'; ++str)
    {
        unsigned int top;

        hash = (hash << 4) + *str;
        top = hash & 0xF0000000L;
        if (top != 0)
        {
            hash ^= top >> 24;
            hash &= ~top;
        }
    }

    return (hash & 0x7FFFFFFF);
}

// DJB hash (Daniel J. Bernstein): hash = 33*hash + c, starting from 5381.
unsigned int DJBHash(char *str)
{
    unsigned int hash = 5381;

    for (; *str != '\0'; ++str)
    {
        hash = hash * 33 + *str; // identical to hash + (hash << 5) + c
    }

    return (hash & 0x7FFFFFFF);
}

// AP hash (Arash Partow): alternates two mixing steps by character position.
unsigned int APHash(char *str)
{
    unsigned int hash = 0;
    int evenPosition = 1; // position 0 is "even" and takes the first mixing step

    for (; *str != '\0'; ++str, evenPosition = !evenPosition)
    {
        if (evenPosition)
            hash ^= (hash << 7) ^ *str ^ (hash >> 3);
        else
            hash ^= ~((hash << 11) ^ *str ^ (hash >> 5));
    }

    return (hash & 0x7FFFFFFF);
}
--------------------------------------------------------------------------------
/FileLogger/HashFunction.h:
--------------------------------------------------------------------------------
#pragma once
#include


// BKDR Hash Function
/*
unsigned int BKDRHash(char *str)
{
    unsigned int seed
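= 131; // 31 131 1313 13131 131313 etc..
    unsigned int hash = 0;

    while (*str)
    {
        hash = hash * seed + (*str++);
    }

    return (hash & 0x7FFFFFFF);
}*/
ULONG BKDRHash(WCHAR *str, ULONG lenth, ULONG seed);

unsigned int SDBMHash(char *str);

// RS Hash Function
unsigned int RSHash(char *str);

// JS Hash Function
unsigned int JSHash(char *str);

// P. J. Weinberger Hash Function
unsigned int PJWHash(char *str);

// ELF Hash Function
unsigned int ELFHash(char *str);

// DJB Hash Function
unsigned int DJBHash(char *str);

// AP Hash Function
unsigned int APHash(char *str);
--------------------------------------------------------------------------------
/FileLogger/StringHashMap.c:
--------------------------------------------------------------------------------
#include "StringHashMap.h"
#include "HashFunction.h"
#include "FileLoggerData.h"
#include "stdlib.h"


#define AllocatePoolTag 'SHMP'

/*
 * qsort comparator for ULONG keys.
 * The previous `*(ULONG *)a - *(ULONG *)b` relied on the unsigned difference
 * wrapping back into a correctly signed int, which only holds while both keys
 * are below 2^31; an explicit comparison is correct for any ULONG.
 */
int __cdecl cmp(const void *a, const void *b)
{
    ULONG lhs = *(const ULONG *)a;
    ULONG rhs = *(const ULONG *)b;
    return (lhs > rhs) - (lhs < rhs);
}//qsort(num, 100, sizeof(num[0]), cmp);

/*
 * StringHashInit - build a read-only hash table over a ';'-separated list of
 * wide strings.
 *
 * pInitHashMap   table to fill: ppHashTable, lHashTableSize, pStringPool and
 *                pWcharPool are (re)assigned; the other fields are untouched.
 * initBuffer     NUL-terminated, ';'-separated list. It becomes the table's
 *                backing store (pWcharPool) and is modified in place: a ';'
 *                that does not follow a '\\' is overwritten with '\\', so
 *                every entry ends with a backslash. The caller must keep the
 *                buffer alive for the lifetime of the table.
 * initSize       currently unused -- both scans stop at the first L'\0'.
 *                NOTE(review): its unit (characters or bytes) is not visible
 *                here; once known it should bound the scans so that an
 *                unterminated buffer cannot be over-read.
 * maxCollision   largest bucket occupancy accepted while choosing the BKDR
 *                seed and the table size.
 *
 * Returns STATUS_SUCCESS (the old code returned the literal 1, which
 * NT_SUCCESS also accepts) or STATUS_INSUFFICIENT_RESOURCES; on failure the
 * table pointers are left NULL, lHashTableSize is 0 and nothing is leaked.
 *
 * Layout: ppHashTable[h] points into pStringPool at a run of
 * (bucket count + 1) UNICODE_STRINGs, the last of which stays zeroed as a
 * terminator (Length == 0); empty buckets hold NULL.
 */
NTSTATUS StringHashInit(PSTRING_HASH_MAP pInitHashMap, PWCHAR initBuffer, ULONG initSize, ULONG maxCollision)
{
    NTSTATUS status = STATUS_SUCCESS;
    ULONG lStringCount = 0;                 // number of ';'-terminated entries
    ULONG lNullStringCount = 0;             // number of non-empty buckets == terminator slots needed in pStringPool
    ULONG seed = 131;                       // 31 131 1313 13131 131313 etc..
    PUNICODE_STRING pUnicodeString = NULL;  // one UNICODE_STRING per entry, in input order (temporary)
    PULONG pUnicodeStringHash = NULL;       // entry hashes, sorted while choosing the seed (temporary)
    PULONG pTmpHashTableCount = NULL;       // per-bucket occupancy (temporary)

    UNREFERENCED_PARAMETER(initSize);

    // Start from a clean table so the failure path can free exactly what it allocated.
    pInitHashMap->ppHashTable = NULL;
    pInitHashMap->pStringPool = NULL;
    pInitHashMap->lHashTableSize = 0;
    pInitHashMap->pWcharPool = initBuffer; // the caller's buffer is the table's backing store
    KdPrint(("initBuffer:%S", initBuffer));

    //
    // Pass 1: count the entries.
    //
    for (PWCHAR p = initBuffer; *p != L'\0'; ++p)
    {
        if (*p == L';') ++lStringCount;
    }

    pUnicodeString = (PUNICODE_STRING)ExAllocatePoolWithTag(PagedPool,
        lStringCount * sizeof(UNICODE_STRING), AllocatePoolTag);
    if (pUnicodeString == NULL)
    {
        status = STATUS_INSUFFICIENT_RESOURCES;
        goto Cleanup;
    }
    memset(pUnicodeString, 0, lStringCount * sizeof(UNICODE_STRING));

    //
    // Pass 2: slice initBuffer into UNICODE_STRINGs (no copy; Buffer points into initBuffer).
    //
    {
        ULONG stringIndex = 0;
        ULONG stringLength = 0; // characters seen since the previous ';'

        for (PWCHAR p = initBuffer; *p != L'\0'; ++p)
        {
            if (*p != L';')
            {
                ++stringLength;
                continue;
            }

            pUnicodeString[stringIndex].Buffer = p - stringLength;
            // Make every entry end in '\\' by recycling the separator.
            // `p == initBuffer` guards the read of *(p - 1) when the list starts with ';'.
            if (p == initBuffer || *(p - 1) != L'\\')
            {
                *p = L'\\';
                ++stringLength;
            }
            pUnicodeString[stringIndex].Length = (USHORT)(stringLength * sizeof(WCHAR));
            pUnicodeString[stringIndex].MaximumLength = pUnicodeString[stringIndex].Length;

            ++stringIndex;
            stringLength = 0;
        }
    }
    for (ULONG i = 0; i < lStringCount; ++i)
    {
        KdPrint(("pUnicodeString[%d]:%wZ, Length:%d, MaximumLength:%d\n", i, &pUnicodeString[i], pUnicodeString[i].Length, pUnicodeString[i].MaximumLength));
    }

    pUnicodeStringHash = (PULONG)ExAllocatePoolWithTag(PagedPool, lStringCount * sizeof(ULONG), AllocatePoolTag);
    if (pUnicodeStringHash == NULL)
    {
        status = STATUS_INSUFFICIENT_RESOURCES;
        goto Cleanup;
    }

    //
    // Pass 3: choose the BKDR seed. Hash every entry, sort, and measure the longest
    // run of equal hashes; grow the seed (131 -> 1313 -> 13131 ...) until the run is
    // within maxCollision or the seed sequence is exhausted.
    //
    for (;;)
    {
        ULONG maxRepeatTimes = 1;
        ULONG nextSeed;

        for (ULONG j = 0; j < lStringCount; ++j)
        {
            pUnicodeStringHash[j] = BKDRHash(pUnicodeString[j].Buffer, pUnicodeString[j].Length / sizeof(WCHAR), seed);
            KdPrint(("pUnicodeStringHash[%d]:%u\n", j, pUnicodeStringHash[j]));
        }
        qsort(pUnicodeStringHash, lStringCount, sizeof(ULONG), cmp);

        for (ULONG j = 1; j < lStringCount; ++j)
        {
            if (pUnicodeStringHash[j] == pUnicodeStringHash[j - 1])
                ++maxRepeatTimes;
            else if (maxRepeatTimes > maxCollision)
                break;
            else
                maxRepeatTimes = 1;
        }
        if (maxRepeatTimes <= maxCollision)
            break;

        // The old code advanced `seed` before testing the bound, so when it gave up the
        // hashes in pUnicodeStringHash (and the bucket counts derived from them below)
        // had been computed with a different seed than the final placement pass used.
        nextSeed = seed * 10 + (seed / 10) % 10;
        if (nextSeed > 131313131)
            break;
        seed = nextSeed;
    }
    KdPrint(("seed:%u\n", seed));
    for (ULONG i = 0; i < lStringCount; ++i)
    {
        KdPrint(("--->[%d]:%u\n", i, pUnicodeStringHash[i]));
    }

    //
    // Pass 4: choose lHashTableSize. Start at 1024 (fewer than 512 entries) or 2*count
    // and grow one at a time, up to twice that, until no bucket exceeds maxCollision.
    //
    pInitHashMap->lHashTableSize = (lStringCount < 512) ? 1024 : lStringCount * 2;
    {
        ULONG maxSize = pInitHashMap->lHashTableSize * 2;
        ULONG loop = 1;

        // (PULONG), not (ULONG): the old cast truncated the pool pointer on x64 builds.
        pTmpHashTableCount = (PULONG)ExAllocatePoolWithTag(PagedPool, maxSize * sizeof(ULONG), AllocatePoolTag);
        if (pTmpHashTableCount == NULL)
        {
            status = STATUS_INSUFFICIENT_RESOURCES;
            goto Cleanup;
        }
        memset(pTmpHashTableCount, 0, maxSize * sizeof(ULONG));

        for (; (pInitHashMap->lHashTableSize < maxSize) && loop; ++pInitHashMap->lHashTableSize)
        {
            loop = 0;
            memset(pTmpHashTableCount, 0, pInitHashMap->lHashTableSize * sizeof(ULONG));
            for (ULONG j = 0; j < lStringCount; j++)
            {
                if (++pTmpHashTableCount[pUnicodeStringHash[j] % pInitHashMap->lHashTableSize] > maxCollision)
                {
                    loop = 1; // a bucket overflowed: try the next size
                    break;
                }
            }
        }
        --pInitHashMap->lHashTableSize; // undo the for-loop increment that followed the accepted size
        if (loop == 1)
        {
            // No size satisfied maxCollision: keep the largest one and recount it fully.
            memset(pTmpHashTableCount, 0, pInitHashMap->lHashTableSize * sizeof(ULONG));
            for (ULONG j = 0; j < lStringCount; j++)
            {
                ++pTmpHashTableCount[pUnicodeStringHash[j] % pInitHashMap->lHashTableSize];
            }
        }
    }
    ExFreePool(pUnicodeStringHash);
    pUnicodeStringHash = NULL;

    KdPrint(("pInitHashMap->lHashTableSize:%u\n", pInitHashMap->lHashTableSize));
    for (ULONG j = 0; j < pInitHashMap->lHashTableSize; j++)
    {
        KdPrint(("pTmpHashTable[%d]:%u\n", j, pTmpHashTableCount[j]));
        if (pTmpHashTableCount[j]) ++lNullStringCount;
    }

    //
    // Pass 5: allocate the real table and the string pool, then place the entries.
    //
    pInitHashMap->ppHashTable = (PUNICODE_STRING *)ExAllocatePoolWithTag(PagedPool,
        pInitHashMap->lHashTableSize * sizeof(PUNICODE_STRING), AllocatePoolTag);
    if (pInitHashMap->ppHashTable == NULL)
    {
        status = STATUS_INSUFFICIENT_RESOURCES;
        goto Cleanup;
    }
    memset(pInitHashMap->ppHashTable, 0, pInitHashMap->lHashTableSize * sizeof(PUNICODE_STRING));

    pInitHashMap->pStringPool = (PUNICODE_STRING)ExAllocatePoolWithTag(PagedPool,
        (lStringCount + lNullStringCount) * sizeof(UNICODE_STRING), AllocatePoolTag);
    if (pInitHashMap->pStringPool == NULL)
    {
        status = STATUS_INSUFFICIENT_RESOURCES;
        goto Cleanup;
    }
    memset(pInitHashMap->pStringPool, 0, (lStringCount + lNullStringCount) * sizeof(UNICODE_STRING));

    {
        PUNICODE_STRING nextStringPointer = pInitHashMap->pStringPool;
        for (ULONG j = 0; j < pInitHashMap->lHashTableSize; j++)
        {
            if (pTmpHashTableCount[j])
            {
                pInitHashMap->ppHashTable[j] = nextStringPointer;
                nextStringPointer += pTmpHashTableCount[j] + 1; // +1: zeroed terminator entry
            }
        }
    }

    for (ULONG j = 0; j < lStringCount; j++)
    {
        // NOTE(review): the original text of this loop header and of the hashValue
        // computation was lost in extraction; reconstructed from the counting loop in pass 4.
        ULONG hashValue = BKDRHash(pUnicodeString[j].Buffer, pUnicodeString[j].Length / sizeof(WCHAR), seed) % pInitHashMap->lHashTableSize;
        PUNICODE_STRING pString = pInitHashMap->ppHashTable[hashValue];
        if (pString == NULL) continue; // cannot happen: this entry was counted into that bucket
        while (pString->Length > 0) ++pString; // first free slot of the bucket's run
        *pString = pUnicodeString[j];

        KdPrint(("pString:%d\n", pString - pInitHashMap->pStringPool));
    }

    for (ULONG j = 0; j < lStringCount + lNullStringCount; j++)
    {
        // The author's note here read: "something is wrong here, the buffer is not right!!!!!"
        KdPrint(("pInitHashMap->pStringPool[%d]:%wZ\n", j, &pInitHashMap->pStringPool[j]));
    }
    for (ULONG j = 0; j < pInitHashMap->lHashTableSize; j++)
    {
        KdPrint(("pInitHashMap->ppHashTable[%d]:%wZ\n", j, pInitHashMap->ppHashTable[j]));
    }

Cleanup:
    // Temporaries are always released; the table itself only on failure.
    if (pUnicodeStringHash != NULL) ExFreePool(pUnicodeStringHash);
    if (pUnicodeString != NULL) ExFreePool(pUnicodeString);
    if (pTmpHashTableCount != NULL) ExFreePool(pTmpHashTableCount);
    if (!NT_SUCCESS(status))
    {
        if (pInitHashMap->ppHashTable != NULL)
        {
            ExFreePool(pInitHashMap->ppHashTable);
            pInitHashMap->ppHashTable = NULL;
        }
        if (pInitHashMap->pStringPool != NULL)
        {
            ExFreePool(pInitHashMap->pStringPool);
            pInitHashMap->pStringPool = NULL;
        }
        pInitHashMap->lHashTableSize = 0;
    }
    return status;
}

--------------------------------------------------------------------------------
/FileLogger/StringHashMap.h:
--------------------------------------------------------------------------------
/*
******************************
* This hash table stores strings; it cannot be inserted into, only initialised.
* Initialisation checks collisions; if the requirement is not met, the hash
* function's parameter and the table size are changed. BKDRHash is used:
* ULONG BKDRHash(WCHAR *str, ULONG lenth, ULONG seed) //ULONG seed = 31 131 1313 13131 131313 etc..
* If no seed meets the requirement, pick the seed with the fewest collisions!
*
******************************
*/

#pragma once
#include


#define VALUE_COUNT 1024

typedef struct _STRING_HASH_MAP {
    PUNICODE_STRING *ppHashTable;
    ULONG lHashTableSize;

    ULONG IsIncludeFilter; // whitelist or blacklist (in the pre-op, if filtered out, set the context to NULL; in the post-op, a NULL context means exit immediately)
    // InterlockedIncrement, InterlockedDecrement, InterlockedExchangeAdd
    __volatile LONG threadCount; // used at shutdown to confirm no process is still using the buffer before it is freed

    PUNICODE_STRING pStringPool; // memory pool; index:0~max ; index==-1:NULL; InterlockedExchangePointer
    PWCHAR pWcharPool; // memory pool; index:0~max ; index==-1:NULL; InterlockedExchangePointer
}STRING_HASH_MAP, *PSTRING_HASH_MAP;


PSTRING_HASH_MAP getStringHashMapInstance(); // factory pattern?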
31 | NTSTATUS StringHashInit(PSTRING_HASH_MAP pInitHashMap, PWCHAR initBuffer, ULONG initSize, ULONG maxCollision); 32 | NTSTATUS StringHashInsert(PSTRING_HASH_MAP pHashMap, ULONG processId, PUNICODE_STRING strProcessName, PUNICODE_STRING strUserName); 33 | NTSTATUS StringHashRemove(PSTRING_HASH_MAP pHashMap, ULONG processId); 34 | NTSTATUS StringHashDestroy(PSTRING_HASH_MAP pHashMap); 35 | VOID printfStringHashMap(PSTRING_HASH_MAP pInitHashMap); 36 | -------------------------------------------------------------------------------- /README.md: -------------------------------------------------------------------------------- 1 | # FileLogger 2 | 3 | 4 | 5 | 立项原因 6 | -------- 7 | 11-20-2015 8 | 9 | 接触了一个文件操作日志收集的项目,该项目的驱动基于minifilter。驱动里,只是很简单地把驱动中收集到的日志原样转送到应用层,具体的过滤操作放到应用层。个人觉得这样大大限制了软件的性能。大部分无用的日志本可以在驱动中完成过滤,避免不必要的性能消耗,故而有此项目。 10 | 此项目旨在收集windows下文件操作日志,并且还原记录为真实操作。比如一个不同卷之间的move操作,windows会分解为许多操作,发送的IRP一般会有create、read、write、attribute、cleanup、close、delete等,本程序会将他们合并记录为一个move记录。此外,会尽量提高程序运行性能,减少不必要的性能消耗。 11 | 12 | 由于只在业余时间进行开发,而且对WDK不是很熟悉,开发速度比较慢。 13 | 14 | -------- 15 | 12-12-2016 16 | 17 | 还没养成写开源软件的习惯,时间被各种各样的事情浪费了。 -------------------------------------------------------------------------------- /Win7Debug/FileLogger.cer: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/lxt1045/FileLogger/a11e57318496b3c9495a8512ea1f3ffba6ef05a5/Win7Debug/FileLogger.cer -------------------------------------------------------------------------------- /Win7Debug/FileLogger.inf: -------------------------------------------------------------------------------- 1 | ;;; 2 | ;;; FileLogger 3 | ;;; 4 | ;;; 5 | ;;; Copyright (c) 2015 - 2025, LiXiantu 6 | ;;; 7 | 8 | [Version] 9 | Signature = "$Windows NT$" 10 | ; TODO - Change the Class and ClassGuid to match the Load Order Group value, see http://msdn.microsoft.com/en-us/windows/hardware/gg462963 11 | ; Class = "ActivityMonitor" ;This is determined by the work this filter 
driver does 12 | ; ClassGuid = {b86dff51-a31e-4bac-b3cf-e8cfe75c9fc2} ;This value is determined by the Load Order Group value 13 | Class = "_TODO_Change_Class_appropriately_" 14 | ClassGuid = {_TODO_Change_ClassGuid_appropriately_} 15 | Provider = %ManufacturerName% 16 | DriverVer=09/25/2015,13.54.35.525 17 | CatalogFile = FileLogger.cat 18 | 19 | [DestinationDirs] 20 | DefaultDestDir = 12 21 | MiniFilter.DriverFiles = 12 ;%windir%\system32\drivers 22 | 23 | ;; 24 | ;; Default install sections 25 | ;; 26 | 27 | [DefaultInstall] 28 | OptionDesc = %ServiceDescription% 29 | CopyFiles = MiniFilter.DriverFiles 30 | 31 | [DefaultInstall.Services] 32 | AddService = %ServiceName%,,MiniFilter.Service 33 | 34 | ;; 35 | ;; Default uninstall sections 36 | ;; 37 | 38 | [DefaultUninstall] 39 | DelFiles = MiniFilter.DriverFiles 40 | 41 | [DefaultUninstall.Services] 42 | DelService = %ServiceName%,0x200 ;Ensure service is stopped before deleting 43 | 44 | ; 45 | ; Services Section 46 | ; 47 | 48 | [MiniFilter.Service] 49 | DisplayName = %ServiceName% 50 | Description = %ServiceDescription% 51 | ServiceBinary = %12%\%DriverName%.sys ;%windir%\system32\drivers\ 52 | Dependencies = "FltMgr" 53 | ServiceType = 2 ;SERVICE_FILE_SYSTEM_DRIVER 54 | StartType = 3 ;SERVICE_DEMAND_START 55 | ErrorControl = 1 ;SERVICE_ERROR_NORMAL 56 | ; TODO - Change the Load Order Group value, see http://connect.microsoft.com/site221/content/content.aspx?ContentID=2512 57 | LoadOrderGroup = "FSFilter Activity Monitor" 58 | ;LoadOrderGroup = "_TODO_Change_LoadOrderGroup_appropriately_" 59 | AddReg = MiniFilter.AddRegistry 60 | 61 | ; 62 | ; Registry Modifications 63 | ; 64 | 65 | [MiniFilter.AddRegistry] 66 | HKR,,"DebugFlags",0x00010001 ,0x0 67 | HKR,,"SupportedFeatures",0x00010001,0x3 68 | HKR,"Instances","DefaultInstance",0x00000000,%DefaultInstance% 69 | HKR,"Instances\"%Instance1.Name%,"Altitude",0x00000000,%Instance1.Altitude% 70 | HKR,"Instances\"%Instance1.Name%,"Flags",0x00010001,%Instance1.Flags% 
71 | 72 | ; 73 | ; Copy Files 74 | ; 75 | 76 | [MiniFilter.DriverFiles] 77 | %DriverName%.sys 78 | 79 | [SourceDisksFiles] 80 | FileLogger.sys = 1,, 81 | 82 | [SourceDisksNames] 83 | 1 = %DiskId1%,,, 84 | 85 | ;; 86 | ;; String Section 87 | ;; 88 | 89 | [Strings] 90 | ; TODO - Add your manufacturer 91 | ManufacturerName = "Lxt1045" 92 | ServiceDescription = "FileLogger Mini-Filter Driver" 93 | ServiceName = "FileLogger" 94 | DriverName = "FileLogger" 95 | DiskId1 = "FileLogger Device Installation Disk" 96 | 97 | ;Instances specific information. 98 | DefaultInstance = "FileLogger Instance" 99 | Instance1.Name = "FileLogger Instance" 100 | ; TODO - Change the altitude value, see http://connect.microsoft.com/site221/content/content.aspx?ContentID=2512 101 | Instance1.Altitude = "370030" 102 | ;Instance.Altitude = "_TODO_Change_Altitude_appropriately_" 103 | Instance1.Flags = 0x0 ; Allow all attachments 104 | -------------------------------------------------------------------------------- /Win7Debug/FileLogger.sys: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/lxt1045/FileLogger/a11e57318496b3c9495a8512ea1f3ffba6ef05a5/Win7Debug/FileLogger.sys -------------------------------------------------------------------------------- /Win8.1Debug/FileLogger.cer: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/lxt1045/FileLogger/a11e57318496b3c9495a8512ea1f3ffba6ef05a5/Win8.1Debug/FileLogger.cer -------------------------------------------------------------------------------- /Win8.1Debug/FileLogger.inf: -------------------------------------------------------------------------------- 1 | ;;; 2 | ;;; FileLogger 3 | ;;; 4 | ;;; 5 | ;;; Copyright (c) 2015 - 2025, LiXiantu 6 | ;;; 7 | 8 | [Version] 9 | Signature = "$Windows NT$" 10 | ; TODO - Change the Class and ClassGuid to match the Load Order Group value, see 
http://msdn.microsoft.com/en-us/windows/hardware/gg462963 11 | ; Class = "ActivityMonitor" ;This is determined by the work this filter driver does 12 | ; ClassGuid = {b86dff51-a31e-4bac-b3cf-e8cfe75c9fc2} ;This value is determined by the Load Order Group value 13 | Class = "_TODO_Change_Class_appropriately_" 14 | ClassGuid = {_TODO_Change_ClassGuid_appropriately_} 15 | Provider = %ManufacturerName% 16 | DriverVer=09/30/2015,23.18.2.881 17 | CatalogFile = FileLogger.cat 18 | 19 | [DestinationDirs] 20 | DefaultDestDir = 12 21 | MiniFilter.DriverFiles = 12 ;%windir%\system32\drivers 22 | 23 | ;; 24 | ;; Default install sections 25 | ;; 26 | 27 | [DefaultInstall] 28 | OptionDesc = %ServiceDescription% 29 | CopyFiles = MiniFilter.DriverFiles 30 | 31 | [DefaultInstall.Services] 32 | AddService = %ServiceName%,,MiniFilter.Service 33 | 34 | ;; 35 | ;; Default uninstall sections 36 | ;; 37 | 38 | [DefaultUninstall] 39 | DelFiles = MiniFilter.DriverFiles 40 | 41 | [DefaultUninstall.Services] 42 | DelService = %ServiceName%,0x200 ;Ensure service is stopped before deleting 43 | 44 | ; 45 | ; Services Section 46 | ; 47 | 48 | [MiniFilter.Service] 49 | DisplayName = %ServiceName% 50 | Description = %ServiceDescription% 51 | ServiceBinary = %12%\%DriverName%.sys ;%windir%\system32\drivers\ 52 | Dependencies = "FltMgr" 53 | ServiceType = 2 ;SERVICE_FILE_SYSTEM_DRIVER 54 | StartType = 3 ;SERVICE_DEMAND_START 55 | ErrorControl = 1 ;SERVICE_ERROR_NORMAL 56 | ; TODO - Change the Load Order Group value, see http://connect.microsoft.com/site221/content/content.aspx?ContentID=2512 57 | LoadOrderGroup = "FSFilter Activity Monitor" 58 | ;LoadOrderGroup = "_TODO_Change_LoadOrderGroup_appropriately_" 59 | AddReg = MiniFilter.AddRegistry 60 | 61 | ; 62 | ; Registry Modifications 63 | ; 64 | 65 | [MiniFilter.AddRegistry] 66 | HKR,,"DebugFlags",0x00010001 ,0x0 67 | HKR,,"SupportedFeatures",0x00010001,0x3 68 | HKR,"Instances","DefaultInstance",0x00000000,%DefaultInstance% 69 | 
HKR,"Instances\"%Instance1.Name%,"Altitude",0x00000000,%Instance1.Altitude% 70 | HKR,"Instances\"%Instance1.Name%,"Flags",0x00010001,%Instance1.Flags% 71 | 72 | ; 73 | ; Copy Files 74 | ; 75 | 76 | [MiniFilter.DriverFiles] 77 | %DriverName%.sys 78 | 79 | [SourceDisksFiles] 80 | FileLogger.sys = 1,, 81 | 82 | [SourceDisksNames] 83 | 1 = %DiskId1%,,, 84 | 85 | ;; 86 | ;; String Section 87 | ;; 88 | 89 | [Strings] 90 | ; TODO - Add your manufacturer 91 | ManufacturerName = "Lxt1045" 92 | ServiceDescription = "FileLogger Mini-Filter Driver" 93 | ServiceName = "FileLogger" 94 | DriverName = "FileLogger" 95 | DiskId1 = "FileLogger Device Installation Disk" 96 | 97 | ;Instances specific information. 98 | DefaultInstance = "FileLogger Instance" 99 | Instance1.Name = "FileLogger Instance" 100 | ; TODO - Change the altitude value, see http://connect.microsoft.com/site221/content/content.aspx?ContentID=2512 101 | Instance1.Altitude = "370030" 102 | ;Instance.Altitude = "_TODO_Change_Altitude_appropriately_" 103 | Instance1.Flags = 0x0 ; Allow all attachments 104 | -------------------------------------------------------------------------------- /Win8.1Debug/FileLogger.sys: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/lxt1045/FileLogger/a11e57318496b3c9495a8512ea1f3ffba6ef05a5/Win8.1Debug/FileLogger.sys -------------------------------------------------------------------------------- /x64/Win7Debug/FileLogger.inf: -------------------------------------------------------------------------------- 1 | ;;; 2 | ;;; FileLogger 3 | ;;; 4 | ;;; 5 | ;;; Copyright (c) 2015 - 2025, LiXiantu 6 | ;;; 7 | 8 | [Version] 9 | Signature = "$Windows NT$" 10 | ; TODO - Change the Class and ClassGuid to match the Load Order Group value, see http://msdn.microsoft.com/en-us/windows/hardware/gg462963 11 | ; Class = "ActivityMonitor" ;This is determined by the work this filter driver does 12 | ; ClassGuid = 
{b86dff51-a31e-4bac-b3cf-e8cfe75c9fc2} ;This value is determined by the Load Order Group value 13 | Class = "_TODO_Change_Class_appropriately_" 14 | ClassGuid = {_TODO_Change_ClassGuid_appropriately_} 15 | Provider = %ManufacturerName% 16 | DriverVer=09/24/2015,13.41.55.145 17 | CatalogFile = FileLogger.cat 18 | 19 | [DestinationDirs] 20 | DefaultDestDir = 12 21 | MiniFilter.DriverFiles = 12 ;%windir%\system32\drivers 22 | 23 | ;; 24 | ;; Default install sections 25 | ;; 26 | 27 | [DefaultInstall] 28 | OptionDesc = %ServiceDescription% 29 | CopyFiles = MiniFilter.DriverFiles 30 | 31 | [DefaultInstall.Services] 32 | AddService = %ServiceName%,,MiniFilter.Service 33 | 34 | ;; 35 | ;; Default uninstall sections 36 | ;; 37 | 38 | [DefaultUninstall] 39 | DelFiles = MiniFilter.DriverFiles 40 | 41 | [DefaultUninstall.Services] 42 | DelService = %ServiceName%,0x200 ;Ensure service is stopped before deleting 43 | 44 | ; 45 | ; Services Section 46 | ; 47 | 48 | [MiniFilter.Service] 49 | DisplayName = %ServiceName% 50 | Description = %ServiceDescription% 51 | ServiceBinary = %12%\%DriverName%.sys ;%windir%\system32\drivers\ 52 | Dependencies = "FltMgr" 53 | ServiceType = 2 ;SERVICE_FILE_SYSTEM_DRIVER 54 | StartType = 3 ;SERVICE_DEMAND_START 55 | ErrorControl = 1 ;SERVICE_ERROR_NORMAL 56 | ; TODO - Change the Load Order Group value, see http://connect.microsoft.com/site221/content/content.aspx?ContentID=2512 57 | LoadOrderGroup = "FSFilter Activity Monitor" 58 | ;LoadOrderGroup = "_TODO_Change_LoadOrderGroup_appropriately_" 59 | AddReg = MiniFilter.AddRegistry 60 | 61 | ; 62 | ; Registry Modifications 63 | ; 64 | 65 | [MiniFilter.AddRegistry] 66 | HKR,,"DebugFlags",0x00010001 ,0x0 67 | HKR,,"SupportedFeatures",0x00010001,0x3 68 | HKR,"Instances","DefaultInstance",0x00000000,%DefaultInstance% 69 | HKR,"Instances\"%Instance1.Name%,"Altitude",0x00000000,%Instance1.Altitude% 70 | HKR,"Instances\"%Instance1.Name%,"Flags",0x00010001,%Instance1.Flags% 71 | 72 | ; 73 | ; Copy Files 74 
| ; 75 | 76 | [MiniFilter.DriverFiles] 77 | %DriverName%.sys 78 | 79 | [SourceDisksFiles] 80 | FileLogger.sys = 1,, 81 | 82 | [SourceDisksNames] 83 | 1 = %DiskId1%,,, 84 | 85 | ;; 86 | ;; String Section 87 | ;; 88 | 89 | [Strings] 90 | ; TODO - Add your manufacturer 91 | ManufacturerName = "Lxt1045" 92 | ServiceDescription = "FileLogger Mini-Filter Driver" 93 | ServiceName = "FileLogger" 94 | DriverName = "FileLogger" 95 | DiskId1 = "FileLogger Device Installation Disk" 96 | 97 | ;Instances specific information. 98 | DefaultInstance = "FileLogger Instance" 99 | Instance1.Name = "FileLogger Instance" 100 | ; TODO - Change the altitude value, see http://connect.microsoft.com/site221/content/content.aspx?ContentID=2512 101 | Instance1.Altitude = "370030" 102 | ;Instance.Altitude = "_TODO_Change_Altitude_appropriately_" 103 | Instance1.Flags = 0x0 ; Allow all attachments 104 | --------------------------------------------------------------------------------