[求助]IRP HOOK 蓝屏 DRIVER




IRP HOOK之后,在系统刚进入桌面的几分钟内卸载驱动,会出现这个蓝屏,可是之后的时间卸载这个驱动,一切正常。实在是想不明白为什么。以下是代码

/*
 * Replacement IRP_MJ_CREATE dispatch routine for the Ntfs driver object,
 * installed and removed by FSDHookControl() below.
 *
 * Behaviour: when the request's FILE_OBJECT name matches QQProtectUpd
 * (RtlFindSubString, QQProtectUpd and Event are defined elsewhere in the
 * driver; presumably a substring match on a UNICODE_STRING - confirm), the
 * create is failed with STATUS_ACCESS_DENIED. Every other request is handed
 * to the saved original dispatch routine NtfsCreateDispatch.
 *
 * NOTE(review): the Event handshake does not make unloading safe. Every call
 * resets the single global Event on entry and sets it on exit, so the waiter
 * in FSDHookControl() is released as soon as ANY one call finishes, while
 * other calls may still be executing inside this image (and a caller that
 * read the MajorFunction slot just before the swap-back may still enter
 * here afterwards). Once the driver image is unloaded those threads run
 * unmapped code, which would fit a bugcheck that depends on how busy the
 * create path is at unload time - confirm against the crash dump.
 */
NTSTATUS NtfsCreateDispatchHook( IN PDEVICE_OBJECT DeviceObject, IN PIRP Irp )
{
    NTSTATUS Status = STATUS_UNSUCCESSFUL;
    PIO_STACK_LOCATION IoStackLocation = NULL;
    PFILE_OBJECT FileObject = NULL;

    IoStackLocation = IoGetCurrentIrpStackLocation( Irp );
    /* The reset happens unconditionally, before any of the early-outs below. */
    KeResetEvent( &Event );
    if ( IoStackLocation == NULL )
        goto End;
    FileObject = IoStackLocation->FileObject;
    if ( FileObject == NULL )
        goto End;
    /* The name check is only attempted at PASSIVE_LEVEL; at any higher IRQL
       the request is passed through unfiltered. */
    if ( KeGetCurrentIrql() == PASSIVE_LEVEL )
    {
        BOOLEAN Bad = FALSE;
        Bad = RtlFindSubString( &FileObject->FileName, &QQProtectUpd );
        if( Bad )
        {
            /* Complete the create here without calling the original dispatch.
               NOTE(review): Irp->IoStatus.Information is left untouched on
               this path - confirm that is intended. */
            Irp->IoStatus.Status = STATUS_ACCESS_DENIED;
            IoCompleteRequest( Irp, IO_NO_INCREMENT );
            KeSetEvent( &Event, IO_DISK_INCREMENT + 1, FALSE );
            return STATUS_ACCESS_DENIED;
        }
    }
End:
    /* Forward to the original Ntfs IRP_MJ_CREATE handler saved by
       FSDHookControl(), then signal Event for the unhook path. */
    Status = NtfsCreateDispatch( DeviceObject, Irp );
    KeSetEvent( &Event, IO_DISK_INCREMENT + 1, FALSE );
    return Status;
}

/*
 * Install (IsHook == TRUE) or remove (IsHook == FALSE) the IRP_MJ_CREATE hook
 * on the \FileSystem\Ntfs driver object.
 *
 * Returns the ObReferenceObjectByName() status when the driver object cannot
 * be resolved; otherwise STATUS_SUCCESS, including when the unhook branch is
 * skipped (see notes below). NtfsCreateDispatch is a pointer defined elsewhere
 * in the driver that receives the original dispatch routine.
 */
NTSTATUS FSDHookControl( IN BOOLEAN IsHook )
{
    NTSTATUS status = STATUS_SUCCESS;
    UNICODE_STRING uNTFS = {0};
    PDRIVER_OBJECT NTFS = NULL;

    RtlInitUnicodeString( &uNTFS, L"\\FileSystem\\Ntfs" );
    /* Takes a reference on the driver object; released before returning. */
    status = ObReferenceObjectByName( &uNTFS, OBJ_CASE_INSENSITIVE | OBJ_KERNEL_HANDLE, NULL, 0, *IoDriverObjectType, KernelMode, NULL, &NTFS);
    if ( ! NT_SUCCESS( status ) )
        return status;

    if( IsHook )
        /* Swap the hook in and keep whatever was in the slot as the "original".
           NOTE(review): a second IsHook call would save the hook itself here,
           after which NtfsCreateDispatchHook forwards to itself - confirm the
           caller never hooks twice. */
        NtfsCreateDispatch = InterlockedExchangePointer( ( PVOID )&NTFS->MajorFunction[ IRP_MJ_CREATE ], NtfsCreateDispatchHook );

    if( ! IsHook && MmIsAddressValid( NtfsCreateDispatch ) )
    {
        /* Only restore when the slot still holds our hook. If something else
           replaced it since, nothing is restored yet STATUS_SUCCESS is still
           returned, so the caller cannot tell the image may still be referenced. */
        if( NTFS->MajorFunction[ IRP_MJ_CREATE ] == NtfsCreateDispatchHook )
        {
            /* NOTE(review): this untimed wait is satisfied by a single
               KeSetEvent from ONE in-flight NtfsCreateDispatchHook call (each
               entering call resets Event again), not by all of them, and
               nothing covers a caller that read the slot just before the
               exchange below. Unloading right after this returns can therefore
               still leave threads executing code from this image. */
            KeWaitForSingleObject( &Event, Executive, KernelMode, FALSE, NULL );
            InterlockedExchangePointer( ( PVOID )&( NTFS->MajorFunction[ IRP_MJ_CREATE ] ), NtfsCreateDispatch );
        }
    }
    ObDereferenceObject( NTFS );
    return STATUS_SUCCESS;
}









