驱动在入口函数中调用 EncryptionThreadPoolStart(); // 根据 CPU 个数决定工作线程的数目。随后根据注册表中的信息创建不同的设备对象;在我的环境里只走到 return TCCreateRootDeviceObject (DriverObject); 这里只看 TC_IOCTL_MOUNT_VOLUME 这一个操作,因为我主要想看它的加密/解密算法流程。
TC_IOCTL_MOUNT_VOLUME中调用了MountDevice下面主要看看这个函数(只复制下主要操作) 1.首先创建一个设备对象 ntStatus = TCCreateDeviceObject (DeviceObject->DriverObject, &NewDeviceObject, mount); MOUNT_STRUCT中保存了这个设备对象的一些属性
/*
 * TCCreateDeviceObject - create the named NT device object that represents
 * one mounted volume and initialise its per-device EXTENSION.
 *
 * DriverObject   : owning driver object, passed straight to IoCreateDevice.
 * ppDeviceObject : receives the new PDEVICE_OBJECT on success.
 * mount          : the mount request; only nDosDriveNo, bMountReadOnly,
 *                  bMountRemovable, bPartitionInInactiveSysEncScope and
 *                  SystemFavorite are read here.
 *
 * Returns STATUS_SUCCESS, or the NTSTATUS from IoCreateDevice unchanged when
 * the device could not be created (nothing else has been set up at that
 * point).
 *
 * Must run at PASSIVE_LEVEL. Note that ASSERT is a checked-build macro in the
 * WDK, so in a release build this is not a runtime guard.
 */
NTSTATUS TCCreateDeviceObject (PDRIVER_OBJECT DriverObject, PDEVICE_OBJECT * ppDeviceObject, MOUNT_STRUCT * mount)
{
	UNICODE_STRING Win32NameString, ntUnicodeString;	/* NOTE(review): Win32NameString is initialised below but never used in this function */
	WCHAR dosname[32], ntname[32];	/* NOTE(review): fixed 32-WCHAR buffers; the TCGet*NameFromNumber helpers are not visible here, so their write bound is assumed to fit */
	PEXTENSION Extension;
	NTSTATUS ntStatus;
	ULONG devChars = 0;

	Dump ("TCCreateDeviceObject BEGIN\n");
	ASSERT (KeGetCurrentIrql() == PASSIVE_LEVEL);

	/* Both the DOS (symbolic) and NT device names are derived from the
	 * requested drive number. */
	TCGetDosNameFromNumber (dosname, mount->nDosDriveNo);
	TCGetNTNameFromNumber (ntname, mount->nDosDriveNo);
	RtlInitUnicodeString (&ntUnicodeString, ntname);
	RtlInitUnicodeString (&Win32NameString, dosname);

	/* Device characteristics. FILE_DEVICE_SECURE_OPEN is set unconditionally:
	 * per the WDK this makes the I/O manager apply the device object's
	 * security descriptor to every open that names this device, including
	 * opens of trailing sub-names ("\Device\Name\anything"), not only to
	 * exact-name opens. Read-only and removable are taken from the mount
	 * request. */
	devChars = FILE_DEVICE_SECURE_OPEN;
	devChars |= mount->bMountReadOnly ? FILE_READ_ONLY_DEVICE : 0;
	devChars |= mount->bMountRemovable ? FILE_REMOVABLE_MEDIA : 0;

	Dump ("Creating device nt=%ls dos=%ls\n", ntname, dosname);

	/* No explicit security descriptor is supplied (IoCreateDevice has no SDDL
	 * parameter, unlike IoCreateDeviceSecure), so the device gets the I/O
	 * manager's default descriptor for its type. Any per-user access control
	 * on the volume therefore has to be enforced by the driver's own dispatch
	 * code -- not visible in this function. The device is created
	 * non-exclusive (FALSE). */
	ntStatus = IoCreateDevice (
		DriverObject,		/* Our Driver Object */
		sizeof (EXTENSION),	/* Size of state information */
		&ntUnicodeString,	/* Device name "\Device\Name" */
		FILE_DEVICE_DISK,	/* Device type */
		devChars,		/* Device characteristics */
		FALSE,			/* Exclusive device */
		ppDeviceObject);	/* Returned ptr to Device Object */

	if (!NT_SUCCESS (ntStatus))
	{
		Dump ("TCCreateDeviceObject NTSTATUS = 0x%08x END\n", ntStatus);
		return ntStatus;	/* Failed to create DeviceObject */
	}

	/* Initialize device object and extension. */
	/* Buffers of IRPs sent to this device are described by MDLs rather than
	 * copied into a system buffer. */
	(*ppDeviceObject)->Flags |= DO_DIRECT_IO;
注意下这里,说是减少bug check
	/* (Author's note above: "note this spot -- it is said to reduce bug
	 * checks".) Extra IRP stack locations are reserved beyond what the stack
	 * below this device needs. */
	(*ppDeviceObject)->StackSize += 2; // Reduce occurrence of NO_MORE_IRP_STACK_LOCATIONS bug check caused by buggy drivers

	/* Setup the device extension */
	Extension = (PEXTENSION) (*ppDeviceObject)->DeviceExtension;
	/* Per the WDK, IoCreateDevice already zero-fills the extension; this
	 * memset is belt-and-braces. */
	memset (Extension, 0, sizeof (EXTENSION));

	Extension->IsVolumeDevice = TRUE;
	Extension->lMagicNumber = 0xabfeacde;	/* sanity tag; presumably checked elsewhere to recognise this driver's device objects -- not visible here */
	Extension->nDosDriveNo = mount->nDosDriveNo;
	Extension->bRemovable = mount->bMountRemovable;
	Extension->PartitionInInactiveSysEncScope = mount->bPartitionInInactiveSysEncScope;
	Extension->SystemFavorite = mount->SystemFavorite;

	/* Synchronisation objects owned by the extension. The names suggest a
	 * per-volume request list guarded by ListSpinLock and signalled through
	 * RequestSemaphore; the consumers live outside this function. 'LRCT' is
	 * the remove-lock pool tag. */
	KeInitializeEvent (&Extension->keCreateEvent, SynchronizationEvent, FALSE);
	KeInitializeSemaphore (&Extension->RequestSemaphore, 0L, MAXLONG);
	KeInitializeSpinLock (&Extension->ListSpinLock);
	InitializeListHead (&Extension->ListEntry);
	IoInitializeRemoveLock (&Extension->Queue.RemoveLock, 'LRCT', 0, 0);

	Dump ("TCCreateDeviceObject STATUS_SUCCESS END\n");

	return STATUS_SUCCESS;
}
2.捕获当前线程的sid拷贝给新建设备对象的扩展,这么做为了在远程,或者网络上访问的时候获得权限
/* Excerpt from MountDevice (function start/end not shown): record the
 * requesting user's SID in the new device's extension.
 * NOTE(review): two things to verify in the full MountDevice, since the
 * excerpt does not show them: (1) per the WDK, the PTOKEN_USER buffer
 * returned by SeQueryInformationToken is pool-allocated and must be released
 * with ExFreePool after the SID has been copied; (2) SeQuerySubjectContextToken
 * returns the impersonation (client) token when the calling thread is
 * impersonating, so the SID stored is that of the impersonated client, not
 * necessarily the process owner. */
PEXTENSION NewExtension = (PEXTENSION) NewDeviceObject->DeviceExtension;
SECURITY_SUBJECT_CONTEXT subContext;
PACCESS_TOKEN accessToken;
SeCaptureSubjectContext (&subContext); accessToken = SeQuerySubjectContextToken (&subContext);
if (!accessToken) { ntStatus = STATUS_INVALID_PARAMETER; } else { PTOKEN_USER tokenUser;
ntStatus = SeQueryInformationToken (accessToken, TokenUser, &tokenUser); if (NT_SUCCESS (ntStatus)) { ULONG sidLength = RtlLengthSid (tokenUser->User.Sid);
NewExtension->UserSid = TCalloc (sidLength); if (!NewExtension->UserSid) ntStatus = STATUS_INSUFFICIENT_RESOURCES; else ntStatus = RtlCopySid (sidLength, NewExtension->UserSid, tokenUser->User.Sid); //捕获当前线程的sid拷贝给新建设备对象的扩展 } }
SeReleaseSubjectContext (&subContext);

