我有一个使用WDK 8.1样本的扫描仪文件系统迷你过滤器驱动程序 .
我想知道我是否可以将整个文件发送到用户土地应用程序,这样我就可以进行更复杂的计算,例如MD5 Hash或其他任何其他功能,以便我不必在迷你过滤器驱动程序中编写更复杂的操作但是相反,在用户土地应用程序,我不介意引入windows.h,我可以在堆上分配内存,而不是使用ExAllocatePoolWithTag和类似的东西 .
我可以在一个通知中将整个文件传递到用户登陆模式吗?
如果不是,我将如何进行分块并同步 .
以下是8.1扫描仪文件系统迷你过滤器驱动程序示例的界面,它指示迷你过滤器驱动程序和用户土地应用程序之间的通信:
/*++
Copyright (c) 1999-2002 Microsoft Corporation
Module Name:
scanuk.h
Abstract:
Header file which contains the structures, type definitions,
constants, global variables and function prototypes that are
shared between kernel and user mode.
Environment:
Kernel & user mode
--*/
#ifndef __SCANUK_H__
#define __SCANUK_H__
//
// Name of port used to communicate
//
const PWSTR ScannerPortName = L"\\ScannerPort";
#define SCANNER_READ_BUFFER_SIZE 1024
typedef struct _SCANNER_NOTIFICATION {
ULONG BytesToScan;
ULONG Reserved; // for quad-word alignement of the Contents structure
UCHAR Contents[SCANNER_READ_BUFFER_SIZE];
} SCANNER_NOTIFICATION, *PSCANNER_NOTIFICATION;
typedef struct _SCANNER_REPLY {
BOOLEAN SafeToOpen;
} SCANNER_REPLY, *PSCANNER_REPLY;
#endif // __SCANUK_H__
注意传递的缓冲区大小有1024个限制 . 这意味着我无法对用户登陆应用程序中的整个文件执行MD5哈希,然后将被强制在迷你过滤器驱动程序中执行此操作,如果可能,我希望避免使用它 .
以下是迷你过滤器驱动程序中的功能,它使用上面的界面将消息发送到用户登陆应用程序:
//////////////////////////////////////////////////////////////////////////
// Local support routines.
//
/////////////////////////////////////////////////////////////////////////
NTSTATUS
ScannerpScanFileInUserMode (
_In_ PFLT_INSTANCE Instance,
_In_ PFILE_OBJECT FileObject,
_Out_ PBOOLEAN SafeToOpen
)
/*++
Routine Description:
This routine is called to send a request up to user mode to scan a given
file and tell our caller whether it's safe to open this file.
Note that if the scan fails, we set SafeToOpen to TRUE. The scan may fail
because the service hasn't started, or perhaps because this create/cleanup
is for a directory, and there's no data to read & scan.
If we failed creates when the service isn't running, there'd be a
bootstrapping problem -- how would we ever load the .exe for the service?
Arguments:
Instance - Handle to the filter instance for the scanner on this volume.
FileObject - File to be scanned.
SafeToOpen - Set to FALSE if the file is scanned successfully and it contains
foul language.
Return Value:
The status of the operation, hopefully STATUS_SUCCESS. The common failure
status will probably be STATUS_INSUFFICIENT_RESOURCES.
--*/
{
NTSTATUS status = STATUS_SUCCESS;
PVOID buffer = NULL;
ULONG bytesRead;
PSCANNER_NOTIFICATION notification = NULL;
FLT_VOLUME_PROPERTIES volumeProps;
LARGE_INTEGER offset;
ULONG replyLength, length;
PFLT_VOLUME volume = NULL;
*SafeToOpen = TRUE;
//
// If not client port just return.
//
if (ScannerData.ClientPort == NULL) {
return STATUS_SUCCESS;
}
try {
//
// Obtain the volume object .
//
status = FltGetVolumeFromInstance( Instance, &volume );
if (!NT_SUCCESS( status )) {
leave;
}
//
// Determine sector size. Noncached I/O can only be done at sector size offsets, and in lengths which are
// multiples of sector size. A more efficient way is to make this call once and remember the sector size in the
// instance setup routine and setup an instance context where we can cache it.
//
status = FltGetVolumeProperties( volume,
&volumeProps,
sizeof( volumeProps ),
&length );
//
// STATUS_BUFFER_OVERFLOW can be returned - however we only need the properties, not the names
// hence we only check for error status.
//
if (NT_ERROR( status )) {
leave;
}
length = max( SCANNER_READ_BUFFER_SIZE, volumeProps.SectorSize );
//
// Use non-buffered i/o, so allocate aligned pool
//
buffer = FltAllocatePoolAlignedWithTag( Instance,
NonPagedPool,
length,
'nacS' );
if (NULL == buffer) {
status = STATUS_INSUFFICIENT_RESOURCES;
leave;
}
notification = ExAllocatePoolWithTag( NonPagedPool,
sizeof( SCANNER_NOTIFICATION ),
'nacS' );
if(NULL == notification) {
status = STATUS_INSUFFICIENT_RESOURCES;
leave;
}
//
// Read the beginning of the file and pass the contents to user mode.
//
offset.QuadPart = bytesRead = 0;
status = FltReadFile( Instance,
FileObject,
&offset,
length,
buffer,
FLTFL_IO_OPERATION_NON_CACHED |
FLTFL_IO_OPERATION_DO_NOT_UPDATE_BYTE_OFFSET,
&bytesRead,
NULL,
NULL );
if (NT_SUCCESS( status ) && (0 != bytesRead)) {
notification->BytesToScan = (ULONG) bytesRead;
//
// Copy only as much as the buffer can hold
//
RtlCopyMemory( ¬ification->Contents,
buffer,
min( notification->BytesToScan, SCANNER_READ_BUFFER_SIZE ) );
replyLength = sizeof( SCANNER_REPLY );
status = FltSendMessage( ScannerData.Filter,
&ScannerData.ClientPort,
notification,
sizeof(SCANNER_NOTIFICATION),
notification,
&replyLength,
NULL );
if (STATUS_SUCCESS == status) {
*SafeToOpen = ((PSCANNER_REPLY) notification)->SafeToOpen;
} else {
//
// Couldn't send message
//
DbgPrint( "!!! scanner.sys --- couldn't send message to user-mode to scan file, status 0x%X\n", status );
}
}
} finally {
if (NULL != buffer) {
FltFreePoolAlignedWithTag( Instance, buffer, 'nacS' );
}
if (NULL != notification) {
ExFreePoolWithTag( notification, 'nacS' );
}
if (NULL != volume) {
FltObjectDereference( volume );
}
}
return status;
}
3 回答
不需要这样的并发症 . 微软已经在内核中支持加密 . 查看内核本身用于执行散列,密钥和安全相关加密处理的CNG库 . 如果你真的坚持将文件内容发送到用户模式,我会提出一个更优雅的解决方案,那就是 read the file in the user-mode's process address space .
打开文件并查询其大小 .
使用用户模式进程的进程句柄调用ZwAllocateVirtualMemory .
读取分配空间中的文件内容 .
发送用户模式进程分配的地址以及大小和其他信息,如文件名等 .
等待用户模式进程完成处理并获得结果 .
调用ZwFreeVirtualMemory释放内存,或者如果你有异步模型,让用户模式进程通过调用VirtualFree释放它自己的内存 .
我要考虑的另一个替代方法是在内核中打开文件,然后调用ZwDuplicateObject并为我的用户模式进程创建文件句柄 . 最后,向用户模式进程发送句柄,让它与句柄一起工作,读取/查询执行它想要的操作 . 同样取决于您的实现,用户模式进程可以关闭句柄,或者您可以在用户模式进程的上下文中等待并关闭它(例如,使用KeStackAttachProcess附加到其地址空间) .
尽管如此,我还是会在内核中完成所有处理工作,因为切换上下文总是很昂贵 .
祝好运,
加布里埃尔
在内核中读取较少并且在用户模式下读取整个文件总是更好,这需要来自内核的文件信息被发送到必须读取的用户模式 .
如果你想读取完整的文件并通过端口发送它,那么你应该注意FltReadFile API及其参数,有一个参数负责读取文件的数量 . 您必须将标记缓冲区大小与标记池一起设置 .