2013年8月5日星期一

Minifilter禁止远程访问本地共享文件

/*
禁止远程计算机访问本地共享文件。
另一个功能是禁止本计算机访问别的计算机的资源。估计也就是处理设备名或者路径的开头标志,这也是一个思路。

效果是可以看到远程计算机的顶层共享文件夹,但是里面的内容打不开。
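在前操作(pre-create)回调里实现没有成功,在后操作(post-create)回调里实现成功了。
注意:代码是按模拟级别(SecurityImpersonation)来判断的,并没有使用 IoIsFileOriginRemote,所以本机上处于该模拟级别的线程发起的打开请求同样会被拒绝。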
很简单,也值得收藏。

注意:
The IoIsFileOriginRemote routine determines whether a given file object is for a remote create request. 
File system filter drivers call IoIsFileOriginRemote for a file object to determine whether it represents a remote create request. 
IoIsFileOriginRemote must be called after the create request has entirely completed. In other words, it cannot be called in the create dispatch ("pre-create") path or the create completion ("post-create") path. 
IoIsFileOriginRemote checks the FO_REMOTE_ORIGIN flag on the file object pointed to by FileObject. Network file systems set or clear this flag by calling IoSetFileOrigin. 

Network file systems call IoSetFileOrigin to set or clear the FO_REMOTE_ORIGIN flag on the file object pointed to by FileObject. 
This flag is set to indicate that the file object was created to satisfy a remote create request. 
Network file systems should call IoSetFileOrigin in their servers for any file objects that are created to satisfy a create request from a network client. 
File system filter drivers should not call IoSetFileOrigin. 

made by correy
made at 2013.08.05
email:kouleguan at hotmail dot com
homepage:http://correy.webs.com
*/

#include <fltKernel.h>

#define _In_ // This line can be removed when building with VS2012 + WDK 8.0.

// Filter handle: written by FltRegisterFilter in DriverEntry, then passed to
// FltStartFiltering and FltUnregisterFilter (DriverEntry, PtUnload).
PFLT_FILTER gFilterHandle;

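/*
 * Post-create callback: fails an otherwise successful open with
 * STATUS_ACCESS_DENIED when the requesting thread is impersonating a client
 * at SecurityImpersonation level.
 *
 * The impersonation level is the only test applied here; the file header
 * explains that IoIsFileOriginRemote cannot be used in the create paths.
 * This is a heuristic: any local thread that opens a file while impersonating
 * at this level is denied as well.
 * NOTE(review): a client token at SecurityDelegation does not match the
 * equality test below - confirm whether such requests should also be denied.
 *
 * Data              - callback data for the completed IRP_MJ_CREATE.
 * FltObjects        - instance and file object of the open being inspected.
 * CompletionContext - unused (no pre-operation callback is registered).
 * Flags             - post-operation flags; checked for draining.
 *
 * Always returns FLT_POSTOP_FINISHED_PROCESSING.
 */
FLT_POSTOP_CALLBACK_STATUS CreatePostOperation (__inout PFLT_CALLBACK_DATA Data,__in PCFLT_RELATED_OBJECTS FltObjects, __in_opt PVOID CompletionContext,__in FLT_POST_OPERATION_FLAGS Flags)
{
    PIO_SECURITY_CONTEXT securityContext;
    PACCESS_STATE accessState;

    UNREFERENCED_PARAMETER( CompletionContext );

    // When the instance is being torn down the callback is invoked only for
    // cleanup; the open must not be inspected or cancelled in that case.
    if ( FlagOn( Flags, FLTFL_POST_OPERATION_DRAINING ) )
    {
        return FLT_POSTOP_FINISHED_PROCESSING;
    }

    // Nothing to deny if the create already failed or is being reparsed.
    if ( !NT_SUCCESS( Data->IoStatus.Status ) || ( STATUS_REPARSE == Data->IoStatus.Status ) )
    {
        return FLT_POSTOP_FINISHED_PROCESSING;
    }

    // Data->Iopb corresponds to the current IRP stack location.
    securityContext = Data->Iopb->Parameters.Create.SecurityContext;
    if ( securityContext == NULL || securityContext->AccessState == NULL )
    {
        // Defensive: without an access state there is nothing to test.
        return FLT_POSTOP_FINISHED_PROCESSING;
    }
    accessState = securityContext->AccessState;

    // ImpersonationLevel is only meaningful when a client token was captured,
    // i.e. the thread was impersonating; otherwise the field must not be
    // interpreted.
    if ( accessState->SubjectSecurityContext.ClientToken != NULL &&
         accessState->SubjectSecurityContext.ImpersonationLevel == SecurityImpersonation )
    {
        // Required, not optional: the create has already succeeded, so the
        // file object must be torn down before the status is changed to a
        // failure.
        FltCancelFileOpen( FltObjects->Instance, FltObjects->FileObject );
        Data->IoStatus.Status = STATUS_ACCESS_DENIED;
        Data->IoStatus.Information = 0;
    }

    return FLT_POSTOP_FINISHED_PROCESSING;
}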

// Operation table handed to the Filter Manager through FilterRegistration.
// Only IRP_MJ_CREATE is hooked, with a post-operation callback and no
// pre-operation callback.
CONST FLT_OPERATION_REGISTRATION Callbacks[] = {
    {
        IRP_MJ_CREATE,          //  MajorFunction
        0,                      //  Flags
        NULL,                   //  PreOperation
        CreatePostOperation     //  PostOperation
    },
    { IRP_MJ_OPERATION_END }    //  table terminator
};

// NOTE(review): PAGEDCODE is not defined in the visible file - confirm the
// pragma has the intended effect.
#pragma PAGEDCODE
/*
 * Instance setup callback. Accepts every attach request: all four arguments
 * are ignored and STATUS_SUCCESS is returned unconditionally, so no volume is
 * excluded by device or file system type.
 */
NTSTATUS PtInstanceSetup (
    __in PCFLT_RELATED_OBJECTS FltObjects,
    __in FLT_INSTANCE_SETUP_FLAGS Flags,
    __in DEVICE_TYPE VolumeDeviceType,
    __in FLT_FILESYSTEM_TYPE VolumeFilesystemType
    )
{
    UNREFERENCED_PARAMETER( FltObjects );
    UNREFERENCED_PARAMETER( Flags );
    UNREFERENCED_PARAMETER( VolumeDeviceType );
    UNREFERENCED_PARAMETER( VolumeFilesystemType );

    return STATUS_SUCCESS;
}

// NOTE(review): PAGEDCODE is not defined in the visible file - confirm the
// pragma has the intended effect.
#pragma PAGEDCODE
/*
 * Instance query-teardown callback. Both arguments are ignored and
 * STATUS_SUCCESS is returned unconditionally, so a detach request for an
 * instance is never refused by this filter.
 */
NTSTATUS PtInstanceQueryTeardown (
    __in PCFLT_RELATED_OBJECTS FltObjects,
    __in FLT_INSTANCE_QUERY_TEARDOWN_FLAGS Flags
    )
{
    UNREFERENCED_PARAMETER( FltObjects );
    UNREFERENCED_PARAMETER( Flags );

    return STATUS_SUCCESS;
}

// NOTE(review): PAGEDCODE is not defined in the visible file - confirm the
// pragma has the intended effect.
#pragma PAGEDCODE
/*
 * Unload callback. Unregisters the filter through the global handle and
 * reports success. Flags is ignored, so every unload request is accepted;
 * once the filter is unloaded the deny rule in CreatePostOperation is no
 * longer enforced.
 */
NTSTATUS PtUnload (
    __in FLT_FILTER_UNLOAD_FLAGS Flags
    )
{
    UNREFERENCED_PARAMETER( Flags );

    FltUnregisterFilter( gFilterHandle );

    return STATUS_SUCCESS;
}

// Registration record passed to FltRegisterFilter in DriverEntry. The
// initializer is positional, so the order of the entries must follow the
// member order of FLT_REGISTRATION. No contexts and no name-provider
// callbacks are registered; the only operation callbacks are those listed in
// Callbacks.
CONST FLT_REGISTRATION FilterRegistration = {
    sizeof( FLT_REGISTRATION ),         //  Size
    FLT_REGISTRATION_VERSION,           //  Version
    0,                                  //  Flags
    NULL,                               //  Context
    Callbacks,                          //  Operation callbacks
    PtUnload,                           //  MiniFilterUnload
    PtInstanceSetup,                    //  InstanceSetup
    PtInstanceQueryTeardown,            //  InstanceQueryTeardown
    NULL,                               //  InstanceTeardownStart
    NULL,                               //  InstanceTeardownComplete
    NULL,                               //  GenerateFileName
    NULL,                               //  GenerateDestinationFileName
    NULL                                //  NormalizeNameComponent
};

DRIVER_INITIALIZE DriverEntry;
#pragma alloc_text(INIT, DriverEntry)
/*
 * Driver entry point: registers the minifilter with the Filter Manager and
 * starts filtering.
 *
 * DriverObject - driver object passed on to FltRegisterFilter.
 * RegistryPath - unused.
 *
 * Returns the status of FltRegisterFilter if registration fails, otherwise
 * the status of FltStartFiltering. If filtering cannot be started the filter
 * is unregistered again before returning.
 */
NTSTATUS DriverEntry (_In_ PDRIVER_OBJECT DriverObject, _In_ PUNICODE_STRING RegistryPath)
{
    NTSTATUS status;

    UNREFERENCED_PARAMETER( RegistryPath );

    // Debugging aid left in by the author.
    // NOTE(review): presumably active only in checked builds - remove before
    // the driver is deployed outside a debugging session.
    KdBreakPoint();

    // Hand the callback tables to the Filter Manager.
    status = FltRegisterFilter( DriverObject, &FilterRegistration, &gFilterHandle );
    if (!NT_SUCCESS( status ))
    {
        return status;
    }

    status = FltStartFiltering( gFilterHandle );
    if (!NT_SUCCESS( status ))
    {
        // Roll back the registration so no half-initialized filter remains.
        FltUnregisterFilter( gFilterHandle );
    }

    return status;
}
