
拦截某些程序对某些文件的上传

离线天道酬勤
 

楼主  发表于: 2016-02-11
— 本帖被 天道酬勤 从 驱动保护 移动到本区(2016-05-19) —

minifilter、sfilter 也可以做这类事情，但是写起来有一大坨~翻了一下硬盘，发现很久很久以前写的一个代码~
主要代码如下，其他部分的代码都可以自己写写完事了~


代码:
// Hook bookkeeping for the two system-call entries intercepted below.
// Only the .oritocall member is used here: OnNtCreateFile / OnNtOpenFile call
// through it to reach the original ZwCreateFile / ZwOpenFile. Whether the hook
// is installed via the SSDT or as an inline patch is not part of this listing.
Hookstru OrigZwCreateFile;
Hookstru OrigZwOpenFile;
// Allow-list of file-name patterns consulted by IsGoodFileName BEFORE the
// deny-list, so a matching name is always passed through. Matched with
// FsRtlIsNameInExpression(IgnoreCase = TRUE), which requires the expression
// to be uppercase - keep new entries uppercase.
wchar_t m_wcGoodFile[][MAX_PATH] =
{
  L"*\\GAME.TRC",
};
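/*
 * IsGoodFileName - does usName match any allow-list pattern in m_wcGoodFile?
 *
 * usName: the ObjectName being created/opened, as supplied by the caller
 *         (may be NULL; treated as "no match").
 * Returns TRUE on the first matching pattern, FALSE if none matches.
 *
 * Fix: the loop used to pass the whole m_wcGoodFile array to
 * RtlInitUnicodeString instead of m_wcGoodFile[i], so only the first
 * pattern was ever tested regardless of the loop index.
 */
BOOLEAN IsGoodFileName(PUNICODE_STRING usName)
{
  size_t i;

  if (usName == NULL)
  {
    return FALSE;
  }
  for (i = 0; i < sizeof(m_wcGoodFile) / sizeof(m_wcGoodFile[0]); i++)
  {
    UNICODE_STRING usExpression;
    // IgnoreCase == TRUE requires an uppercase expression; the table entries
    // are kept uppercase for that reason.
    RtlInitUnicodeString(&usExpression, m_wcGoodFile[i]);
    if (FsRtlIsNameInExpression(&usExpression, usName, TRUE, NULL))
    {
      return TRUE;
    }
  }
  return FALSE;
}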
// Deny-list of file-name patterns consulted by IsBadFileName; a user-mode
// create/open whose name matches (and did not match the allow-list above)
// is failed with STATUS_ACCESS_DENIED by the hooks below. Same matching rules
// as m_wcGoodFile: FsRtlIsNameInExpression with IgnoreCase = TRUE, so the
// expressions must be uppercase.
wchar_t m_wcBadFile[][MAX_PATH] =
{
  L"*\\~DMP*.TMP",
  L"*.CMP",
  L"*.DMP",
  L"*.TRC",
        L"*.CPP",
        L"*.C",
        L"*.H",
        L"*.E",
        L"*.LUA",
        L"*.LOG"
};


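/*
 * IsBadFileName - does usName match any deny-list pattern in m_wcBadFile?
 *
 * usName: the ObjectName being created/opened, as supplied by the caller
 *         (may be NULL; treated as "no match").
 * Returns TRUE on the first matching pattern, FALSE if none matches.
 *
 * Fix: the loop used to pass the whole m_wcBadFile array to
 * RtlInitUnicodeString instead of m_wcBadFile[i], so only the first
 * pattern ("*\\~DMP*.TMP") was ever tested and the rest of the list was dead.
 */
BOOLEAN IsBadFileName(PUNICODE_STRING usName)
{
  size_t i;

  if (usName == NULL)
  {
    return FALSE;
  }
  for (i = 0; i < sizeof(m_wcBadFile) / sizeof(m_wcBadFile[0]); i++)
  {
    UNICODE_STRING usExpression;
    // IgnoreCase == TRUE requires an uppercase expression; the table entries
    // are kept uppercase for that reason.
    RtlInitUnicodeString(&usExpression, m_wcBadFile[i]);
    if (FsRtlIsNameInExpression(&usExpression, usName, TRUE, NULL))
    {
      return TRUE;
    }
  }
  return FALSE;
}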
// Process allow-list consulted by IsNormalProcess: a process whose image name
// (case-insensitive) appears here is never filtered by the hooks below.
// The names are compared against PsGetProcessImageFileName(), which yields
// only the short EPROCESS image name, so entries longer than 15 characters
// are stored truncated ("vmware-hostd.ex", "iTunesHelper.ex") on purpose.
// NOTE(review): an image name is not an identity - any binary can be given a
// listed name - so this list reduces noise; it cannot enforce the policy.
const char normalProcesslist[][33]={
  "explorer.exe",
  "svchost.exe",
  "ctfmon.exe",
  "conime.exe",
  "csrss.exe",
  "winlogon.exe",
  "wmiprvse.exe",
  "services.exe",
  "rthdcpl.exe",
  "lsass.exe",
  "devenv.exe",
  "nvsvc32.exe",
  "cmd.exe",
  "firefox.exe",
  "notepad.exe",
  "iPodService.exe",
  "QQPYCloud.exe",
  "notepad++.exe",
  "vmware-hostd.ex",   // truncated to the 15-character short image name
  "QQPYConfig.exe",
  "TSVNCache.exe",
  "iTunesHelper.ex",   // truncated to the 15-character short image name
  "AGPLoader.exe",
  "od.exe",
  "Dbgview.exe",
  "vcpkgsrv.exe",
  "MSBuild.exe",
  "AutoVersion.exe",
  "build.exe",
  "nmake.exe",
  "calc.exe",
  "link.exe",
  "idaq.exe",
  "verclsid.exe",
};
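/*
 * IsNormalProcess - is Process on the normalProcesslist allow-list?
 *
 * Process: the process to classify (the hooks pass PsGetCurrentProcess()).
 * Returns TRUE if the short image name of Process equals a list entry
 * (case-insensitive), FALSE otherwise, including for a NULL process or a
 * NULL image name.
 *
 * PsGetProcessImageFileName returns the short EPROCESS image name (at most
 * 15 characters plus the terminator), which is why the copy is bounded at 16
 * and why longer list entries are stored truncated.
 * NOTE(review): the image name is caller-controlled (a binary can be renamed
 * to any listed name), so this is a noise filter, not an authorization check.
 *
 * Fix: the comparison used to pass the whole normalProcesslist array to
 * _stricmp instead of normalProcesslist[i], so only the first entry
 * ("explorer.exe") was ever matched.
 */
BOOL IsNormalProcess(PEPROCESS Process)
{
  char processname[128];
  const char *imageName;
  size_t i;

  if (Process == NULL)
  {
    return FALSE;
  }
  imageName = PsGetProcessImageFileName(Process);
  if (imageName == NULL)
  {
    return FALSE;
  }
  // Zero the buffer first so the bounded copy (16 < sizeof processname) is
  // always NUL-terminated even if the source uses all 15 characters.
  RtlZeroMemory(processname, sizeof(processname));
  strncpy(processname, imageName, 16);
  for (i = 0; i < sizeof(normalProcesslist) / sizeof(normalProcesslist[0]); i++)
  {
    if (_stricmp(processname, normalProcesslist[i]) == 0)
    {
      return TRUE;
    }
  }
  return FALSE;
}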
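/*
 * OnNtCreateFile - hook for ZwCreateFile. For user-mode callers whose process
 * is not on normalProcesslist, a request whose ObjectName matches the
 * deny-list (and not the allow-list) fails with STATUS_ACCESS_DENIED; every
 * other request is forwarded to the original entry saved in
 * OrigZwCreateFile.oritocall.
 *
 * Parameters and return value are those of ZwCreateFile.
 *
 * Limitations of this check (documented, not fixed here):
 *  - ObjectAttributes/ObjectName are read from caller memory and then handed
 *    unchanged to the original call, so a caller that changes the name
 *    between the two reads is not caught (double fetch).
 *  - Only the supplied name string is matched; a name relative to
 *    RootDirectory or any other spelling of the same file is not normalized.
 *  - Any exception while reading caller memory is swallowed and the request
 *    is passed through unfiltered (best-effort filter).
 *
 * Fix: MmIsAddressValid is not a valid check for user-mode addresses; the
 * caller's buffer is now probed with ProbeForRead inside __try, which is the
 * supported way to validate a pointer from a UserMode previous mode.
 */
NTSTATUS NTAPI
  OnNtCreateFile (
  PHANDLE FileHandle,
  ACCESS_MASK DesiredAccess,
  POBJECT_ATTRIBUTES ObjectAttributes,
  PIO_STATUS_BLOCK IoStatusBlock,
  PLARGE_INTEGER AllocationSize,
  ULONG FileAttributes,
  ULONG ShareAccess,
  ULONG CreateDisposition,
  ULONG CreateOptions,
  PVOID EaBuffer,
  ULONG EaLength
  )
{
  T_ZwCreateFile OldZwCreateFile = (T_ZwCreateFile)OrigZwCreateFile.oritocall;
  BOOLEAN deny = FALSE;

  // Only user-mode callers are filtered; kernel-mode callers keep full access.
  if (ExGetPreviousMode() == UserMode && !IsNormalProcess(PsGetCurrentProcess()))
  {
    __try
    {
      // Previous mode is UserMode, so ObjectAttributes is a user pointer:
      // probe it (raises on a bad/misaligned address, landing in __except).
      ProbeForRead(ObjectAttributes, sizeof(OBJECT_ATTRIBUTES), sizeof(ULONG));
      if (ValidateUnicodeString(ObjectAttributes->ObjectName)
          && !IsGoodFileName(ObjectAttributes->ObjectName)
          && IsBadFileName(ObjectAttributes->ObjectName))
      {
        deny = TRUE;
      }
    }
    __except (EXCEPTION_EXECUTE_HANDLER)
    {
      // Unreadable caller memory: let the original call report the error.
      deny = FALSE;
    }
  }
  if (deny)
  {
    return STATUS_ACCESS_DENIED;
  }
  return OldZwCreateFile(FileHandle, DesiredAccess, ObjectAttributes, IoStatusBlock,
                         AllocationSize, FileAttributes, ShareAccess, CreateDisposition,
                         CreateOptions, EaBuffer, EaLength);
}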


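/*
 * OnNtOpenFile - hook for ZwOpenFile. For user-mode callers whose process is
 * not on normalProcesslist, a request whose ObjectName matches the deny-list
 * (and not the allow-list) fails with STATUS_ACCESS_DENIED; every other
 * request is forwarded to the original entry saved in OrigZwOpenFile.oritocall.
 *
 * Parameters and return value are those of ZwOpenFile.
 *
 * Limitations of this check (documented, not fixed here):
 *  - ObjectAttributes/ObjectName are read from caller memory and then handed
 *    unchanged to the original call, so a caller that changes the name
 *    between the two reads is not caught (double fetch).
 *  - Only the supplied name string is matched; a name relative to
 *    RootDirectory or any other spelling of the same file is not normalized.
 *  - Any exception while reading caller memory is swallowed and the request
 *    is passed through unfiltered (best-effort filter).
 *
 * Fix: MmIsAddressValid is not a valid check for user-mode addresses; the
 * caller's buffer is now probed with ProbeForRead inside __try, which is the
 * supported way to validate a pointer from a UserMode previous mode.
 */
NTSTATUS NTAPI
  OnNtOpenFile(
  PHANDLE FileHandle,
  ACCESS_MASK DesiredAccess,
  POBJECT_ATTRIBUTES ObjectAttributes,
  PIO_STATUS_BLOCK IoStatusBlock,
  ULONG ShareAccess,
  ULONG OpenOptions
  )
{
  T_ZwOpenFile OldZwOpenFile = (T_ZwOpenFile)OrigZwOpenFile.oritocall;
  BOOLEAN deny = FALSE;

  // Only user-mode callers are filtered; kernel-mode callers keep full access.
  if (ExGetPreviousMode() == UserMode && !IsNormalProcess(PsGetCurrentProcess()))
  {
    __try
    {
      // Previous mode is UserMode, so ObjectAttributes is a user pointer:
      // probe it (raises on a bad/misaligned address, landing in __except).
      ProbeForRead(ObjectAttributes, sizeof(OBJECT_ATTRIBUTES), sizeof(ULONG));
      if (ValidateUnicodeString(ObjectAttributes->ObjectName)
          && !IsGoodFileName(ObjectAttributes->ObjectName)
          && IsBadFileName(ObjectAttributes->ObjectName))
      {
        deny = TRUE;
      }
    }
    __except (EXCEPTION_EXECUTE_HANDLER)
    {
      // Unreadable caller memory: let the original call report the error.
      deny = FALSE;
    }
  }
  if (deny)
  {
    return STATUS_ACCESS_DENIED;
  }
  return OldZwOpenFile(FileHandle, DesiredAccess, ObjectAttributes, IoStatusBlock,
                       ShareAccess, OpenOptions);
}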
离线v2680267313

沙发  发表于: 2016-04-30
用户被禁言,该主题自动屏蔽!