这里的保护并不是真正的保护,只是驱动在0环打开文件并一直占用其句柄,从而使该文件无法被操作
0环代码
        // IOCTL code handled by the CTL_PROTECT_PATH case of the dispatch code:
        // the driver opens the path sent in the input buffer and keeps the handle.
        // NOTE(review): IRP_IOCTRL_CODE is defined elsewhere; the transfer method and
        // required access it encodes are not visible here - confirm them.
        #define CTL_PROTECT_PATH IRP_IOCTRL_CODE(14)
        // IOCTL code handled by the CTL_UNPROTECT_PATH case: the driver closes the
        // handle it is holding.
        #define CTL_UNPROTECT_PATH IRP_IOCTRL_CODE(15)
        ...
        ...
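        // File operation - "protect" a file.
        //
        // Opens the file named by szFileName from ring 0 and stores the handle in
        // g_FileHandle; holding that handle open is the whole "protection".
        //
        // szFileName: ring-3 style ANSI path (e.g. c:\a.txt). It is prefixed with
        //             \??\ here to form the path used by the driver.
        // Returns:    the NTSTATUS of the first step that failed, or the status of
        //             the open. g_FileHandle is only replaced when the open succeeds.
        //
        // NOTE(review): szFileName is passed to RtlInitAnsiString, which scans for a
        // terminating NUL. The caller must make sure the IOCTL input buffer is
        // NUL-terminated within its length before calling this function.
        // NOTE(review): nothing visible here closes g_FileHandle on driver unload;
        // confirm the unload routine releases it.
        NTSTATUS SetProtectIoCall(char* szFileName) {
            NTSTATUS ntSTATUS = STATUS_SUCCESS;
            // File handle
            HANDLE hFile = NULL;
            // Completion status
            IO_STATUS_BLOCK Iostatus = { 0 };
            // Object attributes
            OBJECT_ATTRIBUTES ObjectAtt = { 0 };
            // Ring 3 path: c:\a.txt
            // Ring 0 path: \\??\\c:\a.txt
            // Convert the ring-3 path into the form the driver uses
            ANSI_STRING asFilePath = { 0 };
            UNICODE_STRING usFilePath = { 0 };
            UNICODE_STRING usDriverFilePath = { 0 };
            UNICODE_STRING usDrvPath = { 0 };
            WCHAR  wcBuffer[256];

            if (szFileName == NULL || szFileName[0] == '\0')
            {
                return STATUS_INVALID_PARAMETER;
            }

            // Pass the array itself (it decays to PWCHAR), not its address.
            RtlInitEmptyUnicodeString(&usDrvPath, wcBuffer, (USHORT)sizeof(wcBuffer));
            RtlInitUnicodeString(&usDriverFilePath, L"\\??\\");
            RtlInitAnsiString(&asFilePath, szFileName);

            ntSTATUS = RtlAnsiStringToUnicodeString(&usFilePath, &asFilePath, TRUE);
            if (!NT_SUCCESS(ntSTATUS))
            {
                return ntSTATUS;
            }

            // The append fails when prefix + path does not fit in wcBuffer. Checking
            // it keeps an over-long path from being opened as a shorter, different one.
            ntSTATUS = RtlAppendUnicodeStringToString(&usDrvPath, &usDriverFilePath);
            if (NT_SUCCESS(ntSTATUS))
            {
                ntSTATUS = RtlAppendUnicodeStringToString(&usDrvPath, &usFilePath);
            }
            // The converted string was allocated by the conversion call; free it on every path.
            RtlFreeUnicodeString(&usFilePath);
            if (!NT_SUCCESS(ntSTATUS))
            {
                return ntSTATUS;
            }

            // The path comes from a user-mode request. A Zw* call made by a driver is
            // treated as a kernel-mode request, so OBJ_FORCE_ACCESS_CHECK is set to make
            // the open subject to the normal access checks instead of bypassing them.
            InitializeObjectAttributes(&ObjectAtt, &usDrvPath, OBJ_CASE_INSENSITIVE | OBJ_KERNEL_HANDLE | OBJ_FORCE_ACCESS_CHECK, NULL, NULL);

            // Open the existing file. The argument list (allocation size, attributes,
            // share access, disposition, create options, EA buffer/length) is that of
            // ZwCreateFile; ZwOpenFile takes only six parameters.
            ntSTATUS = ZwCreateFile(&hFile, GENERIC_ALL, &ObjectAtt, &Iostatus, NULL, FILE_ATTRIBUTE_NORMAL, FILE_SHARE_WRITE | FILE_SHARE_READ, FILE_OPEN, FILE_SYNCHRONOUS_IO_NONALERT, NULL, 0);
            if (!NT_SUCCESS(ntSTATUS))
            {
                // Keep whatever handle is already held; do not overwrite it with NULL.
                return ntSTATUS;
            }

            // Only one handle can be stored: release the previous one instead of leaking it.
            if (g_FileHandle != NULL)
            {
                ZwClose(g_FileHandle);
            }
            // Save the file handle
            g_FileHandle = hFile;
            return ntSTATUS;
        }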
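        // File operation - remove the "protection".
        //
        // Closes the handle stored in g_FileHandle, if any, and clears the slot so a
        // second call cannot close the same (now stale) kernel handle again.
        //
        // Returns: the ZwClose status, or STATUS_UNSUCCESSFUL when no file is held.
        //          (The previous sentinel value 1 satisfies NT_SUCCESS, so "nothing to
        //          close" was reported to the caller as success.)
        //
        // The DbgBreakPoint() call was removed: it is a debugging aid, and a
        // breakpoint reachable from an IOCTL stops a machine that has no kernel
        // debugger attached.
        NTSTATUS SetUnProtectIoCall() {
            NTSTATUS ntSTATUS = STATUS_UNSUCCESSFUL;
            HANDLE hHeld = g_FileHandle;
            if (hHeld != NULL)
            {
                // Clear the global before closing so the stale value is never reused.
                g_FileHandle = NULL;
                ntSTATUS = ZwClose(hHeld);
            }
            return ntSTATUS;
        }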
        ...
        ...
                case CTL_PROTECT_PATH: {
                // Ask the driver to open and hold the file named in the input buffer,
                // then report the outcome as a text message in the output buffer.
                // NOTE(review): pInputBuffer is used as a C string; no check that it is
                // NUL-terminated within the caller-supplied input length is visible here.
                ntStatus = SetProtectIoCall(pInputBuffer);
                const char* pszReply = NT_SUCCESS(ntStatus) ? "Protect Success!" : "Protect Failed!";
                ULONG uRetlength = strlen(pszReply);
                // NOTE(review): 1024 is hard-coded; nothing visible here compares it with
                // the output buffer length of the request. Confirm the dispatch routine
                // rejects shorter buffers before this case runs.
                RtlZeroMemory(pOutputBuffer, 1024);
                RtlCopyMemory(pOutputBuffer, pszReply, uRetlength);
                // The IRP is completed with STATUS_SUCCESS on both outcomes; the result is
                // carried only by the message text.
                pIrp->IoStatus.Status = STATUS_SUCCESS;
                pIrp->IoStatus.Information = uRetlength;
                IoCompleteRequest(pIrp, IO_NO_INCREMENT);
                return STATUS_SUCCESS;
            }
            case CTL_UNPROTECT_PATH: {
                // Ask the driver to close the handle it is holding, then report the
                // outcome as a text message in the output buffer.
                // pInputBuffer is passed along, but SetUnProtectIoCall as shown on this
                // page declares no parameters and does not read it.
                ntStatus = SetUnProtectIoCall(pInputBuffer);
                const char* pszReply = NT_SUCCESS(ntStatus) ? "UnProtect Success!" : "UnProtect Failed!";
                ULONG uRetlength = strlen(pszReply);
                // NOTE(review): 1024 is hard-coded; nothing visible here compares it with
                // the output buffer length of the request. Confirm the dispatch routine
                // rejects shorter buffers before this case runs.
                RtlZeroMemory(pOutputBuffer, 1024);
                RtlCopyMemory(pOutputBuffer, pszReply, uRetlength);
                // The IRP is completed with STATUS_SUCCESS on both outcomes; the result is
                // carried only by the message text.
                pIrp->IoStatus.Status = STATUS_SUCCESS;
                pIrp->IoStatus.Information = uRetlength;
                IoCompleteRequest(pIrp, IO_NO_INCREMENT);
                return STATUS_SUCCESS;
            }
3环代码
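            case'B': {
              // Menu entry 'B': read a path from the console and send it to the driver
              // with CTL_PROTECT_PATH, then print the driver's text reply.
              RetNumber = 0;
              memset(InputBuffer, 0, sizeof(InputBuffer));
              memset(OutputBuffer, 0, sizeof(OutputBuffer));
              printf("请输入需要保护文件的路径:\n");
              // Bounded read: scanf_s is given the buffer size, so an over-long path is
              // rejected instead of overflowing InputBuffer (plain "%s" has no limit).
              // Assumes InputBuffer is a char array, as the sizeof-based memset above does.
              if (scanf_s("%s", InputBuffer, (unsigned)sizeof(InputBuffer)) != 1) {
                int ch;
                // Drop the rest of the rejected line so it is not read as the next menu choice.
                while ((ch = getchar()) != '\n' && ch != EOF) {
                }
                printf("读取路径失败\n");
                system("pause");
                break;
              }
              // Only print the reply when the request actually reached the driver.
              if (!DeviceIoControl(hDriver, CTL_PROTECT_PATH, InputBuffer, sizeof(InputBuffer), OutputBuffer, sizeof(OutputBuffer), &RetNumber, NULL)) {
                printf("DeviceIoControl 失败, 错误码: %lu\n", GetLastError());
              } else {
                printf("返回数据: %s\n", OutputBuffer);
              }
              system("pause");
              break;
            }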
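            case'C': {
              // Menu entry 'C': send CTL_UNPROTECT_PATH to the driver and print its text
              // reply. A path is still requested and sent, although the ring-0 code shown
              // on this page closes its single stored handle and does not read the path.
              RetNumber = 0;
              memset(InputBuffer, 0, sizeof(InputBuffer));
              memset(OutputBuffer, 0, sizeof(OutputBuffer));
              printf("请输入需要解除保护文件的路径:\n");
              // Bounded read: scanf_s is given the buffer size, so an over-long path is
              // rejected instead of overflowing InputBuffer (plain "%s" has no limit).
              // Assumes InputBuffer is a char array, as the sizeof-based memset above does.
              if (scanf_s("%s", InputBuffer, (unsigned)sizeof(InputBuffer)) != 1) {
                int ch;
                // Drop the rest of the rejected line so it is not read as the next menu choice.
                while ((ch = getchar()) != '\n' && ch != EOF) {
                }
                printf("读取路径失败\n");
                system("pause");
                break;
              }
              // Only print the reply when the request actually reached the driver.
              if (!DeviceIoControl(hDriver, CTL_UNPROTECT_PATH, InputBuffer, sizeof(InputBuffer), OutputBuffer, sizeof(OutputBuffer), &RetNumber, NULL)) {
                printf("DeviceIoControl 失败, 错误码: %lu\n", GetLastError());
              } else {
                printf("返回数据: %s\n", OutputBuffer);
              }
              system("pause");
              break;
            }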

解除保护后
