文件监控(教学版)

参考FileSpy写的文件监控程序，但比它的抽象多了。可能瑞星的文件驱动也是这样写的，否则它为什么老阻止我安装驱动呢。测试程序是一个命令行小程序，负责打开设备，开启监控和关闭监控，运行时开启和关闭两次。

在DebugView中查看输出信息，我只是想看看能不能达到目的，所以信息量很少。

在驱动程序中开启和关闭监控的代码：

VOID AttachedToDeviceByName (__in PWSTR DeviceName, __in BOOLEAN attach)

{

  UCHAR tmp_buf1[50];

  UNICODE_STRING volumeName;

  NTSTATUS status;

  OBJECT_ATTRIBUTES objectAttributes;

  IO_STATUS_BLOCK openStatus;

  HANDLE fileHandle;

  PDEVICE_OBJECT volume_obj, fs_obj, spy_obj;

  PFILESPY_DEVICE_EXTENSION devExt;

  ULONG i;

  LARGE_INTEGER interval;

  PDEVICE_OBJECT current_obj, next_obj;

  PAGED_CODE();

  //应用程序传过来的盘符

  RtlInitEmptyUnicodeString(&volumeName, (PWSTR)tmp_buf1, sizeof(tmp_buf1));

  RtlAppendUnicodeToString(&volumeName, L"\\DosDevices\\");

  status = RtlAppendUnicodeToString(&volumeName, DeviceName);

  InitializeObjectAttributes( &objectAttributes,

                &volumeName,

                OBJ_CASE_INSENSITIVE | OBJ_KERNEL_HANDLE,

                NULL,

                NULL );

  status = ZwCreateFile( &fileHandle,

               SYNCHRONIZE|FILE_READ_DATA,

               &objectAttributes,

               &openStatus,

               NULL,

               0,

               FILE_SHARE_READ|FILE_SHARE_WRITE,

               FILE_OPEN,

               FILE_SYNCHRONOUS_IO_NONALERT,

               NULL,

               0 );

  status = ObReferenceObjectByHandle( fileHandle,

                    FILE_READ_DATA,

                    *IoFileObjectType,

                    KernelMode,

                    &volume_obj,

                    NULL );

  fs_obj = IoGetBaseFileSystemDeviceObject( volume_obj );

  ObReferenceObject( fs_obj );

  if(attach)

  {    

    ObDereferenceObject( volume_obj );

    ZwClose( fileHandle );

    status = IoCreateDevice( gFileSpyDriverObject,

                sizeof( FILESPY_DEVICE_EXTENSION ),

                NULL,

                fs_obj->DeviceType,

                0,

                FALSE,

                &spy_obj );

    devExt = spy_obj->DeviceExtension;

    devExt->AttachedToDeviceObject = NULL;

    ASSERT( IS_FILESPY_DEVICE_OBJECT( spy_obj ) );

    SetFlag( spy_obj->Flags, FlagOn( fs_obj->Flags, (DO_BUFFERED_IO | DO_DIRECT_IO | DO_SUPPORTS_TRANSACTIONS)));

    SetFlag( spy_obj->Characteristics, FlagOn( fs_obj->Characteristics, (FILE_DEVICE_SECURE_OPEN) ));

    for (i=0; i < 8; i++)

    {

      status = IoAttachDeviceToDeviceStackSafe( spy_obj, fs_obj, &devExt->AttachedToDeviceObject );

      if (NT_SUCCESS(status) )

      {

        break;

      }

      interval.QuadPart = (500 * DELAY_ONE_MILLISECOND);

      KeDelayExecutionThread( KernelMode, FALSE, &interval );

    }

    ClearFlag(spy_obj->Flags, DO_DEVICE_INITIALIZING);

    ObDereferenceObject( fs_obj );

  }

  else

  {

    current_obj = IoGetAttachedDeviceReference( fs_obj );

    while (NULL != current_obj)

    {

      if (IS_FILESPY_DEVICE_OBJECT( current_obj ))

      {

        spy_obj = current_obj;

        break;

      }

      next_obj = IoGetLowerDeviceObject( current_obj );

      ObDereferenceObject( current_obj );

      current_obj = next_obj;

    }

    ObDereferenceObject( volume_obj );

    ZwClose( fileHandle );

    devExt = spy_obj->DeviceExtension;

    IoDetachDevice( devExt->AttachedToDeviceObject );

    IoDeleteDevice( spy_obj );

    ObDereferenceObject( spy_obj );

    ObDereferenceObject( spy_obj );

    ObDereferenceObject( spy_obj );

    interval.QuadPart = (5 * DELAY_ONE_SECOND); //等5秒

    KeDelayExecutionThread( KernelMode, FALSE, &interval );

    ObDereferenceObject( fs_obj );

  }  

}

写的时候遇到一个有趣的问题是，驱动安装卸载一次，然后再安装，应用程序就不能访问它了，GetError()提示说系统找不到指定的文件。原来是卸载的时候没有卸干净，所以第二次不能用，程序中有相连的三句话“ObDereferenceObject( spy_obj);”正是我担心spy_obj不释放才出此下策。