好友
阅读权限10
听众
最后登录1970-1-1
|
本帖最后由 ccb777 于 2010-7-7 11:47 编辑
真的删得很猛~ 驱动不是我写的
以下驱动源码↓
#include <ntddk.h>
#include "windef.h"
#define NT_DEVICE_NAME L"\\Device\\SuperKillFile"
#define DOS_DEVICE_NAME L"\\DosDevices\\SuperKillFile"
#define IOCTL_SUPERKILLFILE CTL_CODE(FILE_DEVICE_UNKNOWN, 0x360, METHOD_BUFFERED, FILE_ANY_ACCESS)
NTSTATUS DriverEntry(IN PDRIVER_OBJECT DriverObject, IN PUNICODE_STRING RegistryPath);
NTSTATUS DispatchCreateClose(PDEVICE_OBJECT pDevObj, PIRP pIrp);
NTSTATUS DispatchIoctl(PDEVICE_OBJECT pDevObj, PIRP pIrp);
VOID SKillUnloadDriver( IN PDRIVER_OBJECT DriverObject );
HANDLE
SkillIoOpenFile(
IN PCWSTR FileName,
IN ACCESS_MASK DesiredAccess,
IN ULONG ShareAccess
)
{
NTSTATUS ntStatus;
UNICODE_STRING uniFileName;
OBJECT_ATTRIBUTES objectAttributes;
HANDLE ntFileHandle;
IO_STATUS_BLOCK ioStatus;
if (KeGetCurrentIrql() > PASSIVE_LEVEL)
{
DbgPrint("KeGetCurrentIrql() > PASSIVE_LEVEL\n");
return 0;
}
RtlInitUnicodeString(&uniFileName, FileName);
InitializeObjectAttributes(&objectAttributes, &uniFileName,
OBJ_KERNEL_HANDLE | OBJ_CASE_INSENSITIVE, NULL, NULL);
ntStatus = IoCreateFile(&ntFileHandle,
DesiredAccess,
&objectAttributes,
&ioStatus,
0,
FILE_ATTRIBUTE_NORMAL,
ShareAccess,
FILE_OPEN,
0,
NULL,
0,
0,
NULL,
IO_NO_PARAMETER_CHECKING);
if (!NT_SUCCESS(ntStatus))
{
return 0;
}
return ntFileHandle;
}
NTSTATUS
SkillSetFileCompletion(
IN PDEVICE_OBJECT DeviceObject,
IN PIRP Irp,
IN PVOID Context
)
{
Irp->UserIosb->Status = Irp->IoStatus.Status;
Irp->UserIosb->Information = Irp->IoStatus.Information;
KeSetEvent(Irp->UserEvent, IO_NO_INCREMENT, FALSE);
IoFreeIrp(Irp);
return STATUS_MORE_PROCESSING_REQUIRED;
}
//去掉只读属性
BOOLEAN
SKillStripFileAttributes(
IN HANDLE FileHandle
)
{
NTSTATUS ntStatus = STATUS_SUCCESS;
PFILE_OBJECT fileObject;
PDEVICE_OBJECT DeviceObject;
PIRP Irp;
KEVENT event;
FILE_BASIC_INFORMATION FileInformation;
IO_STATUS_BLOCK ioStatus;
PIO_STACK_LOCATION irpSp;
ntStatus = ObReferenceObjectByHandle(FileHandle,
DELETE,
*IoFileObjectType,
KernelMode,
&fileObject,
NULL);
if (!NT_SUCCESS(ntStatus))
{
return FALSE;
}
DeviceObject = IoGetRelatedDeviceObject(fileObject);
Irp = IoAllocateIrp(DeviceObject->StackSize, TRUE);
if (Irp == NULL)
{
ObDereferenceObject(fileObject);
return FALSE;
}
KeInitializeEvent(&event, SynchronizationEvent, FALSE);
memset(&FileInformation,0,0x28);
FileInformation.FileAttributes = FILE_ATTRIBUTE_NORMAL;
Irp->AssociatedIrp.SystemBuffer = &FileInformation;
Irp->UserEvent = &event;
Irp->UserIosb = &ioStatus;
Irp->Tail.Overlay.OriginalFileObject = fileObject;
Irp->Tail.Overlay.Thread = (PETHREAD)KeGetCurrentThread();
Irp->RequestorMode = KernelMode;
irpSp = IoGetNextIrpStackLocation(Irp);
irpSp->MajorFunction = IRP_MJ_SET_INFORMATION;
irpSp->DeviceObject = DeviceObject;
irpSp->FileObject = fileObject;
irpSp->Parameters.SetFile.Length = sizeof(FILE_BASIC_INFORMATION);
irpSp->Parameters.SetFile.FileInformationClass = FileBasicInformation;
irpSp->Parameters.SetFile.FileObject = fileObject;
IoSetCompletionRoutine(
Irp,
SkillSetFileCompletion,
&event,
TRUE,
TRUE,
TRUE);
IoCallDriver(DeviceObject, Irp);
KeWaitForSingleObject(&event, Executive, KernelMode, TRUE, NULL);
ObDereferenceObject(fileObject);
return TRUE;
}
BOOLEAN
SKillDeleteFile(
IN HANDLE FileHandle
)
{
NTSTATUS ntStatus = STATUS_SUCCESS;
PFILE_OBJECT fileObject;
PDEVICE_OBJECT DeviceObject;
PIRP Irp;
KEVENT event;
FILE_DISPOSITION_INFORMATION FileInformation;
IO_STATUS_BLOCK ioStatus;
PIO_STACK_LOCATION irpSp;
PSECTION_OBJECT_POINTERS pSectionObjectPointer;
SKillStripFileAttributes( FileHandle); //去掉只读属性,才能删除只读文件
ntStatus = ObReferenceObjectByHandle(FileHandle,
DELETE,
*IoFileObjectType,
KernelMode,
&fileObject,
NULL);
if (!NT_SUCCESS(ntStatus))
{
return FALSE;
}
DeviceObject = IoGetRelatedDeviceObject(fileObject);
Irp = IoAllocateIrp(DeviceObject->StackSize, TRUE);
if (Irp == NULL)
{
ObDereferenceObject(fileObject);
return FALSE;
}
KeInitializeEvent(&event, SynchronizationEvent, FALSE);
FileInformation.DeleteFile = TRUE;
Irp->AssociatedIrp.SystemBuffer = &FileInformation;
Irp->UserEvent = &event;
Irp->UserIosb = &ioStatus;
Irp->Tail.Overlay.OriginalFileObject = fileObject;
Irp->Tail.Overlay.Thread = (PETHREAD)KeGetCurrentThread();
Irp->RequestorMode = KernelMode;
irpSp = IoGetNextIrpStackLocation(Irp);
irpSp->MajorFunction = IRP_MJ_SET_INFORMATION;
irpSp->DeviceObject = DeviceObject;
irpSp->FileObject = fileObject;
irpSp->Parameters.SetFile.Length = sizeof(FILE_DISPOSITION_INFORMATION);
irpSp->Parameters.SetFile.FileInformationClass = FileDispositionInformation;
irpSp->Parameters.SetFile.FileObject = fileObject;
IoSetCompletionRoutine(
Irp,
SkillSetFileCompletion,
&event,
TRUE,
TRUE,
TRUE);
//再加上下面这三行代码 ,MmFlushImageSection 函数通过这个结构来检查是否可以删除文件。
pSectionObjectPointer = fileObject->SectionObjectPointer;
pSectionObjectPointer->ImageSectionObject = 0;
pSectionObjectPointer->DataSectionObject = 0;
IoCallDriver(DeviceObject, Irp);
KeWaitForSingleObject(&event, Executive, KernelMode, TRUE, NULL);
ObDereferenceObject(fileObject);
return TRUE;
}
NTSTATUS DriverEntry(
IN PDRIVER_OBJECT DriverObject,
IN PUNICODE_STRING RegistryPath
)
{
UNICODE_STRING uniDeviceName;
UNICODE_STRING uniSymLink;
NTSTATUS ntStatus;
PDEVICE_OBJECT deviceObject = NULL;
RtlInitUnicodeString(&uniDeviceName, NT_DEVICE_NAME);
RtlInitUnicodeString(&uniSymLink, DOS_DEVICE_NAME);
DriverObject->MajorFunction[IRP_MJ_CREATE] = DispatchCreateClose;
DriverObject->MajorFunction[IRP_MJ_CLOSE] = DispatchCreateClose;
DriverObject->MajorFunction[IRP_MJ_DEVICE_CONTROL] = DispatchIoctl;
DriverObject->DriverUnload = SKillUnloadDriver;
ntStatus = IoCreateDevice(
DriverObject,
0,
&uniDeviceName,
FILE_DEVICE_UNKNOWN,
FILE_DEVICE_SECURE_OPEN,
FALSE,
&deviceObject);
if (!NT_SUCCESS(ntStatus))
{
return ntStatus;
}
ntStatus = IoCreateSymbolicLink(&uniSymLink, &uniDeviceName);
if (!NT_SUCCESS(ntStatus))
{
IoDeleteDevice(deviceObject);
return ntStatus;
}
DbgPrint("drever loaded!\n");
return STATUS_SUCCESS;
}
NTSTATUS DispatchCreateClose(PDEVICE_OBJECT pDevObj, PIRP pIrp)
{
pIrp->IoStatus.Status = STATUS_SUCCESS;
IoCompleteRequest(pIrp, IO_NO_INCREMENT);
return STATUS_SUCCESS;
}
NTSTATUS DispatchIoctl(PDEVICE_OBJECT pDevObj, PIRP pIrp)
{
NTSTATUS ntStatus = STATUS_INVALID_DEVICE_REQUEST;
PIO_STACK_LOCATION pIrpStack = IoGetCurrentIrpStackLocation(pIrp);
ULONG uIoControlCode = pIrpStack->Parameters.DeviceIoControl.IoControlCode;
PVOID ioBuf = pIrp->AssociatedIrp.SystemBuffer;
ULONG inBufLength = pIrpStack->Parameters.DeviceIoControl.InputBufferLength;
ULONG outBufLength = pIrpStack->Parameters.DeviceIoControl.OutputBufferLength;
HANDLE hFileHandle;
PCWSTR Path;
switch(uIoControlCode)
{
case IOCTL_SUPERKILLFILE:
{
Path=*(PCWSTR *)ioBuf;
hFileHandle = SkillIoOpenFile(Path,
FILE_READ_ATTRIBUTES,
FILE_SHARE_DELETE);
if (hFileHandle!=NULL)
{
SKillDeleteFile(hFileHandle);
ZwClose(hFileHandle);
DbgPrint("succeed!\n");
}
break;
}
}
if(ntStatus == STATUS_SUCCESS)
pIrp->IoStatus.Information = outBufLength;
else
pIrp->IoStatus.Information = 0;
pIrp->IoStatus.Status = ntStatus;
IoCompleteRequest(pIrp, IO_NO_INCREMENT);
return ntStatus;
}
VOID SKillUnloadDriver(
IN PDRIVER_OBJECT DriverObject
)
{
PDEVICE_OBJECT deviceObject = DriverObject->DeviceObject;
UNICODE_STRING uniSymLink;
RtlInitUnicodeString(&uniSymLink, DOS_DEVICE_NAME);
DbgPrint("driver unloaded.\n");
IoDeleteSymbolicLink(&uniSymLink);
IoDeleteDevice(deviceObject);
}
oJJ.rar
(56.26 KB, 下载次数: 153)
有了驱动源码 大家就容易写很多了吧! |
|
发表于 2010-7-7 11:44
|
发表于 2010-7-7 13:13
