C#能调用windows底层的文件驱动不? C#能调用windows底层的文件驱动不? 求助,呵呵 解决方案 » 免费领取超大流量手机卡,每月29元包185G流量+100分钟通话, 中国电信官方发货 再求助FindFirstChangeNotificationW和ReadDirectoryChangesW这两个是windows底层的api函数,是用来监控文件变化的,能否在C#中调用这两个函数呢?谢谢各位大大们了! 可以的,底层和应用层的API都可以, 确认是可以调用,但是能否起到文件以改变就会通知用户呢?因为看了些例子在c++里面调用这个函数是比较方便的,但是不晓得在C#里面调用这个api函数能否起到监控的作用,谢谢了! 能调用就一定起作用,只不过用C#写有些结构得自己声明,例如PFILE_NOTIFY_INFORMATION,还得调用一些其他API,如果用C写就很方便了,你可以用C写dll再用C#调,反正我一向的原则是,哪个方便就用哪个,没必要非得用C# 还有,C#本身就有FileSystemWatcher,用起来很方便 如果要防止其他进程创建文件,应用层的话需要注入你要防止的进程,但这个只是防止了某一个进程,如果要防止所有进程往特定目录创建文件,那就得注入所有的进程了,比较麻烦,也许有其他方法,不过我也新手不太清楚。而内核里就比较容易了,你只需要把SSDT表中NtCreateFile函数的地址改成你自己的函数,然后判断传进来的参数,如果是你所指定的目录,直接返回失败即可 呵呵,我比你还新手,C#如果要HOOK NtCreatFile这个函数应该怎么实现呢?谢谢帮助啊! Hook只能用C写,Hook基本都是内存操作的函数,用C写更加容易。还有,我说的那个NtCreateFile指的是内核中的,不是Ntdll里的,这个得写驱动来实现,如果你需要,我可以给你写一个简单的例子,不过是C的代码 c# 能 dllimport 使用用 extern c 方式 导出的函数还可以用 COM ,使得 C# 能看见接口都不容易啊…… #ifdef __cplusplusextern "C" {#endif#include <ntddk.h>#include <wdm.h>#include <string.h>#include <windef.h>#ifdef __cplusplus}; // extern "C"#endif#include "HookNtCreateFile.h"#ifdef __cplusplusnamespace { #endif PDRIVER_OBJECT pdoGlobalDrvObj = 0;#ifdef __cplusplus}; #endifDWORD NtCreateFileIndex=0;PDWORD isChange=0;HANDLE hEvent=NULL;typedef struct ServiceDescriptorTable{ DWORD ServiceTableBase; PVOID pvServiceCounterTable; ULONG ulNumberOfServices; PVOID pvParamTableBase; }SSDT, *PSSDT;extern "C" PSSDT KeServiceDescriptorTable;typedef NTSTATUS (NTAPI *_RealNtCreateFile)(__out PHANDLE FileHandle, __in ACCESS_MASK DesiredAccess, __in POBJECT_ATTRIBUTES ObjectAttributes, __out PIO_STATUS_BLOCK IoStatusBlock, __in_opt PLARGE_INTEGER AllocationSize, __in ULONG FileAttributes, __in ULONG ShareAccess, __in ULONG CreateDisposition, __in ULONG CreateOptions, __in_opt PVOID EaBuffer, __in ULONG EaLength);_RealNtCreateFile RealNtCreateFile;NTSTATUS GetNtCreateFileIndex(VOID){ UNICODE_STRING usZwCreateFile; RtlInitUnicodeString(&usZwCreateFile,L"ZwCreateFile"); DWORD ZwCreateFile_func= 
(DWORD)MmGetSystemRoutineAddress(&usZwCreateFile); NtCreateFileIndex = *(DWORD*)(ZwCreateFile_func + 1); KdPrint(("NtCreateFile 函数在SSDT表中的序号是: %x\n",NtCreateFileIndex)); RealNtCreateFile=(_RealNtCreateFile)(*(DWORD*)(KeServiceDescriptorTable->ServiceTableBase+NtCreateFileIndex*4)); KdPrint(("NtCreateFile 函数的地址是:%x",(DWORD)RealNtCreateFile)); return STATUS_SUCCESS;}NTSTATUS NTAPI MyNtCreateFile(__out PHANDLE FileHandle, __in ACCESS_MASK DesiredAccess, __in POBJECT_ATTRIBUTES ObjectAttributes, __out PIO_STATUS_BLOCK IoStatusBlock, __in_opt PLARGE_INTEGER AllocationSize, __in ULONG FileAttributes, __in ULONG ShareAccess, __in ULONG CreateDisposition, __in ULONG CreateOptions, __in_opt PVOID EaBuffer, __in ULONG EaLength){ UNICODE_STRING FilePath; RtlInitUnicodeString(&FilePath,L"\\??\\C:\\1.txt"); if(!RtlCompareUnicodeString(&FilePath,ObjectAttributes->ObjectName,TRUE)) //如果是你指定的文件名则返回失败 { KdPrint((ObjectAttributes->ObjectName->Buffer)); return STATUS_UNSUCCESSFUL; } return RealNtCreateFile( FileHandle, DesiredAccess, ObjectAttributes, IoStatusBlock, AllocationSize, FileAttributes, ShareAccess, CreateDisposition, CreateOptions, EaBuffer, EaLength);}NTSTATUS HookNtCreateFile(VOID){ GetNtCreateFileIndex(); __asm { cli mov eax, cr0 and eax, not 10000h mov cr0, eax } *(DWORD*)(KeServiceDescriptorTable->ServiceTableBase+NtCreateFileIndex*4)=(DWORD)MyNtCreateFile; __asm { mov eax, cr0 or eax, 10000h mov cr0, eax sti } if(*(DWORD*)(KeServiceDescriptorTable->ServiceTableBase+NtCreateFileIndex*4)==(DWORD)MyNtCreateFile) return STATUS_SUCCESS; else return STATUS_UNSUCCESSFUL;}NTSTATUS UnHookNtCreateFile(VOID){ __asm { cli mov eax, cr0 and eax, not 10000h mov cr0, eax } if(RealNtCreateFile) { *(DWORD*)(KeServiceDescriptorTable->ServiceTableBase+NtCreateFileIndex*4)=(DWORD)RealNtCreateFile; KdPrint(("NtCreateFile Restored!\n")); } __asm { mov eax, cr0 or eax, 10000h mov cr0, eax sti } if(RealNtCreateFile) { return STATUS_SUCCESS; } else { return STATUS_UNSUCCESSFUL; }}NTSTATUS 
HOOKNTCREATEFILE_DispatchCreateClose( IN PDEVICE_OBJECT DeviceObject, IN PIRP Irp ){ NTSTATUS status = STATUS_SUCCESS; Irp->IoStatus.Status = status; Irp->IoStatus.Information = 0; IoCompleteRequest(Irp, IO_NO_INCREMENT); return status;}NTSTATUS HOOKNTCREATEFILE_DispatchDeviceControl( IN PDEVICE_OBJECT DeviceObject, IN PIRP Irp ){ NTSTATUS status = STATUS_SUCCESS; PIO_STACK_LOCATION irpSp = IoGetCurrentIrpStackLocation(Irp); PVOID InBuffer,OutBuffer; InBuffer = OutBuffer = (PCHAR)Irp->AssociatedIrp.SystemBuffer; ULONG uOutSize=irpSp->Parameters.DeviceIoControl.OutputBufferLength; //isChange=(DWORD*)MmMapIoSpace(MmGetPhysicalAddress((void*)(*(DWORD*)InBuffer)),4,MmNonCached); switch(irpSp->Parameters.DeviceIoControl.IoControlCode) { case IOCTL_HOOKNTCREATEFILE_OPERATION: // status = SomeHandlerFunction(irpSp); if(HookNtCreateFile()==STATUS_SUCCESS) { CHAR cInfo[] = "Hook NtCreateFile成功了"; int cInfoLen = strlen(cInfo)+1; memcpy(OutBuffer,cInfo,cInfoLen); Irp->IoStatus.Status = STATUS_SUCCESS; } break; default: Irp->IoStatus.Status = STATUS_INVALID_DEVICE_REQUEST; Irp->IoStatus.Information = 0; break; } if(status==STATUS_SUCCESS) Irp->IoStatus.Information=uOutSize; else Irp->IoStatus.Information=0; status = Irp->IoStatus.Status; IoCompleteRequest(Irp, IO_NO_INCREMENT); return status;}VOID HOOKNTCREATEFILE_DriverUnload( IN PDRIVER_OBJECT DriverObject ){ UnHookNtCreateFile(); ZwClose(hEvent); PDEVICE_OBJECT pdoNextDeviceObj = pdoGlobalDrvObj->DeviceObject; IoDeleteSymbolicLink(&usSymlinkName); while(pdoNextDeviceObj) { PDEVICE_OBJECT pdoThisDeviceObj = pdoNextDeviceObj; pdoNextDeviceObj = pdoThisDeviceObj->NextDevice; IoDeleteDevice(pdoThisDeviceObj); }}#ifdef __cplusplusextern "C" {#endif NTSTATUS DriverEntry( IN OUT PDRIVER_OBJECT DriverObject, IN PUNICODE_STRING RegistryPath ) { PDEVICE_OBJECT pdoDeviceObj = 0; NTSTATUS status = STATUS_UNSUCCESSFUL; pdoGlobalDrvObj = DriverObject; if(!NT_SUCCESS(status = IoCreateDevice( DriverObject, 0, &usDeviceName, 
FILE_DEVICE_UNKNOWN, FILE_DEVICE_SECURE_OPEN, FALSE, &pdoDeviceObj ))) { return status; }; if(!NT_SUCCESS(status = IoCreateSymbolicLink( &usSymlinkName, &usDeviceName ))) { IoDeleteDevice(pdoDeviceObj); return status; } DriverObject->MajorFunction[IRP_MJ_CREATE] = DriverObject->MajorFunction[IRP_MJ_CLOSE] = HOOKNTCREATEFILE_DispatchCreateClose; DriverObject->MajorFunction[IRP_MJ_DEVICE_CONTROL] = HOOKNTCREATEFILE_DispatchDeviceControl; DriverObject->DriverUnload = HOOKNTCREATEFILE_DriverUnload; return STATUS_SUCCESS; }#ifdef __cplusplus}; // extern "C"#endif 要不我给你传文件,我这已经成功了,win7和XP都可以,在C盘根目录下无法创建1.txt。QQ:1075375145 要不晚上加你,现在在公司不能上私人qq,抓到要被当迟到一次处理,哎,蛋疼的公司!或者发我qq邮箱[email protected],晚上回去加你,哥子,太感谢了!可以结贴了! c#调用cmd代码 求一种技术 一个控件,点击隐藏让它渐渐向右隐藏。怎么实现? winform文档窗口背景图片怎样最大化? 关于c# dataGridView的问题 达人们帮帮忙 先谢了 实时性较高的串口通讯如何解决? onclick 一个SOCKET的问题,服务器端如何向客户端发送消息 有关MDI子窗体最大化时隐藏系统的按钮? 窗体间的传值问题(再现等候,问题解决马上给分) vs2005在64位平台下编译的程序有问题 谁能帮我把这个网页HTML源代码无乱码保存到本地呢?
能调用就一定起作用,只不过用C#写有些结构得自己声明,例如PFILE_NOTIFY_INFORMATION,还得调用一些其他API,如果用C写就很方便了,你可以用C写dll再用C#调,反正我一向的原则是,哪个方便就用哪个,没必要非得用C#
如果要防止其他进程创建文件,应用层的话需要注入你要防止的进程,但这个只是防止了某一个进程,如果要防止所有进程往特定目录创建文件,那就得注入所有的进程了,比较麻烦,也许有其他方法,不过我也新手不太清楚。而内核里就比较容易了,你只需要把SSDT表中NtCreateFile函数的地址改成你自己的函数,然后判断传进来的参数,如果是你所指定的目录,直接返回失败即可
#ifdef __cplusplus
extern "C" {
#endif
#include <ntddk.h>
#include <wdm.h>
#include <wdmsec.h>
#include <string.h>
#include <windef.h>
#ifdef __cplusplus
}; // extern "C"
#endif#include "HookNtCreateFile.h"#ifdef __cplusplus
namespace {
#endif
/* Driver object recorded by DriverEntry; DriverUnload walks its device list from here. */
PDRIVER_OBJECT pdoGlobalDrvObj = NULL;
#ifdef __cplusplus
};
#endif
/* SSDT slot number of NtCreateFile, filled in by GetNtCreateFileIndex. */
DWORD NtCreateFileIndex = 0;
/* Not used by any live code in this file. */
PDWORD isChange = NULL;
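/* Never assigned anywhere in this file; DriverUnload closes it only when non-NULL. */
HANDLE hEvent = NULL;

/*
 * Partial layout of the kernel's service descriptor table.
 * Only ServiceTableBase is used below, indexed as an array of 32-bit
 * entries (index * 4), so everything touching it is 32-bit x86 specific.
 */
typedef struct ServiceDescriptorTable
{
    DWORD ServiceTableBase;
    PVOID pvServiceCounterTable;
    ULONG ulNumberOfServices;
    PVOID pvParamTableBase;
} SSDT, *PSSDT;

/* Resolved against the kernel export at link time (x86 builds). */
extern "C" PSSDT KeServiceDescriptorTable;

/* Signature of the NtCreateFile service, used to call the saved original. */
typedef NTSTATUS (NTAPI *_RealNtCreateFile)(__out PHANDLE FileHandle,
    __in ACCESS_MASK DesiredAccess,
    __in POBJECT_ATTRIBUTES ObjectAttributes,
    __out PIO_STATUS_BLOCK IoStatusBlock,
    __in_opt PLARGE_INTEGER AllocationSize,
    __in ULONG FileAttributes,
    __in ULONG ShareAccess,
    __in ULONG CreateDisposition,
    __in ULONG CreateOptions,
    __in_opt PVOID EaBuffer,
    __in ULONG EaLength);

/*
 * Routine found in the NtCreateFile slot when GetNtCreateFileIndex last ran.
 * NULL until the slot has been resolved at least once.
 */
_RealNtCreateFile RealNtCreateFile = NULL;

/*
 * Resolve NtCreateFile's SSDT index and save the routine currently stored
 * in that slot into RealNtCreateFile.
 *
 * The index is read from the ZwCreateFile stub: this assumes the stub
 * begins with a 5-byte "mov eax, imm32" whose immediate is the service
 * number (32-bit x86 layout) -- TODO confirm against the target build.
 *
 * Returns STATUS_SUCCESS, or STATUS_UNSUCCESSFUL when ZwCreateFile cannot
 * be located or the recovered index lies outside the table (the original
 * dereferenced the bogus address in both cases).
 */
NTSTATUS GetNtCreateFileIndex(VOID)
{
    UNICODE_STRING usZwCreateFile;
    DWORD ZwCreateFile_func;

    RtlInitUnicodeString(&usZwCreateFile, L"ZwCreateFile");
    ZwCreateFile_func = (DWORD)MmGetSystemRoutineAddress(&usZwCreateFile);
    if (ZwCreateFile_func == 0)
    {
        KdPrint(("ZwCreateFile could not be resolved\n"));
        return STATUS_UNSUCCESSFUL;
    }

    NtCreateFileIndex = *(DWORD *)(ZwCreateFile_func + 1);
    KdPrint(("NtCreateFile 函数在SSDT表中的序号是: %x\n", NtCreateFileIndex));

    /* A wrong stub layout would otherwise turn the later table write into a wild write. */
    if (NtCreateFileIndex >= KeServiceDescriptorTable->ulNumberOfServices)
    {
        KdPrint(("NtCreateFile index out of range\n"));
        return STATUS_UNSUCCESSFUL;
    }

    RealNtCreateFile = (_RealNtCreateFile)(*(DWORD *)(KeServiceDescriptorTable->ServiceTableBase + NtCreateFileIndex * 4));
    KdPrint(("NtCreateFile 函数的地址是:%x", (DWORD)RealNtCreateFile));
    return STATUS_SUCCESS;
}

/*
 * Replacement for NtCreateFile: refuses opens of "\??\C:\1.txt" with
 * STATUS_UNSUCCESSFUL and forwards everything else to RealNtCreateFile.
 *
 * Parameters and return value are those of NtCreateFile. This runs before
 * the real service validates its arguments, so the pointers are checked
 * for NULL here; NOTE(review): a non-NULL but invalid user-mode pointer
 * is still not probed before it is dereferenced.
 */
NTSTATUS NTAPI MyNtCreateFile(__out PHANDLE FileHandle,
    __in ACCESS_MASK DesiredAccess,
    __in POBJECT_ATTRIBUTES ObjectAttributes,
    __out PIO_STATUS_BLOCK IoStatusBlock,
    __in_opt PLARGE_INTEGER AllocationSize,
    __in ULONG FileAttributes,
    __in ULONG ShareAccess,
    __in ULONG CreateDisposition,
    __in ULONG CreateOptions,
    __in_opt PVOID EaBuffer,
    __in ULONG EaLength)
{
    UNICODE_STRING FilePath;

    RtlInitUnicodeString(&FilePath, L"\\??\\C:\\1.txt");
    if (ObjectAttributes != NULL && ObjectAttributes->ObjectName != NULL &&
        !RtlCompareUnicodeString(&FilePath, ObjectAttributes->ObjectName, TRUE)) /* case-insensitive match on the blocked name */
    {
        /*
         * %wZ prints a UNICODE_STRING. The original passed the wide Buffer
         * itself as the (narrow) format string, which is both a type
         * mismatch and a format-string defect.
         */
        KdPrint(("NtCreateFile blocked: %wZ\n", ObjectAttributes->ObjectName));
        return STATUS_UNSUCCESSFUL;
    }

    return RealNtCreateFile(
        FileHandle,
        DesiredAccess,
        ObjectAttributes,
        IoStatusBlock,
        AllocationSize,
        FileAttributes,
        ShareAccess,
        CreateDisposition,
        CreateOptions,
        EaBuffer,
        EaLength);
}

/*
 * Point the NtCreateFile SSDT slot at MyNtCreateFile.
 *
 * If the slot already holds MyNtCreateFile the call is a no-op: running
 * the lookup again would store the hook itself in RealNtCreateFile and
 * every later NtCreateFile would recurse until the kernel stack overflows.
 *
 * The inline assembly clears CR0.WP (bit 16) around the write so the
 * read-only table page can be modified, and masks interrupts on the
 * executing processor while it is clear.
 *
 * Returns STATUS_SUCCESS when the slot reads back as MyNtCreateFile,
 * otherwise STATUS_UNSUCCESSFUL.
 */
NTSTATUS HookNtCreateFile(VOID)
{
    DWORD *slot;

    if (RealNtCreateFile != NULL &&
        *(DWORD *)(KeServiceDescriptorTable->ServiceTableBase + NtCreateFileIndex * 4) == (DWORD)MyNtCreateFile)
    {
        return STATUS_SUCCESS;
    }

    if (!NT_SUCCESS(GetNtCreateFileIndex()))
    {
        return STATUS_UNSUCCESSFUL;
    }
    slot = (DWORD *)(KeServiceDescriptorTable->ServiceTableBase + NtCreateFileIndex * 4);

    __asm
    {
        cli
        mov eax, cr0
        and eax, not 10000h
        mov cr0, eax
    }
    *slot = (DWORD)MyNtCreateFile;
    __asm
    {
        mov eax, cr0
        or eax, 10000h
        mov cr0, eax
        sti
    }

    if (*slot == (DWORD)MyNtCreateFile)
    {
        return STATUS_SUCCESS;
    }
    return STATUS_UNSUCCESSFUL;
}

/*
 * Restore the saved original into the NtCreateFile SSDT slot.
 *
 * Same CR0.WP / interrupt handling as HookNtCreateFile. Nothing is
 * restored when RealNtCreateFile is still NULL (hook never resolved).
 *
 * Returns STATUS_SUCCESS if a saved routine was written back,
 * STATUS_UNSUCCESSFUL otherwise.
 */
NTSTATUS UnHookNtCreateFile(VOID)
{
    DWORD *slot = (DWORD *)(KeServiceDescriptorTable->ServiceTableBase + NtCreateFileIndex * 4);

    __asm
    {
        cli
        mov eax, cr0
        and eax, not 10000h
        mov cr0, eax
    }
    if (RealNtCreateFile)
    {
        *slot = (DWORD)RealNtCreateFile;
        KdPrint(("NtCreateFile Restored!\n"));
    }
    __asm
    {
        mov eax, cr0
        or eax, 10000h
        mov cr0, eax
        sti
    }

    if (RealNtCreateFile)
    {
        return STATUS_SUCCESS;
    }
    return STATUS_UNSUCCESSFUL;
}

/*
 * IRP_MJ_CREATE / IRP_MJ_CLOSE handler: completes every request with
 * STATUS_SUCCESS and no data. Access to the device is decided by the
 * security descriptor it was created with, not here.
 */
NTSTATUS HOOKNTCREATEFILE_DispatchCreateClose(
    IN PDEVICE_OBJECT DeviceObject,
    IN PIRP Irp
    )
{
    NTSTATUS status = STATUS_SUCCESS;

    UNREFERENCED_PARAMETER(DeviceObject);
    Irp->IoStatus.Status = status;
    Irp->IoStatus.Information = 0;
    IoCompleteRequest(Irp, IO_NO_INCREMENT);
    return status;
}

/*
 * IRP_MJ_DEVICE_CONTROL handler.
 *
 * IOCTL_HOOKNTCREATEFILE_OPERATION installs the hook and, on success,
 * copies a status message into the caller's output buffer. Every other
 * code completes with STATUS_INVALID_DEVICE_REQUEST.
 *
 * OutputBufferLength is caller-controlled, so the copy is bounded by it
 * (the original memcpy'd unconditionally) and Information reports only
 * the bytes actually written (the original returned the caller's whole
 * buffer length, exposing whatever the system buffer held beyond the
 * message). A failed hook now surfaces its status instead of leaving
 * Irp->IoStatus.Status untouched.
 */
NTSTATUS HOOKNTCREATEFILE_DispatchDeviceControl(
    IN PDEVICE_OBJECT DeviceObject,
    IN PIRP Irp
    )
{
    NTSTATUS status = STATUS_SUCCESS;
    ULONG_PTR bytesReturned = 0;
    PIO_STACK_LOCATION irpSp = IoGetCurrentIrpStackLocation(Irp);
    PVOID OutBuffer = Irp->AssociatedIrp.SystemBuffer;
    ULONG uOutSize = irpSp->Parameters.DeviceIoControl.OutputBufferLength;

    UNREFERENCED_PARAMETER(DeviceObject);

    switch (irpSp->Parameters.DeviceIoControl.IoControlCode)
    {
    case IOCTL_HOOKNTCREATEFILE_OPERATION:
        status = HookNtCreateFile();
        if (status == STATUS_SUCCESS)
        {
            CHAR cInfo[] = "Hook NtCreateFile成功了";
            size_t cInfoLen = sizeof cInfo; /* includes the terminating NUL */

            if (OutBuffer == NULL || uOutSize < cInfoLen)
            {
                status = STATUS_BUFFER_TOO_SMALL;
            }
            else
            {
                memcpy(OutBuffer, cInfo, cInfoLen);
                bytesReturned = cInfoLen;
            }
        }
        break;
    default:
        status = STATUS_INVALID_DEVICE_REQUEST;
        break;
    }

    Irp->IoStatus.Status = status;
    Irp->IoStatus.Information = bytesReturned;
    IoCompleteRequest(Irp, IO_NO_INCREMENT);
    return status;
}

/*
 * Driver unload: restore the SSDT slot, release hEvent if it was ever
 * set, remove the symbolic link and delete every device object.
 *
 * Nothing here waits for threads that may still be executing
 * MyNtCreateFile when the image is unmapped.
 */
VOID HOOKNTCREATEFILE_DriverUnload(
    IN PDRIVER_OBJECT DriverObject
    )
{
    PDEVICE_OBJECT pdoNextDeviceObj;

    UNREFERENCED_PARAMETER(DriverObject);

    UnHookNtCreateFile();
    if (hEvent != NULL) /* the original closed a NULL handle unconditionally */
    {
        ZwClose(hEvent);
        hEvent = NULL;
    }
    IoDeleteSymbolicLink(&usSymlinkName);

    pdoNextDeviceObj = pdoGlobalDrvObj->DeviceObject;
    while (pdoNextDeviceObj)
    {
        PDEVICE_OBJECT pdoThisDeviceObj = pdoNextDeviceObj;
        pdoNextDeviceObj = pdoThisDeviceObj->NextDevice;
        IoDeleteDevice(pdoThisDeviceObj);
    }
}
#ifdef __cplusplus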
extern "C" {
#endif
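/*
 * Driver entry point: create the control device and its symbolic link,
 * then install the dispatch routines.
 *
 * The device is created with IoCreateDeviceSecure and
 * SDDL_DEVOBJ_SYS_ALL_ADM_ALL so that only SYSTEM and Administrators can
 * open it. With plain IoCreateDevice (the original call) any local user
 * could open the symbolic link and send IOCTL_HOOKNTCREATEFILE_OPERATION.
 * Needs <wdmsec.h> and wdmsec.lib.
 *
 * @param DriverObject  This driver's object; also kept in pdoGlobalDrvObj for unload.
 * @param RegistryPath  Unused.
 * @return STATUS_SUCCESS, or the status of the failing IoCreateDeviceSecure /
 *         IoCreateSymbolicLink call (the device is deleted on the latter).
 */
NTSTATUS DriverEntry(
    IN OUT PDRIVER_OBJECT DriverObject,
    IN PUNICODE_STRING RegistryPath
    )
{
    PDEVICE_OBJECT pdoDeviceObj = NULL;
    NTSTATUS status;

    UNREFERENCED_PARAMETER(RegistryPath);
    pdoGlobalDrvObj = DriverObject;

    status = IoCreateDeviceSecure(
        DriverObject,
        0,
        &usDeviceName,
        FILE_DEVICE_UNKNOWN,
        FILE_DEVICE_SECURE_OPEN,
        FALSE,
        &SDDL_DEVOBJ_SYS_ALL_ADM_ALL,
        NULL, /* no device class GUID */
        &pdoDeviceObj);
    if (!NT_SUCCESS(status))
    {
        return status;
    }

    status = IoCreateSymbolicLink(&usSymlinkName, &usDeviceName);
    if (!NT_SUCCESS(status))
    {
        IoDeleteDevice(pdoDeviceObj);
        return status;
    }

    DriverObject->MajorFunction[IRP_MJ_CREATE] = HOOKNTCREATEFILE_DispatchCreateClose;
    DriverObject->MajorFunction[IRP_MJ_CLOSE] = HOOKNTCREATEFILE_DispatchCreateClose;
    DriverObject->MajorFunction[IRP_MJ_DEVICE_CONTROL] = HOOKNTCREATEFILE_DispatchDeviceControl;
    DriverObject->DriverUnload = HOOKNTCREATEFILE_DriverUnload;
    return STATUS_SUCCESS;
}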
#ifdef __cplusplus
}; // extern "C"
#endif