转自:http://blog.csdn.net/lostspeed/article/details/11738311

封了一个函数, 从 FILE_OBJECT 中 得到 FilePathName

在WinXpSp3下测试通过.

函数定义

  1. BOOLEAN IsValidUnicodeString(PUNICODE_STRING pstr);
  1. BOOLEAN GetFilePathNameFromFileObject(
  2. FILE_OBJECT * pFileObj,
  3. UNICODE_STRING * puniFilePathName);

函数实现

  1. BOOLEAN GetFilePathNameFromFileObject(
  2. FILE_OBJECT * pFileObj,
  3. UNICODE_STRING * puniFilePathName)
  4. {
  5. /// puniFilePathName 已经被 RtlInitUnicodeString 初始化过,
  6. /// .Buffer 有MAX_PATH宽字符长度
  7. BOOLEAN bValidFN_FileObj = FALSE;
  8. BOOLEAN bValidFN_RelatedFileObj = FALSE;
  9. PFILE_OBJECT pRelatedFileObject = NULL;
  10. UNICODE_STRING ustrTmp;
  11. UNICODE_STRING ustrLink; ///< 分隔符号, e.g. L'\\'
  12. if ((NULL == pFileObj) || (NULL == puniFilePathName))
  13. return FALSE;
  14. /// 初始化数据
  15. RtlInitUnicodeString(&ustrTmp, NULL);
  16. RtlInitUnicodeString(&ustrLink, L"\\");
  17. RtlZeroMemory(puniFilePathName->Buffer, puniFilePathName->MaximumLength);
  18. puniFilePathName->Length = 0;
  19. pRelatedFileObject = pFileObj->RelatedFileObject;
  20. bValidFN_FileObj = IsValidUnicodeString(&pFileObj->FileName);
  21. bValidFN_RelatedFileObj =
  22. IsValidUnicodeString(&pRelatedFileObject->FileName);
  23. /// 盘符
  24. IoVolumeDeviceToDosName(pFileObj->DeviceObject, &ustrTmp);
  25. RtlCopyUnicodeString(puniFilePathName, &ustrTmp);
  26. RtlFreeUnicodeString(&ustrTmp); ///< !
  27. /// 相对路径
  28. /// pRelatedFileObject->FileName 也有可能是空的
  29. /// 相对全路径名称全部在 pFileObj->FileName
  30. if (bValidFN_RelatedFileObj)
  31. {
  32. /// pRelatedFileObject->FileName.Buffer 可能是有效的
  33. /// 却不是一个可见的宽字符串, 以 L'\0'开头
  34. if ((L'\\' != pRelatedFileObject->FileName.Buffer[0])
  35. &&(L'\0' != pRelatedFileObject->FileName.Buffer[0]))
  36. {
  37. RtlUnicodeStringCat(puniFilePathName, &ustrLink);
  38. }
  39. RtlUnicodeStringCat(puniFilePathName, &pRelatedFileObject->FileName);
  40. }
  41. /// 文件名, 也有可能是包含相对路径的全路径名称.
  42. /// e.g. "\Windows\System\xx.yyy"
  43. if (bValidFN_FileObj)
  44. {
  45. if ((L'\\' != pFileObj->FileName.Buffer[0])
  46. && (L'\0' != pFileObj->FileName.Buffer[0]))
  47. {
  48. RtlUnicodeStringCat(puniFilePathName, &ustrLink);
  49. }
  50. RtlUnicodeStringCat(puniFilePathName, &pFileObj->FileName);
  51. }
  52. return (bValidFN_FileObj || bValidFN_RelatedFileObj);
  53. }
  1. BOOLEAN IsValidUnicodeString(PUNICODE_STRING pstr)
  2. {
  3. BOOLEAN bRc = FALSE;
  4. ULONG   ulIndex = 0;
  5. __try
  6. {
  7. if (!MmIsAddressValid(pstr))
  8. return FALSE;
  9. if ((NULL == pstr->Buffer) || (0 == pstr->Length))
  10. return FALSE;
  11. for (ulIndex = 0; ulIndex < pstr->Length; ulIndex++)
  12. {
  13. if (!MmIsAddressValid((UCHAR *)pstr->Buffer + ulIndex))
  14. return FALSE;
  15. }
  16. bRc = TRUE;
  17. }
  18. __except(EXCEPTION_EXECUTE_HANDLER)
  19. {
  20. bRc = FALSE;
  21. }
  22. return bRc;
  23. }

在分派例程中得到 FILE_OBJECT 方法

  1. pIoStack = IoGetCurrentIrpStackLocation(pIrp);
  1. pFileObject = pIoStack->FileObject;

入参的准备

  1. WCHAR               cFilePathNameW[MAX_PATH];
  2. UNICODE_STRING      unistrFilePathName;
  3. RtlZeroMemory(cFilePathNameW, sizeof(cFilePathNameW));
  4. RtlInitUnicodeString(&unistrFilePathName, cFilePathNameW);
  5. unistrFilePathName.MaximumLength = sizeof(cFilePathNameW); ///< !

效果图

    1. DisPatchDeviceControl IOCTL 0x22e000
    2. cFilePathName[0] = C:\
    3. cFilePathName[1] = C:\Documents and Settings\All Users\Application Data\VMware
    4. cFilePathName[2] = C:\Documents and Settings\All Users\Application Data\VMware\VMware Tools
    5. cFilePathName[3] = C:\Documents and Settings\All Users\Application Data\VMware\VMware Tools\
    6. cFilePathName[4] = C:\WINDOWS\system32\Msimtf.dll
    7. cFilePathName[5] = C:\WINDOWS\system32\NOTEPAD.EXE
    8. cFilePathName[6] = C:\WINDOWS\AppPatch\sysmain.sdb
    9. cFilePathName[7] = C:\WINDOWS\AppPatch\systest.sdb
    10. cFilePathName[8] = C:\WINDOWS\system32\
    11. cFilePathName[9] = C:\WINDOWS\
    12. cFilePathName[10] = C:\WINDOWS\system32\NOTEPAD.EXE.Manifest
    13. cFilePathName[11] = C:\WINDOWS\system32\NOTEPAD.EXE.Config
    14. cFilePathName[12] = C:\WINDOWS\WinSxS\Policies\x86_Policy.6.0.Microsoft.Windows.Common-Controls_6595b64144ccf1df_zh-CN_f3ffe327\
    15. cFilePathName[13] = C:\WINDOWS\Assembly\GAC\Policy.6.0.Microsoft.Windows.Common-Controls\
    16. cFilePathName[14] = C:\WINDOWS\WinSxS\Policies\x86_Policy.6.0.Microsoft.Windows.Common-Controls_6595b64144ccf1df_zh-CHS_6bff526c\
    17. cFilePathName[15] = C:\WINDOWS\WinSxS\Policies\x86_Policy.6.0.Microsoft.Windows.Common-Controls_6595b64144ccf1df_x-ww_5ddad775\
    18. cFilePathName[16] = C:\WINDOWS\WinSxS\Policies\x86_Policy.6.0.Microsoft.Windows.Common-Controls_6595b64144ccf1df_x-ww_5ddad775\6.0.2600.5512.Policy
    19. cFilePathName[17] = C:\WINDOWS\WinSxS\Policies\x86_Policy.6.0.Microsoft.Windows.Common-Controls.mui_6595b64144ccf1df_zh-CN_b45a2b14\
    20. cFilePathName[18] = C:\WINDOWS\Assembly\GAC\Policy.6.0.Microsoft.Windows.Common-Controls.mui\
    21. cFilePathName[19] = C:\WINDOWS\WinSxS\Policies\x86_Policy.6.0.Microsoft.Windows.Common-Controls.mui_6595b64144ccf1df_zh-CHS_2c599a59\
    22. cFilePathName[20] = C:\WINDOWS\WinSxS\Manifests\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.5512_x-ww_35d4ce83.Manifest
    23. cFilePathName[21] = C:\WINDOWS\Prefetch\NOTEPAD.EXE-336351A9.pf
    24. cFilePathName[22] = C:\Documents and Settings\Administrator\
    25. cFilePathName[23] = C:\Documents and Settings\Administrator\桌面\
    26. cFilePathName[24] = C:\DOCUME~1\
    27. cFilePathName[25] = C:\DOCUME~1\ADMINI~1\
    28. cFilePathName[26] = C:\DOCUME~1\ADMINI~1\LOCALS~1\
    29. cFilePathName[27] = C:\Documents and Settings\Administrator\桌面\abc.txt
    30. cFilePathName[28] = C:\Documents and Settings\Administrator\桌面
    31. cFilePathName[29] = C:\SYSTEM VOLUME INFORMATION\
    32. cFilePathName[30] = C:\Documents and Settings\Administrator\Recent\
    33. cFilePathName[31] = C:\Documents and Settings\Administrator\Recent\abc.txt.lnk
    34. cFilePathName[32] = C:\SYSTEM VOLUME INFORMATION\_RESTORE{288FCF24-DDBA-4A0A-98C0-50E279B93ECC}\
    35. cFilePathName[33] = C:\SYSTEM VOLUME INFORMATION\_RESTORE{288FCF24-DDBA-4A0A-98C0-50E279B93ECC}\RP4\
    36. cFilePathName[34] = C:\WINDOWS\APPPATCH\
    37. cFilePathName[35] = C:\WINDOWS\WINSXS\
    38. cFilePathName[36] = C:\WINDOWS\WINSXS\X86_MICROSOFT.WINDOWS.COMMON-CONTROLS_6595B64144CCF1DF_6.0.2600.5512_X-WW_35D4CE83\
    39. cFilePathName[37] = C:\WINDOWS\SYSTEM32\NTDLL.DLL
    40. cFilePathName[38] = C:\WINDOWS\SYSTEM32\KERNEL32.DLL
    41. cFilePathName[39] = C:\WINDOWS\SYSTEM32\UNICODE.NLS
    42. cFilePathName[40] = C:\WINDOWS\SYSTEM32\LOCALE.NLS
    43. cFilePathName[41] = C:\WINDOWS\SYSTEM32\SORTTBLS.NLS
    44. cFilePathName[42] = C:\WINDOWS\SYSTEM32\COMDLG32.DLL
    45. cFilePathName[43] = C:\WINDOWS\SYSTEM32\ADVAPI32.DLL
    46. cFilePathName[44] = C:\WINDOWS\SYSTEM32\RPCRT4.DLL
    47. cFilePathName[45] = C:\WINDOWS\SYSTEM32\SECUR32.DLL
    48. cFilePathName[46] = C:\WINDOWS\WINSXS\X86_MICROSOFT.WINDOWS.COMMON-CONTROLS_6595B64144CCF1DF_6.0.2600.5512_X-WW_35D4CE83\COMCTL32.DLL
    49. cFilePathName[47] = C:\WINDOWS\SYSTEM32\MSVCRT.DLL
    50. cFilePathName[48] = C:\WINDOWS\SYSTEM32\GDI32.DLL
    51. cFilePathName[49] = C:\WINDOWS\SYSTEM32\USER32.DLL
    52. cFilePathName[50] = C:\WINDOWS\SYSTEM32\SHLWAPI.DLL
    53. cFilePathName[51] = C:\WINDOWS\SYSTEM32\SHELL32.DLL
    54. cFilePathName[52] = C:\WINDOWS\SYSTEM32\WINSPOOL.DRV
    55. cFilePathName[53] = C:\WINDOWS\SYSTEM32\SHIMENG.DLL
    56. cFilePathName[54] = C:\WINDOWS\APPPATCH\ACGENRAL.DLL
    57. cFilePathName[55] = C:\WINDOWS\SYSTEM32\WINMM.DLL
    58. cFilePathName[56] = C:\WINDOWS\SYSTEM32\OLE32.DLL
    59. cFilePathName[57] = C:\WINDOWS\SYSTEM32\OLEAUT32.DLL
    60. cFilePathName[58] = C:\WINDOWS\SYSTEM32\MSACM32.DLL
    61. cFilePathName[59] = C:\WINDOWS\SYSTEM32\VERSION.DLL
    62. cFilePathName[60] = C:\WINDOWS\SYSTEM32\USERENV.DLL
    63. cFilePathName[61] = C:\WINDOWS\SYSTEM32\UXTHEME.DLL
    64. cFilePathName[62] = C:\WINDOWS\SYSTEM32\CTYPE.NLS
    65. cFilePathName[63] = C:\WINDOWS\SYSTEM32\IMM32.DLL
    66. cFilePathName[64] = C:\WINDOWS\SYSTEM32\LPK.DLL
    67. cFilePathName[65] = C:\WINDOWS\SYSTEM32\USP10.DLL
    68. cFilePathName[66] = C:\WINDOWS\WINDOWSSHELL.MANIFEST
    69. cFilePathName[67] = C:\WINDOWS\SYSTEM32\MSCTF.DLL
    70. cFilePathName[68] = C:\WINDOWS\SYSTEM32\MSCTFIME.IME
    71. cFilePathName[69] = C:\SYSTEM VOLUME INFORMATION\_RESTORE{288FCF24-DDBA-4A0A-98C0-50E279B93ECC}\RP4\CHANGE.LOG
    72. cFilePathName[70] = C:\BOOT.INI
    73. cFilePathName[71] = C:\WINDOWS\SYSTEM32\WIN32K.SYS
    74. cFilePathName[72] = C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.5512_x-ww_35d4ce83
    75. cFilePathName[73] = C:\Documents and Settings\
    76. cFilePathName[74] = C:\Documents and Settings\Administrator\Local Settings\
    77. cFilePathName[75] = C:\Documents and Settings\Administrator\Local Settings\History\desktop.ini
    78. cFilePathName[76] = C:\WINDOWS\WindowsShell.Config
    79. cFilePathName[77] = C:\WINDOWS\system32\SHELL32.dll.124.Manifest
    80. cFilePathName[78] = C:\WINDOWS\system32\SHELL32.dll.124.Config
    81. cFilePathName[79] = C:\WINDOWS\Prefetch\
    82. cFilePathName[80] = C:\WINDOWS\system32\0804\
    83. cFilePathName[81] = C:\WINDOWS\MUI\Fallback\0804\
    84. cFilePathName[82] = C:\WINDOWS\system32\DRIVERS\MUI\0804\
    85. cFilePathName[83] = C:\WINDOWS\system32\DRIVERS\ACPI.sys
    86. cFilePathName[84] = C:\WINDOWS\system32\DRIVERS\mssmbios.sys
    87. cFilePathName[85] = C:\WINDOWS\system32\DRIVERS\intelppm.sys
    88. cFilePathName[86] = C:\WINDOWS\system32\DRIVERS\ipnat.sys
    89. cFilePathName[87] = C:\WINDOWS\System32\Drivers\HTTP.sys
    90. cFilePathName[88] = C:\WINDOWS\system32\WBEM\Logs\wmiprov.log
    91. cFilePathName[89] = C:\WINDOWS\SoftwareDistribution\DataStore\
    92. cFilePathName[90] = C:\WINDOWS\SoftwareDistribution\DataStore\DataStore.edb
    93. cFilePathName[91] = C:\WINDOWS\SoftwareDistribution\DataStore\DataStore.edb\
    94. cFilePathName[92] = C:\WINDOWS\SoftwareDistribution\DataStore
    95. cFilePathName[93] = C:\WINDOWS\SoftwareDistribution
    96. cFilePathName[94] = C:\WINDOWS\SoftwareDistribution\
    97. cFilePathName[95] = C:\WINDOWS
    98. cFilePathName[96] = C:\WINDOWS\SoftwareDistribution\DataStore\Logs\edb.chk
    99. cFilePathName[97] = C:\WINDOWS\SoftwareDistribution\DataStore\Logs\edb.chk\
    100. cFilePathName[98] = C:\WINDOWS\SoftwareDistribution\DataStore\Logs
    101. cFilePathName[99] = C:\WINDOWS\system32\xpsp2res.dll

note : Get FilePathName from FILE_OBJECT的更多相关文章

  1. FILE_OBJECT

    https://msdn.microsoft.com/en-us/library/windows/hardware/ff545834(v=vs.85).aspx The FILE_OBJECT str ...

  2. 三星Note 7停产,原来是吃了流程的亏

    三星Note 7发售两个月即成为全球噩梦,从首炸到传言停产仅仅47天.所谓"屋漏偏逢连天雨",相比华为.小米等品牌对其全球市场的挤压.侵蚀,Galaxy Note 7爆炸事件这场连 ...

  3. 《Note --- Unreal --- MemPro (CONTINUE... ...)》

    Mem pro 是一个主要集成内存泄露检测的工具,其具有自身的源码和GUI,在GUI中利用"Launch" button进行加载自己待检测的application,目前支持的平台为 ...

  4. 《Note --- Unreal 4 --- Sample analyze --- StrategyGame(continue...)》

    ---------------------------------------------------------------------------------------------------- ...

  5. [LeetCode] Ransom Note 赎金条

    
Given
 an 
arbitrary
 ransom
 note
 string 
and 
another 
string 
containing 
letters from
 all 
th ...

  6. Beginning Scala study note(9) Scala and Java Interoperability

    1. Translating Java Classes to Scala Classes Example 1: # a class declaration in Java public class B ...

  7. Beginning Scala study note(8) Scala Type System

    1. Unified Type System Scala has a unified type system, enclosed by the type Any at the top of the h ...

  8. Beginning Scala study note(7) Trait

    A trait provides code reusability in Scala by encapsulating method and state and then offing possibi ...

  9. Beginning Scala study note(6) Scala Collections

    Scala's object-oriented collections support mutable and immutable type hierarchies. Also support fun ...

随机推荐

  1. 运维生涯中总有一次痛彻心扉的rm命令

    为了防止误操作,配置rm命令别名,同时可以进行恢复删除文件 1. 在/tmp目录下新建两个目录,命名为:.trash,tools cd /tmp/ mkdir .trash mkdir tools 2 ...

  2. 框架_mybatis2使用注解

    在dao中使用注解: package cn.dao; import cn.mepu.User; import org.apache.ibatis.annotations.Select; import ...

  3. tftp 服务器的配置

    如果用下面一条命令能够看到服务已经启动, 则不用安装, 否则需要按 1 或 2 点安装 tftp-server 服务器. [arm@localhost arm]#netstat -a | grep t ...

  4. zic2xpm - 将 ZIICS 象棋片段 (chess pieces) 转换为 XBoard (XPM/XIM) 片段的工具。

    总览 SYNOPSIS zic2xpm file1 [file2 ...] 描述 zic2xpm 将一个或多个 ZIICS 片段文件转换为 XBoard 可用的格式.如果你给出一个以上的文件名,小心同 ...

  5. 自定义实现系统max方法

    function MyMath(){ //添加了一个方法 this.getMax=function(){ //所有数字中的最大值 var max=arguments[0]; for(var i=0;i ...

  6. 泛型(Generic)方法(函数,算法)

    例子: static void Main(string[] args) { int[] a1 = { 1, 2, 3, 4, 5 }; int[] a2 = { 1, 2, 3, 4, 5 }; do ...

  7. H5全局属性contenteditable,实现可编辑元素

    <div contenteditable="true">这是一段可编辑的段落.请试着编辑该文本.</div> 效果如下:

  8. 7.12模拟T2(套路容斥+多项式求逆)

    Description: \(n<=10,max(w)<=1e6\) 题解: 考虑暴力,相当于走多维格子图,不能走有些点. 套路就是设\(f[i]\)表示第一次走到i的方案数 \(f[i] ...

  9. [Nowcoder] 数数字

    题意:...咕咕懒得写了. 思路: 裸的记搜... #include <bits/stdc++.h> using namespace std; #define ll long long m ...

  10. Photon Server与Unity3D客户端的交互

    Photon Server与Unity3D的交互分为3篇博文实现 (1)Photon Server的服务器端配置 (2)Photon Server的Unity3D客户端配置 (3)Photon Ser ...