note : Get FilePathName from FILE_OBJECT
转自:http://blog.csdn.net/lostspeed/article/details/11738311
封了一个函数, 从 FILE_OBJECT 中 得到 FilePathName
在WinXpSp3下测试通过.
函数定义
- BOOLEAN IsValidUnicodeString(PUNICODE_STRING pstr);
- BOOLEAN GetFilePathNameFromFileObject(
- FILE_OBJECT * pFileObj,
- UNICODE_STRING * puniFilePathName);
函数实现
- BOOLEAN GetFilePathNameFromFileObject(
- FILE_OBJECT * pFileObj,
- UNICODE_STRING * puniFilePathName)
- {
- /// puniFilePathName 已经被 RtlInitUnicodeString 初始化过,
- /// .Buffer 有MAX_PATH宽字符长度
- BOOLEAN bValidFN_FileObj = FALSE;
- BOOLEAN bValidFN_RelatedFileObj = FALSE;
- PFILE_OBJECT pRelatedFileObject = NULL;
- UNICODE_STRING ustrTmp;
- UNICODE_STRING ustrLink; ///< 分隔符号, e.g. L'\\'
- if ((NULL == pFileObj) || (NULL == puniFilePathName))
- return FALSE;
- /// 初始化数据
- RtlInitUnicodeString(&ustrTmp, NULL);
- RtlInitUnicodeString(&ustrLink, L"\\");
- RtlZeroMemory(puniFilePathName->Buffer, puniFilePathName->MaximumLength);
- puniFilePathName->Length = 0;
- pRelatedFileObject = pFileObj->RelatedFileObject;
- bValidFN_FileObj = IsValidUnicodeString(&pFileObj->FileName);
- bValidFN_RelatedFileObj =
- IsValidUnicodeString(&pRelatedFileObject->FileName);
- /// 盘符
- IoVolumeDeviceToDosName(pFileObj->DeviceObject, &ustrTmp);
- RtlCopyUnicodeString(puniFilePathName, &ustrTmp);
- RtlFreeUnicodeString(&ustrTmp); ///< !
- /// 相对路径
- /// pRelatedFileObject->FileName 也有可能是空的
- /// 相对全路径名称全部在 pFileObj->FileName
- if (bValidFN_RelatedFileObj)
- {
- /// pRelatedFileObject->FileName.Buffer 可能是有效的
- /// 却不是一个可见的宽字符串, 以 L'\0'开头
- if ((L'\\' != pRelatedFileObject->FileName.Buffer[0])
- &&(L'\0' != pRelatedFileObject->FileName.Buffer[0]))
- {
- RtlUnicodeStringCat(puniFilePathName, &ustrLink);
- }
- RtlUnicodeStringCat(puniFilePathName, &pRelatedFileObject->FileName);
- }
- /// 文件名, 也有可能是包含相对路径的全路径名称.
- /// e.g. "\Windows\System\xx.yyy"
- if (bValidFN_FileObj)
- {
- if ((L'\\' != pFileObj->FileName.Buffer[0])
- && (L'\0' != pFileObj->FileName.Buffer[0]))
- {
- RtlUnicodeStringCat(puniFilePathName, &ustrLink);
- }
- RtlUnicodeStringCat(puniFilePathName, &pFileObj->FileName);
- }
- return (bValidFN_FileObj || bValidFN_RelatedFileObj);
- }
- BOOLEAN IsValidUnicodeString(PUNICODE_STRING pstr)
- {
- BOOLEAN bRc = FALSE;
- ULONG ulIndex = 0;
- __try
- {
- if (!MmIsAddressValid(pstr))
- return FALSE;
- if ((NULL == pstr->Buffer) || (0 == pstr->Length))
- return FALSE;
- for (ulIndex = 0; ulIndex < pstr->Length; ulIndex++)
- {
- if (!MmIsAddressValid((UCHAR *)pstr->Buffer + ulIndex))
- return FALSE;
- }
- bRc = TRUE;
- }
- __except(EXCEPTION_EXECUTE_HANDLER)
- {
- bRc = FALSE;
- }
- return bRc;
- }
在分派例程中得到 FILE_OBJECT 方法
- pIoStack = IoGetCurrentIrpStackLocation(pIrp);
- pFileObject = pIoStack->FileObject;
入参的准备
- WCHAR cFilePathNameW[MAX_PATH];
- UNICODE_STRING unistrFilePathName;
- RtlZeroMemory(cFilePathNameW, sizeof(cFilePathNameW));
- RtlInitUnicodeString(&unistrFilePathName, cFilePathNameW);
- unistrFilePathName.MaximumLength = sizeof(cFilePathNameW); ///< !
效果图
- DisPatchDeviceControl IOCTL 0x22e000
- cFilePathName[0] = C:\
- cFilePathName[1] = C:\Documents and Settings\All Users\Application Data\VMware
- cFilePathName[2] = C:\Documents and Settings\All Users\Application Data\VMware\VMware Tools
- cFilePathName[3] = C:\Documents and Settings\All Users\Application Data\VMware\VMware Tools\
- cFilePathName[4] = C:\WINDOWS\system32\Msimtf.dll
- cFilePathName[5] = C:\WINDOWS\system32\NOTEPAD.EXE
- cFilePathName[6] = C:\WINDOWS\AppPatch\sysmain.sdb
- cFilePathName[7] = C:\WINDOWS\AppPatch\systest.sdb
- cFilePathName[8] = C:\WINDOWS\system32\
- cFilePathName[9] = C:\WINDOWS\
- cFilePathName[10] = C:\WINDOWS\system32\NOTEPAD.EXE.Manifest
- cFilePathName[11] = C:\WINDOWS\system32\NOTEPAD.EXE.Config
- cFilePathName[12] = C:\WINDOWS\WinSxS\Policies\x86_Policy.6.0.Microsoft.Windows.Common-Controls_6595b64144ccf1df_zh-CN_f3ffe327\
- cFilePathName[13] = C:\WINDOWS\Assembly\GAC\Policy.6.0.Microsoft.Windows.Common-Controls\
- cFilePathName[14] = C:\WINDOWS\WinSxS\Policies\x86_Policy.6.0.Microsoft.Windows.Common-Controls_6595b64144ccf1df_zh-CHS_6bff526c\
- cFilePathName[15] = C:\WINDOWS\WinSxS\Policies\x86_Policy.6.0.Microsoft.Windows.Common-Controls_6595b64144ccf1df_x-ww_5ddad775\
- cFilePathName[16] = C:\WINDOWS\WinSxS\Policies\x86_Policy.6.0.Microsoft.Windows.Common-Controls_6595b64144ccf1df_x-ww_5ddad775\6.0.2600.5512.Policy
- cFilePathName[17] = C:\WINDOWS\WinSxS\Policies\x86_Policy.6.0.Microsoft.Windows.Common-Controls.mui_6595b64144ccf1df_zh-CN_b45a2b14\
- cFilePathName[18] = C:\WINDOWS\Assembly\GAC\Policy.6.0.Microsoft.Windows.Common-Controls.mui\
- cFilePathName[19] = C:\WINDOWS\WinSxS\Policies\x86_Policy.6.0.Microsoft.Windows.Common-Controls.mui_6595b64144ccf1df_zh-CHS_2c599a59\
- cFilePathName[20] = C:\WINDOWS\WinSxS\Manifests\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.5512_x-ww_35d4ce83.Manifest
- cFilePathName[21] = C:\WINDOWS\Prefetch\NOTEPAD.EXE-336351A9.pf
- cFilePathName[22] = C:\Documents and Settings\Administrator\
- cFilePathName[23] = C:\Documents and Settings\Administrator\桌面\
- cFilePathName[24] = C:\DOCUME~1\
- cFilePathName[25] = C:\DOCUME~1\ADMINI~1\
- cFilePathName[26] = C:\DOCUME~1\ADMINI~1\LOCALS~1\
- cFilePathName[27] = C:\Documents and Settings\Administrator\桌面\abc.txt
- cFilePathName[28] = C:\Documents and Settings\Administrator\桌面
- cFilePathName[29] = C:\SYSTEM VOLUME INFORMATION\
- cFilePathName[30] = C:\Documents and Settings\Administrator\Recent\
- cFilePathName[31] = C:\Documents and Settings\Administrator\Recent\abc.txt.lnk
- cFilePathName[32] = C:\SYSTEM VOLUME INFORMATION\_RESTORE{288FCF24-DDBA-4A0A-98C0-50E279B93ECC}\
- cFilePathName[33] = C:\SYSTEM VOLUME INFORMATION\_RESTORE{288FCF24-DDBA-4A0A-98C0-50E279B93ECC}\RP4\
- cFilePathName[34] = C:\WINDOWS\APPPATCH\
- cFilePathName[35] = C:\WINDOWS\WINSXS\
- cFilePathName[36] = C:\WINDOWS\WINSXS\X86_MICROSOFT.WINDOWS.COMMON-CONTROLS_6595B64144CCF1DF_6.0.2600.5512_X-WW_35D4CE83\
- cFilePathName[37] = C:\WINDOWS\SYSTEM32\NTDLL.DLL
- cFilePathName[38] = C:\WINDOWS\SYSTEM32\KERNEL32.DLL
- cFilePathName[39] = C:\WINDOWS\SYSTEM32\UNICODE.NLS
- cFilePathName[40] = C:\WINDOWS\SYSTEM32\LOCALE.NLS
- cFilePathName[41] = C:\WINDOWS\SYSTEM32\SORTTBLS.NLS
- cFilePathName[42] = C:\WINDOWS\SYSTEM32\COMDLG32.DLL
- cFilePathName[43] = C:\WINDOWS\SYSTEM32\ADVAPI32.DLL
- cFilePathName[44] = C:\WINDOWS\SYSTEM32\RPCRT4.DLL
- cFilePathName[45] = C:\WINDOWS\SYSTEM32\SECUR32.DLL
- cFilePathName[46] = C:\WINDOWS\WINSXS\X86_MICROSOFT.WINDOWS.COMMON-CONTROLS_6595B64144CCF1DF_6.0.2600.5512_X-WW_35D4CE83\COMCTL32.DLL
- cFilePathName[47] = C:\WINDOWS\SYSTEM32\MSVCRT.DLL
- cFilePathName[48] = C:\WINDOWS\SYSTEM32\GDI32.DLL
- cFilePathName[49] = C:\WINDOWS\SYSTEM32\USER32.DLL
- cFilePathName[50] = C:\WINDOWS\SYSTEM32\SHLWAPI.DLL
- cFilePathName[51] = C:\WINDOWS\SYSTEM32\SHELL32.DLL
- cFilePathName[52] = C:\WINDOWS\SYSTEM32\WINSPOOL.DRV
- cFilePathName[53] = C:\WINDOWS\SYSTEM32\SHIMENG.DLL
- cFilePathName[54] = C:\WINDOWS\APPPATCH\ACGENRAL.DLL
- cFilePathName[55] = C:\WINDOWS\SYSTEM32\WINMM.DLL
- cFilePathName[56] = C:\WINDOWS\SYSTEM32\OLE32.DLL
- cFilePathName[57] = C:\WINDOWS\SYSTEM32\OLEAUT32.DLL
- cFilePathName[58] = C:\WINDOWS\SYSTEM32\MSACM32.DLL
- cFilePathName[59] = C:\WINDOWS\SYSTEM32\VERSION.DLL
- cFilePathName[60] = C:\WINDOWS\SYSTEM32\USERENV.DLL
- cFilePathName[61] = C:\WINDOWS\SYSTEM32\UXTHEME.DLL
- cFilePathName[62] = C:\WINDOWS\SYSTEM32\CTYPE.NLS
- cFilePathName[63] = C:\WINDOWS\SYSTEM32\IMM32.DLL
- cFilePathName[64] = C:\WINDOWS\SYSTEM32\LPK.DLL
- cFilePathName[65] = C:\WINDOWS\SYSTEM32\USP10.DLL
- cFilePathName[66] = C:\WINDOWS\WINDOWSSHELL.MANIFEST
- cFilePathName[67] = C:\WINDOWS\SYSTEM32\MSCTF.DLL
- cFilePathName[68] = C:\WINDOWS\SYSTEM32\MSCTFIME.IME
- cFilePathName[69] = C:\SYSTEM VOLUME INFORMATION\_RESTORE{288FCF24-DDBA-4A0A-98C0-50E279B93ECC}\RP4\CHANGE.LOG
- cFilePathName[70] = C:\BOOT.INI
- cFilePathName[71] = C:\WINDOWS\SYSTEM32\WIN32K.SYS
- cFilePathName[72] = C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.5512_x-ww_35d4ce83
- cFilePathName[73] = C:\Documents and Settings\
- cFilePathName[74] = C:\Documents and Settings\Administrator\Local Settings\
- cFilePathName[75] = C:\Documents and Settings\Administrator\Local Settings\History\desktop.ini
- cFilePathName[76] = C:\WINDOWS\WindowsShell.Config
- cFilePathName[77] = C:\WINDOWS\system32\SHELL32.dll.124.Manifest
- cFilePathName[78] = C:\WINDOWS\system32\SHELL32.dll.124.Config
- cFilePathName[79] = C:\WINDOWS\Prefetch\
- cFilePathName[80] = C:\WINDOWS\system32\0804\
- cFilePathName[81] = C:\WINDOWS\MUI\Fallback\0804\
- cFilePathName[82] = C:\WINDOWS\system32\DRIVERS\MUI\0804\
- cFilePathName[83] = C:\WINDOWS\system32\DRIVERS\ACPI.sys
- cFilePathName[84] = C:\WINDOWS\system32\DRIVERS\mssmbios.sys
- cFilePathName[85] = C:\WINDOWS\system32\DRIVERS\intelppm.sys
- cFilePathName[86] = C:\WINDOWS\system32\DRIVERS\ipnat.sys
- cFilePathName[87] = C:\WINDOWS\System32\Drivers\HTTP.sys
- cFilePathName[88] = C:\WINDOWS\system32\WBEM\Logs\wmiprov.log
- cFilePathName[89] = C:\WINDOWS\SoftwareDistribution\DataStore\
- cFilePathName[90] = C:\WINDOWS\SoftwareDistribution\DataStore\DataStore.edb
- cFilePathName[91] = C:\WINDOWS\SoftwareDistribution\DataStore\DataStore.edb\
- cFilePathName[92] = C:\WINDOWS\SoftwareDistribution\DataStore
- cFilePathName[93] = C:\WINDOWS\SoftwareDistribution
- cFilePathName[94] = C:\WINDOWS\SoftwareDistribution\
- cFilePathName[95] = C:\WINDOWS
- cFilePathName[96] = C:\WINDOWS\SoftwareDistribution\DataStore\Logs\edb.chk
- cFilePathName[97] = C:\WINDOWS\SoftwareDistribution\DataStore\Logs\edb.chk\
- cFilePathName[98] = C:\WINDOWS\SoftwareDistribution\DataStore\Logs
- cFilePathName[99] = C:\WINDOWS\system32\xpsp2res.dll
note : Get FilePathName from FILE_OBJECT的更多相关文章
- FILE_OBJECT
https://msdn.microsoft.com/en-us/library/windows/hardware/ff545834(v=vs.85).aspx The FILE_OBJECT str ...
- 三星Note 7停产,原来是吃了流程的亏
三星Note 7发售两个月即成为全球噩梦,从首炸到传言停产仅仅47天.所谓"屋漏偏逢连天雨",相比华为.小米等品牌对其全球市场的挤压.侵蚀,Galaxy Note 7爆炸事件这场连 ...
- 《Note --- Unreal --- MemPro (CONTINUE... ...)》
Mem pro 是一个主要集成内存泄露检测的工具,其具有自身的源码和GUI,在GUI中利用"Launch" button进行加载自己待检测的application,目前支持的平台为 ...
- 《Note --- Unreal 4 --- Sample analyze --- StrategyGame(continue...)》
---------------------------------------------------------------------------------------------------- ...
- [LeetCode] Ransom Note 赎金条
Given an arbitrary ransom note string and another string containing letters from all th ...
- Beginning Scala study note(9) Scala and Java Interoperability
1. Translating Java Classes to Scala Classes Example 1: # a class declaration in Java public class B ...
- Beginning Scala study note(8) Scala Type System
1. Unified Type System Scala has a unified type system, enclosed by the type Any at the top of the h ...
- Beginning Scala study note(7) Trait
A trait provides code reusability in Scala by encapsulating method and state and then offing possibi ...
- Beginning Scala study note(6) Scala Collections
Scala's object-oriented collections support mutable and immutable type hierarchies. Also support fun ...
随机推荐
- 运维生涯中总有一次痛彻心扉的rm命令
为了防止误操作,配置rm命令别名,同时可以进行恢复删除文件 1. 在/tmp目录下新建两个目录,命名为:.trash,tools cd /tmp/ mkdir .trash mkdir tools 2 ...
- 框架_mybatis2使用注解
在dao中使用注解: package cn.dao; import cn.mepu.User; import org.apache.ibatis.annotations.Select; import ...
- tftp 服务器的配置
如果用下面一条命令能够看到服务已经启动, 则不用安装, 否则需要按 1 或 2 点安装 tftp-server 服务器. [arm@localhost arm]#netstat -a | grep t ...
- zic2xpm - 将 ZIICS 象棋片段 (chess pieces) 转换为 XBoard (XPM/XIM) 片段的工具。
总览 SYNOPSIS zic2xpm file1 [file2 ...] 描述 zic2xpm 将一个或多个 ZIICS 片段文件转换为 XBoard 可用的格式.如果你给出一个以上的文件名,小心同 ...
- 自定义实现系统max方法
function MyMath(){ //添加了一个方法 this.getMax=function(){ //所有数字中的最大值 var max=arguments[0]; for(var i=0;i ...
- 泛型(Generic)方法(函数,算法)
例子: static void Main(string[] args) { int[] a1 = { 1, 2, 3, 4, 5 }; int[] a2 = { 1, 2, 3, 4, 5 }; do ...
- H5全局属性contenteditable,实现可编辑元素
<div contenteditable="true">这是一段可编辑的段落.请试着编辑该文本.</div> 效果如下:
- 7.12模拟T2(套路容斥+多项式求逆)
Description: \(n<=10,max(w)<=1e6\) 题解: 考虑暴力,相当于走多维格子图,不能走有些点. 套路就是设\(f[i]\)表示第一次走到i的方案数 \(f[i] ...
- [Nowcoder] 数数字
题意:...咕咕懒得写了. 思路: 裸的记搜... #include <bits/stdc++.h> using namespace std; #define ll long long m ...
- Photon Server与Unity3D客户端的交互
Photon Server与Unity3D的交互分为3篇博文实现 (1)Photon Server的服务器端配置 (2)Photon Server的Unity3D客户端配置 (3)Photon Ser ...