转自:http://blog.csdn.net/lostspeed/article/details/11738311

封了一个函数, 从 FILE_OBJECT 中 得到 FilePathName

在WinXpSp3下测试通过.

函数定义

  1. BOOLEAN IsValidUnicodeString(PUNICODE_STRING pstr);
  1. BOOLEAN GetFilePathNameFromFileObject(
  2. FILE_OBJECT * pFileObj,
  3. UNICODE_STRING * puniFilePathName);

函数实现

  1. BOOLEAN GetFilePathNameFromFileObject(
  2. FILE_OBJECT * pFileObj,
  3. UNICODE_STRING * puniFilePathName)
  4. {
  5. /// puniFilePathName 已经被 RtlInitUnicodeString 初始化过,
  6. /// .Buffer 有MAX_PATH宽字符长度
  7. BOOLEAN bValidFN_FileObj = FALSE;
  8. BOOLEAN bValidFN_RelatedFileObj = FALSE;
  9. PFILE_OBJECT pRelatedFileObject = NULL;
  10. UNICODE_STRING ustrTmp;
  11. UNICODE_STRING ustrLink; ///< 分隔符号, e.g. L'\\'
  12. if ((NULL == pFileObj) || (NULL == puniFilePathName))
  13. return FALSE;
  14. /// 初始化数据
  15. RtlInitUnicodeString(&ustrTmp, NULL);
  16. RtlInitUnicodeString(&ustrLink, L"\\");
  17. RtlZeroMemory(puniFilePathName->Buffer, puniFilePathName->MaximumLength);
  18. puniFilePathName->Length = 0;
  19. pRelatedFileObject = pFileObj->RelatedFileObject;
  20. bValidFN_FileObj = IsValidUnicodeString(&pFileObj->FileName);
  21. bValidFN_RelatedFileObj =
  22. IsValidUnicodeString(&pRelatedFileObject->FileName);
  23. /// 盘符
  24. IoVolumeDeviceToDosName(pFileObj->DeviceObject, &ustrTmp);
  25. RtlCopyUnicodeString(puniFilePathName, &ustrTmp);
  26. RtlFreeUnicodeString(&ustrTmp); ///< !
  27. /// 相对路径
  28. /// pRelatedFileObject->FileName 也有可能是空的
  29. /// 相对全路径名称全部在 pFileObj->FileName
  30. if (bValidFN_RelatedFileObj)
  31. {
  32. /// pRelatedFileObject->FileName.Buffer 可能是有效的
  33. /// 却不是一个可见的宽字符串, 以 L'\0'开头
  34. if ((L'\\' != pRelatedFileObject->FileName.Buffer[0])
  35. &&(L'\0' != pRelatedFileObject->FileName.Buffer[0]))
  36. {
  37. RtlUnicodeStringCat(puniFilePathName, &ustrLink);
  38. }
  39. RtlUnicodeStringCat(puniFilePathName, &pRelatedFileObject->FileName);
  40. }
  41. /// 文件名, 也有可能是包含相对路径的全路径名称.
  42. /// e.g. "\Windows\System\xx.yyy"
  43. if (bValidFN_FileObj)
  44. {
  45. if ((L'\\' != pFileObj->FileName.Buffer[0])
  46. && (L'\0' != pFileObj->FileName.Buffer[0]))
  47. {
  48. RtlUnicodeStringCat(puniFilePathName, &ustrLink);
  49. }
  50. RtlUnicodeStringCat(puniFilePathName, &pFileObj->FileName);
  51. }
  52. return (bValidFN_FileObj || bValidFN_RelatedFileObj);
  53. }
  1. BOOLEAN IsValidUnicodeString(PUNICODE_STRING pstr)
  2. {
  3. BOOLEAN bRc = FALSE;
  4. ULONG   ulIndex = 0;
  5. __try
  6. {
  7. if (!MmIsAddressValid(pstr))
  8. return FALSE;
  9. if ((NULL == pstr->Buffer) || (0 == pstr->Length))
  10. return FALSE;
  11. for (ulIndex = 0; ulIndex < pstr->Length; ulIndex++)
  12. {
  13. if (!MmIsAddressValid((UCHAR *)pstr->Buffer + ulIndex))
  14. return FALSE;
  15. }
  16. bRc = TRUE;
  17. }
  18. __except(EXCEPTION_EXECUTE_HANDLER)
  19. {
  20. bRc = FALSE;
  21. }
  22. return bRc;
  23. }

在分派例程中得到 FILE_OBJECT 方法

  1. pIoStack = IoGetCurrentIrpStackLocation(pIrp);
  1. pFileObject = pIoStack->FileObject;

入参的准备

  1. WCHAR               cFilePathNameW[MAX_PATH];
  2. UNICODE_STRING      unistrFilePathName;
  3. RtlZeroMemory(cFilePathNameW, sizeof(cFilePathNameW));
  4. RtlInitUnicodeString(&unistrFilePathName, cFilePathNameW);
  5. unistrFilePathName.MaximumLength = sizeof(cFilePathNameW); ///< !

效果图

    1. DisPatchDeviceControl IOCTL 0x22e000
    2. cFilePathName[0] = C:\
    3. cFilePathName[1] = C:\Documents and Settings\All Users\Application Data\VMware
    4. cFilePathName[2] = C:\Documents and Settings\All Users\Application Data\VMware\VMware Tools
    5. cFilePathName[3] = C:\Documents and Settings\All Users\Application Data\VMware\VMware Tools\
    6. cFilePathName[4] = C:\WINDOWS\system32\Msimtf.dll
    7. cFilePathName[5] = C:\WINDOWS\system32\NOTEPAD.EXE
    8. cFilePathName[6] = C:\WINDOWS\AppPatch\sysmain.sdb
    9. cFilePathName[7] = C:\WINDOWS\AppPatch\systest.sdb
    10. cFilePathName[8] = C:\WINDOWS\system32\
    11. cFilePathName[9] = C:\WINDOWS\
    12. cFilePathName[10] = C:\WINDOWS\system32\NOTEPAD.EXE.Manifest
    13. cFilePathName[11] = C:\WINDOWS\system32\NOTEPAD.EXE.Config
    14. cFilePathName[12] = C:\WINDOWS\WinSxS\Policies\x86_Policy.6.0.Microsoft.Windows.Common-Controls_6595b64144ccf1df_zh-CN_f3ffe327\
    15. cFilePathName[13] = C:\WINDOWS\Assembly\GAC\Policy.6.0.Microsoft.Windows.Common-Controls\
    16. cFilePathName[14] = C:\WINDOWS\WinSxS\Policies\x86_Policy.6.0.Microsoft.Windows.Common-Controls_6595b64144ccf1df_zh-CHS_6bff526c\
    17. cFilePathName[15] = C:\WINDOWS\WinSxS\Policies\x86_Policy.6.0.Microsoft.Windows.Common-Controls_6595b64144ccf1df_x-ww_5ddad775\
    18. cFilePathName[16] = C:\WINDOWS\WinSxS\Policies\x86_Policy.6.0.Microsoft.Windows.Common-Controls_6595b64144ccf1df_x-ww_5ddad775\6.0.2600.5512.Policy
    19. cFilePathName[17] = C:\WINDOWS\WinSxS\Policies\x86_Policy.6.0.Microsoft.Windows.Common-Controls.mui_6595b64144ccf1df_zh-CN_b45a2b14\
    20. cFilePathName[18] = C:\WINDOWS\Assembly\GAC\Policy.6.0.Microsoft.Windows.Common-Controls.mui\
    21. cFilePathName[19] = C:\WINDOWS\WinSxS\Policies\x86_Policy.6.0.Microsoft.Windows.Common-Controls.mui_6595b64144ccf1df_zh-CHS_2c599a59\
    22. cFilePathName[20] = C:\WINDOWS\WinSxS\Manifests\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.5512_x-ww_35d4ce83.Manifest
    23. cFilePathName[21] = C:\WINDOWS\Prefetch\NOTEPAD.EXE-336351A9.pf
    24. cFilePathName[22] = C:\Documents and Settings\Administrator\
    25. cFilePathName[23] = C:\Documents and Settings\Administrator\桌面\
    26. cFilePathName[24] = C:\DOCUME~1\
    27. cFilePathName[25] = C:\DOCUME~1\ADMINI~1\
    28. cFilePathName[26] = C:\DOCUME~1\ADMINI~1\LOCALS~1\
    29. cFilePathName[27] = C:\Documents and Settings\Administrator\桌面\abc.txt
    30. cFilePathName[28] = C:\Documents and Settings\Administrator\桌面
    31. cFilePathName[29] = C:\SYSTEM VOLUME INFORMATION\
    32. cFilePathName[30] = C:\Documents and Settings\Administrator\Recent\
    33. cFilePathName[31] = C:\Documents and Settings\Administrator\Recent\abc.txt.lnk
    34. cFilePathName[32] = C:\SYSTEM VOLUME INFORMATION\_RESTORE{288FCF24-DDBA-4A0A-98C0-50E279B93ECC}\
    35. cFilePathName[33] = C:\SYSTEM VOLUME INFORMATION\_RESTORE{288FCF24-DDBA-4A0A-98C0-50E279B93ECC}\RP4\
    36. cFilePathName[34] = C:\WINDOWS\APPPATCH\
    37. cFilePathName[35] = C:\WINDOWS\WINSXS\
    38. cFilePathName[36] = C:\WINDOWS\WINSXS\X86_MICROSOFT.WINDOWS.COMMON-CONTROLS_6595B64144CCF1DF_6.0.2600.5512_X-WW_35D4CE83\
    39. cFilePathName[37] = C:\WINDOWS\SYSTEM32\NTDLL.DLL
    40. cFilePathName[38] = C:\WINDOWS\SYSTEM32\KERNEL32.DLL
    41. cFilePathName[39] = C:\WINDOWS\SYSTEM32\UNICODE.NLS
    42. cFilePathName[40] = C:\WINDOWS\SYSTEM32\LOCALE.NLS
    43. cFilePathName[41] = C:\WINDOWS\SYSTEM32\SORTTBLS.NLS
    44. cFilePathName[42] = C:\WINDOWS\SYSTEM32\COMDLG32.DLL
    45. cFilePathName[43] = C:\WINDOWS\SYSTEM32\ADVAPI32.DLL
    46. cFilePathName[44] = C:\WINDOWS\SYSTEM32\RPCRT4.DLL
    47. cFilePathName[45] = C:\WINDOWS\SYSTEM32\SECUR32.DLL
    48. cFilePathName[46] = C:\WINDOWS\WINSXS\X86_MICROSOFT.WINDOWS.COMMON-CONTROLS_6595B64144CCF1DF_6.0.2600.5512_X-WW_35D4CE83\COMCTL32.DLL
    49. cFilePathName[47] = C:\WINDOWS\SYSTEM32\MSVCRT.DLL
    50. cFilePathName[48] = C:\WINDOWS\SYSTEM32\GDI32.DLL
    51. cFilePathName[49] = C:\WINDOWS\SYSTEM32\USER32.DLL
    52. cFilePathName[50] = C:\WINDOWS\SYSTEM32\SHLWAPI.DLL
    53. cFilePathName[51] = C:\WINDOWS\SYSTEM32\SHELL32.DLL
    54. cFilePathName[52] = C:\WINDOWS\SYSTEM32\WINSPOOL.DRV
    55. cFilePathName[53] = C:\WINDOWS\SYSTEM32\SHIMENG.DLL
    56. cFilePathName[54] = C:\WINDOWS\APPPATCH\ACGENRAL.DLL
    57. cFilePathName[55] = C:\WINDOWS\SYSTEM32\WINMM.DLL
    58. cFilePathName[56] = C:\WINDOWS\SYSTEM32\OLE32.DLL
    59. cFilePathName[57] = C:\WINDOWS\SYSTEM32\OLEAUT32.DLL
    60. cFilePathName[58] = C:\WINDOWS\SYSTEM32\MSACM32.DLL
    61. cFilePathName[59] = C:\WINDOWS\SYSTEM32\VERSION.DLL
    62. cFilePathName[60] = C:\WINDOWS\SYSTEM32\USERENV.DLL
    63. cFilePathName[61] = C:\WINDOWS\SYSTEM32\UXTHEME.DLL
    64. cFilePathName[62] = C:\WINDOWS\SYSTEM32\CTYPE.NLS
    65. cFilePathName[63] = C:\WINDOWS\SYSTEM32\IMM32.DLL
    66. cFilePathName[64] = C:\WINDOWS\SYSTEM32\LPK.DLL
    67. cFilePathName[65] = C:\WINDOWS\SYSTEM32\USP10.DLL
    68. cFilePathName[66] = C:\WINDOWS\WINDOWSSHELL.MANIFEST
    69. cFilePathName[67] = C:\WINDOWS\SYSTEM32\MSCTF.DLL
    70. cFilePathName[68] = C:\WINDOWS\SYSTEM32\MSCTFIME.IME
    71. cFilePathName[69] = C:\SYSTEM VOLUME INFORMATION\_RESTORE{288FCF24-DDBA-4A0A-98C0-50E279B93ECC}\RP4\CHANGE.LOG
    72. cFilePathName[70] = C:\BOOT.INI
    73. cFilePathName[71] = C:\WINDOWS\SYSTEM32\WIN32K.SYS
    74. cFilePathName[72] = C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.5512_x-ww_35d4ce83
    75. cFilePathName[73] = C:\Documents and Settings\
    76. cFilePathName[74] = C:\Documents and Settings\Administrator\Local Settings\
    77. cFilePathName[75] = C:\Documents and Settings\Administrator\Local Settings\History\desktop.ini
    78. cFilePathName[76] = C:\WINDOWS\WindowsShell.Config
    79. cFilePathName[77] = C:\WINDOWS\system32\SHELL32.dll.124.Manifest
    80. cFilePathName[78] = C:\WINDOWS\system32\SHELL32.dll.124.Config
    81. cFilePathName[79] = C:\WINDOWS\Prefetch\
    82. cFilePathName[80] = C:\WINDOWS\system32\0804\
    83. cFilePathName[81] = C:\WINDOWS\MUI\Fallback\0804\
    84. cFilePathName[82] = C:\WINDOWS\system32\DRIVERS\MUI\0804\
    85. cFilePathName[83] = C:\WINDOWS\system32\DRIVERS\ACPI.sys
    86. cFilePathName[84] = C:\WINDOWS\system32\DRIVERS\mssmbios.sys
    87. cFilePathName[85] = C:\WINDOWS\system32\DRIVERS\intelppm.sys
    88. cFilePathName[86] = C:\WINDOWS\system32\DRIVERS\ipnat.sys
    89. cFilePathName[87] = C:\WINDOWS\System32\Drivers\HTTP.sys
    90. cFilePathName[88] = C:\WINDOWS\system32\WBEM\Logs\wmiprov.log
    91. cFilePathName[89] = C:\WINDOWS\SoftwareDistribution\DataStore\
    92. cFilePathName[90] = C:\WINDOWS\SoftwareDistribution\DataStore\DataStore.edb
    93. cFilePathName[91] = C:\WINDOWS\SoftwareDistribution\DataStore\DataStore.edb\
    94. cFilePathName[92] = C:\WINDOWS\SoftwareDistribution\DataStore
    95. cFilePathName[93] = C:\WINDOWS\SoftwareDistribution
    96. cFilePathName[94] = C:\WINDOWS\SoftwareDistribution\
    97. cFilePathName[95] = C:\WINDOWS
    98. cFilePathName[96] = C:\WINDOWS\SoftwareDistribution\DataStore\Logs\edb.chk
    99. cFilePathName[97] = C:\WINDOWS\SoftwareDistribution\DataStore\Logs\edb.chk\
    100. cFilePathName[98] = C:\WINDOWS\SoftwareDistribution\DataStore\Logs
    101. cFilePathName[99] = C:\WINDOWS\system32\xpsp2res.dll

note : Get FilePathName from FILE_OBJECT的更多相关文章

  1. FILE_OBJECT

    https://msdn.microsoft.com/en-us/library/windows/hardware/ff545834(v=vs.85).aspx The FILE_OBJECT str ...

  2. 三星Note 7停产,原来是吃了流程的亏

    三星Note 7发售两个月即成为全球噩梦,从首炸到传言停产仅仅47天.所谓"屋漏偏逢连天雨",相比华为.小米等品牌对其全球市场的挤压.侵蚀,Galaxy Note 7爆炸事件这场连 ...

  3. 《Note --- Unreal --- MemPro (CONTINUE... ...)》

    Mem pro 是一个主要集成内存泄露检测的工具,其具有自身的源码和GUI,在GUI中利用"Launch" button进行加载自己待检测的application,目前支持的平台为 ...

  4. 《Note --- Unreal 4 --- Sample analyze --- StrategyGame(continue...)》

    ---------------------------------------------------------------------------------------------------- ...

  5. [LeetCode] Ransom Note 赎金条

    
Given
 an 
arbitrary
 ransom
 note
 string 
and 
another 
string 
containing 
letters from
 all 
th ...

  6. Beginning Scala study note(9) Scala and Java Interoperability

    1. Translating Java Classes to Scala Classes Example 1: # a class declaration in Java public class B ...

  7. Beginning Scala study note(8) Scala Type System

    1. Unified Type System Scala has a unified type system, enclosed by the type Any at the top of the h ...

  8. Beginning Scala study note(7) Trait

    A trait provides code reusability in Scala by encapsulating method and state and then offing possibi ...

  9. Beginning Scala study note(6) Scala Collections

    Scala's object-oriented collections support mutable and immutable type hierarchies. Also support fun ...

随机推荐

  1. FreeBSD_11-系统管理——{Part_1-xfce 桌面}

    一.首先安装 Xorg 安装 xorg pkg install xorg 清除旧文件(如果已前安装过 xorg) /etc/X11/xorg.conf /usr/local/etc/X11/xorg. ...

  2. ajax 回传参数

    JSONObject json = new JSONObject(); json.put("msg", msg); json.put("success", co ...

  3. keepAlived主备及双主

    nginx用默认配置即可 1.主备配置 1.主keepAlived配置 vrrp_instance VI_1 { state MASTER #主备区分 interface eth0 virtual_r ...

  4. tomcat启动内存修改

    #   USE_NOHUP       (Optional) If set to the string true the start command will #                   ...

  5. VMware1设备与主机共享网络的问题

    问题的提出: 最近需要用到VMware1设备来配置网络,顺便将VMware1设备与主机进行共享网络,这样master就能直接访问网络了,但是原本以为直接在wlan设备上选择网络共享就行了,但是却没法收 ...

  6. redis主从复制和哨兵

    摘自:https://www.cnblogs.com/leeSmall/p/8398401.html 一.Redis主从复制 主从复制:主节点负责写数据,从节点负责读数据,主节点定期把数据同步到从节点 ...

  7. pandas读取xlsx

    一.使用pandas读取xlsx 引用pandas库 import pandas as pd pd.read_excel(path, sheet_name=0, header=0, names=Non ...

  8. Atcoder arc092

    E-Both Sides Merger 给你一个序列,支持两种操作,直到序列中只有一个数时停下来,使得剩下数最大,并输出选数方案. 操作1:扔掉一个最前端或最后端的元素.操作2:选取一个不在边界上的元 ...

  9. look at me

    I would bet my life, like I bet my heart我以生命与真心担保That you were the one, baby你就是我的命中注定I've never been ...

  10. 阿里云POLARDB如何帮助百胜软件应对数据库的“巅峰时刻”

    POLARDB是阿里云自研的下一代关系型云数据库,100%兼容MySQL,存储容量最高可达100TB,性能最高提升至MySQL的6倍,适用于企业多样化的数据库应用场景.POLARDB采用存储和计算分离 ...