Introduction
Have you ever thought of blocking access to USB memory and CD drives? I will introduce an example of how to do this. Perhaps some of you will not be interested in this, but I think the technique will be useful for larger projects. I referenced a sample in the Microsoft Windows DDK. This sample is implemented as a file system filter driver. As you know, file system filter drivers are commonly used in anti-virus products, and they can be used for other purposes as well. In this sample, we can not only block access, but also log the path of each file written to the USB device.
How to Use
This sample consists of two .sys files and a DLL file. To test this sample, first execute install.exe in the 1_install folder. You can uninstall it by executing uninstall.exe in the 3_uninstall folder.
As seen above, click the OK button first and then test the functions.
Using the Code
Here I will explain the file system filter driver. There are two ways to develop a file system filter driver. One is to use the filter functions supported by FLTLIB.DLL in the system32 directory; in this case, we can communicate with the driver by using the FilterConnectCommunicationPort() and FilterSendMessage() functions. The other is to get a pointer to the file system driver's device object and attach our driver to it by using the IoAttachDeviceToDeviceStack() function.
DriverEntry
The DriverEntry() function should be written as below:
```c
NTSTATUS
DriverEntry (
    __in PDRIVER_OBJECT DriverObject,
    __in PUNICODE_STRING RegistryPath
    )
{
    PSECURITY_DESCRIPTOR sd;
    OBJECT_ATTRIBUTES oa;
    UNICODE_STRING uniString;
    NTSTATUS status;
    PFLT_VOLUME fltvolume;
    HANDLE handle = (PVOID)-1;
    PROCESS_DEVICEMAP_INFORMATION ldrives;
    ULONG drive, bit;
    STRING ansiString, ansiVolString;
    UNICODE_STRING unString, unVolString;
    CHAR szDrv[20];
    ULONG sizeneeded;
    HANDLE hThread;
    OBJECT_ATTRIBUTES oaThread;
    KIRQL irql;
    ULONG i;

    try {
        // Global driver state shared by the callbacks and the logging code
        ACDrvData.LogSequenceNumber = 0;
        ACDrvData.MaxRecordsToAllocate = DEFAULT_MAX_RECORDS_TO_ALLOCATE;
        ACDrvData.RecordsAllocated = 0;
        ACDrvData.NameQueryMethod = DEFAULT_NAME_QUERY_METHOD;
        ACDrvData.DriverObject = DriverObject;

        // Queue of log records waiting to be sent to user mode, and its lock
        InitializeListHead( &ACDrvData.OutputBufferList );
        KeInitializeSpinLock( &ACDrvData.OutputBufferLock );

#if ACDRV_LONGHORN
        //
        // Dynamically import FilterMgr APIs for transaction support
        //
        ACDrvData.PFltSetTransactionContext =
            FltGetRoutineAddress( "FltSetTransactionContext" );
        ACDrvData.PFltGetTransactionContext =
            FltGetRoutineAddress( "FltGetTransactionContext" );
        ACDrvData.PFltEnlistInTransaction =
            FltGetRoutineAddress( "FltEnlistInTransaction" );
#endif

        // Read configurable settings (such as the record cap) from the registry
        SpyReadDriverParameters(RegistryPath);

        // (the listing ends here; the remainder of DriverEntry is not included on this page)
```
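As an added example (not the article's code and not the DDK sample's), here is the decision a pre-operation callback in such a minifilter ends up making for the blocking and logging described above: it denies creates and writes on removable disks and CD-ROMs and records the path of each attempted write, capped by MaxRecordsToAllocate as set in DriverEntry. The VolumeInfo and AcDrvData structs, IsBlockedMedia() and AcPreOperation() are hypothetical names, and the Windows constants are redefined locally so the file builds without the DDK.

```c
#include <stdio.h>
#include <string.h>
/* Hypothetical stand-in for the minifilter's pre-operation callback. Windows and
 * FltMgr constants are redefined locally so it builds anywhere; a real driver
 * takes them from fltKernel.h and the volume data from FltGetVolumeProperties(). */
#define FILE_DEVICE_CD_ROM            0x00000002UL
#define FILE_DEVICE_DISK              0x00000007UL
#define FILE_REMOVABLE_MEDIA          0x00000001UL  /* DeviceCharacteristics bit */
#define IRP_MJ_CREATE                 0x00
#define IRP_MJ_WRITE                  0x04
#define STATUS_SUCCESS                0x00000000UL
#define STATUS_ACCESS_DENIED          0xC0000022UL
#define FLT_PREOP_SUCCESS_NO_CALLBACK 1
#define FLT_PREOP_COMPLETE            3
#define DEFAULT_MAX_RECORDS_TO_ALLOCATE 500    /* same cap DriverEntry sets */
#define MAX_PATH_LEN 260
typedef struct {                 /* subset of FLT_VOLUME_PROPERTIES */
    unsigned long DeviceType;
    unsigned long DeviceCharacteristics;
} VolumeInfo;
typedef struct {                 /* mirrors the ACDrvData logging fields */
    unsigned long LogSequenceNumber;
    unsigned long MaxRecordsToAllocate;
    unsigned long RecordsAllocated;
    char LastPath[MAX_PATH_LEN];
} AcDrvData;

/* Blocked media: a CD-ROM, or a disk flagged removable (a USB stick). */
int IsBlockedMedia(const VolumeInfo *v) {
    if (v->DeviceType == FILE_DEVICE_CD_ROM) return 1;
    return v->DeviceType == FILE_DEVICE_DISK &&
           (v->DeviceCharacteristics & FILE_REMOVABLE_MEDIA) != 0;
}

/* Deny IRP_MJ_CREATE and IRP_MJ_WRITE on blocked media and log the path of each
 * attempted write; all other I/O passes down the stack untouched. Returns the
 * FLT_PREOP_* status; *ioStatus is what Data->IoStatus.Status would receive. */
int AcPreOperation(AcDrvData *d, const VolumeInfo *v, unsigned char majorFn,
                   const char *path, unsigned long *ioStatus) {
    *ioStatus = STATUS_SUCCESS;
    if (!IsBlockedMedia(v) || (majorFn != IRP_MJ_CREATE && majorFn != IRP_MJ_WRITE))
        return FLT_PREOP_SUCCESS_NO_CALLBACK;
    /* log only while under the record cap, like the DDK sample's allocation guard */
    if (majorFn == IRP_MJ_WRITE && d->RecordsAllocated < d->MaxRecordsToAllocate) {
        d->RecordsAllocated++;
        d->LogSequenceNumber++;
        snprintf(d->LastPath, sizeof d->LastPath, "%s", path);
    }
    *ioStatus = STATUS_ACCESS_DENIED;
    return FLT_PREOP_COMPLETE;   /* completed here; the file system never sees it */
}
```

Returning FLT_PREOP_COMPLETE with STATUS_ACCESS_DENIED is how the filter stops the request before the file system sees it; a fixed disk takes the FLT_PREOP_SUCCESS_NO_CALLBACK path and is untouched.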
Read more: Codeproject