// Extra create parameter (ECP) context attached by the I/O manager when a
// create is resolved through a symbolic link / mount point (identified in
// printECP() below by the IopSymlinkECPGuid GUID).
//
// NOTE(review): this layout is inferred from how Dump()/printECP() use it and
// appears to be an undocumented structure; confirm field meanings and offsets
// against the target OS build before relying on them.
struct SYMLINK_ECP_CONTEXT
{
    USHORT UnparsedNameLength;      // byte length of the tail of Name still to be parsed (see Dump)
    union{
        USHORT Flags;
        struct {
            USHORT MountPoint : 1;  // 1-bit flag; not read by the visible code — meaning presumed from its name
        };
    };
    USHORT DeviceNameLength;        // byte length of the device prefix at the start of Name (see Dump)
    USHORT Zero;                    // NOTE(review): purpose unknown; the name suggests it is always 0 — confirm
    SYMLINK_ECP_CONTEXT* Reparsed;  // next context in the reparse chain, or 0 at the end (Dump walks this)
    UNICODE_STRING Name;            // full name; Device and Unparsed are sub-views of Name.Buffer
};
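// Trace a chain of SYMLINK_ECP_CONTEXT records (linked through Reparsed) to
// the debugger: for each one the full name, the device prefix and the tail
// that has not been parsed yet.
//
// perd: first context of the chain; must be non-null. The chain is walked
//       until Reparsed is 0.
//
// NOTE(review): perd->Tag is not a member of SYMLINK_ECP_CONTEXT as declared
// above; this presumably relies on a fuller definition elsewhere — confirm.
void Dump(SYMLINK_ECP_CONTEXT* perd)
{
    do
    {
        DbgPrint("ERD[%x]: <%wZ>\n", perd->Tag, &perd->Name);

        // Both sub-strings are views into Name.Buffer, so each is printed only
        // when its length fits inside Name: a malformed or unexpected context
        // must not make DbgPrint read past the end of the buffer.
        USHORT NameLength = perd->Name.Length;
        UNICODE_STRING us = perd->Name;

        USHORT DeviceNameLength = perd->DeviceNameLength;
        if (DeviceNameLength <= NameLength)
        {
            us.Length = DeviceNameLength;
            DbgPrint("Device: <%wZ>\n", &us);
        }
        else
        {
            DbgPrint("Device: DeviceNameLength %x > Name.Length %x\n", DeviceNameLength, NameLength);
        }

        USHORT UnparsedNameLength = perd->UnparsedNameLength;
        if (UnparsedNameLength)
        {
            if (UnparsedNameLength <= NameLength)
            {
                // The unparsed part is the tail of Name. Lengths are in bytes,
                // hence the byte-offset helper rather than PWSTR arithmetic.
                us.Buffer = (PWSTR)RtlOffsetToPointer(perd->Name.Buffer, NameLength - UnparsedNameLength);
                us.MaximumLength = us.Length = UnparsedNameLength;
                DbgPrint("Unparsed: <%wZ>\n", &us);
            }
            else
            {
                DbgPrint("Unparsed: UnparsedNameLength %x > Name.Length %x\n", UnparsedNameLength, NameLength);
            }
        }

        perd = perd->Reparsed;
    } while (perd);
}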
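// Enumerate the extra create parameters (ECPs) attached to a create request and
// trace each one's origin (user/kernel), context pointer, type GUID and size.
// Kernel-originated ECPs carrying the I/O manager's symlink GUID are also
// decoded with Dump().
//
// Data: callback data of the create; g_Filter (defined elsewhere in the file)
//       is the filter handle used to look up the ECP list.
void printECP(PFLT_CALLBACK_DATA Data)
{
    // Type whose __uuidof() is the I/O manager's symlink ECP GUID.
    struct __declspec(uuid("73d5118a-88ba-439f-92f4-46d38952d250")) IopSymlinkECPGuid;

    PECP_LIST EcpList = 0;
    if (0 <= FltGetEcpListFromCallbackData(g_Filter, Data, &EcpList) && EcpList)
    {
        PVOID EcpContext = 0;   // 0 starts the enumeration; afterwards the previous context
        GUID EcpType;
        ULONG EcpContextSize;
        while (0 <= FsRtlGetNextExtraCreateParameter(EcpList, EcpContext, &EcpType, &EcpContext, &EcpContextSize))
        {
            BOOLEAN bUser = FsRtlIsEcpFromUserMode(EcpContext);
            DbgPrint("Ecp(%x): %p {%08x-%04x-%04x-%02x%02x-%02x%02x%02x%02x%02x%02x} [%x]\n",
                bUser, EcpContext, EcpType.Data1, EcpType.Data2, EcpType.Data3,
                EcpType.Data4[0], EcpType.Data4[1], EcpType.Data4[2], EcpType.Data4[3],
                EcpType.Data4[4], EcpType.Data4[5], EcpType.Data4[6], EcpType.Data4[7],
                EcpContextSize);

            // Only a kernel-mode ECP of the expected type AND at least the expected
            // size is interpreted as SYMLINK_ECP_CONTEXT: the GUID alone does not
            // prove the layout, and a user-supplied ECP may carry any GUID.
            if (!bUser && IsEqualGUID(__uuidof(IopSymlinkECPGuid), EcpType))
            {
                if (EcpContextSize >= sizeof(SYMLINK_ECP_CONTEXT))
                {
                    Dump((SYMLINK_ECP_CONTEXT*)EcpContext);
                }
                else
                {
                    DbgPrint("symlink ECP too small: %x < %x\n", EcpContextSize, (ULONG)sizeof(SYMLINK_ECP_CONTEXT));
                }
            }
        }
    }
}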
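// Print the reparse target recorded in the callback data when the create
// completed with STATUS_REPARSE: for IO_REPARSE the file object's own name,
// for mount points and symlinks the substitute name from the tag data buffer.
//
// Data:       callback data whose IoStatus.Information holds the reparse tag.
// FileObject: the file object being created (FltObjects->FileObject).
static void printReparseTarget(PFLT_CALLBACK_DATA Data, PFILE_OBJECT CONST FileObject)
{
    PFLT_TAG_DATA_BUFFER TagData = Data->TagData;
    ULONG_PTR ReparseTag = Data->IoStatus.Information;

    // IoStatus.Information carries the tag; a TagData buffer whose FileTag
    // disagrees with it cannot be trusted to have the matching layout, so it
    // is ignored. ReparseTag is pointer-sized, hence %Ix rather than %x.
    if (TagData && TagData->FileTag != ReparseTag)
    {
        DbgPrint("TagData:%x!=%Ix\n", TagData->FileTag, ReparseTag);
        TagData = 0;
    }

    UNICODE_STRING FileName = {};
    switch (ReparseTag)
    {
    case IO_REPARSE:
        FileName = FileObject->FileName;
        break;
    case IO_REPARSE_TAG_MOUNT_POINT:
        if (TagData)
        {
            FileName.MaximumLength =
                FileName.Length = TagData->MountPointReparseBuffer.SubstituteNameLength;
            FileName.Buffer = (PWSTR)RtlOffsetToPointer(
                TagData->MountPointReparseBuffer.PathBuffer,
                TagData->MountPointReparseBuffer.SubstituteNameOffset);
        }
        break;
    case IO_REPARSE_TAG_SYMLINK:
        if (TagData)
        {
            DbgPrint("[%x]\n", TagData->SymbolicLinkReparseBuffer.Flags);
            FileName.MaximumLength =
                FileName.Length = TagData->SymbolicLinkReparseBuffer.SubstituteNameLength;
            FileName.Buffer = (PWSTR)RtlOffsetToPointer(
                TagData->SymbolicLinkReparseBuffer.PathBuffer,
                TagData->SymbolicLinkReparseBuffer.SubstituteNameOffset);
        }
        break;
    default:
        DbgPrint("ReparseTag=%Ix ?\n", ReparseTag);
        break;
    }

    if (FileName.Length)
    {
        DbgPrint("%Ix: -> %wZ\n", ReparseTag, &FileName);
    }
}

// Query and print the name the file was opened by (FLT_FILE_NAME_OPENED),
// releasing the name information again on success.
static void printOpenedName(PFLT_CALLBACK_DATA Data)
{
    PFLT_FILE_NAME_INFORMATION NameInfo = 0;
    NTSTATUS status = FltGetFileNameInformation(Data,
        FLT_FILE_NAME_OPENED |
        FLT_FILE_NAME_QUERY_DEFAULT |
        FLT_FILE_NAME_ALLOW_QUERY_ON_REPARSE, &NameInfo);
    if (0 <= status)
    {
        DbgPrint("FLT_FILE_NAME_OPENED:%wZ\n", &NameInfo->Name);
        FltReleaseFileNameInformation(NameInfo);   // balances the reference taken by the query
    }
    else
    {
        DbgPrint("FltGetFileNameInformation:%x\n", status);
    }
}

// Post-create minifilter callback: when the creating process is being debugged
// and the create succeeded (and was not an open-by-ID), trace the ECPs, the
// file name, any reparse target and the opened name to the debugger. Purely
// diagnostic; it never alters the request.
//
// Data:              callback data of the completed create.
// FltObjects:        related objects; FileObject is read from here.
// CompletionContext: unused.
// Flags:             post-operation flags; checked for draining.
// Returns FLT_POSTOP_FINISHED_PROCESSING in all cases.
FLT_POSTOP_CALLBACK_STATUS PostCreate(__inout PFLT_CALLBACK_DATA Data,
    __in PCFLT_RELATED_OBJECTS FltObjects,
    __in_opt PVOID CompletionContext,
    __in FLT_POST_OPERATION_FLAGS Flags
    )
{
    // While the filter instance is draining (being torn down) a post-operation
    // callback must do no real work on the request; return immediately.
    if (Flags & FLTFL_POST_OPERATION_DRAINING)
    {
        return FLT_POSTOP_FINISHED_PROCESSING;
    }

    if (PsIsProcessBeingDebugged(PsGetCurrentProcess()) && 0 <= Data->IoStatus.Status &&
        !(Data->Iopb->Parameters.Create.Options & FILE_OPEN_BY_FILE_ID))
    {
        DbgPrint("+++ PostCreate\n");
        printECP(Data);
        PFILE_OBJECT CONST FileObject = FltObjects->FileObject;
        // IoStatus.Information is pointer-sized: %Ix keeps the format and
        // argument in agreement on 64-bit builds.
        DbgPrint("%p(%x,%Ix) FileName=%wZ\n",
            Data->TagData, Data->IoStatus.Status, Data->IoStatus.Information, &FileObject->FileName);
        if (Data->IoStatus.Status == STATUS_REPARSE)
        {
            printReparseTarget(Data, FileObject);
        }
        printOpenedName(Data);
        DbgPrint("--- PostCreate\n");
    }
    return FLT_POSTOP_FINISHED_PROCESSING;
}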