
rename minifilter

a guest
May 22nd, 2019
  1. #include <fltkernel.h>
  2.  
  3.  
// Forward declarations for the driver entry point and the filter unload
// routine. Unload must be declared here because gRegistration references
// it before its definition further down the file.
DRIVER_INITIALIZE DriverEntry;
NTSTATUS
DriverEntry(
    _In_ PDRIVER_OBJECT DriverObject,
    _In_ PUNICODE_STRING RegistryPath
);
 
// Filter unload callback; stored in gRegistration and implemented at the
// end of the file.
NTSTATUS
FLTAPI
Unload(
    _In_ FLT_FILTER_UNLOAD_FLAGS Flags
);
  16.  
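/*
 * Pre-operation callback for IRP_MJ_SET_INFORMATION.
 *
 * Only rename requests (FileRenameInformation / FileRenameInformationEx) are
 * of interest; everything else is passed through without a post-operation
 * callback. For a rename, the routine logs the destination name and the
 * current (source) name as seen with two different query methods, then hands
 * the destination name information to the post-operation callback through
 * CompletionContext.
 *
 * Ownership: when the destination name query succeeds, the reference on the
 * returned FLT_FILE_NAME_INFORMATION is NOT released here. It travels in
 * *CompletionContext and must be released by the post-operation path.
 *
 * Returns FLT_PREOP_SUCCESS_NO_CALLBACK for non-rename requests and for
 * rename buffers whose declared name length does not fit the request buffer;
 * FLT_PREOP_SUCCESS_WITH_CALLBACK otherwise.
 */
FLT_PREOP_CALLBACK_STATUS
FLTAPI
RenamePreSetInformation(
    _Inout_ PFLT_CALLBACK_DATA Data,
    _In_ PCFLT_RELATED_OBJECTS FltObjects,
    _Outptr_result_maybenull_ PVOID *CompletionContext
)
{
    FILE_INFORMATION_CLASS fileInfoClass = Data->Iopb->Parameters.SetFileInformation.FileInformationClass;
    ULONG infoLength = Data->Iopb->Parameters.SetFileInformation.Length;
    PFLT_FILE_NAME_INFORMATION nameInfo = NULL;
    PFLT_FILE_NAME_INFORMATION nameInfo2 = NULL;
    PFLT_FILE_NAME_INFORMATION destinationNameInfo = NULL;
    PFILE_RENAME_INFORMATION renameInfo = (PFILE_RENAME_INFORMATION)Data->Iopb->Parameters.SetFileInformation.InfoBuffer;

    // Give the out parameter a defined value on every return path.
    *CompletionContext = NULL;

    if (FileRenameInformation != fileInfoClass && FileRenameInformationEx != fileInfoClass)
    {
        return FLT_PREOP_SUCCESS_NO_CALLBACK;
    }

    // FileNameLength comes from the requester. Make sure the fixed header and
    // the declared name both fit inside the request buffer before the name is
    // handed to the filter manager; the subtraction form avoids overflow.
    if (renameInfo == NULL ||
        infoLength < (ULONG)FIELD_OFFSET(FILE_RENAME_INFORMATION, FileName) ||
        renameInfo->FileNameLength > infoLength - (ULONG)FIELD_OFFSET(FILE_RENAME_INFORMATION, FileName))
    {
        DbgPrintEx(DPFLTR_IHVDRIVER_ID, DPFLTR_ERROR_LEVEL, "PRE rename buffer is malformed, not inspecting\n");
        return FLT_PREOP_SUCCESS_NO_CALLBACK;
    }

    // Name queries can fail during normal operation, so failures are logged
    // instead of being asserted on.
    NTSTATUS status = FltGetDestinationFileNameInformation(FltObjects->Instance,
        FltObjects->FileObject,
        renameInfo->RootDirectory,
        renameInfo->FileName,
        renameInfo->FileNameLength,
        FLT_FILE_NAME_NORMALIZED | FLT_FILE_NAME_QUERY_DEFAULT,
        &destinationNameInfo
    );
    if (NT_SUCCESS(status))
    {
        // %wZ expects a pointer to a UNICODE_STRING, not the structure itself.
        DbgPrintEx(DPFLTR_IHVDRIVER_ID, DPFLTR_ERROR_LEVEL, "PRE FltGetDestinationFileNameInformation %wZ\n", &destinationNameInfo->Name);
    }
    else
    {
        // Do not pass a stale pointer on to the post-operation callback.
        destinationNameInfo = NULL;
        DbgPrintEx(DPFLTR_IHVDRIVER_ID, DPFLTR_ERROR_LEVEL, "PRE FltGetDestinationFileNameInformation failed: 0x%08lX\n", (ULONG)status);
    }

    status = FltGetFileNameInformation(Data, FLT_FILE_NAME_NORMALIZED | FLT_FILE_NAME_QUERY_DEFAULT, &nameInfo);
    if (NT_SUCCESS(status))
    {
        DbgPrintEx(DPFLTR_IHVDRIVER_ID, DPFLTR_ERROR_LEVEL, "PRE FltGetFileNameInformation,normalized,default: %wZ\n", &nameInfo->Name);
        FltReleaseFileNameInformation(nameInfo);
    }

    status = FltGetFileNameInformation(Data, FLT_FILE_NAME_NORMALIZED | FLT_FILE_NAME_QUERY_FILESYSTEM_ONLY, &nameInfo2);
    if (NT_SUCCESS(status))
    {
        DbgPrintEx(DPFLTR_IHVDRIVER_ID, DPFLTR_ERROR_LEVEL, "PRE FltGetFileNameInformation,normalized,fs only: %wZ\n", &nameInfo2->Name);
        FltReleaseFileNameInformation(nameInfo2);
    }

    // May be NULL when the destination query failed; the post-operation
    // callbacks check for that before using or releasing it.
    *CompletionContext = destinationNameInfo;
    return FLT_PREOP_SUCCESS_WITH_CALLBACK;
}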
  66.  
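/*
 * Post-operation worker for rename requests, invoked through
 * FltDoCompletionProcessingWhenSafe by RenamePostSetInformation.
 *
 * CompletionContext carries the destination name information captured in
 * the pre-operation callback (or NULL if that query failed). This routine
 * owns that reference and releases it on every return path.
 *
 * After a successful rename it logs the tunneled name (if any), the file
 * name as seen with two query methods, and the destination name recomputed
 * from the rename buffer.
 *
 * Always returns FLT_POSTOP_FINISHED_PROCESSING.
 */
FLT_POSTOP_CALLBACK_STATUS
FLTAPI
RenamePostSetInformationSafe(
    _Inout_ PFLT_CALLBACK_DATA Data,
    _In_ PCFLT_RELATED_OBJECTS FltObjects,
    _In_opt_ PVOID CompletionContext,
    _In_ FLT_POST_OPERATION_FLAGS Flags
)
{
    UNREFERENCED_PARAMETER(Flags);
    NTSTATUS status = STATUS_UNSUCCESSFUL;
    PFLT_FILE_NAME_INFORMATION preNameInfo = (PFLT_FILE_NAME_INFORMATION)CompletionContext;
    PFLT_FILE_NAME_INFORMATION tunneledNameInfo = NULL;
    PFLT_FILE_NAME_INFORMATION nameInfo = NULL;
    PFLT_FILE_NAME_INFORMATION nameInfo2 = NULL;
    PFLT_FILE_NAME_INFORMATION destinationNameInfo = NULL;
    PFILE_RENAME_INFORMATION renameInfo = (PFILE_RENAME_INFORMATION)Data->Iopb->Parameters.SetFileInformation.InfoBuffer;

    if (!NT_SUCCESS(Data->IoStatus.Status))
    {
        // The rename failed, but the reference taken in the pre-operation
        // callback is still ours to drop; returning without releasing it
        // would leak the name information structure.
        if (preNameInfo)
        {
            FltReleaseFileNameInformation(preNameInfo);
        }
        return FLT_POSTOP_FINISHED_PROCESSING;
    }

    if (preNameInfo)
    {
        // Name queries can fail during normal operation, so failures are
        // skipped rather than asserted on.
        status = FltGetTunneledName(Data, preNameInfo, &tunneledNameInfo);
        if (NT_SUCCESS(status))
        {
            if (tunneledNameInfo)
            {
                DbgPrintEx(DPFLTR_IHVDRIVER_ID, DPFLTR_ERROR_LEVEL, "POST FltGetTunneledName: %wZ\n", &tunneledNameInfo->Name);

                FltReleaseFileNameInformation(tunneledNameInfo);
            }
            else
            {
                DbgPrintEx(DPFLTR_IHVDRIVER_ID, DPFLTR_ERROR_LEVEL, "POST FltGetTunneledName: No tunneling.\n");
            }
        }
        FltReleaseFileNameInformation(preNameInfo);
    }

    status = FltGetFileNameInformation(Data, FLT_FILE_NAME_NORMALIZED | FLT_FILE_NAME_QUERY_DEFAULT, &nameInfo);
    if (NT_SUCCESS(status))
    {
        DbgPrintEx(DPFLTR_IHVDRIVER_ID, DPFLTR_ERROR_LEVEL, "POST FltGetFileNameInformation,normalized,default: %wZ\n", &nameInfo->Name);
        FltReleaseFileNameInformation(nameInfo);
    }

    status = FltGetFileNameInformation(Data, FLT_FILE_NAME_NORMALIZED | FLT_FILE_NAME_QUERY_FILESYSTEM_ONLY, &nameInfo2);
    if (NT_SUCCESS(status))
    {
        DbgPrintEx(DPFLTR_IHVDRIVER_ID, DPFLTR_ERROR_LEVEL, "POST FltGetFileNameInformation,normalized,fs only: %wZ\n", &nameInfo2->Name);
        FltReleaseFileNameInformation(nameInfo2);
    }

    // Recompute the destination name now that the rename has completed, for
    // comparison with the value logged in the pre-operation callback.
    status = FltGetDestinationFileNameInformation(FltObjects->Instance,
        FltObjects->FileObject,
        renameInfo->RootDirectory,
        renameInfo->FileName,
        renameInfo->FileNameLength,
        FLT_FILE_NAME_NORMALIZED | FLT_FILE_NAME_QUERY_DEFAULT,
        &destinationNameInfo
    );
    if (NT_SUCCESS(status))
    {
        DbgPrintEx(DPFLTR_IHVDRIVER_ID, DPFLTR_ERROR_LEVEL, "POST FltGetDestinationFileNameInformation: %wZ\n", &destinationNameInfo->Name);
        FltReleaseFileNameInformation(destinationNameInfo);
    }

    return FLT_POSTOP_FINISHED_PROCESSING;
}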
  138.  
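/*
 * Post-operation callback for IRP_MJ_SET_INFORMATION.
 *
 * CompletionContext is the destination name information captured by the
 * pre-operation callback (may be NULL). The real work is done in
 * RenamePostSetInformationSafe, which is run through
 * FltDoCompletionProcessingWhenSafe.
 *
 * The name reference in CompletionContext is released here on the two paths
 * where the safe routine does not run: when the instance is draining, and
 * when FltDoCompletionProcessingWhenSafe reports failure.
 */
FLT_POSTOP_CALLBACK_STATUS
FLTAPI
RenamePostSetInformation(
    _Inout_ PFLT_CALLBACK_DATA Data,
    _In_ PCFLT_RELATED_OBJECTS FltObjects,
    _In_opt_ PVOID CompletionContext,
    _In_ FLT_POST_OPERATION_FLAGS Flags
)
{
    // Initialized so that a defined value is returned even if the helper
    // below fails without writing to it.
    FLT_POSTOP_CALLBACK_STATUS status = FLT_POSTOP_FINISHED_PROCESSING;

    if (FlagOn(Flags, FLTFL_POST_OPERATION_DRAINING))
    {
        // Draining: only clean up the context, do no other processing.
        if (CompletionContext)
        {
            FltReleaseFileNameInformation((PFLT_FILE_NAME_INFORMATION)CompletionContext);
        }
        return FLT_POSTOP_FINISHED_PROCESSING;
    }

    if (!FltDoCompletionProcessingWhenSafe(Data, FltObjects, CompletionContext, Flags, RenamePostSetInformationSafe, &status))
    {
        // FALSE means the safe routine was neither run nor queued (per the
        // documented contract of this API), so nobody else will release the
        // name reference taken in the pre-operation callback.
        if (CompletionContext)
        {
            FltReleaseFileNameInformation((PFLT_FILE_NAME_INFORMATION)CompletionContext);
        }
        status = FLT_POSTOP_FINISHED_PROCESSING;
    }

    return status;
}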
  162.  
// Operation registration table: the filter only hooks
// IRP_MJ_SET_INFORMATION, skips paging I/O, and installs the rename
// pre- and post-operation callbacks. IRP_MJ_OPERATION_END terminates
// the array.
static const FLT_OPERATION_REGISTRATION gCallbacks[] = {
    {
        IRP_MJ_SET_INFORMATION,
        FLTFL_OPERATION_REGISTRATION_SKIP_PAGING_IO,
        RenamePreSetInformation,
        RenamePostSetInformation
    },
    { IRP_MJ_OPERATION_END }
};
  172.  
// Filter registration passed to FltRegisterFilter in DriverEntry. The
// initializer is positional; the comments name the FLT_REGISTRATION
// member each value lands in. Only the operation table and the unload
// callback are supplied.
static FLT_REGISTRATION gRegistration = {
     sizeof(FLT_REGISTRATION),  // Size
    FLT_REGISTRATION_VERSION,   // Version
    0,                          // Flags
    NULL,                       // ContextRegistration
    gCallbacks,                 // OperationRegistration
    Unload,                     // FilterUnloadCallback
    NULL,                       // InstanceSetupCallback
    NULL,                       // InstanceQueryTeardownCallback
    NULL,                       // InstanceTeardownStartCallback
    NULL,                       // InstanceTeardownCompleteCallback
    NULL,                       // GenerateFileNameCallback
    NULL,                       // NormalizeNameComponentCallback
    NULL                        // NormalizeContextCleanupCallback
};
  188.  
// Filter handle written by FltRegisterFilter in DriverEntry and passed to
// FltStartFiltering and FltUnregisterFilter.
PFLT_FILTER gFilter;
  190.  
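/*
 * Driver entry point: registers the minifilter described by gRegistration
 * and starts filtering.
 *
 * Returns the failing NTSTATUS if registration or start fails, so the
 * driver load is reported as failed instead of leaving a half-initialized
 * filter behind. If FltStartFiltering fails, the filter is unregistered
 * before returning.
 */
NTSTATUS
DriverEntry(
    _In_ PDRIVER_OBJECT DriverObject,
    _In_ PUNICODE_STRING RegistryPath
)
{
    UNREFERENCED_PARAMETER(RegistryPath);

    NTSTATUS status = FltRegisterFilter(DriverObject, &gRegistration, &gFilter);
    if (!NT_SUCCESS(status))
    {
        // gFilter is not valid here; it must not be passed to
        // FltStartFiltering.
        return status;
    }

    status = FltStartFiltering(gFilter);
    if (!NT_SUCCESS(status))
    {
        // Undo the registration so no callbacks stay attached to a driver
        // that is about to fail its load.
        FltUnregisterFilter(gFilter);
        gFilter = NULL;
    }

    return status;
}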
  208.  
/*
 * Filter unload callback registered in gRegistration.
 *
 * Unregisters the filter held in gFilter and reports success. The unload
 * flags are not inspected.
 */
NTSTATUS
FLTAPI
Unload(_In_ FLT_FILTER_UNLOAD_FLAGS Flags)
{
    UNREFERENCED_PARAMETER(Flags);
    FltUnregisterFilter(gFilter);
    return STATUS_SUCCESS;
}