
Main.c

a guest
Jun 18th, 2017
  1. #include "MainFunctions.h"
  2.  
  // Kernel object name of the control device; filled in by DriverEntry.
  UNICODE_STRING dev;
  // Symbolic-link name that points at the control device; filled in by DriverEntry.
  UNICODE_STRING dos;

  // Control device object; receives the result of IoCreateDevice in DriverEntry.
  // Note that the dispatch routines below take a parameter of the same name,
  // which shadows this global inside them.
  PDEVICE_OBJECT DeviceObject;

  // Minifilter handle; receives the result of FltRegisterFilter in DriverEntry.
  PFLT_FILTER Filter;
  9.  
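  /*
   * Driver entry point.
   *
   * Installs the IRP dispatch table, creates the control device and its
   * symbolic link, registers the minifilter and finally starts filtering.
   * Every step is checked; on failure everything created so far is torn down
   * and the failing NTSTATUS is returned so the driver does not stay loaded
   * in a half-initialized state.
   *
   * DriverObject  - driver object supplied by the I/O manager.
   * RegistryPath  - unused.
   *
   * Returns STATUS_SUCCESS when the device, the link and the filter are all
   * live, otherwise the status of the first step that failed.
   *
   * NOTE(review): nothing visible here deletes the device and the symbolic
   * link at unload time; confirm that the filter unload callback referenced
   * by Registration does so.
   */
  NTSTATUS DriverEntry(PDRIVER_OBJECT DriverObject, PUNICODE_STRING RegistryPath)
  {
      NTSTATUS Status;

      UNREFERENCED_PARAMETER(RegistryPath);

      /* MajorFunction has IRP_MJ_MAXIMUM_FUNCTION + 1 slots, so the bound is inclusive. */
      for (ULONG i = 0; i <= IRP_MJ_MAXIMUM_FUNCTION; i++) {
          DriverObject->MajorFunction[i] = UnimplementedCall;
      }

      DriverObject->MajorFunction[IRP_MJ_CREATE] = CreateCall;
      DriverObject->MajorFunction[IRP_MJ_CLOSE] = CloseCall;
      DriverObject->MajorFunction[IRP_MJ_DEVICE_CONTROL] = DevIOControl;

      RtlInitUnicodeString(&dev, L"\\Device\\L3nAVFlt");
      /* The object directory is \DosDevices (plural); \DosDevice does not exist. */
      RtlInitUnicodeString(&dos, L"\\DosDevices\\L3nAVFlt");

      /*
       * NOTE(review): IoCreateDevice applies a default security descriptor.
       * For a control device that will accept IOCTLs, IoCreateDeviceSecure
       * with an SDDL string limited to SYSTEM and Administrators is the usual
       * hardening; FILE_DEVICE_SECURE_OPEN only makes that descriptor apply
       * to opens inside the device namespace as well.
       */
      Status = IoCreateDevice(DriverObject, 0, &dev, FILE_DEVICE_UNKNOWN, FILE_DEVICE_SECURE_OPEN, FALSE, &DeviceObject);
      if (!NT_SUCCESS(Status)) {
          DPrint("Create device: 0x%x\n", Status);
          DeviceObject = NULL;
          return Status;
      }

      /* DO_BUFFERED_IO is a device-object flag; it has no meaning in DriverObject->Flags. */
      DeviceObject->Flags |= DO_BUFFERED_IO;

      Status = IoCreateSymbolicLink(&dos, &dev);
      if (!NT_SUCCESS(Status)) {
          DPrint("Create symbolic link: 0x%x\n", Status);
          goto delete_device;
      }

      Status = FltRegisterFilter(DriverObject, &Registration, &Filter);
      DPrint("Register Filter: 0x%x\n", Status);
      if (!NT_SUCCESS(Status)) {
          goto delete_link;
      }

      /* Start filtering last: callbacks can run as soon as this call is made. */
      Status = FltStartFiltering(Filter);
      DPrint("Start filtering: 0x%x\n", Status);
      if (!NT_SUCCESS(Status)) {
          FltUnregisterFilter(Filter);
          Filter = NULL;
          goto delete_link;
      }

      return STATUS_SUCCESS;

  delete_link:
      IoDeleteSymbolicLink(&dos);
  delete_device:
      IoDeleteDevice(DeviceObject);
      DeviceObject = NULL;
      return Status;
  }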
  40.  
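  /*
   * Default dispatch routine for every major function the driver does not
   * handle: completes the IRP with STATUS_NOT_SUPPORTED and no data.
   *
   * DeviceObject - unused.
   * Irp          - request to complete.
   *
   * Returns STATUS_NOT_SUPPORTED. The value returned from a dispatch routine
   * must be the same status the IRP was completed with; returning
   * STATUS_SUCCESS here would tell the I/O manager the opposite of what
   * IoStatus.Status says.
   */
  NTSTATUS UnimplementedCall(PDEVICE_OBJECT DeviceObject, PIRP Irp) {
      UNREFERENCED_PARAMETER(DeviceObject);

      Irp->IoStatus.Information = 0;
      Irp->IoStatus.Status = STATUS_NOT_SUPPORTED;

      /* The IRP must not be touched after this call, so return a constant. */
      IoCompleteRequest(Irp, IO_NO_INCREMENT);

      return STATUS_NOT_SUPPORTED;
  }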
  51.  
  /*
   * IRP_MJ_CREATE handler for the control device.
   *
   * Completes every open request successfully with no data. No check of the
   * caller is made here, so who may obtain a handle is decided solely by the
   * security descriptor of the device object.
   *
   * DeviceObject - unused.
   * Irp          - create request to complete.
   *
   * Returns STATUS_SUCCESS.
   */
  NTSTATUS CreateCall(PDEVICE_OBJECT DeviceObject, PIRP Irp)
  {
      const NTSTATUS Result = STATUS_SUCCESS;

      UNREFERENCED_PARAMETER(DeviceObject);

      Irp->IoStatus.Information = 0;
      Irp->IoStatus.Status = Result;
      IoCompleteRequest(Irp, IO_NO_INCREMENT);

      return Result;
  }
  62.  
  /*
   * IRP_MJ_CLOSE handler for the control device.
   *
   * Completes the close request successfully with no data; there is no
   * per-handle state to release.
   *
   * DeviceObject - unused.
   * Irp          - close request to complete.
   *
   * Returns STATUS_SUCCESS.
   */
  NTSTATUS CloseCall(PDEVICE_OBJECT DeviceObject, PIRP Irp)
  {
      const NTSTATUS Result = STATUS_SUCCESS;

      UNREFERENCED_PARAMETER(DeviceObject);

      Irp->IoStatus.Information = 0;
      Irp->IoStatus.Status = Result;
      IoCompleteRequest(Irp, IO_NO_INCREMENT);

      return Result;
  }
  73.  
  /*
   * IRP_MJ_DEVICE_CONTROL handler for the control device.
   *
   * Currently a stub: no control code is decoded and every request is
   * completed with STATUS_NOT_SUPPORTED and zero bytes returned.
   *
   * When control codes are added, the code sent from user space is read from
   * the current stack location (IoGetCurrentIrpStackLocation(Irp), field
   * Parameters.DeviceIoControl.IoControlCode). Each handler should reject
   * unknown codes and check the input and output buffer lengths from the same
   * structure before reading or writing the request buffer, since both are
   * supplied by the caller.
   *
   * DeviceObject - unused.
   * Irp          - device-control request to complete.
   *
   * Returns the status the IRP was completed with.
   */
  NTSTATUS DevIOControl(PDEVICE_OBJECT DeviceObject, PIRP Irp)
  {
      const NTSTATUS Result = STATUS_NOT_SUPPORTED;
      const ULONG OutputLength = 0;

      UNREFERENCED_PARAMETER(DeviceObject);

      Irp->IoStatus.Information = OutputLength;
      Irp->IoStatus.Status = Result;
      IoCompleteRequest(Irp, IO_NO_INCREMENT);

      return Result;
  }
  94.  
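  /*
   * Pre-operation callback: logs the result of querying and parsing the name
   * of the file the operation targets.
   *
   * Data              - callback data for the I/O operation.
   * FltObjects        - related objects; only FileObject is inspected.
   * CompletionContext - unused.
   *
   * Returns FLT_PREOP_SUCCESS_WITH_CALLBACK in every case, so the operation
   * is never blocked by this routine.
   *
   * NOTE(review): that return value asks for a post-operation callback;
   * confirm Registration supplies one for the operations routed here.
   */
  FLT_PREOP_CALLBACK_STATUS PreOpCallback(PFLT_CALLBACK_DATA Data, PCFLT_RELATED_OBJECTS FltObjects, _Flt_CompletionContext_Outptr_ PVOID *CompletionContext)
  {
      PFLT_FILE_NAME_INFORMATION FileNameInfo = NULL;
      NTSTATUS NameStatus;

      UNREFERENCED_PARAMETER(CompletionContext);

      DPrint("Yoooo\n");

      if (FltObjects->FileObject == NULL) {
          DPrint("Ghosterino!\n");
          return FLT_PREOP_SUCCESS_WITH_CALLBACK;
      }

      NameStatus = FltGetFileNameInformation(Data, FLT_FILE_NAME_NORMALIZED | FLT_FILE_NAME_QUERY_ALWAYS_ALLOW_CACHE_LOOKUP, &FileNameInfo);
      DPrint("GetFileNameInfo: 0x%x\n", NameStatus);

      /*
       * The query can fail (for example when the name is not cached and the
       * file system cannot be asked safely), leaving FileNameInfo NULL.
       * Parsing is only attempted on success so a NULL pointer never reaches
       * FltParseFileNameInformation.
       */
      if (NT_SUCCESS(NameStatus)) {
          DPrint("ParseFileNameInfo: 0x%x\n", FltParseFileNameInformation(FileNameInfo));

          /* Drop the reference taken by FltGetFileNameInformation. */
          FltReleaseFileNameInformation(FileNameInfo);
          FileNameInfo = NULL;
      }

      DPrint("Hum..\n");

      return FLT_PREOP_SUCCESS_WITH_CALLBACK;
  }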