Created
November 30, 2022 12:08
minifilter InstanceSetup
| #include"minifilter.h" | |
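namespace minifilter {

namespace {

// Size, in WCHARs including the terminator, of the stack scratch buffers the
// logging below copies names into. Longer names are truncated in the log, never
// overrun (the original memcpy'd filter-manager-supplied lengths unbounded into
// a 256-byte char array).
constexpr ULONG kNameChars = 128;

// Pool tag for the Flt*Information buffers allocated here (shows as "mfIS" in
// pool tracking tools). The original used tagless ExAllocatePool, which is
// obsolete and makes leaks impossible to attribute.
constexpr ULONG kPoolTag = 'SIfm';

// Copies a counted (NOT NUL-terminated) WCHAR buffer into a zeroed,
// NUL-terminated destination so it can be logged with %ws. SrcBytes is a byte
// count and is clamped to what fits in Dst while leaving room for the
// terminator.
void CopyCountedName(PWCHAR Dst, ULONG DstChars, const void* Src,
                     ULONG SrcBytes) {
  RtlZeroMemory(Dst, DstChars * sizeof(WCHAR));
  if (DstChars == 0 || Src == nullptr) return;
  const ULONG MaxBytes = (DstChars - 1) * sizeof(WCHAR);
  memcpy(Dst, Src, SrcBytes > MaxBytes ? MaxBytes : SrcBytes);
}

// Logs the volume's device name and its DOS-device name.
void LogVolumeNames(PFLT_VOLUME Volume) {
  // Stack buffer instead of a pool allocation: the name is only needed for
  // the log line, and this removes an unchecked ExAllocatePool result.
  WCHAR VolumeNameBuf[kNameChars];
  UNICODE_STRING VolumeName;
  RtlInitEmptyUnicodeString(&VolumeName, VolumeNameBuf, sizeof(VolumeNameBuf));
  NTSTATUS Status = FltGetVolumeName(Volume, &VolumeName, NULL);
  if (NT_SUCCESS(Status))
    // %wZ consumes a PUNICODE_STRING (DbgPrint semantics); the original
    // passed the structure by value. Assumes dbg::print forwards to
    // DbgPrint/vDbgPrintEx-style formatting -- confirm in minifilter.h.
    dbg::print("[FltObjects->Volume]%wZ\n", &VolumeName);
  else
    dbg::print("[FltObjects->Volume] FltGetVolumeName %x\n", Status);

  // FltGetDiskDeviceObject returns a referenced device object that must be
  // dereferenced, and IoVolumeDeviceToDosName allocates DosName.Buffer from
  // pool that the caller must free. The original leaked both.
  PDEVICE_OBJECT DeviceObject = nullptr;
  Status = FltGetDiskDeviceObject(Volume, &DeviceObject);
  if (!NT_SUCCESS(Status)) {
    dbg::print("[DosName] FltGetDiskDeviceObject %x\n", Status);
    return;
  }
  UNICODE_STRING DosName{};
  Status = IoVolumeDeviceToDosName(DeviceObject, &DosName);
  if (NT_SUCCESS(Status)) {
    dbg::print("[DosName]%wZ\n", &DosName);
    ExFreePool(DosName.Buffer);  // allocated by IoVolumeDeviceToDosName
  } else {
    dbg::print("[DosName]%x\n", Status);
  }
  ObDereferenceObject(DeviceObject);
}

// Logs the name of this filter as registered with the filter manager.
void LogFilterName(PFLT_FILTER Filter) {
  ULONG SizeNeeded = 0;
  // A zero-length query reports the required size via STATUS_BUFFER_TOO_SMALL.
  // The original only NT_ASSERT'ed this, so a release build would have
  // allocated with an indeterminate size on any other status.
  NTSTATUS Status = FltGetFilterInformation(Filter, FilterFullInformation,
                                            nullptr, 0, &SizeNeeded);
  if (Status != STATUS_BUFFER_TOO_SMALL || SizeNeeded == 0) {
    dbg::print("[FltObjects->Filter] size query %x\n", Status);
    return;
  }
  // PAGED_CODE() in the caller guarantees PASSIVE_LEVEL, so paged pool is
  // sufficient for a buffer that lives only for this log line.
  auto Info = static_cast<PFILTER_FULL_INFORMATION>(
      ExAllocatePoolWithTag(PagedPool, SizeNeeded, kPoolTag));
  if (Info == nullptr) {
    dbg::print("[FltObjects->Filter] out of pool (%u bytes)\n", SizeNeeded);
    return;
  }
  ULONG BytesReturned = 0;
  Status = FltGetFilterInformation(Filter, FilterFullInformation, Info,
                                   SizeNeeded, &BytesReturned);
  if (!NT_SUCCESS(Status)) {
    dbg::print("[FltObjects->Filter] query %x\n", Status);
  } else if (FIELD_OFFSET(FILTER_FULL_INFORMATION, FilterNameBuffer) +
                 Info->FilterNameLength >
             SizeNeeded) {
    // Never read past our own allocation, whatever the length field says.
    dbg::print("[FltObjects->Filter] name length %u exceeds buffer\n",
               Info->FilterNameLength);
  } else {
    // FilterNameBuffer is counted (FilterNameLength is in bytes) and not
    // NUL-terminated, so it cannot be handed to %ws directly.
    WCHAR Name[kNameChars];
    CopyCountedName(Name, kNameChars, Info->FilterNameBuffer,
                    Info->FilterNameLength);
    dbg::print("[FltObjects->Filter]%ws\n", Name);
  }
  ExFreePoolWithTag(Info, kPoolTag);
}

// Logs the name of the instance that is being set up.
void LogInstanceName(PFLT_INSTANCE Instance) {
  ULONG SizeNeeded = 0;
  // The original never assigned this call's status and asserted on the stale
  // status left over from IoVolumeDeviceToDosName.
  NTSTATUS Status = FltGetInstanceInformation(
      Instance, InstanceBasicInformation, nullptr, 0, &SizeNeeded);
  if (Status != STATUS_BUFFER_TOO_SMALL || SizeNeeded == 0) {
    dbg::print("[FltObjects->Instance] size query %x\n", Status);
    return;
  }
  auto Info = static_cast<PINSTANCE_BASIC_INFORMATION>(
      ExAllocatePoolWithTag(PagedPool, SizeNeeded, kPoolTag));
  if (Info == nullptr) {
    dbg::print("[FltObjects->Instance] out of pool (%u bytes)\n", SizeNeeded);
    return;
  }
  ULONG BytesReturned = 0;
  Status = FltGetInstanceInformation(Instance, InstanceBasicInformation, Info,
                                     SizeNeeded, &BytesReturned);
  if (!NT_SUCCESS(Status)) {
    dbg::print("[FltObjects->Instance] query %x\n", Status);
  } else if (static_cast<ULONG>(Info->InstanceNameBufferOffset) +
                 Info->InstanceNameLength >
             SizeNeeded) {
    // Never read past our own allocation, whatever the offset/length say.
    dbg::print("[FltObjects->Instance] name at %u+%u exceeds buffer\n",
               Info->InstanceNameBufferOffset, Info->InstanceNameLength);
  } else {
    // The name sits at a byte offset from the start of the structure and is
    // counted (InstanceNameLength is in bytes), not NUL-terminated.
    WCHAR Name[kNameChars];
    CopyCountedName(Name, kNameChars,
                    reinterpret_cast<const char*>(Info) +
                        Info->InstanceNameBufferOffset,
                    Info->InstanceNameLength);
    dbg::print("[FltObjects->Instance]%ws\n", Name);
  }
  ExFreePoolWithTag(Info, kPoolTag);
}

}  // namespace

// InstanceSetup callback: the filter manager invokes it for every volume when
// the minifilter loads (and for volumes that appear later). This
// implementation is diagnostic only -- it logs what it is being attached to
// and always returns STATUS_SUCCESS, i.e. it attaches to every volume. To skip
// a volume, return STATUS_FLT_DO_NOT_ATTACH here.
//
// FltObjects->FileObject is logged only if present; in this callback it is
// normally NULL.
NTSTATUS InstanceSetup(_In_ PCFLT_RELATED_OBJECTS FltObjects,
                       _In_ FLT_INSTANCE_SETUP_FLAGS Flags,
                       _In_ DEVICE_TYPE VolumeDeviceType,
                       _In_ FLT_FILESYSTEM_TYPE VolumeFilesystemType) {
  PAGED_CODE();
  UNREFERENCED_PARAMETER(Flags);

  dbg::print("------------------Start-----------------\n");
  if (FltObjects->FileObject)
    // %wZ takes a pointer to the UNICODE_STRING (see LogVolumeNames).
    dbg::print("[FltObjects->FileObject]%wZ\n",
               &FltObjects->FileObject->FileName);
  else
    dbg::print("[FltObjects->FileObject] NULL\n");

  // NOTE(review): dbg::dbgbreak() comes from minifilter.h. If it is an
  // unconditional DbgBreakPoint, it will bugcheck a machine with no kernel
  // debugger attached -- guard it with KD_DEBUGGER_NOT_PRESENT or drop it
  // before shipping.
  dbg::dbgbreak();

  LogVolumeNames(FltObjects->Volume);
  LogFilterName(FltObjects->Filter);
  LogInstanceName(FltObjects->Instance);

  dbg::print("[VolumeDeviceType]%x\n", VolumeDeviceType);
  dbg::print("[VolumeFilesystemType]%x\n", VolumeFilesystemType);
  dbg::print("------------------End-----------------\n");
  return STATUS_SUCCESS;
}

}  // namespace minifilter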