note : Get FilePathName from FILE_OBJECT
发布日期:2021-06-30 22:03:53
封装了一个函数, 从 FILE_OBJECT 中得到 FilePathName (盘符 + RelatedFileObject 名称 + FileName 拼接而成).
在 WinXP SP3 下测试通过. 注意: 本函数依赖 FILE_OBJECT.FileName 与 RelatedFileObject->FileName, 这两个字段一般只在创建请求 (IRP_MJ_CREATE) 处理期间有保证, 在其他分派例程中读到的内容不一定可靠; 若要基于路径做安全判定, 应优先使用 IoQueryFileDosDeviceName 或 FltGetFileNameInformation 这类受支持的接口.
函数定义
/* Best-effort probe (MmIsAddressValid inside __try) that a UNICODE_STRING
 * descriptor and its Length bytes are mapped at the moment of the call.
 * NULL, a NULL Buffer and a zero Length all yield FALSE. */
BOOLEAN IsValidUnicodeString(PUNICODE_STRING pstr);
/* Builds "<drive>:\<RelatedFileObject name>\<FileName>" for pFileObj into the
 * caller-provided puniFilePathName (Buffer and MaximumLength must already be
 * set). Returns TRUE when at least one of the two name parts was usable. */
BOOLEAN GetFilePathNameFromFileObject( FILE_OBJECT * pFileObj, UNICODE_STRING * puniFilePathName);
函数实现
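/*
 * Append one path component to dst, inserting sep first unless the component
 * already begins with a separator. A component whose first WCHAR is L'\0' is
 * appended without a separator, exactly as the original code did (the I/O
 * manager can hand out a valid-looking buffer that is not a visible string).
 *
 * Returns FALSE when RtlUnicodeStringCat reports that the result does not fit
 * in dst; the caller must then treat the output as unusable rather than as a
 * shorter-but-valid path.
 */
static BOOLEAN AppendPathPart(UNICODE_STRING *dst, const UNICODE_STRING *part, const UNICODE_STRING *sep)
{
    if ((L'\\' != part->Buffer[0]) && (L'\0' != part->Buffer[0])) {
        if (!NT_SUCCESS(RtlUnicodeStringCat(dst, sep)))
            return FALSE;
    }
    if (!NT_SUCCESS(RtlUnicodeStringCat(dst, part)))
        return FALSE;
    return TRUE;
}

/*
 * Build the DOS path of pFileObj ("<drive>:\<related name>\<FileName>") into
 * puniFilePathName.
 *
 * puniFilePathName: caller-initialized UNICODE_STRING whose Buffer points at a
 *     writable block of MaximumLength bytes (the caller in this article uses a
 *     MAX_PATH WCHAR array). The buffer is zero-filled first; Length is set on
 *     success.
 *
 * Returns TRUE only when at least one of RelatedFileObject->FileName and
 * FileName was a usable string AND the complete path fit in the buffer.
 * Returns FALSE for NULL arguments, an output string without a buffer, a
 * failed IoVolumeDeviceToDosName, or a concatenation that overflowed, so a
 * caller that makes decisions on the path never sees a silently truncated one.
 *
 * NOTE(review), not established by this code but by the API documentation:
 *  - FILE_OBJECT.FileName / RelatedFileObject are meaningful for the create
 *    request; reading them from other dispatch paths is not reliable.
 *  - IoVolumeDeviceToDosName is a PASSIVE_LEVEL routine.
 *  - The result can contain 8.3 short names (see the sample output in this
 *    article), so path comparisons for policy must normalize both forms.
 */
BOOLEAN GetFilePathNameFromFileObject( FILE_OBJECT * pFileObj, UNICODE_STRING * puniFilePathName)
{
    BOOLEAN bValidFN_FileObj = FALSE;
    BOOLEAN bValidFN_RelatedFileObj = FALSE;
    PFILE_OBJECT pRelatedFileObject = NULL;
    UNICODE_STRING ustrTmp;   /* DOS drive name, allocated by IoVolumeDeviceToDosName */
    UNICODE_STRING ustrLink;  /* path separator L"\\" */

    if ((NULL == pFileObj) || (NULL == puniFilePathName))
        return FALSE;
    /* Without a real buffer the zero-fill below would write through NULL. */
    if ((NULL == puniFilePathName->Buffer) || (0 == puniFilePathName->MaximumLength))
        return FALSE;

    RtlInitUnicodeString(&ustrTmp, NULL);
    RtlInitUnicodeString(&ustrLink, L"\\");
    RtlZeroMemory(puniFilePathName->Buffer, puniFilePathName->MaximumLength);
    puniFilePathName->Length = 0;

    /* RelatedFileObject is NULL for an absolute open; the original code took
     * &NULL->FileName and relied on MmIsAddressValid to reject that address. */
    pRelatedFileObject = pFileObj->RelatedFileObject;
    bValidFN_FileObj = IsValidUnicodeString(&pFileObj->FileName);
    if (NULL != pRelatedFileObject)
        bValidFN_RelatedFileObj = IsValidUnicodeString(&pRelatedFileObject->FileName);

    /* Drive letter, e.g. "C:". A failure here used to produce a drive-less
     * string that still looked like a path; report it as an error instead. */
    if (!NT_SUCCESS(IoVolumeDeviceToDosName(pFileObj->DeviceObject, &ustrTmp)))
        return FALSE;
    /* RtlCopyUnicodeString truncates silently, so bound-check it ourselves. */
    if (ustrTmp.Length > puniFilePathName->MaximumLength) {
        RtlFreeUnicodeString(&ustrTmp);
        return FALSE;
    }
    RtlCopyUnicodeString(puniFilePathName, &ustrTmp);
    RtlFreeUnicodeString(&ustrTmp);  /* the DOS name is a heap string we own */

    /* Relative directory part. It may be absent, in which case
     * pFileObj->FileName already holds the whole volume-relative path. */
    if (bValidFN_RelatedFileObj) {
        if (!AppendPathPart(puniFilePathName, &pRelatedFileObject->FileName, &ustrLink))
            return FALSE;
    }
    /* File name, possibly itself a volume-relative path such as
     * "\Windows\System\xx.yyy". */
    if (bValidFN_FileObj) {
        if (!AppendPathPart(puniFilePathName, &pFileObj->FileName, &ustrLink))
            return FALSE;
    }
    return (bValidFN_FileObj || bValidFN_RelatedFileObj);
}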
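/*
 * Best-effort sanity check of a UNICODE_STRING before it is read.
 *
 * Returns TRUE when the descriptor itself and every page covered by its
 * Length bytes (plus the final byte) are mapped at the moment of the call.
 * A NULL pstr, a NULL Buffer or a zero Length returns FALSE. Only the first
 * Length bytes are probed, not MaximumLength.
 *
 * The original probed every single byte with MmIsAddressValid; validity is a
 * per-page property, so one probe per page plus the last byte gives the same
 * answer with far fewer calls.
 *
 * NOTE(review): MmIsAddressValid only answers for the instant it is asked; a
 * pageable buffer can be paged out between this check and the read. The
 * __try/__except here (and in any caller) is the real safety net — treat this
 * routine as an early reject, never as a guarantee.
 */
BOOLEAN IsValidUnicodeString(PUNICODE_STRING pstr)
{
    BOOLEAN bRc = FALSE;
    ULONG ulIndex = 0;

    __try {
        if (!MmIsAddressValid(pstr))
            return FALSE;
        if ((NULL == pstr->Buffer) || (0 == pstr->Length))
            return FALSE;
        /* One probe per page touched by the buffer ... */
        for (ulIndex = 0; ulIndex < pstr->Length; ulIndex += PAGE_SIZE) {
            if (!MmIsAddressValid((UCHAR *)pstr->Buffer + ulIndex))
                return FALSE;
        }
        /* ... and the last byte, which may sit on a page the stride skipped. */
        if (!MmIsAddressValid((UCHAR *)pstr->Buffer + pstr->Length - 1))
            return FALSE;
        bRc = TRUE;
    } __except (EXCEPTION_EXECUTE_HANDLER) {
        bRc = FALSE;
    }
    return bRc;
}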
在分派例程中得到 FILE_OBJECT 方法
/* In a dispatch routine the FILE_OBJECT for the request is carried by the
 * current I/O stack location of the IRP. */
pIoStack = IoGetCurrentIrpStackLocation(pIrp);
/* Not guaranteed non-NULL; GetFilePathNameFromFileObject rejects NULL. */
pFileObject = pIoStack->FileObject;
入参的准备
/* Output buffer for GetFilePathNameFromFileObject: a MAX_PATH WCHAR array
 * described by a UNICODE_STRING. The helper zero-fills Buffer up to
 * MaximumLength and appends into it, so MaximumLength must cover the whole
 * array rather than the small value RtlInitUnicodeString would derive from an
 * empty string; set the three fields directly.
 * NOTE(review): a path that does not fit in MAX_PATH WCHARs cannot be
 * represented in this buffer — size it for the longest path you expect. */
WCHAR cFilePathNameW[MAX_PATH];
UNICODE_STRING unistrFilePathName;
RtlZeroMemory(cFilePathNameW, sizeof(cFilePathNameW));
unistrFilePathName.Buffer = cFilePathNameW;
unistrFilePathName.Length = 0;
unistrFilePathName.MaximumLength = sizeof(cFilePathNameW);
效果图 (注意输出中既有长文件名, 也有 C:\DOCUME~1\ADMINI~1\ 这类 8.3 短文件名, 二者指向同一路径; 基于路径做策略判断时必须把两种形式归一化后再比较)
DisPatchDeviceControl IOCTL 0x22e000cFilePathName[0] = C:\ cFilePathName[1] = C:\Documents and Settings\All Users\Application Data\VMware cFilePathName[2] = C:\Documents and Settings\All Users\Application Data\VMware\VMware Tools cFilePathName[3] = C:\Documents and Settings\All Users\Application Data\VMware\VMware Tools\ cFilePathName[4] = C:\WINDOWS\system32\Msimtf.dll cFilePathName[5] = C:\WINDOWS\system32\NOTEPAD.EXE cFilePathName[6] = C:\WINDOWS\AppPatch\sysmain.sdb cFilePathName[7] = C:\WINDOWS\AppPatch\systest.sdb cFilePathName[8] = C:\WINDOWS\system32\ cFilePathName[9] = C:\WINDOWS\ cFilePathName[10] = C:\WINDOWS\system32\NOTEPAD.EXE.Manifest cFilePathName[11] = C:\WINDOWS\system32\NOTEPAD.EXE.Config cFilePathName[12] = C:\WINDOWS\WinSxS\Policies\x86_Policy.6.0.Microsoft.Windows.Common-Controls_6595b64144ccf1df_zh-CN_f3ffe327\ cFilePathName[13] = C:\WINDOWS\Assembly\GAC\Policy.6.0.Microsoft.Windows.Common-Controls\ cFilePathName[14] = C:\WINDOWS\WinSxS\Policies\x86_Policy.6.0.Microsoft.Windows.Common-Controls_6595b64144ccf1df_zh-CHS_6bff526c\ cFilePathName[15] = C:\WINDOWS\WinSxS\Policies\x86_Policy.6.0.Microsoft.Windows.Common-Controls_6595b64144ccf1df_x-ww_5ddad775\ cFilePathName[16] = C:\WINDOWS\WinSxS\Policies\x86_Policy.6.0.Microsoft.Windows.Common-Controls_6595b64144ccf1df_x-ww_5ddad775\6.0.2600.5512.Policy cFilePathName[17] = C:\WINDOWS\WinSxS\Policies\x86_Policy.6.0.Microsoft.Windows.Common-Controls.mui_6595b64144ccf1df_zh-CN_b45a2b14\ cFilePathName[18] = C:\WINDOWS\Assembly\GAC\Policy.6.0.Microsoft.Windows.Common-Controls.mui\ cFilePathName[19] = C:\WINDOWS\WinSxS\Policies\x86_Policy.6.0.Microsoft.Windows.Common-Controls.mui_6595b64144ccf1df_zh-CHS_2c599a59\ cFilePathName[20] = C:\WINDOWS\WinSxS\Manifests\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.5512_x-ww_35d4ce83.Manifest cFilePathName[21] = C:\WINDOWS\Prefetch\NOTEPAD.EXE-336351A9.pf cFilePathName[22] = C:\Documents and Settings\Administrator\ cFilePathName[23] = 
C:\Documents and Settings\Administrator\桌面\ cFilePathName[24] = C:\DOCUME~1\ cFilePathName[25] = C:\DOCUME~1\ADMINI~1\ cFilePathName[26] = C:\DOCUME~1\ADMINI~1\LOCALS~1\ cFilePathName[27] = C:\Documents and Settings\Administrator\桌面\abc.txt cFilePathName[28] = C:\Documents and Settings\Administrator\桌面 cFilePathName[29] = C:\SYSTEM VOLUME INFORMATION\ cFilePathName[30] = C:\Documents and Settings\Administrator\Recent\ cFilePathName[31] = C:\Documents and Settings\Administrator\Recent\abc.txt.lnk cFilePathName[32] = C:\SYSTEM VOLUME INFORMATION\_RESTORE{288FCF24-DDBA-4A0A-98C0-50E279B93ECC}\ cFilePathName[33] = C:\SYSTEM VOLUME INFORMATION\_RESTORE{288FCF24-DDBA-4A0A-98C0-50E279B93ECC}\RP4\ cFilePathName[34] = C:\WINDOWS\APPPATCH\ cFilePathName[35] = C:\WINDOWS\WINSXS\ cFilePathName[36] = C:\WINDOWS\WINSXS\X86_MICROSOFT.WINDOWS.COMMON-CONTROLS_6595B64144CCF1DF_6.0.2600.5512_X-WW_35D4CE83\ cFilePathName[37] = C:\WINDOWS\SYSTEM32\NTDLL.DLL cFilePathName[38] = C:\WINDOWS\SYSTEM32\KERNEL32.DLL cFilePathName[39] = C:\WINDOWS\SYSTEM32\UNICODE.NLS cFilePathName[40] = C:\WINDOWS\SYSTEM32\LOCALE.NLS cFilePathName[41] = C:\WINDOWS\SYSTEM32\SORTTBLS.NLS cFilePathName[42] = C:\WINDOWS\SYSTEM32\COMDLG32.DLL cFilePathName[43] = C:\WINDOWS\SYSTEM32\ADVAPI32.DLL cFilePathName[44] = C:\WINDOWS\SYSTEM32\RPCRT4.DLL cFilePathName[45] = C:\WINDOWS\SYSTEM32\SECUR32.DLL cFilePathName[46] = C:\WINDOWS\WINSXS\X86_MICROSOFT.WINDOWS.COMMON-CONTROLS_6595B64144CCF1DF_6.0.2600.5512_X-WW_35D4CE83\COMCTL32.DLL cFilePathName[47] = C:\WINDOWS\SYSTEM32\MSVCRT.DLL cFilePathName[48] = C:\WINDOWS\SYSTEM32\GDI32.DLL cFilePathName[49] = C:\WINDOWS\SYSTEM32\USER32.DLL cFilePathName[50] = C:\WINDOWS\SYSTEM32\SHLWAPI.DLL cFilePathName[51] = C:\WINDOWS\SYSTEM32\SHELL32.DLL cFilePathName[52] = C:\WINDOWS\SYSTEM32\WINSPOOL.DRV cFilePathName[53] = C:\WINDOWS\SYSTEM32\SHIMENG.DLL cFilePathName[54] = C:\WINDOWS\APPPATCH\ACGENRAL.DLL cFilePathName[55] = C:\WINDOWS\SYSTEM32\WINMM.DLL cFilePathName[56] = 
C:\WINDOWS\SYSTEM32\OLE32.DLL cFilePathName[57] = C:\WINDOWS\SYSTEM32\OLEAUT32.DLL cFilePathName[58] = C:\WINDOWS\SYSTEM32\MSACM32.DLL cFilePathName[59] = C:\WINDOWS\SYSTEM32\VERSION.DLL cFilePathName[60] = C:\WINDOWS\SYSTEM32\USERENV.DLL cFilePathName[61] = C:\WINDOWS\SYSTEM32\UXTHEME.DLL cFilePathName[62] = C:\WINDOWS\SYSTEM32\CTYPE.NLS cFilePathName[63] = C:\WINDOWS\SYSTEM32\IMM32.DLL cFilePathName[64] = C:\WINDOWS\SYSTEM32\LPK.DLL cFilePathName[65] = C:\WINDOWS\SYSTEM32\USP10.DLL cFilePathName[66] = C:\WINDOWS\WINDOWSSHELL.MANIFEST cFilePathName[67] = C:\WINDOWS\SYSTEM32\MSCTF.DLL cFilePathName[68] = C:\WINDOWS\SYSTEM32\MSCTFIME.IME cFilePathName[69] = C:\SYSTEM VOLUME INFORMATION\_RESTORE{288FCF24-DDBA-4A0A-98C0-50E279B93ECC}\RP4\CHANGE.LOG cFilePathName[70] = C:\BOOT.INI cFilePathName[71] = C:\WINDOWS\SYSTEM32\WIN32K.SYS cFilePathName[72] = C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.5512_x-ww_35d4ce83 cFilePathName[73] = C:\Documents and Settings\ cFilePathName[74] = C:\Documents and Settings\Administrator\Local Settings\ cFilePathName[75] = C:\Documents and Settings\Administrator\Local Settings\History\desktop.ini cFilePathName[76] = C:\WINDOWS\WindowsShell.Config cFilePathName[77] = C:\WINDOWS\system32\SHELL32.dll.124.Manifest cFilePathName[78] = C:\WINDOWS\system32\SHELL32.dll.124.Config cFilePathName[79] = C:\WINDOWS\Prefetch\ cFilePathName[80] = C:\WINDOWS\system32\0804\ cFilePathName[81] = C:\WINDOWS\MUI\Fallback\0804\ cFilePathName[82] = C:\WINDOWS\system32\DRIVERS\MUI\0804\ cFilePathName[83] = C:\WINDOWS\system32\DRIVERS\ACPI.sys cFilePathName[84] = C:\WINDOWS\system32\DRIVERS\mssmbios.sys cFilePathName[85] = C:\WINDOWS\system32\DRIVERS\intelppm.sys cFilePathName[86] = C:\WINDOWS\system32\DRIVERS\ipnat.sys cFilePathName[87] = C:\WINDOWS\System32\Drivers\HTTP.sys cFilePathName[88] = C:\WINDOWS\system32\WBEM\Logs\wmiprov.log cFilePathName[89] = C:\WINDOWS\SoftwareDistribution\DataStore\ cFilePathName[90] = 
C:\WINDOWS\SoftwareDistribution\DataStore\DataStore.edb cFilePathName[91] = C:\WINDOWS\SoftwareDistribution\DataStore\DataStore.edb\ cFilePathName[92] = C:\WINDOWS\SoftwareDistribution\DataStore cFilePathName[93] = C:\WINDOWS\SoftwareDistribution cFilePathName[94] = C:\WINDOWS\SoftwareDistribution\ cFilePathName[95] = C:\WINDOWS cFilePathName[96] = C:\WINDOWS\SoftwareDistribution\DataStore\Logs\edb.chk cFilePathName[97] = C:\WINDOWS\SoftwareDistribution\DataStore\Logs\edb.chk\ cFilePathName[98] = C:\WINDOWS\SoftwareDistribution\DataStore\Logs cFilePathName[99] = C:\WINDOWS\system32\xpsp2res.dll
参考
http://bbs.pediy.com/showthread.php?t=60777