minifilter InstanceSetup函数测试
#include"minifilter.h"
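namespace minifilter {

namespace {

// Size in bytes of every scratch name buffer used by the diagnostics below
// (pool buffer for FltGetVolumeName, stack buffers for the counted names).
constexpr ULONG kNameBufferBytes = 256;

// Copies a counted, NOT null-terminated UTF-16 name (FilterNameBuffer and the
// instance name are delivered that way, so they cannot be printed directly)
// into `dest`, which holds `destBytes` bytes and must already be zeroed.
// The copy is truncated so that at least one zero WCHAR terminator survives;
// the original unbounded memcpy could overrun a 256-byte stack buffer when a
// filter or instance name was longer than that.
void CopyCountedName(WCHAR* dest, size_t destBytes, const void* src,
                     ULONG srcBytes) {
  size_t copyBytes = srcBytes;
  const size_t maxBytes = destBytes - sizeof(WCHAR);
  if (copyBytes > maxBytes) {
    copyBytes = maxBytes;
  }
  memcpy(dest, src, copyBytes);
}

// Prints the volume name returned by FltGetVolumeName, or the failure status.
// The UNICODE_STRING buffer is caller-owned here, so it is allocated and freed
// in this function; MaximumLength is in bytes.
void PrintVolumeName(PFLT_VOLUME volume) {
  UNICODE_STRING volumeName{};
  // TODO(review): ExAllocatePool is deprecated; prefer a tagged allocation.
  volumeName.Buffer = (PWCHAR)ExAllocatePool(NonPagedPool, kNameBufferBytes);
  if (volumeName.Buffer == nullptr) {
    dbg::print("[FltObjects->Volume] allocation failed\n");
    return;
  }
  volumeName.Length = 0;
  volumeName.MaximumLength = kNameBufferBytes - sizeof(WCHAR);

  const NTSTATUS status = FltGetVolumeName(volume, &volumeName, NULL);
  if (NT_SUCCESS(status)) {
    // NOTE(review): %wZ expects a PUNICODE_STRING when passed straight to
    // DbgPrint; the struct is passed by value here exactly as the original
    // did — confirm dbg::print takes the address, otherwise pass &volumeName.
    dbg::print("[FltObjects->Volume]%wZ\n", volumeName);
  } else {
    dbg::print("[FltObjects->Volume]%x\n", status);
  }
  ExFreePool(volumeName.Buffer);
}

// Prints the DOS name (e.g. drive letter) of the volume's disk device.
void PrintDosName(PFLT_VOLUME volume) {
  PDEVICE_OBJECT deviceObject = nullptr;
  // Kept from the original probe; breaks into the kernel debugger before the
  // disk device lookup. With no debugger attached this is a bugcheck, so it is
  // only appropriate for a debug-box build.
  dbg::dbgbreak();

  NTSTATUS status = FltGetDiskDeviceObject(volume, &deviceObject);
  if (!NT_SUCCESS(status)) {
    dbg::print("[DosName]%x\n", status);
    return;
  }

  UNICODE_STRING dosName{};
  status = IoVolumeDeviceToDosName(deviceObject, &dosName);
  if (NT_SUCCESS(status)) {
    // NOTE(review): see PrintVolumeName about %wZ and by-value passing.
    dbg::print("[DosName]%wZ\n", dosName);
    // IoVolumeDeviceToDosName allocates dosName.Buffer on the caller's behalf;
    // the original never released it (leak on every attach).
    ExFreePool(dosName.Buffer);
  } else {
    dbg::print("[DosName]%x\n", status);
  }
  // FltGetDiskDeviceObject returns a referenced device object; drop the
  // reference the original leaked.
  ObDereferenceObject(deviceObject);
}

// Prints the filter's own name using the two-call (size query, then fetch)
// FltGetFilterInformation protocol. Pattern reference:
// https://github.com/189569400/adversary_emulation_library/blob/997419bb0b8cd61ba69086a35a91a3d073d41d05/wizard_spider/Resources/Mimikatz/mimikatz/mimidrv/kkll_m_filters.c
void PrintFilterName(PFLT_FILTER filter) {
  ULONG bytesNeeded = 0;
  NTSTATUS status = FltGetFilterInformation(filter, FilterFullInformation, NULL,
                                            0, &bytesNeeded);
  // The original only NT_ASSERTed here, which compiles out in release builds
  // and would leave bytesNeeded uninitialised on any other status.
  if (status != STATUS_BUFFER_TOO_SMALL || bytesNeeded == 0) {
    dbg::print("[FltObjects->Filter]%x\n", status);
    return;
  }

  PFILTER_FULL_INFORMATION info =
      (PFILTER_FULL_INFORMATION)ExAllocatePool(NonPagedPool, bytesNeeded);
  if (info == nullptr) {
    dbg::print("[FltObjects->Filter] allocation failed\n");
    return;
  }

  status = FltGetFilterInformation(filter, FilterFullInformation, info,
                                   bytesNeeded, &bytesNeeded);
  if (NT_SUCCESS(status)) {
    WCHAR name[kNameBufferBytes / sizeof(WCHAR)]{};
    CopyCountedName(name, sizeof(name), info->FilterNameBuffer,
                    info->FilterNameLength);
    dbg::print("[FltObjects->Filter]%ws\n", name);
  } else {
    dbg::print("[FltObjects->Filter]%x\n", status);
  }
  ExFreePool(info);
}

// Prints the instance name using the same two-call protocol as
// PrintFilterName, via FltGetInstanceInformation.
void PrintInstanceName(PFLT_INSTANCE instance) {
  ULONG bytesNeeded = 0;
  // The original discarded this return value and then asserted on the stale
  // Status from the previous call.
  NTSTATUS status = FltGetInstanceInformation(
      instance, InstanceBasicInformation, NULL, 0, &bytesNeeded);
  if (status != STATUS_BUFFER_TOO_SMALL || bytesNeeded == 0) {
    dbg::print("[FltObjects->Instance]%x\n", status);
    return;
  }

  PINSTANCE_BASIC_INFORMATION info =
      (PINSTANCE_BASIC_INFORMATION)ExAllocatePool(NonPagedPool, bytesNeeded);
  if (info == nullptr) {
    dbg::print("[FltObjects->Instance] allocation failed\n");
    return;
  }

  status = FltGetInstanceInformation(instance, InstanceBasicInformation, info,
                                     bytesNeeded, &bytesNeeded);
  if (NT_SUCCESS(status)) {
    WCHAR name[kNameBufferBytes / sizeof(WCHAR)]{};
    // The instance name lives at a byte offset inside the returned buffer.
    CopyCountedName(name, sizeof(name),
                    (const char*)info + info->InstanceNameBufferOffset,
                    info->InstanceNameLength);
    dbg::print("[FltObjects->Instance]%ws\n", name);
  } else {
    dbg::print("[FltObjects->Instance]%x\n", status);
  }
  ExFreePool(info);
}

}  // namespace

// Instance-setup callback: the Filter Manager calls this once per volume when
// the minifilter loads (it attaches to every volume). This build is a
// diagnostic probe that prints the file object, volume name, DOS name, filter
// name and instance name of the new attachment, then accepts it.
//
// Parameters follow the PFLT_INSTANCE_SETUP_CALLBACK contract:
//   FltObjects           - filter / volume / instance / file object in play
//   Flags                - attach flags (not used by this probe)
//   VolumeDeviceType     - device type of the volume (printed only)
//   VolumeFilesystemType - file system type of the volume (printed only)
//
// Returns STATUS_SUCCESS so the instance attaches; a diagnostic that fails is
// reported and skipped rather than vetoing the attachment.
NTSTATUS InstanceSetup(_In_ PCFLT_RELATED_OBJECTS FltObjects,
                       _In_ FLT_INSTANCE_SETUP_FLAGS Flags,
                       _In_ DEVICE_TYPE VolumeDeviceType,
                       _In_ FLT_FILESYSTEM_TYPE VolumeFilesystemType) {
  PAGED_CODE();

  dbg::print("------------------Start-----------------\n");

  if (FltObjects->FileObject) {
    dbg::print("[FltObjects->FileObject]%wZ\n",
               FltObjects->FileObject->FileName);
  } else {
    dbg::print("[FltObjects->FileObject] NULL\n");
  }

  PrintVolumeName(FltObjects->Volume);
  PrintDosName(FltObjects->Volume);
  PrintFilterName(FltObjects->Filter);
  PrintInstanceName(FltObjects->Instance);

  dbg::print("[VolumeDeviceType]%x\n", VolumeDeviceType);
  dbg::print("[VolumeFilesystemType]%x\n", VolumeFilesystemType);
  dbg::print("------------------End-----------------\n");
  return STATUS_SUCCESS;
}

}  // namespace minifilter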