windows内核HarddiskVolumeX路径转Dos路径
/*++
1: kd> dt _FLT_VOLUME FFFFAC07058A8010
FLTMGR!_FLT_VOLUME
+0x000 Base : _FLT_OBJECT
+0x030 Flags : 0x1e5 (No matching name)
+0x034 FileSystemType : d ( FLT_FSTYPE_MUP )
+0x038 DeviceObject : 0xffffac07`05978860 _DEVICE_OBJECT
+0x040 DiskDeviceObject : (null)
+0x048 FrameZeroVolume : 0xffffac07`058a8010 _FLT_VOLUME
+0x050 VolumeInNextFrame : (null)
+0x058 Frame : 0xffffac07`059c3470 _FLTP_FRAME
+0x060 DeviceName : _UNICODE_STRING "\Device\Mup"
+0x070 GuidName : _UNICODE_STRING ""
+0x080 CDODeviceName : _UNICODE_STRING "\Device\Mup"
+0x090 CDODriverName : _UNICODE_STRING "\FileSystem\Mup"
+0x0a0 InstanceList : _FLT_RESOURCE_LIST_HEAD
+0x120 Callbacks : _CALLBACK_CTRL
+0x508 ContextLock : _EX_PUSH_LOCK
+0x510 VolumeContexts : _CONTEXT_LIST_CTRL
+0x518 StreamListCtrls : _FLT_RESOURCE_LIST_HEAD
+0x598 FileListCtrls : _FLT_RESOURCE_LIST_HEAD
+0x618 NameCacheCtrl : _NAME_CACHE_VOLUME_CTRL
+0x6d0 MountNotifyLock : _ERESOURCE
+0x738 TargetedOpenActiveCount : 0n0
+0x740 TxVolContextListLock : _EX_PUSH_LOCK
+0x748 TxVolContexts : _TREE_ROOT
+0x750 SupportedFeatures : 0n0
1: kd> dt _FLT_VOLUME FFFFAC07058CA4B0
FLTMGR!_FLT_VOLUME
+0x000 Base : _FLT_OBJECT
+0x030 Flags : 0x164 (No matching name)
+0x034 FileSystemType : 2 ( FLT_FSTYPE_NTFS )
+0x038 DeviceObject : 0xffffac07`05875d40 _DEVICE_OBJECT
+0x040 DiskDeviceObject : 0xffffac07`05950880 _DEVICE_OBJECT
+0x048 FrameZeroVolume : 0xffffac07`058ca4b0 _FLT_VOLUME
+0x050 VolumeInNextFrame : (null)
+0x058 Frame : 0xffffac07`059c3470 _FLTP_FRAME
+0x060 DeviceName : _UNICODE_STRING "\Device\HarddiskVolume3"
+0x070 GuidName : _UNICODE_STRING "\??\Volume{6aa4f23d-c98e-4b92-ae3a-78d133289142}"
+0x080 CDODeviceName : _UNICODE_STRING "\Ntfs"
+0x090 CDODriverName : _UNICODE_STRING "\FileSystem\Ntfs"
+0x0a0 InstanceList : _FLT_RESOURCE_LIST_HEAD
+0x120 Callbacks : _CALLBACK_CTRL
+0x508 ContextLock : _EX_PUSH_LOCK
+0x510 VolumeContexts : _CONTEXT_LIST_CTRL
+0x518 StreamListCtrls : _FLT_RESOURCE_LIST_HEAD
+0x598 FileListCtrls : _FLT_RESOURCE_LIST_HEAD
+0x618 NameCacheCtrl : _NAME_CACHE_VOLUME_CTRL
+0x6d0 MountNotifyLock : _ERESOURCE
+0x738 TargetedOpenActiveCount : 0n767
+0x740 TxVolContextListLock : _EX_PUSH_LOCK
+0x748 TxVolContexts : _TREE_ROOT
+0x750 SupportedFeatures : 0n7
1: kd> dt _FLT_VOLUME FFFFAC0705BB9270
FLTMGR!_FLT_VOLUME
+0x000 Base : _FLT_OBJECT
+0x030 Flags : 0x64 (No matching name)
+0x034 FileSystemType : 19 ( FLT_FSTYPE_NPFS )
+0x038 DeviceObject : 0xffffac07`05bb9040 _DEVICE_OBJECT
+0x040 DiskDeviceObject : (null)
+0x048 FrameZeroVolume : 0xffffac07`05bb9270 _FLT_VOLUME
+0x050 VolumeInNextFrame : (null)
+0x058 Frame : 0xffffac07`059c3470 _FLTP_FRAME
+0x060 DeviceName : _UNICODE_STRING "\Device\NamedPipe"
+0x070 GuidName : _UNICODE_STRING ""
+0x080 CDODeviceName : _UNICODE_STRING "\Device\NamedPipe"
+0x090 CDODriverName : _UNICODE_STRING "\FileSystem\Npfs"
+0x0a0 InstanceList : _FLT_RESOURCE_LIST_HEAD
+0x120 Callbacks : _CALLBACK_CTRL
+0x508 ContextLock : _EX_PUSH_LOCK
+0x510 VolumeContexts : _CONTEXT_LIST_CTRL
+0x518 StreamListCtrls : _FLT_RESOURCE_LIST_HEAD
+0x598 FileListCtrls : _FLT_RESOURCE_LIST_HEAD
+0x618 NameCacheCtrl : _NAME_CACHE_VOLUME_CTRL
+0x6d0 MountNotifyLock : _ERESOURCE
+0x738 TargetedOpenActiveCount : 0n0
+0x740 TxVolContextListLock : _EX_PUSH_LOCK
+0x748 TxVolContexts : _TREE_ROOT
+0x750 SupportedFeatures : 0n0
1: kd> dt _FLT_VOLUME FFFFAC0705BBA270
FLTMGR!_FLT_VOLUME
+0x000 Base : _FLT_OBJECT
+0x030 Flags : 0x24 (No matching name)
+0x034 FileSystemType : 1a ( FLT_FSTYPE_MSFS )
+0x038 DeviceObject : 0xffffac07`05bba040 _DEVICE_OBJECT
+0x040 DiskDeviceObject : (null)
+0x048 FrameZeroVolume : 0xffffac07`05bba270 _FLT_VOLUME
+0x050 VolumeInNextFrame : (null)
+0x058 Frame : 0xffffac07`059c3470 _FLTP_FRAME
+0x060 DeviceName : _UNICODE_STRING "\Device\Mailslot"
+0x070 GuidName : _UNICODE_STRING ""
+0x080 CDODeviceName : _UNICODE_STRING "\Device\Mailslot"
+0x090 CDODriverName : _UNICODE_STRING "\FileSystem\Msfs"
+0x0a0 InstanceList : _FLT_RESOURCE_LIST_HEAD
+0x120 Callbacks : _CALLBACK_CTRL
+0x508 ContextLock : _EX_PUSH_LOCK
+0x510 VolumeContexts : _CONTEXT_LIST_CTRL
+0x518 StreamListCtrls : _FLT_RESOURCE_LIST_HEAD
+0x598 FileListCtrls : _FLT_RESOURCE_LIST_HEAD
+0x618 NameCacheCtrl : _NAME_CACHE_VOLUME_CTRL
+0x6d0 MountNotifyLock : _ERESOURCE
+0x738 TargetedOpenActiveCount : 0n0
+0x740 TxVolContextListLock : _EX_PUSH_LOCK
+0x748 TxVolContexts : _TREE_ROOT
+0x750 SupportedFeatures : 0n0
1: kd> dt _FLT_VOLUME FFFFAC0705BBB010
FLTMGR!_FLT_VOLUME
+0x000 Base : _FLT_OBJECT
+0x030 Flags : 0x1e4 (No matching name)
+0x034 FileSystemType : 3 ( FLT_FSTYPE_FAT )
+0x038 DeviceObject : 0xffffac07`05bbad70 _DEVICE_OBJECT
+0x040 DiskDeviceObject : 0xffffac07`0597ac40 _DEVICE_OBJECT
+0x048 FrameZeroVolume : 0xffffac07`05bbb010 _FLT_VOLUME
+0x050 VolumeInNextFrame : (null)
+0x058 Frame : 0xffffac07`059c3470 _FLTP_FRAME
+0x060 DeviceName : _UNICODE_STRING "\Device\HarddiskVolume1"
+0x070 GuidName : _UNICODE_STRING "\??\Volume{dcc99da2-d075-4574-bdc3-2f0f0102f7b3}"
+0x080 CDODeviceName : _UNICODE_STRING "\Fat"
+0x090 CDODriverName : _UNICODE_STRING "\FileSystem\fastfat"
+0x0a0 InstanceList : _FLT_RESOURCE_LIST_HEAD
+0x120 Callbacks : _CALLBACK_CTRL
+0x508 ContextLock : _EX_PUSH_LOCK
+0x510 VolumeContexts : _CONTEXT_LIST_CTRL
+0x518 StreamListCtrls : _FLT_RESOURCE_LIST_HEAD
+0x598 FileListCtrls : _FLT_RESOURCE_LIST_HEAD
+0x618 NameCacheCtrl : _NAME_CACHE_VOLUME_CTRL
+0x6d0 MountNotifyLock : _ERESOURCE
+0x738 TargetedOpenActiveCount : 0n0
+0x740 TxVolContextListLock : _EX_PUSH_LOCK
+0x748 TxVolContexts : _TREE_ROOT
+0x750 SupportedFeatures : 0n0
--*/
#include"minifilter.h"
// Filter handle filled in by FltRegisterFilter in DriverEntry. It is also
// what the volume enumeration passes to FltEnumerateVolumes and what the
// failure paths hand to FltUnregisterFilter.
PFLT_FILTER gFilterHandle;
//
// Filter manager's internal _FLT_OBJECT header (the "N elements, 0xNN bytes"
// annotations are the symbol tool's output). This type is not in the public
// WDK headers, so the offsets are tied to the build the symbols came from;
// it is the "Base" member shown at +0x000 of each _FLT_VOLUME in the kd dump
// at the top of this file. DriverEntry below never dereferences it.
//
typedef struct _FLT_OBJECT // 5 elements, 0x30 bytes (sizeof)
{
/*0x000*/ enum _FLT_OBJECT_FLAGS Flags;
/*0x004*/ ULONG32 PointerCount;
/*0x008*/ struct _EX_RUNDOWN_REF RundownRef; // 2 elements, 0x8 bytes (sizeof)
/*0x010*/ struct _LIST_ENTRY PrimaryLink; // 2 elements, 0x10 bytes (sizeof)
/*0x020*/ struct _GUID UniqueIdentifier; // 4 elements, 0x10 bytes (sizeof)
}FLT_OBJECT, * PFLT_OBJECT;
//
// Leading part of the filter manager's internal _FLT_VOLUME, matching the
// kd `dt FLTMGR!_FLT_VOLUME` dump at the top of this file (DeviceName holds
// e.g. "\Device\HarddiskVolume3", GuidName the "\??\Volume{...}" form).
//
// Only the fields through CDODriverName (0x90 + 0x10 = 0xa0 bytes) are
// declared; InstanceList .. SupportedFeatures from the dump are omitted, so
// sizeof(FLT_VOLUME) here is NOT the 0x758 the trailing comment quotes.
// Do not use this type to allocate, copy or index whole volume objects.
// The offsets are undocumented and build-specific; DriverEntry below only
// passes PFLT_VOLUME opaquely to FltGetDiskDeviceObject / FltGetVolumeName
// and never reads these members directly.
//
typedef struct _FLT_VOLUME // 24 elements, 0x758 bytes (sizeof)
{
/*0x000*/ struct _FLT_OBJECT Base; // 5 elements, 0x30 bytes (sizeof)
/*0x030*/ enum _FLT_VOLUME_FLAGS Flags;
/*0x034*/ enum _FLT_FILESYSTEM_TYPE FileSystemType;
/*0x038*/ struct _DEVICE_OBJECT* DeviceObject;
/*0x040*/ struct _DEVICE_OBJECT* DiskDeviceObject; // NULL for \Device\Mup, \Device\NamedPipe, \Device\Mailslot in the dump above
/*0x048*/ struct _FLT_VOLUME* FrameZeroVolume;
/*0x050*/ struct _FLT_VOLUME* VolumeInNextFrame;
/*0x058*/ struct _FLTP_FRAME* Frame;
/*0x060*/ struct _UNICODE_STRING DeviceName; // 3 elements, 0x10 bytes (sizeof)
/*0x070*/ struct _UNICODE_STRING GuidName; // 3 elements, 0x10 bytes (sizeof)
/*0x080*/ struct _UNICODE_STRING CDODeviceName; // 3 elements, 0x10 bytes (sizeof)
/*0x090*/ struct _UNICODE_STRING CDODriverName; // 3 elements, 0x10 bytes (sizeof)
}FLT_VOLUME, * PFLT_VOLUME;
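namespace {

// Pool tags, kept as in the original so poolmon output stays comparable.
// NOTE(review): single-character tags are hard to attribute in poolmon; a
// four-character tag is the usual convention.
constexpr ULONG kVolumeListTag = 'I';
constexpr ULONG kVolumeNameTag = 'k';

//
// Queries the filter manager's name for Volume (two-call pattern: size probe,
// then fill) and logs it. Diagnostic only: every failure is logged and the
// function returns; the temporary name buffer is released on every path.
//
void LogFltVolumeName(_In_ PFLT_VOLUME Volume)
{
    ULONG bufferNeeded = 0;
    NTSTATUS status = FltGetVolumeName(Volume, NULL, &bufferNeeded);
    // With a NULL VolumeName the API reports the required byte count via
    // STATUS_BUFFER_TOO_SMALL; anything else is a real failure.
    if (status != STATUS_BUFFER_TOO_SMALL || bufferNeeded == 0 || bufferNeeded > MAXUSHORT) {
        dbg::print("FltGetVolumeName failed with %x\n", status);
        return;
    }

    // NOTE(review): NonPagedPool is kept from the original; NonPagedPoolNx
    // (or PagedPool, since DriverEntry runs at PASSIVE_LEVEL) would be
    // preferable for a string that is never touched at elevated IRQL.
    UNICODE_STRING volumeName;
    volumeName.Buffer = (PWCHAR)ExAllocatePoolWithTag(NonPagedPool, bufferNeeded, kVolumeNameTag);
    if (volumeName.Buffer == NULL) {
        // Allocation failure is not fatal for a diagnostic; the original
        // bug-checked here, which turns a transient low-memory condition
        // into a crash.
        dbg::print("ExAllocatePoolWithTag(%u) failed\n", bufferNeeded);
        return;
    }
    volumeName.Length = 0;                              // FltGetVolumeName sets Length itself
    volumeName.MaximumLength = (USHORT)bufferNeeded;    // bufferNeeded is in bytes

    status = FltGetVolumeName(Volume, &volumeName, NULL);
    if (NT_SUCCESS(status)) {
        dbg::print("Volume Name %wZ\n", &volumeName); // same value ObQueryNameString gave for the disk device
    } else {
        dbg::print("FltGetVolumeName failed with %x\n", status);
    }

    ExFreePoolWithTag(volumeName.Buffer, kVolumeNameTag);
}

//
// Logs the name of the disk device backing Volume and, for disk / CD-ROM
// backed volumes, the filter manager's volume name as well.
//
// FltGetDiskDeviceObject returns a referenced device object; it is released
// on every path (the original skipped ObDereferenceObject whenever a later
// query failed). Volumes with no disk device (\Device\Mup, \Device\NamedPipe,
// \Device\Mailslot in the kd dump at the top of the file) are logged and
// skipped.
//
void LogVolumeNames(_In_ PFLT_VOLUME Volume)
{
    PDEVICE_OBJECT diskDevice = NULL;
    NTSTATUS status = FltGetDiskDeviceObject(Volume, &diskDevice);
    if (!NT_SUCCESS(status) || diskDevice == NULL) {
        dbg::print("FltGetDiskDeviceObject failed with %x!\n", status);
        return;
    }

    dbg::print("[+]++++++++++++++++++++\n");

    if (diskDevice->Flags & DO_DEVICE_HAS_NAME) {
        // OBJECT_NAME_INFORMATION is a UNICODE_STRING followed by the
        // characters; 1024 bytes is ample for "\Device\HarddiskVolumeN".
        // Static rather than stack-resident to keep the kernel stack small;
        // safe because DriverEntry runs exactly once, single-threaded.
        static char nameBuf[1024]{};
        ULONG returnLength = 0;
        POBJECT_NAME_INFORMATION nameInfo = (POBJECT_NAME_INFORMATION)nameBuf;

        status = ObQueryNameString(diskDevice, nameInfo, sizeof(nameBuf), &returnLength);
        if (NT_SUCCESS(status)) {
            // %wZ consumes a PUNICODE_STRING; the original passed the
            // UNICODE_STRING struct by value through the varargs.
            dbg::print("DiskDevice Name : %wZ Device Type %d: \n", &nameInfo->Name, diskDevice->DeviceType);

            if (diskDevice->DeviceType == FILE_DEVICE_DISK || diskDevice->DeviceType == FILE_DEVICE_CD_ROM) {
                LogFltVolumeName(Volume);
            }
        } else {
            dbg::print("ObQueryNameString failed with %x!\n", status);
        }
    }

    dbg::print("[-]--------------------\n");

    ObDereferenceObject(diskDevice);
}

//
// Enumerates every volume Filter is attached to and logs its names.
//
// Owns both the volume array and the rundown reference FltEnumerateVolumes
// adds to each returned volume; the references are dropped with
// FltObjectDereference and the array is freed before returning (the original
// leaked both).
//
// Returns STATUS_SUCCESS when the enumeration itself succeeded, regardless of
// how many individual volumes could be named; otherwise the failure status
// (STATUS_UNSUCCESSFUL when no volumes were reported, as before).
//
NTSTATUS LogAllVolumes(_In_ PFLT_FILTER Filter)
{
    ULONG volumeCount = 0;
    NTSTATUS status = FltEnumerateVolumes(Filter, NULL, 0, &volumeCount);
    if (volumeCount == 0) {
        dbg::print("FltEnumerateVolumes failed with %x!\n", status);
        return STATUS_UNSUCCESSFUL;
    }

    // sizeof(PFLT_VOLUME) per entry; the original sized the array with
    // sizeof(PFLT_VOLUME*) and then passed a hard-coded 8*num.
    const ULONG listSize = volumeCount * sizeof(PFLT_VOLUME);
    PFLT_VOLUME* volumes = (PFLT_VOLUME*)ExAllocatePoolWithTag(NonPagedPool, listSize, kVolumeListTag);
    if (volumes == NULL) {
        // NT_ASSERT in the original compiles away in release builds and
        // would have let a NULL array be passed on.
        return STATUS_INSUFFICIENT_RESOURCES;
    }

    // A volume may have been mounted between the probe and this call; that
    // surfaces as STATUS_BUFFER_TOO_SMALL and is reported as a failure here
    // rather than retried, matching the original behaviour.
    ULONG returned = 0;
    status = FltEnumerateVolumes(Filter, volumes, listSize, &returned);
    if (!NT_SUCCESS(status)) {
        ExFreePoolWithTag(volumes, kVolumeListTag);
        return status;
    }

    for (ULONG i = 0; i < returned; ++i) {
        LogVolumeNames(volumes[i]);
        FltObjectDereference(volumes[i]);
    }

    ExFreePoolWithTag(volumes, kVolumeListTag);
    return STATUS_SUCCESS;
}

} // namespace

//
// Registers and starts the minifilter, then logs the device / volume names of
// every attached volume (see the kd dump at the top of the file for what the
// filter manager holds per volume).
//
// Returns STATUS_SUCCESS once filtering has started and the enumeration
// succeeded; on any failure the filter is unregistered and the failing
// status is returned. The original returned whatever status the last
// per-volume query left behind, so a single un-nameable volume could make
// the driver load fail while the filter stayed registered.
//
extern "C"
NTSTATUS
DriverEntry (
    _In_ PDRIVER_OBJECT DriverObject,
    _In_ PUNICODE_STRING RegistryPath
    )
{
    UNREFERENCED_PARAMETER(RegistryPath);

    NTSTATUS status = FltRegisterFilter(DriverObject,
                                        &minifilter::FilterRegistration,
                                        &gFilterHandle);
    if (!NT_SUCCESS(status)) {
        dbg::print("FltRegisterFilter failed with status %x\n", status);
        return status;
    }

    //
    // Start filtering i/o
    //
    status = FltStartFiltering(gFilterHandle);
    if (!NT_SUCCESS(status)) {
        // The original omitted the status argument, so %x read an
        // unrelated value off the varargs.
        dbg::print("FltStartFiltering failed with status %x\n", status);
        FltUnregisterFilter(gFilterHandle);
        return status;
    }

    status = LogAllVolumes(gFilterHandle);
    if (!NT_SUCCESS(status)) {
        dbg::print("FltEnumerateVolumes failed with %x!\n", status);
        FltUnregisterFilter(gFilterHandle);
        return status;
    }

    return STATUS_SUCCESS;
}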