CHANGMEN的个人博客,专注于网络安全领域。
内核驱动MiniFilter Callback
最近更新:2026-05-01   |   字数总计:1.8k   |   阅读估时:9分钟   |   阅读量:
  1. 解决 FltEnumerateFilters 并获取 FLTMGR!FltGlobals 地址
  2. 查看FLTMGR!_GLOBALS 结构
  3. GetFilterByName 函数
  4. GetOperationsForFilter 函数
  5. EnumFrameVolumes 函数
  6. UnLinksForVolumesAndCallbacks 函数

具体的介绍可以看https://www.lyshark.com/post/6f58192d.html,这个是比较复杂的,不像监控进程,线程那些,只需要一个api+一个回调函数。

我们自己写的文件过滤驱动为这个

image-20260430110322994

现在我们去windbg去找一下关于文件过滤的一系列内核数据结构。

参考https://github.com/V-i-x-x/kernel-callback-removal/tree/main/MiniFilterFileCallbackKernelBypass

这个项目很好,但是需要手动进行修改一些偏移,不然直接蓝屏。

解决 FltEnumerateFilters 并获取 FLTMGR!FltGlobals 地址

我们可以通过以下导出函数 FLTMGR!FltEnumerateFilters进行二分查找获得该FLTMGR!FltGlobals地址

1
u FLTMGR!FltEnumerateFilters L50

image-20260430111318854

根据特征码找到此位置,然后获取这个地址减去0x58即可。

查看FLTMGR!_GLOBALS 结构

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
0: kd> dt FLTMGR!_GLOBALS fffff801`7ead9600
   +0x000 DebugFlags       : 0
   +0x008 TraceFlags       : 0
   +0x010 GFlags           : 0x143
   +0x018 RegHandle        : 0xffffbb08`8dd66110
   +0x020 NumProcessors    : 2
   +0x024 CacheLineSize    : 0x40
   +0x028 AlignedInstanceTrackingListSize : 0x40
   +0x030 ControlDeviceObject : 0xffffbb08`8da9b290 _DEVICE_OBJECT
   +0x038 DriverObject     : 0xffffbb08`8da9d800 _DRIVER_OBJECT
   +0x040 KtmTransactionManagerHandle : 0xffffffff`80000234 Void
   +0x048 TxVolKtmResourceManagerHandle : 0xffffffff`80002fbc Void
   +0x050 TxVolKtmResourceManager : 0xffffbb08`93d11d60 _KRESOURCEMANAGER
   +0x058 FrameList        : _FLT_RESOURCE_LIST_HEAD
   +0x0d8 Phase2InitLock   : _FAST_MUTEX
   +0x110 RegistryPath     : _UNICODE_STRING "\Registry\Machine\System\CurrentControlSet\Services\FltMgr"
   +0x120 RegistryPathBuffer : [160]  "\Registry\Machine\System\CurrentControlSet\Services\FltMgr"
   +0x260 GlobalVolumeOperationLock : 0xffffbb08`8dd69590 _EX_PUSH_LOCK_CACHE_AWARE_LEGACY
   +0x268 FltpServerPortObjectType : 0xffffbb08`8d3f12a0 _OBJECT_TYPE
   +0x270 FltpCommunicationPortObjectType : 0xffffbb08`8d3f1400 _OBJECT_TYPE
   +0x278 MsgDeviceObject  : 0xffffbb08`8da9b060 _DEVICE_OBJECT
   +0x280 ManualDeviceAttachTimer : (null) 
   +0x288 ManualDeviceAttachWork : _WORK_QUEUE_ITEM
   +0x2a8 ManualDeviceAttachLimit : 0n0
   +0x2ac ManualAttachDelayCounter : 0n0
   +0x2b0 FastManualAttachTimerPeriod : 5
   +0x2b4 ManualAttachTimerPeriod : 0xf
   +0x2b8 ManualAttachDelay : 0
   +0x2bc ManualAttachIgnoredDevices : 0 ''
   +0x2bd ManualAttachOnlyOnceDevices : 0 ''
   +0x2be ManualAttachFastAttachDevices : 0 ''
   +0x2c0 CallbackStackSwapThreshold : 0x2000
   +0x300 TargetedIoCtrlLookasideList : _NPAGED_LOOKASIDE_LIST
   +0x380 IoDeviceHintLookasideList : _PAGED_LOOKASIDE_LIST
   +0x400 StreamListCtrlLookasideList : _NPAGED_LOOKASIDE_LIST
   +0x480 FileListCtrlLookasideList : _NPAGED_LOOKASIDE_LIST
   +0x500 NameCacheCreateCtrlLookasideList : _NPAGED_LOOKASIDE_LIST
   +0x580 AsyncIoContextLookasideList : _NPAGED_LOOKASIDE_LIST
   +0x600 WorkItemLookasideList : _NPAGED_LOOKASIDE_LIST
   +0x680 NameControlLookasideList : _NPAGED_LOOKASIDE_LIST
   +0x700 OperationStatusCtrlLookasideList : _NPAGED_LOOKASIDE_LIST
   +0x780 NameGenerationContextLookasideList : _NPAGED_LOOKASIDE_LIST
   +0x800 FileLockLookasideList : _PAGED_LOOKASIDE_LIST
   +0x880 TxnParameterBlockLookasideList : _NPAGED_LOOKASIDE_LIST
   +0x900 TxCtxExtensionNPagedLookasideList : _NPAGED_LOOKASIDE_LIST
   +0x980 TxVolCtxLookasideList : _NPAGED_LOOKASIDE_LIST
   +0xa00 TxVolStreamListCtrlEntryLookasideList : _PAGED_LOOKASIDE_LIST
   +0xa80 SectionListCtrlLookasideList : _NPAGED_LOOKASIDE_LIST
   +0xb00 SectionCtxExtensionLookasideList : _NPAGED_LOOKASIDE_LIST
   +0xb80 OpenReparseListLookasideList : _PAGED_LOOKASIDE_LIST
   +0xc00 OpenReparseListEntryLookasideList : _PAGED_LOOKASIDE_LIST
   +0xc80 QueryOnCreateLookasideList : _PAGED_LOOKASIDE_LIST
   +0xd00 NameBufferLookasideList : _PAGED_LOOKASIDE_LIST
   +0xd80 NameCacheNodeLookasideLists : [7] _PAGED_LOOKASIDE_LIST
   +0x1100 FltpParameterOffsetTable : [28] <anonymous-tag>
   +0x11e0 ThrottledWorkCtrl : _THROTTLED_WORK_ITEM_CTRL
   +0x1230 LostItemDelayInSeconds : 0x1e
   +0x1238 VerifiedFiltersList : _LIST_ENTRY [ 0xfffff801`7eada838 - 0xfffff801`7eada838 ]
   +0x1248 VerifiedFiltersLock : 0
   +0x1250 VerifiedResourceLinkFailures : 0n0
   +0x1254 VerifiedResourceUnlinkFailures : 0n0
   +0x1258 PerfTraceRoutines : 0xfffff801`7fa00eb0 _WMI_FLTIO_NOTIFY_ROUTINES
   +0x1260 DummyPerfTraceRoutines : _WMI_FLTIO_NOTIFY_ROUTINES
   +0x1290 RenameCounter    : _LARGE_INTEGER 0x1865a
   +0x1298 FilterSupportedFeaturesMode : 0n0
   +0x12a0 InitialRundownSize : 0xd8

GetFilterByName 函数

+0x058 FrameList : _FLT_RESOURCE_LIST_HEAD

1
2
3
4
5
6
7
8
9
10
0: kd> dx -id 0,0,ffffbb088d28a040 -r1 (*((FLTMGR!_FLT_RESOURCE_LIST_HEAD *)0xfffff8017ead9658))
(*((FLTMGR!_FLT_RESOURCE_LIST_HEAD *)0xfffff8017ead9658))                 [Type: _FLT_RESOURCE_LIST_HEAD]
    [+0x000] rLock            : Unowned Resource [Type: _ERESOURCE]
    [+0x068] rList            [Type: _LIST_ENTRY]
    [+0x078] rCount           : 0x1 [Type: unsigned long]
0: kd> dx -id 0,0,ffffbb088d28a040 -r1 (*((FLTMGR!_LIST_ENTRY *)0xfffff8017ead96c0))
(*((FLTMGR!_LIST_ENTRY *)0xfffff8017ead96c0))                 [Type: _LIST_ENTRY]
    [+0x000] Flink            : 0xffffbb088dacc038 [Type: _LIST_ENTRY *]
    [+0x008] Blink            : 0xffffbb088dacc038 [Type: _LIST_ENTRY *]

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
0: kd> dt FLTMGR!_FLTP_FRAME 0xffffbb088dacc030
   +0x000 Type             : _FLT_TYPE
   +0x008 Links            : _LIST_ENTRY [ 0xfffff801`7ead96c0 - 0xfffff801`7ead96c0 ]
   +0x018 FrameID          : 0
   +0x020 AltitudeIntervalLow : _UNICODE_STRING "0"
   +0x030 AltitudeIntervalHigh : _UNICODE_STRING "409800"
   +0x040 LargeIrpCtrlStackSize : 0x7 ''
   +0x041 SmallIrpCtrlStackSize : 0x1 ''
   +0x048 RegisteredFilters : _FLT_RESOURCE_LIST_HEAD
   +0x0c8 AttachedVolumes  : _FLT_RESOURCE_LIST_HEAD
   +0x148 MountingVolumes  : _LIST_ENTRY [ 0xffffbb08`8dacc178 - 0xffffbb08`8dacc178 ]
   +0x158 AttachedFileSystems : _FLT_MUTEX_LIST_HEAD
   +0x1a8 ZombiedFltObjectContexts : _FLT_MUTEX_LIST_HEAD
   +0x1f8 KtmResourceManagerHandle : 0xffffffff`8000023c Void
   +0x200 KtmResourceManager : 0xffffbb08`8f30a300 _KRESOURCEMANAGER
   +0x208 FilterUnloadLock : _ERESOURCE
   +0x270 DeviceObjectAttachLock : _FAST_MUTEX
   +0x2a8 Prcb             : 0xffffbb08`8d3f5d80 _FLT_PRCB
   +0x2b0 PrcbPoolToFree   : 0xffffbb08`8d3f5d60 Void
   +0x2b8 LookasidePoolToFree : 0xffffbb08`8da9d9c0 Void
   +0x2c0 IrpCtrlStackProfiler : _FLTP_IRPCTRL_STACK_PROFILER
   +0x400 SmallIrpCtrlLookasideList : _NPAGED_LOOKASIDE_LIST
   +0x480 LargeIrpCtrlLookasideList : _NPAGED_LOOKASIDE_LIST
   +0x500 ReserveIrpCtrls  : _RESERVE_IRPCTRL
0: kd> dx -id 0,0,ffffbb088d28a040 -r1 (*((FLTMGR!_FLT_RESOURCE_LIST_HEAD *)0xffffbb088dacc078))
(*((FLTMGR!_FLT_RESOURCE_LIST_HEAD *)0xffffbb088dacc078))                 [Type: _FLT_RESOURCE_LIST_HEAD]
    [+0x000] rLock            : Unowned Resource [Type: _ERESOURCE]
    [+0x068] rList            [Type: _LIST_ENTRY]
    [+0x078] rCount           : 0xc [Type: unsigned long]
0: kd> dx -id 0,0,ffffbb088d28a040 -r1 (*((FLTMGR!_LIST_ENTRY *)0xffffbb088dacc0e0))
(*((FLTMGR!_LIST_ENTRY *)0xffffbb088dacc0e0))                 [Type: _LIST_ENTRY]
    [+0x000] Flink            : 0xffffbb088d344660 [Type: _LIST_ENTRY *]
    [+0x008] Blink            : 0xffffbb088f3084d0 [Type: _LIST_ENTRY *]
0: kd> dt _FLT_FILTER 0xffffbb088d344650
FLTMGR!_FLT_FILTER
   +0x000 Base             : _FLT_OBJECT
   +0x030 Frame            : 0xffffbb08`8dacc030 _FLTP_FRAME
   +0x038 Name             : _UNICODE_STRING "bindflt"
   +0x048 DefaultAltitude  : _UNICODE_STRING "409800"
   +0x058 Flags            : 0x16 (No matching name)
   +0x060 DriverObject     : 0xffffbb08`90d21a70 _DRIVER_OBJECT
   +0x068 InstanceList     : _FLT_RESOURCE_LIST_HEAD
   +0x0e8 VerifierExtension : (null) 
   +0x0f0 VerifiedFiltersLink : _LIST_ENTRY [ 0x00000000`00000000 - 0x00000000`00000000 ]
   +0x100 FilterUnload     : 0xfffff801`8ed11c70     long  +fffff8018ed11c70
   +0x108 InstanceSetup    : 0xfffff801`8ed07810     long  +fffff8018ed07810
   +0x110 InstanceQueryTeardown : 0xfffff801`8ed07720     long  +fffff8018ed07720
   +0x118 InstanceTeardownStart : 0xfffff801`8ed07c20     void  +fffff8018ed07c20
   +0x120 InstanceTeardownComplete : 0xfffff801`8ed07c10     void  +fffff8018ed07c10
   +0x128 SupportedContextsListHead : 0xffffbb08`90f032f0 _ALLOCATE_CONTEXT_HEADER
   +0x130 SupportedContexts : [7] (null) 
   +0x168 PreVolumeMount   : 0xfffff801`8ed04ef0     _FLT_PREOP_CALLBACK_STATUS  +fffff8018ed04ef0
   +0x170 PostVolumeMount  : (null) 
   +0x178 GenerateFileName : 0xfffff801`8ecfdd90     long  +fffff8018ecfdd90
   +0x180 NormalizeNameComponent : (null) 
   +0x188 NormalizeNameComponentEx : 0xfffff801`8ed10980     long  +fffff8018ed10980
   +0x190 NormalizeContextCleanup : (null) 
   +0x198 KtmNotification  : (null) 
   +0x1a0 SectionNotification : (null) 
   +0x1a8 Operations       : 0xffffbb08`8d344900 _FLT_OPERATION_REGISTRATION
   +0x1b0 OldDriverUnload  : (null) 
   +0x1b8 ActiveOpens      : _FLT_MUTEX_LIST_HEAD
   +0x208 ConnectionList   : _FLT_MUTEX_LIST_HEAD
   +0x258 PortList         : _FLT_MUTEX_LIST_HEAD
   +0x2a8 PortLock         : _EX_PUSH_LOCK

跟着链表就能找到我们的驱动

image-20260430112247730

GetOperationsForFilter 函数

image-20260430112427781

image-20260430112447515

开头第一个就是这个

image-20260430110322994

比如我们看到是0,那么就是代表IRP_MJ_CREATE操作,然后pre和post就是回调FSCreatePreCallback和FSCreatePostCallback

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
static std::unordered_map<BYTE, const char*> g_IrpMjMap{
	{0, "IRP_MJ_CREATE"},
	{1, "IRP_MJ_CREATE_NAMED_PIPE"},
	{2, "IRP_MJ_CLOSE"},
	{3, "IRP_MJ_READ"},
	{4, "IRP_MJ_WRITE"},
	{5, "IRP_MJ_QUERY_INFORMATION"},
	{6, "IRP_MJ_SET_INFORMATION"},
	{7, "IRP_MJ_QUERY_EA"},
	{8, "IRP_MJ_SET_EA"},
	{9, "IRP_MJ_FLUSH_BUFFERS"},
	{0xa, "IRP_MJ_QUERY_VOLUME_INFORMATION"},
	{0xb, "IRP_MJ_SET_VOLUME_INFORMATION"},
	{0xc, "IRP_MJ_DIRECTORY_CONTROL"},
	{0xd, "IRP_MJ_FILE_SYSTEM_CONTROL"},
	{0xe, "IRP_MJ_DEVICE_CONTROL"},
	{0xf, "IRP_MJ_INTERNAL_DEVICE_CONTROL"},
	{0x10, "IRP_MJ_SHUTDOWN"},
	{0x11, "IRP_MJ_LOCK_CONTROL"},
	{0x12, "IRP_MJ_CLEANUP"},
	{0x13, "IRP_MJ_CREATE_MAILSLOT"},
	{0x14, "IRP_MJ_QUERY_SECURITY"},
	{0x15, "IRP_MJ_SET_SECURITY"},
	{0x16, "IRP_MJ_POWER"},
	{0x17, "IRP_MJ_SYSTEM_CONTROL"},
	{0x18, "IRP_MJ_DEVICE_CHANGE"},
	{0x19, "IRP_MJ_QUERY_QUOTA"},
	{0x1a, "IRP_MJ_SET_QUOTA"},
	{0x1b, "IRP_MJ_PNP"},
	{0x1b, "IRP_MJ_PNP_POWER"},
	{0x1b, "IRP_MJ_MAXIMUM_FUNCTION"},
	{((UCHAR)-1), "IRP_MJ_ACQUIRE_FOR_SECTION_SYNCHRONIZATION"},
	{((UCHAR)-2), "IRP_MJ_RELEASE_FOR_SECTION_SYNCHRONIZATION"},
	{((UCHAR)-3), "IRP_MJ_ACQUIRE_FOR_MOD_WRITE"},
	{((UCHAR)-4), "IRP_MJ_RELEASE_FOR_MOD_WRITE"},
	{((UCHAR)-5), "IRP_MJ_ACQUIRE_FOR_CC_FLUSH"},
	{((UCHAR)-6), "IRP_MJ_RELEASE_FOR_CC_FLUSH"},
	{((UCHAR)-7), "IRP_MJ_QUERY_OPEN"},
	{((UCHAR)-13), "IRP_MJ_FAST_IO_CHECK_IF_POSSIBLE"},
	{((UCHAR)-14), "IRP_MJ_NETWORK_QUERY_OPEN"},
	{((UCHAR)-15), "IRP_MJ_MDL_READ"},
	{((UCHAR)-16), "IRP_MJ_MDL_READ_COMPLETE"},
	{((UCHAR)-17), "IRP_MJ_PREPARE_MDL_WRITE"},
	{((UCHAR)-18), "IRP_MJ_MDL_WRITE_COMPLETE"},
	{((UCHAR)-19), "IRP_MJ_VOLUME_MOUNT"},
	{((UCHAR)-20), "IRP_MJ_VOLUME_DISMOUNT"}
};

这边加0x20,看下一个IRP。

终止条件要注意:数组最后一个 entry 的 MajorFunctionIRP_MJ_OPERATION_END (0x80),遍历时碰到 0x80 就停止,这是 FltMgr 的约定标志。

那么下一个0x4,就是IRP_MJ_WRITE。继续遍历即可

image-20260430112852384

EnumFrameVolumes 函数

每个帧也连接到卷。你可以把卷作为设备名称。

文件过滤器可以设置为仅激活并监控特定卷的 I/O 操作。

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
0: kd> dt FLTMGR!_FLTP_FRAME 0xffffbb088dacc030
   +0x000 Type             : _FLT_TYPE
   +0x008 Links            : _LIST_ENTRY [ 0xfffff801`7ead96c0 - 0xfffff801`7ead96c0 ]
   +0x018 FrameID          : 0
   +0x020 AltitudeIntervalLow : _UNICODE_STRING "0"
   +0x030 AltitudeIntervalHigh : _UNICODE_STRING "409800"
   +0x040 LargeIrpCtrlStackSize : 0x7 ''
   +0x041 SmallIrpCtrlStackSize : 0x1 ''
   +0x048 RegisteredFilters : _FLT_RESOURCE_LIST_HEAD
   +0x0c8 AttachedVolumes  : _FLT_RESOURCE_LIST_HEAD
   +0x148 MountingVolumes  : _LIST_ENTRY [ 0xffffbb08`8dacc178 - 0xffffbb08`8dacc178 ]
   +0x158 AttachedFileSystems : _FLT_MUTEX_LIST_HEAD
   +0x1a8 ZombiedFltObjectContexts : _FLT_MUTEX_LIST_HEAD
   +0x1f8 KtmResourceManagerHandle : 0xffffffff`8000023c Void
   +0x200 KtmResourceManager : 0xffffbb08`8f30a300 _KRESOURCEMANAGER
   +0x208 FilterUnloadLock : _ERESOURCE
   +0x270 DeviceObjectAttachLock : _FAST_MUTEX
   +0x2a8 Prcb             : 0xffffbb08`8d3f5d80 _FLT_PRCB
   +0x2b0 PrcbPoolToFree   : 0xffffbb08`8d3f5d60 Void
   +0x2b8 LookasidePoolToFree : 0xffffbb08`8da9d9c0 Void
   +0x2c0 IrpCtrlStackProfiler : _FLTP_IRPCTRL_STACK_PROFILER
   +0x400 SmallIrpCtrlLookasideList : _NPAGED_LOOKASIDE_LIST
   +0x480 LargeIrpCtrlLookasideList : _NPAGED_LOOKASIDE_LIST
   +0x500 ReserveIrpCtrls  : _RESERVE_IRPCTRL

image-20260430113304510

需要从我们获得的卷地址中减去 10,才能到达卷结构 FLTMGR!_FLT_VOLUME 的起点

image-20260430113248199

UnLinksForVolumesAndCallbacks 函数

每个卷将包含一个回调列表,按其mj+22进行索引。

image-20260430113454119

意思就是从22开始,对应我们的g_IrpMjMap,比如22就是{0, “IRP_MJ_CREATE”}

1
dt FLTMGR!_CALLBACK_NODE

image-20260430113654392

image-20260430114230393

那么我们之前看到的,0x0的回调,跟这个是对应的,pre post都是一样的。

image-20260430114356816

所以这个寻找的逻辑,就是遍历这些卷,然后进行找Callbacks,从50个链表的第22个开始,然后遍历我们之前获取到的指定驱动的mj几种类型的。

image-20260430115246353

比如这是第21个,就是0xff {((UCHAR)-1), “IRP_MJ_ACQUIRE_FOR_SECTION_SYNCHRONIZATION”},都对上了。

image-20260430115938502

image-20260430115657682

该函数将具体操作如下:

  • 先循环我们从过滤器(GetOperationsForFilter)得到的操作。
  • 在第一个循环内,循环浏览各卷。
  • 获取操作 Entry(在卷结构的操作列表中)基于主要函数(步骤 1 操作)+ 22。操作 entry 将包含为该卷设置的所有回调
  • 循环我们所在的 operationLists 条目的 CallbackLinks。
  • 检查操作内的前后回调条目是否与过滤操作(步骤1)中的条目匹配。
  • 如果是这样,我们就把整个链表从操作中的链表(卷结构)中移除。

意思就是从那50个里面,每一个都是一个链表,如果进去链表看里面数据FLTMGR!_CALLBACK_NODE我们循环对应上了这个pre和post,那么就进行这个从这个链表里面摘除。比如刚刚我们看的,这个就是第21个的链表。这个只有一个节点,如果我们摘除了。

1
2
3
4
5
0: kd> dx -id 0,0,ffffbb088d28a040 -r1 (*((FLTMGR!_LIST_ENTRY *)0xffffbb088da9e280))
(*((FLTMGR!_LIST_ENTRY *)0xffffbb088da9e280))                 [Type: _LIST_ENTRY]
    [+0x000] Flink            : 0xffffbb088fa31f00 [Type: _LIST_ENTRY *]
    [+0x008] Blink            : 0xffffbb088fa31f00 [Type: _LIST_ENTRY *]

image-20260430120425141

此时链表空了

image-20260430120702158

2026-04-30 该篇文章被 CHANGMEN 打上标签: 内核

上一篇:内核驱动WFP过滤平台 下一篇:内核驱动监听ObRegister回调
© 2024 CHANGMEN | Network Security Enthusiast
🌊看过大海的人不会忘记海的广阔🌊 本站由Hexo驱动|使用Hexo-theme-A4主题