如题,我想在IRP_MJ_CREATE截获创建的文件路径,并修改重定向到U盘上创建,就是文件的转存!如有可行代码请多多提示,大牛帮帮忙啊!!!
------解决方案--------------------
To redirect a file-open or file-creation operation to another file, a file system filter driver does the following:
In the handler of IRP_MJ_CREATE, obtains the file name (FileName field) from the FILE_OBJECT.
Replaces this name with the full name of the destination file.
This full name includes the name of the volume device object (for example, Device\HardDiskVolume0\Directory\MyFile.txt). You can substitute your own buffer to the existing FileName.Buffer present in the FILE_OBJECT. In this case, allocate your buffer from NonPaged pool memory, free the original FileName.Buffer by using ExFreePool, and then replace FileName.Buffer with your buffer.
Sets the status field of the IoStatus block to STATUS_REPARSE, and then sets the Information field to IO_REPARSE.
Completes the request.
Returns STATUS_REPARSE.
The IO Manager then triggers another file-open operation and sends an IRP_MJ_CREATE, taking into account the particular file name.
The destination file can be local or on a remote computer. To redirect the file-open operation to a remote file, use the following syntax for the file name:
"\??\UNC\HostName\Share\File"
-or-
"\Device\Mup\HostName\Share\File"
-or-
"\Device\LanmanagerRedirector\HostName\Share\File" (assuming you are targeting a file on CIFS/SMB/LanManager)
The fact that the first create-file operation is performed relative to another file object does not matter. Do not modify the RelatedFileObject field of the FILE_OBJECT. To perform the reparse operation, the IO Manager considers only the FileName field and not the RelatedFileObject. Additionally, the IO Manager frees the RelatedFileObject, as appropriate, when it handles the STATUS_REPARSE status returned by the filter. Therefore, it is not the responsibility of the filter to free that file object.
There is a fixed limit concerning the number of nested reparse operations that the IO Manager can perform. This limit has been introduced to avoid infinite loops. The maximum number of nested reparse operations the system can perform is 32.
This reparsing method performed by the IO Manager has to be disassociated from reparse points. Reparse points have been introduced in NTFS, starting with Microsoft Windows 2000. Reparse points permit you to store information together with a file.
- C/C++ code
NTSTATUSSfCreate ( IN PDEVICE_OBJECT DeviceObject, IN PIRP Irp ){ PIO_STACK_LOCATION IrpSp; PUNICODE_STRING FileName; PVOID FileNameBuffer; UNICODE_STRING NewFileName; BOOLEAN bRedirectFileOpen = FALSE; // // If the device being opened is the primary device object instead of a // filter device object, just indicate that the operation worked. // if (DeviceObject == FsDeviceObject) { // // Allow users to open the device that represents our driver. // Irp->IoStatus.Status = STATUS_SUCCESS; Irp->IoStatus.Information = FILE_OPENED; IoCompleteRequest( Irp, IO_NO_INCREMENT ); return STATUS_SUCCESS; } IrpSp = IoGetCurrentIrpStackLocation(Irp); // // At this point, you must determine whether you want to redirect //ad.F