\u5bf9\u4e8eMiniFilter\u76d1\u63a7\u8f6f\u94fe\u63a5\u548c\u786c\u94fe\u63a5\u8fd9\u5757\u7684\u8d44\u6599\u8fd8\u662f\u633a\u5c11\u7684\u3002<\/p>\n
\u8fd9\u91cc\u6574\u7406\u5e76\u5b9e\u73b0\u4e86\u4ee5\u4e0b\u529f\u80fd:<\/p>\n
#include <fltKernel.h>\n\nPFLT_FILTER gFilterHandle = NULL;\n\nFLT_POSTOP_CALLBACK_STATUS FsFilterPostSetInformation(\n __inout PFLT_CALLBACK_DATA Data,\n __in PCFLT_RELATED_OBJECTS FltObjects,\n __in_opt PVOID CompletionContext,\n __in FLT_POST_OPERATION_FLAGS Flags\n)\n{\n FILE_INFORMATION_CLASS Class = \n Data->Iopb->Parameters.SetFileInformation.FileInformationClass;\n PFILE_RENAME_INFORMATION pRenameInfo = (PFILE_RENAME_INFORMATION)\n Data->Iopb->Parameters.SetFileInformation.InfoBuffer;\n\n PFLT_FILE_NAME_INFORMATION pSrcNameInfo = NULL;\n PFLT_FILE_NAME_INFORMATION pLinkNameInfo = NULL;\n\n NTSTATUS Status = STATUS_UNSUCCESSFUL;\n if (Class == FileLinkInformation)\n {\n Status = FltGetFileNameInformation(\n Data, \n FLT_FILE_NAME_NORMALIZED | FLT_FILE_NAME_QUERY_DEFAULT, \n &pSrcNameInfo\n );\n if (!NT_SUCCESS(Status))\n {\n goto END;\n }\n\n Status = FltParseFileNameInformation(pSrcNameInfo);\n if (!NT_SUCCESS(Status))\n {\n goto END;\n }\n\n Status = FltGetDestinationFileNameInformation(\n FltObjects->Instance,\n Data->Iopb->TargetFileObject, \n pRenameInfo->RootDirectory, \n pRenameInfo->FileName, \n pRenameInfo->FileNameLength, \n FLT_FILE_NAME_NORMALIZED, \n &pLinkNameInfo\n );\n if (!NT_SUCCESS(Status))\n {\n goto END;\n }\n\n KdPrint((\"[HardLink] FilePath:%S, HardLink:%S\\n\", \n pSrcNameInfo->Name.Buffer, pLinkNameInfo->Name.Buffer));\n }\nEND:\n if (pSrcNameInfo != NULL)\n {\n FltReleaseFileNameInformation(pSrcNameInfo);\n }\n if (pLinkNameInfo != NULL)\n {\n FltReleaseFileNameInformation(pLinkNameInfo);\n }\n return FLT_POSTOP_FINISHED_PROCESSING;\n}\n\nFLT_POSTOP_CALLBACK_STATUS FsFilterPostFileSystemControl(\n __inout PFLT_CALLBACK_DATA Data,\n __in PCFLT_RELATED_OBJECTS FltObjects,\n __in_opt PVOID CompletionContext,\n __in FLT_POST_OPERATION_FLAGS Flags\n)\n{\n NTSTATUS Status = STATUS_UNSUCCESSFUL;\n PWCHAR pwzFilePath = NULL;\n PFLT_FILE_NAME_INFORMATION NameInfo = NULL;\n\n ULONG FsControlCode = Data->Iopb->Parameters.FileSystemControl.Common.FsControlCode;\n if (FsControlCode == FSCTL_SET_REPARSE_POINT)\n {\n ULONG InputBufferLength = Data->Iopb->Parameters.FileSystemControl.Neither.InputBufferLength;\n if (InputBufferLength == sizeof(REPARSE_GUID_DATA_BUFFER) ||\n InputBufferLength > MAXIMUM_REPARSE_DATA_BUFFER_SIZE)\n {\n goto END;\n }\n\n PREPARSE_DATA_BUFFER DataBuffer = Data->Iopb->Parameters.FileSystemControl.Neither.InputBuffer;\n if (DataBuffer == NULL)\n {\n goto END;\n }\n\n PUCHAR pPathBuffer = NULL;\n USHORT uNameOffset = 0;\n USHORT uNameLength = 0;\n if (DataBuffer->ReparseTag == IO_REPARSE_TAG_SYMLINK)\n {\n pPathBuffer = (PUCHAR)DataBuffer->SymbolicLinkReparseBuffer.PathBuffer;\n uNameOffset = DataBuffer->SymbolicLinkReparseBuffer.PrintNameOffset;\n uNameLength = DataBuffer->SymbolicLinkReparseBuffer.PrintNameLength;\n }\n else if (DataBuffer->ReparseTag == IO_REPARSE_TAG_MOUNT_POINT)\n {\n pPathBuffer = (PUCHAR)DataBuffer->MountPointReparseBuffer.PathBuffer;\n uNameOffset = 0;\n uNameLength = DataBuffer->MountPointReparseBuffer.SubstituteNameLength;\n }\n else\n {\n goto END;\n }\n\n pwzFilePath = ExAllocatePoolWithTag(NonPagedPool, uNameLength + sizeof(WCHAR), 'TAG_');\n if (pwzFilePath == NULL)\n {\n goto END;\n }\n RtlCopyMemory(pwzFilePath, pPathBuffer + uNameOffset, uNameLength);\n pwzFilePath[uNameLength \/ 2] = L'\\0';\n\n NTSTATUS Status = STATUS_UNSUCCESSFUL;\n Status = FltGetFileNameInformation(\n Data, \n FLT_FILE_NAME_NORMALIZED | FLT_FILE_NAME_QUERY_DEFAULT, \n &NameInfo\n );\n if (!NT_SUCCESS(Status))\n {\n goto END;\n }\n\n Status = FltParseFileNameInformation(NameInfo);\n if (!NT_SUCCESS(Status))\n {\n goto END;\n }\n\n KdPrint((\"[SymboLink] FilePath:%S, SymbolicPath:%S\\n\", pwzFilePath, NameInfo->Name.Buffer));\n }\n\nEND:\n if (pwzFilePath != NULL)\n {\n ExFreePool(pwzFilePath);\n }\n if (NameInfo != NULL)\n {\n FltReleaseFileNameInformation(NameInfo);\n }\n return FLT_POSTOP_FINISHED_PROCESSING;\n}\n\nCONST FLT_OPERATION_REGISTRATION Callbacks[] = \n{\n { \n IRP_MJ_SET_INFORMATION,\n 0,\n NULL,\n FsFilterPostSetInformation \n },\n { \n IRP_MJ_FILE_SYSTEM_CONTROL,\n 0,\n NULL,\n FsFilterPostFileSystemControl\n },\n { \n IRP_MJ_OPERATION_END \n }\n};\n\nNTSTATUS\nFsFilterUnload(\n _In_ FLT_FILTER_UNLOAD_FLAGS Flags\n)\n{\n FltUnregisterFilter(gFilterHandle);\n return STATUS_SUCCESS;\n}\n\nCONST FLT_REGISTRATION FilterRegistration = \n{\n sizeof(FLT_REGISTRATION),\n FLT_REGISTRATION_VERSION,\n 0, \n NULL, \n Callbacks,\n FsFilterUnload,\n NULL,\n NULL,\n NULL,\n NULL,\n NULL, \n NULL, \n NULL \n};\n\nNTSTATUS DriverEntry(PDRIVER_OBJECT DriverObject, PUNICODE_STRING RegistryPath)\n{\n KdPrint((\"DriverEntry\\n\"));\n\n NTSTATUS Status = STATUS_SUCCESS;\n\n Status = FltRegisterFilter(\n DriverObject,\n &FilterRegistration,\n &gFilterHandle);\n if (!NT_SUCCESS(Status))\n {\n return Status;\n }\n\n Status = FltStartFiltering(gFilterHandle);\n if (!NT_SUCCESS(Status))\n {\n FltUnregisterFilter(gFilterHandle);\n }\n return Status;\n}\n<\/code><\/pre>\n\u6d4b\u8bd5:<\/h4>\n\/\/ \u521b\u5efa\u786c\u94fe\u63a5\nmklink \/h xxHardLink xxx.txt\n\n\/\/ \u521b\u5efa\u8f6f\u94fe\u63a5\nmklink \/d xxSymbolLink xxx.txt\n<\/code><\/pre>\n","protected":false},"excerpt":{"rendered":"\u5bf9\u4e8eMiniFilter\u76d1\u63a7\u8f6f\u94fe\u63a5\u548c\u786c\u94fe\u63a5\u8fd9\u5757\u7684\u8d44\u6599\u8fd8\u662f\u633a\u5c11\u7684\u3002 \u8fd9\u91cc\u6574\u7406\u5e76\u5b9e\u73b0\u4e86\u4ee5\u4e0b\u529f\u80fd: #include […]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[4],"tags":[],"_links":{"self":[{"href":"http:\/\/www.sinkland.cn\/index.php?rest_route=\/wp\/v2\/posts\/204"}],"collection":[{"href":"http:\/\/www.sinkland.cn\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"http:\/\/www.sinkland.cn\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"http:\/\/www.sinkland.cn\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"http:\/\/www.sinkland.cn\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=204"}],"version-history":[{"count":1,"href":"http:\/\/www.sinkland.cn\/index.php?rest_route=\/wp\/v2\/posts\/204\/revisions"}],"predecessor-version":[{"id":205,"href":"http:\/\/www.sinkland.cn\/index.php?rest_route=\/wp\/v2\/posts\/204\/revisions\/205"}],"wp:attachment":[{"href":"http:\/\/www.sinkland.cn\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=204"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"http:\/\/www.sinkland.cn\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=204"},{"taxonomy":"post_tag","embeddable":true,"href":"http:\/\/www.sinkland.cn\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=204"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}