Windows内核文件管理技术：构建IRP<\/h1>

1. IRP基础概念<\/h2>

1.1 IRP简介<\/h3>

IRP(I\/O Request Packet)是Windows操作系统内核中用于I\/O操作的关键数据结构：<\/p>

用于驱动程序之间传递I\/O请求<\/li>
描述并跟踪I\/O操作的状态<\/li>

是驱动程序与操作系统处理I\/O请求的核心机制<\/li> <\/ul>

1.2 IRP结构<\/h3>

IRP总是伴随着一个或多个I\/O栈位置结构(IO_STACK_LOCATION)：<\/p>

分配IRP时必须指定I\/O栈位置数量<\/li>

栈位置数量等于设备栈中设备对象的数量<\/li> <\/ul>

重要成员变量：<\/p>

MdlAddress<\/code>：指向内存描述符列表(MDL)<\/li>
AssociatedIrp.SystemBuffer<\/code>：指向系统分配的缓冲区<\/li>
IoStatus<\/code>：包含操作状态和返回字节数<\/li>
UserEvent<\/code>：指向用户模式事件对象<\/li>
UserBuffer<\/code>：指向用户模式缓冲区<\/li>
UserIosb<\/code>：指向用户模式I\/O状态块<\/li>
RequestorMode<\/code>：表示I\/O请求模式(UserMode\/KernelMode)<\/li>

Flags<\/code>：存储IRP相关标志位<\/li>
<\/ul>
1.3 IO_STACK_LOCATION结构<\/h3>
关键成员：<\/p>

MajorFunction<\/code>：IRP主功能代码(如IRP_MJ_READ)<\/li>
MinorFunction<\/code>：次功能代码<\/li>
Parameters<\/code>：与I\/O请求类型相关的参数联合体<\/li>
FileObject<\/code>：指向相关文件对象<\/li>
DeviceObject<\/code>：指向当前处理IRP的设备对象<\/li>
<\/ul>
2. Windows I\/O请求处理机制<\/h2>
2.1 驱动程序栈层次结构<\/h3>


最顶层<\/strong>：文件系统驱动程序(FSD)<\/p>

处理文件系统相关请求(如NTFS、FAT)<\/li>
<\/ul>
<\/li>

中间层<\/strong>：文件系统过滤驱动程序<\/p>

修改或监控I\/O请求<\/li>
如杀毒软件的过滤驱动<\/li>
<\/ul>
<\/li>

底层<\/strong>：设备驱动程序<\/p>

直接与硬件设备交互(如disk.sys)<\/li>
<\/ul>
<\/li>

最底层<\/strong>：总线驱动程序<\/p>

管理硬件总线(PCI、USB等)<\/li>
<\/ul>
<\/li>
<\/ol>
2.2 I\/O请求处理流程<\/h3>

系统服务调度<\/strong>：用户模式调用(如CreateFile)转为内核调用(NtCreateFile)<\/li>
创建IRP<\/strong>：I\/O管理器创建并初始化IRP<\/li>
驱动程序接收IRP<\/strong>：FSD根据MajorFunction传递给相应分发例程<\/li>
分发例程处理<\/strong>：

执行相应操作(如权限检查)<\/li>
可传递给下层驱动程序<\/li>
<\/ul>
<\/li>
完成IRP<\/strong>：

填入IoStatus<\/li>
调用IoCompleteRequest<\/li>
I\/O管理器将结果返回用户模式<\/li>
<\/ul>
<\/li>
<\/ol>
3. 分发例程<\/h2>
3.1 基本概念<\/h3>

驱动程序处理IRP请求的核心回调函数<\/li>
函数原型：NTSTATUS MyDriverDispatchRoutine(PDEVICE_OBJECT, PIRP)<\/code><\/li>
必须调用IoCompleteRequest结束请求<\/li>
<\/ul>
3.2 主要分发例程类型<\/h3>



MajorFunction<\/th>
对应API<\/th>
功能<\/th>
<\/tr>
<\/thead>


IRP_MJ_CREATE<\/td>
CreateFile\/ZwCreateFile<\/td>
创建文件或设备<\/td>
<\/tr>

IRP_MJ_CLOSE<\/td>
CloseHandle\/ZwClose<\/td>
关闭文件或设备<\/td>
<\/tr>

IRP_MJ_READ<\/td>
ReadFile\/ZwReadFile<\/td>
读取操作<\/td>
<\/tr>

IRP_MJ_WRITE<\/td>
WriteFile\/ZwWriteFile<\/td>
写入操作<\/td>
<\/tr>

IRP_MJ_DEVICE_CONTROL<\/td>
DeviceIoControl\/ZwDeviceIoControl<\/td>
设备控制请求<\/td>
<\/tr>
<\/tbody>
<\/table>
3.3 示例代码<\/h3>
NTSTATUS MyDriverCreate<\/span>(PDEVICE_OBJECT DeviceObject, PIRP Irp) {
<\/span><\/span>    UNREFERENCED_PARAMETER(DeviceObject);
<\/span><\/span>    
<\/span><\/span>    \/\/ 设置IRP状态
<\/span><\/span><\/span><\/span>    Irp-><\/span>IoStatus.Status =<\/span> STATUS_SUCCESS;
<\/span><\/span>    Irp-><\/span>IoStatus.Information =<\/span> 0<\/span>;
<\/span><\/span>    
<\/span><\/span>    \/\/ 完成IRP
<\/span><\/span><\/span><\/span>    IoCompleteRequest(Irp, IO_NO_INCREMENT);
<\/span><\/span>    
<\/span><\/span>    return<\/span> STATUS_SUCCESS;
<\/span><\/span>}
<\/span><\/span><\/code><\/pre>4. 构建IRP的关键函数<\/h2>
4.1 常用构建函数<\/h3>


IoAllocateIrp<\/strong><\/p>

仅分配并初始化空IRP<\/li>
原型：PIRP IoAllocateIrp(CCHAR StackSize, BOOLEAN ChargeQuota)<\/code><\/li>
<\/ul>
<\/li>

IoBuildSynchronousFsdRequest<\/strong><\/p>

分配并初始化同步FSD请求IRP<\/li>
原型：
PIRP IoBuildSynchronousFsdRequest(
<\/span><\/span>    ULONG MajorFunction,
<\/span><\/span>    PDEVICE_OBJECT DeviceObject,
<\/span><\/span>    PVOID Buffer,
<\/span><\/span>    ULONG Length,
<\/span><\/span>    PLARGE_INTEGER StartingOffset,
<\/span><\/span>    PKEVENT Event,
<\/span><\/span>    PIO_STATUS_BLOCK IoStatusBlock)
<\/span><\/span><\/code><\/pre><\/li>
<\/ul>
<\/li>

IoBuildDeviceIoControlRequest<\/strong><\/p>

构建设备I\/O控制请求(IOCTL)<\/li>
<\/ul>
<\/li>

IoBuildAsynchronousFsdRequest<\/strong><\/p>

构建异步FSD请求<\/li>
<\/ul>
<\/li>
<\/ol>
4.2 其他关键函数<\/h3>


IoCallDriver<\/strong><\/p>

将IRP传递给下一个驱动程序<\/li>
原型：NTSTATUS IoCallDriver(PDEVICE_OBJECT, PIRP)<\/code><\/li>
<\/ul>
<\/li>

IoCreateFile<\/strong><\/p>

内核模式专用文件操作函数<\/li>
可创建\/打开文件、设备、目录或卷<\/li>
<\/ul>
<\/li>

ObReferenceObjectByHandle<\/strong><\/p>

通过句柄获取对象引用指针<\/li>
原型：
NTSTATUS ObReferenceObjectByHandle(
<\/span><\/span>    HANDLE Handle,
<\/span><\/span>    ACCESS_MASK DesiredAccess,
<\/span><\/span>    POBJECT_TYPE ObjectType,
<\/span><\/span>    KPROCESSOR_MODE AccessMode,
<\/span><\/span>    PVOID *<\/span>Object,
<\/span><\/span>    POBJECT_HANDLE_INFORMATION HandleInformation)
<\/span><\/span><\/code><\/pre><\/li>
<\/ul>
<\/li>
<\/ol>
5. 构建IRP创建文件实现<\/h2>
5.1 实现步骤<\/h3>

初始化内核事件用于同步<\/li>
设置对象属性(文件名、句柄属性等)<\/li>
使用IoCreateFile创建文件获取句柄<\/li>
引用文件对象句柄获取文件对象指针<\/li>
获取关联的设备对象<\/li>
构建IRP(IoBuildSynchronousFsdRequest)<\/li>
获取IRP堆栈位置并设置文件对象<\/li>
发送IRP(IoCallDriver)并等待完成<\/li>
释放资源(文件对象、关闭句柄)<\/li>
<\/ol>
5.2 完整代码示例<\/h3>
#include<\/span> <ntddk.h><\/span>
<\/span><\/span><\/span><\/span>
<\/span><\/span>NTSTATUS MyCreateFile<\/span>(PUNICODE_STRING FileName) {
<\/span><\/span>    NTSTATUS status;
<\/span><\/span>    OBJECT_ATTRIBUTES objectAttributes;
<\/span><\/span>    HANDLE fileHandle =<\/span> NULL;
<\/span><\/span>    PFILE_OBJECT fileObject =<\/span> NULL;
<\/span><\/span>    PDEVICE_OBJECT deviceObject =<\/span> NULL;
<\/span><\/span>    IO_STATUS_BLOCK ioStatusBlock;
<\/span><\/span>    PIRP irp =<\/span> NULL;
<\/span><\/span>    KEVENT event;
<\/span><\/span>
<\/span><\/span>    \/\/ 初始化事件
<\/span><\/span><\/span><\/span>    KeInitializeEvent(&<\/span>event, SynchronizationEvent, FALSE);
<\/span><\/span>
<\/span><\/span>    \/\/ 初始化对象属性
<\/span><\/span><\/span><\/span>    InitializeObjectAttributes(&<\/span>objectAttributes, FileName, 
<\/span><\/span>        OBJ_KERNEL_HANDLE |<\/span> OBJ_CASE_INSENSITIVE, NULL, NULL);
<\/span><\/span>
<\/span><\/span>    \/\/ 创建或打开文件
<\/span><\/span><\/span><\/span>    status =<\/span> IoCreateFile(
<\/span><\/span>        &<\/span>fileHandle, 
<\/span><\/span>        GENERIC_WRITE |<\/span> SYNCHRONIZE,
<\/span><\/span>        &<\/span>objectAttributes, 
<\/span><\/span>        &<\/span>ioStatusBlock,
<\/span><\/span>        NULL, 
<\/span><\/span>        FILE_ATTRIBUTE_NORMAL,
<\/span><\/span>        FILE_SHARE_READ |<\/span> FILE_SHARE_WRITE |<\/span> FILE_SHARE_DELETE,
<\/span><\/span>        FILE_OPEN_IF, 
<\/span><\/span>        FILE_SYNCHRONOUS_IO_NONALERT,
<\/span><\/span>        NULL, 0<\/span>, CreateFileTypeNone, NULL, 
<\/span><\/span>        IO_NO_PARAMETER_CHECKING);
<\/span><\/span>
<\/span><\/span>    if<\/span> (!<\/span>NT_SUCCESS(status)) {
<\/span><\/span>        DbgPrint("IoCreateFile failed: 0x%X<\/span>\n<\/span>"<\/span>, status);
<\/span><\/span>        return<\/span> status;
<\/span><\/span>    }
<\/span><\/span>
<\/span><\/span>    \/\/ 引用文件对象
<\/span><\/span><\/span><\/span>    status =<\/span> ObReferenceObjectByHandle(fileHandle, FILE_READ_ACCESS, 
<\/span><\/span>        *<\/span>IoFileObjectType, KernelMode, (PVOID*<\/span>)&<\/span>fileObject, NULL);
<\/span><\/span>    if<\/span> (!<\/span>NT_SUCCESS(status)) {
<\/span><\/span>        DbgPrint("ObReferenceObjectByHandle failed: 0x%X<\/span>\n<\/span>"<\/span>, status);
<\/span><\/span>        ZwClose(fileHandle);
<\/span><\/span>        return<\/span> status;
<\/span><\/span>    }
<\/span><\/span>
<\/span><\/span>    \/\/ 获取设备对象
<\/span><\/span><\/span><\/span>    deviceObject =<\/span> IoGetRelatedDeviceObject(fileObject);
<\/span><\/span>
<\/span><\/span>    \/\/ 构建IRP
<\/span><\/span><\/span><\/span>    irp =<\/span> IoBuildSynchronousFsdRequest(
<\/span><\/span>        IRP_MJ_WRITE, 
<\/span><\/span>        deviceObject,
<\/span><\/span>        NULL, 0<\/span>, NULL, &<\/span>event, &<\/span>ioStatusBlock);
<\/span><\/span>
<\/span><\/span>    if<\/span> (irp ==<\/span> NULL) {
<\/span><\/span>        DbgPrint("IoBuildSynchronousFsdRequest failed<\/span>\n<\/span>"<\/span>);
<\/span><\/span>        ObDereferenceObject(fileObject);
<\/span><\/span>        ZwClose(fileHandle);
<\/span><\/span>        return<\/span> STATUS_INSUFFICIENT_RESOURCES;
<\/span><\/span>    }
<\/span><\/span>
<\/span><\/span>    \/\/ 设置IRP堆栈位置
<\/span><\/span><\/span><\/span>    PIO_STACK_LOCATION irpStack =<\/span> IoGetNextIrpStackLocation(irp);
<\/span><\/span>    irpStack-><\/span>FileObject =<\/span> fileObject;
<\/span><\/span>
<\/span><\/span>    \/\/ 发送IRP
<\/span><\/span><\/span><\/span>    status =<\/span> IoCallDriver(deviceObject, irp);
<\/span><\/span>    if<\/span> (status ==<\/span> STATUS_PENDING) {
<\/span><\/span>        KeWaitForSingleObject(&<\/span>event, Executive, KernelMode, FALSE, NULL);
<\/span><\/span>        status =<\/span> ioStatusBlock.Status;
<\/span><\/span>    }
<\/span><\/span>
<\/span><\/span>    \/\/ 处理结果
<\/span><\/span><\/span><\/span>    if<\/span> (NT_SUCCESS(status)) {
<\/span><\/span>        DbgPrint("File created successfully"<\/span>);
<\/span><\/span>    } else<\/span> {
<\/span><\/span>        DbgPrint("Failed to create file. Status: 0x%X<\/span>\n<\/span>"<\/span>, status);
<\/span><\/span>    }
<\/span><\/span>
<\/span><\/span>    \/\/ 清理资源
<\/span><\/span><\/span><\/span>    ObDereferenceObject(fileObject);
<\/span><\/span>    ZwClose(fileHandle);
<\/span><\/span>    return<\/span> status;
<\/span><\/span>}
<\/span><\/span>
<\/span><\/span>VOID MyDriverUnload<\/span>(PDRIVER_OBJECT DriverObject) {
<\/span><\/span>    DbgPrint("Driver Unload Called<\/span>\n<\/span>"<\/span>);
<\/span><\/span>}
<\/span><\/span>
<\/span><\/span>NTSTATUS DriverEntry<\/span>(PDRIVER_OBJECT DriverObject, PUNICODE_STRING RegistryPath) {
<\/span><\/span>    UNICODE_STRING fileName;
<\/span><\/span>    RtlInitUnicodeString(&<\/span>fileName, L<\/span>"<\/span>\\<\/span>??<\/span>\\<\/span>C:<\/span>\\<\/span>work<\/span>\\<\/span>syswork10<\/span>\\<\/span>File.txt"<\/span>);
<\/span><\/span>    
<\/span><\/span>    DriverObject-><\/span>DriverUnload =<\/span> MyDriverUnload;
<\/span><\/span>    
<\/span><\/span>    NTSTATUS status =<\/span> MyCreateFile(&<\/span>fileName);
<\/span><\/span>    if<\/span> (!<\/span>NT_SUCCESS(status)) {
<\/span><\/span>        DbgPrint("Failed to create file. Status: 0x%X<\/span>\n<\/span>"<\/span>, status);
<\/span><\/span>    }
<\/span><\/span>    return<\/span> status;
<\/span><\/span>}
<\/span><\/span><\/code><\/pre>6. 注意事项<\/h2>


内存管理<\/strong>：<\/p>

自定义FILE_OBJECT时需要为FileName成员分配内存<\/li>
使用ExAllocatePool进行动态内存分配<\/li>
对象销毁时必须释放内存<\/li>
<\/ul>
<\/li>

IRP处理<\/strong>：<\/p>

确保正确处理IRP完成状态<\/li>
避免在持有自旋锁时调用IoCompleteRequest(可能导致死锁)<\/li>
<\/ul>
<\/li>

安全考虑<\/strong>：<\/p>

Rootkit可能拦截I\/O请求进行篡改<\/li>
驱动程序应验证所有输入参数<\/li>
<\/ul>
<\/li>

开发环境<\/strong>：<\/p>

在虚拟机中进行驱动开发<\/li>
使用快照功能防止系统崩溃<\/li>
<\/ul>
<\/li>
<\/ol>

MajorFunction<\/th>	对应API<\/th>	功能<\/th> <\/tr> <\/thead>
IRP_MJ_CREATE<\/td>	CreateFile\/ZwCreateFile<\/td>	创建文件或设备<\/td> <\/tr>
IRP_MJ_CLOSE<\/td>	CloseHandle\/ZwClose<\/td>	关闭文件或设备<\/td> <\/tr>
IRP_MJ_READ<\/td>	ReadFile\/ZwReadFile<\/td>	读取操作<\/td> <\/tr>
IRP_MJ_WRITE<\/td>	WriteFile\/ZwWriteFile<\/td>	写入操作<\/td> <\/tr>
IRP_MJ_DEVICE_CONTROL<\/td>	DeviceIoControl\/ZwDeviceIoControl<\/td>	设备控制请求<\/td> <\/tr> <\/tbody> <\/table> 3.3 示例代码<\/h3> NTSTATUS MyDriverCreate<\/span>(PDEVICE_OBJECT DeviceObject, PIRP Irp) { <\/span><\/span> UNREFERENCED_PARAMETER(DeviceObject); <\/span><\/span> <\/span><\/span> \/\/ 设置IRP状态 <\/span><\/span><\/span><\/span> Irp-><\/span>IoStatus.Status =<\/span> STATUS_SUCCESS; <\/span><\/span> Irp-><\/span>IoStatus.Information =<\/span> 0<\/span>; <\/span><\/span> <\/span><\/span> \/\/ 完成IRP <\/span><\/span><\/span><\/span> IoCompleteRequest(Irp, IO_NO_INCREMENT); <\/span><\/span> <\/span><\/span> return<\/span> STATUS_SUCCESS; <\/span><\/span>} <\/span><\/span><\/code><\/pre>4. 构建IRP的关键函数<\/h2> 4.1 常用构建函数<\/h3> IoAllocateIrp<\/strong><\/p> 仅分配并初始化空IRP<\/li> 原型：PIRP IoAllocateIrp(CCHAR StackSize, BOOLEAN ChargeQuota)<\/code><\/li> <\/ul> <\/li> IoBuildSynchronousFsdRequest<\/strong><\/p> 分配并初始化同步FSD请求IRP<\/li> 原型： PIRP IoBuildSynchronousFsdRequest( <\/span><\/span> ULONG MajorFunction, <\/span><\/span> PDEVICE_OBJECT DeviceObject, <\/span><\/span> PVOID Buffer, <\/span><\/span> ULONG Length, <\/span><\/span> PLARGE_INTEGER StartingOffset, <\/span><\/span> PKEVENT Event, <\/span><\/span> PIO_STATUS_BLOCK IoStatusBlock) <\/span><\/span><\/code><\/pre><\/li> <\/ul> <\/li> IoBuildDeviceIoControlRequest<\/strong><\/p> 构建设备I\/O控制请求(IOCTL)<\/li> <\/ul> <\/li> IoBuildAsynchronousFsdRequest<\/strong><\/p> 构建异步FSD请求<\/li> <\/ul> <\/li> <\/ol> 4.2 其他关键函数<\/h3> IoCallDriver<\/strong><\/p> 将IRP传递给下一个驱动程序<\/li> 原型：NTSTATUS IoCallDriver(PDEVICE_OBJECT, PIRP)<\/code><\/li> <\/ul> <\/li> IoCreateFile<\/strong><\/p> 内核模式专用文件操作函数<\/li> 可创建\/打开文件、设备、目录或卷<\/li> <\/ul> <\/li> ObReferenceObjectByHandle<\/strong><\/p> 通过句柄获取对象引用指针<\/li> 原型： NTSTATUS ObReferenceObjectByHandle( <\/span><\/span> HANDLE Handle, <\/span><\/span> ACCESS_MASK DesiredAccess, <\/span><\/span> POBJECT_TYPE ObjectType, <\/span><\/span> KPROCESSOR_MODE AccessMode, <\/span><\/span> PVOID <\/span>Object, <\/span><\/span> POBJECT_HANDLE_INFORMATION HandleInformation) <\/span><\/span><\/code><\/pre><\/li> <\/ul> <\/li> <\/ol> 5. 构建IRP创建文件实现<\/h2> 5.1 实现步骤<\/h3> 初始化内核事件用于同步<\/li> 设置对象属性(文件名、句柄属性等)<\/li> 使用IoCreateFile创建文件获取句柄<\/li> 引用文件对象句柄获取文件对象指针<\/li> 获取关联的设备对象<\/li> 构建IRP(IoBuildSynchronousFsdRequest)<\/li> 获取IRP堆栈位置并设置文件对象<\/li> 发送IRP(IoCallDriver)并等待完成<\/li> 释放资源(文件对象、关闭句柄)<\/li> <\/ol> 5.2 完整代码示例<\/h3> #include<\/span> <ntddk.h><\/span> <\/span><\/span><\/span><\/span> <\/span><\/span>NTSTATUS MyCreateFile<\/span>(PUNICODE_STRING FileName) { <\/span><\/span> NTSTATUS status; <\/span><\/span> OBJECT_ATTRIBUTES objectAttributes; <\/span><\/span> HANDLE fileHandle =<\/span> NULL; <\/span><\/span> PFILE_OBJECT fileObject =<\/span> NULL; <\/span><\/span> PDEVICE_OBJECT deviceObject =<\/span> NULL; <\/span><\/span> IO_STATUS_BLOCK ioStatusBlock; <\/span><\/span> PIRP irp =<\/span> NULL; <\/span><\/span> KEVENT event; <\/span><\/span> <\/span><\/span> \/\/ 初始化事件 <\/span><\/span><\/span><\/span> KeInitializeEvent(&<\/span>event, SynchronizationEvent, FALSE); <\/span><\/span> <\/span><\/span> \/\/ 初始化对象属性 <\/span><\/span><\/span><\/span> InitializeObjectAttributes(&<\/span>objectAttributes, FileName, <\/span><\/span> OBJ_KERNEL_HANDLE \|<\/span> OBJ_CASE_INSENSITIVE, NULL, NULL); <\/span><\/span> <\/span><\/span> \/\/ 创建或打开文件 <\/span><\/span><\/span><\/span> status =<\/span> IoCreateFile( <\/span><\/span> &<\/span>fileHandle, <\/span><\/span> GENERIC_WRITE \|<\/span> SYNCHRONIZE, <\/span><\/span> &<\/span>objectAttributes, <\/span><\/span> &<\/span>ioStatusBlock, <\/span><\/span> NULL, <\/span><\/span> FILE_ATTRIBUTE_NORMAL, <\/span><\/span> FILE_SHARE_READ \|<\/span> FILE_SHARE_WRITE \|<\/span> FILE_SHARE_DELETE, <\/span><\/span> FILE_OPEN_IF, <\/span><\/span> FILE_SYNCHRONOUS_IO_NONALERT, <\/span><\/span> NULL, 0<\/span>, CreateFileTypeNone, NULL, <\/span><\/span> IO_NO_PARAMETER_CHECKING); <\/span><\/span> <\/span><\/span> if<\/span> (!<\/span>NT_SUCCESS(status)) { <\/span><\/span> DbgPrint("IoCreateFile failed: 0x%X<\/span>\n<\/span>"<\/span>, status); <\/span><\/span> return<\/span> status; <\/span><\/span> } <\/span><\/span> <\/span><\/span> \/\/ 引用文件对象 <\/span><\/span><\/span><\/span> status =<\/span> ObReferenceObjectByHandle(fileHandle, FILE_READ_ACCESS, <\/span><\/span> <\/span>IoFileObjectType, KernelMode, (PVOID*<\/span>)&<\/span>fileObject, NULL); <\/span><\/span> if<\/span> (!<\/span>NT_SUCCESS(status)) { <\/span><\/span> DbgPrint("ObReferenceObjectByHandle failed: 0x%X<\/span>\n<\/span>"<\/span>, status); <\/span><\/span> ZwClose(fileHandle); <\/span><\/span> return<\/span> status; <\/span><\/span> } <\/span><\/span> <\/span><\/span> \/\/ 获取设备对象 <\/span><\/span><\/span><\/span> deviceObject =<\/span> IoGetRelatedDeviceObject(fileObject); <\/span><\/span> <\/span><\/span> \/\/ 构建IRP <\/span><\/span><\/span><\/span> irp =<\/span> IoBuildSynchronousFsdRequest( <\/span><\/span> IRP_MJ_WRITE, <\/span><\/span> deviceObject, <\/span><\/span> NULL, 0<\/span>, NULL, &<\/span>event, &<\/span>ioStatusBlock); <\/span><\/span> <\/span><\/span> if<\/span> (irp ==<\/span> NULL) { <\/span><\/span> DbgPrint("IoBuildSynchronousFsdRequest failed<\/span>\n<\/span>"<\/span>); <\/span><\/span> ObDereferenceObject(fileObject); <\/span><\/span> ZwClose(fileHandle); <\/span><\/span> return<\/span> STATUS_INSUFFICIENT_RESOURCES; <\/span><\/span> } <\/span><\/span> <\/span><\/span> \/\/ 设置IRP堆栈位置 <\/span><\/span><\/span><\/span> PIO_STACK_LOCATION irpStack =<\/span> IoGetNextIrpStackLocation(irp); <\/span><\/span> irpStack-><\/span>FileObject =<\/span> fileObject; <\/span><\/span> <\/span><\/span> \/\/ 发送IRP <\/span><\/span><\/span><\/span> status =<\/span> IoCallDriver(deviceObject, irp); <\/span><\/span> if<\/span> (status ==<\/span> STATUS_PENDING) { <\/span><\/span> KeWaitForSingleObject(&<\/span>event, Executive, KernelMode, FALSE, NULL); <\/span><\/span> status =<\/span> ioStatusBlock.Status; <\/span><\/span> } <\/span><\/span> <\/span><\/span> \/\/ 处理结果 <\/span><\/span><\/span><\/span> if<\/span> (NT_SUCCESS(status)) { <\/span><\/span> DbgPrint("File created successfully"<\/span>); <\/span><\/span> } else<\/span> { <\/span><\/span> DbgPrint("Failed to create file. Status: 0x%X<\/span>\n<\/span>"<\/span>, status); <\/span><\/span> } <\/span><\/span> <\/span><\/span> \/\/ 清理资源 <\/span><\/span><\/span><\/span> ObDereferenceObject(fileObject); <\/span><\/span> ZwClose(fileHandle); <\/span><\/span> return<\/span> status; <\/span><\/span>} <\/span><\/span> <\/span><\/span>VOID MyDriverUnload<\/span>(PDRIVER_OBJECT DriverObject) { <\/span><\/span> DbgPrint("Driver Unload Called<\/span>\n<\/span>"<\/span>); <\/span><\/span>} <\/span><\/span> <\/span><\/span>NTSTATUS DriverEntry<\/span>(PDRIVER_OBJECT DriverObject, PUNICODE_STRING RegistryPath) { <\/span><\/span> UNICODE_STRING fileName; <\/span><\/span> RtlInitUnicodeString(&<\/span>fileName, L<\/span>"<\/span>\\<\/span>??<\/span>\\<\/span>C:<\/span>\\<\/span>work<\/span>\\<\/span>syswork10<\/span>\\<\/span>File.txt"<\/span>); <\/span><\/span> <\/span><\/span> DriverObject-><\/span>DriverUnload =<\/span> MyDriverUnload; <\/span><\/span> <\/span><\/span> NTSTATUS status =<\/span> MyCreateFile(&<\/span>fileName); <\/span><\/span> if<\/span> (!<\/span>NT_SUCCESS(status)) { <\/span><\/span> DbgPrint("Failed to create file. Status: 0x%X<\/span>\n<\/span>"<\/span>, status); <\/span><\/span> } <\/span><\/span> return<\/span> status; <\/span><\/span>} <\/span><\/span><\/code><\/pre>6. 注意事项<\/h2> 内存管理<\/strong>：<\/p> 自定义FILE_OBJECT时需要为FileName成员分配内存<\/li> 使用ExAllocatePool进行动态内存分配<\/li> 对象销毁时必须释放内存<\/li> <\/ul> <\/li> IRP处理<\/strong>：<\/p> 确保正确处理IRP完成状态<\/li> 避免在持有自旋锁时调用IoCompleteRequest(可能导致死锁)<\/li> <\/ul> <\/li> 安全考虑<\/strong>：<\/p> Rootkit可能拦截I\/O请求进行篡改<\/li> 驱动程序应验证所有输入参数<\/li> <\/ul> <\/li> 开发环境<\/strong>：<\/p> 在虚拟机中进行驱动开发<\/li> 使用快照功能防止系统崩溃<\/li> <\/ul> <\/li> <\/ol>