当先锋百科网

首页 1 2 3 4 5 6 7
再仍一块砖头,sfilter 中如何判断当前的IRP是否来自网络?:
如何从IrpStackLocation中判断来自网络的文件访问?

//---------------------------------------------------
NTSTATUS status;

PACCESS_TOKEN pToken = NULL;
PTOKEN_SOURCE pTokenSrc = NULL ;
PSECURITY_SUBJECT_CONTEXT secSubCtx;


secSubCtx = &(IrpSp->Parameters.Create.SecurityContext->AccessState->SubjectSecurityContext);

if (secSubCtx->ClientToken != NULL || secSubCtx->PrimaryToken != NULL)
{
pToken = SeQuerySubjectContextToken(secSubCtx);
}

if (pToken == NULL)
{
//KdPrint(("SeQuerySubjectContextToken Errorn"));
return 0
}

//
// Get TokenSource Name If SourceName is "NtLmSsp" it was logged-in via Lanmanager,
// "User32" represents localy logged-in users.
//
__try
{

status = SeQueryInformationToken(pToken,TokenSource,&pTokenSrc);

if (NT_SUCCESS(status))
{
pTokenSrc->SourceName[TOKEN_SOURCE_LENGTH-1] = 0x00;

KdPrint(("Token Name :%s Len:%dn",pTokenSrc->SourceName,strlen(pTokenSrc->SourceName)));

if (_stricmp(pTokenSrc->SourceName,"NtLmSsp") == 0 )
{
KdPrint(("NetWork Access Token Findn"));
return 123
}

}
else
{
KdPrint(("SeQueryInformationToken Error:0x%xn",status));
}
}
__finally
{
ExFreePool(pTokenSrc);
}


return 0