File Operations
Protecting a file from deletion and overwriting with a hook. The hook is implemented as an IRP hook (not PatchGuard safe); the explanation below covers the logic of the hook itself.
```c
NTSTATUS HookedNtfsIrpCreate(PDEVICE_OBJECT DeviceObject, PIRP Irp)
```

- `DeviceObject` [PDEVICE_OBJECT] -- Unused.
- `Irp` [PIRP] -- Pointer to an IRP.
```
# Protecting a file
NidhoggClient.exe file add <PATH>

# Unprotecting a file
NidhoggClient.exe file remove <PATH>
```
The function checks whether the stack or the `FileObject` in the stack is `NULL`, or whether the `FileName` in the `FileObject` is empty. If any of these conditions is true, it breaks out of the loop and calls the original `NtfsIrpCreate` function.

The function then calculates the size of the full path of the file and allocates memory for it. If the memory allocation fails, it breaks out of the loop and calls the original `NtfsIrpCreate` function.

The function then copies the `FileName` from the `FileObject` to the allocated memory. If the copy operation fails, it breaks out of the loop and calls the original `NtfsIrpCreate` function.

The function then checks whether the file is in the list of files to which access should be denied. If it is, it sets the status of the IRP to `STATUS_ACCESS_DENIED` and returns `STATUS_SUCCESS`.

Finally, if none of the above conditions are met, the function calls the original `NtfsIrpCreate` function.
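As an added illustration (not Nidhogg's own code), the decision logic described above modelled in portable user-mode C so it can be run and tested without a kernel: the kernel structures, the saved original dispatch pointer, the protected-file list, the case-insensitive path comparison and the `SimulateCreate` driver are stand-ins constructed here, and the model deliberately leaves out the installation of the IRP hook itself.

```c
#include <stdbool.h>
#include <stdlib.h>
#include <wchar.h>
#include <wctype.h>
typedef long NTSTATUS; /* Stand-ins for the kernel types: a user-mode model, not the WDK definitions. */
#define STATUS_SUCCESS       ((NTSTATUS)0x00000000L)
#define STATUS_ACCESS_DENIED ((NTSTATUS)0xC0000022L)
typedef struct { unsigned short Length; const wchar_t *Buffer; } UNICODE_STRING; /* Length is in bytes */
typedef struct { UNICODE_STRING FileName; } FILE_OBJECT;
typedef struct { FILE_OBJECT *FileObject; } IO_STACK_LOCATION;
typedef struct { struct { NTSTATUS Status; } IoStatus; IO_STACK_LOCATION *Stack; } IRP;
static NTSTATUS OriginalStub(IRP *Irp) { Irp->IoStatus.Status = STATUS_SUCCESS; return STATUS_SUCCESS; }
static NTSTATUS (*OriginalNtfsIrpCreate)(IRP *) = OriginalStub; /* stand-in for the saved original dispatch */
static const wchar_t *g_protected[] = { L"\\Windows\\Temp\\secret.txt" }; /* constructed list ("file add <PATH>") */
/* Case-insensitive match against the list (NTFS paths are not case sensitive); path is not NUL-terminated. */
static bool is_protected(const wchar_t *path, size_t len) {
    for (size_t i = 0; i < sizeof g_protected / sizeof *g_protected; i++) {
        const wchar_t *p = g_protected[i]; size_t k = 0;
        while (k < len && p[k] != L'\0' && towlower(p[k]) == towlower(path[k])) k++;
        if (k == len && p[k] == L'\0') return true; /* same length and every character matched */
    }
    return false;
}
/* Models HookedNtfsIrpCreate: deny IRP_MJ_CREATE on protected paths, otherwise pass through. */
NTSTATUS HookedNtfsIrpCreateModel(IRP *Irp) {
    wchar_t *fullPath = NULL; bool deny = false;
    do { /* single-pass loop: every early failure breaks out and falls through to the original */
        if (Irp->Stack == NULL || Irp->Stack->FileObject == NULL) break;
        UNICODE_STRING *name = &Irp->Stack->FileObject->FileName;
        if (name->Length == 0 || name->Buffer == NULL) break;
        size_t chars = name->Length / sizeof(wchar_t);
        fullPath = malloc(chars * sizeof(wchar_t)); /* allocation failure means fall through */
        if (fullPath == NULL) break;
        wmemcpy(fullPath, name->Buffer, chars);   /* the copy step (RtlCopyMemory in kernel mode) */
        deny = is_protected(fullPath, chars);
    } while (false);
    free(fullPath);
    if (deny) { /* as described: IRP status set to ACCESS_DENIED, the function returns SUCCESS */
        Irp->IoStatus.Status = STATUS_ACCESS_DENIED;
        return STATUS_SUCCESS;
    }
    return OriginalNtfsIrpCreate(Irp);
}
NTSTATUS SimulateCreate(const wchar_t *path) { /* drives one create request through the hook */
    FILE_OBJECT fo = { { (unsigned short)(path ? wcslen(path) * sizeof(wchar_t) : 0), path } };
    IO_STACK_LOCATION st = { &fo }; IRP irp = { { STATUS_SUCCESS }, &st };
    HookedNtfsIrpCreateModel(&irp);
    return irp.IoStatus.Status; /* STATUS_ACCESS_DENIED for a protected file, STATUS_SUCCESS otherwise */
}
```

A NULL or empty path exercises the early-exit branches, and a path that only shares a prefix with a protected entry still passes through.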