我想通过 WDK 驱动程序发送 IRP 来删除文件。无论是 *.pdf 还是 *.pptx,它都能正常删除,但某些需要以管理员身份运行的 EXE(例如 EXE 安装程序、setup.exe 等)除外。我不知道为什么在尝试删除 EXE 安装程序时,它会挂在 IoCallDriver 上。我也尝试过为 KeWaitForSingleObject 设置超时,但没有效果,驱动程序仍然一直挂在 IoCallDriver 上。
Windows 是否限制驱动程序删除这些管理员权限 EXE?如何解决这个问题?非常感谢。
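/**
 * Requests deletion of the file behind file_object by hand-building an
 * IRP_MJ_SET_INFORMATION / FileDispositionInformation request and sending it
 * to the base file-system device.
 *
 * Review notes:
 *  - The IRP goes to the device returned by IoGetBaseFileSystemDeviceObject,
 *    so filter drivers attached above the file system (security, backup,
 *    audit filters) never observe this delete. ZwSetInformationFile or
 *    FltSetInformationFile are the supported paths when that visibility and
 *    the normal I/O manager checks are wanted.
 *  - The event, the disposition buffer and the IO_STATUS_BLOCK live on this
 *    function's stack and are referenced by the in-flight IRP, so the
 *    function must not return before the request has completed.
 *  - A file system can legitimately refuse the request; a file that is
 *    currently mapped as an executable image is typically rejected with
 *    STATUS_CANNOT_DELETE. That result is now reported to the caller rather
 *    than being replaced by STATUS_SUCCESS.
 *
 * @param file_object  Open file object of the file to mark for deletion.
 * @return STATUS_INVALID_PARAMETER if file_object is null,
 *         STATUS_INSUFFICIENT_RESOURCES if no IRP could be allocated,
 *         otherwise the status reported for the request.
 */
NTSTATUS send_delete_file_irp(PFILE_OBJECT file_object) {
    if (file_object == nullptr) {
        return STATUS_INVALID_PARAMETER;
    }

    PDEVICE_OBJECT device_object = IoGetBaseFileSystemDeviceObject(file_object);

    // IoAllocateIrp returns NULL under memory pressure; dereferencing it in
    // the calls below would bugcheck the machine.
    PIRP irp = IoAllocateIrp(device_object->StackSize, false);
    if (irp == nullptr) {
        return STATUS_INSUFFICIENT_RESOURCES;
    }

    KEVENT event;
    KeInitializeEvent(&event, SynchronizationEvent, false);

    FILE_DISPOSITION_INFORMATION file_disposition;
    file_disposition.DeleteFile = true;

    // Pre-set so that a completion routine which never fills the block does
    // not leave uninitialized stack data to be returned as a status.
    IO_STATUS_BLOCK io_status_block;
    io_status_block.Status = STATUS_PENDING;
    io_status_block.Information = 0;

    // io_complete is expected to free the IRP and signal the event on every
    // outcome (success, error and cancel are all requested here).
    IoSetCompletionRoutine(irp, io_complete, &event, true, true, true);

    irp->AssociatedIrp.SystemBuffer = &file_disposition;
    irp->UserEvent = &event;
    irp->UserIosb = &io_status_block;
    irp->Tail.Overlay.OriginalFileObject = file_object;
    irp->Tail.Overlay.Thread = reinterpret_cast<PETHREAD>(KeGetCurrentThread());
    irp->RequestorMode = KernelMode;

    IO_STACK_LOCATION* stack_location = IoGetNextIrpStackLocation(irp);
    stack_location->MajorFunction = IRP_MJ_SET_INFORMATION;
    stack_location->DeviceObject = device_object;
    stack_location->FileObject = file_object;
    stack_location->Parameters.SetFile.Length = sizeof(FILE_DISPOSITION_INFORMATION);
    stack_location->Parameters.SetFile.FileInformationClass = FileDispositionInformation;
    stack_location->Parameters.SetFile.FileObject = file_object;

    NTSTATUS status = IoCallDriver(device_object, irp);

    // Non-alertable wait: an alertable wait can return before the event is
    // signaled, and this function would then unwind while the IRP still
    // points at event, file_disposition and io_status_block on this stack.
    KeWaitForSingleObject(&event, Executive, KernelMode, false, nullptr);

    // The IRP is freed by the completion routine, so irp->IoStatus must not
    // be read here.
    // NOTE(review): assumes io_complete copies irp->IoStatus into
    // *irp->UserIosb before freeing the IRP - confirm; if it does not, the
    // pre-set STATUS_PENDING is what a pended request returns.
    if (status == STATUS_PENDING) {
        status = io_status_block.Status;
    }
    return status;
}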