摘要：

为能在操作系统的驱动级实现新的文件隐藏点，对传统的文件系统过滤驱动原理和驱动数据堆栈单元结构进行分析。通过修改驱动堆栈单元的结构和完成例程，配合修改I/O请求包的传递方法，实现2种驱动级文件隐藏的方法。使用该2种方法的文件可以在系统中实现深度隐藏，使得操作系统无法查询，也不能通过正常途径访问。

关键词: 文件系统过滤驱动程序, 驱动堆栈单元, I/O结构数组, I/O管理器, 完成例程

Abstract:

In order to get new file hidden points in drive-level of system, the principle of File System Filter Driver(FSFD) and the structure of driver stack location are analyzed. Through making some changes in driver stack location’s structure and CompletionRoutine, besides modifying the I/O Requst Packet(IRP) delivery method, two methods to hide files are implemented. Hidden files using these methods achieve depth hide. They can not be queried by system or be accessed through normal channels.

Key words: File System Filter Driver(FSFD), drive stack unit, IO_STACK_LOCATION, I/O Manager, CompletionRoutine

中图分类号: 

• TP316.7