How to delete a file from kernel-mode?

天大地大妈咪最大 submitted on 2019-12-13 08:17:15

Question


I have a minifilter (kernel-mode). I want to delete a file with a specific path (\Device\HarddiskVolume1\file.txt or C:\file.txt) from kernel-mode.

Is there any way to do that?

UPDATE: 20150130

I tried to use the ZwDeleteFile routine, as Harry Johnston said. This is my code:

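// RtlInitUnicodeString takes a wide (UTF-16) string, so the literal needs the L prefix.
RtlInitUnicodeString(&gRedirectFullFilePath, L"\\Device\\HarddiskVolume1\\test.txt"); // This file existed
InitializeObjectAttributes(&ObjectAttribute, &gRedirectFullFilePath, OBJ_CASE_INSENSITIVE, NULL, NULL);
status = ZwDeleteFile(&ObjectAttribute); // ZwDeleteFile must be called at IRQL = PASSIVE_LEVEL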

But it crashes my system. Is there anything wrong with my code? => fixed (this is the answer)

Thanks!
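RtlInitUnicodeString, used in the snippet above, expects a NUL-terminated UTF-16 string and records byte counts while pointing at the caller's buffer. The following user-mode model of that behaviour is an added example, not code from this thread; `MODEL_USTR`, `model_init`, `init_from` and the padded sample buffers are constructed for illustration, and it shows how the same path is seen when supplied as wide versus 8-bit characters.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* User-mode model of UNICODE_STRING: a counted string, lengths in BYTES. */
typedef struct {
    uint16_t Length;        /* bytes in use, terminator excluded */
    uint16_t MaximumLength; /* bytes available behind Buffer */
    const uint16_t *Buffer; /* aliases the caller's storage; nothing is copied */
} MODEL_USTR;

/* Hypothetical model of RtlInitUnicodeString for short strings: scan 16-bit
   units up to a 16-bit zero, then store byte counts. */
static void model_init(MODEL_USTR *dst, const uint16_t *src)
{
    size_t units = 0;
    while (src != NULL && src[units] != 0) units++;
    dst->Buffer = src;
    dst->Length = (uint16_t)(units * sizeof(uint16_t));
    dst->MaximumLength = src ? (uint16_t)(dst->Length + sizeof(uint16_t)) : 0;
}

static const char PATH[] = "\\Device\\HarddiskVolume1\\test.txt"; /* 32 chars */
static uint16_t wide_path[40];  /* constructed: PATH as UTF-16 code units */
/* constructed: PATH as 8-bit chars, zero-padded so the scan stays in bounds;
   a bare "..." literal has one NUL byte, so the real scan would run past it */
static union { char bytes[40]; uint16_t units[20]; } narrow_path;

/* Build both samples and initialise a model string from one of them. */
static MODEL_USTR init_from(int wide)
{
    MODEL_USTR s;
    size_t i;
    memset(wide_path, 0, sizeof wide_path);
    memset(&narrow_path, 0, sizeof narrow_path);
    for (i = 0; PATH[i] != '\0'; i++)
        wide_path[i] = (uint16_t)(unsigned char)PATH[i];
    memcpy(narrow_path.bytes, PATH, sizeof PATH);
    model_init(&s, wide ? wide_path : narrow_path.units);
    return s;
}

int main(void)
{
    MODEL_USTR w = init_from(1), n = init_from(0);
    printf("wide:   Length=%u first=0x%04x\n", (unsigned)w.Length, (unsigned)w.Buffer[0]);
    printf("narrow: Length=%u first=0x%04x\n", (unsigned)n.Length, (unsigned)n.Buffer[0]);
    return 0;
}
```

With the 8-bit input, each pair of bytes is read as one character, so the resulting 16-character name no longer denotes the intended file.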


Answer 1:


The ZwDeleteFile routine:

The ZwDeleteFile routine deletes the specified file.




Answer 2:


By usual methods it's not possible to delete the file from kernel mode, i.e. from a device driver.

This kind of practice or idea is highly discouraged.




Answer 3:


Use the FltSetInformationFile() function with the FileDispositionInformation class.




Answer 4:


There are many ways in which you can do that as illustrated in the minifilter DeleteSample from Microsoft.

  1. FILE_DELETE_ON_CLOSE flag which you can use in your CreateFile routine of choice.
  2. By setting the FileDispositionInformation
  3. Also notice the newly introduced FILE_DISPOSITION_INFORMATION_EX

Everything should be more clear after you study the sample. Also notice that you could do transactioned deletes and also delete a file by its file ID.

Good luck.



Source: https://stackoverflow.com/questions/28212998/how-to-delete-a-file-from-kernel-mode
