微过滤驱动实现保护特定程序

使用方式

1.首先链接器的附加依赖项中导入fltMgr.lib
2.调用FltRegisterFilter进行注册
3.调用FltStartFiltering开启过滤
4.最后调用FltUnregisterFilter取消注册

FltRegisterFilter原型如下，其中第二参数是最重要的

NTSTATUS FLTAPI FltRegisterFilter(
  [in]  PDRIVER_OBJECT         Driver, 
  [in]  const FLT_REGISTRATION *Registration,
  [out] PFLT_FILTER            *RetFilter
);

FLT_REGISTRATION如下

typedef struct _FLT_REGISTRATION {
  USHORT                                      Size;
  USHORT                                      Version;
  FLT_REGISTRATION_FLAGS                      Flags;
  const FLT_CONTEXT_REGISTRATION              *ContextRegistration;
  const FLT_OPERATION_REGISTRATION            *OperationRegistration; //存放着各种回调例程
  PFLT_FILTER_UNLOAD_CALLBACK                 FilterUnloadCallback; //卸载过滤驱动的回调函数
  PFLT_INSTANCE_SETUP_CALLBACK                InstanceSetupCallback; //安装过滤驱动的回调函数
  PFLT_INSTANCE_QUERY_TEARDOWN_CALLBACK       InstanceQueryTeardownCallback;
  PFLT_INSTANCE_TEARDOWN_CALLBACK             InstanceTeardownStartCallback; //解除绑定时的回调函数
  PFLT_INSTANCE_TEARDOWN_CALLBACK             InstanceTeardownCompleteCallback;
  PFLT_GENERATE_FILE_NAME                     GenerateFileNameCallback;
  PFLT_NORMALIZE_NAME_COMPONENT               NormalizeNameComponentCallback;
  PFLT_NORMALIZE_CONTEXT_CLEANUP              NormalizeContextCleanupCallback;
  PFLT_TRANSACTION_NOTIFICATION_CALLBACK      TransactionNotificationCallback;
  PFLT_NORMALIZE_NAME_COMPONENT_EX            NormalizeNameComponentExCallback;
  PFLT_SECTION_CONFLICT_NOTIFICATION_CALLBACK SectionNotificationCallback;
} FLT_REGISTRATION, *PFLT_REGISTRATION;

操作前回调结构原型如下：

FLT_PREOP_CALLBACK_STATUS PfltPreOperationCallback(
  [in, out] PFLT_CALLBACK_DATA Data,
  [in]      PCFLT_RELATED_OBJECTS FltObjects,
  [out]     PVOID *CompletionContext
)

IRP请求的类型通过Data->Iopb->MajorFunction获取
操作的目标文件名通过FltGetFileNameInformation获取

代码实现

minifiter驱动，实现对特定的文件进行保护，防止打开、删除、修改属性等

#include 
#include 
#include 

PFLT_FILTER gFilterHandle;

DRIVER_INITIALIZE DriverEntry;
NTSTATUS DriverEntry(
	_In_ PDRIVER_OBJECT DriverObject,
	_In_ PUNICODE_STRING RegistryPath
);

NTSTATUS
InstanceSetup(
	_In_ PCFLT_RELATED_OBJECTS FltObjects,
	_In_ FLT_INSTANCE_SETUP_FLAGS Flags,
	_In_ DEVICE_TYPE VolumeDeviceType,
	_In_ FLT_FILESYSTEM_TYPE VolumeFilesystemType
);

VOID
InstanceTeardownStart(
	_In_ PCFLT_RELATED_OBJECTS FltObjects,
	_In_ FLT_INSTANCE_TEARDOWN_FLAGS Flags
);

VOID
InstanceTeardownComplete(
	_In_ PCFLT_RELATED_OBJECTS FltObjects,
	_In_ FLT_INSTANCE_TEARDOWN_FLAGS Flags
);

NTSTATUS
Unload(
	_In_ FLT_FILTER_UNLOAD_FLAGS Flags
);

NTSTATUS
InstanceQueryTeardown(
	_In_ PCFLT_RELATED_OBJECTS FltObjects,
	_In_ FLT_INSTANCE_QUERY_TEARDOWN_FLAGS Flags
);

FLT_PREOP_CALLBACK_STATUS
Minifilter_FileMonitor_TestPreOperation(
	_Inout_ PFLT_CALLBACK_DATA Data,
	_In_ PCFLT_RELATED_OBJECTS FltObjects,
	_Flt_CompletionContext_Outptr_ PVOID* CompletionContext
);
FLT_POSTOP_CALLBACK_STATUS
Minifilter_FileMonitor_TestPostOperation(
	_Inout_ PFLT_CALLBACK_DATA Data,
	_In_ PCFLT_RELATED_OBJECTS FltObjects,
	_In_opt_ PVOID CompletionContext,
	_In_ FLT_POST_OPERATION_FLAGS Flags
);

// 当实例被安装时触发
NTSTATUS InstanceSetup(_In_ PCFLT_RELATED_OBJECTS FltObjects, _In_ FLT_INSTANCE_SETUP_FLAGS Flags, _In_ DEVICE_TYPE VolumeDeviceType, _In_ FLT_FILESYSTEM_TYPE VolumeFilesystemType)
{
	DbgPrint("安装 MiniFilter \n");
	return STATUS_SUCCESS;
}

// 当实例被销毁时触发
NTSTATUS InstanceQueryTeardown(_In_ PCFLT_RELATED_OBJECTS FltObjects, _In_ FLT_INSTANCE_QUERY_TEARDOWN_FLAGS Flags)
{
	DbgPrint("销毁 MiniFilter \n");
	return STATUS_SUCCESS;
}

// 实例解除绑定时触发
VOID InstanceTeardownStart(_In_ PCFLT_RELATED_OBJECTS FltObjects, _In_ FLT_INSTANCE_TEARDOWN_FLAGS Flags)
{
	DbgPrint("解绑 MiniFilter \n");
	return STATUS_SUCCESS;
}

// 实例解绑完成时触发
VOID InstanceTeardownComplete(_In_ PCFLT_RELATED_OBJECTS FltObjects, _In_ FLT_INSTANCE_TEARDOWN_FLAGS Flags)
{
	DbgPrint("解绑完成 MiniFilter \n");
	return STATUS_SUCCESS;
}

// 驱动关闭时卸载监控
NTSTATUS Unload(_In_ FLT_FILTER_UNLOAD_FLAGS Flags)
{
	DbgPrint("卸载 MiniFilter \n");
	FltUnregisterFilter(gFilterHandle);
	return STATUS_SUCCESS;
}

// 回调函数集
CONST FLT_OPERATION_REGISTRATION Callbacks[] = {

    { IRP_MJ_CREATE,
      0,
      Minifilter_FileMonitor_TestPreOperation,
      Minifilter_FileMonitor_TestPostOperation },

    { IRP_MJ_READ,
      0,
      Minifilter_FileMonitor_TestPreOperation,
      Minifilter_FileMonitor_TestPostOperation },

    { IRP_MJ_WRITE,
      0,
      Minifilter_FileMonitor_TestPreOperation,
      Minifilter_FileMonitor_TestPostOperation },

    { IRP_MJ_SET_INFORMATION,
      0,
      Minifilter_FileMonitor_TestPreOperation,
      Minifilter_FileMonitor_TestPostOperation },

#if 0 // TODO - List all of the requests to filter.
    { IRP_MJ_CREATE_NAMED_PIPE,
      0,
      Minifilter_FileMonitor_TestPreOperation,
      Minifilter_FileMonitor_TestPostOperation },

    { IRP_MJ_CLOSE,
      0,
      Minifilter_FileMonitor_TestPreOperation,
      Minifilter_FileMonitor_TestPostOperation },

    { IRP_MJ_QUERY_INFORMATION,
      0,
      Minifilter_FileMonitor_TestPreOperation,
      Minifilter_FileMonitor_TestPostOperation },

    { IRP_MJ_QUERY_EA,
      0,
      Minifilter_FileMonitor_TestPreOperation,
      Minifilter_FileMonitor_TestPostOperation },

    { IRP_MJ_SET_EA,
      0,
      Minifilter_FileMonitor_TestPreOperation,
      Minifilter_FileMonitor_TestPostOperation },

    { IRP_MJ_FLUSH_BUFFERS,
      0,
      Minifilter_FileMonitor_TestPreOperation,
      Minifilter_FileMonitor_TestPostOperation },

    { IRP_MJ_QUERY_VOLUME_INFORMATION,
      0,
      Minifilter_FileMonitor_TestPreOperation,
      Minifilter_FileMonitor_TestPostOperation },

    { IRP_MJ_SET_VOLUME_INFORMATION,
      0,
      Minifilter_FileMonitor_TestPreOperation,
      Minifilter_FileMonitor_TestPostOperation },

    { IRP_MJ_DIRECTORY_CONTROL,
      0,
      Minifilter_FileMonitor_TestPreOperation,
      Minifilter_FileMonitor_TestPostOperation },

    { IRP_MJ_FILE_SYSTEM_CONTROL,
      0,
      Minifilter_FileMonitor_TestPreOperation,
      Minifilter_FileMonitor_TestPostOperation },

    { IRP_MJ_DEVICE_CONTROL,
      0,
      Minifilter_FileMonitor_TestPreOperation,
      Minifilter_FileMonitor_TestPostOperation },

    { IRP_MJ_INTERNAL_DEVICE_CONTROL,
      0,
      Minifilter_FileMonitor_TestPreOperation,
      Minifilter_FileMonitor_TestPostOperation },

    { IRP_MJ_SHUTDOWN,
      0,
      Minifilter_FileMonitor_TestPreOperationNoPostOperation,
      NULL },                               //post operations not supported

    { IRP_MJ_LOCK_CONTROL,
      0,
      Minifilter_FileMonitor_TestPreOperation,
      Minifilter_FileMonitor_TestPostOperation },

    { IRP_MJ_CLEANUP,
      0,
      Minifilter_FileMonitor_TestPreOperation,
      Minifilter_FileMonitor_TestPostOperation },

    { IRP_MJ_CREATE_MAILSLOT,
      0,
      Minifilter_FileMonitor_TestPreOperation,
      Minifilter_FileMonitor_TestPostOperation },

    { IRP_MJ_QUERY_SECURITY,
      0,
      Minifilter_FileMonitor_TestPreOperation,
      Minifilter_FileMonitor_TestPostOperation },

    { IRP_MJ_SET_SECURITY,
      0,
      Minifilter_FileMonitor_TestPreOperation,
      Minifilter_FileMonitor_TestPostOperation },

    { IRP_MJ_QUERY_QUOTA,
      0,
      Minifilter_FileMonitor_TestPreOperation,
      Minifilter_FileMonitor_TestPostOperation },

    { IRP_MJ_SET_QUOTA,
      0,
      Minifilter_FileMonitor_TestPreOperation,
      Minifilter_FileMonitor_TestPostOperation },

    { IRP_MJ_PNP,
      0,
      Minifilter_FileMonitor_TestPreOperation,
      Minifilter_FileMonitor_TestPostOperation },

    { IRP_MJ_ACQUIRE_FOR_SECTION_SYNCHRONIZATION,
      0,
      Minifilter_FileMonitor_TestPreOperation,
      Minifilter_FileMonitor_TestPostOperation },

    { IRP_MJ_RELEASE_FOR_SECTION_SYNCHRONIZATION,
      0,
      Minifilter_FileMonitor_TestPreOperation,
      Minifilter_FileMonitor_TestPostOperation },

    { IRP_MJ_ACQUIRE_FOR_MOD_WRITE,
      0,
      Minifilter_FileMonitor_TestPreOperation,
      Minifilter_FileMonitor_TestPostOperation },

    { IRP_MJ_RELEASE_FOR_MOD_WRITE,
      0,
      Minifilter_FileMonitor_TestPreOperation,
      Minifilter_FileMonitor_TestPostOperation },

    { IRP_MJ_ACQUIRE_FOR_CC_FLUSH,
      0,
      Minifilter_FileMonitor_TestPreOperation,
      Minifilter_FileMonitor_TestPostOperation },

    { IRP_MJ_RELEASE_FOR_CC_FLUSH,
      0,
      Minifilter_FileMonitor_TestPreOperation,
      Minifilter_FileMonitor_TestPostOperation },

    { IRP_MJ_FAST_IO_CHECK_IF_POSSIBLE,
      0,
      Minifilter_FileMonitor_TestPreOperation,
      Minifilter_FileMonitor_TestPostOperation },

    { IRP_MJ_NETWORK_QUERY_OPEN,
      0,
      Minifilter_FileMonitor_TestPreOperation,
      Minifilter_FileMonitor_TestPostOperation },

    { IRP_MJ_MDL_READ,
      0,
      Minifilter_FileMonitor_TestPreOperation,
      Minifilter_FileMonitor_TestPostOperation },

    { IRP_MJ_MDL_READ_COMPLETE,
      0,
      Minifilter_FileMonitor_TestPreOperation,
      Minifilter_FileMonitor_TestPostOperation },

    { IRP_MJ_PREPARE_MDL_WRITE,
      0,
      Minifilter_FileMonitor_TestPreOperation,
      Minifilter_FileMonitor_TestPostOperation },

    { IRP_MJ_MDL_WRITE_COMPLETE,
      0,
      Minifilter_FileMonitor_TestPreOperation,
      Minifilter_FileMonitor_TestPostOperation },

    { IRP_MJ_VOLUME_MOUNT,
      0,
      Minifilter_FileMonitor_TestPreOperation,
      Minifilter_FileMonitor_TestPostOperation },

    { IRP_MJ_VOLUME_DISMOUNT,
      0,
      Minifilter_FileMonitor_TestPreOperation,
      Minifilter_FileMonitor_TestPostOperation },

#endif // TODO

    { IRP_MJ_OPERATION_END }
};

// 过滤驱动数据结构
CONST FLT_REGISTRATION FilterRegistration =
{
	sizeof(FLT_REGISTRATION),           //  结构大小(默认)
	FLT_REGISTRATION_VERSION,           //  结构版本(默认)
	0,                                  //  过滤器标志
	NULL,                               //  上下文
	Callbacks,                          //  注册回调函数集
	Unload,                             //  驱动卸载函数
	InstanceSetup,                      //  实例安装回调函数
	InstanceQueryTeardown,              //  实例销毁回调函数
	InstanceTeardownStart,              //  实例解除绑定时触发
	InstanceTeardownComplete,           //  实例解绑完成时触发
	NULL,                               //  GenerateFileName
	NULL,                               //  GenerateDestinationFileName
	NULL                                //  NormalizeNameComponent
};

BOOLEAN IsProtectionFile(PFLT_FILE_NAME_INFORMATION lpNameInfo)
{
    BOOLEAN bProtect = FALSE;
    PWCHAR lpszProtectionFileName, lpszFileName;
    // 申请内存
    lpszProtectionFileName = (PWCHAR)ExAllocatePool(NonPagedPool, 256);
    lpszFileName = (PWCHAR)ExAllocatePool(NonPagedPool, 512);
    // 初始化内存
    RtlZeroMemory(lpszProtectionFileName, 256);
    RtlZeroMemory(lpszFileName, 512);
    // 复制数据
    RtlCopyMemory(lpszFileName, lpNameInfo->Name.Buffer, (sizeof(WCHAR) + lpNameInfo->Name.Length));
    RtlCopyMemory(lpszProtectionFileName, L"notepad.exe", (sizeof(WCHAR) + wcslen(L"notepad.exe")));
    // 判断
    if (NULL != wcsstr(lpszFileName, lpszProtectionFileName))
    {
        bProtect = TRUE;
    }
    // 释放内存
    ExFreePool(lpszProtectionFileName);
    ExFreePool(lpszFileName);

    return bProtect;
}
// 预操作回调函数(在执行过滤操作之前先执行此处)
FLT_PREOP_CALLBACK_STATUS Minifilter_FileMonitor_TestPreOperation(_Inout_ PFLT_CALLBACK_DATA Data, _In_ PCFLT_RELATED_OBJECTS FltObjects, _Flt_CompletionContext_Outptr_ PVOID* CompletionContext)
{
	NTSTATUS status;

	// 获取文件路径
	UCHAR MajorFunction = Data->Iopb->MajorFunction;
	PFLT_FILE_NAME_INFORMATION lpNameInfo = NULL;

	// 得到文件名相关信息
	status = FltGetFileNameInformation(Data, FLT_FILE_NAME_NORMALIZED | FLT_FILE_NAME_QUERY_DEFAULT, &lpNameInfo);
	if (NT_SUCCESS(status))
	{
		status = FltParseFileNameInformation(lpNameInfo);
        if (NT_SUCCESS(status))
        {
            // CREATE
            if (IRP_MJ_CREATE == MajorFunction)
            {
                if (IsProtectionFile(lpNameInfo))
                {
                    KdPrint(("[IRP_MJ_CREATE]%wZ", &lpNameInfo->Name));
                    return FLT_PREOP_COMPLETE;
                    //					return FLT_PREOP_DISALLOW_FASTIO;
                }
            }
            // 读取
            else if (IRP_MJ_READ == MajorFunction)
            {
                if (IsProtectionFile(lpNameInfo))
                {
                    KdPrint(("[IRP_MJ_READ]%wZ", &lpNameInfo->Name));
                    return FLT_PREOP_COMPLETE;
                    //					return FLT_PREOP_DISALLOW_FASTIO;
                }
            }
            // 文件写入
            else if (IRP_MJ_WRITE == MajorFunction)
            {
                if (IsProtectionFile(lpNameInfo))
                {
                    KdPrint(("[IRP_MJ_WRITE]%wZ", &lpNameInfo->Name));
                    return FLT_PREOP_COMPLETE;
                    //					return FLT_PREOP_DISALLOW_FASTIO;
                }
            }
            // 修改文件信息
            else if (IRP_MJ_SET_INFORMATION == MajorFunction)
            {
                if (IsProtectionFile(lpNameInfo))
                {
                    KdPrint(("[IRP_MJ_SET_INFORMATION]%wZ", &lpNameInfo->Name));
                    return FLT_PREOP_COMPLETE;
                    //					return FLT_PREOP_DISALLOW_FASTIO;
                }
            }
        }
	}
	return FLT_PREOP_SUCCESS_WITH_CALLBACK;
}

// 后操作回调函数 (在执行过滤之后运行此处)
FLT_POSTOP_CALLBACK_STATUS Minifilter_FileMonitor_TestPostOperation(_Inout_ PFLT_CALLBACK_DATA Data, _In_ PCFLT_RELATED_OBJECTS FltObjects, _In_opt_ PVOID CompletionContext, _In_ FLT_POST_OPERATION_FLAGS Flags)
{
	return FLT_POSTOP_FINISHED_PROCESSING;
}

// ----------------------------------------------------------------------------------------
// 入口函数
// ----------------------------------------------------------------------------------------
NTSTATUS DriverEntry(_In_ PDRIVER_OBJECT DriverObject, _In_ PUNICODE_STRING RegistryPath)
{
	NTSTATUS status;

	// FltRegisterFilter 向过滤管理器注册过滤器
	// 参数1：本驱动驱动对象
	// 参数2：微过滤驱动描述结构
	// 参数3：返回注册成功的微过滤驱动句柄
	status = FltRegisterFilter(DriverObject, &FilterRegistration, &gFilterHandle);
	if (NT_SUCCESS(status))
	{
		// 开启过滤
		status = FltStartFiltering(gFilterHandle);
		DbgPrint("[过滤器] 开启监控.. \n");

		if (!NT_SUCCESS(status))
		{
			// 如果启动失败,则取消注册并退出
			FltUnregisterFilter(gFilterHandle);
			DbgPrint("[过滤器] 取消注册.. \n");
		}
	}
	return status;
}

三环程序C语言实现Minifilter动态安装与卸载

#include 
#include 
#include 
#include 

// 安装MiniFinter
BOOL InstallDriver(const char* lpszDriverName, const char* lpszDriverPath, const char* lpszAltitude)
{
	char szTempStr[MAX_PATH];
	HKEY hKey;
	DWORD dwData;
	char szDriverImagePath[MAX_PATH];

	if (NULL == lpszDriverName || NULL == lpszDriverPath)
	{
		return FALSE;
	}

	// 得到完整的驱动路径
	GetFullPathName(lpszDriverPath, MAX_PATH, szDriverImagePath, NULL);

	SC_HANDLE hServiceMgr = NULL; // SCM管理器的句柄
	SC_HANDLE hService = NULL;    // NT驱动程序的服务句柄

	// 打开服务控制管理器
	hServiceMgr = OpenSCManager(NULL, NULL, SC_MANAGER_ALL_ACCESS);
	if (hServiceMgr == NULL)
	{
		// OpenSCManager失败
		CloseServiceHandle(hServiceMgr);
		return FALSE;
	}

	// OpenSCManager成功  

	// 创建驱动所对应的服务
	hService = CreateService(hServiceMgr,
		lpszDriverName,             // 驱动程序的在注册表中的名字
		lpszDriverName,             // 注册表驱动程序的DisplayName 值
		SERVICE_ALL_ACCESS,         // 加载驱动程序的访问权限
		SERVICE_FILE_SYSTEM_DRIVER, // 表示加载的服务是文件系统驱动程序
		SERVICE_DEMAND_START,       // 注册表驱动程序的Start 值
		SERVICE_ERROR_IGNORE,       // 注册表驱动程序的ErrorControl 值
		szDriverImagePath,          // 注册表驱动程序的ImagePath 值
		"FSFilter Activity Monitor",// 注册表驱动程序的Group 值
		NULL,
		"FltMgr",                   // 注册表驱动程序的DependOnService 值
		NULL,
		NULL);

	if (hService == NULL)
	{
		if (GetLastError() == ERROR_SERVICE_EXISTS)
		{
			// 服务创建失败，是由于服务已经创立过
			CloseServiceHandle(hService);       // 服务句柄
			CloseServiceHandle(hServiceMgr);    // SCM句柄
			return TRUE;
		}
		else
		{
			CloseServiceHandle(hService);       // 服务句柄
			CloseServiceHandle(hServiceMgr);    // SCM句柄
			return FALSE;
		}
	}
	CloseServiceHandle(hService);       // 服务句柄
	CloseServiceHandle(hServiceMgr);    // SCM句柄

	//-------------------------------------------------------------------------------------------------------
	// SYSTEM\\CurrentControlSet\\Services\\DriverName\\Instances 子键下的键值项 
	//-------------------------------------------------------------------------------------------------------
	strcpy(szTempStr, "SYSTEM\\CurrentControlSet\\Services\\");
	strcat(szTempStr, lpszDriverName);
	strcat(szTempStr, "\\Instances");
	if (RegCreateKeyEx(HKEY_LOCAL_MACHINE, szTempStr, 0, "", TRUE, KEY_ALL_ACCESS, NULL, &hKey, (LPDWORD)&dwData) != ERROR_SUCCESS)
	{
		return FALSE;
	}
	// 注册表驱动程序的DefaultInstance 值 
	strcpy(szTempStr, lpszDriverName);
	strcat(szTempStr, " Instance");
	if (RegSetValueEx(hKey, "DefaultInstance", 0, REG_SZ, (CONST BYTE*)szTempStr, (DWORD)strlen(szTempStr)) != ERROR_SUCCESS)
	{
		return FALSE;
	}
	// 刷新注册表
	RegFlushKey(hKey);
	RegCloseKey(hKey);

	//-------------------------------------------------------------------------------------------------------
	// SYSTEM\\CurrentControlSet\\Services\\DriverName\\Instances\\DriverName Instance 子键下的键值项 
	//-------------------------------------------------------------------------------------------------------
	strcpy(szTempStr, "SYSTEM\\CurrentControlSet\\Services\\");
	strcat(szTempStr, lpszDriverName);
	strcat(szTempStr, "\\Instances\\");
	strcat(szTempStr, lpszDriverName);
	strcat(szTempStr, " Instance");
	if (RegCreateKeyEx(HKEY_LOCAL_MACHINE, szTempStr, 0, "", TRUE, KEY_ALL_ACCESS, NULL, &hKey, (LPDWORD)&dwData) != ERROR_SUCCESS)
	{
		return FALSE;
	}
	// 注册表驱动程序的Altitude 值
	strcpy(szTempStr, lpszAltitude);
	if (RegSetValueEx(hKey, "Altitude", 0, REG_SZ, (CONST BYTE*)szTempStr, (DWORD)strlen(szTempStr)) != ERROR_SUCCESS)
	{
		return FALSE;
	}
	// 注册表驱动程序的Flags 值
	dwData = 0x0;
	if (RegSetValueEx(hKey, "Flags", 0, REG_DWORD, (CONST BYTE*) & dwData, sizeof(DWORD)) != ERROR_SUCCESS)
	{
		return FALSE;
	}
	// 刷新注册表
	RegFlushKey(hKey);
	RegCloseKey(hKey);
	return TRUE;
}

// 启动驱动
BOOL StartDriver(const char* lpszDriverName)
{
	SC_HANDLE schManager;
	SC_HANDLE schService;
	SERVICE_STATUS svcStatus;

	if (NULL == lpszDriverName)
	{
		return FALSE;
	}

	schManager = OpenSCManager(NULL, NULL, SC_MANAGER_ALL_ACCESS);
	if (NULL == schManager)
	{
		printf("打开管理器失败!\n");
		CloseServiceHandle(schManager);
		return FALSE;
	}
	schService = OpenService(schManager, lpszDriverName, SERVICE_ALL_ACCESS);
	if (NULL == schService)
	{
		printf("打开服务失败!\n");
		CloseServiceHandle(schService);
		CloseServiceHandle(schManager);
		return FALSE;
	}

	if (!StartService(schService, 0, NULL))
	{
		printf("开启服务失败!\n");
		CloseServiceHandle(schService);
		CloseServiceHandle(schManager);
		printf("%x\n", GetLastError());
		if (GetLastError() == ERROR_SERVICE_ALREADY_RUNNING)
		{
			// 服务已经开启
			printf("服务器已经开启!\n");
			return TRUE;
		}
		return FALSE;
	}

	CloseServiceHandle(schService);
	CloseServiceHandle(schManager);

	return TRUE;
}

// 关闭驱动
BOOL StopDriver(const char* lpszDriverName)
{
	SC_HANDLE schManager;
	SC_HANDLE schService;
	SERVICE_STATUS svcStatus;
	bool bStopped = false;

	schManager = OpenSCManager(NULL, NULL, SC_MANAGER_ALL_ACCESS);
	if (NULL == schManager)
	{
		return FALSE;
	}
	schService = OpenService(schManager, lpszDriverName, SERVICE_ALL_ACCESS);
	if (NULL == schService)
	{
		CloseServiceHandle(schManager);
		return FALSE;
	}
	if (!ControlService(schService, SERVICE_CONTROL_STOP, &svcStatus) && (svcStatus.dwCurrentState != SERVICE_STOPPED))
	{
		CloseServiceHandle(schService);
		CloseServiceHandle(schManager);
		return FALSE;
	}

	CloseServiceHandle(schService);
	CloseServiceHandle(schManager);

	return TRUE;
}

// 删除驱动
BOOL DeleteDriver(const char* lpszDriverName)
{
	SC_HANDLE schManager;
	SC_HANDLE schService;
	SERVICE_STATUS svcStatus;

	schManager = OpenSCManager(NULL, NULL, SC_MANAGER_ALL_ACCESS);
	if (NULL == schManager)
	{
		return FALSE;
	}
	schService = OpenService(schManager, lpszDriverName, SERVICE_ALL_ACCESS);
	if (NULL == schService)
	{
		CloseServiceHandle(schManager);
		return FALSE;
	}
	ControlService(schService, SERVICE_CONTROL_STOP, &svcStatus);
	if (!DeleteService(schService))
	{
		CloseServiceHandle(schService);
		CloseServiceHandle(schManager);
		return FALSE;
	}
	CloseServiceHandle(schService);
	CloseServiceHandle(schManager);

	return TRUE;
}

int main(int argc, char* argv[])
{
	
	char DriverPath[51] = {0};
	char number[51] = {0};
	printf("请输入你的驱动路径:");
	gets_s(DriverPath);
	printf("请输入你的驱动高度:");
	gets_s(number);
	
	//这里注意要进行强制类型转换
	InstallDriver("minifilter", (const char*)DriverPath, (const char*)number);

	while (1)
	{
		char str[20] = "\0";
		printf("请输入命令: ");
		gets_s(str);

		if (strcmp(str, "start") == 0)
		{
			printf("[*] 启动驱动 \n");
			StartDriver("minifilter");
		}
		if (strcmp(str, "stop") == 0)
		{
			printf("[-] 关闭驱动 \n");
			StopDriver("minifilter");
		}
	}
	return 0;
}

参考资料

https://blog.csdn.net/b_h_l/article/details/39957329
驱动开发：文件微过滤驱动入门
http://www.manongjc.com/article/45296.html