1) requirements specification:
as a C: \ \ 1. Exe, 1. Exe for an empty exe file, the upper software through the ShellExecute (0, "open", "C: \ \ 1. Exe", ""," ", SW_SHOWNORMAL),
Files in the drive, filtering, and replace it with a specified when performing an exe, in order to realize the protection , (the exe read content from other storage area, such as a hidden encrypted files,)
2) data description:
Existing online data, file redirection is to replace it to another path, that doesn't meet the requirements of the I
Also studied the PE manager, PE manager is introduced: the execution of a PE file, Windows is not in the beginning the entire file into memory, and memory mapping file instead of similar mechanisms, that is to say, the Windows loader at the time of loading only establish good virtual address and the mapping relationship between PE file,
3) present situation description:
Now I'm in the filter drivers: 1. Exe read certain - PostRead processing, by calling the interface, I read the contents of the specified storage area, and print it out and found that there is no question of data, files, however, did not call certain processing, filtered to find: call IRP_MJ_CREATE/IRP_MJ_QUERY_INFORMATION,
Through PE loader to start the EXE file in memory, because the program is a self-extracting, which failed to pass,
Excuse me, what is the way, a great god, please give opinions,