Ring3下Hook NtQueryDirectoryFile隐藏文件
2016-07-20 17:10
453 查看
NTSTATUS WINAPI Hook_NtQueryDirectoryFile(IN HANDLE FileHandle,IN HANDLE Event OPTIONAL,
IN PIO_APC_ROUTINE ApcRoutine OPTIONAL,IN PVOID ApcContext OPTIONAL,
OUT PIO_STATUS_BLOCK IoStatusBlock,OUT PVOID FileInformation,
IN ULONG FileInformationLength,IN FILE_INFORMATION_CLASS FileInformationClass,
IN BOOLEAN ReturnSingleEntry, IN PUNICODE_STRING FileName OPTIONAL,IN BOOLEAN RestartScan)
{
NTSTATUS Status=STATUS_SUCCESS;
Status=OldNtQueryDirectoryFile(FileHandle,Event,ApcRoutine,ApcContext,\
IoStatusBlock,FileInformation,FileInformationLength,\
FileInformationClass,ReturnSingleEntry,FileName,RestartScan);
if (!NT_SUCCESS(Status))
{
return Status;
}
//////////////////////////////////
if (FileBothDirectoryInformation==FileInformationClass)
{
FILE_BOTH_DIRECTORY_INFORMATION* pFileInfo = (FILE_BOTH_DIRECTORY_INFORMATION*)FileInformation;
FILE_BOTH_DIRECTORY_INFORMATION* pLastFileInfo = NULL;
BOOL bLastFlag=FALSE;
do
{
bLastFlag=!(pFileInfo->NextEntryOffset);
if (NULL!=wcsstr(pFileInfo->FileName,L"1.hook"))
{
OutputDebugStringW(L"已发现目标");
if (bLastFlag) //链表里最后一个文件
{
pLastFileInfo->NextEntryOffset=0;
break;
}
else
{
int iPos = (ULONG)pFileInfo - (ULONG)FileInformation;
int iLeft = (ULONG)FileInformationLength - iPos - pFileInfo->NextEntryOffset;
RtlCopyMemory( (PVOID)pFileInfo, (PVOID)( (char *)pFileInfo + pFileInfo->NextEntryOffset ), iLeft );
continue;
}
}
pLastFileInfo=pFileInfo;
pFileInfo=(PFILE_BOTH_DIRECTORY_INFORMATION)((CHAR*)pFileInfo+pFileInfo->NextEntryOffset);
}while(!bLastFlag);
}
return Status;
}
http://www.cnblogs.com/lzjsky/archive/2010/12/01/1892702.html
IN PIO_APC_ROUTINE ApcRoutine OPTIONAL,IN PVOID ApcContext OPTIONAL,
OUT PIO_STATUS_BLOCK IoStatusBlock,OUT PVOID FileInformation,
IN ULONG FileInformationLength,IN FILE_INFORMATION_CLASS FileInformationClass,
IN BOOLEAN ReturnSingleEntry, IN PUNICODE_STRING FileName OPTIONAL,IN BOOLEAN RestartScan)
{
NTSTATUS Status=STATUS_SUCCESS;
Status=OldNtQueryDirectoryFile(FileHandle,Event,ApcRoutine,ApcContext,\
IoStatusBlock,FileInformation,FileInformationLength,\
FileInformationClass,ReturnSingleEntry,FileName,RestartScan);
if (!NT_SUCCESS(Status))
{
return Status;
}
//////////////////////////////////
if (FileBothDirectoryInformation==FileInformationClass)
{
FILE_BOTH_DIRECTORY_INFORMATION* pFileInfo = (FILE_BOTH_DIRECTORY_INFORMATION*)FileInformation;
FILE_BOTH_DIRECTORY_INFORMATION* pLastFileInfo = NULL;
BOOL bLastFlag=FALSE;
do
{
bLastFlag=!(pFileInfo->NextEntryOffset);
if (NULL!=wcsstr(pFileInfo->FileName,L"1.hook"))
{
OutputDebugStringW(L"已发现目标");
if (bLastFlag) //链表里最后一个文件
{
pLastFileInfo->NextEntryOffset=0;
break;
}
else
{
int iPos = (ULONG)pFileInfo - (ULONG)FileInformation;
int iLeft = (ULONG)FileInformationLength - iPos - pFileInfo->NextEntryOffset;
RtlCopyMemory( (PVOID)pFileInfo, (PVOID)( (char *)pFileInfo + pFileInfo->NextEntryOffset ), iLeft );
continue;
}
}
pLastFileInfo=pFileInfo;
pFileInfo=(PFILE_BOTH_DIRECTORY_INFORMATION)((CHAR*)pFileInfo+pFileInfo->NextEntryOffset);
}while(!bLastFlag);
}
return Status;
}
http://www.cnblogs.com/lzjsky/archive/2010/12/01/1892702.html
内容来自用户分享和网络整理,不保证内容的准确性,如有侵权内容,可联系管理员处理 
相关文章推荐
- Media Queries
- [YY题]HDOJ5288 OO’s Sequence
- leetcode 375. Guess Number Higher or Lower II
- Android 开发最佳实践教程——MVPBuilder
- 自定义可动画展开收缩View的实现
- UICollectionView详解
- 40.You have statistics collected for some selected tables. Your requirement is that the statistics
- 让超出父视图范围的子视图响应事件,在UIView范围外响应点击
- uvaLive 3263 That Nice Euler Circuit 欧拉定理
- UIBezierPath
- 自定义View之MenuItemView
- 判断UitableView reloadData 结束的方法
- GStreamer SDK 1.0 Build Via Cerbero
- java -BolokingQueue
- button的常用属性和方法总结
- Leetcode 232. Implement Queue using Stacks (Easy) (cpp)
- UIPickerView
- 关于去除easy ui 的input textarea 等输入框点击有蓝色框框
- hbuilder学习记录
- Android基础--Android Studio报错信息: ExecException finished with non-zero exit value 2