|
阅读:1749回复:7
谁有完整的隐藏目录的原代码
我按照网络上的文档写的文件隐藏,老是死机,重启计算机,请问谁有现成的可以使用的原代码。
|
|
|
沙发#
发布于:2005-02-22 12:26
不支持这样做,你可以贴出代码,大家帮你看看
|
|
|
|
板凳#
发布于:2005-02-22 13:21
事啊, 不要照搬人家的东西,把代码贴出来大家帮你看
|
|
|
|
地板#
发布于:2005-02-23 13:49
我在DriverEntry中添加如下代码 RealZwQueryDirectoryFile =(REALZWQUERYDIRECTORYFILE)(SYSTEMSERVICE(ZwQueryDirectoryFile)); // (REALZWQUERYDIRECTORYFILE)(SYSTEMSERVICE(ZwQueryDirectoryFile)) = HookZwQueryDirectoryFile; 下面是HookZwQueryDirectoryFile函数 NTSTATUS HookZwQueryDirectoryFile( IN HANDLE hFile, IN HANDLE hEvent OPTIONAL, IN PIO_APC_ROUTINE IoApcRoutine OPTIONAL, IN PVOID IoApcContext OPTIONAL, OUT PIO_STATUS_BLOCK pIoStatusBlock, OUT PVOID FileInformationBuffer, IN ULONG FileInformationBufferLength, IN FILE_INFORMATION_CLASS FileInfoClass, IN BOOLEAN bReturnOnlyOneEntry, IN PUNICODE_STRING PathMask OPTIONAL, IN BOOLEAN bRestartQuery) { NTSTATUS rc; //ULONG CR0VALUE; ANSI_STRING ansiFileName,ansiDirName,HideDirFile; UNICODE_STRING uniFileName; //初始化要过虑的文件名这里是debug.exe RtlInitAnsiString(&HideDirFile,\"DBGVIEW.EXE\"); // 执行真正的ZwQueryDirectoryFile函数 rc = ((REALZWQUERYDIRECTORYFILE)(RealZwQueryDirectoryFile))( hFile, hEvent, IoApcRoutine, IoApcContext, pIoStatusBlock, FileInformationBuffer, FileInformationBufferLength, FileInfoClass, bReturnOnlyOneEntry, PathMask, bRestartQuery); /*如果执行成功(而且FILE_INFORMATION_CLASS的值为FileBothDirectoryInformation,我们就进行处理,过滤*/ if(NT_SUCCESS(rc)&& (FileInfoClass == FileBothDirectoryInformation)) { PFILE_BOTH_DIR_INFORMATION pFileInfo; PFILE_BOTH_DIR_INFORMATION pLastFileInfo; BOOLEAN bLastOne; //把执行结果赋给pFileInfo pFileInfo = (PFILE_BOTH_DIR_INFORMATION)FileInformationBuffer; pLastFileInfo = NULL; //循环检查 do { bLastOne = !( pFileInfo->NextEntryOffset ); RtlInitUnicodeString(&uniFileName,pFileInfo->FileName); RtlUnicodeStringToAnsiString(&ansiFileName,&uniFileName,TRUE); RtlUnicodeStringToAnsiString(&ansiDirName,&uniFileName,TRUE); RtlUpperString(&ansiFileName,&ansiDirName); //打印结果,用debugview可以查看打印结果 DbgPrint(\"ansiFileName :%s\\n\",ansiFileName.Buffer); DbgPrint(\"HideDirFile :%s\\n\",HideDirFile.Buffer); // 开始进行比较,如果找到了就隐藏这个文件或者目录 if( RtlCompareMemory(ansiFileName.Buffer,HideDirFile.Buffer,HideDirFile.Length ) == HideDirFile.Length) { DbgPrint(\"This is HideDirFile!\\n\"); if(bLastOne) { if(pFileInfo == (PFILE_BOTH_DIR_INFORMATION)FileInformationBuffer ) { rc = 0x80000006; //隐藏文件或者目录; } else { pLastFileInfo->NextEntryOffset = 0; } break; } else //指针往后移动 { int iPos = ((ULONG)pFileInfo) - (ULONG)FileInformationBuffer; int iLeft = (ULONG)FileInformationBufferLength - iPos - pFileInfo->NextEntryOffset; RtlCopyMemory( (PVOID)pFileInfo, (PVOID)( (char *)pFileInfo + pFileInfo->NextEntryOffset ), (ULONG)iLeft );//原来这里是DWORD continue; } } pLastFileInfo = pFileInfo; pFileInfo = (PFILE_BOTH_DIR_INFORMATION)((char *)pFileInfo + pFileInfo->NextEntryOffset); }while(!bLastOne); RtlFreeAnsiString(&ansiDirName); RtlFreeAnsiString(&ansiFileName); } return(rc); } |
|
|
地下室#
发布于:2005-02-23 15:21
从文件驱动做比较简单
|
|
|
|
5楼#
发布于:2005-02-25 16:22
下面这一段有问题。
RtlCopyMemory( (PVOID)pFileInfo, (PVOID)( (char *)pFileInfo + pFileInfo->NextEntryOffset ), (ULONG)iLeft );//原来这里是DWORD |
|
|
6楼#
发布于:2008-02-27 16:28
有例子了,学习中
|
|
|
7楼#
发布于:2008-02-27 19:56
古代时期的事情了~
|
|
|
