文件（夹）隐藏又一种实现方式，比较浪费性能的方式呵呵免费奉献（自创）

楼主^#

更多发布于：2008-09-21 22:44

在驱网上混了这么久，我也来点无厘头的隐藏文件或者文件夹的代码片段吧（自己写的啊不过有一个子函数是某个网友写的，很抱歉我忘了他的网名了）
这个函数是用了半个下午写出来的。肯定有bug，不过我明天早上才开始调试它，有喜欢熬夜的人，这个代码就送给你们了。
NTSTATUS
FsDirectoryControl(IN PDEVICE_OBJECT DeviceObject,
   IN PIRP Irp)
{
   NTSTATUS status;
   PIO_STACK_LOCATION irpSp = IoGetCurrentIrpStackLocation(Irp); //当前Irp(IO_STACK_LOCATION)的参数
   PDEVICE_EXTENSION devExt = DeviceObject->DeviceExtension;
   PFILE_BOTH_DIR_INFORMATION dirInfo = NULL;

   BOOLEAN bSingle = (irpSp->Flags &SL_RETURN_SINGLE_ENTRY);
   PVOID pUserBuffer = Irp->UserBuffer;
   PVOID pPreUserBuffer = NULL;
   ULONG UserBufferLen = irpSp->Parameters.QueryDirectory.Length;
   PVOID pBuffer = NULL;
   ULONG nCurrentIndex = 0;
   ULONG nLenLeft = 0;
   PVOID pTempBuffer = NULL;
   ULONG nOffset = 0;
   IO_STATUS_BLOCK ioStatus;
   KEVENT waitEvent;
   //UNICODE_STRING path;
   ASSERT(g_CDO != DeviceObject);
   ASSERT(IS_MY_DEVICE_OBJECT(DeviceObject));
   if (IRP_MN_QUERY_DIRECTORY != irpSp->MinorFunction)
   {
   goto PASSTHROUGH;
   }
   if (Irp->RequestorMode == KernelMode)
   {
   goto PASSTHROUGH;
   }
   if (FileBothDirectoryInformation != ((PQUERY_DIRECTORY)&irpSp->Parameters)->FileInformationClass)
   {
   goto PASSTHROUGH;
   }

   //自己分配irp ，自己分配buffer ，自己的irp完成后就拷数据给上面的userbuffer。
   pUserBuffer = Irp->UserBuffer;
   nCurrentIndex =0;

   pBuffer = ExAllocatePool(PagedPool,irpSp->Parameters.QueryDirectory.Length);

   if(pBuffer == NULL)
   {
   status = STATUS_INSUFFICIENT_RESOURCES;
   Irp->IoStatus.Information = 0;
   Irp->IoStatus.Status = status;
   goto RETURN;
   }
   nLenLeft = UserBufferLen;
   pTempBuffer = pBuffer;
   do
   {

   status = PfpQueryDirectory(Irp,devExt->AttachedToDevice,pBuffer,nLenLeft,&ioStatus);
   if(NT_SUCCESS(status))
   {
   do
   {
   dirInfo =(PFILE_BOTH_DIR_INFORMATION)pBuffer;
   if(!IS_MY_HIDE_OBJECT(dirInfo->FileName,
   dirInfo->FileNameLength,
   dirInfo->FileAttributes))
   {
   try
   {

   memcpy(pUserBuffer,dirInfo,sizeof(FILE_BOTH_DIR_INFORMATION)+dirInfo->FileNameLength-sizeof(WCHAR));

   pPreUserBuffer = pUserBuffer;

   (PUCHAR)pUserBuffer += (sizeof(FILE_BOTH_DIR_INFORMATION)+dirInfo->FileNameLength-sizeof(WCHAR)+7)&~7;
   nLenLeft-=(sizeof(FILE_BOTH_DIR_INFORMATION)+dirInfo->FileNameLength-sizeof(WCHAR)+7)&~7;

   (*(PFILE_BOTH_DIR_INFORMATION)pPreUserBuffer).NextEntryOffset = ((PUCHAR)pUserBuffer-(PUCHAR)pPreUserBuffer);

   }
   except (EXCEPTION_EXECUTE_HANDLER)
   {
   status = Irp->IoStatus.Status = GetExceptionCode();
   }
   }

   nOffset = dirInfo->NextEntryOffset;
   dirInfo = (PUCHAR)dirInfo +nOffset;

   }
   while(nOffset!=0);

   if(pPreUserBuffer!= NULL && bSingle)//上次查询没有找到
   {
   break;
   }
   memset(pBuffer,0,UserBufferLen);
   }

   } while(NT_SUCCESS(status));

   if(pPreUserBuffer)
   {
   (*(PFILE_BOTH_DIR_INFORMATION)pPreUserBuffer).NextEntryOffset =0;
   Irp->IoStatus.Information = (UserBufferLen-nLenLeft);

   }else
   {
   Irp->IoStatus.Status =status;
   }
   //HandleDirectory(Irp->UserBuffer, &((PQUERY_DIRECTORY)&irpSp->Parameters)->Length);
RETURN:
   if(pBuffer)
   {
   ExFreePool(pBuffer);
   }
   IoCompleteRequest(Irp, IO_NO_INCREMENT);
   return status;

PASSTHROUGH:
   IoSkipCurrentIrpStackLocation(Irp);
   return IoCallDriver(devExt->AttachedToDevice, Irp);
}

NTSTATUS
PfpQueryDirectory(IN PIRP pOrignalIrp,
   IN PDEVICE_OBJECT pNextDevice,
   IN PVOID pBuffer, //新申请的buffer
   IN ULONG Len,//userbuffer中剩余的字节
   PIO_STATUS_BLOCK pIostatus)
{
   PIRP pnewIrp;
   PIO_STACK_LOCATION pIostack;
   KEVENT waitEvent;
   NTSTATUS ntstatus;
   pnewIrp = IoAllocateIrp(pNextDevice->StackSize,TRUE);

   if(pnewIrp == NULL)
   {
   pIostatus->Information =0;
   pIostatus->Status = STATUS_INSUFFICIENT_RESOURCES;
   return pIostatus->Status ;

   }

   pIostack = IoGetNextIrpStackLocation(pnewIrp);

   *pIostack =* IoGetCurrentIrpStackLocation(pOrignalIrp);


   pnewIrp->UserIosb = pIostatus;
   pnewIrp->Flags = IRP_SYNCHRONOUS_API;
   pnewIrp->RequestorMode = KernelMode;
   pnewIrp->Tail.Overlay.Thread = PsGetCurrentThread();
   pnewIrp->UserEvent = NULL;

   pIostack->Parameters.QueryDirectory.Length = Len;


   IoSetCompletionRoutine( pnewIrp,
   DirControlCompletion, //CompletionRoutine
   &waitEvent, //context parameter
   TRUE,
   TRUE,
   TRUE
   );

   ntstatus = IoCallDriver(pNextDevice,pnewIrp);

   if (STATUS_PENDING == ntstatus)
   {

   KeWaitForSingleObject( &waitEvent,
   Executive,
   KernelMode,
   FALSE,
   NULL );
   }

   //
   // Verify the completion has actually been run
   //

   ASSERT(KeReadStateEvent(&waitEvent) || !NT_SUCCESS(pIostatus->Status));

   return pIostatus->Status;
}

NTSTATUS
DirControlCompletion(IN PDEVICE_OBJECT DeviceObject, IN PIRP Irp, IN PVOID Context)
{
   //if (Irp->PendingReturned) IoMarkIrpPending(Irp);
   UNREFERENCED_PARAMETER(DeviceObject);

   ASSERT( NULL != Irp->UserIosb );

   *Irp->UserIosb = Irp->IoStatus;

   KeSetEvent((PKEVENT)Context, IO_NO_INCREMENT, FALSE);

   //
   // We are now done, so clean up the IRP that we allocated.
   //

   IoFreeIrp( Irp );

   return STATUS_MORE_PROCESSING_REQUIRED; //注：必须返回这个值
}

喜欢0

Davisz 驱动牛犊注册日期2008-10-05 最后登录2011-09-27 粉丝0 关注0 积分2分威望3点贡献值0点好评度0点原创分0分专家分0分加关注写私信	沙发^# 发布于：2008-10-20 23:25 顶一下.
	回复(0) 喜欢(0)

qianjunhua 驱动小牛注册日期2003-12-08 最后登录2013-02-27 粉丝11 关注0 积分712分威望1052点贡献值1点好评度57点原创分0分专家分0分加关注写私信	板凳^# 发布于：2008-09-22 10:11 晕都没有人看得上眼啊
	回复(0) 喜欢(0)

looksail

荣誉会员

注册日期2005-05-22
最后登录2014-03-15
粉丝2
关注0
积分1016分
威望991点
贡献值0点
好评度239点
原创分0分
专家分0分

加关注写私信

地板^#

发布于：2008-09-22 02:41

提问归提问,还是只能靠自己

回复喜欢

您需要登录后才可以回帖，登录或者注册

文件（夹）隐藏 又一种实现方式，比较浪费性能的方式 呵呵 免费奉献（自创）

最新喜欢：

文件（夹）隐藏又一种实现方式，比较浪费性能的方式呵呵免费奉献（自创）