|
阅读:1201回复:0
关于本站<<隐藏任意文件目录进程端口..>>一文的疑问
我使用syscall把ZwQueryDirectoryFile替换掉了,然后在hook函数里面,我遍历链表,将不想让人可见的东西的next修改,
结果我想藏的文件是藏起来了,但是这时候随便删除一个文件,系统就一个黑屏直接重启了。即使我不做任何修改,只是遍历一下,结果也是一样,我不明白这是为什么,这时候我根本就没有修改内存的操作啊, 代码如下(我已经把处理的部分去掉了,光是一个遍历,也不行): status = RealZwQueryDirectoryFile(。。。。FileInformation,...); if(FileInformation) { pFileInfo = (FILE_BOTH_DIRECTORY_INFORMATION*)FileInformation; }else{ return status; } while(1){ if(FileInformationClass == 1) { FileNameStr = ((FILE_DIRECTORY_INFORMATION*)pFileInfo)->FileName; FileNameLength = ((FILE_DIRECTORY_INFORMATION*)pFileInfo)->FileNameLength; }else if(FileInformationClass == 2) { FileNameStr = ((FILE_FULL_DIRECTORY_INFORMATION*)pFileInfo)->FileName; FileNameLength = ((FILE_FULL_DIRECTORY_INFORMATION*)pFileInfo)->FileNameLength; }else if(FileInformationClass == 3) { FileNameStr = ((FILE_BOTH_DIRECTORY_INFORMATION*)pFileInfo)->FileName; FileNameLength = ((FILE_BOTH_DIRECTORY_INFORMATION*)pFileInfo)->FileNameLength; }else { break; } if(pFileInfo->NextEntryOffset == 0) { pFileInfo = (FILE_BOTH_DIRECTORY_INFORMATION*)((char*)pFileInfo + pFileInfo->NextEntryOffset ); }else { break; } } |
|
