|
阅读:1222回复:0
求各位大侠帮我解决这个问题
使用DriverStudio自带的例子Daytime进行目录枚举功能扩展。
编写MyNT.h文件如下: #ifndef _MyNT_H #define _MyNT_H #include <ntddk.h> #pragma pack(8) typedef struct _FILE_BOTH_DIR_INFORMATION { ULONG NextEntryOffset; ULONG FileIndex; LARGE_INTEGER CreationTime; LARGE_INTEGER LastAccessTime; LARGE_INTEGER LastWriteTime; LARGE_INTEGER ChangeTime; LARGE_INTEGER EndOfFile; LARGE_INTEGER AllocationSize; ULONG FileAttributes; ULONG FileNameLength; ULONG EaSize; char shortNameLength; WCHAR ShortName[12]; WCHAR Filename[1]; }FILE_BOTH_DIR_INFORMATION,*PFILE_BOTH_DIR_INFORMATION; #pragma pack() #define FileBothDirectoryInformation 3 extern "C" { NTSYSAPI NTSTATUS NTAPI NtQueryDirectoryFile(IN HANDLE FileHandle, IN HANDLE Event OPTIONAL, IN PIO_APC_ROUTINE ApcRoutine OPTIONAL, IN PVOID ApcContext OPTIONAL, OUT PIO_STATUS_BLOCK ioStatusBlock, OUT PVOID FileInformation, IN ULONG Length, IN ULONG FileInformationClass, IN BOOLEAN ReturnSignleEntry, IN PUNICODE_STRING FileName OPTIONAL, IN BOOLEAN RestartScan); } NTSTATUS MyFindNextFile(HANDLE hHandle,unsigned char *bBuffer,int len); #endif 编写MyNT.cpp文件如下: #include "MyNT.h" #pragma comment(lib,"ntdll.lib") NTSTATUS MyFindNextFile(HANDLE hHandle,unsigned char *bBuffer,int len) { NTSTATUS status; IO_STATUS_BLOCK io_block; status = NtQueryDirectoryFile(hHandle,NULL,NULL,NULL, &io_block,(PVOID)bBuffer,len, FileBothDirectoryInformation, FALSE,NULL,FALSE); return status; } 之后,在Daytime.cpp文件中添加如下代码: #include "MyNT.h" 在工程中添加MyNT.cpp文件。 在Daytime类中加入Public函数: VOID Test(VOID); 该函数定义如下: VOID Daytime::Test(VOID) { HANDLE hFileHandle; NTSTATUS status; IO_STATUS_BLOCK ioStatusBlock; OBJECT_ATTRIBUTES objectAttributes; UNICODE_STRING uParentName; WCHAR wParentName[256]; char ansiParentName[256]; UNICODE_STRING uChildName; WCHAR wChildName[256]; char ansiChildName[256]; memset(wParentName,0,sizeof(wParentName)); wcscpy(wParentName,L"\\??\\C:\\WINDOWS\\"); RtlInitUnicodeString(&uParentName,wParentName); InitializeObjectAttributes(&objectAttributes,&uParentName, OBJ_CASE_INSENSITIVE|OBJ_KERNEL_HANDLE,NULL,NULL); hFileHandle = NULL; status = ZwOpenFile(&hFileHandle,GENERIC_READ|GENERIC_WRITE, &objectAttributes,&ioStatusBlock,FILE_SHARE_READ, FILE_DIRECTORY_FILE|FILE_RANDOM_ACCESS|FILE_SYNCHRONOUS_IO_NONALERT); if(status == STATUS_SUCCESS) DbgPrint("ZwOpen Successed.\n"); else { DbgPrint("ZwOpen Failed.\n"); return; } if(hFileHandle == NULL)return; unsigned char ansiUse[4096]; memset(ansiUse,0,sizeof(ansiUse)); status = MyFindNextFile(hFileHandle,ansiUse,sizeof(ansiUse)); if(hFileHandle != NULL)ZwClose(hFileHandle); FILE_BOTH_DIR_INFORMATION fdInfo; unsigned long fdOffset = 0; int i,j,k; if(status == STATUS_SUCCESS) { while(1) { memset(&fdInfo,0,sizeof(fdInfo)); memcpy(&fdInfo,ansiUse+fdOffset,sizeof(fdInfo)); k = fdInfo.FileNameLength; memset(wChildName,0,sizeof(wChildName)); memcpy(wChildName,ansiUse+fdOffset+0x5e,k); i = wcslen(wChildName); memset(ansiChildName,0,sizeof(ansiChildName)); for(j = 0;j < i;j ++)ansiChildName[j] = (char)wChildName[j]; DbgPrint("Daytime: %s\n",ansiChildName); if(fdInfo.NextEntryOffset == 0)break; fdOffset = fdOffset+fdInfo.NextEntryOffset; } } else DbgPrint("Failed to query.\n"); } 编译后出现一个错误:Daytime.obj : error LNK2019: unresolved external symbol __chkstk referenced in function "public: void __thiscall Daytime::Test(void)" (?Test@Daytime@@QAEXXZ).\objchk\i386\Daytime.sys : fatal error LNK1120: 1 unresolved externals 为什么呢?谢谢各位!急急急!!! |
|
