关于文件隐藏驱动的编译错误,求救!!
我在xp+2kDDK环境下,要做文件(夹)隐藏驱动。我将网上流传的《隐藏任意进程,目录/文件,注册表,端口》代码做了修改,编译出现了许多错误。请大家帮我分析分析。谢谢!!
附源码和编译结果: 源码――――――――――――――――――――――――――――――
//
// filehide.c
//
// Kernel-mode driver that overwrites one slot of the system service table
// (KeServiceDescriptorTable) with its own routine and, on a successful
// directory query, removes entries whose names match an in-kernel list
// before the buffer is returned to the caller. Overwriting a service-table
// slot is exactly the modification that SSDT integrity checks look for.
//
// Review notes on this listing:
//  - PP_DIR, list_head, PTR_HIDEDIR and the ->flag/->name/->next fields used
//    in the hook routine are declared nowhere in this file; the build log at
//    the end of the post reports precisely those as C2065/C2223 errors.
//  - The hook routine's name, its parameter list and the slot it is
//    installed in do not agree with each other (see the notes at each site).
//
#include "ntddk.h"
#include "stdarg.h"
#include "stdio.h"
//----------------------------------------------------------------------
// DEFINES
//----------------------------------------------------------------------
// With DBG set, DbgPrint((fmt, ...)) expands to DbgPrint (fmt, ...); in a
// free build the whole call disappears. This is why every call site below
// uses double parentheses.
#if DBG
#define DbgPrint(arg) DbgPrint arg
#else
#define DbgPrint(arg)
#endif
//32768-65535 are reserved for use by customers
#define FILE_DEVICE_FILEHIDE 0x00008306
//available only on x86 now
// Service-table slot for a Zw* routine: indexes ServiceTable->ServiceTable
// with the 32-bit value read one byte into the routine's code. The stub
// layout this relies on is assumed, not checked (author's note: x86 only).
#define SYSCALL(_function) ServiceTable->ServiceTable[ *(PULONG)((PUCHAR)_function+1)]
typedef unsigned long DWORD;
typedef unsigned short WORD;
// NOTE(review): as written this line declares no type named BOOL (there is
// no separator between `int` and `BOOL`); the build log's C2065 'BOOL' at
// line 159 is consistent with that.
typedef intBOOL;
//structure unopen, parameter into ZwQueryDirectoryFile routine.
//God bless me it will not be changed.ms is shit...
// (The two comment lines above appear to describe _DirEntry further down,
// not this struct. _SYSTEM_THREADS is not referenced anywhere in this file.)
struct _SYSTEM_THREADS {
    LARGE_INTEGER KernelTime;
    LARGE_INTEGER UserTime;
    LARGE_INTEGER CreateTime;
    ULONG WaitTime;
    PVOID StartAddress;
    CLIENT_ID ClientIs;
    KPRIORITY Priority;
    KPRIORITY BasePriority;
    ULONG ContextSwitchCount;
    ULONG ThreadState;
    KWAIT_REASON WaitReason;
};
// Local redefinition of the Win32 FILETIME pair (not available from ntddk.h).
typedef struct _FILETIME {
    DWORD dwLowDateTime;
    DWORD dwHighDateTime;
} FILETIME;
// Hand-laid-out directory query entry, as the hook routine reads it:
//  - dwLenToNext: byte offset from this entry to the next; 0 marks the last
//    entry (this is what the walk below keys on);
//  - suName: start of the (variable-length) name. wNameLen is declared but
//    never consulted below.
// The remaining fields are declared for layout only and are unused here.
typedef struct _DirEntry {
    DWORD dwLenToNext;
    DWORD dwAttr;
    FILETIME ftCreate, ftLastAccess, ftLastWrite;
    DWORD dwUnknown[ 2 ];
    DWORD dwFileSizeLow;
    DWORD dwFileSizeHigh;
    DWORD dwUnknown2[ 3 ];
    WORD wNameLen;
    WORD wUnknown;
    DWORD dwUnknown3;
    WORD wShortNameLen;
    WCHAR swShortName[ 12 ];
    WCHAR suName[ 1 ];
} DirEntry, *PDirEntry;
// Definition for system call service table
// Only ServiceTable (the array of routine pointers indexed by SYSCALL()) is
// used in this file; LowCall, HiCall and ArgTable are declared for layout.
typedef struct _SRVTABLE {
    PVOID*ServiceTable;
    ULONG LowCall;
    ULONG HiCall;
    PVOID*ArgTable;
} SRVTABLE, *PSRVTABLE;
// Saved contents of the hooked slot (filled in by HookSystemCall).
// NOTE(review): declared with ZwQuerySystemInformation's four parameters,
// but HookZwQuerySystemInformation below calls it with eleven
// ZwQueryDirectoryFile-style arguments; prototype and call do not agree.
NTSTATUS (*RealZwQuerySystemInformation)(
    IN ULONG SystemInformationClass,
    IN PVOID SystemInformation,
    IN ULONG SystemInformationLength,
    OUT PULONG ReturnLength);
//----------------------------------------------------------------------
// GLOBALS
//----------------------------------------------------------------------
// Pointer to system global service table
// Assigned in DriverEntry from the KeServiceDescriptorTable export.
PSRVTABLE ServiceTable;
extern PSRVTABLE KeServiceDescriptorTable;
// Control device created by DriverEntry (IoCreateDevice).
PDEVICE_OBJECT ControlDeviceObject;
//----------------------------------------------------------------------
// FORWARD DEFINES
//----------------------------------------------------------------------
NTSTATUS FileHideDispatch( IN PDEVICE_OBJECT DeviceObject, IN PIRP Irp );
VOID FileHideUnload( IN PDRIVER_OBJECT DriverObject );
// Declared only so that SYSCALL(ZwQuerySystemInformation) has an address to
// read the service index from.
NTSYSAPI NTSTATUS NTAPI ZwQuerySystemInformation( IN ULONG SystemInformationClass, IN PVOID SystemInformation, IN ULONG SystemInformationLength, OUT PULONG ReturnLength );
//======================================================================
// H O O K R O U T I N E S
//======================================================================
// HookZwQueryDirectoryFile
//----------------------------------------------------------------------
// Replacement routine written into the service table by HookSystemCall.
//
// NOTE(review): the banner above names it HookZwQueryDirectoryFile, the
// symbol is HookZwQuerySystemInformation, the parameter list is that of
// ZwQueryDirectoryFile, and HookSystemCall installs it in the
// ZwQuerySystemInformation slot. These four do not agree.
//
// Behaviour as written: calls the saved original routine, then — on
// success — walks the returned entry chain (linked by dwLenToNext) and
// removes every entry whose upper-cased name begins with a list_head entry
// flagged PTR_HIDEDIR:
//  - an entry with a successor is removed by sliding the rest of the buffer
//    over it;
//  - the last entry is removed by terminating its predecessor
//    (pLast->dwLenToNext = 0);
//  - if the only entry matches, rc becomes 0x80000006 (STATUS_NO_MORE_FILES).
// Returns rc unchanged in every other case.
//
// list_head, PP_DIR and PTR_HIDEDIR are not defined in this listing (see the
// build log). ParentDirectory, BytesReturned and Object are never used.
NTSTATUS HookZwQuerySystemInformation( IN HANDLE hFile, IN HANDLE hEvent OPTIONAL, IN PIO_APC_ROUTINE IoApcRoutine OPTIONAL, IN PVOID IoApcContext OPTIONAL, OUT PIO_STATUS_BLOCK pIoStatusBlock, OUT PVOID FileInformationBuffer, IN ULONG FileInformationBufferLength, IN FILE_INFORMATION_CLASS FileInfoClass, IN BOOLEAN bReturnOnlyOneEntry, IN PUNICODE_STRING PathMask OPTIONAL, IN BOOLEAN bRestartQuery)
{
    NTSTATUS rc;
    ANSI_STRING ansiFileName,ansiDirName;
    UNICODE_STRING uniFileName;
    PP_DIR ptr;
    WCHAR ParentDirectory[1024] = {0};
    int BytesReturned;
    PVOID Object;
    // Call the original (saved) routine first; the results are filtered below.
    rc =(RealZwQuerySystemInformation)( hFile, hEvent, IoApcRoutine, IoApcContext, pIoStatusBlock, FileInformationBuffer, FileInformationBufferLength, FileInfoClass, bReturnOnlyOneEntry, PathMask, bRestartQuery);
    if(NT_SUCCESS(rc))
    {
        PDirEntry p;
        PDirEntry pLast;
        BOOL bLastOne;
        int found;
        p = (PDirEntry)FileInformationBuffer; // Treat the returned buffer as the first entry
        pLast = NULL;
        do
        {
            // dwLenToNext == 0 marks the final entry of the chain.
            bLastOne = !( p->dwLenToNext );
            // NOTE(review): scans suName for a NUL terminator; wNameLen is not
            // used, so this assumes the name is terminated — confirm against
            // the entry layout.
            RtlInitUnicodeString(&uniFileName,p->suName);
            // Both conversions allocate (AllocateDestinationString = TRUE) on
            // every iteration; the matching RtlFreeAnsiString calls run once,
            // after the loop.
            RtlUnicodeStringToAnsiString(&ansiFileName,&uniFileName,TRUE);
            RtlUnicodeStringToAnsiString(&ansiDirName,&uniFileName,TRUE);
            // Upper-case copy of ansiDirName into ansiFileName (destination first).
            RtlUpperString(&ansiFileName,&ansiDirName);
            found=0;
            // (Author's TODO: the names should be looked up in protectfilelist.ini.)
            // Search the list for an entry matching the current name.
            for(ptr = list_head; ptr != NULL; ptr = ptr->next)
            {
                if (ptr->flag != PTR_HIDEDIR) continue;
                // RtlCompareMemory returns the count of matching bytes, so this
                // is a prefix match: ptr->name must begin the upper-cased name.
                if( RtlCompareMemory( ansiFileName.Buffer, ptr->name,strlen(ptr->name) ) == strlen(ptr->name))
                {
                    found=1;
                    break;
                }
            }//end for
            // If the list contains the current name, drop the entry.
            if(found)
            {
                if(bLastOne)
                {
                    if(p == (PDirEntry)FileInformationBuffer )
                    {
                        rc = 0x80000006; // Only entry: report STATUS_NO_MORE_FILES instead
                    }
                    else pLast->dwLenToNext = 0; // Otherwise cut the chain at the predecessor
                    break;
                }
                else
                {
                    // Slide everything after this entry down over it. iLeft is
                    // measured from the caller's buffer length, not from the
                    // byte count the original call actually returned.
                    int iPos = ((ULONG)p) - (ULONG)FileInformationBuffer;
                    int iLeft = (DWORD)FileInformationBufferLength - iPos - p->dwLenToNext;
                    RtlCopyMemory( (PVOID)p, (PVOID)( (char *)p + p->dwLenToNext ), (DWORD)iLeft );
                    // continue jumps to the while test; bLastOne is FALSE here,
                    // so p is re-examined now that the next entry occupies it.
                    continue;
                }
            }//if(found)
            pLast = p;
            p = (PDirEntry)((char *)p + p->dwLenToNext );
        }while( !bLastOne );//do
        RtlFreeAnsiString(&ansiDirName);
        RtlFreeAnsiString(&ansiFileName);
    }
    return(rc);
}
//----------------------------------------------------------------------
// HookRegistry
// Replaces entries in the system service table with pointers to
// our own hook routines. We save off the real routine addresses.
//----------------------------------------------------------------------
// Saves the current contents of the ZwQuerySystemInformation slot in
// RealZwQuerySystemInformation, then writes the hook's address into that
// slot. ServiceTable must already point at KeServiceDescriptorTable
// (DriverEntry does this just before calling here).
// NOTE(review): the slot is ZwQuerySystemInformation's, while the routine
// written into it carries ZwQueryDirectoryFile's parameter list.
VOID HookSystemCall( void )
{
    // Hook everything
    RealZwQuerySystemInformation = SYSCALL( ZwQuerySystemInformation );
    SYSCALL( ZwQuerySystemInformation ) = (PVOID) HookZwQuerySystemInformation;
}
//----------------------------------------------------------------------
//
// UnhookZwQueryDirectoryFile
//
//----------------------------------------------------------------------
// Writes the saved original address back into the same slot. Only called
// from FileHideUnload, which is itself registered only in DBG builds.
VOID UnhookSystemCall( )
{
    //
    // Unhook everything
    //
    SYSCALL( ZwQuerySystemInformation ) = (PVOID) RealZwQuerySystemInformation;
}
//----------------------------------------------------------------------
//
// FilehideDispatch
//
//----------------------------------------------------------------------
// Single dispatch routine for CREATE, CLOSE, SHUTDOWN and DEVICE_CONTROL.
// Every request is completed with STATUS_SUCCESS and zero bytes of
// information; the switch only emits debug output, and no IOCTL is
// actually handled.
NTSTATUS FileHideDispatch( IN PDEVICE_OBJECT DeviceObject, IN PIRP Irp )
{
    PIO_STACK_LOCATION irpStack;
    //
    // Go ahead and set the request up as successful
    //
    Irp->IoStatus.Status = STATUS_SUCCESS;
    Irp->IoStatus.Information = 0;
    //
    // Get a pointer to the current location in the Irp. This is where
    // the function codes and parameters are located.
    //
    irpStack = IoGetCurrentIrpStackLocation (Irp);
    switch (irpStack->MajorFunction)
    {
    case IRP_MJ_CREATE:
        DbgPrint(("FileHide: IRP_MJ_CREATE\n"));
        break;
    case IRP_MJ_SHUTDOWN:
        // NOTE(review): logs the IRP_MJ_CREATE text for the SHUTDOWN case.
        DbgPrint(("FileHide: IRP_MJ_CREATE\n"));
        break;
    case IRP_MJ_CLOSE:
        DbgPrint(("FileHide: IRP_MJ_CLOSE\n"));
        break;
    case IRP_MJ_DEVICE_CONTROL:
        DbgPrint (("FileHide: IRP_MJ_DEVICE_CONTROL\n"));
        break;
    }
    IoCompleteRequest( Irp, IO_NO_INCREMENT );
    return STATUS_SUCCESS;
}
//----------------------------------------------------------------------
//
// RegmonUnload
//
// Our job is done - time to leave.
//
//----------------------------------------------------------------------
// Unload handler: restores the service-table slot, then deletes the
// \DosDevices symbolic link and the device object. (The "registry"
// wording below is left over from the Regmon sample this file is based on.)
VOID FileHideUnload( IN PDRIVER_OBJECT DriverObject )
{
    WCHAR deviceLinkBuffer[] = L"\\DosDevices\\FileHideDR";
    UNICODE_STRING deviceLinkUnicodeString;
    DbgPrint(("FileHide.SYS: unloading\n"));
    //
    // Unhook the registry
    //
    UnhookSystemCall();
    //
    // Delete the symbolic link for our device
    //
    RtlInitUnicodeString( &deviceLinkUnicodeString, deviceLinkBuffer );
    IoDeleteSymbolicLink( &deviceLinkUnicodeString );
    //
    // Delete the device object
    //
    IoDeleteDevice( DriverObject->DeviceObject );
    DbgPrint(("FileHideDR.SYS: deleted devices\n"));
}
//----------------------------------------------------------------------
//
// DriverEntry
//
// Installable driver initialization. Here we just set ourselves up.
//
//----------------------------------------------------------------------
// Creates \Device\FileHideDR and its \DosDevices link, points the four
// handled major functions at FileHideDispatch, then takes the service
// table address from KeServiceDescriptorTable and installs the hook.
// Returns the IoCreateDevice/IoCreateSymbolicLink failure status, or
// STATUS_SUCCESS once the hook is in place.
// Note: DriverUnload is registered only under #if DBG, so a free build
// cannot be unloaded and the service-table change stays until reboot.
NTSTATUS DriverEntry(IN PDRIVER_OBJECT DriverObject, IN PUNICODE_STRING RegistryPath )
{
    NTSTATUS ntStatus;
    WCHAR deviceNameBuffer[] = L"\\Device\\FileHideDR";
    UNICODE_STRING deviceNameUnicodeString;
    WCHAR deviceLinkBuffer[] = L"\\DosDevices\\FileHideDR";
    UNICODE_STRING deviceLinkUnicodeString;
    DbgPrint (("FileHideDR.SYS: entering DriverEntry\n"));
    //
    // Setup our name and symbolic link
    //
    RtlInitUnicodeString (&deviceNameUnicodeString, deviceNameBuffer );
    RtlInitUnicodeString (&deviceLinkUnicodeString, deviceLinkBuffer );
    ntStatus = IoCreateDevice ( DriverObject, 0, &deviceNameUnicodeString, FILE_DEVICE_FILEHIDE, 0, TRUE, &ControlDeviceObject );
    if (NT_SUCCESS(ntStatus))
    {
        // Create a symbolic link that the GUI can specify to gain access
        // to this driver/device
        ntStatus = IoCreateSymbolicLink (&deviceLinkUnicodeString, &deviceNameUnicodeString );
        //
        // Create dispatch points for all routines that must be handled
        //
        DriverObject->MajorFunction[IRP_MJ_SHUTDOWN] =
        DriverObject->MajorFunction[IRP_MJ_CREATE] =
        DriverObject->MajorFunction[IRP_MJ_CLOSE] =
        DriverObject->MajorFunction[IRP_MJ_DEVICE_CONTROL] = FileHideDispatch;
#if DBG
        DriverObject->DriverUnload = FileHideUnload;
#endif
    }
    if (!NT_SUCCESS(ntStatus))
    {
        DbgPrint(("FileHideDR: Failed to create our device!\n"));
        //
        // Something went wrong, so clean up (free resources etc)
        //
        // The link is deleted unconditionally here, whether or not
        // IoCreateSymbolicLink ran or succeeded.
        if( ControlDeviceObject )
        {
            IoDeleteDevice( ControlDeviceObject );
        }
        IoDeleteSymbolicLink( &deviceLinkUnicodeString );
        return ntStatus;
    }
    //
    // Pointer to system table data structure is an NTOSKRNL export
    //
    ServiceTable = KeServiceDescriptorTable;
    DbgPrint(("FileHide: Servicetable: %x\n", ServiceTable ));
    HookSystemCall();
    DbgPrint(("FileHide: Hook System Call"));
    return STATUS_SUCCESS;
}
编译结果+++++++++++++++++++++++++++
H:\MyProject\filedriver>build
BUILD: Object root set to: ==> objchk
BUILD: /i switch ignored
BUILD: Compile and Link for i386
BUILD: Loading J:\NTDDK\build.dat...
BUILD: Computing Include file dependencies:
BUILD: Examining h:\myproject\filedriver directory for files to compile.
h:\myproject\filedriver - 1 source files (382 lines)
BUILD: Compiling h:\myproject\filedriver directory
Compiling - filehide.c for i386
filehide.c(136) : error C2065: 'PP_DIR' : undeclared identifier
filehide.c(136) : error C2146: syntax error : missing ';' before identifier 'ptr '
filehide.c(136) : error C2065: 'ptr' : undeclared identifier
filehide.c(138) : error C2275: 'WCHAR' : illegal use of this type as an expressi on
filehide.c(138) : error C2146: syntax error : missing ';' before identifier 'Par entDirectory'
filehide.c(138) : error C2065: 'ParentDirectory' : undeclared identifier
filehide.c(138) : error C2109: subscript requires array or pointer type
filehide.c(138) : error C2059: syntax error : '{'
filehide.c(139) : error C2143: syntax error : missing ';' before 'type'
filehide.c(140) : error C2275: 'PVOID' : illegal use of this type as an expressi on
filehide.c(140) : error C2146: syntax error : missing ';' before identifier 'Obj ect'
filehide.c(140) : error C2065: 'Object' : undeclared identifier
filehide.c(159) : error C2065: 'BOOL' : undeclared identifier
filehide.c(159) : error C2146: syntax error : missing ';' before identifier 'bLastOne'
filehide.c(159) : error C2065: 'bLastOne' : undeclared identifier
filehide.c(160) : error C2143: syntax error : missing ';' before 'type'
filehide.c(172) : error C2065: 'found' : undeclared identifier
filehide.c(176) : error C2065: 'list_head' : undeclared identifier
filehide.c(176) : error C2223: left of '->next' must point to struct/union
filehide.c(178) : error C2223: left of '->flag' must point to struct/union
filehide.c(178) : error C2065: 'PTR_HIDEDIR' : undeclared identifier
filehide.c(179) : error C2223: left of '->name' must point to struct/union
filehide.c(179) : error C2223: left of '->name' must point to struct/union
filehide.c(179) : error C2168: 'strlen' : too few actual parameters for intrinsic function
filehide.c(179) : error C2198: 'RtlCompareMemory' : too few actual parameters
filehide.c(179) : error C2223: left of '->name' must point to struct/union
filehide.c(179) : error C2168: 'strlen' : too few actual parameters for intrinsic function
BUILD: Compile errors: not linking h:\myproject\filedriver directory
BUILD: Done
1 file compiled - 9 Warnings - 27 Errors - 191 LPS