How do I get the file path inside ZwQueryDirectoryFile?
I am writing an SSDT hook that replaces the ZwQueryDirectoryFile( ) native API in order to hide files. To hide a particular file under a specified directory I need the file path. How can I get the file path inside the replacement ZwQueryDirectoryFile( ) function?
I found this post written by unknown_love: http://bbs.driverdevelop.com/htm_data/39/0709/105738.html
This line in it, RtlUnicodeStringToAnsiString(&str,&pFile->FileName,1);, cannot be made to work, because pFile simply has no FileName member.

    NTSTATUS NewZwQueryDirectoryFile(
        IN HANDLE hFile,
        IN HANDLE hEvent OPTIONAL,
        IN PIO_APC_ROUTINE IoApcRoutine OPTIONAL,
        IN PVOID IoApcContext OPTIONAL,
        OUT PIO_STATUS_BLOCK pIoStatusBlock,
        OUT PVOID FileInformationBuffer,
        IN ULONG FileInformationBufferLength,
        IN FILE_INFORMATION_CLASS FileInfoClass,
        IN BOOLEAN bReturnOnlyOneEntry,
        IN PUNICODE_STRING PathMask OPTIONAL,
        IN BOOLEAN bRestartQuery)
    {
        PFILE_OBJECT pFileObj=NULL;
        OBJECT_HANDLE_INFORMATION info;
        ANSI_STRING str;
        char* buff;

        ObReferenceObjectByHandle(hFile,0,0,KernelMode,(PVOID)&pFileObj,&info);
        if (!pFile) return;
        RtlUnicodeStringToAnsiString(&str,&pFile->FileName,1); // this line
        buff=str.Buffer;
        DbgPrint("FilePath:%s\n",buff);
        RtlFreeAnsiString(&str);
        ObDereferenceObject(pFile);
        ......
    }
Reply #1
Posted: 2008-03-15 19:34
pFile is a PFILE_OBJECT
Reply #2
Posted: 2008-03-15 20:32
So that's how it is. Thanks.