ZwQueryDirectoryFile自己写的函数有点BUG 大家看看帮我!!
我用数组保留文件名实现隐藏是没有问题的，但是用链表就会出错
大家看看怎么回事
/*
 * NewZwQueryDirectoryFile - hook replacement for ZwQueryDirectoryFile.
 *
 * Calls the saved original entry (OldZwQueryDirectoryFile) with every argument
 * passed through unchanged.  If that succeeds and the caller requested
 * FileBothDirectoryInformation, the returned entry chain is walked and every
 * entry that FindHideFile() accepts is unlinked, so the caller never sees it.
 * This is the directory-listing filter pattern that rootkit detectors look for
 * by diffing the hooked view against an independent one, or by checking that
 * the service-table entry still points into the kernel image.
 *
 * Parameters: identical to ZwQueryDirectoryFile; all are forwarded as-is.
 * Returns: the original call's status, or 0x80000006 (STATUS_NO_MORE_FILES)
 *          when the only entry in the buffer was the one removed.
 *
 * NOTE(review): the loop allocates two ANSI strings per entry but frees them
 * once, after the loop, and it relies on assumptions about the entry layout
 * that the visible code does not establish (see the inline notes).
 */
NTSTATUS NewZwQueryDirectoryFile(
    IN HANDLE FileHandle,
    IN HANDLE Event,
    IN PIO_APC_ROUTINE ApcRoutine,
    IN PVOID ApcContext,
    OUT PIO_STATUS_BLOCK IoStatusBlock,
    OUT PVOID FileInformation,
    IN ULONG Length,
    IN FILE_INFORMATION_CLASS FileInformationClass,
    IN BOOLEAN ReturnSingleEntry,
    IN PUNICODE_STRING FileName,
    IN BOOLEAN RestartScan
    )
{
    NTSTATUS status;
    ANSI_STRING strfilename;            /* ANSI copy of the current entry's name (heap, see TRUE below) */
    ANSI_STRING strpathname;            /* ANSI copy of the directory path (heap) */
    UNICODE_STRING ustrfilename;
    UNICODE_STRING ustrpathname;
    WCHAR wpathname[1024] = {0};        /* path of FileHandle, filled by GetDosNameChar */

    /* Let the real service fill the caller's buffer first; filtering is post-processing. */
    status = ((tZwQueryDirectoryFile)(OldZwQueryDirectoryFile))(FileHandle, Event, ApcRoutine, ApcContext, IoStatusBlock, FileInformation, Length, FileInformationClass, ReturnSingleEntry, FileName, RestartScan);

    /* Only one information class is filtered; any other class passes through untouched. */
    if (NT_SUCCESS(status) && (FileInformationClass == FileBothDirectoryInformation)) {
        PFILE_BOTH_DIR_INFORMATION pFileInfo;       /* entry being examined */
        PFILE_BOTH_DIR_INFORMATION pLastFileInfo;   /* previous surviving entry, NULL for the first */
        BOOLEAN bLastOne;                           /* NextEntryOffset == 0: last entry in the buffer */

        pFileInfo = (PFILE_BOTH_DIR_INFORMATION)FileInformation;
        pLastFileInfo = NULL;

        //------ get the path of the directory being listed
        GetDosNameChar(FileHandle, wpathname);

        do {
            bLastOne = !(pFileInfo->NextEntryOffset);

            /* NOTE(review): RtlInitUnicodeString scans for a terminating NUL; nothing
             * here establishes that pFileInfo->FileName carries one (the loop never
             * consults a length field), so this may read past the entry. */
            RtlInitUnicodeString(&ustrfilename, pFileInfo->FileName);
            RtlInitUnicodeString(&ustrpathname, wpathname);
            /* TRUE = allocate the ANSI buffers; they are freed only once, after the
             * loop, so every additional iteration leaks the previous pair. */
            RtlUnicodeStringToAnsiString(&strpathname, &ustrpathname, TRUE);
            RtlUnicodeStringToAnsiString(&strfilename, &ustrfilename, TRUE);
            DbgPrint("strpathname %s", strpathname.Buffer);
            DbgPrint("strfilename %s", strfilename.Buffer);

            if (FindHideFile(strpathname.Buffer, strfilename.Buffer)) {
                if (bLastOne) {
                    if (pFileInfo == (PFILE_BOTH_DIR_INFORMATION)FileInformation) {
                        /* The buffer held exactly this entry: report it as empty. */
                        status = 0x80000006;    /* STATUS_NO_MORE_FILES */
                    } else {
                        /* Cut the chain at the previous surviving entry. */
                        pLastFileInfo->NextEntryOffset = 0;
                    }
                    break;
                } else {
                    /* Shift everything after this entry down over it.
                     * Pointer-to-ULONG arithmetic is x86-only (truncates on 64-bit). */
                    int iPos = ((ULONG)pFileInfo) - (ULONG)FileInformation;
                    /* NOTE(review): bounded by the caller's buffer size Length, not by the
                     * byte count the original call actually filled -- confirm these agree,
                     * otherwise the copy source can run past the filled data. */
                    int iLeft = (ULONG)Length - iPos - pFileInfo->NextEntryOffset;
                    RtlCopyMemory((PVOID)pFileInfo, (PVOID)((char *)pFileInfo + pFileInfo->NextEntryOffset), (ULONG)iLeft);
                    /* pFileInfo now points at the moved-in entry; re-examine it in place.
                     * 'continue' in a do/while jumps to the condition, which uses the
                     * bLastOne computed for the removed entry (FALSE on this branch). */
                    continue;
                }
            }
            pLastFileInfo = pFileInfo;
            pFileInfo = (PFILE_BOTH_DIR_INFORMATION)((char *)pFileInfo + pFileInfo->NextEntryOffset);
        } while (!bLastOne);

        /* Frees only the pair allocated on the final iteration (see the NOTE above). */
        RtlFreeAnsiString(&strpathname);
        RtlFreeAnsiString(&strfilename);
    }
    return status;
}
我调试的结果使这样的 *** Fatal System Error: 0x000000be (0xF7982408,0x001E1161,0xF7D223A8,0x0000000B) Driver at fault: *** HipsNew.sys - Address F79824BB base at F7981000, DateStamp 48d4a660 . Break instruction exception - code 80000003 (first chance) A fatal system error has occurred. Debugger entered on first try; Bugcheck callbacks have not been invoked. A fatal system error has occurred. Connected to Windows XP 2600 x86 compatible target, ptr64 FALSE *** ERROR: Symbol file could not be found. Defaulted to export symbols for ntkrnlpa.exe - Loading Kernel Symbols ............................................................................................................... Loading User Symbols ......................... Loading unloaded module list ........*** ERROR: Symbol file could not be found. Defaulted to export symbols for ntdll.dll - ******************************************************************************* * * * Bugcheck Analysis * * * ******************************************************************************* Use !analyze -v to get detailed debugging information. BugCheck BE, {f7982408, 1e1161, f7d223a8, b} ***** Kernel symbols are WRONG. Please fix symbols to do analysis. *** ERROR: Module load completed but symbols could not be loaded for mssmbios.sys Probably caused by : HipsNew.sys ( HipsNew!NewZwQueryDirectoryFile+97 ) Followup: MachineOwner --------- STACK_COMMAND: kb FOLLOWUP_IP: HipsNew!NewZwQueryDirectoryFile+97 [e:\lgbean\lgbean_system_protect\hipsnew\hookfun.c @ 380] f7981ef6 8b95d8f7ffff mov edx,dword ptr [ebp-828h] FAULTING_SOURCE_CODE: 376: //------??¨¨??¡¤?? 
377: GetDosNameChar(FileHandle , wpathname); 378: 379: do{ > 380: bLastOne = !( pFileInfo->NextEntryOffset ); 381: RtlInitUnicodeString(&ustrfilename,pFileInfo->FileName); 382: RtlInitUnicodeString(&ustrpathname,wpathname); 383: RtlUnicodeStringToAnsiString(&strpathname,&ustrpathname,TRUE); 384: RtlUnicodeStringToAnsiString(&strfilename,&ustrfilename,TRUE); 385: SYMBOL_STACK_INDEX: 6 FOLLOWUP_NAME: MachineOwner IMAGE_NAME: HipsNew.sys SYMBOL_NAME: HipsNew!NewZwQueryDirectoryFile+97 BUCKET_ID: WRONG_SYMBOLS Followup: MachineOwner |