Views: 2803  Replies: 3
Hooked ZwCreateSection, how do I get the file name?
I hooked ZwCreateSection, but now I cannot read the file name at all.
I don't know which file is about to be started.

    ZwCreateSection(
        OUT PHANDLE SectionHandle,
        IN ACCESS_MASK DesiredAccess,
        IN POBJECT_ATTRIBUTES ObjectAttributes OPTIONAL,
        IN PLARGE_INTEGER MaximumSize OPTIONAL,
        IN ULONG SectionPageProtection,
        IN ULONG AllocationAttributes,
        IN HANDLE FileHandle OPTIONAL
    );

The only parameter in this signature with any hope of yielding the file name is FileHandle, but how do I get the name from it? NtQueryInformationFile?
#1
Posted: 2007-03-28 17:47
Bumping this myself. I have already tried NtQueryInformationFile and could not get a result; the code found online either won't compile or simply doesn't work! Could someone post complete code?
#2
Posted: 2007-03-28 19:34
Finally got the file name, ugh, but it is missing the drive letter at the front, *sob*
#3
Posted: 2007-03-29 09:05
Solved it myself; here is a summary.

    #include <windows.h>
    #include <winternl.h>
    #include <wchar.h>

    /* ZwQueryObject is not in the import libraries, so it is resolved by hand. */
    typedef NTSTATUS (NTAPI *pZwQueryObject)(HANDLE, ULONG, PVOID, ULONG, PULONG);

    BOOL GetPathByHandle(HANDLE hFile, LPWSTR lpBuf, DWORD nBuf)
    {
        ULONG m, n;
        /* ObjectNameInformation (class 1) returns a UNICODE_STRING header followed by the
           name characters; the union keeps the header aligned on both 32- and 64-bit. */
        union { UNICODE_STRING us; BYTE raw[sizeof(UNICODE_STRING) + (MAX_PATH + 4) * sizeof(WCHAR)]; } name;
        WCHAR lpDrive[MAX_PATH];
        WCHAR lpDevName[MAX_PATH];
        HMODULE ntdll = GetModuleHandleA("ntdll.dll");   /* ntdll is mapped in every process */
        pZwQueryObject ZwQueryObject = ntdll ? (pZwQueryObject)GetProcAddress(ntdll, "ZwQueryObject") : NULL;
        if (!ZwQueryObject) return FALSE;

        /* NT path of the handle, e.g. \Device\HarddiskVolume1\Windows\notepad.exe */
        if (ZwQueryObject(hFile, 1, &name, sizeof(name), &m) >= 0 && name.us.Buffer
            && (m = GetLogicalDriveStringsW(MAX_PATH, lpDrive)) && m < MAX_PATH) {
            WCHAR *p = lpDrive;                       /* "C:\" "D:\" ... double-NUL terminated */
            while ((m = (ULONG)wcslen(p)) != 0) {
                p[m - 1] = L'\0';                     /* "C:\" -> "C:" as QueryDosDevice expects */
                n = QueryDosDeviceW(p, lpDevName, MAX_PATH);
                if (n && n < MAX_PATH) {
                    n = (ULONG)wcslen(lpDevName);     /* e.g. \Device\HarddiskVolume1 */
                    /* the device name must be followed by '\', otherwise
                       HarddiskVolume1 would also match HarddiskVolume10 */
                    if (!_wcsnicmp(name.us.Buffer, lpDevName, n) && name.us.Buffer[n] == L'\\') {
                        wcsncpy(lpBuf, p, nBuf);                              /* "C:" */
                        if (nBuf > 2) wcsncpy(lpBuf + 2, name.us.Buffer + n, nBuf - 2);
                        if (nBuf) lpBuf[nBuf - 1] = L'\0';                    /* always terminate */
                        return TRUE;
                    }
                }
                p += m + 1;
            }
        }
        return FALSE;
    }
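The drive-letter mapping that post #3 performs with GetLogicalDriveStringsW and QueryDosDeviceW, pulled out as a portable added example (not the poster's code): it takes the NT path that ZwQueryObject returns and a drive table, and produces the DOS path post #2 was missing, requiring a backslash after the device name so that \Device\HarddiskVolume1 does not also claim \Device\HarddiskVolume10. The table entries are constructed; on Windows they come from the two APIs above, and `nt_to_dos_path` is a hypothetical name.

```c
#include <stdio.h>
#include <string.h>
#include <ctype.h>

/* A drive letter and the NT device it resolves to. Constructed sample data;
   on Windows GetLogicalDriveStringsW + QueryDosDeviceW fill such a table. */
typedef struct {
    const char *drive;   /* "C:" */
    const char *device;  /* "\Device\HarddiskVolume1" */
} DriveMap;

static const DriveMap g_map[] = {
    { "C:", "\\Device\\HarddiskVolume1" },
    { "D:", "\\Device\\HarddiskVolume10" },   /* shares a prefix with C: on purpose */
    { "E:", "\\Device\\CdRom0" },
};

/* Case-insensitive prefix test, the role _wcsnicmp plays in the poster's code. */
static int has_prefix_icase(const char *s, const char *prefix)
{
    while (*prefix) {
        if (toupper((unsigned char)*s) != toupper((unsigned char)*prefix)) return 0;
        s++; prefix++;
    }
    return 1;
}

/* Convert an NT path to a DOS path. Returns 1 on success, 0 when no drive
   matches or the output buffer is too small (out is then not to be trusted). */
int nt_to_dos_path(const char *ntpath, char *out, size_t outsz)
{
    size_t i;
    for (i = 0; i < sizeof(g_map) / sizeof(g_map[0]); i++) {
        size_t n = strlen(g_map[i].device);
        /* device name must be followed by '\': a bare prefix compare would let
           HarddiskVolume1 (C:) swallow every path on HarddiskVolume10 (D:) */
        if (has_prefix_icase(ntpath, g_map[i].device) && ntpath[n] == '\\') {
            int w = snprintf(out, outsz, "%s%s", g_map[i].drive, ntpath + n);
            return w >= 0 && (size_t)w < outsz;
        }
    }
    return 0;   /* e.g. \Device\NamedPipe\... has no drive letter at all */
}

int main(void)
{
    char dos[260];
    const char *nt = "\\Device\\HarddiskVolume10\\data\\a.txt";   /* constructed input */
    if (nt_to_dos_path(nt, dos, sizeof dos)) printf("%s -> %s\n", nt, dos);
    return 0;
}
```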