发IRP包更名文件示例代码。
#include <ntddk.h>
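/*
 * Local definition of FILE_RENAME_INFORMATION, spelled out here because the
 * header this file includes does not declare it for this build.
 * FileName is a trailing variable-length buffer, so a valid allocation is
 * FIELD_OFFSET(FILE_RENAME_INFORMATION, FileName) + FileNameLength bytes.
 */
typedef struct _FILE_RENAME_INFORMATION {
    BOOLEAN ReplaceIfExists;   /* overwrite an existing target of that name */
    HANDLE  RootDirectory;     /* directory the name is relative to, or NULL */
    ULONG   FileNameLength;    /* length of FileName in BYTES, not characters */
    WCHAR   FileName[1];       /* not necessarily NUL-terminated */
} FILE_RENAME_INFORMATION, *PFILE_RENAME_INFORMATION;

#define NT_DEVICE_NAME  L"\\Device\\360SuperKill"
#define DOS_DEVICE_NAME L"\\DosDevices\\360SuperKill"

/* Declared but not referenced anywhere in this file. */
NTSTATUS NTAPI VfatBuildRequest(PDEVICE_OBJECT DeviceObject, PIRP Irp);

/**
 * Driver unload: removes the symbolic link and the device created in
 * DriverEntry, in reverse creation order.
 *
 * @param DriverObject  The driver being unloaded.
 */
VOID SKillUnloadDriver(IN PDRIVER_OBJECT DriverObject)
{
    UNICODE_STRING symLink;
    PDEVICE_OBJECT deviceObject = DriverObject->DeviceObject;

    RtlInitUnicodeString(&symLink, DOS_DEVICE_NAME);
    IoDeleteSymbolicLink(&symLink);
    IoDeleteDevice(deviceObject);
}

/**
 * Opens an existing file by NT path and returns a kernel handle to it.
 *
 * @param FileName       NT-style path (e.g. L"\\??\\c:\\...").
 * @param DesiredAccess  Access mask requested on the file.
 * @param ShareAccess    FILE_SHARE_* flags.
 * @return A kernel handle (OBJ_KERNEL_HANDLE) on success, NULL if the open
 *         fails or the caller is above PASSIVE_LEVEL (IoCreateFile requires
 *         PASSIVE_LEVEL).  The caller owns the handle and must ZwClose it.
 */
HANDLE SkillIoOpenFile(IN PCWSTR FileName, IN ACCESS_MASK DesiredAccess, IN ULONG ShareAccess)
{
    NTSTATUS status;
    UNICODE_STRING name;
    OBJECT_ATTRIBUTES attributes;
    HANDLE fileHandle = NULL;
    IO_STATUS_BLOCK ioStatus;

    if (KeGetCurrentIrql() > PASSIVE_LEVEL) {
        return NULL;
    }

    RtlInitUnicodeString(&name, FileName);
    InitializeObjectAttributes(&attributes, &name,
                               OBJ_KERNEL_HANDLE | OBJ_CASE_INSENSITIVE, NULL, NULL);

    status = IoCreateFile(&fileHandle, DesiredAccess, &attributes, &ioStatus,
                          0,                      /* AllocationSize */
                          FILE_ATTRIBUTE_NORMAL,
                          ShareAccess,
                          FILE_OPEN,              /* existing files only */
                          0,                      /* CreateOptions */
                          NULL, 0,                /* EaBuffer, EaLength */
                          0,                      /* CreateFileType */
                          NULL,                   /* ExtraCreateParameters */
                          IO_NO_PARAMETER_CHECKING);
    if (!NT_SUCCESS(status)) {
        return NULL;
    }
    return fileHandle;
}

/**
 * Completion routine for the IRP built by KeRenameFile.
 *
 * Propagates the final status into the caller's IO_STATUS_BLOCK, wakes the
 * waiting caller and frees the IRP (it was allocated by us, not by the I/O
 * manager).  Returning STATUS_MORE_PROCESSING_REQUIRED stops the I/O manager
 * from touching the already-freed IRP.
 */
NTSTATUS KeRenameFileCompletion(IN PDEVICE_OBJECT DeviceObject, IN PIRP Irp, IN PVOID Context)
{
    UNREFERENCED_PARAMETER(DeviceObject);
    UNREFERENCED_PARAMETER(Context);

    DbgPrint(("IoCompletionRoutine!\n"));

    *Irp->UserIosb = Irp->IoStatus;
    if (Irp->UserEvent) {
        KeSetEvent(Irp->UserEvent, IO_NO_INCREMENT, FALSE);
    }
    if (Irp->MdlAddress) {
        IoFreeMdl(Irp->MdlAddress);
        Irp->MdlAddress = NULL;
    }
    IoFreeIrp(Irp);
    return STATUS_MORE_PROCESSING_REQUIRED;
}

/**
 * Completion routine for the IRP built by SKillDeleteFile.  Same contract as
 * KeRenameFileCompletion: copy IoStatus out, signal the caller, free the IRP.
 * Irp->UserEvent must be non-NULL (SKillDeleteFile always sets it).
 */
NTSTATUS SkillSetFileCompletion(IN PDEVICE_OBJECT DeviceObject, IN PIRP Irp, IN PVOID Context)
{
    UNREFERENCED_PARAMETER(DeviceObject);
    UNREFERENCED_PARAMETER(Context);

    Irp->UserIosb->Status = Irp->IoStatus.Status;
    Irp->UserIosb->Information = Irp->IoStatus.Information;
    KeSetEvent(Irp->UserEvent, IO_NO_INCREMENT, FALSE);
    IoFreeIrp(Irp);
    return STATUS_MORE_PROCESSING_REQUIRED;
}

/**
 * Sends IRP_MJ_SET_INFORMATION / FileRenameInformation straight to the device
 * stack owning FileObject and waits synchronously for the result.
 *
 * @param DeviceObject     Device the IRP is dispatched to (top of the stack).
 * @param FileObject       File to rename; the caller holds the reference.
 * @param FileInformation  Caller-owned FILE_RENAME_INFORMATION, handed to the
 *                         file system as SystemBuffer (must be non-paged).
 * @param Length           Valid bytes in FileInformation, i.e.
 *                         FIELD_OFFSET(FILE_RENAME_INFORMATION, FileName) +
 *                         FileNameLength.
 * @return STATUS_INSUFFICIENT_RESOURCES if no IRP could be allocated,
 *         otherwise the final status reported by the file system.
 */
NTSTATUS KeRenameFile(PDEVICE_OBJECT DeviceObject, PFILE_OBJECT FileObject,
                      IN PVOID FileInformation, IN ULONG Length)
{
    PIRP irp;
    PIO_STACK_LOCATION irpSp;
    KEVENT event;
    IO_STATUS_BLOCK ioStatus;

    irp = IoAllocateIrp(DeviceObject->StackSize, FALSE);
    if (irp == NULL) {
        return STATUS_INSUFFICIENT_RESOURCES;
    }

    KeInitializeEvent(&event, SynchronizationEvent, FALSE);
    ioStatus.Status = STATUS_SUCCESS;
    ioStatus.Information = 0;

    irp->Flags |= IRP_BUFFERED_IO;
    irp->RequestorMode = KernelMode;
    irp->UserEvent = &event;
    irp->UserIosb = &ioStatus;
    irp->Tail.Overlay.OriginalFileObject = FileObject;
    irp->Tail.Overlay.Thread = PsGetCurrentThread();
    irp->AssociatedIrp.SystemBuffer = FileInformation;
    irp->MdlAddress = NULL;

    irpSp = IoGetNextIrpStackLocation(irp);
    irpSp->MajorFunction = IRP_MJ_SET_INFORMATION;
    irpSp->FileObject = FileObject;
    irpSp->DeviceObject = DeviceObject;
    irpSp->Parameters.SetFile.Length = Length;
    irpSp->Parameters.SetFile.FileInformationClass = FileRenameInformation;
    irpSp->Parameters.SetFile.ReplaceIfExists =
        ((PFILE_RENAME_INFORMATION)FileInformation)->ReplaceIfExists;

    /* The completion routine runs on success, error and cancel, so it always
     * fills ioStatus, signals event and frees irp; IoCallDriver's own return
     * value carries nothing the caller needs. */
    IoSetCompletionRoutine(irp, KeRenameFileCompletion, &event, TRUE, TRUE, TRUE);
    (VOID)IoCallDriver(DeviceObject, irp);

    /* Non-alertable: event and ioStatus live on this stack frame and are
     * written by the completion routine.  An alertable wait could return
     * before completion and leave the routine writing into a dead frame. */
    KeWaitForSingleObject(&event, Executive, KernelMode, FALSE, NULL);

    return ioStatus.Status;
}

/**
 * Renames the file behind FileHandle to the fixed name "calc23.exe" in the
 * same directory (RootDirectory == NULL, simple name).
 *
 * @param FileHandle  Handle from SkillIoOpenFile; the caller keeps ownership.
 * @return TRUE if the file system reported success, FALSE otherwise.
 */
BOOLEAN SKillRenameFile(IN HANDLE FileHandle)
{
    static const WCHAR newName[] = L"calc23.exe";
    /* Byte length of the name without the terminator. */
    const ULONG nameBytes = (ULONG)(sizeof(newName) - sizeof(WCHAR));
    /* Bytes the file system is told are valid. */
    const ULONG infoLength = FIELD_OFFSET(FILE_RENAME_INFORMATION, FileName) + nameBytes;
    /* One extra WCHAR so the zeroed buffer stays NUL-terminated for KdPrint. */
    const ULONG allocLength = infoLength + sizeof(WCHAR);

    NTSTATUS status;
    PFILE_OBJECT fileObject = NULL;
    PDEVICE_OBJECT deviceObject;
    PFILE_RENAME_INFORMATION renameInfo;
    BOOLEAN ok;

    status = ObReferenceObjectByHandle(FileHandle, DELETE, *IoFileObjectType,
                                       KernelMode, (PVOID *)&fileObject, NULL);
    if (!NT_SUCCESS(status)) {
        return FALSE;
    }

    if (!(fileObject->Flags & FO_HANDLE_CREATED)) {
        /* Diagnostic only; no cleanup IRP is sent here. */
        DbgPrint("ItisOpen!");
    }

    deviceObject = IoGetRelatedDeviceObject(fileObject);

    /* Non-paged because the buffer becomes the IRP's SystemBuffer. */
    renameInfo = ExAllocatePool(NonPagedPool, allocLength);
    if (renameInfo == NULL) {
        ObDereferenceObject(fileObject);
        return FALSE;
    }
    RtlZeroMemory(renameInfo, allocLength);

    renameInfo->ReplaceIfExists = TRUE;
    renameInfo->RootDirectory = NULL;
    renameInfo->FileNameLength = nameBytes;
    RtlCopyMemory(renameInfo->FileName, newName, nameBytes);

    KdPrint(("\nrename file:%ws\n", renameInfo->FileName));

    /* Pass the real payload size; sizeof(FILE_RENAME_INFORMATION) alone
     * would cover only one WCHAR of the name. */
    status = KeRenameFile(deviceObject, fileObject, renameInfo, infoLength);
    ok = NT_SUCCESS(status) ? TRUE : FALSE;

    ExFreePool(renameInfo);
    ObDereferenceObject(fileObject);
    return ok;
}

/**
 * Marks the file behind FileHandle for deletion on last close by sending
 * IRP_MJ_SET_INFORMATION / FileDispositionInformation directly to the device
 * stack and waiting for completion.
 *
 * @param FileHandle  Handle from SkillIoOpenFile; the caller keeps ownership.
 * @return TRUE if the file system reported success, FALSE otherwise.
 */
BOOLEAN SKillDeleteFile(IN HANDLE FileHandle)
{
    NTSTATUS status;
    PFILE_OBJECT fileObject = NULL;
    PDEVICE_OBJECT deviceObject;
    PIRP irp;
    KEVENT event;
    FILE_DISPOSITION_INFORMATION disposition;
    IO_STATUS_BLOCK ioStatus;
    PIO_STACK_LOCATION irpSp;

    status = ObReferenceObjectByHandle(FileHandle, DELETE, *IoFileObjectType,
                                       KernelMode, (PVOID *)&fileObject, NULL);
    if (!NT_SUCCESS(status)) {
        return FALSE;
    }

    if (!(fileObject->Flags & FO_HANDLE_CREATED)) {
        /* Diagnostic only; no cleanup IRP is sent here. */
        DbgPrint("ItisOpen!");
    }

    deviceObject = IoGetRelatedDeviceObject(fileObject);

    irp = IoAllocateIrp(deviceObject->StackSize, TRUE);
    if (irp == NULL) {
        ObDereferenceObject(fileObject);
        return FALSE;
    }

    KeInitializeEvent(&event, SynchronizationEvent, FALSE);
    ioStatus.Status = STATUS_SUCCESS;
    ioStatus.Information = 0;
    disposition.DeleteFile = TRUE;

    irp->AssociatedIrp.SystemBuffer = &disposition;
    irp->UserEvent = &event;
    irp->UserIosb = &ioStatus;
    irp->Tail.Overlay.OriginalFileObject = fileObject;
    irp->Tail.Overlay.Thread = (PETHREAD)KeGetCurrentThread();
    irp->RequestorMode = KernelMode;
    /* NOTE(review): IRP_CLOSE_OPERATION on a set-information IRP looks
     * unusual; kept as the author wrote it — confirm the intent. */
    irp->Flags = IRP_CLOSE_OPERATION | IRP_SYNCHRONOUS_API;

    irpSp = IoGetNextIrpStackLocation(irp);
    irpSp->MajorFunction = IRP_MJ_SET_INFORMATION;
    irpSp->DeviceObject = deviceObject;
    irpSp->FileObject = fileObject;
    irpSp->Parameters.SetFile.Length = sizeof(FILE_DISPOSITION_INFORMATION);
    irpSp->Parameters.SetFile.FileInformationClass = FileDispositionInformation;
    irpSp->Parameters.SetFile.FileObject = fileObject;

    /* Completion routine fills ioStatus, signals event and frees irp. */
    IoSetCompletionRoutine(irp, SkillSetFileCompletion, &event, TRUE, TRUE, TRUE);
    (VOID)IoCallDriver(deviceObject, irp);

    /* Non-alertable: event, ioStatus and disposition live on this frame and
     * are used by the lower driver / completion routine until completion. */
    KeWaitForSingleObject(&event, Executive, KernelMode, FALSE, NULL);

    ObDereferenceObject(fileObject);
    return NT_SUCCESS(ioStatus.Status) ? TRUE : FALSE;
}

/**
 * Driver entry: creates the control device and its DOS symbolic link, then
 * runs the sample once — open "\??\c:\calc.exe" and rename it via
 * SKillRenameFile.
 *
 * @param DriverObject  This driver.
 * @param RegistryPath  Unused.
 * @return STATUS_SUCCESS, or the failure status from IoCreateDevice /
 *         IoCreateSymbolicLink (the device is torn down on link failure).
 */
NTSTATUS DriverEntry(IN PDRIVER_OBJECT DriverObject, IN PUNICODE_STRING RegistryPath)
{
    UNICODE_STRING deviceName;
    UNICODE_STRING symLink;
    NTSTATUS status;
    PDEVICE_OBJECT deviceObject = NULL;
    HANDLE fileHandle;

    UNREFERENCED_PARAMETER(RegistryPath);

    RtlInitUnicodeString(&deviceName, NT_DEVICE_NAME);
    RtlInitUnicodeString(&symLink, DOS_DEVICE_NAME);

    status = IoCreateDevice(DriverObject, 0, &deviceName, FILE_DEVICE_UNKNOWN,
                            FILE_DEVICE_SECURE_OPEN, FALSE, &deviceObject);
    if (!NT_SUCCESS(status)) {
        return status;
    }

    status = IoCreateSymbolicLink(&symLink, &deviceName);
    if (!NT_SUCCESS(status)) {
        IoDeleteDevice(deviceObject);
        return status;
    }

    DriverObject->DriverUnload = SKillUnloadDriver;

    /*
     * The key part of the sample.
     * The access mask must be combined with bitwise '|'; the original used
     * logical '||', which collapses the whole mask to the value 1.
     */
    fileHandle = SkillIoOpenFile(L"\\??\\c:\\calc.exe",
                                 FILE_READ_ATTRIBUTES | FILE_WRITE_ATTRIBUTES,
                                 FILE_SHARE_DELETE);
    /* %p keeps the full handle value on 64-bit builds. */
    DbgPrint("hFileHandle:%p\n", fileHandle);

    /* To mark the file for deletion instead, call SKillDeleteFile(fileHandle)
     * here in place of SKillRenameFile. */
    if (fileHandle != NULL) {
        SKillRenameFile(fileHandle);
        ZwClose(fileHandle);
    }

    return STATUS_SUCCESS;
}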
发布于:2008-04-22 16:04
下了,试用中
发布于:2008-04-22 16:20
真不错!
看这个 code 学到了不少东西，强烈表扬，加油！注：测试时要在 c: 下创建一个名字为 calc.exe 的文件。
发布于:2008-04-22 16:43
文件删除也是不错的啊!
发布于:2008-04-22 17:55
那个是XiKug逆的360文件粉碎机。俺直接拿来用了,xixi。
发布于:2008-04-22 23:21
好东西,学习,谢谢!