[讨论]隐藏指定目录的文件
发表于: 2010-12-30 17:31 3492
看到专题下面有人说怎样隐藏指定目录的文件。我贴我的代码大家看看,呵呵,
/*
 * Hook replacement for ZwQueryDirectoryFile.
 *
 * Control flow as written: write the 8 saved bytes back over the patched
 * entry of the original routine (page protection disabled, IRQL raised for
 * the write), call the original, re-install the hook via Hook(), and then -
 * only for the FileBothDirectoryInformation class - walk the returned entries
 * and unlink the one whose reconstructed full path equals
 * L"C:\\symserver\\HideMe.txt" (case-insensitive compare).
 *
 * Parameters mirror the native routine: hFile is the directory handle being
 * enumerated, FileInformationBuffer / FileInformationBufferLength receive the
 * entries, FileInfoClass selects the entry layout.
 * Returns the status of the original call, or 0x80000006
 * (STATUS_NO_MORE_FILES) when the only entry in the buffer was the hidden one.
 *
 * Defender notes: this is a classic inline (byte-patch) hook of a kernel
 * export. The patch is detectable by comparing the first bytes of the routine
 * against the on-disk kernel image, and the hiding itself by cross-view
 * diffing a directory listing obtained through the API against one obtained
 * by parsing the volume directly. Kernel patch protection on 64-bit Windows
 * and driver signature enforcement are the platform mitigations against this
 * class of modification.
 *
 * NOTE(review): several kernel APIs below are used outside their documented
 * contracts (see the line comments). Observations only; code left as posted.
 */
NTSTATUS MyNtQueryDirectoryFile(IN HANDLE hFile,IN HANDLE hEvent OPTIONAL,IN PIO_APC_ROUTINE IoApcRoutine OPTIONAL,IN PVOID IoApcContext OPTIONAL,OUT PIO_STATUS_BLOCK pIoStatusBlock,OUT PVOID FileInformationBuffer,
IN ULONG FileInformationBufferLength,IN FILE_INFORMATION_CLASS FileInfoClass,IN BOOLEAN bReturnOnlyOneEntry,IN PUNICODE_STRING PathMask OPTIONAL,IN BOOLEAN bRestartQuery)
{
// First restore the original leading bytes of the hooked function.
KdPrint(("ZwQueryDirectoryFile Called!\n"));
// Unhook: make the code page writable and raise IRQL while the 8 original bytes are written back.
CancelPageProtection();
KIRQL vOldIRQL=KeRaiseIrqlToDpcLevel();
RtlCopyMemory(RealZwQueryDirectoryFile,mOldBytes,8*sizeof(BYTE));// restore the 8 bytes overwritten by the inline hook
KeLowerIrql(vOldIRQL);
RecoverPageProtection();
///////////////////////////////////////////////////////////////////////////////////////////////
UNICODE_STRING vStrHideFileName;
RtlInitUnicodeString(&vStrHideFileName,L"C:\\symserver\\HideMe.txt");// full path of the file to hide (hard-coded)
// Call through to the (now unpatched) original.
// NOTE(review): the 4th argument forwarded here is IoApcRoutine; IoApcContext is never passed through.
NTSTATUS rs=((REALNTQUERYDIRECTORYFILE)RealZwQueryDirectoryFile)(hFile,hEvent,IoApcRoutine,IoApcRoutine,pIoStatusBlock,FileInformationBuffer,FileInformationBufferLength,FileInfoClass,bReturnOnlyOneEntry,PathMask,bRestartQuery);
Hook();// re-install the inline hook (Hook() is not shown in this listing)
KdPrint(("CurrentFileInfoClass=%d\n ",FileInfoClass));
// Entries are filtered only for this one information class; every other class passes through unmodified.
if(NT_SUCCESS(rs) && FileInfoClass == FileBothDirectoryInformation)
{
PFILE_BOTH_DIR_INFORMATION pFileInfo;
PFILE_BOTH_DIR_INFORMATION pLastFileInfo;// previous entry, needed to unlink the last one
bool bLastOne;// `bool` without <stdbool.h>: this listing is compiled as C++
pFileInfo = (PFILE_BOTH_DIR_INFORMATION)FileInformationBuffer;
pLastFileInfo = NULL;
UNICODE_STRING vStrFilePath;// directory path (no drive, no file name)
UNICODE_STRING vStrCurrentFile;// name of the entry being examined
UNICODE_STRING vDosDeviceName;// drive letter / DOS device name of the volume
UNICODE_STRING vFinalFullPath;// drive + directory + "\" + name, compared against vStrHideFileName
WCHAR vpFileName[1024];// receives a FILE_NAME_INFORMATION
WCHAR vFinalPathBuffer[1024];// backing store for vFinalFullPath
UNICODE_STRING vDicimer;// path separator
RtlInitUnicodeString(&vDicimer,L"\\");
do
{
bLastOne = !( pFileInfo->NextEntryOffset );// NextEntryOffset == 0 marks the final entry in the buffer
RtlZeroMemory(vpFileName,sizeof(vpFileName));
// NOTE(review): three arguments here, unlike the two-argument RtlZeroMemory call on the line above.
RtlZeroMemory(vFinalPathBuffer,0,sizeof(vFinalPathBuffer));
IO_STATUS_BLOCK iostatus;
NTSTATUS res=ZwQueryInformationFile(hFile,&iostatus,(PFILE_NAME_INFORMATION)vpFileName,sizeof(vpFileName),FileNameInformation); // queries the directory's path; it excludes the drive name and the file name
if(NT_SUCCESS(res))
{
PFILE_NAME_INFORMATION pFileNameInfo=(PFILE_NAME_INFORMATION)vpFileName;
// FileName is a counted string; NUL termination here relies on the RtlZeroMemory above.
RtlInitUnicodeString(&vStrFilePath,pFileNameInfo->FileName);// path of the file
WCHAR vSingleFileName[1024];
RtlZeroMemory(vSingleFileName,sizeof(vSingleFileName));
// NOTE(review): FileNameLength is a byte count copied with no check against sizeof(vSingleFileName).
RtlCopyMemory(vSingleFileName,pFileInfo->FileName,pFileInfo->FileNameLength);
RtlInitUnicodeString(&vStrCurrentFile,vSingleFileName);// the file's name
PFILE_OBJECT pFileObject;
// NOTE(review): the reference taken here is never released; no ObDereferenceObject appears anywhere in this block.
res=ObReferenceObjectByHandle(hFile,NULL,*IoFileObjectType,KernelMode,(PVOID*)&pFileObject,NULL); if(!NT_SUCCESS(res))
{
KdPrint(("ObReferenceObjectByHandle Failed...\n"));
return rs;// give up filtering; the original result is returned unmodified
}
// NOTE(review): RtlVolumeDeviceToDosName allocates vDosDeviceName.Buffer; no free of it appears in this block.
// As rendered here everything after the first `//` - including the RtlInitEmptyUnicodeString call - is comment
// text, so vFinalFullPath is never initialized in this listing; presumably a line break lost in the paste.
RtlVolumeDeviceToDosName(pFileObject->DeviceObject,&vDosDeviceName);// get the volume's symbolic link (drive) name RtlInitEmptyUnicodeString(&vFinalFullPath,vFinalPathBuffer,sizeof(vFinalPathBuffer));// set up a large enough empty string
// Build "<drive><dir>[\]<name>" for comparison with the hard-coded target.
RtlAppendUnicodeStringToString(&vFinalFullPath,&vDosDeviceName);
RtlAppendUnicodeStringToString(&vFinalFullPath,&vStrFilePath);
if(vStrFilePath.Length>2)// no separator for the root directory: its path comes back as "\", one UNICODE char = 2 bytes
{
RtlAppendUnicodeStringToString(&vFinalFullPath,&vDicimer);
}
RtlAppendUnicodeStringToString(&vFinalFullPath,&vStrCurrentFile);
KdPrint(("FileName:%S \n",vFinalFullPath.Buffer));
}
else
{
KdPrint(("ZwQueryInfomationFile Failed...CODE: %d \n",res));
return rs;// return the original function's status
}
if(RtlCompareUnicodeString(&vStrHideFileName,&vFinalFullPath,TRUE)==0)// this is the file to hide (TRUE = case-insensitive)
{
DbgPrint("This Is The File We Want To Hide!\n");
if(bLastOne)
{
if(pFileInfo == (PFILE_BOTH_DIR_INFORMATION)FileInformationBuffer )
{
rs = 0x80000006;// STATUS_NO_MORE_FILES: the hidden entry was the only one in the buffer
}
else
{
pLastFileInfo->NextEntryOffset = 0;// drop the last entry by terminating the chain at the previous one
}
break;
}
else
{
// Shift the remaining entries down over the hidden one.
// NOTE(review): pointer-to-ULONG casts truncate on 64-bit; iPos/iLeft are signed int; the
// source and destination of this RtlCopyMemory overlap.
int iPos = ((ULONG)pFileInfo) - (ULONG)FileInformationBuffer;
int iLeft = (ULONG)FileInformationBufferLength - iPos - pFileInfo->NextEntryOffset;
RtlCopyMemory( (PVOID)pFileInfo, (PVOID)( (char *)pFileInfo + pFileInfo->NextEntryOffset ), (ULONG)iLeft );
continue;// in a do-while this jumps to the condition; bLastOne is false here, so the same slot (now holding the next entry) is re-examined
}
}
pLastFileInfo = pFileInfo;
pFileInfo = (PFILE_BOTH_DIR_INFORMATION)((char *)pFileInfo + pFileInfo->NextEntryOffset);
}while(!bLastOne);
}
///////////////////////////////////////////////////////////////////////////////////////////////
return rs;
}
我初步测试,没有问题,呵呵
/*
 * Hook replacement for ZwQueryDirectoryFile (second, identical copy of the
 * listing posted above).
 *
 * Control flow as written: write the 8 saved bytes back over the patched
 * entry of the original routine (page protection disabled, IRQL raised for
 * the write), call the original, re-install the hook via Hook(), and then -
 * only for the FileBothDirectoryInformation class - walk the returned entries
 * and unlink the one whose reconstructed full path equals
 * L"C:\\symserver\\HideMe.txt" (case-insensitive compare).
 *
 * Parameters mirror the native routine: hFile is the directory handle being
 * enumerated, FileInformationBuffer / FileInformationBufferLength receive the
 * entries, FileInfoClass selects the entry layout.
 * Returns the status of the original call, or 0x80000006
 * (STATUS_NO_MORE_FILES) when the only entry in the buffer was the hidden one.
 *
 * Defender notes: this is a classic inline (byte-patch) hook of a kernel
 * export. The patch is detectable by comparing the first bytes of the routine
 * against the on-disk kernel image, and the hiding itself by cross-view
 * diffing a directory listing obtained through the API against one obtained
 * by parsing the volume directly. Kernel patch protection on 64-bit Windows
 * and driver signature enforcement are the platform mitigations against this
 * class of modification.
 *
 * NOTE(review): several kernel APIs below are used outside their documented
 * contracts (see the line comments). Observations only; code left as posted.
 */
NTSTATUS MyNtQueryDirectoryFile(IN HANDLE hFile,IN HANDLE hEvent OPTIONAL,IN PIO_APC_ROUTINE IoApcRoutine OPTIONAL,IN PVOID IoApcContext OPTIONAL,OUT PIO_STATUS_BLOCK pIoStatusBlock,OUT PVOID FileInformationBuffer,
IN ULONG FileInformationBufferLength,IN FILE_INFORMATION_CLASS FileInfoClass,IN BOOLEAN bReturnOnlyOneEntry,IN PUNICODE_STRING PathMask OPTIONAL,IN BOOLEAN bRestartQuery)
{
// First restore the original leading bytes of the hooked function.
KdPrint(("ZwQueryDirectoryFile Called!\n"));
// Unhook: make the code page writable and raise IRQL while the 8 original bytes are written back.
CancelPageProtection();
KIRQL vOldIRQL=KeRaiseIrqlToDpcLevel();
RtlCopyMemory(RealZwQueryDirectoryFile,mOldBytes,8*sizeof(BYTE));// restore the 8 bytes overwritten by the inline hook
KeLowerIrql(vOldIRQL);
RecoverPageProtection();
///////////////////////////////////////////////////////////////////////////////////////////////
UNICODE_STRING vStrHideFileName;
RtlInitUnicodeString(&vStrHideFileName,L"C:\\symserver\\HideMe.txt");// full path of the file to hide (hard-coded)
// Call through to the (now unpatched) original.
// NOTE(review): the 4th argument forwarded here is IoApcRoutine; IoApcContext is never passed through.
NTSTATUS rs=((REALNTQUERYDIRECTORYFILE)RealZwQueryDirectoryFile)(hFile,hEvent,IoApcRoutine,IoApcRoutine,pIoStatusBlock,FileInformationBuffer,FileInformationBufferLength,FileInfoClass,bReturnOnlyOneEntry,PathMask,bRestartQuery);
Hook();// re-install the inline hook (Hook() is not shown in this listing)
KdPrint(("CurrentFileInfoClass=%d\n ",FileInfoClass));
// Entries are filtered only for this one information class; every other class passes through unmodified.
if(NT_SUCCESS(rs) && FileInfoClass == FileBothDirectoryInformation)
{
PFILE_BOTH_DIR_INFORMATION pFileInfo;
PFILE_BOTH_DIR_INFORMATION pLastFileInfo;// previous entry, needed to unlink the last one
bool bLastOne;// `bool` without <stdbool.h>: this listing is compiled as C++
pFileInfo = (PFILE_BOTH_DIR_INFORMATION)FileInformationBuffer;
pLastFileInfo = NULL;
UNICODE_STRING vStrFilePath;// directory path (no drive, no file name)
UNICODE_STRING vStrCurrentFile;// name of the entry being examined
UNICODE_STRING vDosDeviceName;// drive letter / DOS device name of the volume
UNICODE_STRING vFinalFullPath;// drive + directory + "\" + name, compared against vStrHideFileName
WCHAR vpFileName[1024];// receives a FILE_NAME_INFORMATION
WCHAR vFinalPathBuffer[1024];// backing store for vFinalFullPath
UNICODE_STRING vDicimer;// path separator
RtlInitUnicodeString(&vDicimer,L"\\");
do
{
bLastOne = !( pFileInfo->NextEntryOffset );// NextEntryOffset == 0 marks the final entry in the buffer
RtlZeroMemory(vpFileName,sizeof(vpFileName));
// NOTE(review): three arguments here, unlike the two-argument RtlZeroMemory call on the line above.
RtlZeroMemory(vFinalPathBuffer,0,sizeof(vFinalPathBuffer));
IO_STATUS_BLOCK iostatus;
NTSTATUS res=ZwQueryInformationFile(hFile,&iostatus,(PFILE_NAME_INFORMATION)vpFileName,sizeof(vpFileName),FileNameInformation); // queries the directory's path; it excludes the drive name and the file name
if(NT_SUCCESS(res))
{
PFILE_NAME_INFORMATION pFileNameInfo=(PFILE_NAME_INFORMATION)vpFileName;
// FileName is a counted string; NUL termination here relies on the RtlZeroMemory above.
RtlInitUnicodeString(&vStrFilePath,pFileNameInfo->FileName);// path of the file
WCHAR vSingleFileName[1024];
RtlZeroMemory(vSingleFileName,sizeof(vSingleFileName));
// NOTE(review): FileNameLength is a byte count copied with no check against sizeof(vSingleFileName).
RtlCopyMemory(vSingleFileName,pFileInfo->FileName,pFileInfo->FileNameLength);
RtlInitUnicodeString(&vStrCurrentFile,vSingleFileName);// the file's name
PFILE_OBJECT pFileObject;
// NOTE(review): the reference taken here is never released; no ObDereferenceObject appears anywhere in this block.
res=ObReferenceObjectByHandle(hFile,NULL,*IoFileObjectType,KernelMode,(PVOID*)&pFileObject,NULL); if(!NT_SUCCESS(res))
{
KdPrint(("ObReferenceObjectByHandle Failed...\n"));
return rs;// give up filtering; the original result is returned unmodified
}
// NOTE(review): RtlVolumeDeviceToDosName allocates vDosDeviceName.Buffer; no free of it appears in this block.
// As rendered here everything after the first `//` - including the RtlInitEmptyUnicodeString call - is comment
// text, so vFinalFullPath is never initialized in this listing; presumably a line break lost in the paste.
RtlVolumeDeviceToDosName(pFileObject->DeviceObject,&vDosDeviceName);// get the volume's symbolic link (drive) name RtlInitEmptyUnicodeString(&vFinalFullPath,vFinalPathBuffer,sizeof(vFinalPathBuffer));// set up a large enough empty string
// Build "<drive><dir>[\]<name>" for comparison with the hard-coded target.
RtlAppendUnicodeStringToString(&vFinalFullPath,&vDosDeviceName);
RtlAppendUnicodeStringToString(&vFinalFullPath,&vStrFilePath);
if(vStrFilePath.Length>2)// no separator for the root directory: its path comes back as "\", one UNICODE char = 2 bytes
{
RtlAppendUnicodeStringToString(&vFinalFullPath,&vDicimer);
}
RtlAppendUnicodeStringToString(&vFinalFullPath,&vStrCurrentFile);
KdPrint(("FileName:%S \n",vFinalFullPath.Buffer));
}
else
{
KdPrint(("ZwQueryInfomationFile Failed...CODE: %d \n",res));
return rs;// return the original function's status
}
if(RtlCompareUnicodeString(&vStrHideFileName,&vFinalFullPath,TRUE)==0)// this is the file to hide (TRUE = case-insensitive)
{
DbgPrint("This Is The File We Want To Hide!\n");
if(bLastOne)
{
if(pFileInfo == (PFILE_BOTH_DIR_INFORMATION)FileInformationBuffer )
{
rs = 0x80000006;// STATUS_NO_MORE_FILES: the hidden entry was the only one in the buffer
}
else
{
pLastFileInfo->NextEntryOffset = 0;// drop the last entry by terminating the chain at the previous one
}
break;
}
else
{
// Shift the remaining entries down over the hidden one.
// NOTE(review): pointer-to-ULONG casts truncate on 64-bit; iPos/iLeft are signed int; the
// source and destination of this RtlCopyMemory overlap.
int iPos = ((ULONG)pFileInfo) - (ULONG)FileInformationBuffer;
int iLeft = (ULONG)FileInformationBufferLength - iPos - pFileInfo->NextEntryOffset;
RtlCopyMemory( (PVOID)pFileInfo, (PVOID)( (char *)pFileInfo + pFileInfo->NextEntryOffset ), (ULONG)iLeft );
continue;// in a do-while this jumps to the condition; bLastOne is false here, so the same slot (now holding the next entry) is re-examined
}
}
pLastFileInfo = pFileInfo;
pFileInfo = (PFILE_BOTH_DIR_INFORMATION)((char *)pFileInfo + pFileInfo->NextEntryOffset);
}while(!bLastOne);
}
///////////////////////////////////////////////////////////////////////////////////////////////
return rs;
}
我初步测试,没有问题,呵呵