首页
社区
课程
招聘
问答 CTF 排行榜 知识库 工具下载 峰会 看雪商城 证书查询
  1. 社区
  2. 编程技术
    3. 发新帖
[求助]Hook ZwQueryDirectoryFile时遇到的问题……
发表于: 2011-2-11 13:55 4334

[求助]Hook ZwQueryDirectoryFile时遇到的问题……

corey 活跃值
2011-2-11 13:55
4334
我的代码跟网上主流的差不多 如下:
NTSTATUS NTAPI NewZwQueryDirectoryFile(
  IN HANDLE               FileHandle,
  IN HANDLE               Event OPTIONAL,
  IN PIO_APC_ROUTINE      ApcRoutine OPTIONAL,
  IN PVOID                ApcContext OPTIONAL,
  OUT PIO_STATUS_BLOCK    IoStatusBlock,
  OUT PVOID               FileInformation,
  IN ULONG                Length,
  IN FILE_INFORMATION_CLASS FileInformationClass,
  IN BOOLEAN              ReturnSingleEntry,
  IN PUNICODE_STRING      FileMask OPTIONAL,
  IN BOOLEAN              RestartScan )
{
		NTSTATUS ntStatus = OldZwQueryDirectoryFile(
			FileHandle,
			Event,
			ApcRoutine,
			ApcContext,
			IoStatusBlock,
			FileInformation,
			Length,
			FileInformationClass,
			ReturnSingleEntry,
			FileMask,
			RestartScan);
	__try
	{
		if(NT_SUCCESS(ntStatus) && (
			FileInformationClass == FileDirectoryInformation ||
			FileInformationClass == FileFullDirectoryInformation ||
			FileInformationClass == FileIdFullDirectoryInformation ||
			FileInformationClass == FileBothDirectoryInformation   ||
			FileInformationClass == FileIdBothDirectoryInformation ||
			FileInformationClass == FileNamesInformation 
			))
		{
			PVOID p = FileInformation;
			PVOID pLast = NULL;
			DWORD pLastOne = 0;
			KdPrint(("<--------\n"));
			do{
						if(RtlCompareMemory(FileHide::GetEntryFileName(p,FileInformationClass), m_wHideFile.Buffer,m_wHideFile.Length ) == m_wHideFile.Length )				{
					KdPrint(("[-]Hide.....\n"));
					pLastOne =FileHide::GetNextEntryOffset(p,FileInformationClass);
					if(pLastOne == 0)
					{
						if (p == FileInformation)
							ntStatus = STATUS_NO_MORE_FILES;
						else
							FileHide::SetNextEntryOffset(pLast,FileInformationClass, 0);
						break;
					}
					else
					{
						int iPos = ((ULONG)p) - (ULONG)FileInformation;
						int iLeft = (DWORD)Length - iPos - pLastOne;
						RtlCopyMemory(p,(PVOID)((char*)p + pLastOne),(DWORD)iLeft);
						KdPrint(("iPos:%ld\tLength:%ld\tiLeft:%ld\t,NextOffset:%ld\tpLastOne:%ld\tCurrent:0x%x\n",
							iPos,Length,iLeft,FileHide::GetNextEntryOffset(p,FileInformationClass),pLastOne,p));
						continue;
					}
				}
				pLast = p;
				p = ((char*)p + FileHide::GetNextEntryOffset(p,FileInformationClass));
			}while (pLastOne != 0);
			KdPrint(("-------->\n"));
		}
	}
		__except(EXCEPTION_EXECUTE_HANDLER)
		{
			KdPrint(("Catch a BSOD\n"));
			return ntStatus;
		}
	return ntStatus;
}


奇怪的是每次执行到pLastOne =FileHide::GetNextEntryOffset(p,FileInformationClass);的时候总是返回0,然后整个函数就直接返回STATUS_NO_MORE_FILES了,导致一个应该被隐藏的文件在文件夹里边,整个文件夹就什么也没有了……请问这个问题怎么解决啊……头疼了一天了

[注意]传递专业知识、拓宽行业人脉——看雪讲师团队等你加入!

收藏
免费 0
支持
分享
最新回复 (1)
corey
雪    币: 73
活跃值: (10)
能力值: ( LV2,RANK:10 )
在线值:
发帖
回帖
粉丝
私信
2
刚才忘记贴了
DWORD FileHide::GetNextEntryOffset(IN PVOID pData,IN FILE_INFORMATION_CLASS FileInfo)
{
	DWORD result = 0;
	
	switch(FileInfo){
	case FileDirectoryInformation:
		result = ((PFILE_DIRECTORY_INFORMATION)pData)->NextEntryOffset;
		break;
	case FileFullDirectoryInformation:
		result = ((PFILE_FULL_DIR_INFORMATION)pData)->NextEntryOffset;
		break;
	case FileIdFullDirectoryInformation:
		result = ((PFILE_ID_FULL_DIR_INFORMATION)pData)->NextEntryOffset;
		break;
	case FileBothDirectoryInformation:
		result = ((PFILE_BOTH_DIR_INFORMATION)pData)->NextEntryOffset;
		break;
	case FileIdBothDirectoryInformation:
		result = ((PFILE_ID_BOTH_DIR_INFORMATION)pData)->NextEntryOffset;
		break;
	case FileNamesInformation:
		result = ((PFILE_NAMES_INFORMATION)pData)->NextEntryOffset;
		break;
	}
	return result;
}
2011-2-11 13:57
0
游客
登录 | 注册 方可回帖
回帖 表情 雪币赚取及消费
高级回复
返回
//