-
-
[求助]ZwReadFile 读取MBR的问题
-
发表于:
2011-9-24 20:36
6801
-
ZwReadFile 读取MBR的时候出现了问题。
我以读取MBR结尾的55AA判定是否成功读取到MBR,但是始终没有成功。ring3成功了。
#define DISK_CLASS_NAME L"\\??\\PhysicalDrive0"
VOID
ReadMBR()
{
NTSTATUS Status;
IO_STATUS_BLOCK IoStatusBlock;
OBJECT_ATTRIBUTES ObjectAttributes;
HANDLE FileHandle;
UNICODE_STRING DeviceNameString;
UCHAR Buf[200] = {0};
LARGE_INTEGER ByteOffset = {0};
FILE_POSITION_INFORMATION FilePointerInformation;
RtlInitUnicodeString(&DeviceNameString,DISK_CLASS_NAME);
InitializeObjectAttributes(&ObjectAttributes,
&DeviceNameString,
OBJ_KERNEL_HANDLE,
NULL,
NULL);
Status = ZwOpenFile(&FileHandle,
GENERIC_READ | GENERIC_WRITE,
&ObjectAttributes,
&IoStatusBlock,
NULL,
FILE_NON_DIRECTORY_FILE);
if (NT_SUCCESS(Status))
{
DbgPrint("ZwCreateFile successfully!\n");
//return;
}
else
{
DbgPrint("ZwCreateFile failed!\n");
return;
}
//FilePointerInformation.CurrentByteOffset.QuadPart = 510;
//ByteOffset = FilePointerInformation.CurrentByteOffset;
ByteOffset.QuadPart = 510;
/*
Status = ZwSetInformationFile(FileHandle,
&IoStatusBlock,
&FilePointerInformation,
sizeof(FILE_POSITION_INFORMATION),
FilePositionInformation);
if(!NT_SUCCESS(Status))
{
DbgPrint("ZwQueryInformationFile\n");
return Status;
}
*/
Status = ZwReadFile(FileHandle,
NULL,
NULL,
NULL,
&IoStatusBlock,
Buf,
2,
&ByteOffset,
NULL);
if (NT_SUCCESS(Status))
{
DbgPrint("ZwReadFile successfully!\n");
DbgPrint("%02X\t%02X\n",Buf[0],Buf[1]);
}
else
{
DbgPrint("ZwReadFile failed!\n");
}
ZwClose(FileHandle);
}
[课程]FART 脱壳王!加量不加价!FART作者讲授!
