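/*++
Routine Description:
    Hook in place of ZwSetInformationFile.

    CheckAndRecordRenameInfor decides whether the request touches a protected
    object. If it does, the request is refused with STATUS_ACCESS_DENIED and
    the original service is never reached. Otherwise the original service is
    looked up (hook-table entry first, then the saved SSDT copy) and called;
    after a successful rename the path the helper produced is handed to
    SetNewQQPathAndProtectExePathInReg.

Arguments:
    Same as ZwSetInformationFile; all are passed through unchanged.

Return Value:
    STATUS_ACCESS_DENIED when blocked, STATUS_UNSUCCESSFUL when no usable
    original service address could be resolved, otherwise whatever the
    original service returns.
--*/
NTSTATUS
NTAPI
studZwSetInformationFile(
    IN HANDLE FileHandle,
    OUT PIO_STATUS_BLOCK IoStatusBlock,
    IN PVOID FileInformation,
    IN ULONG Length,
    IN FILE_INFORMATION_CLASS FileInformationClass
    )
{
    NTSTATUS status = STATUS_UNSUCCESSFUL;
    BOOLEAN bProtect = FALSE;
    PWSTR NewQQPathDir = NULL;          /* allocated by the helper; freed at exit */
    PZWSETINFORMATIONFILE OrgFuncAddr = NULL;

    bProtect = CheckAndRecordRenameInfor(FileHandle,
                                         IoStatusBlock,
                                         FileInformation,
                                         Length,
                                         FileInformationClass,
                                         &NewQQPathDir);
    if (bProtect)
    {
        status = STATUS_ACCESS_DENIED;
        goto exit;
    }

    /* Resolve the original service: the hook-table entry first ... */
    OrgFuncAddr = (PZWSETINFORMATIONFILE)
        g_BaseHookTbl[BaseHookId_ZwSetInformationFile].OriginalFuncAddress;
    if (!OrgFuncAddr || !MmIsAddressValid(OrgFuncAddr))
    {
        /* ... then the saved SSDT copy, if the recorded index is in range. */
        if (g_Org_Ssdt_Func_table != NULL &&
            (LONG)g_BaseHookTbl[BaseHookId_ZwSetInformationFile].IndexInSsdt >= 0 &&
            g_BaseHookTbl[BaseHookId_ZwSetInformationFile].IndexInSsdt < KeServiceDescriptorTable.NumberOfServices)
        {
            OrgFuncAddr = (PZWSETINFORMATIONFILE)
                g_Org_Ssdt_Func_table[g_BaseHookTbl[BaseHookId_ZwSetInformationFile].IndexInSsdt];
            if (!OrgFuncAddr)
            {
                OrgFuncAddr = (PZWSETINFORMATIONFILE)
                    g_BaseHookTbl[BaseHookId_ZwSetInformationFile].OriginalFuncAddress;
            }
        }
    }

    /* Neither source yielded a usable address: calling through a null or
       unmapped pointer would bring the system down, so fail the request
       instead (status is still STATUS_UNSUCCESSFUL). */
    if (!OrgFuncAddr || !MmIsAddressValid(OrgFuncAddr))
    {
        goto exit;
    }

    status = OrgFuncAddr(FileHandle,
                         IoStatusBlock,
                         FileInformation,
                         Length,
                         FileInformationClass);

    /* Only a rename that succeeded and for which the helper built a new
       path is recorded; '==' here, not an assignment. */
    if (FileInformationClass == FileRenameInformation &&
        NT_SUCCESS(status) &&
        NewQQPathDir != NULL)
    {
        SetNewQQPathAndProtectExePathInReg(NewQQPathDir);
    }

exit:
    if (NewQQPathDir)
    {
        ExFreePool(NewQQPathDir);
    }
    return status;
}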
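BOOLEAN
NTAPI
CheckAndRecordRenameInfor(
    IN HANDLE FileHandle,
    OUT PIO_STATUS_BLOCK IoStatusBlock,
    IN PVOID FileInformation,
    IN ULONG Length,
    IN FILE_INFORMATION_CLASS FileInformationClass,
    OUT PWSTR *NewQQPathDir)
/*++
Routine Description:
    Decides whether a ZwSetInformationFile request must be refused and, for a
    rename that is allowed, builds the destination path for the caller.

    The request is ignored (FALSE) unless file monitoring is on (g_bFileMon
    and bit 0x10 of g_GlobalControlBlock.MonFlag), the class is rename, link,
    disposition or allocation, the previous mode is user mode, FileHandle is
    non-null and the current process is not excluded by
    IsProcessInList5AndBelievable.

Arguments:
    FileHandle, IoStatusBlock, FileInformation, Length,
    FileInformationClass - the hooked call's arguments, passed through.
    NewQQPathDir - written only through MakeNewQQPathDir, for a rename that
        is not blocked; callers initialise it to NULL.

Return Value:
    TRUE when the object is protected and the request must be denied;
    FALSE otherwise. When TRUE, the request is also logged via
    RecordRequestFileInfor.

NOTE:
    the caller must call ExFreePool to free the memory that returned by NewQQPathDir
--*/
{
    /* NOTE(review): if MAX_UNICODE_STRING_CHARS is in the tens of thousands
       this buffer alone exceeds a kernel stack frame budget - confirm its
       value before relying on this path under load. */
    WCHAR FileName[MAX_UNICODE_STRING_CHARS + 1] = {0};
    IO_STATUS_BLOCK ioStatusBlock = {0};
    FILE_STANDARD_INFORMATION FileInfor = {0};
    HANDLE hFile = 0;
    BOOLEAN bResult = FALSE;
    size_t chars = 0;
    ULONG bytes = 0;
    ULONG current_pid = (ULONG)PsGetCurrentProcessId();
    REGISTRY_DB_HELPER_DATA HelperData = {0};
    PFILE_RENAME_INFORMATION RenameInfo = (PFILE_RENAME_INFORMATION)FileInformation;

    /* Only user-mode rename/link/delete/allocation requests are examined,
       and only while file monitoring is switched on. The literal 6 is the
       list id understood by IsProcessInList5AndBelievable (semantics not
       visible here). */
    if (!g_bFileMon ||
        !(g_GlobalControlBlock.MonFlag & 0x10) ||
        (FileInformationClass != FileRenameInformation &&
         FileInformationClass != FileLinkInformation &&
         FileInformationClass != FileDispositionInformation &&
         FileInformationClass != FileAllocationInformation) ||
        ExGetPreviousMode() == KernelMode ||
        FileHandle == 0 ||
        IsProcessInList5AndBelievable(current_pid, 6, NULL))
    {
        goto exit;
    }

    /* Work on a separate handle to the same file object (project helper
       DuplicateHandle) for the queries below; it is closed at exit. */
    if (!NT_SUCCESS(DuplicateHandle(FileHandle, *IoFileObjectType, &hFile)))
    {
        goto exit;
    }
    if (!NT_SUCCESS(ZwQueryInformationFile(hFile,
                                           &ioStatusBlock,
                                           &FileInfor,
                                           sizeof(FileInfor),
                                           FileStandardInformation)))
    {
        goto exit;
    }
    /* A file already marked for deletion is not examined further. */
    if (FileInfor.DeletePending)
    {
        goto exit;
    }

    bResult = GetFileDosDeviceNameByHandle(FileHandle, FileName, MAX_UNICODE_STRING_CHARS);
    if (!bResult)
    {
        goto exit;
    }
    AdjustPathString(FileName, MAX_UNICODE_STRING_CHARS);

    /* Strip one trailing backslash. chars may be 0 (the name helper can
       leave the buffer empty), so the index must be guarded. */
    chars = wcslen(FileName);
    if (chars > 0 && FileName[chars - 1] == L'\\')
    {
        FileName[chars - 1] = L'\0';
    }

    __try
    {
        HelperData.Unknown2 = 4;                 /* meaning not visible here */
        HelperData.Flags = FileInformationClass;
        HelperData.Pid = current_pid;
        bResult = IsFileNameProtectedFile(FileName, MAX_UNICODE_STRING_CHARS, 0, &HelperData);
    }
    __except (EXCEPTION_EXECUTE_HANDLER)
    {
        KdPrint(("Exception occurred in CheckAndRecordRenameInfor 1 \n"));
    }

    /* Already protected, or not a rename: nothing more to record. */
    if (bResult ||
        FileInformationClass != FileRenameInformation ||
        FileInformation == NULL)
    {
        goto exit;
    }

    /* FileInformation is a user-mode buffer (previous mode was checked
       above): every access stays inside __try and each region is handed to
       VerifyAndHashMemory (presumably a probe) before it is read.
       NOTE(review): the original service reads the same buffer again after
       this hook returns, so the name examined here can differ from the one
       the service acts on; a decision based on this copy is advisory only.
       NOTE(review): AdjustPathString is applied to the caller's buffer in
       place, so the original service sees the adjusted name - confirm that
       this is intended. */
    __try
    {
        VerifyAndHashMemory(FileInformation, sizeof(FILE_RENAME_INFORMATION), 4);
        bytes = RenameInfo->FileNameLength;
        if (bytes)
        {
            VerifyAndHashMemory(RenameInfo->FileName, bytes, sizeof(WCHAR));
            /* Explicit grouping of the "A || B && C" condition: a non-directory,
               or a directory that neither table lists, yields a new path;
               a listed directory sets bResult (deny) and is only logged. */
            if (!IsFileDirectory(hFile) ||
                (!(bResult = IsDirectoryInQQSubBinDirTbl(FileName, MAX_UNICODE_STRING_CHARS)) &&
                 !(bResult = IsDirectoryInMyProtectedDataFileDir(RenameInfo->FileName,
                                                                 bytes / sizeof(WCHAR)))))
            {
                AdjustPathString(RenameInfo->FileName, (USHORT)(bytes / sizeof(WCHAR)));
                MakeNewQQPathDir(FileName,
                                 RenameInfo->FileName,
                                 bytes / sizeof(WCHAR),
                                 NewQQPathDir);
            }
        }
    }
    __except (EXCEPTION_EXECUTE_HANDLER)
    {
        KdPrint(("Exception occurred in CheckAndRecordRenameInfor 2 \n"));
    }

exit:
    if (hFile)
    {
        ZwClose(hFile);
        hFile = 0;
    }
    /* The literals 6 and 4 are record ids understood by RecordRequestFileInfor
       (semantics not visible here). */
    if (bResult)
    {
        RecordRequestFileInfor(6, current_pid, FileName, MAX_UNICODE_STRING_CHARS, 4, FALSE);
    }
    return bResult;
}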