如何试用Hook ZwQueryDirectoryFile的方法隐藏文件? |
这是参考一位大大的BCB范例改的,能够HOOK成功,但过滤部分不知道如何写?请各位大大帮忙。 Help Me!
// Replacement routine installed over ZwQueryDirectoryFile. It forwards every
// call to the saved original (TrueZwQueryDirectoryFile) and, when that call
// succeeded and the caller asked for FileBothDirectoryInformation, walks the
// returned FILE_BOTH_DIR_INFORMATION entries. The "filter" the post asks about
// is not present: nothing in this routine modifies the buffer, so callers still
// receive the complete listing and the original status code.
//
// Defender's view: a detour on this API is the textbook pattern for hiding
// entries from directory enumeration. It is detected by cross-view comparison
// (parsing the volume directly and diffing against what the API reports) and
// by integrity checks on the hooked export / service-table slot. Anti-tamper
// tooling should treat any writable redirection of this function as hostile.
//
// Returns: the NTSTATUS produced by the original ZwQueryDirectoryFile.
function NewZwQueryDirectoryFile(FileHandle: THANDLE; Event: THANDLE; ApcRoutine: PIO_APC_ROUTINE; ApcContext: PVOID; IoStatusBlock: PIO_STATUS_BLOCK; FileInformation: PVOID; FileInformationLength: ULONG; FileInformationClass: DWORD; ReturnSingleEntry: Bool; FileName: PUnicodeString; RestartScan: Bool): NTStatus; stdcall;
// Nested helper: copies a NUL-terminated wide string into a temporary ANSI
// buffer and returns it as a Pascal string. It is never called from the body
// below (dead code as posted).
function PWideToString( pw : PWideChar ) : string;
var p : PChar; iLen : integer;
begin
  {Get memory for the string}
  // NOTE(review): the `+` between lstrlenw( pw ) and 1 looks like it was lost
  // when the post was extracted; as printed this line does not compile.
  iLen := lstrlenw( pw ) 1;
  GetMem( p, iLen );
  {Convert a unicode (PWideChar) to a string}
  WideCharToMultiByte( CP_ACP, 0, pw, iLen, p, iLen * 2, nil, nil );
  Result := p;
  FreeMem( p, iLen );
end;
Var
  rc : NTStatus;
  // CR0VALUE, HideDirFile, bLastOne, iPos, iLeft and sPWS are declared but
  // never used in the body as posted.
  CR0VALUE : ULONG;
  ansiFileName,ansiDirName,HideDirFile : PAnsiString;
  uniFileName : PUnicodeString;
  pFileInfo : PFILE_BOTH_DIR_INFORMATION;
  bLastOne : BOOL;
  iPos, iLeft : Integer;
  sPWS : PWideChar;
begin
  //RtlInitAnsiString(HideDirFile, 'HIDEPROCESS.EXE');
  // Always let the real implementation run first; the hook only inspects the
  // result afterwards.
  rc := TrueZwQueryDirectoryFile(FileHandle, Event, ApcRoutine, ApcContext, IoStatusBlock, FileInformation, FileInformationLength, FileInformationClass, ReturnSingleEntry, FileName, RestartScan);
  // Only the FileBothDirectoryInformation layout is walked; every other
  // information class is passed through untouched.
  if (rc = STATUS_SUCCESS) And (FileInformationClass=FileBothDirectoryInformation) then
  begin
    pFileInfo := PFILE_BOTH_DIR_INFORMATION(FileInformation);
    // Walk the variable-length entry chain; NextEntryOffset of 0 marks the
    // last entry (the loop condition therefore stops before visiting it).
    While pFileInfo.NextEntryOffset<>0 Do
    begin
      // NOTE(review): uniFileName, ansiFileName and ansiDirName are pointer
      // locals that are never assigned before being handed to the Rtl* calls
      // below, so these calls write through indeterminate pointers. This is
      // an instability hazard for whatever process or kernel the hook lives
      // in, and is the likely reason the author sees no name (see comment
      // below).
      RtlInitUnicodeString(uniFileName,pFileInfo.FileName);
      RtlUnicodeStringToAnsiString(ansiFileName,uniFileName,TRUE);
      RtlUnicodeStringToAnsiString(ansiDirName,ansiDirName,TRUE);
      RtlUpperString(ansiFileName,ansiDirName);
      //ansiFileName.Buffer -> the file name is never actually obtained here
      //filtering........
      //...........
      // NOTE(review): as with lstrlenw above, the `+` before
      // pFileInfo.NextEntryOffset appears to have been dropped in extraction.
      pFileInfo := PFILE_BOTH_DIR_INFORMATION(PChar(pFileInfo) pFileInfo.NextEntryOffset);
    end;
  end;
  // Freed once, after the loop, regardless of whether the loop ran.
  RtlFreeAnsiString(ansiDirName);
  RtlFreeAnsiString(ansiFileName);
  Result := rc;
end;