SHGetFolderPathA

该API用于获取由CSIDL标识的特殊文件路径,恶意软件常用该API获取一些系统路径释放文件,该API的关键参数是CSIDL

由于此API由shlobj_core.h定义,可以直接使用everthing搜索本机的shlobj_core.h查看
image.png

搜索 #define CSIDL_ 即可得到想要的结果
image.png

记录下:

define CSIDL_DESKTOP 0x0000 //


#define CSIDLINTERNET 0x0001 // Internet Explorer (icon on desktop)
#define CSIDL_PROGRAMS 0x0002 // Start Menu\Programs
#define CSIDL_CONTROLS 0x0003 // My Computer\Control Panel
#define CSIDL_PRINTERS 0x0004 // My Computer\Printers
#define CSIDL_PERSONAL 0x0005 // My Documents
#define CSIDL_FAVORITES 0x0006 // \Favorites
#define CSIDL_STARTUP 0x0007 // Start Menu\Programs\Startup
#define CSIDL_RECENT 0x0008 // \Recent
#define CSIDL_SENDTO 0x0009 // \SendTo
#define CSIDL_BITBUCKET 0x000a // \Recycle Bin
#define CSIDL_STARTMENU 0x000b // \Start Menu
#define CSIDL_MYDOCUMENTS CSIDL_PERSONAL // Personal was just a silly name for My Documents
#define CSIDL_MYMUSIC 0x000d // “My Music” folder
#define CSIDL_MYVIDEO 0x000e // “My Videos” folder
#define CSIDL_DESKTOPDIRECTORY 0x0010 // \Desktop
#define CSIDL_DRIVES 0x0011 // My Computer
#define CSIDL_NETWORK 0x0012 // Network Neighborhood (My Network Places)
#define CSIDL_NETHOOD 0x0013 // \nethood
#define CSIDL_FONTS 0x0014 // windows\fonts
#define CSIDL_TEMPLATES 0x0015
#define CSIDL_COMMON_STARTMENU 0x0016 // All Users\Start Menu
#define CSIDL_COMMON_PROGRAMS 0X0017 // All Users\Start Menu\Programs
#define CSIDL_COMMON_STARTUP 0x0018 // All Users\Startup
#define CSIDL_COMMON_DESKTOPDIRECTORY 0x0019 // All Users\Desktop
#define CSIDL_APPDATA 0x001a // \Application Data
#define CSIDL_PRINTHOOD 0x001b // \PrintHood

#ifndef CSIDL_LOCAL_APPDATA
#define CSIDL_LOCAL_APPDATA 0x001c // \Local Settings\Applicaiton Data (non roaming)
#endif // CSIDL_LOCAL_APPDATA

#define CSIDL_ALTSTARTUP 0x001d // non localized startup
#define CSIDL_COMMON_ALTSTARTUP 0x001e // non localized common startup
#define CSIDL_COMMON_FAVORITES 0x001f

#ifndef _SHFOLDER_H
#define CSIDLINTERNET_CACHE 0x0020
#define CSIDL_COOKIES 0x0021
#define CSIDL_HISTORY 0x0022
#define CSIDL_COMMON_APPDATA 0x0023 // All Users\Application Data
#define CSIDL_WINDOWS 0x0024 // GetWindowsDirectory()
#define CSIDL_SYSTEM 0x0025 // GetSystemDirectory()
#define CSIDL_PROGRAM_FILES 0x0026 // C:\Program Files
#define CSIDL_MYPICTURES 0x0027 // C:\Program Files\My Pictures
#endif // _SHFOLDER_H

#define CSIDLPROFILE 0x0028 // USERPROFILE
#define CSIDL_SYSTEMX86 0x0029 // x86 system directory on RISC
#define CSIDL_PROGRAM_FILESX86 0x002a // x86 C:\Program Files on RISC

#ifndef _SHFOLDER_H
#define CSIDLPROGRAM_FILES_COMMON 0x002b // C:\Program Files\Common
#endif // _SHFOLDER_H

#define CSIDLPROGRAM_FILES_COMMONX86 0x002c // x86 Program Files\Common on RISC
#define CSIDL_COMMON_TEMPLATES 0x002d // All Users\Templates

#ifndef _SHFOLDER_H
#define CSIDLCOMMON_DOCUMENTS 0x002e // All Users\Documents
#define CSIDL_COMMON_ADMINTOOLS 0x002f // All Users\Start Menu\Programs\Administrative Tools
#define CSIDL_ADMINTOOLS 0x0030 // \Start Menu\Programs\Administrative Tools
#endif // _SHFOLDER_H

#define CSIDLCONNECTIONS 0x0031 // Network and Dial-up Connections
#define CSIDL_COMMON_MUSIC 0x0035 // All Users\My Music
#define CSIDL_COMMON_PICTURES 0x0036 // All Users\My Pictures
#define CSIDL_COMMON_VIDEO 0x0037 // All Users\My Video
#define CSIDL_RESOURCES 0x0038 // Resource Direcotry

#ifndef _SHFOLDER_H
#define CSIDLRESOURCES_LOCALIZED 0x0039 // Localized Resource Direcotry
#endif // _SHFOLDER_H

#define CSIDL_COMMON_OEM_LINKS 0x003a // Links to All Users OEM specific apps
#define CSIDL_CDBURN_AREA 0x003b // USERPROFILE\Local Settings\Application Data\Microsoft\CD