打开/创建文件
- 初始化对象属性
- InitializeObjectAttributes();有5个参数
- 第一个为对象属性
- 第二个为unicode 文件路径(符号链接路径)
- 第三个为属性，我们设置为 OBJ_CASE_INSENSITIVE（路径匹配不区分大小写）和 OBJ_KERNEL_HANDLE（内核句柄）
- 最后两个参数不经常使用，设置为 NULL
- 创建文件 ZwCreateFile 包含大量参数,并且每个参数包含很多选项
- 第一个参数为文件handle
- 第二个为访问类型:GENERIC_READ OR GENERIC_WRITE
- 第三个为obj 初始化对象
- 第四个为IO_STATUS_BLOCK类型的值
- 第五个为 AllocationSize，通常设置为 NULL，我们的文件从 0 字节开始
- 下一个为文件属性 我们使用normal
- 接下来是共享模式，最常用的是共享读取或共享写入；如果只设置了共享写入（没有共享读取），那么其他模块以读访问打开该文件时将会失败
- 下一个为 CreateDisposition：我们使用 FILE_OPEN_IF，文件不存在时会自动创建，否则打开它
- FILE_NON_DIRECTORY_FILE 表示目标文件不是目录
- FILE_SYNCHRONOUS_IO_NONALERT 表示进行同步操作：函数返回时，文件操作已经完成
- 最后两个参数是可选的。
```c
include
/**
 * Driver unload callback.
 *
 * Nothing was allocated in DriverEntry that outlives it, so the only
 * work here is a debug trace.
 *
 * @param DriverObject  The driver being unloaded (not used).
 */
VOID Unload(IN PDRIVER_OBJECT DriverObject) {
    UNREFERENCED_PARAMETER(DriverObject);
    DbgPrint("driver unload\r\n");
}
/**
 * Driver entry point: registers the unload routine, then opens
 * (creating it if absent) \??\c:\1.txt for read access and closes it
 * again.
 *
 * @param DriverObject  Driver object supplied by the I/O manager.
 * @param RegisteryPath Registry service key path (not used).
 * @return Always STATUS_SUCCESS; a failed open is only traced, so the
 *         driver still loads and can be unloaded.
 */
NTSTATUS DriverEntry(IN PDRIVER_OBJECT DriverObject, IN PUNICODE_STRING RegisteryPath) {
    HANDLE hFile = NULL;
    IO_STATUS_BLOCK ioStatus = { 0 };
    OBJECT_ATTRIBUTES attrs;
    /* \??\ is the DosDevices prefix; in DriverEntry this runs in the System
       process, so it is resolved through the global device map. */
    UNICODE_STRING path = RTL_CONSTANT_STRING(L"\\??\\c:\\1.txt");
    NTSTATUS status;

    UNREFERENCED_PARAMETER(RegisteryPath);
    DriverObject->DriverUnload = Unload;

    /* OBJ_KERNEL_HANDLE keeps the handle in the kernel handle table, out of
       reach of the current user-mode process. */
    InitializeObjectAttributes(&attrs, &path,
                               OBJ_CASE_INSENSITIVE | OBJ_KERNEL_HANDLE,
                               NULL, NULL);

    /* FILE_OPEN_IF: open the file if it exists, create it otherwise.
       FILE_SYNCHRONOUS_IO_NONALERT: the call returns once the I/O is done. */
    status = ZwCreateFile(&hFile,
                          GENERIC_READ,
                          &attrs,
                          &ioStatus,
                          NULL,                      /* AllocationSize */
                          FILE_ATTRIBUTE_NORMAL,
                          FILE_SHARE_READ,
                          FILE_OPEN_IF,
                          FILE_NON_DIRECTORY_FILE | FILE_SYNCHRONOUS_IO_NONALERT,
                          NULL, 0);                  /* EaBuffer, EaLength */
    if (!NT_SUCCESS(status)) {
        DbgPrint("create file failed \r\n");
    }

    /* ZwCreateFile leaves hFile untouched on failure, so NULL means nothing to close. */
    if (hFile != NULL) {
        ZwClose(hFile);
    }
    return STATUS_SUCCESS;
}
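<a name="nrPjv"></a># 文件拷贝创建文件用 FILE_OPEN_IF<br />读取存在的文件用 FILE_OPEN<br />写入文件 需要把权限加上读取权限,GENERIC_READ | GENERIC_WRITE
```c
#include <ntddk.h>

/* Pool tag for the copy buffer (shows up as 'elif' in pool dumps). */
#define tag 'file'

/* Driver unload callback: nothing to release, only a trace. */
VOID Unload(IN PDRIVER_OBJECT DriverObject) {
    UNREFERENCED_PARAMETER(DriverObject);
    DbgPrint("driver unload\r\n");
}

/**
 * Copy the whole contents of fileR to filew, 4096 bytes at a time.
 *
 * Both handles must have been opened with FILE_SYNCHRONOUS_IO_NONALERT so
 * that ZwReadFile/ZwWriteFile have completed when they return; fileR needs
 * read access and filew write access. The caller keeps ownership of both
 * handles and closes them.
 *
 * @param fileR  Source file handle.
 * @param filew  Destination file handle.
 * @return STATUS_SUCCESS once the end of fileR is reached; otherwise the
 *         NTSTATUS of the failing allocation, read or write.
 */
NTSTATUS copyfile(HANDLE fileR, HANDLE filew) {
    NTSTATUS status;
    IO_STATUS_BLOCK iostatusblock = { 0 };
    LARGE_INTEGER offset = { 0 };
    const ULONG chunk = 4096;
    ULONG length;
    PVOID buffer;

    buffer = ExAllocatePoolWithTag(NonPagedPool, chunk, tag);
    if (buffer == NULL) {
        return STATUS_INSUFFICIENT_RESOURCES;
    }

    for (;;) {
        status = ZwReadFile(fileR, NULL, NULL, NULL, &iostatusblock,
                            buffer, chunk, &offset, NULL);
        if (status == STATUS_END_OF_FILE) {
            /* Normal termination: everything has been copied. */
            DbgPrint("file end\r\n");
            status = STATUS_SUCCESS;
            break;
        }
        if (!NT_SUCCESS(status)) {
            break;
        }

        /* Information holds the byte count actually read. A successful
           zero-byte read also means there is nothing left; without this
           guard the loop would spin forever on such a driver. */
        length = (ULONG)iostatusblock.Information;
        if (length == 0) {
            break;
        }

        status = ZwWriteFile(filew, NULL, NULL, NULL, &iostatusblock,
                             buffer, length, &offset, NULL);
        if (!NT_SUCCESS(status)) {
            break;
        }
        offset.QuadPart += length;
    }

    /* buffer is never NULL here (ExFreePool* on NULL bug-checks). */
    ExFreePoolWithTag(buffer, tag);
    return status;
}

/**
 * Driver entry point: copies \??\c:\2.txt to \??\c:\1.txt.
 *
 * @param DriverObject  Driver object supplied by the I/O manager.
 * @param RegisteryPath Registry service key path (not used).
 * @return Always STATUS_SUCCESS; failures are only traced so the driver
 *         still loads and can be unloaded.
 */
NTSTATUS DriverEntry(IN PDRIVER_OBJECT DriverObject, IN PUNICODE_STRING RegisteryPath) {
    NTSTATUS status;
    HANDLE filehandleW = NULL, filehandleR = NULL;
    IO_STATUS_BLOCK iostatusblokR = { 0 };
    IO_STATUS_BLOCK iostatusblokW = { 0 };
    OBJECT_ATTRIBUTES object_attributeR;
    OBJECT_ATTRIBUTES object_attributeW;
    UNICODE_STRING filenameW = RTL_CONSTANT_STRING(L"\\??\\c:\\1.txt");
    UNICODE_STRING filenameR = RTL_CONSTANT_STRING(L"\\??\\c:\\2.txt");

    UNREFERENCED_PARAMETER(RegisteryPath);
    DriverObject->DriverUnload = Unload;

    /* Open the source first: if it is missing there is no point creating
       (or truncating) the destination. GENERIC_READ is all the copy needs,
       and it also lets a read-only source be opened. */
    InitializeObjectAttributes(&object_attributeR, &filenameR,
                               OBJ_CASE_INSENSITIVE | OBJ_KERNEL_HANDLE,
                               NULL, NULL);
    status = ZwCreateFile(&filehandleR, GENERIC_READ, &object_attributeR,
                          &iostatusblokR, NULL, FILE_ATTRIBUTE_NORMAL,
                          FILE_SHARE_READ, FILE_OPEN,
                          FILE_NON_DIRECTORY_FILE | FILE_SYNCHRONOUS_IO_NONALERT,
                          NULL, 0);
    if (!NT_SUCCESS(status)) {
        DbgPrint("open file failed \r\n");
        goto end;
    }

    /* Destination: FILE_OVERWRITE_IF creates the file when absent and
       truncates it when present, so copying a shorter source does not leave
       the tail of the old 1.txt behind (FILE_OPEN_IF would keep it). */
    InitializeObjectAttributes(&object_attributeW, &filenameW,
                               OBJ_CASE_INSENSITIVE | OBJ_KERNEL_HANDLE,
                               NULL, NULL);
    status = ZwCreateFile(&filehandleW, GENERIC_READ | GENERIC_WRITE,
                          &object_attributeW, &iostatusblokW, NULL,
                          FILE_ATTRIBUTE_NORMAL, FILE_SHARE_READ,
                          FILE_OVERWRITE_IF,
                          FILE_NON_DIRECTORY_FILE | FILE_SYNCHRONOUS_IO_NONALERT,
                          NULL, 0);
    if (!NT_SUCCESS(status)) {
        DbgPrint("create file failed \r\n");
        goto end;
    }

    status = copyfile(filehandleR, filehandleW);
    if (!NT_SUCCESS(status)) {
        DbgPrint("writing file failed!\r\n");
        goto end;
    }

end:
    /* ZwCreateFile leaves the handle untouched on failure, so NULL means
       nothing to close. */
    if (filehandleW != NULL) {
        ZwClose(filehandleW);
    }
    if (filehandleR != NULL) {
        ZwClose(filehandleR);
    }
    return STATUS_SUCCESS;
}
```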
获取文件大小
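#include <ntddk.h>

/* Driver unload callback: nothing to release, only a trace. */
VOID Unload(IN PDRIVER_OBJECT DriverObject) {
    UNREFERENCED_PARAMETER(DriverObject);
    DbgPrint("driver unload\r\n");
}

/**
 * Driver entry point: opens \??\c:\2.txt read-only, queries its size with
 * FileStandardInformation and prints it.
 *
 * @param DriverObject  Driver object supplied by the I/O manager.
 * @param RegisteryPath Registry service key path (not used).
 * @return Always STATUS_SUCCESS; failures are only traced so the driver
 *         still loads and can be unloaded.
 */
NTSTATUS DriverEntry(IN PDRIVER_OBJECT DriverObject, IN PUNICODE_STRING RegisteryPath) {
    NTSTATUS status;
    HANDLE filehandleR = NULL;
    IO_STATUS_BLOCK iostatusblokR = { 0 };
    OBJECT_ATTRIBUTES object_attributeR;
    FILE_STANDARD_INFORMATION fileinfo = { 0 };
    UNICODE_STRING filenameR = RTL_CONSTANT_STRING(L"\\??\\c:\\2.txt");

    UNREFERENCED_PARAMETER(RegisteryPath);
    DriverObject->DriverUnload = Unload;

    InitializeObjectAttributes(&object_attributeR, &filenameR,
                               OBJ_CASE_INSENSITIVE | OBJ_KERNEL_HANDLE,
                               NULL, NULL);
    status = ZwCreateFile(&filehandleR, GENERIC_READ, &object_attributeR,
                          &iostatusblokR, NULL, FILE_ATTRIBUTE_NORMAL,
                          FILE_SHARE_READ, FILE_OPEN,
                          FILE_NON_DIRECTORY_FILE | FILE_SYNCHRONOUS_IO_NONALERT,
                          NULL, 0);
    /* Previously the open result was never checked and a NULL handle was
       passed on to ZwQueryInformationFile. */
    if (!NT_SUCCESS(status)) {
        DbgPrint("open file failed \r\n");
        return STATUS_SUCCESS;
    }

    status = ZwQueryInformationFile(filehandleR,              /* file handle */
                                    &iostatusblokR,
                                    &fileinfo,                /* output structure */
                                    sizeof(fileinfo),         /* its size */
                                    FileStandardInformation); /* information class */
    if (NT_SUCCESS(status)) {
        /* The size is in EndOfFile.QuadPart, a LONGLONG: "%d" would only
           consume the low 32 bits and mismatch the argument type. */
        DbgPrint("file size is:%I64d \r\n", fileinfo.EndOfFile.QuadPart);
    }

    /* The original never closed the handle, leaking it for the life of the system. */
    ZwClose(filehandleR);
    return STATUS_SUCCESS;
}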
删除文件
我们需要包含 ntifs.h 头文件
删除文件非常简单：我们不需要先打开文件，只需要初始化一个指定了文件路径的对象属性，然后调用 ZwDeleteFile
如果在自己的程序中,即包含ntddk.h和ntifs.h的时候,编译的时候会出现如下编译错误:
7600.16385.0\inc\ddk\ntifs.h(85) : error C2371: ‘PEPROCESS’ : redefinition; different basic types,7600.16385.0\inc\ddk\wdm.h(79) : see declaration of ‘PEPROCESS’
解决方法是先 include ntifs.h，然后再 include ntddk.h。
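/* ntifs.h must come before ntddk.h, otherwise PEPROCESS is redefined
   (error C2371); the leading '#' of this line had been lost. */
#include <ntifs.h>
#include <ntddk.h>

/* Driver unload callback: nothing to release, only a trace. */
VOID Unload(IN PDRIVER_OBJECT DriverObject) {
    UNREFERENCED_PARAMETER(DriverObject);
    DbgPrint("driver unload\r\n");
}

/**
 * Driver entry point: deletes \??\C:\2.txt without opening it first.
 *
 * ZwDeleteFile only needs the object attributes naming the file; there is
 * no handle to close afterwards.
 *
 * @param DriverObject  Driver object supplied by the I/O manager.
 * @param RegisteryPath Registry service key path (not used).
 * @return Always STATUS_SUCCESS; a failed delete is only traced.
 */
NTSTATUS DriverEntry(IN PDRIVER_OBJECT DriverObject, IN PUNICODE_STRING RegisteryPath) {
    NTSTATUS status;
    OBJECT_ATTRIBUTES object_attributeR;
    UNICODE_STRING filenameR = RTL_CONSTANT_STRING(L"\\??\\C:\\2.txt");

    UNREFERENCED_PARAMETER(RegisteryPath);
    DriverObject->DriverUnload = Unload;

    InitializeObjectAttributes(&object_attributeR, &filenameR,
                               OBJ_CASE_INSENSITIVE | OBJ_KERNEL_HANDLE,
                               NULL, NULL);
    status = ZwDeleteFile(&object_attributeR);
    if (NT_SUCCESS(status)) {
        DbgPrint("del file \r\n");
    } else {
        /* The original stayed silent on failure; the status code says why
           (missing file, sharing violation, access denied, ...). */
        DbgPrint("del file failed: 0x%08X\r\n", status);
    }
    return STATUS_SUCCESS;
}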
