关于文件隐藏问题。
NTSTATUS
HookNtQueryDirectoryFile(IN HANDLE FileHandle,
IN HANDLE Event OPTIONAL,
IN PIO_APC_ROUTINE ApcRoutine OPTIONAL,
IN PVOID ApcContext OPTIONAL,
OUT PIO_STATUS_BLOCK IoStatusBlock,
OUT PVOID FileInformation,
IN ULONG FileInformationLength,
IN FILE_INFORMATION_CLASS FileInformationClass,
IN ULONG ReturnSingleEntry,
IN PUNICODE_STRING FileName OPTIONAL,
IN ULONG RestartScan)
{
NTSTATUS ret;
ULONG CR0VALUE;
ANSI_STRING ansiPathName,ansiFileName;
UNICODE_STRING uniPathName;
PCWSTR pProcPath = NULL;
ULONG name_length;
char buff[1024] = {0};
DWORD dwProId = -1;
BOOLEAN bToLong = FALSE;
ret = ((NtQUERYDIRECTORYFILE)(OldNtQueryDirectoryFile))(
FileHandle,
Event,
ApcRoutine,
ApcContext,
IoStatusBlock,
FileInformation,
FileInformationLength,
FileInformationClass,
ReturnSingleEntry,
FileName,
RestartScan
);
if (!NT_SUCCESS(ret))
return ret;
if( !g_bClientRuning )
return ret;
/*对返回结果进行处理*/
switch(FileInformationClass)
{
case FileBothDirectoryInformation:
case FileDirectoryInformation:
case FileFullDirectoryInformation:
case FileIdBothDirectoryInformation:
case FileIdFullDirectoryInformation:
case FileNamesInformation:
{
PFILE_LIST now,last = NULL;
ULONG name_length;
PWCHAR file_name;
now = (PFILE_LIST)FileInformation;
while( now != NULL )
{
GetDosNameChar(FileHandle);
RtlInitUnicodeString( &uniPathName,FileDirectory );
RtlUnicodeStringToAnsiString( &ansiPathName , &uniPathName , TRUE );
name_length = GetFileName(FileInformationClass,now);
//RtlInitUnicodeString( &uniFileName , L"2.txt" );
RtlUnicodeStringToAnsiString(&ansiFileName,&uniFileName,TRUE);
strcpy( buff , ansiPathName.Buffer );
strcat( buff , "\\" );
strcat( buff , ansiFileName.Buffer );
if ( InHideFileList( buff ) )
{
DbgPrint( "是要隐藏的文件" );
if( NULL != last )
{
if( now->NextEntryOffset != 0 )
{
DbgPrint( "NULL != last if( now->NextEntryOffset != 0 )" );
last->NextEntryOffset += now->NextEntryOffset;
}
else
{
DbgPrint( "NULL != last else if( now->NextEntryOffset != 0 )" );
last->NextEntryOffset = 0;
}
}
else
{
if( now->NextEntryOffset == 0 )
{
RtlZeroMemory(FileInformation,FileInformationLength);
DbgPrint( "ReturnSingleEntry:%d" , ReturnSingleEntry );
if( ReturnSingleEntry )
{
NTSTATUS status2;
DbgPrint( "NULL == last now->NextEntryOffset == 0 ReturnSingleEntry == TRUE" );
status2 = HookNtQueryDirectoryFile(
FileHandle,
Event,
ApcRoutine,
ApcContext,
IoStatusBlock,
FileInformation,
FileInformationLength,
FileInformationClass,
ReturnSingleEntry,
FileName,
FALSE
);
RtlFreeAnsiString(&ansiPathName);
RtlFreeAnsiString(&ansiFileName);
return status2;
}
DbgPrint( "NULL == last now->NextEntryOffset == 0 ReturnSingleEntry == FALSE" );
IoStatusBlock->Status = STATUS_NO_SUCH_FILE;
IoStatusBlock->Information = 0;
IoStatusBlock->Pointer = 0;
RtlFreeAnsiString(&ansiPathName);
RtlFreeAnsiString(&ansiFileName);
return ret;
//return ret;
//return STATUS_NO_MORE_FILES;
}
else
{
ULONG len = FileInformationLength - now->NextEntryOffset;
IoStatusBlock->Information -= now->NextEntryOffset;
RtlCopyMemory(now,(PUCHAR)now + now->NextEntryOffset,len);
DbgPrint( "NULL == last now->NextEntryOffset != 0" );
continue;
}
}
}
else
{
last = now;
}
if ( 0 != now->NextEntryOffset )
now = (PFILE_LIST)((PUCHAR)now + now -> NextEntryOffset);
else
break;
}
RtlFreeAnsiString(&ansiPathName);
RtlFreeAnsiString(&ansiFileName);
}
}
return ret;
}
以上是我文件隐藏的主要代码,目前有这么一个BUG,当偶尔一个文件加入到隐藏列表中时,(这种情况只有在if( now->NextEntryOffset == 0 ) 而且ReturnSingleEntry等于FALSE时才会出现这种情况)会导致所有文件不可见。不知道是什么问题导致的,看哪位可以帮忙解决下,谢谢。
[解决办法]
IoStatusBlock->Status = STATUS_NO_SUCH_FILE;
IoStatusBlock->Information = 0;
这表示获取目录信息失败了,你应该返回成功和过滤后的信息长度。
[解决办法]
NextEntryOffset=0表示此次获取的最后一个文件信息,并不表示目录中的最后一个。即使是最后一个也要返回成功,不能返回失败。
[解决办法]
把要隐藏的文件信息从缓冲区中摘出去。
[解决办法]
要处理多种FileInformationClass.
