	PUCHAR lpNext; 
	dwBytesReturned = 0; 
	status = STATUS_UNSUCCESSFUL; 
	RtlZeroMemory(buffer,1024); 
	strcpy(buffer,"\\DosDevices\\"); 
	strcat(buffer,lpDirName); 
	RtlInitAnsiString(&anFileName,buffer); 
	RtlAnsiStringToUnicodeString(&unFileName,&anFileName,TRUE); 
	InitializeObjectAttributes(&oa,&unFileName,OBJ_CASE_INSENSITIVE + OBJ_KERNEL_HANDLE,NULL,NULL); 
	status = ZwOpenFile(&hFile,FILE_LIST_DIRECTORY + SYNCHRONIZE+FILE_ANY_ACCESS,&oa,&ios,FILE_SHARE_READ + FILE_SHARE_WRITE + FILE_SHARE_DELETE,FILE_DIRECTORY_FILE + FILE_SYNCHRONOUS_IO_NONALERT); 
	if(NT_SUCCESS(status)) 
	{ 
		DbgPrint("ZwOpenFile Success\n"); 
	}
	else 
		goto endcddir; 
	status =ObReferenceObjectByHandle(hFile,FILE_LIST_DIRECTORY + SYNCHRONIZE,0,KernelMode,&lpFileObject,NULL); 
	if(!NT_SUCCESS(status)) 
	{ 
		ZwClose(hFile); 
		goto endcddir; 
	} 
	DbgPrint("open file object success\n"); 
	lpDeviceObject = MyIoGetRelatedDeviceObject(lpFileObject); 
	lpirp = IoAllocateIrp(lpDeviceObject->StackSize,FALSE); 
	if(!lpirp) 
	{ 
		DbgPrint("allocate irp failed\n"); 
		ObDereferenceObject(lpFileObject); 
		ZwClose(hFile); 
		goto endcddir; 
	} 
	DbgPrint("allocate irp success\n"); 
	KeInitializeEvent(&event,SynchronizationEvent,FALSE); 
	lpInformation = ExAllocatePool(PagedPool,655350); 
	lpSystemBuffer = ExAllocatePool(PagedPool,655350); 
	RtlZeroMemory(lpSystemBuffer,655350); 
	RtlZeroMemory(lpInformation,655350); 
	lpirp->UserEvent = &event; 
	lpirp->UserBuffer = lpInformation; 
	lpirp->AssociatedIrp.SystemBuffer = lpInformation; 
	lpirp->MdlAddress = NULL; 
	lpirp->Flags = 0; 
	lpirp->UserIosb = &ios; 
	lpirp->Tail.Overlay.OriginalFileObject = lpFileObject; 
	lpirp->Tail.Overlay.Thread = PsGetCurrentThread(); 
	lpirp->RequestorMode = KernelMode; 
	lpsp = IoGetNextIrpStackLocation(lpirp); 
	lpsp->MajorFunction = IRP_MJ_DIRECTORY_CONTROL; 
	lpsp->MinorFunction = IRP_MN_QUERY_DIRECTORY; 
	lpsp->FileObject = lpFileObject; 
	lpsp->DeviceObject = lpDeviceObject; 
	lpsp->Flags = SL_RESTART_SCAN; 
	lpsp->Control = 0; 
	lpsp->Parameters.QueryDirectory.FileIndex = 0; 
	lpsp->Parameters.QueryDirectory.FileInformationClass = FileDirectoryInformation; 
	lpsp->Parameters.QueryDirectory.FileName = NULL; 
	lpsp->Parameters.QueryDirectory.Length = 655350; 
	IoSetCompletionRoutine(lpirp,EventCompletion,0,TRUE,TRUE,TRUE); 
	status = MyIoCallDriver(lpDeviceObject,lpirp); 
	KeWaitForSingleObject(&event,Executive,KernelMode,TRUE,0); 
	lpDirInfo = (PDIRECTORY_INFO)lpSystemBuffer; 
	lpRealInformation = lpInformation; 
	while(1) 
	{ 
		UN.Length = (USHORT)lpInformation->FileNameLength; 
		UN.MaximumLength = (USHORT)lpInformation->FileNameLength; 
		UN.Buffer = &(lpInformation->FileName[0]); 
		RtlUnicodeStringToAnsiString(&anFileName,&UN,TRUE); 
		strcpy(lpDirInfo->FileName,anFileName.Buffer); 
		KdPrint(("%s\n",anFileName.Buffer));
		RtlFreeAnsiString(&anFileName); 
		lpDirInfo->AllocationSize=lpInformation->AllocationSize;
		lpDirInfo->FileAttributes=lpInformation->FileAttributes;
		RtlTimeToTimeFields(&(lpInformation->CreationTime),&(lpDirInfo->CreationTime)); 
		RtlTimeToTimeFields(&(lpInformation->LastAccessTime),&(lpDirInfo->LastAccessTime));  
		RtlTimeToTimeFields(&(lpInformation->LastWriteTime),&(lpDirInfo->LastWriteTime));  
		RtlTimeToTimeFields(&(lpInformation->ChangeTime),&(lpDirInfo->ChangeTime));  
		lpDirInfo->FileAttributes = lpInformation->FileAttributes; 
		dwBytesReturned+=sizeof(DIRECTORY_INFO); 
		if(!lpInformation->NextEntryOffset) goto exit; 
		lpNext = (PUCHAR)lpInformation; 
		lpNext+=lpInformation->NextEntryOffset; 
		lpInformation = (PFILE_DIRECTORY_INFORMATION)(lpNext);  
		lpDirInfo++; 
	} 
endcddir: 
	RtlFreeUnicodeString(&unFileName); 
	return NULL; 
exit: 
	ExFreePool(lpRealInformation); 
	ObDereferenceObject(lpFileObject); 
	ZwClose(hFile); 
	RtlFreeUnicodeString(&unFileName); 
	*dwRetSize = dwBytesReturned; 
	return lpSystemBuffer;               
}
/*
 * MyIoCallDriver: hand-rolled stand-in for IoCallDriver / IofCallDriver.
 *
 * Advances the IRP to its next stack location and invokes the owning
 * driver's MajorFunction dispatch entry directly through
 * DeviceObject->DriverObject. The exported IofCallDriver is never called,
 * so anything layered on that export is not involved (presumably the reason
 * this copy exists); the target driver's own dispatch routine still runs.
 * As the system routine does, this bugchecks with NO_MORE_IRP_STACK_LOCATIONS
 * when the IRP has no stack location left.
 *
 * @param DeviceObject  device whose driver receives the IRP
 * @param Irp           IRP to dispatch; its CurrentLocation is decremented
 * @return whatever the driver's dispatch routine returns
 */
NTSTATUS
FORCEINLINE
MyIoCallDriver(
			   IN PDEVICE_OBJECT DeviceObject,
			   IN OUT PIRP Irp
			   )
{
    PIO_STACK_LOCATION nextSp;
    PDRIVER_OBJECT owner;

    ASSERT( Irp->Type == IO_TYPE_IRP );

    /* Consume one stack location; running out is fatal, as in IofCallDriver. */
    if (--Irp->CurrentLocation <= 0) {
        KeBugCheckEx( NO_MORE_IRP_STACK_LOCATIONS, (ULONG_PTR) Irp, 0, 0, 0);
    }

    /* IoGetNextIrpStackLocation is evaluated before CurrentStackLocation moves. */
    nextSp = IoGetNextIrpStackLocation( Irp );
    Irp->Tail.Overlay.CurrentStackLocation = nextSp;
    nextSp->DeviceObject = DeviceObject;

    /* Dispatch straight through the driver's MajorFunction table. */
    owner = DeviceObject->DriverObject;
    return owner->MajorFunction[nextSp->MajorFunction]( DeviceObject, Irp );
}
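/**
 * SkillIoOpenFile - open an existing file by its DOS path from kernel mode.
 *
 * Prefixes FileName with "\\DosDevices\\", converts the result to a
 * UNICODE_STRING and opens it with IoCreateFile as a kernel handle
 * (OBJ_KERNEL_HANDLE) with IO_NO_PARAMETER_CHECKING, i.e. without the
 * parameter validation a user-mode-originated open would get; the caller is
 * responsible for the path it passes.
 *
 * @param FileName       NUL-terminated ANSI path relative to \DosDevices
 *                       (for example "C:\\dir\\file"); prefix + name + NUL
 *                       must fit in the 256-byte local buffer, longer names
 *                       are rejected instead of overflowing it.
 * @param DesiredAccess  ACCESS_MASK handed to IoCreateFile
 * @param ShareAccess    FILE_SHARE_* flags handed to IoCreateFile
 * @return kernel handle that the caller closes with ZwClose, or 0 on any
 *         failure: IRQL above PASSIVE_LEVEL, NULL or over-long name,
 *         Unicode conversion failure, or IoCreateFile error.
 */
HANDLE
SkillIoOpenFile(
				IN PCSTR FileName,
				IN ACCESS_MASK DesiredAccess,
				IN ULONG ShareAccess
				)
{
	NTSTATUS              ntStatus;
	UNICODE_STRING        uniFileName;
	OBJECT_ATTRIBUTES     objectAttributes;
	HANDLE                ntFileHandle;
	IO_STATUS_BLOCK       ioStatus;
	ANSI_STRING           anFileName;
	CHAR                  buffer[256];
	static const CHAR     prefix[] = "\\DosDevices\\";

	/* IoCreateFile and the paged string conversion need PASSIVE_LEVEL. */
	if (KeGetCurrentIrql() > PASSIVE_LEVEL)
	{
		return 0;
	}
	if (FileName == NULL)
	{
		return 0;
	}
	/* Bound the copy: sizeof(prefix) already counts the terminating NUL. */
	if (strlen(FileName) + sizeof(prefix) > sizeof(buffer))
	{
		return 0;
	}
	RtlZeroMemory(buffer, sizeof(buffer));
	strcpy(buffer, prefix);
	strcat(buffer, FileName);
	RtlInitAnsiString(&anFileName, buffer);
	/* TRUE: the Unicode buffer is pool-allocated and must be released below. */
	ntStatus = RtlAnsiStringToUnicodeString(&uniFileName, &anFileName, TRUE);
	if (!NT_SUCCESS(ntStatus))
	{
		return 0;
	}
	KdPrint(("%wZ\n",&uniFileName));
	InitializeObjectAttributes(&objectAttributes, &uniFileName,
		OBJ_KERNEL_HANDLE | OBJ_CASE_INSENSITIVE, NULL, NULL);
	ntStatus = IoCreateFile(&ntFileHandle,
		DesiredAccess,
		&objectAttributes,
		&ioStatus,
		0,
		FILE_ATTRIBUTE_NORMAL,
		ShareAccess,
		FILE_OPEN,
		0,
		NULL,
		0,
		0,
		NULL,
		IO_NO_PARAMETER_CHECKING);
	/* The object name is only needed during the open; free it on every path
	 * (the original leaked it). */
	RtlFreeUnicodeString(&uniFileName);
	if (!NT_SUCCESS(ntStatus))
	{
		return 0;
	}

	return ntFileHandle;
}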
/*
 * DeleteFile: open the named file and hand it to SKillDeleteFile.
 *
 * The handle is opened with only FILE_READ_ATTRIBUTES and FILE_SHARE_DELETE;
 * SKillDeleteFile obtains the file object from it itself. The handle is
 * always closed before returning.
 *
 * @param name  ANSI path relative to \DosDevices, as SkillIoOpenFile expects
 * @return TRUE when SKillDeleteFile reported success, FALSE when the open
 *         failed or SKillDeleteFile returned FALSE
 */
BOOLEAN
DeleteFile(
           IN   char   *name
           )
{
	   HANDLE    hFile = SkillIoOpenFile(name, FILE_READ_ATTRIBUTES, FILE_SHARE_DELETE);
	   BOOLEAN   deleted = FALSE;

	   if (hFile == NULL)
	   {
		   return FALSE;
	   }
	   KdPrint(("ok"));
	   deleted = SKillDeleteFile(hFile) ? TRUE : FALSE;
	   ZwClose(hFile);
	   return deleted;
}
/*
 * SkillSetFileCompletion: completion routine for the synchronous
 * IRP_MJ_SET_INFORMATION requests this file builds by hand.
 *
 * Copies the final status/information into the waiter's IO_STATUS_BLOCK
 * (Irp->UserIosb), signals the waiter's event (Irp->UserEvent) and frees the
 * IRP. Returning STATUS_MORE_PROCESSING_REQUIRED keeps the I/O manager from
 * completing the IRP a second time, which it must not do once it is freed.
 *
 * @param DeviceObject  unused
 * @param Irp           the IRP being completed; released here
 * @param Context       unused (the callers pass their event here too, but it
 *                      is taken from Irp->UserEvent)
 * @return STATUS_MORE_PROCESSING_REQUIRED
 */
NTSTATUS
SkillSetFileCompletion(
					   IN PDEVICE_OBJECT DeviceObject,
					   IN PIRP Irp,
					   IN PVOID Context
					   )
{
	PIO_STATUS_BLOCK waiterIosb = Irp->UserIosb;
	PKEVENT waiterEvent = Irp->UserEvent;

	(void)DeviceObject;
	(void)Context;

	waiterIosb->Status = Irp->IoStatus.Status;
	waiterIosb->Information = Irp->IoStatus.Information;
	/* Wake the caller, then release the IRP; the callers in this file never
	 * touch the IRP after their wait returns. */
	KeSetEvent(waiterEvent, IO_NO_INCREMENT, FALSE);
	IoFreeIrp(Irp);
	return STATUS_MORE_PROCESSING_REQUIRED;
}

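/**
 * SKillStripFileAttributes - reset a file's attributes to FILE_ATTRIBUTE_NORMAL.
 *
 * Builds an IRP_MJ_SET_INFORMATION / FileBasicInformation request by hand,
 * sends it to the file's device object with IoCallDriver and waits for
 * SkillSetFileCompletion to signal the event. Only FileAttributes is set;
 * every timestamp field is left zero, which the FileBasicInformation contract
 * treats as "leave unchanged" (NOTE(review): confirm for the target file
 * system). The callers use this to clear read-only before deleting.
 *
 * @param FileHandle  handle to the file; the object is referenced with
 *                    KernelMode, so the handle's granted access is not checked
 * @return TRUE when the file system completed the request successfully,
 *         FALSE when the handle cannot be referenced, no IRP can be
 *         allocated, or the file system rejected the request
 */
BOOLEAN
SKillStripFileAttributes(
						 IN HANDLE    FileHandle
						 )
{
	NTSTATUS          ntStatus;
	PFILE_OBJECT      fileObject;
	PDEVICE_OBJECT    DeviceObject;
	PIRP              Irp;
	KEVENT            event;
	FILE_BASIC_INFORMATION    FileInformation;
	IO_STATUS_BLOCK ioStatus;
	PIO_STACK_LOCATION irpSp;

	ntStatus = ObReferenceObjectByHandle(FileHandle,
		DELETE,
		*IoFileObjectType,
		KernelMode,
		&fileObject,
		NULL);
	if (!NT_SUCCESS(ntStatus))
	{
		return FALSE;
	}

	DeviceObject = IoGetRelatedDeviceObject(fileObject);
	Irp = IoAllocateIrp(DeviceObject->StackSize, TRUE);
	if (Irp == NULL)
	{
		ObDereferenceObject(fileObject);
		return FALSE;
	}

	KeInitializeEvent(&event, SynchronizationEvent, FALSE);
	/* The completion routine overwrites this; start from a failure value so
	 * nothing can be misreported as success. */
	ioStatus.Status = STATUS_UNSUCCESSFUL;
	ioStatus.Information = 0;

	/* Zero the whole structure (was a hard-coded 0x28), then set only the
	 * attributes; zero timestamps mean "do not change". */
	memset(&FileInformation, 0, sizeof(FileInformation));
	FileInformation.FileAttributes = FILE_ATTRIBUTE_NORMAL;

	Irp->AssociatedIrp.SystemBuffer = &FileInformation;
	Irp->UserEvent = &event;
	Irp->UserIosb = &ioStatus;
	Irp->Tail.Overlay.OriginalFileObject = fileObject;
	Irp->Tail.Overlay.Thread = (PETHREAD)KeGetCurrentThread();
	Irp->RequestorMode = KernelMode;
	irpSp = IoGetNextIrpStackLocation(Irp);
	irpSp->MajorFunction = IRP_MJ_SET_INFORMATION;
	irpSp->DeviceObject = DeviceObject;
	irpSp->FileObject = fileObject;
	irpSp->Parameters.SetFile.Length = sizeof(FILE_BASIC_INFORMATION);
	irpSp->Parameters.SetFile.FileInformationClass = FileBasicInformation;
	irpSp->Parameters.SetFile.FileObject = fileObject;
	IoSetCompletionRoutine(
		Irp,
		SkillSetFileCompletion,
		&event,
		TRUE,
		TRUE,
		TRUE);
	/* SkillSetFileCompletion frees the IRP and signals the event; Irp must not
	 * be touched after this call. */
	IoCallDriver(DeviceObject, Irp);
	KeWaitForSingleObject(&event, Executive, KernelMode, TRUE, NULL);
	ObDereferenceObject(fileObject);
	/* Report the file system's verdict instead of unconditional TRUE. */
	return NT_SUCCESS(ioStatus.Status) ? TRUE : FALSE;
}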
/*
 * SKillDeleteFile: mark the file behind FileHandle for deletion with a
 * hand-built IRP_MJ_SET_INFORMATION / FileDispositionInformation request.
 *
 * Before the request is sent, the file object's SectionObjectPointer entries
 * (ImageSectionObject, DataSectionObject) are set to 0. That discards the
 * file system's record of any image/data sections backed by this file, so
 * the disposition request presumably no longer fails for files that are
 * mapped or executing. It also leaves memory-manager and cache-manager state
 * inconsistent with the file system's, and is an unsupported write to a
 * structure those components own; NOTE(review): expect corrupted cached data
 * or a bugcheck as possible outcomes, treat as a hazard rather than an API.
 *
 * @param FileHandle  handle to the file to delete; referenced with KernelMode,
 *                    so the handle's own granted access is not checked
 * @return TRUE once the request has been issued and the completion routine
 *         has signalled; FALSE only when the file object cannot be referenced
 *         or no IRP can be allocated. ioStatus is never examined, so the
 *         caller cannot tell whether the file system accepted the delete
 *         (NOTE(review): return value does not reflect the outcome).
 */
BOOLEAN
SKillDeleteFile(
				IN HANDLE    FileHandle
				)
{
	NTSTATUS          ntStatus = STATUS_SUCCESS;
	PFILE_OBJECT      fileObject;
	PDEVICE_OBJECT    DeviceObject;
	PIRP              Irp;
	KEVENT            event;
	FILE_DISPOSITION_INFORMATION    FileInformation;
	IO_STATUS_BLOCK ioStatus;
	PIO_STACK_LOCATION irpSp;
	PSECTION_OBJECT_POINTERS pSectionObjectPointer;     /* owned by the FSD / Mm / Cc, see header note */
	SKillStripFileAttributes( FileHandle);          // clear read-only first; a read-only file cannot be deleted (result ignored)
	ntStatus = ObReferenceObjectByHandle(FileHandle,
		DELETE,
		*IoFileObjectType,
		KernelMode,
		&fileObject,
		NULL);
	if (!NT_SUCCESS(ntStatus))
	{
		return FALSE;
	}
	/* MyIoGetRelatedDeviceObject: local copy, defined elsewhere in this file. */
	DeviceObject = MyIoGetRelatedDeviceObject(fileObject);
	Irp = IoAllocateIrp(DeviceObject->StackSize, TRUE);
	if (Irp == NULL)
	{
		ObDereferenceObject(fileObject);
		return FALSE;
	}
	KeInitializeEvent(&event, SynchronizationEvent, FALSE);
	/* FILE_DISPOSITION_INFORMATION has a single field; no zeroing needed. */
	FileInformation.DeleteFile = TRUE;
	/* ioStatus is filled in by SkillSetFileCompletion but never read here. */
	Irp->AssociatedIrp.SystemBuffer = &FileInformation;
	Irp->UserEvent = &event;
	Irp->UserIosb = &ioStatus;
	Irp->Tail.Overlay.OriginalFileObject = fileObject;
	Irp->Tail.Overlay.Thread = (PETHREAD)KeGetCurrentThread();
	Irp->RequestorMode = KernelMode;
	irpSp = IoGetNextIrpStackLocation(Irp);
	irpSp->MajorFunction = IRP_MJ_SET_INFORMATION;
	irpSp->DeviceObject = DeviceObject;
	irpSp->FileObject = fileObject;
	irpSp->Parameters.SetFile.Length = sizeof(FILE_DISPOSITION_INFORMATION);
	irpSp->Parameters.SetFile.FileInformationClass = FileDispositionInformation;
	irpSp->Parameters.SetFile.FileObject = fileObject;
	IoSetCompletionRoutine(
		Irp,
		SkillSetFileCompletion,
		&event,
		TRUE,
		TRUE,
		TRUE);
	/* Hazard: direct write to the shared section-pointer block; see header. */
	pSectionObjectPointer = fileObject->SectionObjectPointer;
	pSectionObjectPointer->ImageSectionObject = 0;
	pSectionObjectPointer->DataSectionObject = 0;
	/* The completion routine frees Irp; it must not be used after this call. */
	IoCallDriver(DeviceObject, Irp);
	KeWaitForSingleObject(&event, Executive, KernelMode, TRUE, NULL);
	ObDereferenceObject(fileObject);
	return TRUE;
}  
