IrpSp->MajorFunction = IRP_MJ_WRITE;
IrpSp->MinorFunction = IRP_MN_NORMAL;
IrpSp->DeviceObject = deviceObject;
IrpSp->FileObject = FileObject;
IrpSp->Parameters.Write.Length = Length;
IrpSp->Parameters.Write.ByteOffset = *ByteOffset;
KeInitializeEvent(&event, SynchronizationEvent, FALSE);
IoSetCompletionRoutine(Irp, IoCompletionRoutine, NULL, TRUE, TRUE, TRUE);
status = IoCallDriver(deviceObject, Irp);
if (status == STATUS_PENDING)
status = KeWaitForSingleObject(&event, Executive, KernelMode, TRUE, NULL);
return status;
}
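/*
 * IrpDeleteFile -- mark the file behind FileHandle for deletion.
 *
 * FileHandle  handle to an open file object.  It is resolved with KernelMode
 *             and a DesiredAccess of 0, so nothing is checked against the
 *             handle's granted access, and IoSetInformation does not apply
 *             the DELETE-access check that NtSetInformationFile would.  If
 *             FileHandle can originate from user mode, the caller must gate
 *             who is allowed to reach this function.  NOTE(review): confirm
 *             where the handle comes from.
 *
 * Returns the ObReferenceObjectByHandle status if the handle cannot be
 * resolved, otherwise the IoSetInformation status.
 */
NTSTATUS IrpDeleteFile( IN HANDLE FileHandle )
{
    NTSTATUS ntStatus;
    PFILE_OBJECT pFileObject;
    FILE_DISPOSITION_INFORMATION disposition;

    ntStatus = ObReferenceObjectByHandle(FileHandle,
                                        0,
                                        *IoFileObjectType,
                                        KernelMode,
                                        &pFileObject,
                                        NULL);
    if (!NT_SUCCESS(ntStatus))
        return ntStatus;

    /*
     * FileDispositionInformation with DeleteFile == TRUE marks the file for
     * deletion; the file system removes it once the last handle goes away.
     * (The original also fetched the related device object here but never
     * used it; that call has been dropped.)
     */
    disposition.DeleteFile = TRUE;
    ntStatus = IoSetInformation(pFileObject,
                                FileDispositionInformation,
                                sizeof(disposition),
                                &disposition);

    ObDereferenceObject(pFileObject);
    return ntStatus;
}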
/*
typedef struct _FILE_REQUEST_CREATE
{
HANDLE FileHandle; //OUT PHANDLE FileHandle,
ULONG ShareAccess; //IN ULONG ShareAccess,
ULONG DesiredAccess; //IN ACCESS_MASK DesiredAccess,
ULONG CreateDisposition; //IN ULONG CreateDisposition,
CHAR FileName[];
} FILE_REQUEST_CREATE, *PFILE_REQUEST_CREATE;
*/
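/*
 * fnCreateFile -- open or create a file on a local drive from a request
 * buffer.  The open is issued directly as an IRP to the volume's device
 * object (IRPCreateFile) rather than through NtCreateFile.
 *
 * FileRequestCreate  header (see the FILE_REQUEST_CREATE comment above)
 *                    followed by an ANSI path of the form "X:\path"; a
 *                    trailing NUL is tolerated.  FileHandle is written back
 *                    with the new handle, or NULL if the open fails.
 * InputBufferLength  total request size in bytes: header plus path.
 * IoStatusBlock      Information is set to sizeof(HANDLE) on success.
 *
 * Security notes:
 *  - ShareAccess and CreateDisposition are range-checked.  DesiredAccess is
 *    passed through as-is and the handle is opened with KernelMode, so the
 *    requester's token is never compared with the file's ACL.  If requests
 *    can come from user mode this is an access-control bypass; whoever
 *    dispatches to this function must decide who may call it.
 *  - The path is used as given once the "X:" prefix is stripped; nothing is
 *    canonicalised here.
 */
NTSTATUS
fnCreateFile(
    IN PFILE_REQUEST_CREATE FileRequestCreate,
    IN ULONG InputBufferLength,
    OUT PIO_STATUS_BLOCK IoStatusBlock )
{
    PDEVICE_OBJECT deviceObject;
    PDEVICE_OBJECT realDevice;
    PFILE_OBJECT fileObject;
    NTSTATUS ntStatus;
    HANDLE newHandle;
    ANSI_STRING fname;
    UNICODE_STRING fileName;
    ULONG nameLength;

    /* At least one byte of path must follow the fixed header. */
    if (InputBufferLength <= sizeof(FILE_REQUEST_CREATE))
        return STATUS_INVALID_PARAMETER;

    if ((FileRequestCreate->ShareAccess & ~FILE_SHARE_VALID_FLAGS) ||
        (FileRequestCreate->CreateDisposition > FILE_MAXIMUM_DISPOSITION))
        return STATUS_INVALID_PARAMETER;

    /*
     * Compute the path length at full width before narrowing.  The original
     * "(USHORT)InputBufferLength - sizeof(...)" truncated the buffer length
     * first, so a request of 64 KiB or more wrapped into a bogus
     * ANSI_STRING.Length and an out-of-bounds read of FileName below.
     */
    nameLength = InputBufferLength - sizeof(FILE_REQUEST_CREATE);
    if (nameLength > MAXUSHORT)
        return STATUS_INVALID_PARAMETER;

    fname.Buffer = FileRequestCreate->FileName;
    fname.Length = (USHORT)nameLength;
    fname.MaximumLength = fname.Length;

    /* Drop a trailing NUL if the requester sent one. */
    if (fname.Buffer[fname.Length - 1] == '\0')
        fname.Length--;

    /* Shortest acceptable form is "X:\". */
    if (fname.Length < 3)
        return STATUS_INVALID_PARAMETER;

    /* FileName is not NUL-terminated, so print it as a counted string, not with %s. */
    DbgPrint("Open %Z %d\n", &fname, fname.Length);

    FileRequestCreate->FileHandle = NULL;

    if (fname.Buffer[1] != ':')
        return STATUS_INVALID_PARAMETER;

    if (!GetDriveObject(fname.Buffer[0], &deviceObject, &realDevice))
        return STATUS_UNSUCCESSFUL;

    /* Strip "X:"; what remains is the volume-relative path. */
    fname.Buffer += 2;
    fname.MaximumLength -= 2;
    fname.Length -= 2;

    if (!NT_SUCCESS(RtlAnsiStringToUnicodeString(&fileName, &fname, TRUE)))
        return STATUS_INSUFFICIENT_RESOURCES;

    __try
    {
        DbgPrint("deviceObject = %p\n", deviceObject);
        ntStatus = IRPCreateFile(&fileName,
                                 FileRequestCreate->DesiredAccess,
                                 FILE_ATTRIBUTE_NORMAL,
                                 FileRequestCreate->ShareAccess,
                                 FileRequestCreate->CreateDisposition,
                                 0,
                                 deviceObject,
                                 realDevice,
                                 &fileObject);
    }
    __except (EXCEPTION_EXECUTE_HANDLER)
    {
        ntStatus = GetExceptionCode();
        DbgPrint("IrpCreate exception! error=%x\n", ntStatus);
        RtlFreeUnicodeString(&fileName);
        return ntStatus;
    }
    RtlFreeUnicodeString(&fileName);

    if (!NT_SUCCESS(ntStatus))
    {
        DbgPrint("Irp open file failed\n");
        return ntStatus;
    }

    /*
     * Turn the file object into a handle in the current process.  KernelMode
     * means DesiredAccess is granted without an access check.  The handle is
     * deliberately not a kernel handle: it is returned to the requester.
     */
    ntStatus = ObOpenObjectByPointer(fileObject,
                                     0,
                                     NULL,
                                     FileRequestCreate->DesiredAccess,
                                     *IoFileObjectType,
                                     KernelMode,
                                     &newHandle);
    /* Drop the reference IRPCreateFile handed back (presumably); the handle holds its own. */
    ObDereferenceObject(fileObject);
    if (!NT_SUCCESS(ntStatus))
    {
        DbgPrint("ObOpenObjectByPointer failed\n");
        return ntStatus;
    }

    FileRequestCreate->FileHandle = newHandle;
    IoStatusBlock->Information = sizeof(HANDLE);
    return ntStatus;
}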
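/*
 * fnReadFile -- read from an open file into the request buffer.
 *
 * FileRequestRead    header (FileHandle, Length, ReadLength) followed by a
 *                    Buffer that receives up to Length bytes.
 * InputBufferLength  total request size; must hold the header plus Length
 *                    bytes of payload.
 * IoStatusBlock      not written by this function.
 *
 * On return ReadLength holds sizeof(FILE_REQUEST_READ) plus the number of
 * bytes the IRP reported, and the status is the IRP's completion status
 * (or the exception code if IRPReadFile raised).
 */
NTSTATUS
fnReadFile(
    IN PFILE_REQUEST_READ FileRequestRead,
    IN ULONG InputBufferLength,
    OUT PIO_STATUS_BLOCK IoStatusBlock )
{
    NTSTATUS ntStatus;
    PFILE_OBJECT FileObject;
    IO_STATUS_BLOCK ioStatus;

    if (InputBufferLength < sizeof(FILE_REQUEST_READ))
        return STATUS_INVALID_PARAMETER;

    /*
     * Compare without adding.  "sizeof(header) + Length" wraps on 32-bit
     * builds (size_t is 32 bits there) when Length is near ULONG_MAX, which
     * let an oversized read slip past the check and overrun the buffer.
     */
    if (FileRequestRead->Length > InputBufferLength - sizeof(FILE_REQUEST_READ))
        return STATUS_INVALID_PARAMETER;

    DbgPrint("read file\n");

    /*
     * With KernelMode the GENERIC_READ request is not enforced against the
     * handle's granted access.  NOTE(review): if FileHandle can come from
     * user mode, pass the requestor's mode instead so a write-only handle
     * cannot be read through.
     */
    ntStatus = ObReferenceObjectByHandle(FileRequestRead->FileHandle,
                                        GENERIC_READ,
                                        *IoFileObjectType,
                                        KernelMode,
                                        &FileObject,
                                        NULL);
    if (!NT_SUCCESS(ntStatus))
        return ntStatus;

    /* Pre-set a failure so a path in IRPReadFile that never fills ioStatus is not read uninitialised. */
    ioStatus.Status = STATUS_UNSUCCESSFUL;
    ioStatus.Information = 0;

    __try
    {
        /* The return value is ignored on purpose: the IRP's own status is what matters. */
        (void)IRPReadFile(FileObject,
                          NULL,
                          FileRequestRead->Length,
                          FileRequestRead->Buffer,
                          &ioStatus);
        ntStatus = ioStatus.Status;
        FileRequestRead->ReadLength = sizeof(FILE_REQUEST_READ) + ioStatus.Information;
    }
    __except (EXCEPTION_EXECUTE_HANDLER)
    {
        ntStatus = GetExceptionCode();
        DbgPrint("IrpRead exception! error=%x\n", ntStatus);
    }

    ObDereferenceObject(FileObject);
    return ntStatus;
}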
/*
NTSTATUS
QueryHandleInfo(
IN PQUERY_HANDLE_INFO QueryHandleInfo,
OUT PVOID OutputBuffer,
IN ULONG OutputBufferLength
)
{
NTSTATUS status;
HANDLE processHandle, objectHandle;
PEPROCESS process;
PVOID object;
OBJECT_ATTRIBUTES objectAttributes;
CLIENT_ID clientID;
POBJECT_NAME_INFORMATION objectName;
ANSI_STRING objectNameA;
ULONG returnLength;
__try
{
if (QueryHandleInfo->Pid < 8)
{
PsLookupProcessByProcessId( (HANDLE)QueryHandleInfo->Pid,
&process);
KeAttachProcess(process);
status = ObReferenceObjectByHandle( (HANDLE)QueryHandleInfo->Handle,
GENERIC_READ,
NULL,
KernelMode,
&object,
NULL);
KeDetachProcess();
if (!NT_SUCCESS(status))
{
return status;
}
}
else
{
InitializeObjectAttributes( &objectAttributes,
NULL,
0,
NULL,
NULL);
clientID.UniqueProcess = (HANDLE)QueryHandleInfo->Pid;
clientID.UniqueThread = 0;
status = ZwOpenProcess( &processHandle,
PROCESS_DUP_HANDLE,
&objectAttributes,
&clientID);
if (!NT_SUCCESS(status))
{
return status;
}
status = ZwDuplicateObject( processHandle,
(HANDLE)QueryHandleInfo->Handle,
NtCurrentProcess(),
&objectHandle,
0,
FALSE,
DUPLICATE_SAME_ACCESS);
ZwClose(processHandle);
if (!NT_SUCCESS(status))
{
return status;
}
status = ObReferenceObjectByHandle( objectHandle,
GENERIC_READ,
NULL,
KernelMode,
&object,
NULL);
ZwClose(objectHandle);
if (!NT_SUCCESS(status))
{
return status;
}
}
if (object != (PVOID)QueryHandleInfo->Object)
{
ObDereferenceObject(object);
return STATUS_OBJECT_TYPE_MISMATCH;
}
if (*(PULONG)object == 0x700005)
{
DbgPrint("0x700005, link?\n");
return STATUS_SUCCESS;
}
objectName = ExAllocatePool(NonPagedPool, 0x400);
if (objectName == NULL)
{
ObDereferenceObject(object);
return STATUS_INSUFFICIENT_RESOURCES;
}
status = ObQueryNameString( object,
objectName,
0x400,
&returnLength);
ObDereferenceObject(object);
if (!NT_SUCCESS(status))
{
ExFreePool(objectName);
return status;
}
status = RtlUnicodeStringToAnsiString( &objectNameA,
&objectName->Name,
TRUE);
ExFreePool(objectName);
if (!NT_SUCCESS(status))
{
return status;
}
if (objectNameA.Length >= OutputBufferLength)
{
RtlFreeAnsiString(&objectNameA);
return STATUS_BUFFER_TOO_SMALL;
}
strcpy(OutputBuffer, objectNameA.Buffer);
RtlFreeAnsiString(&objectNameA);
return STATUS_SUCCESS;
}
__except (EXCEPTION_EXECUTE_HANDLER)
{
return STATUS_ACCESS_VIOLATION;
}
}
*/
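/*
 * GetDriveObject -- resolve a drive letter to the mounted volume's device
 * object and the storage device beneath it.
 *
 * DriveNumber   drive letter as an ASCII code ('A'..'Z' or 'a'..'z');
 *               anything else is rejected.
 * DeviceObject  receives Vpb->DeviceObject (the file-system volume device).
 * ReadDevice    receives Vpb->RealDevice.
 *
 * Returns TRUE on success.  Neither returned object is referenced by this
 * function, and the handle that pinned the VPB is closed before returning,
 * so the pointers can go stale on dismount; a caller that keeps them beyond
 * the immediate IRP should take its own reference.
 */
BOOLEAN GetDriveObject(
    IN ULONG DriveNumber,
    OUT PDEVICE_OBJECT *DeviceObject,
    OUT PDEVICE_OBJECT *ReadDevice )
{
    WCHAR driveName[] = L"\\DosDevices\\A:\\";
    UNICODE_STRING usDeviceName;
    HANDLE DeviceHandle;
    OBJECT_ATTRIBUTES ObjectAttributes;
    IO_STATUS_BLOCK ioStatus;
    PFILE_OBJECT pFileObject;
    NTSTATUS ntStatus;

    /* Index 12 is the 'A' placeholder in the template above. */
    if (DriveNumber >= 'A' && DriveNumber <= 'Z')
        driveName[12] = (WCHAR)DriveNumber;
    else if (DriveNumber >= 'a' && DriveNumber <= 'z')
        driveName[12] = (WCHAR)(DriveNumber - 'a' + 'A');
    else
        return FALSE;

    RtlInitUnicodeString(&usDeviceName, driveName);

    /*
     * OBJ_KERNEL_HANDLE: this open happens in whatever process context the
     * request arrived in.  Without the flag the handle was placed in that
     * process's handle table, where user mode could close or reuse it before
     * the ObReferenceObjectByHandle below.  A kernel handle is not visible
     * to user mode; GetHiveFile in this file already does the same.
     */
    InitializeObjectAttributes(&ObjectAttributes,
                               &usDeviceName,
                               OBJ_CASE_INSENSITIVE | OBJ_KERNEL_HANDLE,
                               NULL,
                               NULL);

    /*
     * FILE_ANY_ACCESS is 0, so the requested access is just SYNCHRONIZE.
     * The trailing 0x100 is believed to be IO_NO_PARAMETER_CHECKING --
     * confirm against the target WDK's ntddk.h before relying on it.
     */
    ntStatus = IoCreateFile(&DeviceHandle,
                            SYNCHRONIZE | FILE_ANY_ACCESS,
                            &ObjectAttributes,
                            &ioStatus,
                            NULL,
                            0,
                            FILE_SHARE_READ | FILE_SHARE_WRITE,
                            FILE_OPEN,
                            FILE_SYNCHRONOUS_IO_NONALERT | FILE_DIRECTORY_FILE,
                            NULL,
                            0,
                            CreateFileTypeNone,
                            NULL,
                            0x100);
    if (!NT_SUCCESS(ntStatus))
    {
        DbgPrint("Could not open drive %c: %x\n", DriveNumber, ntStatus);
        return FALSE;
    }

    ntStatus = ObReferenceObjectByHandle(DeviceHandle,
                                        FILE_READ_DATA,
                                        *IoFileObjectType,
                                        KernelMode,
                                        &pFileObject,
                                        NULL);
    if (!NT_SUCCESS(ntStatus))
    {
        DbgPrint("Could not get fileobject from handle: %c\n", DriveNumber);
        ZwClose(DeviceHandle);
        return FALSE;
    }

    /* No VPB, or a VPB without a real device, is treated as "nothing mounted here". */
    if (pFileObject->Vpb == NULL || pFileObject->Vpb->RealDevice == NULL)
    {
        ObDereferenceObject(pFileObject);
        ZwClose(DeviceHandle);
        return FALSE;
    }

    *DeviceObject = pFileObject->Vpb->DeviceObject;
    *ReadDevice = pFileObject->Vpb->RealDevice;

    ObDereferenceObject(pFileObject);
    ZwClose(DeviceHandle);
    return TRUE;
}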
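/*
 * GetHiveFile -- save the HKLM\SYSTEM\ControlSet001\Services subtree to
 * \Device\HarddiskVolume1\my.dat with ZwSaveKey.  Both paths are hard-coded.
 *
 * Returns STATUS_SUCCESS, or STATUS_UNSUCCESSFUL if the key cannot be
 * opened, the file cannot be created, or the save fails.  The underlying
 * status goes to the debugger only, to keep the original return contract.
 *
 * Security notes: Zw calls from kernel mode run with a kernel previous mode,
 * so the SeBackupPrivilege check that gates NtSaveKey for user-mode callers
 * does not apply here, and the output file gets whatever ACL the volume
 * root grants new files -- the saved hive may end up readable by
 * unprivileged users.  NOTE(review): confirm that is acceptable, or supply
 * an explicit security descriptor.  KEY_ALL_ACCESS / FILE_ALL_ACCESS are
 * kept from the original; narrower rights may suffice for ZwSaveKey -- verify.
 */
NTSTATUS GetHiveFile()
{
    NTSTATUS ntStatus;
    HANDLE hKey, hFile;
    IO_STATUS_BLOCK IoStatusBlock;
    OBJECT_ATTRIBUTES KeyObjAttr, FileObjAttr;
    UNICODE_STRING usKeyPath, usFilePath;

    RtlInitUnicodeString(&usKeyPath,
                         L"\\REGISTRY\\MACHINE\\SYSTEM\\ControlSet001\\Services");
    RtlInitUnicodeString(&usFilePath,
                         L"\\Device\\HarddiskVolume1\\my.dat");

    /* Kernel handles for both objects so user mode can neither see nor close them. */
    InitializeObjectAttributes(&KeyObjAttr,
                               &usKeyPath,
                               OBJ_CASE_INSENSITIVE | OBJ_KERNEL_HANDLE,
                               NULL, NULL);
    InitializeObjectAttributes(&FileObjAttr,
                               &usFilePath,
                               OBJ_CASE_INSENSITIVE | OBJ_KERNEL_HANDLE,
                               NULL, NULL);

    ntStatus = ZwOpenKey(&hKey, KEY_ALL_ACCESS, &KeyObjAttr);
    if (!NT_SUCCESS(ntStatus))
    {
        DbgPrint("GetHiveFile: ZwOpenKey failed %x\n", ntStatus);
        return STATUS_UNSUCCESSFUL;
    }

    /*
     * CreateDisposition is an enumeration, not a flag set.  The original
     * FILE_CREATE | FILE_OPEN | FILE_OVERWRITE_IF evaluates to 7, which is
     * above FILE_MAXIMUM_DISPOSITION, so ZwCreateFile rejected the call with
     * STATUS_INVALID_PARAMETER every time.  FILE_OVERWRITE_IF alone gives the
     * evident intent: create the file, or truncate it if it already exists.
     */
    ntStatus = ZwCreateFile(&hFile,
                            FILE_ALL_ACCESS,
                            &FileObjAttr,
                            &IoStatusBlock,
                            NULL,
                            FILE_ATTRIBUTE_NORMAL,
                            FILE_SHARE_READ | FILE_SHARE_WRITE,
                            FILE_OVERWRITE_IF,
                            FILE_SYNCHRONOUS_IO_NONALERT,
                            NULL,
                            0);
    if (!NT_SUCCESS(ntStatus))
    {
        DbgPrint("GetHiveFile: ZwCreateFile failed %x\n", ntStatus);
        ZwClose(hKey);
        return STATUS_UNSUCCESSFUL;
    }

    ntStatus = ZwSaveKey(hKey, hFile);
    if (!NT_SUCCESS(ntStatus))
        DbgPrint("GetHiveFile: ZwSaveKey failed %x\n", ntStatus);

    /* The original returned without closing either handle on any path. */
    ZwClose(hFile);
    ZwClose(hKey);

    return NT_SUCCESS(ntStatus) ? STATUS_SUCCESS : STATUS_UNSUCCESSFUL;
}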