|
使用DriverStudio自带的例子Daytime进行目录枚举功能扩展。
编写MyNT.h文件如下:
#ifndef _MyNT_H
#define _MyNT_H
#include
#pragma pack(8)
typedef struct _FILE_BOTH_DIR_INFORMATION
{
ULONG NextEntryOffset;
ULONG FileIndex;
LARGE_INTEGER CreationTime;
LARGE_INTEGER LastAccessTime;
LARGE_INTEGER LastWriteTime;
LARGE_INTEGER ChangeTime;
LARGE_INTEGER EndOfFile;
LARGE_INTEGER AllocationSize;
ULONG FileAttributes;
ULONG FileNameLength;
ULONG EaSize;
char shortNameLength;
WCHAR ShortName[12];
WCHAR Filename[1];
}FILE_BOTH_DIR_INFORMATION,*PFILE_BOTH_DIR_INFORMATION;
#pragma pack()
#define FileBothDirectoryInformation 3
extern "C"
{
NTSYSAPI NTSTATUS NTAPI
NtQueryDirectoryFile(IN HANDLE FileHandle,
IN HANDLE Event OPTIONAL,
IN PIO_APC_ROUTINE ApcRoutine OPTIONAL,
IN PVOID ApcContext OPTIONAL,
OUT PIO_STATUS_BLOCK ioStatusBlock,
OUT PVOID FileInformation,
IN ULONG Length,
IN ULONG FileInformationClass,
IN BOOLEAN ReturnSignleEntry,
IN PUNICODE_STRING FileName OPTIONAL,
IN BOOLEAN RestartScan);
}
NTSTATUS MyFindNextFile(HANDLE hHandle,unsigned char *bBuffer,int len);
#endif
编写MyNT.cpp文件如下:
#include "MyNT.h"
#pragma comment(lib,"ntdll.lib")
NTSTATUS MyFindNextFile(HANDLE hHandle,unsigned char *bBuffer,int len)
{
NTSTATUS status;
IO_STATUS_BLOCK io_block;
status = NtQueryDirectoryFile(hHandle,NULL,NULL,NULL,
&io_block,(PVOID)bBuffer,len,
FileBothDirectoryInformation,
FALSE,NULL,FALSE);
return status;
}
之后,在Daytime.cpp文件中添加如下代码:
#include "MyNT.h"
在工程中添加MyNT.cpp文件。
在Daytime类中加入Public函数:
VOID Test(VOID);
该函数定义如下:
VOID Daytime::Test(VOID)
{
HANDLE hFileHandle;
NTSTATUS status;
IO_STATUS_BLOCK ioStatusBlock;
OBJECT_ATTRIBUTES objectAttributes;
UNICODE_STRING uParentName;
WCHAR wParentName[256];
char ansiParentName[256];
UNICODE_STRING uChildName;
WCHAR wChildName[256];
char ansiChildName[256];
memset(wParentName,0,sizeof(wParentName));
wcscpy(wParentName,L"\\??\\C:\\WINDOWS\\");
RtlInitUnicodeString(&uParentName,wParentName);
InitializeObjectAttributes(&objectAttributes,&uParentName,
OBJ_CASE_INSENSITIVE|OBJ_KERNEL_HANDLE,NULL,NULL);
hFileHandle = NULL;
status = ZwOpenFile(&hFileHandle,GENERIC_READ|GENERIC_WRITE,
&objectAttributes,&ioStatusBlock,FILE_SHARE_READ,
FILE_DIRECTORY_FILE|FILE_RANDOM_ACCESS|FILE_SYNCHRONOUS_IO_NONALERT);
if(status == STATUS_SUCCESS)
DbgPrint("ZwOpen Successed.\n");
else
{
DbgPrint("ZwOpen Failed.\n");
return;
}
if(hFileHandle == NULL)return;
unsigned char ansiUse[4096];
memset(ansiUse,0,sizeof(ansiUse));
status = MyFindNextFile(hFileHandle,ansiUse,sizeof(ansiUse));
if(hFileHandle != NULL)ZwClose(hFileHandle);
FILE_BOTH_DIR_INFORMATION fdInfo;
unsigned long fdOffset = 0;
int i,j,k;
if(status == STATUS_SUCCESS)
{
while(1)
{
memset(&fdInfo,0,sizeof(fdInfo));
memcpy(&fdInfo,ansiUse+fdOffset,sizeof(fdInfo));
k = fdInfo.FileNameLength;
memset(wChildName,0,sizeof(wChildName));
memcpy(wChildName,ansiUse+fdOffset+0x5e,k);
i = wcslen(wChildName);
memset(ansiChildName,0,sizeof(ansiChildName));
for(j = 0;j < i;j ++)ansiChildName[j] = (char)wChildName[j];
DbgPrint("Daytime: %s\n",ansiChildName);
if(fdInfo.NextEntryOffset == 0)break;
fdOffset = fdOffset+fdInfo.NextEntryOffset;
}
}
else
DbgPrint("Failed to query.\n");
}
编译后出现一个错误:Daytime.obj : error LNK2019: unresolved external symbol __chkstk referenced in function "public: void __thiscall Daytime::Test(void)" (?Test@Daytime@@QAEXXZ).\objchk\i386\Daytime.sys : fatal error LNK1120: 1 unresolved externals
为什么呢?谢谢各位!急急急!!!
|
|