关于在WIN32调用一些Zw系列的文件操作函数
Posted 朝闻道
tags:
篇首语:本文由小常识网(cha138.com)小编为大家整理,主要介绍了关于在WIN32调用一些Zw系列的文件操作函数相关的知识,希望对你有一定的参考价值。
转自:http://blog.csdn.net/cooblily/archive/2007/10/27/1848037.aspx
都好久沒上來写文章了,都不知道做什么好,結果还是学写了一下用Native API的程序,這些API的原型当然久在DDK里面找啦,不过因为NTDLL.DLL有导出啊,所以可以LoadLibrary调入这个动态连接文件,再GetProcAddress找到相应的API的地址,然后当然就可以调用啦.
整個过程最麻烦的就是要将DDK翻来翻去找到要用到的函数原型,函数所用到的結构,和一些宏.复制到程序裏面,好啦,以下是我学习的成果.
以下代码是在C:中创建一个ForZwFileTest.txt的文件并写入內容,然後删除.其实都沒什么用的,反正有微軟公开的API不用,而用這些沒公开的API來实现这个功能完全是因为无聊.嘻嘻.
- #include <windows.h>
- #include <stdio.h>
- #include <stdlib.h>
- typedef unsigned long NTSTATUS;
- typedef unsigned short USHORT;
- typedef unsigned long ULONG;
- typedef unsigned long DWORD;
- typedef long LONG;
- typedef __int64 LONGLONG;
- typedef struct UNICODE_STRING{
- USHORT Length;
- USHORT MaxLen;
- USHORT *Buffer;
- } UNICODE_STRING,*PUNICODE_STRING;
- #define OBJ_INHERIT 0x00000002L
- #define OBJ_PERMANENT 0x00000010L
- #define OBJ_EXCLUSIVE 0x00000020L
- #define OBJ_CASE_INSENSITIVE 0x00000040L
- #define OBJ_OPENIF 0x00000080L
- #define OBJ_OPENLINK 0x00000100L
- #define OBJ_KERNEL_HANDLE 0x00000200L
- #define OBJ_FORCE_ACCESS_CHECK 0x00000400L
- #define OBJ_VALID_ATTRIBUTES 0x000007F2L
- #define FILE_ATTRIBUTE_NORMAL 0x00000080
- #define FILE_SHARE_DELETE 0x00000004
- #define FILE_OPEN_IF 0x00000003
- #define FILE_SYNCHRONOUS_IO_NONALERT 0x00000020
- #define GENERIC_WRITE (0x40000000L)
- #define SYNCHRONIZE (0x00100000L)
- #define GENERIC_READ (0x80000000L)
- typedef struct _OBJECT_ATTRIBUTES{
- ULONG Length;
- HANDLE RootDirectory;
- PUNICODE_STRING ObjectName;
- ULONG Attributes;
- PVOID SecurityDescriptor;
- PVOID SecurityQualityOfService;
- } OBJECT_ATTRIBUTES, *POBJECT_ATTRIBUTES;
- typedef CONST OBJECT_ATTRIBUTES *PCOBJECT_ATTRIBUTES;
- typedef NTSTATUS (__stdcall *ZWDELETEFILE)(
- IN POBJECT_ATTRIBUTES ObjectAttributes);
- typedef VOID (__stdcall *RTLINITUNICODESTRING)(
- IN OUT PUNICODE_STRING DestinationString,
- IN PCWSTR SourceString);
- typedef struct _IO_STATUS_BLOCK{
- DWORD Status;
- ULONG Information;
- } IO_STATUS_BLOCK, *PIO_STATUS_BLOCK;
- typedef NTSTATUS (__stdcall *ZWCREATEFILE)(
- OUT PHANDLE FileHandle,
- IN ACCESS_MASK DesiredAccess,
- IN POBJECT_ATTRIBUTES ObjectAttributes,
- OUT PIO_STATUS_BLOCK iostatusBlock,
- IN PLARGE_INTEGER AllocationSize OPTIONAL,
- IN ULONG FileAttributes,
- IN ULONG ShareAccess,
- IN ULONG CreateDisposition,
- IN ULONG CreateOptions,
- IN PVOID EaBuffer OPTIONAL,
- IN ULONG EaLength);
- typedef VOID (NTAPI *PIO_APC_ROUTINE) (
- IN PVOID ApcContext,
- IN PIO_STATUS_BLOCK IoStatusBlock,
- IN ULONG Reserved);
- typedef NTSTATUS (__stdcall *ZWWRITEFILE)(
- IN HANDLE FileHandle,
- IN HANDLE Event OPTIONAL,
- IN PIO_APC_ROUTINE ApcRoutine OPTIONAL,
- IN PVOID ApcContext OPTIONAL,
- OUT PIO_STATUS_BLOCK IoStatusBlock,
- IN PVOID Buffer,
- IN ULONG Length,
- IN PLARGE_INTEGER ByteOffset OPTIONAL,
- IN PULONG Key OPTIONAL);
- typedef NTSTATUS (__stdcall *ZWCLOSE)(
- IN HANDLE Handle);
- int main()
- {
- HINSTANCE hNtDll;
- ZWDELETEFILE ZwDeleteFile;
- RTLINITUNICODESTRING RtlInitUnicodeString;
- ZWCREATEFILE ZwCreateFile;
- ZWWRITEFILE ZwWriteFile;
- ZWCLOSE ZwClose;
- hNtDll = LoadLibrary ("NTDLL");
- if (!hNtDll)
- return 0;
- ZwDeleteFile = (ZWDELETEFILE)GetProcAddress (hNtDll,"ZwDeleteFile");
- RtlInitUnicodeString = (RTLINITUNICODESTRING)GetProcAddress (hNtDll,"RtlInitUnicodeString");
- ZwCreateFile = (ZWCREATEFILE)GetProcAddress (hNtDll,"ZwCreateFile");
- ZwWriteFile = (ZWWRITEFILE)GetProcAddress (hNtDll,"ZwWriteFile");
- ZwClose = (ZWCLOSE)GetProcAddress (hNtDll,"ZwClose");
- UNICODE_STRING ObjectName;
- RtlInitUnicodeString(&ObjectName,L"//??//C://ForZwFileTest.txt");//記得這裏是要有//??//在前面的,DDK說的.
- OBJECT_ATTRIBUTES ObjectAttributes = {
- sizeof(OBJECT_ATTRIBUTES), // Length
- NULL, // RootDirectory
- &ObjectName, // ObjectName
- OBJ_CASE_INSENSITIVE, // Attributes
- 0, // SecurityDescriptor
- NULL, // SecurityQualityOfService
- };
- HANDLE hFile;
- PVOID content = "ForZwFileTest";
- IO_STATUS_BLOCK IoStatusBlock;
- ZwCreateFile(&hFile,
- GENERIC_WRITE|SYNCHRONIZE|GENERIC_READ,
- &ObjectAttributes,
- &IoStatusBlock,
- 0,
- FILE_ATTRIBUTE_NORMAL,
- FILE_SHARE_DELETE,
- FILE_OPEN_IF,
- FILE_SYNCHRONOUS_IO_NONALERT,
- NULL,
- 0);
- ZwWriteFile(hFile, 0, 0, 0, &IoStatusBlock, content, 12, NULL, NULL);
- ZwClose(hFile);
- // ZwDeleteFile(&ObjectAttributes);
- FreeLibrary (hNtDll);
- return 0;
- }
转自:http://blog.csdn.net/cooblily/archive/2007/10/27/1848037.aspx
以上是关于关于在WIN32调用一些Zw系列的文件操作函数的主要内容,如果未能解决你的问题,请参考以下文章
从ZwProtectVirtualMemory到NtProtectVirtualMemory-内核函数调用
003 关于调用.dll文件设置win7 64位的CAXA缩略图
使用AllocConsole在Win32程序中调用控制台调试输出