驱动文件操作  

2011-03-27 22:16:06|  分类: Win32汇编学习 |  标签: |举报 |字号 订阅

; Target: 32-bit x86 kernel-mode driver, MASM (Intel syntax), KmdKit-style
; includes, stdcall calling convention. Everything below runs in kernel mode
; and talks to ntoskrnl directly (Zw* file APIs, Ex* pool, DbgPrint).
.386
.model flat,stdcall
option casemap:none

; NOTE(review): include and library paths are absolute and machine-specific
; (D:\RadASM\...), so the build only works on a box with that exact layout.
include D:\RadASM\masm32\include\w2k\ntstatus.inc
include D:\RadASM\masm32\include\w2k\ntifs.inc

includelib D:\RadASM\masm32\lib\w2k\ntoskrnl.lib
include D:\RadASM\masm32\include\w2k\ntoskrnl.inc
include D:\RadASM\masm32\macros\Strings.mac

.const
; Fixed object-manager paths every routine in this file operates on.
; "\??\" is the DosDevices prefix; the routines are invoked from DriverEntry
; (System process context), where it presumably resolves through the global
; DosDevices directory -- confirm before reusing these constants from a
; routine that may run in an arbitrary user's process context.
CCOUNTED_UNICODE_STRING "\\??\\c:\\FileDriver\\test.txt",g_usFileName,4
CCOUNTED_UNICODE_STRING "\\??\\c:\\FileDriver",g_usDirName,4

.code

;:::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
;                                      CreateDirectory                                             
;:::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
CreateDirectory proc

 local oa:OBJECT_ATTRIBUTES
 local iosb:IO_STATUS_BLOCK
 local hDir:HANDLE

 ; Purpose: make sure the directory named by g_usDirName exists.
 ; FILE_OPEN_IF opens it when present and creates it when absent; the
 ; handle is closed again right away, only the outcome is logged.
 ; Only SYNCHRONIZE is requested (needed for FILE_SYNCHRONOUS_IO_NONALERT);
 ; no data or attribute access is asked for.
 ; NOTE(review): a created directory gets whatever DACL it inherits from
 ; its parent. If later code trusts files placed in it, check who may
 ; write there.
 ; No return value; the result is only reported through DbgPrint.

 invoke DbgPrint,$CTA0("\nFileDriver:Creating %ws directory\n"),g_usDirName.Buffer

 ; OBJ_KERNEL_HANDLE keeps the handle out of the current process's table.
 InitializeObjectAttributes addr oa, addr g_usDirName, \
      OBJ_CASE_INSENSITIVE + OBJ_KERNEL_HANDLE, NULL, NULL

 invoke ZwCreateFile, addr hDir, SYNCHRONIZE, addr oa, addr iosb, 0, FILE_ATTRIBUTE_NORMAL, \
      0, FILE_OPEN_IF, FILE_DIRECTORY_FILE + FILE_SYNCHRONOUS_IO_NONALERT, NULL, 0
 .if eax != STATUS_SUCCESS
  invoke DbgPrint, $CTA0("FileDriver: Can't create directory. Status: %08X\n"), eax
  ret
 .endif

 ; iosb.Information tells whether the open created or merely opened it.
 .if iosb.Information == FILE_OPENED
  invoke DbgPrint, $CTA0("FileDriver: Directory exists and was opened\n")
 .elseif iosb.Information == FILE_CREATED
  invoke DbgPrint, $CTA0("FileDriver: Directory created\n")
 .endif

 invoke ZwClose, hDir
 ret

CreateDirectory endp


;:::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
;                                        CreateFile                                                
;:::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::

CreateFile proc

local oa:OBJECT_ATTRIBUTES
local iosb:IO_STATUS_BLOCK
local hFile:HANDLE

 ; Purpose: create g_usFileName as a brand-new file.
 ; FILE_CREATE makes ZwCreateFile fail when the file already exists --
 ; nothing is opened or truncated in that case. The new file gets
 ; FILE_ATTRIBUTE_NORMAL and no sharing, and the handle is closed at once.
 ; Only SYNCHRONIZE is requested; the routine never touches the data.
 ; No return value; the result is only reported through DbgPrint.

 ; The wide-character DbgPrint conversions (%C, %S, %lc, %ls, %wc, %ws, %wZ)
 ; are usable only at PASSIVE_LEVEL, which holds when called from DriverEntry.
 invoke DbgPrint, $CTA0("\nFileDriver: Creating %ws file\n"), g_usFileName.Buffer

 InitializeObjectAttributes addr oa, addr g_usFileName, \
      OBJ_CASE_INSENSITIVE + OBJ_KERNEL_HANDLE, NULL, NULL

 invoke ZwCreateFile, addr hFile, SYNCHRONIZE, addr oa, addr iosb, 0, FILE_ATTRIBUTE_NORMAL, \
      0, FILE_CREATE, FILE_SYNCHRONOUS_IO_NONALERT, NULL, 0
 .if eax != STATUS_SUCCESS
  invoke DbgPrint, $CTA0("FileDriver: Can't create file. Status: %08X\n"), eax
  ret
 .endif

 invoke DbgPrint, $CTA0("FileDriver: File created\n")
 invoke ZwClose, hFile
 ret

CreateFile endp

;:::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
;                                            WriteFile                                             
;:::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::

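WriteFile proc

local oa:OBJECT_ATTRIBUTES
local iosb:IO_STATUS_BLOCK
local hFile:HANDLE

 ; Purpose: open the existing g_usFileName and write g_szData (without its
 ; terminating zero) at the start of the file.
 ; Access is kept minimal: FILE_WRITE_DATA for the write, SYNCHRONIZE
 ; because FILE_SYNCHRONOUS_IO_NONALERT is used. FILE_ALL_ACCESS would work
 ; too but grants far more than needed.
 ; Fix over the first version: STATUS_SUCCESS from ZwWriteFile only says
 ; the request completed; the number of bytes that actually landed is in
 ; iosb.Information. A short write is now reported instead of being logged
 ; as a full success.
 ; No return value; the result is only reported through DbgPrint.

 invoke DbgPrint, $CTA0("\nFileDriver: Opening file for writing\n")

 InitializeObjectAttributes addr oa, addr g_usFileName, \
      OBJ_CASE_INSENSITIVE + OBJ_KERNEL_HANDLE, NULL, NULL

 ; ZwCreateFile with FILE_OPEN opens an existing file and fails if absent.
 invoke ZwCreateFile, addr hFile, FILE_WRITE_DATA + SYNCHRONIZE, addr oa, addr iosb, \
      0, 0, FILE_SHARE_READ, FILE_OPEN, FILE_SYNCHRONOUS_IO_NONALERT, NULL, 0
 .if eax != STATUS_SUCCESS
  invoke DbgPrint, $CTA0("FileDriver: Can't open file. Status: %08X\n"), eax
  ret
 .endif
 invoke DbgPrint, $CTA0("FileDriver: File openeded\n")

 CTA0 "Data can be written to an open file", g_szData, 4

 ; ByteOffset is NULL: on a synchronous handle the write goes to the
 ; current file position, which starts at 0 for a freshly opened handle.
 invoke ZwWriteFile, hFile, 0, NULL, NULL, addr iosb, \
      addr g_szData, sizeof g_szData - 1, NULL, NULL
 .if eax != STATUS_SUCCESS
  invoke DbgPrint, $CTA0("FileDriver: Can't write to the file. Status: %08X\n"), eax
 .elseif iosb.Information != (sizeof g_szData - 1)
  ; Completed, but fewer bytes than requested reached the file.
  invoke DbgPrint, $CTA0("FileDriver: Short write: %d of %d bytes\n"), \
      iosb.Information, (sizeof g_szData - 1)
 .else
  invoke DbgPrint, $CTA0("FileDriver: File was written\n")
 .endif

 invoke ZwClose, hFile
 ret

WriteFile endp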

;:::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
;                                        MarkAsReadOnly                                            
;:::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::

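MarkAsReadOnly proc

local oa:OBJECT_ATTRIBUTES
local iosb:IO_STATUS_BLOCK
local hFile:HANDLE
local fbi:FILE_BASIC_INFORMATION
local attrs:DWORD

 ; Purpose: set FILE_ATTRIBUTE_READONLY on g_usFileName, keeping every other
 ; attribute bit. This is what the original author used to protect the file
 ; from deletion until UnmarkAsReadOnly clears the bit again.
 ; Fix over the first version: only the attribute word is written back.
 ; The four timestamps are zeroed before ZwSetInformationFile -- for
 ; FileBasicInformation a zero time field is documented as "leave
 ; unchanged" -- instead of explicitly re-setting the values just queried.
 ; FILE_ATTRIBUTE_NORMAL is masked out because it is only valid on its own.
 ; No return value; the result is only reported through DbgPrint.

 invoke DbgPrint, $CTA0("\nFileDriver: Opening file for changing attributes\n")

 InitializeObjectAttributes addr oa, addr g_usFileName, \
      OBJ_CASE_INSENSITIVE + OBJ_KERNEL_HANDLE, NULL, NULL

 ; Least privilege: FILE_READ_ATTRIBUTES to query, FILE_WRITE_ATTRIBUTES to
 ; change, SYNCHRONIZE because of FILE_SYNCHRONOUS_IO_NONALERT. No data
 ; access is requested (FILE_ALL_ACCESS would work but is far broader).
 invoke ZwCreateFile, addr hFile, FILE_READ_ATTRIBUTES + FILE_WRITE_ATTRIBUTES + SYNCHRONIZE, \
      addr oa, addr iosb, 0, 0, FILE_SHARE_READ, \
      FILE_OPEN, FILE_SYNCHRONOUS_IO_NONALERT, NULL, 0
 .if eax != STATUS_SUCCESS
  invoke DbgPrint, $CTA0("FileDriver: Can't open file. Status: %08X\n"), eax
  ret
 .endif
 invoke DbgPrint, $CTA0("FileDriver: File openeded\n")

 ; (The undocumented ZwQueryAttributesFile returns the same data.)
 invoke ZwQueryInformationFile, hFile, addr iosb, addr fbi, sizeof fbi, FileBasicInformation
 .if eax == STATUS_SUCCESS
  invoke DbgPrint, $CTA0("FileDriver: File attributes were: %08X\n"), fbi.FileAttributes

  mov eax, fbi.FileAttributes
  or eax, FILE_ATTRIBUTE_READONLY
  and eax, not FILE_ATTRIBUTE_NORMAL
  mov attrs, eax

  ; Zeroed timestamps are left alone by the set; only attributes change.
  invoke RtlZeroMemory, addr fbi, sizeof fbi
  mov eax, attrs
  mov fbi.FileAttributes, eax

  invoke ZwSetInformationFile, hFile, addr iosb, addr fbi, sizeof fbi, FileBasicInformation
  .if eax == STATUS_SUCCESS
   invoke DbgPrint, $CTA0("FileDriver: Now file marked as read-only\n")
  .else
   invoke DbgPrint, $CTA0("FileDriver: Can't change file attributes. Status: %08X\n"), eax
  .endif
 .else
  invoke DbgPrint, $CTA0("FileDriver: Can't query file attributes. Status: %08X\n"), eax
 .endif

 invoke ZwClose, hFile
 ret

MarkAsReadOnly endp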

;:::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
;                                          ReadFile                                                
;:::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::

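ReadFile proc

local oa:OBJECT_ATTRIBUTES
local iosb:IO_STATUS_BLOCK
local hFile:HANDLE
local p:PVOID
local cb:DWORD
local cbAlloc:DWORD
local fsi:FILE_STANDARD_INFORMATION

 ; Purpose: read the whole of g_usFileName into a paged-pool buffer and
 ; dump it through DbgPrint as a C string.
 ; Fixes over the first version:
 ;  - the file is opened with FILE_SHARE_WRITE, so another writer may grow
 ;    it between the size query and the read. The old code passed the full
 ;    buffer size as the read length, so a grown file could overwrite the
 ;    terminating zero and let %s run off the end of the allocation. The
 ;    read length is now the queried size (cb) while the buffer is one byte
 ;    larger (cbAlloc) and zeroed, so the terminator survives any read.
 ;  - EndOfFile.HighPart was ignored; sizes that do not fit a 32-bit length
 ;    (or whose +1 would wrap) are refused instead of silently truncated.
 ;  - an empty file is reported as such rather than as a read failure.
 ;  - a failed pool allocation reports the size instead of a bogus status.
 ; No return value; output goes to DbgPrint.

 invoke DbgPrint, $CTA0("\nFileDriver: Opening file for reading\n")

 InitializeObjectAttributes addr oa, addr g_usFileName, \
      OBJ_CASE_INSENSITIVE + OBJ_KERNEL_HANDLE, NULL, NULL
 ; Share everything: this is a read-only peek that must not block other
 ; openers (hence the size-change caveat above).
 invoke ZwOpenFile, addr hFile, FILE_READ_DATA + SYNCHRONIZE, addr oa, addr iosb, \
    FILE_SHARE_READ + FILE_SHARE_WRITE + FILE_SHARE_DELETE, FILE_SYNCHRONOUS_IO_NONALERT
 .if eax != STATUS_SUCCESS
  invoke DbgPrint, $CTA0("FileDriver: Can't open file. Status: %08X\n"), eax
  ret
 .endif
 invoke DbgPrint, $CTA0("FileDriver: File openeded\n")

 invoke ZwQueryInformationFile, hFile, addr iosb, addr fsi, sizeof fsi, FileStandardInformation
 .if eax != STATUS_SUCCESS
  invoke DbgPrint, $CTA0("FileDriver: Can't query file size. Status: %08X\n"), eax
 .elseif fsi.EndOfFile.HighPart != 0 || fsi.EndOfFile.LowPart == 0FFFFFFFFh
  ; Larger than a 32-bit length can describe, or cb + 1 would wrap to 0.
  invoke DbgPrint, $CTA0("FileDriver: File is too large to read at once\n")
 .else
  mov eax, fsi.EndOfFile.LowPart
  mov cb, eax                  ; bytes to read = current file size
  inc eax
  mov cbAlloc, eax             ; + one byte the read can never touch

  .if cb == 0
   invoke DbgPrint, $CTA0("FileDriver: File is empty\n")
  .else
   ; NOTE(review): ExAllocatePool is the untagged legacy API; prefer
   ; ExAllocatePoolWithTag where the include set provides it.
   invoke ExAllocatePool, PagedPool, cbAlloc
   .if eax == NULL
    invoke DbgPrint, $CTA0("FileDriver: Can't allocate %d bytes\n"), cbAlloc
   .else
    mov p, eax
    invoke RtlZeroMemory, p, cbAlloc      ; guarantees the trailing zero

    invoke ZwReadFile, hFile, 0, NULL, NULL, addr iosb, p, cb, 0, NULL
    .if eax == STATUS_SUCCESS
     invoke DbgPrint, $CTA0("FileDriver: %d bytes read\n"), iosb.Information
     invoke DbgPrint, $CTA0("FileDriver: File content: \=%s\=\n"), p
    .else
     invoke DbgPrint, $CTA0("FileDriver: Can't read from the file. Status: %08X\n"), eax
    .endif

    invoke ExFreePool, p
   .endif
  .endif
 .endif

 invoke ZwClose, hFile
 ret

ReadFile endp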

;:::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
;                                        UnmarkAsReadOnly                                          
;:::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::

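UnmarkAsReadOnly proc

local oa:OBJECT_ATTRIBUTES
local iosb:IO_STATUS_BLOCK
local hFile:HANDLE
local fbi:FILE_BASIC_INFORMATION
local attrs:DWORD

 ; Purpose: clear FILE_ATTRIBUTE_READONLY on g_usFileName so it can be
 ; written to and deleted again (counterpart of MarkAsReadOnly).
 ; Fixes over the first version:
 ;  - if clearing the bit leaves an attribute word of zero, the set is a
 ;    no-op (zero attributes mean "leave unchanged" to the file system) and
 ;    the file would silently stay read-only. Zero is therefore replaced by
 ;    FILE_ATTRIBUTE_NORMAL, the documented way to express "no attributes".
 ;  - the four timestamps are zeroed before ZwSetInformationFile, which for
 ;    FileBasicInformation means "leave unchanged", instead of re-setting
 ;    the values just queried.
 ;  - the attribute log line used the prefix "FileWorks:" while every other
 ;    line in this driver uses "FileDriver:"; it now matches.
 ; No return value; the result is only reported through DbgPrint.

 invoke DbgPrint, $CTA0("\nFileDriver: Opening file for changing attributes\n")

 InitializeObjectAttributes addr oa, addr g_usFileName, \
      OBJ_CASE_INSENSITIVE + OBJ_KERNEL_HANDLE, NULL, NULL

 ; Least privilege: FILE_READ_ATTRIBUTES to query, FILE_WRITE_ATTRIBUTES to
 ; change, SYNCHRONIZE because of FILE_SYNCHRONOUS_IO_NONALERT.
 invoke ZwCreateFile, addr hFile, FILE_READ_ATTRIBUTES + FILE_WRITE_ATTRIBUTES + SYNCHRONIZE, \
      addr oa, addr iosb, 0, 0, FILE_SHARE_READ, FILE_OPEN, \
      FILE_SYNCHRONOUS_IO_NONALERT, NULL, 0
 .if eax != STATUS_SUCCESS
  invoke DbgPrint, $CTA0("FileDriver: Can't open file. Status: %08X\n"), eax
  ret
 .endif
 invoke DbgPrint, $CTA0("FileDriver: File openeded\n")

 ; (The undocumented ZwQueryAttributesFile returns the same data.)
 invoke ZwQueryInformationFile, hFile, addr iosb, addr fbi, sizeof fbi, FileBasicInformation
 .if eax == STATUS_SUCCESS
  invoke DbgPrint, $CTA0("FileDriver: File attributes were: %08X\n"), fbi.FileAttributes

  mov eax, fbi.FileAttributes
  and eax, not FILE_ATTRIBUTE_READONLY
  .if eax == 0
   ; A zero attribute word would be ignored by the set; NORMAL says
   ; "no attributes" explicitly.
   mov eax, FILE_ATTRIBUTE_NORMAL
  .endif
  mov attrs, eax

  ; Zeroed timestamps are left alone by the set; only attributes change.
  invoke RtlZeroMemory, addr fbi, sizeof fbi
  mov eax, attrs
  mov fbi.FileAttributes, eax

  invoke ZwSetInformationFile, hFile, addr iosb, addr fbi, sizeof fbi, FileBasicInformation
  .if eax == STATUS_SUCCESS
   invoke DbgPrint, $CTA0("FileDriver: Now file can be written or deleted\n")
  .else
   invoke DbgPrint, $CTA0("FileDriver: Can't change file attributes. Status: %08X\n"), eax
  .endif
 .else
  invoke DbgPrint, $CTA0("FileDriver: Can't query file attributes. Status: %08X\n"), eax
 .endif

 invoke ZwClose, hFile
 ret

UnmarkAsReadOnly endp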

;:::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
;                                         AppendFile                                               
;:::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::

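AppendFile proc

local oa:OBJECT_ATTRIBUTES
local iosb:IO_STATUS_BLOCK
local hFile:HANDLE

 ; Purpose: append g_szDataToAppend (without its terminating zero) to the
 ; end of g_usFileName.
 ; With only FILE_APPEND_DATA and SYNCHRONIZE in DesiredAccess the caller
 ; can write solely at the end of the file: any ByteOffset is ignored, the
 ; data goes after the current end of file, and the file is extended as
 ; needed. That is why ZwWriteFile below passes no offset.
 ; Fix over the first version: STATUS_SUCCESS from ZwWriteFile only says
 ; the request completed; iosb.Information carries the byte count that
 ; actually landed, so a short write is now reported instead of being
 ; logged as a full append.
 ; No return value; the result is only reported through DbgPrint.

 invoke DbgPrint, $CTA0("\nFileDriver: Opening file to append data\n")

 InitializeObjectAttributes addr oa, addr g_usFileName, \
      OBJ_CASE_INSENSITIVE + OBJ_KERNEL_HANDLE, NULL, NULL

 invoke ZwOpenFile, addr hFile, FILE_APPEND_DATA + SYNCHRONIZE, addr oa, addr iosb, \
         FILE_SHARE_READ, FILE_SYNCHRONOUS_IO_NONALERT
 .if eax != STATUS_SUCCESS
  invoke DbgPrint, $CTA0("FileDriver: Can't open file. Status: %08X\n"), eax
  ret
 .endif
 invoke DbgPrint, $CTA0("FileDriver: File openeded\n")

 CTA0 " using ZwWriteFile", g_szDataToAppend, 4

 invoke ZwWriteFile, hFile, 0, NULL, NULL, addr iosb, \
      addr g_szDataToAppend, sizeof g_szDataToAppend - 1, NULL, NULL
 .if eax != STATUS_SUCCESS
  invoke DbgPrint, $CTA0("FileDriver: Can't append data to file. Status: %08X\n"), eax
 .elseif iosb.Information != (sizeof g_szDataToAppend - 1)
  ; Completed, but fewer bytes than requested reached the file.
  invoke DbgPrint, $CTA0("FileDriver: Short append: %d of %d bytes\n"), \
      iosb.Information, (sizeof g_szDataToAppend - 1)
 .else
  invoke DbgPrint, $CTA0("FileDriver: Data appended to the file\n")
 .endif

 invoke ZwClose, hFile
 ret

AppendFile endp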

;:::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
;                                        TruncateFile                                              
;:::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::

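TruncateFile proc

local oa:OBJECT_ATTRIBUTES
local iosb:IO_STATUS_BLOCK
local hFile:HANDLE
local fsi:FILE_STANDARD_INFORMATION
local feofi:FILE_END_OF_FILE_INFORMATION

 ; Purpose: cut g_usFileName down to half its current size by setting
 ; FileEndOfFileInformation.
 ; Fix over the first version: the new size is computed on the full
 ; 64-bit EndOfFile (shrd/shr pair) instead of halving LowPart and forcing
 ; HighPart to zero, which for a file of 4 GiB or more would have produced
 ; far less than half of its size.
 ; No return value; the result is only reported through DbgPrint.

 invoke DbgPrint, $CTA0("\nFileDriver: Opening file to truncate\n")

 InitializeObjectAttributes addr oa, addr g_usFileName, \
      OBJ_CASE_INSENSITIVE + OBJ_KERNEL_HANDLE, NULL, NULL

 ; FILE_WRITE_DATA is enough to move the end of file; FILE_GENERIC_WRITE
 ; would also work but grants more than needed.
 invoke ZwOpenFile, addr hFile, FILE_WRITE_DATA + SYNCHRONIZE, addr oa, addr iosb, \
      FILE_SHARE_READ, FILE_SYNCHRONOUS_IO_NONALERT
 .if eax != STATUS_SUCCESS
  invoke DbgPrint, $CTA0("FileDriver: Can't open file. Status: %08X\n"), eax
  ret
 .endif
 invoke DbgPrint, $CTA0("FileDriver: File openeded\n")

 invoke ZwQueryInformationFile, hFile, addr iosb, \
      addr fsi, sizeof fsi, FileStandardInformation
 .if eax != STATUS_SUCCESS
  invoke DbgPrint, $CTA0("FileDriver: Can't query file info. Status: %08X\n"), eax
 .else
  invoke DbgPrint, $CTA0("FileDriver: EOF was: %08X\n"), fsi.EndOfFile.LowPart

  ; edx:eax = EndOfFile; shift the whole 64-bit value right by one.
  mov eax, fsi.EndOfFile.LowPart
  mov edx, fsi.EndOfFile.HighPart
  shrd eax, edx, 1
  shr edx, 1
  mov feofi.EndOfFile.LowPart, eax
  mov feofi.EndOfFile.HighPart, edx

  invoke ZwSetInformationFile, hFile, addr iosb, \
      addr feofi, sizeof feofi, FileEndOfFileInformation
  .if eax == STATUS_SUCCESS
   invoke DbgPrint, $CTA0("FileDriver: File truncated to its half size\n")
  .else
   invoke DbgPrint, $CTA0("FileDriver: Can't truncate file. Status: %08X\n"), eax
  .endif
 .endif

 invoke ZwClose, hFile
 ret

TruncateFile endp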

;:::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
;                                         DeleteFile                                               
;:::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::

DeleteFile proc

local oa:OBJECT_ATTRIBUTES
local iosb:IO_STATUS_BLOCK
local hFile:HANDLE
local fdi:FILE_DISPOSITION_INFORMATION

 ; Purpose: delete g_usFileName by setting its delete disposition.
 ; Only DELETE + SYNCHRONIZE are requested and only FILE_SHARE_DELETE is
 ; granted, so the open fails if some other handle to the file is open
 ; without FILE_SHARE_DELETE. The file disappears when the last handle is
 ; closed -- here the ZwClose below; nothing else is done with the handle
 ; after the disposition is set.
 ; NOTE(review): presumably the file system refuses to mark a read-only
 ; file for deletion, which is why DriverEntry runs UnmarkAsReadOnly before
 ; this routine -- confirm if the order is ever changed.
 ; No return value; the result is only reported through DbgPrint.

 invoke DbgPrint, $CTA0("\nFileDriver: Opening file for deletion\n")

 InitializeObjectAttributes addr oa, addr g_usFileName, \
      OBJ_CASE_INSENSITIVE + OBJ_KERNEL_HANDLE, NULL, NULL
 invoke ZwCreateFile, addr hFile, DELETE + SYNCHRONIZE, addr oa, addr iosb, \
      0, 0, FILE_SHARE_DELETE, FILE_OPEN, FILE_SYNCHRONOUS_IO_NONALERT, NULL, 0
 .if eax != STATUS_SUCCESS
  invoke DbgPrint, $CTA0("FileDriver: Can't open file. Status: %08X\n"), eax
  ret
 .endif
 invoke DbgPrint, $CTA0("FileDriver: File openeded\n")

 mov fdi.DeleteFile, TRUE
 invoke ZwSetInformationFile, hFile, addr iosb, addr fdi, sizeof fdi, FileDispositionInformation
 .if eax != STATUS_SUCCESS
  invoke DbgPrint, $CTA0("FileDriver: Can't mark file for deletion. Status: %08X\n"), eax
 .else
  invoke DbgPrint, $CTA0("FileDriver: File has been marked for deletion\n")
  invoke DbgPrint, $CTA0("FileDriver: It should be deleted when the last open handle is closed\n")
 .endif

 invoke ZwClose, hFile
 ret

DeleteFile endp

;:::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
;                                       DeleteDirectory                                            
;:::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::

DeleteDirectory proc

local oa:OBJECT_ATTRIBUTES
local iosb:IO_STATUS_BLOCK
local hDirectory:HANDLE

 ; Purpose: remove the directory named by g_usDirName in one call.
 ; ZwDeleteFile takes only the OBJECT_ATTRIBUTES, so no handle is opened
 ; or closed here (hDirectory / iosb are unused). The original author notes
 ; that the DDK lists ZwDeleteFile as Windows XP and later, but that it is
 ; present on earlier builds as well.
 ; No return value; the result is only reported through DbgPrint.

 InitializeObjectAttributes addr oa, addr g_usDirName, \
      OBJ_CASE_INSENSITIVE + OBJ_KERNEL_HANDLE, NULL, NULL

 invoke ZwDeleteFile, addr oa
 .if eax != STATUS_SUCCESS
  invoke DbgPrint, $CTA0("\nFileDriver: Can't delete directory. Status: %08X\n"), eax
  ret
 .endif

 invoke DbgPrint, $CTA0("\nFileDriver: Directory deleted\n")
 ret

DeleteDirectory endp

;:::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
;                                      EnumerateFiles                                              
;:::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::

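EnumerateFiles proc uses esi

local oa:OBJECT_ATTRIBUTES
local hSystemRootDirectory:HANDLE
local hDriversDirectory:HANDLE
local as:ANSI_STRING
local us:UNICODE_STRING
local iosb:IO_STATUS_BLOCK
local tf:TIME_FIELDS
local cb:DWORD
local pfdi:PFILE_DIRECTORY_INFORMATION

 ; Purpose: print name, size and creation date of every file in
 ; \SystemRoot\system32\drivers whose name starts with 'c'.
 ; The drivers directory is opened relative to a handle on \SystemRoot
 ; (RootDirectory member of OBJECT_ATTRIBUTES) and walked one entry per
 ; ZwQueryDirectoryFile call. esi points at the entry buffer throughout
 ; the loop, hence 'uses esi' (callee-saved register).
 ; Fixes over the first version:
 ;  - the loop ran while status != STATUS_NO_MORE_FILES, so any other
 ;    persistent failure (bad parameter, access denied, ...) would spin
 ;    DriverEntry forever. It now continues only on STATUS_SUCCESS or
 ;    STATUS_BUFFER_OVERFLOW and reports whatever else ended it.
 ;  - the entry buffer held 128 WCHARs of name, but a path component may
 ;    be 255 WCHARs; longer names came back as STATUS_BUFFER_OVERFLOW and
 ;    were silently dropped. The buffer is sized for the maximum now, and a
 ;    truncated entry is at least reported.
 ;  - a failed pool allocation is now reported.
 ; No return value; output goes to DbgPrint.

 ; Largest NT path component is 255 WCHARs; FILE_DIRECTORY_INFORMATION
 ; already carries the first WCHAR of FileName, so this is generous.
 MAX_FILE_NAME_BYTES equ 255 * 2

 invoke DbgPrint, $CTA0("\nFileDriver: Opening directory to enumerate files\n")

 InitializeObjectAttributes addr oa, $CCOUNTED_UNICODE_STRING("\\SystemRoot"), \
        OBJ_CASE_INSENSITIVE + OBJ_KERNEL_HANDLE, NULL, NULL

 invoke ZwOpenFile, addr hSystemRootDirectory, FILE_LIST_DIRECTORY + SYNCHRONIZE, addr oa, \
      addr iosb, FILE_SHARE_READ + FILE_SHARE_WRITE + FILE_SHARE_DELETE, \
      FILE_DIRECTORY_FILE + FILE_SYNCHRONOUS_IO_NONALERT
 .if eax != STATUS_SUCCESS
  invoke DbgPrint, $CTA0("FileDriver: Can't open system root directory. Status: %08X\n"), eax
  ret
 .endif

 ; Pathname relative to the directory handle just opened.
 InitializeObjectAttributes addr oa, $CCOUNTED_UNICODE_STRING("system32\\drivers"), \
       OBJ_CASE_INSENSITIVE + OBJ_KERNEL_HANDLE, hSystemRootDirectory, NULL

 invoke ZwOpenFile, addr hDriversDirectory, FILE_LIST_DIRECTORY + SYNCHRONIZE, addr oa, \
       addr iosb, FILE_SHARE_READ + FILE_SHARE_WRITE + FILE_SHARE_DELETE, \
       FILE_DIRECTORY_FILE + FILE_SYNCHRONOUS_IO_NONALERT
 .if eax != STATUS_SUCCESS
  invoke DbgPrint, $CTA0("FileDriver: Can't open drivers directory. Status: %08X\n"), eax
  invoke ZwClose, hSystemRootDirectory
  ret
 .endif

 mov cb, sizeof FILE_DIRECTORY_INFORMATION + MAX_FILE_NAME_BYTES

 ; NOTE(review): ExAllocatePool is the untagged legacy API; prefer
 ; ExAllocatePoolWithTag where the include set provides it.
 invoke ExAllocatePool, PagedPool, cb
 .if eax == NULL
  invoke DbgPrint, $CTA0("FileDriver: Can't allocate %d bytes\n"), cb
 .else
  mov pfdi, eax
  mov esi, eax
  assume esi:ptr FILE_DIRECTORY_INFORMATION

  invoke DbgPrint, \
    $CTA0("\nFileDriver: ---------- Starting enumerate files ----------\n")

  ; First query: restart the scan, apply the "c*" pattern, one entry per
  ; call. (The DDK lists ZwQueryDirectoryFile as XP and later; the original
  ; author observed it is present on earlier builds as well.)
  invoke ZwQueryDirectoryFile, hDriversDirectory, NULL, NULL, NULL, addr iosb, \
     esi, cb, FileDirectoryInformation, \
     TRUE, $CCOUNTED_UNICODE_STRING("c*"), TRUE

  ; STATUS_BUFFER_OVERFLOW: the entry did not fit and only a truncated name
  ; came back; FileNameLength then holds the full length, so it must not be
  ; used to read the buffer. The next call is assumed to continue with the
  ; following entry -- confirm against the file system if this path matters.
  .while eax == STATUS_SUCCESS || eax == STATUS_BUFFER_OVERFLOW

   .if eax == STATUS_SUCCESS
    ; FileName is not zero-terminated, so build the UNICODE_STRING by hand
    ; instead of calling RtlInitUnicodeString.
    mov eax, [esi].FileNameLength
    mov us._Length, ax
    mov us.MaximumLength, ax
    lea eax, [esi].FileName
    mov us.Buffer, eax

    ; TRUE: let the runtime allocate the ANSI buffer; freed below.
    invoke RtlUnicodeStringToAnsiString, addr as, addr us, TRUE
    .if eax == STATUS_SUCCESS
     invoke RtlTimeToTimeFields, addr [esi].CreationTime, addr tf
     movzx eax, tf.Day
     movzx ecx, tf.Month
     movzx edx, tf.Year

     ; Sizes of 4 GiB and more would need HighPart as well; LowPart is
     ; enough for anything found in the drivers directory today.
     invoke DbgPrint, $CTA0("    %s   size=%d   created on %d.%02d.%04d\n"), \
        as.Buffer, [esi].EndOfFile.LowPart, eax, ecx, edx

     invoke RtlFreeAnsiString, addr as
    .endif
   .else
    invoke DbgPrint, $CTA0("    <entry skipped: name longer than buffer>\n")
   .endif

   ; Next entry; the pattern given on the first call stays in effect.
   invoke ZwQueryDirectoryFile, hDriversDirectory, NULL, NULL, NULL, addr iosb, \
      esi, cb, FileDirectoryInformation, \
      TRUE, NULL, FALSE
  .endw

  .if eax != STATUS_NO_MORE_FILES
   invoke DbgPrint, $CTA0("FileDriver: Enumeration stopped. Status: %08X\n"), eax
  .endif

  invoke DbgPrint, \
   $CTA0("FileDriver: ------------------------------------------------\n")

  assume esi:nothing
  invoke ExFreePool, pfdi
 .endif

 invoke ZwClose, hDriversDirectory
 invoke ZwClose, hSystemRootDirectory
 ret

EnumerateFiles endp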
;:::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
;                                       UnloadDriver                                               
;:::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
DriverUnload proc pDriverObject:PDRIVER_OBJECT

 ; Purpose: unload callback installed by DriverEntry. Nothing is allocated
 ; or registered for the driver's lifetime, so there is nothing to tear
 ; down; it only announces the unload. pDriverObject is unused.
 ; DbgPrint is a cdecl (varargs) routine, so the caller removes the
 ; argument after the call -- hence the explicit add esp.

 push $CTA0("Driver: Unloading...\n")
 call DbgPrint
 add esp, 4

 ret

DriverUnload endp


;:::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
;                                       DriverEntry                                                
;:::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::

DriverEntry proc pDriverObject:PDRIVER_OBJECT, pusRegistryPath:PUNICODE_STRING

 ; Purpose: driver entry point. Installs DriverUnload and runs the whole
 ; file-operation demo once, reporting each step through DbgPrint.
 ; Returns STATUS_SUCCESS no matter how the individual steps went (each
 ; routine logs its own failure). pusRegistryPath is unused.
 ; Runs at PASSIVE_LEVEL in the System process, which is what the %ws
 ; DbgPrint conversions and the "\??\" paths in the constants rely on.

 invoke DbgPrint, $CTA0("\nFileDriver: Entering DriverEntry\n")

 ; Register the unload routine up front; the demo below leaves nothing
 ; behind that unload would have to undo, so the order is not significant.
 mov ecx, pDriverObject
 assume ecx:ptr DRIVER_OBJECT
 mov [ecx].DriverUnload, offset DriverUnload
 assume ecx:nothing

 ; Demo sequence: create, fill, protect, read back, unprotect, append,
 ; shrink, delete, then list some driver files. ReadFile runs after each
 ; modification so its effect shows up in the debugger output.
 invoke CreateDirectory
 invoke CreateFile
 invoke WriteFile
 invoke MarkAsReadOnly
 invoke ReadFile
 invoke UnmarkAsReadOnly
 invoke AppendFile
 invoke ReadFile
 invoke TruncateFile
 invoke ReadFile
 invoke DeleteFile
 invoke DeleteDirectory
 invoke EnumerateFiles

 invoke DbgPrint, $CTA0("\nFileDriver: Leaving DriverEntry\n\n")

 ; Returning STATUS_DEVICE_CONFIGURATION_ERROR here instead would make the
 ; I/O manager unload the driver right after the demo has run.
 mov eax, STATUS_SUCCESS
 ret

DriverEntry endp

end DriverEntry

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 


 
