關于在WIN32調用一些Zw系列的文件操作函數.


都好久沒上來寫文章了,都不知道做什麽好,結果還是學寫了一下用Native API的程序.這些API的原型當然就在DDK裏面找喇;不過因爲NTDLL.DLL有導出啊,所以可以用LoadLibrary調入這個動態連接文件(其實NTDLL在每個進程裏都已經載入了,用GetModuleHandle取句柄就夠),再用GetProcAddress找到相應API的地址,然後當然就可以調用喇.要注意這些Zw*/Nt*導出並不是公開的Win32接口,原型和行爲可能隨Windows版本改變,所以每個GetProcAddress的返回值都應該先檢查是否爲NULL再調用.

整個過程最麻煩的就是要將DDK繙來繙去找到要用到的函數原型,函數所用到的結構,和一些宏.複製到程序裏面,好喇,以下是我學習的成果.

以下代碼是在C:根目錄下創建一個ForZwFileTest.txt的文件并寫入內容,然後删除.(注意: 在開啓UAC的Windows上,往C:根目錄寫文件需要管理員權限;另外傳給ZwCreateFile的是NT命名空間路徑,形如\??\C:\ForZwFileTest.txt,分隔符必須是反斜綫.)其實都沒什麽用的,反正有微軟公開的API(CreateFile/WriteFile/DeleteFile)不用,而用這些沒公開的API來實現這個功能完全是因爲無聊.嘻嘻.

#include <windows.h>

#include <stdio.h>

#include <stdlib.h>

 

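/*
 * Minimal subset of the DDK's basic types, so the native-API prototypes
 * below can be written without pulling in ntdef.h. windows.h already
 * declares USHORT/ULONG/DWORD/LONG/LONGLONG with these exact types, and a
 * repeated identical typedef is legal C, so the duplicates are harmless.
 */
typedef unsigned short USHORT;
typedef unsigned long  ULONG;
typedef unsigned long  DWORD;
typedef long           LONG;

/*
 * NTSTATUS is a *signed* 32-bit value (ntdef.h: typedef LONG NTSTATUS).
 * The sign bit is the error bit: the standard NT_SUCCESS(s) test is
 * ((LONG)(s) >= 0) and STATUS_* failure codes such as 0xC0000034 are
 * negative. The previous `unsigned long` typedef made `status < 0`
 * always false, so no Zw* failure could ever be detected that way; recent
 * SDKs also declare NTSTATUS as LONG themselves, which an unsigned
 * redefinition would clash with.
 */
typedef LONG NTSTATUS;

/* 64-bit signed integer: __int64 is the MSVC spelling, long long elsewhere. */
#ifdef _MSC_VER
typedef __int64 LONGLONG;
#else
typedef long long LONGLONG;
#endif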

 

/*
 * Counted UTF-16 string as used by the native API (mirrors ntdef.h's
 * UNICODE_STRING, which L7 says these definitions were copied from).
 * Per the DDK, Length and MaxLen are byte counts rather than character
 * counts and Buffer need not be NUL-terminated. The field names differ
 * from the DDK's (MaximumLength, PWSTR Buffer) but the layout -- two
 * USHORTs followed by a pointer -- is identical, which is all the kernel
 * cares about. Filled in by RtlInitUnicodeString in main().
 */
typedef struct UNICODE_STRING{

    USHORT Length;      /* bytes in use, excluding any terminator */

    USHORT MaxLen;      /* bytes available at Buffer */

    USHORT *Buffer;     /* UTF-16 code units; USHORT* here, PWSTR in the DDK */

} UNICODE_STRING,*PUNICODE_STRING;

 

/*
 * OBJECT_ATTRIBUTES.Attributes flag bits (ntdef.h OBJ_*). Only
 * OBJ_CASE_INSENSITIVE is used in this file (main()); file-system names
 * are normally opened with it. Per the DDK, OBJ_KERNEL_HANDLE and
 * OBJ_FORCE_ACCESS_CHECK only mean something for kernel-mode callers --
 * from user mode every handle is a user handle and access is always
 * checked. OBJ_VALID_ATTRIBUTES is the OR of the bits listed here as of
 * the DDK this was copied from; later SDKs may define additional OBJ_
 * bits, so treat the mask as a snapshot rather than an authoritative check.
 */
#define OBJ_INHERIT             0x00000002L   /* handle is inheritable by child processes */

#define OBJ_PERMANENT           0x00000010L

#define OBJ_EXCLUSIVE           0x00000020L

#define OBJ_CASE_INSENSITIVE    0x00000040L   /* used by main() for the file path */

#define OBJ_OPENIF              0x00000080L

#define OBJ_OPENLINK            0x00000100L

#define OBJ_KERNEL_HANDLE       0x00000200L   /* kernel mode only */

#define OBJ_FORCE_ACCESS_CHECK  0x00000400L   /* kernel mode only */

#define OBJ_VALID_ATTRIBUTES    0x000007F2L   /* mask of the bits above */

 

/*
 * Constants for the ZwCreateFile call in main(). windows.h already defines
 * GENERIC_READ, GENERIC_WRITE, SYNCHRONIZE, FILE_ATTRIBUTE_NORMAL and
 * FILE_SHARE_DELETE with these exact replacement lists; C permits an
 * identical redefinition, so they compile cleanly. FILE_OPEN_IF is a
 * CreateDisposition (open the file, create it if absent) and
 * FILE_SYNCHRONOUS_IO_NONALERT a CreateOption that makes the handle
 * synchronous -- per the DDK it must be paired with SYNCHRONIZE in
 * DesiredAccess, which main() does.
 */
#define FILE_ATTRIBUTE_NORMAL               0x00000080   /* FileAttributes */

#define FILE_SHARE_DELETE                   0x00000004   /* ShareAccess */

#define FILE_OPEN_IF                        0x00000003   /* CreateDisposition */

#define FILE_SYNCHRONOUS_IO_NONALERT        0x00000020   /* CreateOptions */

#define GENERIC_WRITE                       (0x40000000L) /* DesiredAccess */

#define SYNCHRONIZE                         (0x00100000L) /* DesiredAccess; needed for synchronous I/O */

#define GENERIC_READ                        (0x80000000L) /* DesiredAccess */

 

/*
 * Object name plus open flags passed to ZwCreateFile/ZwDeleteFile
 * (mirrors ntdef.h OBJECT_ATTRIBUTES). main() builds one with an aggregate
 * initialiser instead of the DDK's InitializeObjectAttributes() macro;
 * the Length field must still be sizeof(OBJECT_ATTRIBUTES), which is what
 * main() stores there.
 */
typedef struct _OBJECT_ATTRIBUTES{

    ULONG  Length;                      /* sizeof(OBJECT_ATTRIBUTES) */

    HANDLE  RootDirectory;              /* NULL: ObjectName is an absolute NT path */

    PUNICODE_STRING  ObjectName;        /* NT-namespace name, e.g. \??\C:\... */

    ULONG  Attributes;                  /* OBJ_* flags defined above */

    PVOID  SecurityDescriptor;          /* NULL: default security for a new object */

    PVOID  SecurityQualityOfService;    /* NULL unless impersonation is involved */

} OBJECT_ATTRIBUTES, *POBJECT_ATTRIBUTES;

/* Read-only view, as used by DDK prototypes that do not modify the struct. */
typedef CONST OBJECT_ATTRIBUTES *PCOBJECT_ATTRIBUTES;

 

/*
 * ZwDeleteFile (ntdll export): delete the file named by an
 * OBJECT_ATTRIBUTES; there is no handle argument, the name is opened
 * internally. Resolved with GetProcAddress at run time -- it is not a
 * documented Win32 import, so the pointer must be NULL-checked first.
 * Returns an NTSTATUS; negative values are failures.
 */
typedef NTSTATUS (NTAPI *ZWDELETEFILE)(POBJECT_ATTRIBUTES ObjectToDelete);

 

/*
 * RtlInitUnicodeString (ntdll export): point a UNICODE_STRING at an
 * existing NUL-terminated wide string and fill in its length fields.
 * No copy is made, so the source must outlive the UNICODE_STRING.
 */
typedef VOID (NTAPI *RTLINITUNICODESTRING)(PUNICODE_STRING Target,
                                           PCWSTR Source);

 

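/*
 * Completion record written by the I/O manager for every Zw* I/O call
 * (mirrors ntdef.h IO_STATUS_BLOCK).
 *
 * The DDK layout is a pointer-sized union followed by a pointer-sized
 * Information field: 8 bytes on x86 but 16 bytes on x64. The previous
 * DWORD/ULONG version was 8 bytes on every target, so on a 64-bit build
 * the kernel would write past the end of the caller's IoStatusBlock --
 * a stack object in main() -- and silently corrupt the stack. The
 * anonymous union keeps the existing `.Status` spelling working.
 *
 *   Status      - final NTSTATUS of the request
 *   Pointer     - alternate (reserved) view of the same slot
 *   Information - request-specific value; for a write, the bytes written
 */
typedef struct _IO_STATUS_BLOCK {
    union {
        NTSTATUS Status;
        PVOID    Pointer;
    };
    ULONG_PTR Information;
} IO_STATUS_BLOCK, *PIO_STATUS_BLOCK;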

 

/*
 * ZwCreateFile (ntdll export): create or open a file object.
 *
 *   FileHandle        [out] receives the handle on success.
 *   DesiredAccess     ACCESS_MASK; include SYNCHRONIZE when the handle is
 *                     opened with a FILE_SYNCHRONOUS_IO_* option.
 *   ObjectAttributes  NT-namespace name plus OBJ_* flags.
 *   IoStatusBlock     [out] completion status of the open.
 *   AllocationSize    initial size hint, may be NULL.
 *   FileAttributes    FILE_ATTRIBUTE_* for a newly created file.
 *   ShareAccess       FILE_SHARE_* granted to other openers.
 *   CreateDisposition FILE_OPEN_IF and friends.
 *   CreateOptions     FILE_SYNCHRONOUS_IO_NONALERT and friends.
 *   EaBuffer/EaLength extended attributes; NULL/0 for none.
 *
 * Returns an NTSTATUS; negative values are failures. Undocumented export,
 * resolved at run time.
 */
typedef NTSTATUS (NTAPI *ZWCREATEFILE)(
    PHANDLE            FileHandle,
    ACCESS_MASK        DesiredAccess,
    POBJECT_ATTRIBUTES ObjectAttributes,
    PIO_STATUS_BLOCK   IoStatusBlock,
    PLARGE_INTEGER     AllocationSize,
    ULONG              FileAttributes,
    ULONG              ShareAccess,
    ULONG              CreateDisposition,
    ULONG              CreateOptions,
    PVOID              EaBuffer,
    ULONG              EaLength);

 

/*
 * User-mode APC callback signature for asynchronous Zw* I/O. Only needed
 * to spell the ZwWriteFile prototype; this program does synchronous I/O
 * and passes NULL for the routine.
 */
typedef VOID (NTAPI *PIO_APC_ROUTINE)(PVOID            Context,
                                      PIO_STATUS_BLOCK CompletedIosb,
                                      ULONG            Reserved);

 

/*
 * ZwWriteFile (ntdll export): write Length bytes from Buffer to FileHandle.
 *
 *   Event / ApcRoutine / ApcContext  asynchronous completion hooks; all
 *                                    NULL for a synchronous handle.
 *   IoStatusBlock  [out] status and, on success, the byte count written.
 *   ByteOffset     file position, or NULL for the current position on a
 *                  synchronous handle.
 *   Key            byte-range lock key, NULL for none.
 *
 * Returns an NTSTATUS; negative values are failures. Undocumented export,
 * resolved at run time.
 */
typedef NTSTATUS (NTAPI *ZWWRITEFILE)(
    HANDLE           FileHandle,
    HANDLE           Event,
    PIO_APC_ROUTINE  ApcRoutine,
    PVOID            ApcContext,
    PIO_STATUS_BLOCK IoStatusBlock,
    PVOID            Buffer,
    ULONG            Length,
    PLARGE_INTEGER   ByteOffset,
    PULONG           Key);

 

/*
 * ZwClose (ntdll export): close any kernel object handle. Returns an
 * NTSTATUS; negative values are failures. Undocumented export, resolved
 * at run time.
 */
typedef NTSTATUS (NTAPI *ZWCLOSE)(HANDLE ObjectHandle);

 

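/*
 * Success test for a native-API return value.
 *
 * NT_SUCCESS() lives in ntdef.h, which this file deliberately does not
 * include, so it is spelled out here. NTSTATUS failure codes have the sign
 * bit set, and the test must be done on the *signed* view of the value:
 * the NTSTATUS typedef at the top of this file is unsigned, which would
 * make a plain `status < 0` always false.
 */
static int nt_failed(NTSTATUS status)
{
    return (LONG)status < 0;
}

/*
 * Demo driver: create C:\ForZwFileTest.txt through the ntdll Zw* exports,
 * write a short string into it, close it, then delete it again.
 *
 * Returns 0 when every step succeeded and 1 otherwise; each failure is
 * reported on stderr together with its NTSTATUS. Every native entry point
 * is looked up at run time because none of them is part of the documented
 * Win32 import surface, and a missing export is treated as fatal instead
 * of being called through a NULL pointer.
 *
 * NOTE(review): creating a file in the root of C:\ needs an elevated token
 * on Windows with UAC enabled; a 0xC0000022 (STATUS_ACCESS_DENIED) from
 * ZwCreateFile is the usual symptom. The documented CreateFileW/WriteFile/
 * DeleteFileW trio does the same job without any of this.
 */
int main(void)
{
    /* ntdll.dll is mapped into every Win32 process before main() runs, so
     * there is nothing to load: take the existing module (no FreeLibrary
     * needed) instead of going through LoadLibrary. */
    HMODULE hNtDll = GetModuleHandleW(L"ntdll.dll");
    if (hNtDll == NULL) {
        fprintf(stderr, "GetModuleHandle(ntdll.dll) failed: %lu\n", GetLastError());
        return 1;
    }

    ZWDELETEFILE         ZwDeleteFile         = (ZWDELETEFILE)GetProcAddress(hNtDll, "ZwDeleteFile");
    RTLINITUNICODESTRING RtlInitUnicodeString = (RTLINITUNICODESTRING)GetProcAddress(hNtDll, "RtlInitUnicodeString");
    ZWCREATEFILE         ZwCreateFile         = (ZWCREATEFILE)GetProcAddress(hNtDll, "ZwCreateFile");
    ZWWRITEFILE          ZwWriteFile          = (ZWWRITEFILE)GetProcAddress(hNtDll, "ZwWriteFile");
    ZWCLOSE              ZwClose              = (ZWCLOSE)GetProcAddress(hNtDll, "ZwClose");

    /* Undocumented exports may be absent or renamed on another Windows
     * version; calling through a NULL function pointer is undefined
     * behaviour, so refuse to continue. */
    if (ZwDeleteFile == NULL || RtlInitUnicodeString == NULL ||
        ZwCreateFile == NULL || ZwWriteFile == NULL || ZwClose == NULL) {
        fprintf(stderr, "a required ntdll export could not be resolved\n");
        return 1;
    }

    /* Zw* functions take NT object-manager paths, not Win32 paths: the
     * separator is the backslash and the \??\ prefix (which the DDK says
     * is required) maps the C: drive letter into the NT namespace. */
    UNICODE_STRING ObjectName;
    RtlInitUnicodeString(&ObjectName, L"\\??\\C:\\ForZwFileTest.txt");

    OBJECT_ATTRIBUTES ObjectAttributes = {
        sizeof(OBJECT_ATTRIBUTES),   /* Length: must be the structure size */
        NULL,                        /* RootDirectory: ObjectName is absolute */
        &ObjectName,                 /* ObjectName */
        OBJ_CASE_INSENSITIVE,        /* Attributes: file-system names are case-insensitive */
        NULL,                        /* SecurityDescriptor: default security for a new file */
        NULL,                        /* SecurityQualityOfService: not an impersonation open */
    };

    char  content[] = "ForZwFileTest";
    const ULONG contentLen = (ULONG)(sizeof content - 1);   /* payload, minus the NUL */
    HANDLE hFile = NULL;
    IO_STATUS_BLOCK IoStatusBlock = {0};
    NTSTATUS status;
    int rc = 0;

    status = ZwCreateFile(&hFile,
                          GENERIC_WRITE | GENERIC_READ | SYNCHRONIZE, /* SYNCHRONIZE is required with FILE_SYNCHRONOUS_IO_* */
                          &ObjectAttributes,
                          &IoStatusBlock,
                          NULL,                          /* AllocationSize: none */
                          FILE_ATTRIBUTE_NORMAL,
                          FILE_SHARE_DELETE,             /* other openers may take DELETE access only */
                          FILE_OPEN_IF,                  /* open, or create when missing */
                          FILE_SYNCHRONOUS_IO_NONALERT,  /* each call completes before returning */
                          NULL, 0);                      /* no extended attributes */
    if (nt_failed(status)) {
        fprintf(stderr, "ZwCreateFile failed: 0x%08lX\n", (unsigned long)status);
        return 1;
    }

    /* The length was previously hard-coded as 12 and silently dropped the
     * final 't' of the 13-byte string; size the write from the buffer. */
    status = ZwWriteFile(hFile,
                         NULL, NULL, NULL,               /* synchronous: no event, no APC */
                         &IoStatusBlock,
                         content, contentLen,
                         NULL,                           /* ByteOffset: current file position */
                         NULL);                          /* Key: no byte-range lock */
    if (nt_failed(status)) {
        fprintf(stderr, "ZwWriteFile failed: 0x%08lX\n", (unsigned long)status);
        rc = 1;
    } else if (IoStatusBlock.Information != contentLen) {
        fprintf(stderr, "ZwWriteFile short write: %lu of %lu bytes\n",
                (unsigned long)IoStatusBlock.Information, (unsigned long)contentLen);
        rc = 1;
    }

    /* Release the handle before deleting; ZwDeleteFile works on the name. */
    status = ZwClose(hFile);
    if (nt_failed(status)) {
        fprintf(stderr, "ZwClose failed: 0x%08lX\n", (unsigned long)status);
        rc = 1;
    }

    /* The same OBJECT_ATTRIBUTES names the file again. The delete is
     * attempted even after a failed write so the demo does not leave the
     * file behind. */
    status = ZwDeleteFile(&ObjectAttributes);
    if (nt_failed(status)) {
        fprintf(stderr, "ZwDeleteFile failed: 0x%08lX\n", (unsigned long)status);
        rc = 1;
    }

    return rc;
}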

