一段文件删除代码(动态加载驱动)
来源:互联网 发布:神仙劫羽翼进阶数据 编辑:程序博客网 时间:2024/05/09 17:27
#include <ntddk.h>#define NT_DEVICE_NAME L"\\Device\\SuperKill"#define DOS_DEVICE_NAME L"\\DosDevices\\SuperKill"VOID SKillUnloadDriver( IN PDRIVER_OBJECT DriverObject ){PDEVICE_OBJECT deviceObject = DriverObject->DeviceObject;UNICODE_STRING uniSymLink;RtlInitUnicodeString(&uniSymLink, DOS_DEVICE_NAME);IoDeleteSymbolicLink(&uniSymLink);IoDeleteDevice(deviceObject);}HANDLESkillIoOpenFile(IN PCWSTR FileName,IN ACCESS_MASK DesiredAccess,IN ULONG ShareAccess){NTSTATUS ntStatus;UNICODE_STRING uniFileName;OBJECT_ATTRIBUTES objectAttributes;HANDLE ntFileHandle;IO_STATUS_BLOCK ioStatus;if (KeGetCurrentIrql() > PASSIVE_LEVEL){return 0;}RtlInitUnicodeString(&uniFileName, FileName);InitializeObjectAttributes(&objectAttributes, &uniFileName,OBJ_KERNEL_HANDLE | OBJ_CASE_INSENSITIVE, NULL, NULL);ntStatus = IoCreateFile(&ntFileHandle,DesiredAccess,&objectAttributes,&ioStatus,0,FILE_ATTRIBUTE_NORMAL,ShareAccess,FILE_OPEN,0,NULL,0,0,NULL,IO_NO_PARAMETER_CHECKING);if (!NT_SUCCESS(ntStatus)){return 0;}return ntFileHandle;}NTSTATUSSkillSetFileCompletion( IN PDEVICE_OBJECT DeviceObject, IN PIRP Irp, IN PVOID Context ){Irp->UserIosb->Status = Irp->IoStatus.Status;Irp->UserIosb->Information = Irp->IoStatus.Information;KeSetEvent(Irp->UserEvent, IO_NO_INCREMENT, FALSE);IoFreeIrp(Irp);return STATUS_MORE_PROCESSING_REQUIRED;}BOOLEANSKillStripFileAttributes( IN HANDLE FileHandle ){NTSTATUS ntStatus = STATUS_SUCCESS;PFILE_OBJECT fileObject;PDEVICE_OBJECT DeviceObject;PIRP Irp;KEVENT event1;FILE_BASIC_INFORMATION FileInformation;IO_STATUS_BLOCK ioStatus;PIO_STACK_LOCATION irpSp;ntStatus = ObReferenceObjectByHandle(FileHandle,DELETE,*IoFileObjectType,KernelMode,&fileObject,NULL);//我想知道的是这个文件句柄是在哪个进程的句柄表中if (!NT_SUCCESS(ntStatus)){return FALSE;}DeviceObject = IoGetRelatedDeviceObject(fileObject);Irp = IoAllocateIrp(DeviceObject->StackSize, TRUE);if (Irp == NULL){ObDereferenceObject(fileObject);return FALSE;}KeInitializeEvent(&event1, SynchronizationEvent, FALSE);memset(&FileInformation,0,0x28);FileInformation.FileAttributes = FILE_ATTRIBUTE_NORMAL;Irp->AssociatedIrp.SystemBuffer = &FileInformation;Irp->UserEvent = &event1;Irp->UserIosb = &ioStatus;Irp->Tail.Overlay.OriginalFileObject = fileObject;Irp->Tail.Overlay.Thread = (PETHREAD)KeGetCurrentThread();Irp->RequestorMode = KernelMode;irpSp = IoGetNextIrpStackLocation(Irp);irpSp->MajorFunction = IRP_MJ_SET_INFORMATION;irpSp->DeviceObject = DeviceObject;irpSp->FileObject = fileObject;irpSp->Parameters.SetFile.Length = sizeof(FILE_BASIC_INFORMATION);irpSp->Parameters.SetFile.FileInformationClass = FileBasicInformation;irpSp->Parameters.SetFile.FileObject = fileObject;IoSetCompletionRoutine(Irp,SkillSetFileCompletion,&event1,TRUE,TRUE,TRUE);IoCallDriver(DeviceObject, Irp);//调用这个设备对象的驱动对象,并且IO_StACK_LOCAtion会指向下一个,也就是刚刚设置的 //如果没有文件系统驱动建立的设备对象没有Attacked的话,就调用文件系统驱动的IRP_MJ_SET_INFORMATION分派例程//会调用NTFS.sys驱动的NtfsFsdSetInformation例程,再会进入NtfsSetBasicInfo()函数,最后它会设置代表此文件的FCB(文件//控制块结构的一些信息,用来设置代表此文件的属性。最后不知道在哪里会调用IoCompleteRequest,它会依次调用先前设置的回调函数//回调函数会释放刚分配的IRP和设置事件对象为受信状态。KeWaitForSingleObject(&event1, Executive, KernelMode, TRUE, NULL);//一等到事件对象变成受信状态就会继续向下执行。ObDereferenceObject(fileObject);return TRUE;}BOOLEANSKillDeleteFile(IN HANDLE FileHandle){NTSTATUS ntStatus = STATUS_SUCCESS;PFILE_OBJECT fileObject;PDEVICE_OBJECT DeviceObject;PIRP Irp;KEVENT event1;FILE_DISPOSITION_INFORMATION FileInformation;IO_STATUS_BLOCK ioStatus;PIO_STACK_LOCATION irpSp;PSECTION_OBJECT_POINTERS pSectionObjectPointer; ////////////////////SKillStripFileAttributes( FileHandle); //去掉只读属性,才能删除只读文件ntStatus = ObReferenceObjectByHandle(FileHandle,DELETE,*IoFileObjectType,KernelMode,&fileObject,NULL);if (!NT_SUCCESS(ntStatus)){return FALSE;}DeviceObject = IoGetRelatedDeviceObject(fileObject);//如果NTFS.sys驱动建立的设备对象上没有附加的设备对象的话,就返回NTFS.sys建立的设备对象//否则返回的是这个设备对象的highest level设备对象。Irp = IoAllocateIrp(DeviceObject->StackSize, TRUE);//如果没有附加,StackSize为7if (Irp == NULL){ObDereferenceObject(fileObject);return FALSE;}KeInitializeEvent(&event1, SynchronizationEvent, FALSE);FileInformation.DeleteFile = TRUE;Irp->AssociatedIrp.SystemBuffer = &FileInformation;Irp->UserEvent = &event1;Irp->UserIosb = &ioStatus;Irp->Tail.Overlay.OriginalFileObject = fileObject;Irp->Tail.Overlay.Thread = (PETHREAD)KeGetCurrentThread();Irp->RequestorMode = KernelMode;irpSp = IoGetNextIrpStackLocation(Irp); //得到文件系统NTFS.sys驱动的设备IO_STACK_LOCATIONirpSp->MajorFunction = IRP_MJ_SET_INFORMATION;irpSp->DeviceObject = DeviceObject;irpSp->FileObject = fileObject;irpSp->Parameters.SetFile.Length = sizeof(FILE_DISPOSITION_INFORMATION);irpSp->Parameters.SetFile.FileInformationClass = FileDispositionInformation;irpSp->Parameters.SetFile.FileObject = fileObject;IoSetCompletionRoutine(Irp,SkillSetFileCompletion,&event1,TRUE,TRUE,TRUE);//再加上下面这三行代码 ,MmFlushImageSection 函数通过这个结构来检查是否可以删除文件。pSectionObjectPointer = fileObject->SectionObjectPointer;pSectionObjectPointer->ImageSectionObject = 0;pSectionObjectPointer->DataSectionObject = 0;IoCallDriver(DeviceObject, Irp);//这里会依次进入NTFS.sys驱动的NtfsFsdSetInformation例程->NtfsSetDispositionInfo()->MmFlushImageSection(),//MmFlushImageSection()这函数是用来检查FILE_OBJECT对象的SECTION_OBJECT_POINTER结构的变量,检查这个文件//在内存有没有被映射。也就是有没有执行。如果上面那样设置了,也就是说文件可以删除了。我们也可以HOOK NTFS.sys导入表中的//的MmFlushImageSection(),来检查这个文件对象是不是我们要删除 的,是的话,返回TRUE就行了。KeWaitForSingleObject(&event1, Executive, KernelMode, TRUE, NULL);ObDereferenceObject(fileObject);return TRUE;}NTSTATUS DriverEntry( IN PDRIVER_OBJECT DriverObject, IN PUNICODE_STRING RegistryPath ){UNICODE_STRING uniDeviceName;UNICODE_STRING uniSymLink;NTSTATUS ntStatus;PDEVICE_OBJECT deviceObject = NULL;HANDLE hFileHandle;RtlInitUnicodeString(&uniDeviceName, NT_DEVICE_NAME);RtlInitUnicodeString(&uniSymLink, DOS_DEVICE_NAME);ntStatus = IoCreateDevice(DriverObject,0x100u,&uniDeviceName,FILE_DEVICE_UNKNOWN,FILE_DEVICE_SECURE_OPEN,TRUE,&deviceObject);if (!NT_SUCCESS(ntStatus)){return ntStatus;}ntStatus = IoCreateSymbolicLink(&uniSymLink, &uniDeviceName);if (!NT_SUCCESS(ntStatus)){IoDeleteDevice(deviceObject);return ntStatus;}DriverObject->DriverUnload = SKillUnloadDriver;//// 重点在这//hFileHandle = SkillIoOpenFile(L"\\Device\\HarddiskVolume1\\", FILE_READ_ATTRIBUTES,FILE_SHARE_DELETE); //得到文件句柄if (hFileHandle!=NULL){SKillDeleteFile(hFileHandle);ZwClose(hFileHandle);}return STATUS_SUCCESS;}
对应的测试代码:动态加载驱动服务程序
加载NT驱动的代码
1、调用OpenSCManager,打开SCM管理器
2、调用CreateService,创建服务,成功则到步骤6
3、用GetLastError得到错误返回值
4、如果创建错误,返回值为ERROR_IO_PENDING,说明服务已经创建过,不需要重新创建,用OpenService打开此服务
5、错误返回失败
6、调用StartService开启服务
7、成功返回
#include <windows.h> #include <winsvc.h> #include <conio.h> #include <stdio.h>#define DRIVER_NAME L"SuperKill"#define DRIVER_PATH L"..\\SuperKill.sys"//装载NT驱动程序BOOL LoadNTDriver(LPTSTR lpszDriverName,LPTSTR lpszDriverPath){LPTSTR szDriverImagePath=NULL;//得到完整的驱动路径//GetFullPathName(lpszDriverPath, 256, szDriverImagePath, NULL);szDriverImagePath=L"D:\\drivertest\\sure\\SuperKill.sys";BOOL bRet = FALSE;SC_HANDLE hServiceMgr=NULL;//SCM管理器的句柄SC_HANDLE hServiceDDK=NULL;//NT驱动程序的服务句柄//打开服务控制管理器hServiceMgr = OpenSCManager( NULL, NULL, SC_MANAGER_ALL_ACCESS );if( hServiceMgr == NULL ) {//OpenSCManager失败printf( "OpenSCManager() Faild %d ! \n", GetLastError() );bRet = FALSE;goto BeforeLeave;}else{////OpenSCManager成功printf( "OpenSCManager() ok ! \n" ); }//创建驱动所对应的服务hServiceDDK = CreateService( hServiceMgr,lpszDriverName, //驱动程序的在注册表中的名字 lpszDriverName, // 注册表驱动程序的 DisplayName 值 SERVICE_ALL_ACCESS, // 加载驱动程序的访问权限 SERVICE_KERNEL_DRIVER,// 表示加载的服务是驱动程序 SERVICE_DEMAND_START, // 注册表驱动程序的 Start 值 SERVICE_ERROR_IGNORE, // 注册表驱动程序的 ErrorControl 值 szDriverImagePath, // 注册表驱动程序的 ImagePath 值 NULL, NULL, NULL, NULL, NULL); DWORD dwRtn;//判断服务是否失败if( hServiceDDK == NULL ) { dwRtn = GetLastError();if( dwRtn != ERROR_IO_PENDING && dwRtn != ERROR_SERVICE_EXISTS ) { //由于其他原因创建服务失败printf( "CrateService() Faild %d ! \n", dwRtn ); bRet = FALSE;goto BeforeLeave;} else {//服务创建失败,是由于服务已经创立过printf( "CrateService() Faild Service is ERROR_IO_PENDING or ERROR_SERVICE_EXISTS! \n" ); }// 驱动程序已经加载,只需要打开 hServiceDDK = OpenService( hServiceMgr, lpszDriverName, SERVICE_ALL_ACCESS ); if( hServiceDDK == NULL ) {//如果打开服务也失败,则意味错误dwRtn = GetLastError(); printf( "OpenService() Faild %d ! \n", dwRtn ); bRet = FALSE;goto BeforeLeave;} else {printf( "OpenService() ok ! \n" );}} else {printf( "CrateService() ok ! \n" );}//开启此项服务bRet= StartService( hServiceDDK, NULL, NULL ); if( !bRet ) { DWORD dwRtn = GetLastError(); if( dwRtn != ERROR_IO_PENDING && dwRtn != ERROR_SERVICE_ALREADY_RUNNING ) { printf( "StartService() Faild %d ! \n", dwRtn ); bRet = FALSE;goto BeforeLeave;} else { if( dwRtn == ERROR_IO_PENDING ) { //设备被挂住printf( "StartService() Faild ERROR_IO_PENDING ! \n");bRet = FALSE;goto BeforeLeave;} else { //服务已经开启printf( "StartService() Faild ERROR_SERVICE_ALREADY_RUNNING ! \n");bRet = TRUE;goto BeforeLeave;} } }bRet = TRUE;//离开前关闭句柄BeforeLeave:if(hServiceDDK){CloseServiceHandle(hServiceDDK);}if(hServiceMgr){CloseServiceHandle(hServiceMgr);}return bRet;}//卸载驱动程序 BOOL UnloadNTDriver( LPTSTR szSvrName ) {BOOL bRet = FALSE;SC_HANDLE hServiceMgr=NULL;//SCM管理器的句柄SC_HANDLE hServiceDDK=NULL;//NT驱动程序的服务句柄SERVICE_STATUS SvrSta;//打开SCM管理器hServiceMgr = OpenSCManager( NULL, NULL, SC_MANAGER_ALL_ACCESS ); if( hServiceMgr == NULL ) {//带开SCM管理器失败printf( "OpenSCManager() Faild %d ! \n", GetLastError() ); bRet = FALSE;goto BeforeLeave;} else {//带开SCM管理器失败成功printf( "OpenSCManager() ok ! \n" ); }//打开驱动所对应的服务hServiceDDK = OpenService( hServiceMgr, szSvrName, SERVICE_ALL_ACCESS ); if( hServiceDDK == NULL ) {//打开驱动所对应的服务失败printf( "OpenService() Faild %d ! \n", GetLastError() ); bRet = FALSE;goto BeforeLeave;} else { printf( "OpenService() ok ! \n" ); } //停止驱动程序,如果停止失败,只有重新启动才能,再动态加载。 if( !ControlService( hServiceDDK, SERVICE_CONTROL_STOP , &SvrSta ) ) { printf( "ControlService() Faild %d !\n", GetLastError() ); } else {//打开驱动所对应的失败printf( "ControlService() ok !\n" ); } //动态卸载驱动程序。 if( !DeleteService( hServiceDDK ) ) {//卸载失败printf( "DeleteSrevice() Faild %d !\n", GetLastError() ); } else { //卸载成功printf( "DelServer:eleteSrevice() ok !\n" ); } bRet = TRUE;BeforeLeave://离开前关闭打开的句柄if(hServiceDDK){CloseServiceHandle(hServiceDDK);}if(hServiceMgr){CloseServiceHandle(hServiceMgr);}return bRet;} void TestDriver(){//测试驱动程序 HANDLE hDevice = CreateFile(L"\\\\.\\SuperKill", GENERIC_WRITE | GENERIC_READ, 0, NULL, OPEN_EXISTING, 0, NULL); if( hDevice != INVALID_HANDLE_VALUE ) {printf( "Create Device ok ! \n" ); }else {printf( "Create Device faild %d ! \n", GetLastError() ); }CloseHandle( hDevice );} int main(int argc, char* argv[]) {//加载驱动BOOL bRet = LoadNTDriver(DRIVER_NAME,DRIVER_PATH);if (!bRet){printf("LoadNTDriver error\n");return 0;}//加载成功printf( "press any to create device!\n" ); //getch(); TestDriver();//这时候你可以通过注册表,或其他查看符号连接的软件验证。 printf( "press any to unload the driver!\n" ); //getch(); //卸载驱动UnloadNTDriver(DRIVER_NAME);if (!bRet){printf("UnloadNTDriver error\n");return 0;}return 0; }
- 一段文件删除代码(动态加载驱动)
- 一段删除文件和文件夹的代码
- 释放-加载-删除驱动的代码
- 简单动态加载磁盘文件----删除功能
- 批量删除的一段代码。
- 动态加载js文件的jsLoader代码
- LED驱动动态加载方式(xc2440)
- 动态加载NT驱动(源码)
- 模块化驱动动态加载
- ZwSetSystemInformation 动态加载驱动
- 动态加载驱动-2
- 驱动动态加载
- 动态加载流驱动
- 动态加载驱动 DDK
- 模块化驱动动态加载
- 一段代码文件的注释
- 一段保存文件的代码
- Jsp下载文件 一段代码
- Java中Jndi连接数据库
- 找出数组中出现次数超过一半的数
- 把单通道图像转成3通道进行处理
- C/C++中的日期和时间函数
- Windows 7中Telnet功能安装与测试
- 一段文件删除代码(动态加载驱动)
- 编程珠玑 Chap 2
- WindowsForm应用程序调用WebService
- TTL和CMOS电平总结
- Java学习(回顾)笔记之day2
- Java与Flex学习笔记(18)----Flex中创建右键菜单
- struts2 ognl中两个迭代器的使用
- linux 下关闭启动sendmail 服务
- (译)一个cocos2d节点不显示的各种原因