内核复制文件


众所周知内核中并不存在 ZwCopyFile,但可利用ZwReadFile,ZwWriteFile来实现

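#include <ntddk.h>

/* Size in bytes of the paged-pool staging buffer used per read/write round trip
 * (the original hard-coded 1000 at both the allocation and the read call). */
#define COPY_CHUNK_SIZE 1000

/* Pool tag for the staging buffer. ExAllocatePoolWithTag takes a ULONG, not a
 * string: the original passed the string literal "tag1" (a pointer), which is
 * the wrong type. Multi-character constant so the tag displays as "Tag1". */
#define COPY_POOL_TAG '1gaT'

/* Unload callback: nothing to release beyond what the I/O manager tears down. */
VOID DriverUnload(IN PDRIVER_OBJECT DriverObject)
{
    UNREFERENCED_PARAMETER(DriverObject);
    DbgPrint("卸载完成!\n");
}

/*
 * Copy srcFile to desFile with ZwReadFile/ZwWriteFile.
 *
 * desFile: NT object path of the destination (e.g. "\??\c:\out.bin"). It is
 *          created, or truncated if it already exists, so a shorter copy does
 *          not leave stale bytes from a longer previous file behind.
 * srcFile: NT object path of the source. It must already exist; the original
 *          used FILE_OPEN_IF, which silently created an empty source and then
 *          "copied" nothing.
 * Returns TRUE when the whole source was copied, FALSE on any failure.
 * Must run at PASSIVE_LEVEL (Zw* file APIs and PagedPool require it).
 *
 * Handles are opened with the minimum access the copy needs (read on the
 * source, write on the destination) rather than GENERIC_ALL; the original
 * also read uninitialised handle variables on the early-failure paths and
 * never checked the pool allocation.
 */
BOOLEAN MyCopyFile(PCWSTR desFile, PCWSTR srcFile)
{
    HANDLE readFileHandle = NULL;
    HANDLE writeFileHandle = NULL;
    PVOID saveBuffer = NULL;
    OBJECT_ATTRIBUTES readAttributes;
    OBJECT_ATTRIBUTES writeAttributes;
    UNICODE_STRING readFilePath;
    UNICODE_STRING writeFilePath;
    IO_STATUS_BLOCK ioStatus;
    LARGE_INTEGER byteOffset;
    NTSTATUS status;
    ULONG length = 0;
    BOOLEAN ok = FALSE;

    byteOffset.QuadPart = 0;
    RtlInitUnicodeString(&readFilePath, srcFile);
    RtlInitUnicodeString(&writeFilePath, desFile);

    saveBuffer = ExAllocatePoolWithTag(PagedPool, COPY_CHUNK_SIZE, COPY_POOL_TAG);
    if (saveBuffer == NULL) {
        DbgPrint("Can not allocate copy buffer\n");
        return FALSE;
    }

    /* OBJ_KERNEL_HANDLE keeps the handles out of the current process's table
     * so user mode cannot reach them. */
    InitializeObjectAttributes(&readAttributes, &readFilePath,
                               OBJ_CASE_INSENSITIVE | OBJ_KERNEL_HANDLE, NULL, NULL);
    InitializeObjectAttributes(&writeAttributes, &writeFilePath,
                               OBJ_CASE_INSENSITIVE | OBJ_KERNEL_HANDLE, NULL, NULL);

    /* Source: read access only, FILE_OPEN so a missing source is an error.
     * SYNCHRONIZE is required alongside FILE_SYNCHRONOUS_IO_NONALERT. */
    status = ZwCreateFile(&readFileHandle, GENERIC_READ | SYNCHRONIZE, &readAttributes,
                          &ioStatus, NULL, FILE_ATTRIBUTE_NORMAL, FILE_SHARE_READ,
                          FILE_OPEN, FILE_NON_DIRECTORY_FILE | FILE_SYNCHRONOUS_IO_NONALERT,
                          NULL, 0);
    if (!NT_SUCCESS(status)) {
        DbgPrint("Can not create source handle, status 0x%08X\n", status);
        goto cleanup;
    }

    /* Destination: write access only, FILE_OVERWRITE_IF to create or truncate. */
    status = ZwCreateFile(&writeFileHandle, GENERIC_WRITE | SYNCHRONIZE, &writeAttributes,
                          &ioStatus, NULL, FILE_ATTRIBUTE_NORMAL, FILE_SHARE_READ,
                          FILE_OVERWRITE_IF,
                          FILE_NON_DIRECTORY_FILE | FILE_SYNCHRONOUS_IO_NONALERT,
                          NULL, 0);
    if (!NT_SUCCESS(status)) {
        DbgPrint("Can not create destination handle, status 0x%08X\n", status);
        goto cleanup;
    }

    for (;;) {
        status = ZwReadFile(readFileHandle, NULL, NULL, NULL, &ioStatus,
                            saveBuffer, COPY_CHUNK_SIZE, &byteOffset, NULL);
        if (status == STATUS_END_OF_FILE) {
            /* Normal termination. The original treated this as a failure and
             * returned FALSE, so the function could never report success. */
            break;
        }
        if (!NT_SUCCESS(status)) {
            DbgPrint("Can not read File, status 0x%08X\n", status);
            goto cleanup;
        }

        /* Bytes actually read; a zero-length read also means end of data. */
        length = (ULONG)ioStatus.Information;
        if (length == 0) {
            break;
        }

        status = ZwWriteFile(writeFileHandle, NULL, NULL, NULL, &ioStatus,
                             saveBuffer, length, &byteOffset, NULL);
        /* A short write would silently corrupt the copy, so treat it as failure. */
        if (!NT_SUCCESS(status) || ioStatus.Information != length) {
            DbgPrint("Can not write File ");
            goto cleanup;
        }

        /* Advance the shared file offset; both files are read/written in lockstep. */
        byteOffset.QuadPart += length;
    }
    ok = TRUE;

cleanup:
    /* Handles are NULL until their ZwCreateFile succeeded, so these checks are safe. */
    if (readFileHandle != NULL) {
        ZwClose(readFileHandle);
    }
    if (writeFileHandle != NULL) {
        ZwClose(writeFileHandle);
    }
    ExFreePoolWithTag(saveBuffer, COPY_POOL_TAG);
    return ok;
}

/*
 * Driver entry point: installs the unload routine and performs one copy.
 * Note the argument order of MyCopyFile: destination first, then source.
 */
NTSTATUS DriverEntry(IN PDRIVER_OBJECT DriverObject, PUNICODE_STRING RegistryPath)
{
    UNREFERENCED_PARAMETER(RegistryPath);

    /* Register the unload routine before doing any work so the driver can
     * always be unloaded, even if the copy below fails. */
    DriverObject->DriverUnload = DriverUnload;

    if (MyCopyFile(L"\\??\\c:\\xxxx.rar", L"\\??\\c:\\xxxx1.rar")) {
        DbgPrint("CopyFile Sucessfully");
    }
    return STATUS_SUCCESS;
}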

