枚举驱动符号链接
枚举符号链接:
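#include <windows.h>
#include <stdlib.h>
#include <stdio.h>
#include <string.h>
#include <tchar.h>

// NTSTATUS is a signed 32-bit status code (negative = error, 0x8xxxxxxx = warning).
// The WDK's ntdef.h (guard _NTDEF_) already provides it; the original listing left
// its own typedef commented out, presumably because of that redefinition.
#ifndef _NTDEF_
typedef LONG NTSTATUS;
#endif

// Counted UTF-16 string. Length and MaximumLength are BYTE counts, not character
// counts, and Buffer is NOT guaranteed to be NUL-terminated.
typedef struct _UNICODE_STRING {
    USHORT Length;
    USHORT MaximumLength;
    PWSTR Buffer;
} UNICODE_STRING, *PUNICODE_STRING;

// Object attributes passed to the Zw*Open* calls.
typedef struct _OBJECT_ATTRIBUTES {
    ULONG Length;
    HANDLE RootDirectory;
    UNICODE_STRING *ObjectName;
    ULONG Attributes;
    PSECURITY_DESCRIPTOR SecurityDescriptor;
    PSECURITY_QUALITY_OF_SERVICE SecurityQualityOfService;
} OBJECT_ATTRIBUTES, *POBJECT_ATTRIBUTES;

// One entry returned by ZwQueryDirectoryObject.
typedef struct _DIRECTORY_BASIC_INFORMATION {
    UNICODE_STRING ObjectName;
    UNICODE_STRING ObjectTypeName;
} DIRECTORY_BASIC_INFORMATION, *PDIRECTORY_BASIC_INFORMATION;

// Access rights and status codes used below.
#define OBJ_CASE_INSENSITIVE 0x00000040L
#define DIRECTORY_QUERY (0x0001)
#define STATUS_SUCCESS ((NTSTATUS)0x00000000L) // ntsubauth
#define STATUS_MORE_ENTRIES ((NTSTATUS)0x00000105L)
#define STATUS_NO_MORE_ENTRIES ((NTSTATUS)0x8000001AL)
#define STATUS_BUFFER_TOO_SMALL ((NTSTATUS)0xC0000023L)
#define SYMBOLIC_LINK_QUERY (0x0001)
#define SYMBOLIC_LINK_ALL_ACCESS (STANDARD_RIGHTS_REQUIRED | 0x1)

// Byte sizes of the two fixed buffers used during enumeration.
#define DIRECTORY_ENTRY_BUFFER_BYTES 2048
#define TARGET_NAME_BUFFER_BYTES 2048

// Fill an OBJECT_ATTRIBUTES block (do/while(0) so it behaves as one statement).
#define InitializeObjectAttributes( p, n, a, r, s ) do { \
    (p)->Length = sizeof( OBJECT_ATTRIBUTES ); \
    (p)->RootDirectory = r; \
    (p)->Attributes = a; \
    (p)->ObjectName = n; \
    (p)->SecurityDescriptor = s; \
    (p)->SecurityQualityOfService = NULL; \
} while (0)

// ntdll entry points resolved at run time (ntdll exports them but the SDK import
// library does not always expose them).
typedef VOID (CALLBACK* RTLINITUNICODESTRING)(PUNICODE_STRING, PCWSTR);
RTLINITUNICODESTRING RtlInitUnicodeString;

typedef BOOLEAN (WINAPI *RTLEQUALUNICODESTRING)(const UNICODE_STRING *String1, const UNICODE_STRING *String2, BOOLEAN CaseInSensitive);
RTLEQUALUNICODESTRING RtlEqualUnicodeString;

typedef NTSTATUS (WINAPI *ZWOPENDIRECTORYOBJECT)(OUT PHANDLE DirectoryHandle, IN ACCESS_MASK DesiredAccess, IN POBJECT_ATTRIBUTES ObjectAttributes);
ZWOPENDIRECTORYOBJECT ZwOpenDirectoryObject;

typedef NTSTATUS (WINAPI *ZWQUERYDIRECTORYOBJECT)(IN HANDLE DirectoryHandle, OUT PVOID Buffer, IN ULONG BufferLength, IN BOOLEAN ReturnSingleEntry, IN BOOLEAN RestartScan, IN OUT PULONG Context, OUT PULONG ReturnLength OPTIONAL);
ZWQUERYDIRECTORYOBJECT ZwQueryDirectoryObject;

typedef NTSTATUS (WINAPI *ZWOPENSYMBOLICKLINKOBJECT)(OUT PHANDLE SymbolicLinkHandle, IN ACCESS_MASK DesiredAccess, IN POBJECT_ATTRIBUTES ObjectAttributes);
ZWOPENSYMBOLICKLINKOBJECT ZwOpenSymbolicLinkObject;

typedef NTSTATUS (WINAPI *ZWQUERYSYMBOLICKLINKOBJECT)(IN HANDLE SymbolicLinkHandle, IN OUT PUNICODE_STRING TargetName, OUT PULONG ReturnLength OPTIONAL);
ZWQUERYSYMBOLICKLINKOBJECT ZwQuerySymbolicLinkObject;

typedef NTSTATUS (WINAPI *ZWCLOSE)(IN HANDLE Handle);
ZWCLOSE ZwClose;

// Look up one ntdll export; on failure log the symbol name and clear *ok so the
// caller never dereferences a NULL function pointer.
static FARPROC GetNtdllProc(HMODULE hNtdll, const char *name, BOOL *ok)
{
    FARPROC proc = GetProcAddress(hNtdll, name);
    if (proc == NULL) {
        printf("[%s]--GetProcAddress(%s) failed(%lu).\r\n", __FUNCTION__, name, GetLastError());
        *ok = FALSE;
    }
    return proc;
}

// Resolve every ntdll entry point this program calls. Returns FALSE if any is missing.
static BOOL LoadNtdllProcs(HMODULE hNtdll)
{
    BOOL ok = TRUE;
    RtlInitUnicodeString = (RTLINITUNICODESTRING)GetNtdllProc(hNtdll, "RtlInitUnicodeString", &ok);
    RtlEqualUnicodeString = (RTLEQUALUNICODESTRING)GetNtdllProc(hNtdll, "RtlEqualUnicodeString", &ok);
    ZwOpenDirectoryObject = (ZWOPENDIRECTORYOBJECT)GetNtdllProc(hNtdll, "ZwOpenDirectoryObject", &ok);
    ZwQueryDirectoryObject = (ZWQUERYDIRECTORYOBJECT)GetNtdllProc(hNtdll, "ZwQueryDirectoryObject", &ok);
    ZwOpenSymbolicLinkObject = (ZWOPENSYMBOLICKLINKOBJECT)GetNtdllProc(hNtdll, "ZwOpenSymbolicLinkObject", &ok);
    ZwQuerySymbolicLinkObject = (ZWQUERYSYMBOLICKLINKOBJECT)GetNtdllProc(hNtdll, "ZwQuerySymbolicLinkObject", &ok);
    ZwClose = (ZWCLOSE)GetNtdllProc(hNtdll, "ZwClose", &ok);
    return ok;
}

// Print a counted UNICODE_STRING without assuming NUL termination
// (the original used plain %S, which reads past Length if no terminator is present).
static void PrintUnicodeString(const UNICODE_STRING *s)
{
    if (s->Buffer == NULL || s->Length == 0) {
        return;
    }
    printf("%.*S", (int)(s->Length / sizeof(WCHAR)), s->Buffer);
}

// Open an object-manager directory by absolute NT path with DIRECTORY_QUERY access
// only (least privilege: that is all the enumeration needs). Returns NULL on failure.
// NOTE(review): \BaseNamedObjects is the session-0 ("Global\") namespace; objects that
// Win32 APIs create without a Global\ prefix live under \Sessions\<n>\BaseNamedObjects
// for the caller's session — confirm which namespace you intend to walk.
static HANDLE OpenObjectDirectory(PCWSTR directoryPath)
{
    UNICODE_STRING strDirName;
    OBJECT_ATTRIBUTES oba;
    HANDLE hDirectory = NULL;
    NTSTATUS ntStatus;

    RtlInitUnicodeString(&strDirName, directoryPath);
    InitializeObjectAttributes(&oba, &strDirName, OBJ_CASE_INSENSITIVE, NULL, NULL);
    printf("[%s]--Open directory object now.\r\n", __FUNCTION__);
    ntStatus = ZwOpenDirectoryObject(&hDirectory, DIRECTORY_QUERY, &oba);
    if (ntStatus != STATUS_SUCCESS) {
        // Zw* failures are reported through the NTSTATUS itself; GetLastError() is
        // not set by them, so print the status code instead.
        printf("[%s]--Open directory object failed(0x%08lX).\r\n", __FUNCTION__, (unsigned long)ntStatus);
        return NULL;
    }
    printf("[%s]--Open directory object success.\r\n", __FUNCTION__);
    return hDirectory;
}

// Walk hDirectory one entry per ZwQueryDirectoryObject call and, for every entry of
// type "SymbolicLink", open it (query access only) and read its target.
// Per-entry failures (access denied, target longer than the buffer, ...) are logged
// and skipped so one unreadable link does not abort the whole walk.
// Returns 0 when the directory was walked to the end, -1 on an enumeration-level failure.
static int EnumerateSymbolicLinks(HANDLE hDirectory)
{
    UNICODE_STRING symbolicLinkType;
    UNICODE_STRING targetName;
    BYTE buffer[DIRECTORY_ENTRY_BUFFER_BYTES] = {0};
    ULONG ulContext = 0;
    ULONG ulRet = 0;
    NTSTATUS ntStatus;
    int result = 0;

    RtlInitUnicodeString(&symbolicLinkType, L"SymbolicLink");

    // MaximumLength is a byte count and must match the allocation exactly. The
    // original allocated 2048 bytes but advertised 1024, and later cleared
    // Length*sizeof(WCHAR) bytes although Length is already in bytes.
    targetName.Length = 0;
    targetName.MaximumLength = TARGET_NAME_BUFFER_BYTES;
    targetName.Buffer = (PWSTR)calloc(1, TARGET_NAME_BUFFER_BYTES);
    if (targetName.Buffer == NULL) {
        printf("[%s]--calloc failed(%lu).\r\n", __FUNCTION__, GetLastError());
        return -1;
    }

    for (;;) {
        // ReturnSingleEntry = TRUE: one DIRECTORY_BASIC_INFORMATION per call; the kernel
        // advances ulContext for us (RestartScan = FALSE, ulContext starts at 0).
        ntStatus = ZwQueryDirectoryObject(hDirectory, buffer, (ULONG)sizeof(buffer), TRUE, FALSE, &ulContext, &ulRet);
        if (ntStatus == STATUS_NO_MORE_ENTRIES) {
            printf("[%s]--No more object.\r\n", __FUNCTION__);
            break;
        }
        if (ntStatus != STATUS_SUCCESS && ntStatus != STATUS_MORE_ENTRIES) {
            printf("[%s]--ZwQueryDirectoryObject failed(0x%08lX).\r\n", __FUNCTION__, (unsigned long)ntStatus);
            result = -1;
            break;
        }

        PDIRECTORY_BASIC_INFORMATION directoryInfo = (PDIRECTORY_BASIC_INFORMATION)buffer;
        printf("ObjectName: [");
        PrintUnicodeString(&directoryInfo->ObjectName);
        printf("]---ObjectTypeName: [");
        PrintUnicodeString(&directoryInfo->ObjectTypeName);
        printf("]\n");

        if (!RtlEqualUnicodeString(&directoryInfo->ObjectTypeName, &symbolicLinkType, TRUE)) {
            continue;
        }

        OBJECT_ATTRIBUTES symbolicLinkAttributes;
        HANDLE hSymbolicLink = NULL;
        // The entry name is relative to the directory, hence hDirectory as RootDirectory.
        InitializeObjectAttributes(&symbolicLinkAttributes, &directoryInfo->ObjectName, OBJ_CASE_INSENSITIVE, hDirectory, NULL);
        ntStatus = ZwOpenSymbolicLinkObject(&hSymbolicLink, SYMBOLIC_LINK_QUERY, &symbolicLinkAttributes);
        if (ntStatus != STATUS_SUCCESS) {
            printf("[%s]--ZwOpenSymbolicLinkObject failed(0x%08lX), skipping.\r\n", __FUNCTION__, (unsigned long)ntStatus);
            continue;
        }

        targetName.Length = 0;
        ntStatus = ZwQuerySymbolicLinkObject(hSymbolicLink, &targetName, NULL);
        if (ntStatus == STATUS_SUCCESS) {
            printf("    -> target: [");
            PrintUnicodeString(&targetName);
            printf("]\n");
            // TODO: add per-symbolic-link processing here
        } else {
            // STATUS_BUFFER_TOO_SMALL is the expected case for very long targets.
            printf("[%s]--ZwQuerySymbolicLinkObject failed(0x%08lX), skipping.\r\n", __FUNCTION__, (unsigned long)ntStatus);
        }
        // Clear only what was written; Length is already a byte count.
        memset(targetName.Buffer, 0, targetName.Length);
        ZwClose(hSymbolicLink);
    }

    free(targetName.Buffer);
    return result;
}

// Entry point: load ntdll, resolve the Zw*/Rtl* exports, open \BaseNamedObjects and
// list every symbolic link in it together with its target. All acquired resources
// (directory handle, target buffer, module reference) are released on every path;
// the original left hDirectory uninitialized on the early-exit path and never freed
// the calloc'd buffer or the module.
int main()
{
    HMODULE hNtdll = LoadLibrary(_T("ntdll.dll"));
    if (hNtdll == NULL) {
        printf("[%s]--Load ntdll.dll failed(%lu).\r\n", __FUNCTION__, GetLastError());
    } else {
        printf("[%s]--Load ntdll.dll sucess now get proc.\r\n", __FUNCTION__);
        if (LoadNtdllProcs(hNtdll)) {
            // Always a wide literal: RtlInitUnicodeString takes PCWSTR, so _T() is only
            // correct when UNICODE happens to be defined.
            HANDLE hDirectory = OpenObjectDirectory(L"\\BaseNamedObjects");
            if (hDirectory != NULL) {
                EnumerateSymbolicLinks(hDirectory);
                ZwClose(hDirectory);
            }
        }
        FreeLibrary(hNtdll);
    }
    getchar();
    return 0;
}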
比如说,需要统计程序 A 当前有几个实例在运行,可以在上面的枚举循环中,根据对象名里包含的 GUID 进行匹配查找:
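// Presumably placed inside the enumeration loop, where `buffer` holds the entry just
// returned by ZwQueryDirectoryObject.
PDIRECTORY_BASIC_INFORMATION directoryInfo = (PDIRECTORY_BASIC_INFORMATION)buffer;
// ObjectName is a counted string (Length in bytes, not necessarily NUL-terminated), so
// build the std::wstring from the explicit length instead of scanning Buffer for a terminator.
std::wstring objectName(directoryInfo->ObjectName.Buffer, directoryInfo->ObjectName.Length / sizeof(WCHAR));
// Count every named object whose name carries the application's instance GUID.
if ( objectName.find( L"{FED3DBE6-1256-46fc-8DAE-C13360CB46C8}" ) != std::wstring::npos )
{
    ++g_nAppClientCount;
}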