文件操作-Malloc笔记

本文详细介绍了使用Windows内核API进行文件操作的方法,包括创建、读取、写入、复制、移动及删除文件等基本操作,并提供了具体示例代码。


创建文件/文件夹
读/写
拷贝
移动
删除
属性访问与设置


应用层:"c:\\hi.txt"
内核:L"\\??\\c:\\hi.txt"
R3:
设备名:L"\\\\.\\xxxDrv"
R0:
设备名:"\\device\\xxxDrv"
符号链接名:"\\dosdevices\\xxxDrv"




常用API
ZwCreateFile //创建文件、创建文件夹、打开文件都用它
ZwWriteFile 
ZwReadFile
ZwQueryInformationFile  //查询文件信息
ZwQueryFullAttributesFile //查询文件属性 比如是不是文件 文件夹
ZwSetInformationFile //设置文件信息
ZwClose
ZwQueryDirectoryFile //枚举文件


/* Open-or-create a regular file for writing; each argument is labelled with
 * its ZwCreateFile parameter name, in call order. */
ZwCreateFile(
		&hFile, 	/* FileHandle: receives the handle on success */
		GENERIC_WRITE,	/* DesiredAccess */
	        &objAttrib, 	/* ObjectAttributes: carries the path and the OBJ_* flags */
		&io_status, 	/* IoStatusBlock: final status and information */
		NULL, 		/* AllocationSize: none requested */
		FILE_ATTRIBUTE_NORMAL,	/* FileAttributes used if the file is created */
	        FILE_SHARE_READ | FILE_SHARE_WRITE | 		FILE_SHARE_DELETE, 	/* ShareAccess */
		FILE_OPEN_IF,	/* CreateDisposition: open if present, otherwise create */
	        FILE_SYNCHRONOUS_IO_NONALERT | 			FILE_NON_DIRECTORY_FILE, 	/* CreateOptions: synchronous I/O, refuse directories */
		NULL, 		/* EaBuffer: unused */
		0);		/* EaLength */


/* Synchronous read of up to PAGE_SIZE bytes at `offset`.
 * `buffer` must be at least PAGE_SIZE bytes long, because the Length argument
 * is what bounds the write into it. */
ZwReadFile (                                             
           hSrcFile, 	/* FileHandle */
                NULL,	/* Event: unused */
NULL,			/* ApcRoutine: unused */
NULL,                    /* ApcContext: unused */
&io_status,		/* IoStatusBlock: Information holds the byte count read */
buffer, 		/* Buffer */
PAGE_SIZE,		/* Length: must not exceed the size of `buffer` */
&offset,		/* ByteOffset */
NULL			/* Key */
);


/* Synchronous write of `length` bytes from `buffer` at `offset`. */
ZwWriteFile(
           hDstFile,	/* FileHandle */
	NULL,		/* Event: unused */
	NULL,		/* ApcRoutine: unused */
	NULL,		/* ApcContext: unused */
	&io_status,	/* IoStatusBlock */
	buffer,		/* Buffer */
	length,		/* Length: must not exceed the valid bytes in `buffer` */
	&offset,	/* ByteOffset */
	NULL		/* Key */
	);





ZwQueryInformationFile

ZwSetInformationFile



/* Read the FILE_BASIC_INFORMATION (timestamps and attributes) of an open file. */
ZwQueryInformationFile(
		handle, 		/* FileHandle */
		&iosb,			/* IoStatusBlock */
		&basicInfo,		/* FileInformation: output buffer */
		sizeof(basicInfo),	/* Length: must match the structure for the class below */
		FileBasicInformation	/* FileInformationClass */
		);


/* Write a FILE_BASIC_INFORMATION back to an open file.
 * Arguments in order: FileHandle, IoStatusBlock, FileInformation (input
 * buffer), Length, FileInformationClass. */
ZwSetInformationFile(
	handle, 
	&iosb,                    	&basicInfo, 	sizeof(basicInfo), 	FileBasicInformation
	);



FileBasicInformation
FileStandardInformation
FileDispositionInformation
FilePositionInformation
FileRenameInformation


/* Buffer layout for the FileBasicInformation class: four timestamps plus the
 * FILE_ATTRIBUTE_* flags. The delete example on this page zero-initializes
 * the structure and then sets only FileAttributes before writing it back.
 * NOTE(review): a zero timestamp is documented to mean "leave unchanged" on
 * set; confirm against the WDK documentation for your target. */
typedef struct _FILE_BASIC_INFORMATION {
    LARGE_INTEGER CreationTime;
    LARGE_INTEGER LastAccessTime;
    LARGE_INTEGER LastWriteTime;
    LARGE_INTEGER ChangeTime;
    ULONG FileAttributes;	/* FILE_ATTRIBUTE_* bit flags */
} FILE_BASIC_INFORMATION, 
*PFILE_BASIC_INFORMATION;


/* Buffer layout for the FileStandardInformation class. */
typedef struct 
_FILE_STANDARD_INFORMATION {
    LARGE_INTEGER AllocationSize;
    /* 64-bit value; ntReadFile on this page uses it as the file size, so
     * range-check it before narrowing it to a 32-bit length. */
    LARGE_INTEGER EndOfFile;
    ULONG NumberOfLinks;
    BOOLEAN DeletePending;
    BOOLEAN Directory;
} FILE_STANDARD_INFORMATION, 
*PFILE_STANDARD_INFORMATION;


/* Buffer layout for the FilePositionInformation class: the current byte
 * offset of a file handle (ntSetFileAttribute on this page sets it). */
typedef struct _FILE_POSITION_INFORMATION {
    LARGE_INTEGER CurrentByteOffset;
} FILE_POSITION_INFORMATION, 
*PFILE_POSITION_INFORMATION;


/* Buffer layout for the FileRenameInformation class.
 * FileName[1] is only the first element of a variable-length name, so the
 * structure must be allocated with room for the whole name after the header.
 * NOTE(review): FileNameLength is documented as a byte count, not a
 * character count; confirm before sizing the allocation. */
typedef struct _FILE_RENAME_INFORMATION {   
	BOOLEAN ReplaceIfExists;    
	HANDLE RootDirectory;    
	ULONG FileNameLength;    
	WCHAR FileName[1];
}FILE_RENAME_INFORMATION, 
*PFILE_RENAME_INFORMATION;


/* Timestamps, sizes and attributes in one structure. On this page it is the
 * output buffer of ZwQueryFullAttributesFile (see ntGetFileAttributes), which
 * fills it from a path without the caller opening a handle. */
typedef struct _FILE_NETWORK_OPEN_INFORMATION {
    LARGE_INTEGER CreationTime;
    LARGE_INTEGER LastAccessTime;
    LARGE_INTEGER LastWriteTime;
    LARGE_INTEGER ChangeTime;
    LARGE_INTEGER AllocationSize;
    LARGE_INTEGER EndOfFile;
    ULONG FileAttributes;	/* FILE_ATTRIBUTE_* bit flags */
} FILE_NETWORK_OPEN_INFORMATION, 
*PFILE_NETWORK_OPEN_INFORMATION;


/* Buffer layout for the FileDispositionInformation class. ntDeleteFile2 on
 * this page sets DeleteFile = TRUE and applies it with ZwSetInformationFile
 * to mark the open file for deletion. */
typedef struct _FILE_DISPOSITION_INFORMATION {
    BOOLEAN DeleteFile;
} FILE_DISPOSITION_INFORMATION, 
*PFILE_DISPOSITION_INFORMATION;


删除文件


普通的删除
/*
 * Delete the file named by `filename` with a single ZwDeleteFile call.
 *
 * filename: NUL-terminated wide path (the page uses the L"\\??\\d:\\..." form).
 * Returns:  the NTSTATUS produced by ZwDeleteFile.
 *
 * NOTE(review): the path is passed through unchanged. Zw* calls issued by a
 * driver are normally not access-checked against the requesting user, so a
 * path that originates in user mode should be validated by the caller first.
 */
NTSTATUS ntDeleteFile1(const WCHAR * filename)
{
	UNICODE_STRING		targetName	= {0};
	OBJECT_ATTRIBUTES	targetAttr	= {0};

	RtlInitUnicodeString(&targetName, filename);

	/* Case-insensitive lookup; OBJ_KERNEL_HANDLE keeps any handle kernel-only. */
	InitializeObjectAttributes(&targetAttr,
							&targetName,
							OBJ_CASE_INSENSITIVE | OBJ_KERNEL_HANDLE,
							NULL,
							NULL);

	return ZwDeleteFile(&targetAttr);
}



暴力一点的删除 (设置属性)
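ZwCreateFile with DELETE
        |
      成功?  --- NO --->  ZwCreateFile with FILE_READ_ATTRIBUTES | FILE_WRITE_ATTRIBUTES
        |                         |
        |                 ZwSetInformationFile: FileAttributes = FILE_ATTRIBUTE_NORMAL
        |                         |
        | <---------------  再次 ZwCreateFile with DELETE
       YES
        |
ZwSetInformationFile (FileDispositionInformation, DeleteFile = TRUE)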


以 SYNCHRONIZE | FILE_WRITE_DATA | DELETE 打开文件
/* First attempt: open the existing file with DELETE access and ask for it to
 * be removed when the handle is closed. */
status = ZwCreateFile(
		&handle, 
		SYNCHRONIZE | FILE_WRITE_DATA | DELETE,	/* DesiredAccess */
        &objAttributes, 
		&iosb, 
		NULL, 
		FILE_ATTRIBUTE_NORMAL,
        FILE_SHARE_READ | FILE_SHARE_WRITE | FILE_SHARE_DELETE, 
		FILE_OPEN,	/* CreateDisposition: fail if the file does not exist */
        FILE_SYNCHRONOUS_IO_NONALERT | FILE_DELETE_ON_CLOSE, 	/* CreateOptions */
		NULL, 
		0);


如果失败则以SYNCHRONIZE | FILE_READ_ATTRIBUTES | FILE_WRITE_ATTRIBUTES打开
/* Fallback: open the same file for attribute access only, so its attributes
 * can be reset before the delete is retried. */
status = ZwCreateFile(
				&handle, 
				SYNCHRONIZE | FILE_READ_ATTRIBUTES | FILE_WRITE_ATTRIBUTES,// changed: attribute access instead of DELETE
                &objAttributes, 
				&iosb, 
				NULL, 
				FILE_ATTRIBUTE_NORMAL,
                FILE_SHARE_READ | FILE_SHARE_WRITE | FILE_SHARE_DELETE, 
				FILE_OPEN,
                FILE_SYNCHRONOUS_IO_NONALERT, // changed: no FILE_DELETE_ON_CLOSE here
				NULL, 
				0);

如果打开成功,则设置 FileAttributes = FILE_ATTRIBUTE_NORMAL
然后再次以 DELETE 打开(同第一种方式)
如果仍然失败就直接返回
如果成功,则将 FILE_DISPOSITION_INFORMATION 结构的 DeleteFile 设为 TRUE,
并应用到文件上即可;失败就返回


代码:

/*
 * Delete `fileName`, retrying once after resetting the file's attributes to
 * FILE_ATTRIBUTE_NORMAL when the first open is refused with
 * STATUS_ACCESS_DENIED.
 *
 * fileName: NUL-terminated wide path.
 * Returns:  the status of the failing ZwCreateFile, or the status of the
 *           final ZwSetInformationFile(FileDispositionInformation).
 *
 * NOTE(review): the attribute reset is not rolled back. If the second
 * DELETE open or the disposition call fails, the file stays behind with
 * FILE_ATTRIBUTE_NORMAL.
 * NOTE(review): the path is used as given. Zw* calls issued by a driver are
 * normally not access-checked against the requesting user, so callers should
 * only pass trusted or validated paths.
 */
NTSTATUS ntDeleteFile2(const WCHAR *fileName)
{
    OBJECT_ATTRIBUTES                	objAttributes	= {0};
    IO_STATUS_BLOCK                    	iosb			= {0};
    HANDLE                           	handle			= NULL;
    FILE_DISPOSITION_INFORMATION    	disInfo			= {0};
	UNICODE_STRING						uFileName		= {0};
    NTSTATUS                        	status			= 0;
	
	RtlInitUnicodeString(&uFileName, fileName);
	
    InitializeObjectAttributes(&objAttributes, 
							&uFileName,
							OBJ_KERNEL_HANDLE | OBJ_CASE_INSENSITIVE,
							NULL,
							NULL);
	
    /* Attempt 1: open the existing file with DELETE access and delete-on-close. */
    status = ZwCreateFile(
		&handle, 
		SYNCHRONIZE | FILE_WRITE_DATA | DELETE,
        &objAttributes, 
		&iosb, 
		NULL, 
		FILE_ATTRIBUTE_NORMAL,
        FILE_SHARE_READ | FILE_SHARE_WRITE | FILE_SHARE_DELETE, 
		FILE_OPEN,
        FILE_SYNCHRONOUS_IO_NONALERT | FILE_DELETE_ON_CLOSE, 
		NULL, 
		0);
    if (!NT_SUCCESS(status)) 
	{
        /* Only an access-denied failure triggers the attribute-reset fallback;
         * every other failure falls through to the error return below. */
        if (status == STATUS_ACCESS_DENIED)
		{
            /* Attempt 2: open for attribute access only. */
            status = ZwCreateFile(
				&handle, 
				SYNCHRONIZE | FILE_READ_ATTRIBUTES | FILE_WRITE_ATTRIBUTES,
                &objAttributes, 
				&iosb, 
				NULL, 
				FILE_ATTRIBUTE_NORMAL,
                FILE_SHARE_READ | FILE_SHARE_WRITE | FILE_SHARE_DELETE, 
				FILE_OPEN,
                FILE_SYNCHRONOUS_IO_NONALERT, 
				NULL, 
				0);
            if (NT_SUCCESS(status)) 
			{
                FILE_BASIC_INFORMATION        basicInfo = {0};
				
                /* A failed query is logged but not fatal: basicInfo then keeps
                 * its zero initialization. */
                status = ZwQueryInformationFile(handle, &iosb,
                    &basicInfo, sizeof(basicInfo), FileBasicInformation);
                if (!NT_SUCCESS(status)) 
				{
                    DbgPrint("ZwQueryInformationFile(%wZ) failed(%x)\n", &uFileName, status);
                }
				
                /* Overwrite all attribute flags with FILE_ATTRIBUTE_NORMAL.
                 * A failure here is logged and the delete is retried anyway. */
                basicInfo.FileAttributes = FILE_ATTRIBUTE_NORMAL;
                status = ZwSetInformationFile(handle, &iosb,
                    &basicInfo, sizeof(basicInfo), FileBasicInformation);
                if (!NT_SUCCESS(status)) 
				{
                    DbgPrint("ZwSetInformationFile(%wZ) failed(%x)\n", &uFileName, status);
                }
				
                /* Close the attribute handle before reusing `handle` for attempt 3. */
                ZwClose(handle);
                status = ZwCreateFile(
					&handle, 
					SYNCHRONIZE | FILE_WRITE_DATA | DELETE,
                    &objAttributes, 
					&iosb, 
					NULL, 
					FILE_ATTRIBUTE_NORMAL,
                    FILE_SHARE_READ | FILE_SHARE_WRITE | FILE_SHARE_DELETE, 
					FILE_OPEN,
                    FILE_SYNCHRONOUS_IO_NONALERT | FILE_DELETE_ON_CLOSE, 
					NULL, 
					0);
            }
        }
		
        /* Reached with the status of whichever open failed last; no handle is
         * open on this path, so there is nothing to close. */
        if (!NT_SUCCESS(status)) 
		{
            DbgPrint("ZwCreateFile(%wZ) failed(%x)\n", &uFileName, status);
            return status;
        }
    }
	
    /* Mark the file for deletion explicitly, in addition to the
     * FILE_DELETE_ON_CLOSE option used when it was opened. */
    disInfo.DeleteFile = TRUE;
    status = ZwSetInformationFile(handle, &iosb,
        &disInfo, sizeof(disInfo), FileDispositionInformation);
    if (!NT_SUCCESS(status)) 
	{
        DbgPrint("ZwSetInformationFile(%wZ) failed(%x)\n", &uFileName, status);
    }
	
    ZwClose(handle);
    return status;
}


封装好的代码:
#include <ntifs.h>
#include <ntddk.h>


NTSTATUS ntCreateFile(WCHAR *szFileName);
NTSTATUS ntCreateDirectory(WCHAR *szDirName);


NTSTATUS ntWriteFile(WCHAR *szFileName);
NTSTATUS ntReadFile(WCHAR *szFile);
NTSTATUS ntCopyFile(const WCHAR * src, const WCHAR * dst);
NTSTATUS ntMoveFile(const WCHAR * src, const WCHAR * dst);
NTSTATUS ntDeleteFile1(const WCHAR * filename);
NTSTATUS ntDeleteFile2(const WCHAR *fileName);


ULONG ntGetFileAttributes(const WCHAR * filename);
NTSTATUS ntSetFileAttribute (WCHAR *szFileName);






/*
 * Unload routine: removes the two demo files d:\1.txt and d:\2.txt.
 *
 * A failure to delete the first file is logged and ignored. A failure to
 * delete the second file is logged and the routine returns without printing
 * the "Driver Unloaded" message.
 */
VOID DriverUnload(PDRIVER_OBJECT pDriverObject)
{
	WCHAR		*firstPath	= L"\\??\\d:\\1.txt";
	WCHAR		*secondPath	= L"\\??\\d:\\2.txt";
	NTSTATUS	rc			= 0;

	rc = ntDeleteFile2(firstPath);
	if (!NT_SUCCESS(rc))
	{
		/* Best effort: keep going and still try the second file. */
		DbgPrint("ntDeleteFile2() failed%d\n", rc);
	}

	rc = ntDeleteFile2(secondPath);
	if (NT_SUCCESS(rc))
	{
		DbgPrint("Driver Unloaded\n");
		return;
	}

	DbgPrint("ntDeleteFile2() failed%ws,%x\n", secondPath, rc);
}


NTSTATUS FileOper(VOID);


/*
 * Driver entry point: registers the unload routine, runs the file-operation
 * demo once, and reports success to the loader.
 *
 * The status returned by FileOper() is deliberately not propagated, so the
 * driver loads (and can later be unloaded) even when the demo fails.
 */
NTSTATUS DriverEntry(PDRIVER_OBJECT pDriverObject, PUNICODE_STRING pRegPath)
{
	UNREFERENCED_PARAMETER(pRegPath);

	DbgPrint("Driver begin\n");

	/* Without an unload routine the driver could not be unloaded. */
	pDriverObject->DriverUnload = DriverUnload;

	(VOID)FileOper();

	return STATUS_SUCCESS;
}


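/*
 * Run the file-operation demo in order: create, create directory, write,
 * read, copy (twice), move, then query attributes.
 *
 * Returns the first failing NTSTATUS, or the status of the last step.
 *
 * Fix over the original: ntMoveFile() deletes its source after copying, so
 * the attribute query that follows now targets the move destination
 * (szFileName4) rather than the path that no longer exists.
 *
 * NOTE(review): the DriverUnload shown on this page deletes only 1.txt and
 * 2.txt; 3.txt, 4.txt and the directory created here are left on disk.
 */
NTSTATUS FileOper(VOID)
{
	NTSTATUS		ntStatus		= STATUS_SUCCESS;
	ULONG			ulAttributes	= 0;
	WCHAR			*szDirName		= L"\\??\\D:\\Mallocfree\\";
	WCHAR			*szFileName1	= L"\\??\\d:\\1.txt";
	WCHAR			*szFileName2	= L"\\??\\d:\\2.txt";
	WCHAR			*szFileName3	= L"\\??\\D:\\Mallocfree\\3.txt";
	WCHAR			*szFileName4	= L"\\??\\D:\\Mallocfree\\4.txt";

	ntStatus = ntCreateFile(szFileName1);
	if (!NT_SUCCESS(ntStatus))
	{
		DbgPrint("ntCreateFile() failed:%x\n", ntStatus);
		return ntStatus;
	}

	ntStatus = ntCreateDirectory(szDirName);
	if (!NT_SUCCESS(ntStatus))
	{
		DbgPrint("ntCreateDirectory() failed:%x\n", ntStatus);
		return ntStatus;
	}

	ntStatus = ntWriteFile(szFileName1);
	if (!NT_SUCCESS(ntStatus))
	{
		DbgPrint("ntWriteFile() failed:%x\n", ntStatus);
		return ntStatus;
	}

	ntStatus = ntReadFile(szFileName1);
	if (!NT_SUCCESS(ntStatus))
	{
		DbgPrint("ntReadFile() failed:%x\n", ntStatus);
		return ntStatus;
	}

	ntStatus = ntCopyFile(szFileName1, szFileName2);
	if (!NT_SUCCESS(ntStatus))
	{
		DbgPrint("ntCopyFile() failed:%x\n", ntStatus);
		return ntStatus;
	}

	ntStatus = ntCopyFile(szFileName1, szFileName3);
	if (!NT_SUCCESS(ntStatus))
	{
		DbgPrint("ntCopyFile() failed:%x\n", ntStatus);
		return ntStatus;
	}

	/* After this succeeds szFileName1 is gone and its content is in szFileName4. */
	ntStatus = ntMoveFile(szFileName1, szFileName4);
	if (!NT_SUCCESS(ntStatus))
	{
		DbgPrint("ntMoveFile() failed:%x\n", ntStatus);
		return ntStatus;
	}

	/* Query the moved file at its new location. */
	ulAttributes = ntGetFileAttributes(szFileName4);
	if (ulAttributes & FILE_ATTRIBUTE_DIRECTORY)
	{
		DbgPrint("%S is a directory\n", szFileName4);
	}
	else
	{
		DbgPrint("%S is not a directory\n", szFileName4);
	}

	ulAttributes = ntGetFileAttributes(szDirName);
	if (ulAttributes & FILE_ATTRIBUTE_DIRECTORY)
	{
		DbgPrint("%S is a directory\n", szDirName);
	}
	else
	{
		DbgPrint("%S is not a directory\n", szDirName);
	}

	return ntStatus;
}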


/*
 * Open `szFileName` for writing, creating it if it does not exist
 * (FILE_OPEN_IF), then close the handle again straight away.
 *
 * FILE_NON_DIRECTORY_FILE is passed, so the call is made only for a regular
 * file, never a directory.
 *
 * Returns the NTSTATUS of ZwCreateFile.
 */
NTSTATUS ntCreateFile(WCHAR *szFileName)
{
	UNICODE_STRING			targetName	= {0};
	OBJECT_ATTRIBUTES		targetAttr	= {0};
	IO_STATUS_BLOCK 		ioResult	= {0};
	HANDLE					fileHandle	= NULL;
	NTSTATUS				rc			= 0;

	RtlInitUnicodeString(&targetName, szFileName);
	InitializeObjectAttributes(&targetAttr,
							&targetName,
							OBJ_CASE_INSENSITIVE | OBJ_KERNEL_HANDLE,
							NULL,
							NULL);

	rc = ZwCreateFile(&fileHandle,
					GENERIC_WRITE,
					&targetAttr,
					&ioResult,
					NULL,
					FILE_ATTRIBUTE_NORMAL,
					FILE_SHARE_READ | FILE_SHARE_WRITE | FILE_SHARE_DELETE,
					FILE_OPEN_IF,
					FILE_SYNCHRONOUS_IO_NONALERT | FILE_NON_DIRECTORY_FILE,
					NULL,
					0);
	if (!NT_SUCCESS(rc))
	{
		/* No handle was produced, so there is nothing to close. */
		return rc;
	}

	ZwClose(fileHandle);
	return rc;
}


/*
 * Open the directory `szDirName`, creating it if it does not exist
 * (FILE_OPEN_IF with FILE_DIRECTORY_FILE), then close the handle.
 *
 * Returns the NTSTATUS of ZwCreateFile.
 */
NTSTATUS ntCreateDirectory(WCHAR *szDirName)
{
	UNICODE_STRING			dirName		= {0};
	OBJECT_ATTRIBUTES		dirAttr		= {0};
	IO_STATUS_BLOCK 		ioResult	= {0};
	HANDLE					dirHandle	= NULL;
	NTSTATUS				rc			= 0;

	RtlInitUnicodeString(&dirName, szDirName);
	InitializeObjectAttributes(
		&dirAttr,
		&dirName,
		OBJ_CASE_INSENSITIVE | OBJ_KERNEL_HANDLE,
		NULL,
		NULL
		);

	rc = ZwCreateFile(
			&dirHandle,
			GENERIC_READ | GENERIC_WRITE,
			&dirAttr,
			&ioResult,
			NULL,
			FILE_ATTRIBUTE_DIRECTORY,
			FILE_SHARE_READ | FILE_SHARE_WRITE | FILE_SHARE_DELETE,
			FILE_OPEN_IF,
			FILE_DIRECTORY_FILE | FILE_SYNCHRONOUS_IO_NONALERT,
			NULL,
			0);
	if (!NT_SUCCESS(rc))
	{
		/* No handle was produced, so there is nothing to close. */
		return rc;
	}

	ZwClose(dirHandle);
	return rc;
}


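/*
 * Return the FILE_ATTRIBUTE_* flags of `filename`, obtained with
 * ZwQueryFullAttributesFile (no handle is opened by this function).
 *
 * Returns 0 when `filename` is NULL or the query fails.
 *
 * Fix over the original: a NULL `filename` used to return the NTSTATUS value
 * STATUS_UNSUCCESSFUL through the ULONG attribute result, which a caller
 * would read as attribute bits. Both failure paths now return 0.
 */
ULONG ntGetFileAttributes(const WCHAR * filename)
{
	ULONG							dwRtn 		= 0;
	NTSTATUS						ntStatus	= STATUS_UNSUCCESSFUL;
	OBJECT_ATTRIBUTES				objAttr		= {0};
	UNICODE_STRING					uName		= {0};
	FILE_NETWORK_OPEN_INFORMATION 	info		= {0};

	if (filename == NULL)
	{
		return dwRtn;
	}

	RtlInitUnicodeString(&uName, filename);
	InitializeObjectAttributes(
			&objAttr,
			&uName,
			OBJ_CASE_INSENSITIVE | OBJ_KERNEL_HANDLE,
			NULL,
			NULL
			);

	ntStatus = ZwQueryFullAttributesFile(
			&objAttr,
			&info);
	if (NT_SUCCESS(ntStatus))
	{
		dwRtn = info.FileAttributes;
	}

	if (dwRtn & FILE_ATTRIBUTE_DIRECTORY)
	{
		DbgPrint("%S is a directory\n", filename);
	}
	return dwRtn;
}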


/*
 * Open `szFileName` for reading, query its FILE_STANDARD_INFORMATION, then
 * set the handle's current byte offset to 100 via FilePositionInformation.
 *
 * The queried standard information is not used afterwards; only a failure of
 * the query changes the outcome (the position is then not set).
 *
 * Returns the status of the first failing call, otherwise the status of the
 * FilePositionInformation set.
 */
NTSTATUS ntSetFileAttribute (WCHAR *szFileName) 
{
	UNICODE_STRING 				targetName	= {0};
	OBJECT_ATTRIBUTES 			targetAttr	= {0};
	IO_STATUS_BLOCK 			ioResult	= {0};
	HANDLE 						fileHandle	= NULL;
	FILE_STANDARD_INFORMATION	stdInfo		= {0};
	FILE_POSITION_INFORMATION	posInfo		= {0};
	NTSTATUS					rc			= 0;

	RtlInitUnicodeString(&targetName, szFileName);
	InitializeObjectAttributes(
		&targetAttr,
		&targetName,
		OBJ_CASE_INSENSITIVE | OBJ_KERNEL_HANDLE,
		NULL,
		NULL
		);

	/* Share access is 0: the open is exclusive while the handle lives. */
	rc = ZwCreateFile(
			&fileHandle,
			GENERIC_READ,
			&targetAttr,
			&ioResult,
			NULL,
			FILE_ATTRIBUTE_NORMAL,
			0,
			FILE_OPEN,
			FILE_SYNCHRONOUS_IO_NONALERT,
			NULL,
			0);
	if (!NT_SUCCESS(rc))
	{
		return rc;
	}

	rc = ZwQueryInformationFile(
			fileHandle,
			&ioResult,
			&stdInfo,
			sizeof(FILE_STANDARD_INFORMATION),
			FileStandardInformation);
	if (NT_SUCCESS(rc))
	{
		posInfo.CurrentByteOffset.QuadPart = 100i64;

		rc = ZwSetInformationFile(
				fileHandle,
				&ioResult,
				&posInfo,
				sizeof(FILE_POSITION_INFORMATION),
				FilePositionInformation);
	}

	/* Single close for both the query-failed and the position-set paths. */
	ZwClose(fileHandle);
	return rc;
}


/*
 * Open (or create) `szFileName` and write a 1024-byte buffer to it. The
 * buffer is zero-filled and starts with the wide string "Hello, world"
 * (without its terminator), so the rest of the write is zero padding.
 *
 * Returns the status of the first failing step, otherwise the status of
 * ZwWriteFile.
 */
NTSTATUS ntWriteFile(WCHAR *szFileName) 
{
	static const WCHAR	greeting[]	= L"Hello, world";
	UNICODE_STRING 		targetName	= {0};
	OBJECT_ATTRIBUTES 	targetAttr	= {0};
	IO_STATUS_BLOCK 	ioResult	= {0};
	HANDLE 				fileHandle	= NULL;
	PUCHAR				payload		= NULL;
	NTSTATUS			rc			= STATUS_SUCCESS;

	RtlInitUnicodeString(&targetName, szFileName);
	InitializeObjectAttributes(
		&targetAttr,
		&targetName,
		OBJ_CASE_INSENSITIVE | OBJ_KERNEL_HANDLE,
		NULL,
		NULL
		);

	/* Open the file for writing, creating it when it is missing. */
	rc = ZwCreateFile(
			&fileHandle,
			GENERIC_WRITE,
			&targetAttr,
			&ioResult,
			NULL,
			FILE_ATTRIBUTE_NORMAL,
			FILE_SHARE_WRITE,
			FILE_OPEN_IF,
			FILE_SYNCHRONOUS_IO_NONALERT,
			NULL,
			0);
	if (!NT_SUCCESS(rc))
	{
		return rc;
	}

	payload = (PUCHAR)ExAllocatePoolWithTag(PagedPool, 1024, 'ELIF');
	if (payload == NULL)
	{
		ZwClose(fileHandle);
		return STATUS_INSUFFICIENT_RESOURCES;
	}

	/* Zero first so the bytes after the greeting are defined. */
	RtlZeroMemory(payload, 1024);
	RtlCopyMemory(payload, greeting, sizeof(greeting) - sizeof(WCHAR));

	/* Write the whole buffer; a NULL ByteOffset leaves the position to the handle. */
	rc = ZwWriteFile(fileHandle, NULL, NULL, NULL, &ioResult, payload, 1024, NULL, NULL);

	ZwClose(fileHandle);
	ExFreePool(payload);
	return rc;
}


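/*
 * Open `szFile`, read its whole content into a temporary paged-pool buffer,
 * then free the buffer (the data is not returned to the caller).
 *
 * Returns the status of the first failing step, STATUS_FILE_TOO_LARGE when
 * the file size does not fit the 32-bit read length, STATUS_SUCCESS for an
 * empty file, otherwise the status of ZwReadFile.
 *
 * Fixes over the original:
 *  - The 64-bit EndOfFile was narrowed with a (LONG) cast and used for both
 *    the allocation and the read length, so a large file was silently
 *    truncated or produced a negative length. The size is now range-checked.
 *  - An empty file no longer triggers a zero-byte pool allocation.
 *
 * NOTE(review): the allocation is still sized by the file, which the file's
 * owner controls. Production code should cap it or read in fixed chunks.
 */
NTSTATUS ntReadFile(WCHAR *szFile) 
{
	OBJECT_ATTRIBUTES 			objectAttributes	= {0};
	IO_STATUS_BLOCK 			iostatus			= {0};
	HANDLE 						hfile				= NULL;
	UNICODE_STRING 				uFile				= {0};
	FILE_STANDARD_INFORMATION	fsi					= {0};
	PUCHAR						pBuffer				= NULL;
	ULONG						readLength			= 0;
	NTSTATUS					ntStatus			= 0;

	RtlInitUnicodeString( &uFile, szFile);
	InitializeObjectAttributes(&objectAttributes,
							&uFile,
							OBJ_CASE_INSENSITIVE | OBJ_KERNEL_HANDLE,
							NULL, 
							NULL );

	ntStatus = ZwCreateFile( &hfile, 
							GENERIC_READ,
							&objectAttributes, 
							&iostatus, 
							NULL,
							FILE_ATTRIBUTE_NORMAL, 
							FILE_SHARE_READ | FILE_SHARE_WRITE | FILE_SHARE_DELETE,
							FILE_OPEN,
							FILE_SYNCHRONOUS_IO_NONALERT, 
							NULL, 
							0 );
	if (!NT_SUCCESS(ntStatus))
	{
		return ntStatus;
	}

	ntStatus = ZwQueryInformationFile(hfile,
					&iostatus,
					&fsi,
					sizeof(FILE_STANDARD_INFORMATION),
					FileStandardInformation);
	if (!NT_SUCCESS(ntStatus))
	{
		ZwClose(hfile);
		return ntStatus;
	}

	/* Reject sizes that cannot be represented in the 32-bit read length. */
	if (fsi.EndOfFile.QuadPart < 0 || fsi.EndOfFile.QuadPart > MAXLONG)
	{
		ZwClose(hfile);
		return STATUS_FILE_TOO_LARGE;
	}

	/* Nothing to read; avoid a zero-byte pool allocation. */
	if (fsi.EndOfFile.QuadPart == 0)
	{
		ZwClose(hfile);
		return STATUS_SUCCESS;
	}

	readLength = (ULONG)fsi.EndOfFile.QuadPart;

	pBuffer = (PUCHAR)ExAllocatePoolWithTag(PagedPool, readLength, 'ELIF');
	if (pBuffer == NULL)
	{
		ZwClose(hfile);
		return STATUS_INSUFFICIENT_RESOURCES;
	}

	/* Allocation size and read length are the same value, so the read
	 * cannot run past the end of pBuffer. */
	ntStatus = ZwReadFile(
				hfile,
				NULL,
				NULL,
				NULL,
				&iostatus,
				pBuffer,
				readLength,
				NULL,NULL);

	ZwClose(hfile);
	ExFreePool(pBuffer);

	return ntStatus;
}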


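/*
 * Copy the content of `src` to `dst` in PAGE_SIZE chunks.
 *
 * Returns the status of the first failing open, allocation, read or write.
 * STATUS_END_OF_FILE from the read loop is mapped to STATUS_SUCCESS.
 *
 * Fix over the original: the transfer buffer was allocated with 1024 bytes
 * while every ZwReadFile call asked for PAGE_SIZE bytes, so a read could
 * write past the end of the pool allocation. Allocation size and read
 * length now come from the same constant.
 *
 * NOTE(review): the destination is opened with FILE_OPEN_IF and is not
 * truncated. If `dst` already exists and is longer than `src`, its old tail
 * remains after the copy. Confirm whether overwrite semantics are wanted.
 * NOTE(review): both paths are used as given. Zw* calls issued by a driver
 * are normally not access-checked against the requesting user, so callers
 * should only pass trusted or validated paths.
 */
NTSTATUS ntCopyFile(const WCHAR * src, const WCHAR * dst)
{
	const ULONG				chunkSize		= PAGE_SIZE;
	HANDLE					hSrcFile		= NULL;
	HANDLE					hDstFile		= NULL;
	UNICODE_STRING			uSrc			= {0};
	UNICODE_STRING			uDst			= {0};
	OBJECT_ATTRIBUTES		objSrcAttrib	= {0};
	OBJECT_ATTRIBUTES		objDstAttrib	= {0};
	NTSTATUS				status			= 0;
	ULONG					length			= 0;
	PVOID 					buffer			= NULL;
	LARGE_INTEGER 			offset			= {0};
	IO_STATUS_BLOCK 		io_status		= {0};

	RtlInitUnicodeString(&uSrc, src);
	RtlInitUnicodeString(&uDst, dst);

	InitializeObjectAttributes(&objSrcAttrib,
		&uSrc,
		OBJ_CASE_INSENSITIVE | OBJ_KERNEL_HANDLE,
		NULL,
		NULL);
	InitializeObjectAttributes(&objDstAttrib,
		&uDst,
		OBJ_CASE_INSENSITIVE | OBJ_KERNEL_HANDLE,
		NULL,
		NULL);

	status = ZwCreateFile(
			&hSrcFile, 
			FILE_READ_DATA | FILE_READ_ATTRIBUTES,
	        &objSrcAttrib, 
			&io_status, 
			NULL, 
			FILE_ATTRIBUTE_NORMAL,
	        FILE_SHARE_READ | FILE_SHARE_WRITE | FILE_SHARE_DELETE, 
			FILE_OPEN,
	        FILE_SYNCHRONOUS_IO_NONALERT, 
			NULL, 
			0);
	if (!NT_SUCCESS(status))
	{
		return status;
	}

	status = ZwCreateFile(
			&hDstFile, 
			GENERIC_WRITE,
	        &objDstAttrib, 
			&io_status, 
			NULL, 
			FILE_ATTRIBUTE_NORMAL,
	        FILE_SHARE_READ | FILE_SHARE_WRITE | FILE_SHARE_DELETE, 
			FILE_OPEN_IF,
	        FILE_SYNCHRONOUS_IO_NONALERT, 
			NULL, 
			0);
	if (!NT_SUCCESS(status))
	{
		ZwClose(hSrcFile);
		return status;
	}

	/* The buffer must be at least as large as the Length passed to ZwReadFile. */
	buffer = ExAllocatePoolWithTag(PagedPool, chunkSize, 'ELIF');
	if (buffer == NULL)
	{
		ZwClose(hSrcFile);
		ZwClose(hDstFile);
		return STATUS_INSUFFICIENT_RESOURCES;
	}

	while (1)
	{
		status = ZwReadFile(
					hSrcFile, NULL, NULL, NULL,
					&io_status, buffer, chunkSize, &offset,
					NULL);
		if (!NT_SUCCESS(status))
		{
			/* Reaching the end of the source is the normal way out. */
			if (status == STATUS_END_OF_FILE)
			{
				status = STATUS_SUCCESS;
			}
			break;
		}

		/* Bytes actually read; bounded by chunkSize. */
		length = (ULONG)io_status.Information;
		if (length == 0)
		{
			/* Defensive: a successful zero-byte read would otherwise loop forever. */
			break;
		}

		status = ZwWriteFile(
					hDstFile, NULL, NULL, NULL,
					&io_status,
					buffer, length, &offset,
					NULL);
		if (!NT_SUCCESS(status))
		{
			break;
		}

		offset.QuadPart += length;
	}

	ExFreePoolWithTag(buffer, 'ELIF');

	ZwClose(hSrcFile);
	ZwClose(hDstFile);

	return status;
}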


/*
 * Move `src` to `dst` by copying it with ntCopyFile and, only when the copy
 * succeeded, deleting the source with ntDeleteFile2.
 *
 * The two steps are not atomic: when the delete fails, both files exist and
 * the delete's status is returned.
 */
NTSTATUS ntMoveFile(const WCHAR * src, const WCHAR * dst)
{
	NTSTATUS		copyStatus = ntCopyFile(src, dst);

	if (!NT_SUCCESS(copyStatus))
	{
		/* Leave the source untouched when the copy did not complete. */
		return copyStatus;
	}

	return ntDeleteFile2(src);
}


/*
 * Delete the file named by `filename` with a single ZwDeleteFile call.
 *
 * filename: NUL-terminated wide path (the page uses the L"\\??\\d:\\..." form).
 * Returns:  the NTSTATUS produced by ZwDeleteFile.
 *
 * NOTE(review): the path is passed through unchanged. Zw* calls issued by a
 * driver are normally not access-checked against the requesting user, so a
 * path that originates in user mode should be validated by the caller first.
 */
NTSTATUS ntDeleteFile1(const WCHAR * filename)
{
	UNICODE_STRING		targetName	= {0};
	OBJECT_ATTRIBUTES	targetAttr	= {0};

	RtlInitUnicodeString(&targetName, filename);

	/* Case-insensitive lookup; OBJ_KERNEL_HANDLE keeps any handle kernel-only. */
	InitializeObjectAttributes(&targetAttr,
							&targetName,
							OBJ_CASE_INSENSITIVE | OBJ_KERNEL_HANDLE,
							NULL,
							NULL);

	return ZwDeleteFile(&targetAttr);
}


/*
 * Delete `fileName`, retrying once after resetting the file's attributes to
 * FILE_ATTRIBUTE_NORMAL when the first open is refused with
 * STATUS_ACCESS_DENIED.
 *
 * fileName: NUL-terminated wide path.
 * Returns:  the status of the failing ZwCreateFile, or the status of the
 *           final ZwSetInformationFile(FileDispositionInformation).
 *
 * NOTE(review): the attribute reset is not rolled back. If the second
 * DELETE open or the disposition call fails, the file stays behind with
 * FILE_ATTRIBUTE_NORMAL.
 * NOTE(review): the path is used as given. Zw* calls issued by a driver are
 * normally not access-checked against the requesting user, so callers should
 * only pass trusted or validated paths.
 */
NTSTATUS ntDeleteFile2(const WCHAR *fileName)
{
    OBJECT_ATTRIBUTES                	objAttributes	= {0};
    IO_STATUS_BLOCK                    	iosb			= {0};
    HANDLE                           	handle			= NULL;
    FILE_DISPOSITION_INFORMATION    	disInfo			= {0};
	UNICODE_STRING						uFileName		= {0};
    NTSTATUS                        	status			= 0;
	
	RtlInitUnicodeString(&uFileName, fileName);
	
    InitializeObjectAttributes(&objAttributes, 
							&uFileName,
							OBJ_KERNEL_HANDLE | OBJ_CASE_INSENSITIVE,
							NULL,
							NULL);
	
    /* Attempt 1: open the existing file with DELETE access and delete-on-close. */
    status = ZwCreateFile(
		&handle, 
		SYNCHRONIZE | FILE_WRITE_DATA | DELETE,
        &objAttributes, 
		&iosb, 
		NULL, 
		FILE_ATTRIBUTE_NORMAL,
        FILE_SHARE_READ | FILE_SHARE_WRITE | FILE_SHARE_DELETE, 
		FILE_OPEN,
        FILE_SYNCHRONOUS_IO_NONALERT | FILE_DELETE_ON_CLOSE, 
		NULL, 
		0);
    if (!NT_SUCCESS(status)) 
	{
        /* Only an access-denied failure triggers the attribute-reset fallback;
         * every other failure falls through to the error return below. */
        if (status == STATUS_ACCESS_DENIED)
		{
            /* Attempt 2: open for attribute access only. */
            status = ZwCreateFile(
				&handle, 
				SYNCHRONIZE | FILE_READ_ATTRIBUTES | FILE_WRITE_ATTRIBUTES,
                &objAttributes, 
				&iosb, 
				NULL, 
				FILE_ATTRIBUTE_NORMAL,
                FILE_SHARE_READ | FILE_SHARE_WRITE | FILE_SHARE_DELETE, 
				FILE_OPEN,
                FILE_SYNCHRONOUS_IO_NONALERT, 
				NULL, 
				0);
            if (NT_SUCCESS(status)) 
			{
                FILE_BASIC_INFORMATION        basicInfo = {0};
				
                /* A failed query is logged but not fatal: basicInfo then keeps
                 * its zero initialization. */
                status = ZwQueryInformationFile(handle, &iosb,
                    &basicInfo, sizeof(basicInfo), FileBasicInformation);
                if (!NT_SUCCESS(status)) 
				{
                    DbgPrint("ZwQueryInformationFile(%wZ) failed(%x)\n", &uFileName, status);
                }
				
                /* Overwrite all attribute flags with FILE_ATTRIBUTE_NORMAL.
                 * A failure here is logged and the delete is retried anyway. */
                basicInfo.FileAttributes = FILE_ATTRIBUTE_NORMAL;
                status = ZwSetInformationFile(handle, &iosb,
                    &basicInfo, sizeof(basicInfo), FileBasicInformation);
                if (!NT_SUCCESS(status)) 
				{
                    DbgPrint("ZwSetInformationFile(%wZ) failed(%x)\n", &uFileName, status);
                }
				
                /* Close the attribute handle before reusing `handle` for attempt 3. */
                ZwClose(handle);
                status = ZwCreateFile(
					&handle, 
					SYNCHRONIZE | FILE_WRITE_DATA | DELETE,
                    &objAttributes, 
					&iosb, 
					NULL, 
					FILE_ATTRIBUTE_NORMAL,
                    FILE_SHARE_READ | FILE_SHARE_WRITE | FILE_SHARE_DELETE, 
					FILE_OPEN,
                    FILE_SYNCHRONOUS_IO_NONALERT | FILE_DELETE_ON_CLOSE, 
					NULL, 
					0);
            }
        }
		
        /* Reached with the status of whichever open failed last; no handle is
         * open on this path, so there is nothing to close. */
        if (!NT_SUCCESS(status)) 
		{
            DbgPrint("ZwCreateFile(%wZ) failed(%x)\n", &uFileName, status);
            return status;
        }
    }
	
    /* Mark the file for deletion explicitly, in addition to the
     * FILE_DELETE_ON_CLOSE option used when it was opened. */
    disInfo.DeleteFile = TRUE;
    status = ZwSetInformationFile(handle, &iosb,
        &disInfo, sizeof(disInfo), FileDispositionInformation);
    if (!NT_SUCCESS(status)) 
	{
        DbgPrint("ZwSetInformationFile(%wZ) failed(%x)\n", &uFileName, status);
    }
	
    ZwClose(handle);
    return status;
}




