How to intercept the operation of creating a new folder using the SSDT hook technique?

I hooked the native API ZwCreateFile, and the WDK documentation says Windows uses ZwCreateFile to create or open a directory. I can detect the operation that opens testdir, but I cannot stop the directory from being opened. My own FakeZwCreateFile code looks like this:
NTSTATUS FakeZwOpenFile(
    OUT PHANDLE FileHandle,
    IN ACCESS_MASK DesiredAccess,
    IN POBJECT_ATTRIBUTES ObjectAttributes,
    OUT PIO_STATUS_BLOCK IoStatusBlock,
    IN ULONG ShareAccess,
    IN ULONG OpenOptions
    )
{
    NTSTATUS rtStatus = STATUS_SUCCESS;
    UNICODE_STRING test = RTL_CONSTANT_STRING(L"\\??\\c:\\testdir");

    /* ObjectName can be NULL (relative opens via RootDirectory);
       dereferencing it unchecked would bug-check the system. */
    if (ObjectAttributes != NULL && ObjectAttributes->ObjectName != NULL &&
        !RtlCompareUnicodeString(ObjectAttributes->ObjectName, &test, TRUE))
    {
        DbgPrint("%wZ\n", &test);
        /* Clear the caller's handle, not the local pointer parameter. */
        *FileHandle = NULL;
        IoStatusBlock->Status = rtStatus = STATUS_ACCESS_DENIED;
        goto exit;
    }

    /* Not our directory: pass the call through to the original service. */
    OrigZwOpenFile = (NTOPENFILE)oldServiceAddr[SYSTEM_INDEX(ZwOpenFile)];
    rtStatus = OrigZwOpenFile(
        FileHandle,
        DesiredAccess,
        ObjectAttributes,
        IoStatusBlock,
        ShareAccess,
        OpenOptions
        );
exit:
    return rtStatus;
}
Why did I fail to stop the C:\testdir directory from being opened? What should I do to intercept the operation of creating a new folder?
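A user-mode model of the access decision such a hook has to make, added here as an example and not code from the question or its driver: UNICODE_STRING is mimicked with wchar_t so it builds without the WDK, the protected path is a constructed value, and the check keys on the documented FILE_DIRECTORY_FILE bit of CreateOptions/OpenOptions and also covers paths beneath the protected directory, which the question's exact compare does not.

```c
/* Portable model of the deny/allow decision for directory create/open
 * requests on a protected path. Not kernel code; the UNICODE_STRING
 * layout is mimicked (Length is in bytes) so it compiles with a plain
 * C compiler. The protected path below is a constructed example value. */
#include <stddef.h>
#include <wchar.h>
#include <wctype.h>

/* Documented NtCreateFile/NtOpenFile option bit: caller wants a directory. */
#define FILE_DIRECTORY_FILE 0x00000001

typedef struct {
    unsigned short Length;        /* bytes, not characters */
    unsigned short MaximumLength;
    const wchar_t *Buffer;        /* not necessarily NUL-terminated */
} MODEL_UNICODE_STRING;

static void init_ustr(MODEL_UNICODE_STRING *s, const wchar_t *text)
{
    s->Buffer = text;
    s->Length = (unsigned short)(wcslen(text) * sizeof(wchar_t));
    s->MaximumLength = (unsigned short)(s->Length + sizeof(wchar_t));
}

/* 1 if name equals root or lies beneath it on a '\' boundary, compared
 * case-insensitively as NTFS does; honours Length rather than a NUL. */
static int under_protected(const MODEL_UNICODE_STRING *name,
                           const MODEL_UNICODE_STRING *root)
{
    size_t n = name->Length / sizeof(wchar_t);
    size_t r = root->Length / sizeof(wchar_t);
    if (name->Buffer == NULL || n < r) return 0;
    for (size_t i = 0; i < r; i++)
        if (towlower(name->Buffer[i]) != towlower(root->Buffer[i])) return 0;
    return n == r || name->Buffer[r] == L'\\';
}

/* Policy: deny only directory creates/opens that target the protected
 * tree. A NULL ObjectName (relative open via RootDirectory) is allowed. */
int deny_directory_access(const MODEL_UNICODE_STRING *object_name,
                          unsigned long create_options)
{
    MODEL_UNICODE_STRING root;
    init_ustr(&root, L"\\??\\C:\\testdir");   /* constructed protected path */
    if (object_name == NULL) return 0;
    if (!(create_options & FILE_DIRECTORY_FILE)) return 0;
    return under_protected(object_name, &root);
}

/* Convenience wrapper: build the model string from a path and decide. */
int deny_path(const wchar_t *path, unsigned long create_options)
{
    MODEL_UNICODE_STRING name;
    init_ustr(&name, path);
    return deny_directory_access(&name, create_options);
}
```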