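/*
 * MyZwCopyFile - copy the file named by srcFile to the path desFile using
 * the kernel-mode Zw* file APIs.
 *
 * desFile: NUL-terminated NT path of the destination (e.g. L"\\??\\C:\\x").
 * srcFile: counted NT path of the source; the string buffer is not copied,
 *          so it must stay valid for the duration of the call.
 *
 * Returns TRUE only when every byte up to end-of-file was read and written.
 * Returns FALSE on any failure; a destination that was already created is
 * left in place and may be partially written.
 *
 * Review notes:
 *  - Zw* file routines and paged pool require a low IRQL (PASSIVE_LEVEL for
 *    the file calls); the caller is responsible for that.
 *  - Zw* calls issued from a driver run with kernel previous mode, so the
 *    requesting user's access rights are NOT checked against either path.
 *    If desFile/srcFile can be influenced by a user-mode request, validate
 *    the paths before calling this function or add OBJ_FORCE_ACCESS_CHECK
 *    to the object attributes.
 */
BOOLEAN MyZwCopyFile(PCWSTR desFile, UNICODE_STRING srcFile)
{
    enum { COPY_CHUNK_SIZE = 1000 };
    /* Pool tags are ULONGs, not strings; written reversed so pool tools show "tag1". */
    const ULONG poolTag = '1gat';

    /* Handles start as NULL so the cleanup path never closes garbage. */
    HANDLE readFileHandle = NULL;
    HANDLE writeFileHandle = NULL;
    OBJECT_ATTRIBUTES ObjectAttributes;
    OBJECT_ATTRIBUTES ObjectAttributes1;
    UNICODE_STRING readFilePath = srcFile;
    UNICODE_STRING writeFilePath;
    IO_STATUS_BLOCK IoStatusBlock;
    NTSTATUS status;
    PVOID saveBuffer = NULL;
    LARGE_INTEGER byteOffset;
    ULONG length = 0;
    BOOLEAN copied = FALSE;

    byteOffset.QuadPart = 0;

    if (desFile == NULL || srcFile.Buffer == NULL || srcFile.Length == 0) {
        return FALSE;
    }

    /* srcFile is already a UNICODE_STRING; only the destination needs wrapping. */
    RtlInitUnicodeString(&writeFilePath, desFile);

    saveBuffer = ExAllocatePoolWithTag(PagedPool, COPY_CHUNK_SIZE, poolTag);
    if (saveBuffer == NULL) {
        DbgPrint("MyZwCopyFile: ExAllocatePoolWithTag failed\n");
        return FALSE;
    }

    InitializeObjectAttributes(&ObjectAttributes, &readFilePath,
                               OBJ_CASE_INSENSITIVE | OBJ_KERNEL_HANDLE, NULL, NULL);
    InitializeObjectAttributes(&ObjectAttributes1, &writeFilePath,
                               OBJ_CASE_INSENSITIVE | OBJ_KERNEL_HANDLE, NULL, NULL);

    /*
     * FILE_OPEN: the source must already exist. FILE_OPEN_IF would silently
     * create an empty source file when the path is wrong.
     */
    status = ZwCreateFile(&readFileHandle, GENERIC_READ | SYNCHRONIZE, &ObjectAttributes,
                          &IoStatusBlock, NULL, FILE_ATTRIBUTE_NORMAL, FILE_SHARE_READ,
                          FILE_OPEN,
                          FILE_NON_DIRECTORY_FILE | FILE_RANDOM_ACCESS | FILE_SYNCHRONOUS_IO_NONALERT,
                          NULL, 0);
    if (!NT_SUCCESS(status)) {
        /* %wZ takes a pointer to a UNICODE_STRING, never the struct by value. */
        DbgPrint("ZwCreateFile readFileHandle failed and status is 0X%x , filepath %wZ\n",
                 status, &readFilePath);
        readFileHandle = NULL;
        goto cleanup;
    }

    /*
     * FILE_OVERWRITE_IF: create the destination or truncate an existing one,
     * so no stale bytes from a longer previous file survive past the copy.
     */
    status = ZwCreateFile(&writeFileHandle, GENERIC_WRITE | SYNCHRONIZE, &ObjectAttributes1,
                          &IoStatusBlock, NULL, FILE_ATTRIBUTE_NORMAL, FILE_SHARE_READ,
                          FILE_OVERWRITE_IF,
                          FILE_NON_DIRECTORY_FILE | FILE_RANDOM_ACCESS | FILE_SYNCHRONOUS_IO_NONALERT,
                          NULL, 0);
    if (!NT_SUCCESS(status)) {
        /* desFile is a NUL-terminated wide string, so %ws is the matching format. */
        DbgPrint("writeFileHandle failed and status is 0X%x ,filepath %ws\n", status, desFile);
        writeFileHandle = NULL;
        goto cleanup;
    }

    for (;;) {
        /* Read the next chunk at the current offset. */
        status = ZwReadFile(readFileHandle, NULL, NULL, NULL, &IoStatusBlock,
                            saveBuffer, COPY_CHUNK_SIZE, &byteOffset, NULL);
        if (status == STATUS_END_OF_FILE) {
            /* End of file is the normal way out of the loop, not an error. */
            DbgPrint("ZwReadFile readFileHandle read File End");
            copied = TRUE;
            break;
        }
        if (!NT_SUCCESS(status)) {
            DbgPrint("ZwReadFile readFileHandle failed and status is 0X%x\n", status);
            break;
        }

        if (IoStatusBlock.Information > COPY_CHUNK_SIZE) {
            /* Never trust a byte count larger than the buffer we handed out. */
            break;
        }
        length = (ULONG)IoStatusBlock.Information;
        if (length == 0) {
            /* A successful zero-byte read cannot make progress; treat as EOF. */
            copied = TRUE;
            break;
        }

        /* Only the bytes actually read are written, so no uninitialized pool reaches the file. */
        status = ZwWriteFile(writeFileHandle, NULL, NULL, NULL, &IoStatusBlock,
                             saveBuffer, length, &byteOffset, NULL);
        if (!NT_SUCCESS(status) || IoStatusBlock.Information != length) {
            DbgPrint("ZwWriteFile writeFileHandle Can not write File ");
            break;
        }

        byteOffset.QuadPart += length;
    }

cleanup:
    if (readFileHandle != NULL) {
        ZwClose(readFileHandle);
    }
    if (writeFileHandle != NULL) {
        ZwClose(writeFileHandle);
    }
    if (saveBuffer != NULL) {
        ExFreePoolWithTag(saveBuffer, poolTag);
    }
    return copied;
}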
原文地址:http://blog.51cto.com/haidragon/2347366