转自:http://blog.csdn.net/cooblily/archive/2007/10/27/1848037.aspx
都好久沒上來写文章了,都不知道做什么好,結果还是学写了一下用Native API的程序,這些API的原型当然久在DDK里面找啦,不过因为NTDLL.DLL有导出啊,所以可以LoadLibrary调入这个动态连接文件,再GetProcAddress找到相应的API的地址,然后当然就可以调用啦.
整個过程最麻烦的就是要将DDK翻来翻去找到要用到的函数原型,函数所用到的結构,和一些宏.复制到程序裏面,好啦,以下是我学习的成果.
以下代码是在C:中创建一个ForZwFileTest.txt的文件并写入內容,然後删除.其实都沒什么用的,反正有微軟公开的API不用,而用這些沒公开的API來实现这个功能完全是因为无聊.嘻嘻.
#include #include #include typedef unsigned long NTSTATUS; typedef unsigned short USHORT; typedef unsigned long ULONG; typedef unsigned long DWORD; typedef long LONG; typedef __int64 LONGLONG; typedef struct UNICODE_STRING{ USHORT Length; USHORT MaxLen; USHORT *Buffer; } UNICODE_STRING,*PUNICODE_STRING; #define OBJ_INHERIT 0x00000002L #define OBJ_PERMANENT 0x00000010L #define OBJ_EXCLUSIVE 0x00000020L #define OBJ_CASE_INSENSITIVE 0x00000040L #define OBJ_OPENIF 0x00000080L #define OBJ_OPENLINK 0x00000100L #define OBJ_KERNEL_HANDLE 0x00000200L #define OBJ_FORCE_ACCESS_CHECK 0x00000400L #define OBJ_VALID_ATTRIBUTES 0x000007F2L #define FILE_ATTRIBUTE_NORMAL 0x00000080 #define FILE_SHARE_DELETE 0x00000004 #define FILE_OPEN_IF 0x00000003 #define FILE_SYNCHRONOUS_IO_NONALERT 0x00000020 #define GENERIC_WRITE (0x40000000L) #define SYNCHRONIZE (0x00100000L) #define GENERIC_READ (0x80000000L) typedef struct _OBJECT_ATTRIBUTES{ ULONG Length; HANDLE RootDirectory; PUNICODE_STRING ObjectName; ULONG Attributes; PVOID SecurityDescriptor; PVOID SecurityQualityOfService; } OBJECT_ATTRIBUTES, *POBJECT_ATTRIBUTES; typedef CONST OBJECT_ATTRIBUTES *PCOBJECT_ATTRIBUTES; typedef NTSTATUS (__stdcall *ZWDELETEFILE)( IN POBJECT_ATTRIBUTES ObjectAttributes); typedef VOID (__stdcall *RTLINITUNICODESTRING)( IN OUT PUNICODE_STRING DestinationString, IN PCWSTR SourceString); typedef struct _IO_STATUS_BLOCK{ DWORD Status; ULONG Information; } IO_STATUS_BLOCK, *PIO_STATUS_BLOCK; typedef NTSTATUS (__stdcall *ZWCREATEFILE)( OUT PHANDLE FileHandle, IN ACCESS_MASK DesiredAccess, IN POBJECT_ATTRIBUTES ObjectAttributes, OUT PIO_STATUS_BLOCK IoStatusBlock, IN PLARGE_INTEGER AllocationSize OPTIONAL, IN ULONG FileAttributes, IN ULONG ShareAccess, IN ULONG CreateDisposition, IN ULONG CreateOptions, IN PVOID EaBuffer OPTIONAL, IN ULONG EaLength); typedef VOID (NTAPI *PIO_APC_ROUTINE) ( IN PVOID ApcContext, IN PIO_STATUS_BLOCK IoStatusBlock, IN ULONG Reserved); typedef NTSTATUS (__stdcall *ZWWRITEFILE)( IN HANDLE FileHandle, IN HANDLE Event OPTIONAL, IN PIO_APC_ROUTINE ApcRoutine OPTIONAL, IN PVOID ApcContext OPTIONAL, OUT PIO_STATUS_BLOCK IoStatusBlock, IN PVOID Buffer, IN ULONG Length, IN PLARGE_INTEGER ByteOffset OPTIONAL, IN PULONG Key OPTIONAL); typedef NTSTATUS (__stdcall *ZWCLOSE)( IN HANDLE Handle); int main() { HINSTANCE hNtDll; ZWDELETEFILE ZwDeleteFile; RTLINITUNICODESTRING RtlInitUnicodeString; ZWCREATEFILE ZwCreateFile; ZWWRITEFILE ZwWriteFile; ZWCLOSE ZwClose; hNtDll = LoadLibrary ("NTDLL"); if (!hNtDll) return 0; ZwDeleteFile = (ZWDELETEFILE)GetProcAddress (hNtDll,"ZwDeleteFile"); RtlInitUnicodeString = (RTLINITUNICODESTRING)GetProcAddress (hNtDll,"RtlInitUnicodeString"); ZwCreateFile = (ZWCREATEFILE)GetProcAddress (hNtDll,"ZwCreateFile"); ZwWriteFile = (ZWWRITEFILE)GetProcAddress (hNtDll,"ZwWriteFile"); ZwClose = (ZWCLOSE)GetProcAddress (hNtDll,"ZwClose"); UNICODE_STRING ObjectName; RtlInitUnicodeString(&ObjectName,L"//??//C://ForZwFileTest.txt");//記得這裏是要有//??//在前面的,DDK說的. OBJECT_ATTRIBUTES ObjectAttributes = { sizeof(OBJECT_ATTRIBUTES), // Length NULL, // RootDirectory &ObjectName, // ObjectName OBJ_CASE_INSENSITIVE, // Attributes 0, // SecurityDescriptor NULL, // SecurityQualityOfService }; HANDLE hFile; PVOID content = "ForZwFileTest"; IO_STATUS_BLOCK IoStatusBlock; ZwCreateFile(&hFile, GENERIC_WRITE|SYNCHRONIZE|GENERIC_READ, &ObjectAttributes, &IoStatusBlock, 0, FILE_ATTRIBUTE_NORMAL, FILE_SHARE_DELETE, FILE_OPEN_IF, FILE_SYNCHRONOUS_IO_NONALERT, NULL, 0); ZwWriteFile(hFile, 0, 0, 0, &IoStatusBlock, content, 12, NULL, NULL); ZwClose(hFile); // ZwDeleteFile(&ObjectAttributes); FreeLibrary (hNtDll); return 0; }
转自:http://blog.csdn.net/cooblily/archive/2007/10/27/1848037.aspx