内核复制文件

众所周知,内核中并不存在 ZwCopyFile,但可以利用 ZwReadFile 和 ZwWriteFile 来实现文件复制。

#include <ntddk.h>

/*
 * Unload callback registered in DriverEntry.
 * The driver keeps no state of its own, so the routine only logs a message.
 */
VOID DriverUnload(IN PDRIVER_OBJECT DriverObject)
{
	/* The driver object is not consulted; the cast marks it as intentionally unused. */
	(void)DriverObject;

	DbgPrint("卸载完成!\n");
}



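/*
 * MyCopyFile - copy srcFile to desFile from kernel mode, 1000 bytes at a time.
 *
 * desFile: NT path of the destination (for example L"\\??\\c:\\out.bin").
 *          It is created if missing and truncated if it already exists.
 * srcFile: NT path of the source. It must already exist.
 *
 * Returns TRUE once the whole source has been read and written, FALSE on any
 * failure. A failed copy can leave a partially written destination behind.
 *
 * Must be called at PASSIVE_LEVEL: the Zw file routines require it and the
 * transfer buffer comes from paged pool.
 *
 * Security note: the files are opened through Zw* routines without
 * OBJ_FORCE_ACCESS_CHECK, so the opens are not checked against the rights of
 * whoever triggered the copy. Only pass paths chosen by the driver itself.
 * If a path can ever originate from a user-mode request, add
 * OBJ_FORCE_ACCESS_CHECK to the object attributes (and validate the path)
 * so the driver cannot be used to read or overwrite files on the caller's
 * behalf.
 */
BOOLEAN MyCopyFile(PCWSTR desFile,PCWSTR srcFile)
{
	enum { COPY_CHUNK_SIZE = 1000 };
	/* Pool tags are ULONG values, not strings; '1gat' shows up as "tag1". */
	const ULONG poolTag = '1gat';

	HANDLE readFileHandle = NULL;
	HANDLE writeFileHandle = NULL;
	OBJECT_ATTRIBUTES readAttributes;
	OBJECT_ATTRIBUTES writeAttributes;
	UNICODE_STRING readFilePath;
	UNICODE_STRING writeFilePath;
	IO_STATUS_BLOCK IoStatusBlock;
	NTSTATUS status;
	PVOID saveBuffer = NULL;
	LARGE_INTEGER byteOffset;
	ULONG length = 0;
	BOOLEAN copied = FALSE;

	if (desFile == NULL || srcFile == NULL)
		return FALSE;

	byteOffset.QuadPart = 0;
	RtlInitUnicodeString(&readFilePath, srcFile);
	RtlInitUnicodeString(&writeFilePath, desFile);

	saveBuffer = ExAllocatePoolWithTag(PagedPool, COPY_CHUNK_SIZE, poolTag);
	if (saveBuffer == NULL) {
		/* Allocation can fail; never hand a NULL buffer to ZwReadFile. */
		DbgPrint("Can not allocate buffer");
		return FALSE;
	}

	/* OBJ_KERNEL_HANDLE keeps both handles out of any process handle table. */
	InitializeObjectAttributes(&readAttributes, &readFilePath,
		OBJ_CASE_INSENSITIVE | OBJ_KERNEL_HANDLE, NULL, NULL);
	InitializeObjectAttributes(&writeAttributes, &writeFilePath,
		OBJ_CASE_INSENSITIVE | OBJ_KERNEL_HANDLE, NULL, NULL);

	/*
	 * Source: read access only, and FILE_OPEN so that a missing source is an
	 * error instead of silently creating an empty file. SYNCHRONIZE is
	 * required together with FILE_SYNCHRONOUS_IO_NONALERT.
	 */
	status = ZwCreateFile(&readFileHandle, GENERIC_READ | SYNCHRONIZE,
		&readAttributes, &IoStatusBlock, NULL, FILE_ATTRIBUTE_NORMAL,
		FILE_SHARE_READ, FILE_OPEN,
		FILE_NON_DIRECTORY_FILE | FILE_RANDOM_ACCESS | FILE_SYNCHRONOUS_IO_NONALERT,
		NULL, 0);
	if (!NT_SUCCESS(status)) {
		/* Do not trust the handle value after a failed open. */
		readFileHandle = NULL;
		DbgPrint("Can not create");
		goto cleanup;
	}

	/*
	 * Destination: write access only, and FILE_OVERWRITE_IF so that stale
	 * bytes of a longer pre-existing file do not survive past the copied data.
	 */
	status = ZwCreateFile(&writeFileHandle, GENERIC_WRITE | SYNCHRONIZE,
		&writeAttributes, &IoStatusBlock, NULL, FILE_ATTRIBUTE_NORMAL,
		FILE_SHARE_READ, FILE_OVERWRITE_IF,
		FILE_NON_DIRECTORY_FILE | FILE_RANDOM_ACCESS | FILE_SYNCHRONOUS_IO_NONALERT,
		NULL, 0);
	if (!NT_SUCCESS(status)) {
		writeFileHandle = NULL;
		DbgPrint("Can not create");
		goto cleanup;
	}

	for (;;) {
		/* Read the next chunk at the current offset. */
		status = ZwReadFile(readFileHandle, NULL, NULL, NULL, &IoStatusBlock,
			saveBuffer, COPY_CHUNK_SIZE, &byteOffset, NULL);

		if (status == STATUS_END_OF_FILE) {
			/* Reaching the end of the source is the normal, successful exit. */
			DbgPrint("read File End");
			copied = TRUE;
			break;
		}
		if (!NT_SUCCESS(status)) {
			DbgPrint("Can not read File ");
			break;
		}

		/* Number of bytes actually read. */
		length = (ULONG)IoStatusBlock.Information;
		if (length == 0) {
			/* Nothing more to copy; avoid spinning on empty reads. */
			copied = TRUE;
			break;
		}

		status = ZwWriteFile(writeFileHandle, NULL, NULL, NULL, &IoStatusBlock,
			saveBuffer, length, &byteOffset, NULL);
		if (!NT_SUCCESS(status) || IoStatusBlock.Information != length) {
			/* A short write would corrupt the copy, so treat it as a failure. */
			DbgPrint("Can not write File ");
			break;
		}

		/* Advance the shared read/write offset. */
		byteOffset.QuadPart += length;
	}

cleanup:
	if (readFileHandle != NULL)
		ZwClose(readFileHandle);

	if (writeFileHandle != NULL)
		ZwClose(writeFileHandle);

	/* saveBuffer is always non-NULL here: the allocation failure path returns early. */
	ExFreePoolWithTag(saveBuffer, poolTag);

	return copied;
}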






/*
 * Driver entry point: registers the unload routine and runs one demo copy.
 *
 * MyCopyFile takes the destination first, so this copies c:\xxxx1.rar to
 * c:\xxxx.rar. The result of the copy only affects the debug output; the
 * routine returns STATUS_SUCCESS either way.
 */
NTSTATUS DriverEntry(IN PDRIVER_OBJECT DriverObject,PUNICODE_STRING RegistryPath)
{
	BOOLEAN copied;

	/* The registry path is not used by this sample. */
	(void)RegistryPath;

	DriverObject->DriverUnload = DriverUnload;

	copied = MyCopyFile(L"\\??\\c:\\xxxx.rar", L"\\??\\c:\\xxxx1.rar");
	if (copied) {
		DbgPrint("CopyFile Sucessfully");
	}

	return STATUS_SUCCESS;
}

