Several important functions:
[A few low-level functions singled out as especially useful, some documented and some undocumented; worth collecting.]
± NtQueryDirectoryFile
± In Windows NT, the way to look for a file in a given directory is to enumerate every file in it and every file in its subdirectories. File enumeration is done with the NtQueryDirectoryFile function.
NTSTATUS NtQueryDirectoryFile(
IN HANDLE FileHandle,
IN HANDLE Event OPTIONAL,
IN PIO_APC_ROUTINE ApcRoutine OPTIONAL,
IN PVOID ApcContext OPTIONAL,
OUT PIO_STATUS_BLOCK IoStatusBlock,
OUT PVOID FileInformation,
IN ULONG FileInformationLength,
IN FILE_INFORMATION_CLASS FileInformationClass,
IN BOOLEAN ReturnSingleEntry,
IN PUNICODE_STRING FileName OPTIONAL,
IN BOOLEAN RestartScan
);
The parameters that matter to us are FileHandle, FileInformation and FileInformationClass. FileHandle is a directory object handle obtained from NtOpenFile. FileInformation is a pointer to allocated memory into which the function writes the requested data. FileInformationClass determines the type of record written to FileInformation.
//---------------------------------------------------------------------------------------------------------------------------------------
± NtQuerySystemInformation
± All kinds of process information are obtained through NtQuerySystemInformation.
NTSTATUS NtQuerySystemInformation(
IN SYSTEM_INFORMATION_CLASS SystemInformationClass,
IN OUT PVOID SystemInformation,
IN ULONG SystemInformationLength,
OUT PULONG ReturnLength OPTIONAL
);
SystemInformationClass identifies the class of information we want; SystemInformation is a pointer to the function's output buffer; SystemInformationLength is the length of that buffer; ReturnLength receives the number of bytes written. To enumerate the running processes we use SystemInformationClass set to SystemProcessesAndThreadsInformation.
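The buffer that SystemProcessesAndThreadsInformation fills is a chain of variable-length entries linked by NextEntryOffset, and a chain is also what gets edited when a process is hidden from the result. The following is an added example, not code from the original page: a bounds-checked walk over such a chain (using an assumed, simplified two-field stand-in for SYSTEM_PROCESS_INFORMATION and a constructed sample buffer, so it runs on any platform without calling ntdll) plus a cross-view comparison that flags PIDs an independent view knows but the walk did not report.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>
/* Assumed, constructed stand-in for SYSTEM_PROCESS_INFORMATION with only the two
   fields the walk needs; real entries are much larger but chained the same way. */
typedef struct {
    uint32_t NextEntryOffset;   /* bytes to the next entry, 0 on the last one */
    uint32_t UniqueProcessId;
} proc_entry_t;

/* Bounds-checked walk of the chain, as a consumer of SystemProcessesAndThreadsInformation
   must do it. Returns the number of entries reached, or -1 if the chain is malformed. */
int walk_process_list(const uint8_t *buf, size_t len, uint32_t *pids, size_t max)
{
    size_t off = 0, n = 0;
    for (;;) {
        proc_entry_t e;
        if (off + sizeof e > len) return -1;          /* entry outside the buffer */
        memcpy(&e, buf + off, sizeof e);              /* no unaligned access */
        if (n < max) pids[n] = e.UniqueProcessId;
        n++;
        if (e.NextEntryOffset == 0) break;
        if (e.NextEntryOffset < sizeof e) return -1;  /* overlap or zero-progress loop */
        off += e.NextEntryOffset;
    }
    return (int)n;
}

/* Cross-view check: count PIDs known from an independent view (ref) that the
   walk did not report. Any such PID is a hidden-process indicator. */
int count_missing(const uint32_t *seen, int nseen, const uint32_t *ref, int nref)
{
    int missing = 0;
    for (int i = 0; i < nref; i++) {
        int found = 0;
        for (int j = 0; j < nseen && !found; j++) found = (seen[j] == ref[i]);
        missing += !found;
    }
    return missing;
}

/* Constructed sample: entries for PIDs 4, 1234, 5678. With skip_second set the
   first offset jumps straight to the third entry, which is how a chain edited
   to drop an entry looks to the consumer. Returns the sample length in bytes. */
size_t build_sample(uint8_t *buf, int skip_second)
{
    proc_entry_t e[3] = { {8, 4}, {8, 1234}, {0, 5678} };
    if (skip_second) e[0].NextEntryOffset = 16;
    memcpy(buf, e, sizeof e);
    return sizeof e;
}
```

Walking the clean sample yields all three PIDs and no missing entries; walking the skipped variant yields two, and the cross-view check reports one PID missing.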
//---------------------------------------------------------------------------------------------------------------------------------------
± NtEnumerateKey
± Because of the way the registry is structured we cannot request a list of all keys in a given part of it. We can only obtain information about a key in some part of the registry by querying it through its index. NtEnumerateKey provides this.
NTSTATUS NtEnumerateKey(
IN HANDLE KeyHandle,
IN ULONG Index,
IN KEY_INFORMATION_CLASS KeyInformationClass,
OUT PVOID KeyInformation,
IN ULONG KeyInformationLength,
OUT PULONG ResultLength
);
KeyHandle is the handle of the key whose subkey, selected by Index, we want information about. KeyInformationClass specifies the type of information returned. The data is written to the KeyInformation buffer, whose length is KeyInformationLength. The number of bytes written is returned in ResultLength.
//---------------------------------------------------------------------------------------------------------------------------------------
± NtVdmControl
± In NTVDM (the DOS emulation environment) a list of files can also be obtained through the NtVdmControl function.
NTSTATUS NtVdmControl(
IN ULONG ControlCode,
IN PVOID ControlData
);
ControlCode identifies the sub-function whose data is requested in the ControlData buffer. If ControlCode is VdmDirectoryFile, this function behaves the same as NtQueryDirectoryFile with FileInformationClass set to FileBothDirectoryInformation.
//---------------------------------------------------------------------------------------------------------------------------------------
± NtDeviceIoControlFile
± MSDN 2004 contains a detailed description of this function.
NTSTATUS NtDeviceIoControlFile(
HANDLE FileHandle,
HANDLE Event,
PIO_APC_ROUTINE ApcRoutine,
PVOID ApcContext,
PIO_STATUS_BLOCK IoStatusBlock,
ULONG IoControlCode,
PVOID InputBuffer,
ULONG InputBufferLength,
PVOID OutputBuffer,
ULONG OutputBufferLength
);
//---------------------------------------------------------------------------------------------------------------------------------------
± NtQueryInformationProcess
± We obtain the target process's PEB (Process Environment Block) through NtQueryInformationProcess.
NTSTATUS NtQueryInformationProcess(
IN HANDLE ProcessHandle,
IN PROCESSINFOCLASS ProcessInformationClass,
OUT PVOID ProcessInformation,
IN ULONG ProcessInformationLength,
OUT PULONG ReturnLength OPTIONAL
);
//---------------------------------------------------------------------------------------------------------------------------------------
± NtQueryInformationThread
± NtQueryInformationThread tells us which process a given thread belongs to.
NTSTATUS NtQueryInformationThread(
IN HANDLE ThreadHandle,
IN THREADINFOCLASS ThreadInformationClass,
OUT PVOID ThreadInformation,
IN ULONG ThreadInformationLength,
OUT PULONG ReturnLength OPTIONAL
);
//---------------------------------------------------------------------------------------------------------------------------------------
± LdrLoadDll
± Other modules are only loaded dynamically at run time, after the process has already been hooked. That is why we also have to hook LdrLoadDll, the function that loads new modules.
NTSTATUS LdrLoadDll(
PWSTR szcwPath,
PDWORD pdwLdrErr,
PUNICODE_STRING pUniModuleName,
PHINSTANCE pResultInstance
);
//---------------------------------------------------------------------------------------------------------------------------------------
± NtFsControlFile
± NtFsControlFile is used with FSCTL_XXX codes only! (They generate different IRP_MJ_XXX requests.)
± This function is used to send File System Control (FSCTL) commands to file system drivers. It is exported by ntdll.dll; its import library ntdll.lib ships with the NTDDK.
No.1:
NTSTATUS NtFsControlFile(
HANDLE FileHandle,
HANDLE Event, // optional
PIO_APC_ROUTINE ApcRoutine, // optional
PVOID ApcContext, // optional
PIO_STATUS_BLOCK IoStatusBlock,
ULONG FsControlCode,
PVOID InputBuffer, // optional
ULONG InputBufferLength,
PVOID OutputBuffer, // optional
ULONG OutputBufferLength
);
No.2:
NTSTATUS NtFsControlFile(
IN HANDLE FileHandle,
IN HANDLE Event OPTIONAL,
IN PIO_APC_ROUTINE ApcRoutine OPTIONAL,
IN PVOID ApcContext OPTIONAL,
OUT PIO_STATUS_BLOCK IoStatusBlock,
IN ULONG IoControlCode,
IN PVOID InputBuffer OPTIONAL,
IN ULONG InputBufferLength,
OUT PVOID OutputBuffer OPTIONAL,
IN ULONG OutputBufferLength
);
//---------------------------------------------------------------------------------------------------------------------------------------
± KeAddSystemServiceTable
± The KeAddSystemServiceTable function allows Win32k.sys and other device drivers to add system service tables. Except for the Win32k.sys service table, a service table added with KeAddSystemServiceTable is copied into both KeServiceDescriptorTable and KeServiceDescriptorTableShadow.
BOOL _KeAddSystemServiceTable(
LPSSTAT lpAddressTable, // Pointer to the SSTAT structure of the SST.
BOOL bUnknown, // Unknown. Always set to FALSE. If you have
// any information regarding this please let me know.
DWORD dwNumEntries, // Number of entries in the SST.
LPSSTPT lpParameterTable, // Pointer to the SSTPT structure of the SST.
DWORD dwTableID // Index of the SSD to add the SST to.
);