HOOK 文件保护,隐藏 禁止访问

三个主要的函数:NtQueryDirectoryFile、NtCreateFile、NtOpenFile;其它函数的定义未使用,仅作保留。

 

源码 — .h 头文件 PathProtect.h:

#pragma once
#include <string.h>
#include <wchar.h>
#include "APIHook.h"
#include "FileInfoDef.h"

// Function-pointer types matching the ntdll / kernel32 exports this class detours.
// Each hook casts the CAPIHook object's saved original address to one of these
// before forwarding a call, so the parameter lists must stay identical to the
// real exports.

// ntdll!NtQueryDirectoryFile
typedef NTSTATUS (WINAPI *NtQueryDirectoryFile_CALLBACK) (
      IN  HANDLE FileHandle,
      IN  HANDLE Event OPTIONAL,
      IN  PIO_APC_ROUTINE ApcRoutine OPTIONAL,
      IN  PVOID ApcContext OPTIONAL,
      OUT PIO_STATUS_BLOCK IoStatusBlock,
      OUT PVOID FileInformation,
      IN  ULONG Length,
      IN  FILE_INFORMATION_CLASS FileInformationClass,
      IN  BOOLEAN ReturnSingleEntry,
      IN  PUNICODE_STRING FileName OPTIONAL,
      IN  BOOLEAN RestartScan
      );

// ntdll!NtQueryInformationFile (resolved with GetProcAddress in My_ZwReadFile).
// The type name keeps its existing misspelling of "Information" because
// PathProtect.cpp references it by this name.
typedef NTSTATUS (WINAPI * NtQueryInfomationFile_CALLBACK) (
      IN HANDLE FileHandle,
      OUT PIO_STATUS_BLOCK IoStatusBlock,
      OUT PVOID FileInformation,
      IN ULONG Length,
      IN FILE_INFORMATION_CLASS FileInformationClass
      );

// ntdll!NtCreateFile
typedef NTSTATUS (WINAPI * NtCreateFile_CALLBACK)(
                         PHANDLE FileHandle,
       ACCESS_MASK DesiredAccess,
       POBJECT_ATTRIBUTES ObjectAttributes, 
       PIO_STATUS_BLOCK IoStatusBlock,
       PLARGE_INTEGER AllocationSize, 
       ULONG FileAttributes, 
       ULONG ShareAccess,
       ULONG CreateDisposition,
       ULONG CreateOptions,
       PVOID EaBuffer,
       ULONG EaLength );

// ntdll!NtOpenFile
typedef NTSTATUS (WINAPI *NtOpenFile_CALLBACK)( 
                      PHANDLE FileHandle,
       ACCESS_MASK DesiredAccess,
       POBJECT_ATTRIBUTES ObjectAttributes, 
       PIO_STATUS_BLOCK IoStatusBlock,
       ULONG ShareAccess,
       ULONG OpenOptions );


// ntdll!ZwReadFile (hook declared but not installed by StartHook)
typedef NTSTATUS (WINAPI *ZwReadFile_CALLBACK)(
       HANDLE           FileHandle,
       HANDLE           Event,
       PIO_APC_ROUTINE  ApcRoutine,
       PVOID            ApcContext,
       PIO_STATUS_BLOCK IoStatusBlock,
       PVOID            Buffer,
       ULONG            Length,
       PLARGE_INTEGER   ByteOffset,
       PULONG           Key );

// ntdll!ZwWriteFile (no CAPIHook member exists for it; the type is unused)
typedef NTSTATUS (WINAPI *ZwWriteFile_CALLBACK)(
       HANDLE           FileHandle,
       HANDLE           Event,
       PIO_APC_ROUTINE  ApcRoutine,
       PVOID            ApcContext,
       PIO_STATUS_BLOCK IoStatusBlock,
       PVOID            Buffer,
       ULONG            Length,
       PLARGE_INTEGER   ByteOffset,
       PULONG           Key);

// ntdll!ZwSetInformationFile (unused)
typedef NTSTATUS (WINAPI *ZwSetInformationFile_CALLBACK)(
                         HANDLE  FileHandle,
       PIO_STATUS_BLOCK  IoStatusBlock,   
       PVOID  FileInformation,
       ULONG  Length,
       FILE_INFORMATION_CLASS  FileInformationClass );

// ntdll!ZwDeleteFile (unused)
typedef NTSTATUS (WINAPI *ZwDeleteFile_CALLBACK)(
                            POBJECT_ATTRIBUTES ObjectAttributes );

// kernel32!CreateFileW (hook declared but not installed by StartHook)
typedef HANDLE (WINAPI *CreateFileW_CALLBACK)(
                         LPCWSTR lpFileName, 
                            DWORD dwDesiredAccess,  
                            DWORD dwShareMode,           
                            LPSECURITY_ATTRIBUTES lpSecurityAttributes,   
                            DWORD dwCreationDisposition,          
                            DWORD dwFlagsAndAttributes, 
       HANDLE hTemplateFile);

// kernel32!CreateFileA (hook declared but not installed by StartHook)
typedef HANDLE (WINAPI *CreateFileA_CALLBACK)(
                         LPCSTR lpFileName, 
                            DWORD dwDesiredAccess,  
                            DWORD dwShareMode,           
                            LPSECURITY_ATTRIBUTES lpSecurityAttributes,   
                            DWORD dwCreationDisposition,          
                            DWORD dwFlagsAndAttributes,
       HANDLE hTemplateFile);


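// User-mode hook controller. It detours ntdll file APIs so that any path whose
// name contains the marker folder name ("CYReader_TempFolder") is removed from
// directory listings and refused on open. StartHook() decides which of the
// declared hooks are actually installed.
class CPathProtect
{
public:
    CPathProtect(void);
    ~CPathProtect(void);

public:
    // Install the hooks. The current implementation installs only the
    // NtQueryDirectoryFile, NtCreateFile and NtOpenFile detours.
    void StartHook();

public:
    static CAPIHook m_HookNtQueryDirectoryFile;
    static CAPIHook m_HookNtCreateFile;
    static CAPIHook m_HookNtOpenFile;
    static CAPIHook m_HookZwReadFile;
    //static CAPIHook m_HookNtWriteFile;
    static CAPIHook m_HookCreateFileW;
    static CAPIHook m_HookCreateFileA;

private:
    // Replacement for ntdll!NtQueryDirectoryFile: forwards to the original and
    // then unlinks entries whose name contains the marker from the result buffer.
    static NTSTATUS WINAPI My_NtQueryDirectoryFile(
        HANDLE FileHandle,                            // directory handle (e.g. obtained through NtOpenFile)
        HANDLE Event,
        PIO_APC_ROUTINE ApcRoutine,
        PVOID ApcContext,
        PIO_STATUS_BLOCK IoStatusBlock,
        PVOID FileInformation,                        // caller-allocated buffer the entries are written into
        ULONG Length,
        FILE_INFORMATION_CLASS FileInformationClass,  // selects the entry layout written to FileInformation
        BOOLEAN ReturnSingleEntry,
        PUNICODE_STRING FileName,
        BOOLEAN RestartScan);

    // Replacement for ntdll!NtCreateFile: refuses opens of marked paths.
    static NTSTATUS WINAPI  My_NtCreateFile(
        PHANDLE FileHandle,
        ACCESS_MASK DesiredAccess,
        POBJECT_ATTRIBUTES ObjectAttributes,
        PIO_STATUS_BLOCK IoStatusBlock,
        PLARGE_INTEGER AllocationSize,
        ULONG FileAttributes,
        ULONG ShareAccess,
        ULONG CreateDisposition,
        ULONG CreateOptions,
        PVOID EaBuffer,
        ULONG EaLength );

    // Replacement for ntdll!NtOpenFile: refuses opens of marked paths.
    static NTSTATUS WINAPI  My_NtOpenFile(
        PHANDLE FileHandle,
        ACCESS_MASK DesiredAccess,
        POBJECT_ATTRIBUTES ObjectAttributes,
        PIO_STATUS_BLOCK IoStatusBlock,
        ULONG ShareAccess,
        ULONG OpenOptions );

    // Replacement for ntdll!ZwReadFile (declared; not installed by StartHook).
    static NTSTATUS WINAPI  My_ZwReadFile(
        HANDLE           FileHandle,
        HANDLE           Event,
        PIO_APC_ROUTINE  ApcRoutine,
        PVOID            ApcContext,
        PIO_STATUS_BLOCK IoStatusBlock,
        PVOID            Buffer,
        ULONG            Length,
        PLARGE_INTEGER   ByteOffset,
        PULONG           Key );

    // Placeholder; there is no CAPIHook member for ZwWriteFile.
    static NTSTATUS WINAPI  My_ZwWriteFile(
        HANDLE           FileHandle,
        HANDLE           Event,
        PIO_APC_ROUTINE  ApcRoutine,
        PVOID            ApcContext,
        PIO_STATUS_BLOCK IoStatusBlock,
        PVOID            Buffer,
        ULONG            Length,
        PLARGE_INTEGER   ByteOffset,
        PULONG           Key);

    // Placeholder; there is no CAPIHook member for ZwSetInformationFile.
    static NTSTATUS WINAPI My_ZwSetInformationFile(
        HANDLE  FileHandle,
        PIO_STATUS_BLOCK  IoStatusBlock,
        PVOID  FileInformation,
        ULONG  Length,
        FILE_INFORMATION_CLASS  FileInformationClass );

    // Placeholder; there is no CAPIHook member for ZwDeleteFile.
    static NTSTATUS WINAPI My_ZwDeleteFile( POBJECT_ATTRIBUTES ObjectAttributes );

    // Replacement for kernel32!CreateFileW (declared; not installed by StartHook).
    static HANDLE   WINAPI My_CreateFileW(
        LPCWSTR lpFileName,
        DWORD dwDesiredAccess,
        DWORD dwShareMode,
        LPSECURITY_ATTRIBUTES lpSecurityAttributes,
        DWORD dwCreationDisposition,
        DWORD dwFlagsAndAttributes,
        HANDLE hTemplateFile);

    // Replacement for kernel32!CreateFileA (declared; not installed by StartHook).
    static HANDLE   WINAPI My_CreateFileA(
        LPCSTR lpFileName,
        DWORD dwDesiredAccess,
        DWORD dwShareMode,
        LPSECURITY_ATTRIBUTES lpSecurityAttributes,
        DWORD dwCreationDisposition,
        DWORD dwFlagsAndAttributes,
        HANDLE hTemplateFile);

    // Does the wide string contain the marker folder name?
    //   _Str    - name to test (may be NULL -> FALSE).
    //   _StrLen - length of _Str in BYTES. 0 means _Str is NUL-terminated
    //             (Win32 path arguments); any other value is the exact extent of
    //             a directory-entry name, which is NOT NUL-terminated.
    // The earlier version called wcsstr() in both cases, so for a directory
    // entry it read past the entry (and possibly past the caller's buffer); it
    // also compared only when _StrLen was exactly 38 (the marker's byte length)
    // and returned FALSE for every other non-zero length. This version searches
    // the whole bounded extent instead.
    static BOOL IsInControl( wchar_t * _Str, ULONG _StrLen=0 )
    {
        static const wchar_t kMarker[] = L"CYReader_TempFolder";
        const size_t markerChars = (sizeof(kMarker) / sizeof(kMarker[0])) - 1;   // 19

        if( _Str==NULL )
        {
            return FALSE;
        }
        if( 0==_StrLen )
        {
            // NUL-terminated input: an unbounded search is safe here.
            return ( wcsstr( _Str, kMarker )!=NULL ) ? TRUE : FALSE;
        }

        const size_t nameChars = _StrLen / sizeof(wchar_t);
        for( size_t i=0; i+markerChars<=nameChars; ++i )
        {
            if( wmemcmp( _Str+i, kMarker, markerChars )==0 )
            {
                return TRUE;
            }
        }
        return FALSE;
    }

    // Narrow-string variant of the test above; same _StrLen convention (bytes,
    // 0 = NUL-terminated). A match must lie entirely inside the first _StrLen
    // bytes, which is what the earlier strstr()-then-bounds-check did, but the
    // search itself is now bounded too.
    static BOOL IsInControl( CHAR * _Str, ULONG _StrLen=0 )
    {
        static const CHAR kMarker[] = "CYReader_TempFolder";
        const size_t markerChars = sizeof(kMarker) - 1;   // 19

        if( _Str==NULL )
        {
            return FALSE;
        }
        if( 0==_StrLen )
        {
            return ( strstr( _Str, kMarker )!=NULL ) ? TRUE : FALSE;
        }

        for( size_t i=0; i+markerChars<=_StrLen; ++i )
        {
            if( memcmp( _Str+i, kMarker, markerChars )==0 )
            {
                return TRUE;
            }
        }
        return FALSE;
    }
};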

CPP 文件 PathProtect.cpp:

#include "PathProtect.h"

#include <stddef.h>
#include <stdio.h>
#include <string.h>
#include <wchar.h>


// Storage for the static hook objects declared in CPathProtect, one per
// detoured export. The ZwReadFile and CreateFileW/A objects exist but are not
// started by StartHook() in this build.
CAPIHook CPathProtect::m_HookNtQueryDirectoryFile;
CAPIHook CPathProtect::m_HookNtCreateFile;
CAPIHook CPathProtect::m_HookNtOpenFile;
CAPIHook CPathProtect::m_HookZwReadFile;
CAPIHook CPathProtect::m_HookCreateFileW;
CAPIHook CPathProtect::m_HookCreateFileA;
// Nothing to initialise: the hook objects are static and are installed by StartHook().
CPathProtect::CPathProtect(void) {}


// Hooks are not removed here; the static CAPIHook objects outlive any instance.
CPathProtect::~CPathProtect(void) {}


// Install the detours. Only the three ntdll hooks are started; the CreateFileW/A
// and ZwReadFile hooks stay declared but uninstalled.
void CPathProtect::StartHook()
{
    const PROC queryDirHook   = (PROC)CPathProtect::My_NtQueryDirectoryFile;
    const PROC createFileHook = (PROC)CPathProtect::My_NtCreateFile;
    const PROC openFileHook   = (PROC)CPathProtect::My_NtOpenFile;

    m_HookNtQueryDirectoryFile.StartHook("ntdll.dll", "NtQueryDirectoryFile", queryDirHook);
    m_HookNtCreateFile.StartHook("ntdll.dll", "NtCreateFile", createFileHook);
    m_HookNtOpenFile.StartHook("ntdll.dll", "NtOpenFile", openFileHook);

    // Disabled hooks, kept for reference. Note that the CreateFileA line reuses
    // m_HookCreateFileW; it would need m_HookCreateFileA if ever re-enabled.
    //m_HookCreateFileW.StartHook("Kernel32.dll", "CreateFileW", (PROC)CPathProtect::My_CreateFileW);
    //m_HookCreateFileW.StartHook("Kernel32.dll", "CreateFileA", (PROC)CPathProtect::My_CreateFileA);
    //m_HookZwReadFile.StartHook("ntdll.dll", "ZwReadFile", (PROC)CPathProtect::My_ZwReadFile);
}

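/*Custom NtQueryDirectoryFile**************************************************/

// Folder name that marks the entries this hook removes from directory listings.
static const WCHAR kQueryDirMarker[] = L"CYReader_TempFolder";

// Bounded marker search over one directory-entry name.
// Entry names inside an NtQueryDirectoryFile result buffer are NOT
// NUL-terminated, so the comparison must stop at nameLenBytes; the earlier
// wcsstr()-based test read past the entry and potentially past the buffer.
static bool QueryDirNameIsControlled( const WCHAR *name, ULONG nameLenBytes )
{
    const size_t markerChars = (sizeof(kQueryDirMarker) / sizeof(kQueryDirMarker[0])) - 1;
    const size_t nameChars   = nameLenBytes / sizeof(WCHAR);

    if( name==NULL || nameChars<markerChars )
    {
        return false;
    }
    for( size_t i=0; i+markerChars<=nameChars; ++i )
    {
        if( wmemcmp( name+i, kQueryDirMarker, markerChars )==0 )
        {
            return true;
        }
    }
    return false;
}

// Unlinks every controlled entry from the NextEntryOffset chain that starts at
// buffer. T is the entry layout of the information class being filtered.
// bufferLen is the caller's buffer size; as in the earlier code, up to that many
// bytes are moved, all of them inside the caller's buffer.
template <typename T>
static void QueryDirFilterEntries( PVOID buffer, ULONG bufferLen )
{
    T *entry = (T *)buffer;
    T *prev  = NULL;

    for( ;; )
    {
        const ULONG  next = entry->NextEntryOffset;
        // Pointer difference, not a (ULONG) cast of the pointer: the cast
        // truncated addresses on 64-bit builds.
        const size_t pos  = (size_t)( (char *)entry - (char *)buffer );

        if( pos + next > bufferLen )
        {
            return;   // malformed chain: never move memory outside the buffer
        }

        if( QueryDirNameIsControlled( entry->FileName, entry->FileNameLength ) )
        {
            if( next==0 )
            {
                // Last entry: detach it from its predecessor. When it is also the
                // first entry there is nothing to unlink and it stays visible —
                // a limitation inherited from the original logic (and the case
                // every ReturnSingleEntry==TRUE call lands in).
                if( prev!=NULL )
                {
                    prev->NextEntryOffset = 0;
                }
                return;
            }
            // Slide the rest of the chain over this entry. Source and destination
            // overlap, so memmove; the earlier memcpy was undefined behaviour here.
            memmove( entry, (char *)entry + next, bufferLen - pos - next );
            continue;   // re-examine whatever now occupies this slot
        }

        if( next==0 )
        {
            return;
        }
        prev  = entry;
        entry = (T *)( (char *)entry + next );
    }
}

// Hook for ntdll!NtQueryDirectoryFile. Forwards to the original export and, for
// the two "both directory" information classes, removes controlled entries from
// the returned buffer; other classes are passed through untouched.
// Returns the original call's NTSTATUS, or 0xFFFFFFFF (this file's convention)
// when no original address is recorded for the hook.
NTSTATUS WINAPI CPathProtect::My_NtQueryDirectoryFile(
    HANDLE FileHandle,                            // directory handle (e.g. obtained through NtOpenFile)
    HANDLE Event,
    PIO_APC_ROUTINE ApcRoutine,
    PVOID ApcContext,
    PIO_STATUS_BLOCK IoStatusBlock,
    PVOID FileInformation,                        // caller-allocated buffer the entries are written into
    ULONG Length,
    FILE_INFORMATION_CLASS FileInformationClass,  // selects the entry layout written to FileInformation
    BOOLEAN ReturnSingleEntry,
    PUNICODE_STRING FileName,
    BOOLEAN RestartScan )
{
    NtQueryDirectoryFile_CALLBACK pRawFun = (NtQueryDirectoryFile_CALLBACK)(PROC)m_HookNtQueryDirectoryFile;
    if( pRawFun==NULL )
    {
        return 0xFFFFFFFF;
    }

    NTSTATUS rret = pRawFun( FileHandle,
                             Event,
                             ApcRoutine,
                             ApcContext,
                             IoStatusBlock,
                             FileInformation,
                             Length,
                             FileInformationClass,
                             ReturnSingleEntry,
                             FileName,
                             RestartScan );

    // Only a synchronous STATUS_SUCCESS (0) guarantees the buffer is filled.
    // Failures go back unchanged, and STATUS_PENDING — also NT_SUCCESS — means
    // the I/O is still in flight, so the buffer must not be touched yet.
    if( rret!=0 || FileInformation==NULL || Length==0 )
    {
        return rret;
    }

    if( FileInformationClass==FileIdBothDirectoryInformation )
    {
        // Layout requested on Vista / Win7
        QueryDirFilterEntries<FILE_ID_BOTH_DIR_INFORMATION>( FileInformation, Length );
    }
    else if( FileInformationClass==FileBothDirectoryInformation )
    {
        // Layout requested on XP
        QueryDirFilterEntries<FILE_BOTH_DIRECTORY_INFORMATION>( FileInformation, Length );
    }

    return rret;
}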

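/*Custom NtCreateFile**************************************************/
// Hook for ntdll!NtCreateFile. A FILE_OPEN request for a path whose name
// contains the marker is refused with STATUS_ACCESS_DENIED and a NULL handle;
// every other request is forwarded to the original export and its status is
// returned unchanged. 0xFFFFFFFF (this file's convention) is returned when no
// original address is recorded for the hook.
//
// The earlier version assigned the local parameter (`FileHandle = NULL`) and
// returned 0 — STATUS_SUCCESS — so callers saw a successful open with an
// uninitialised handle. It also ran wcsstr() over ObjectName->Buffer, which a
// UNICODE_STRING does not guarantee to be NUL-terminated.
NTSTATUS WINAPI  CPathProtect::My_NtCreateFile(
    PHANDLE FileHandle,
    ACCESS_MASK DesiredAccess,
    POBJECT_ATTRIBUTES ObjectAttributes,
    PIO_STATUS_BLOCK IoStatusBlock,
    PLARGE_INTEGER AllocationSize,
    ULONG FileAttributes,
    ULONG ShareAccess,
    ULONG CreateDisposition,
    ULONG CreateOptions,
    PVOID EaBuffer,
    ULONG EaLength )
{
    static const WCHAR kMarker[] = L"CYReader_TempFolder";
    const size_t   markerChars   = (sizeof(kMarker) / sizeof(kMarker[0])) - 1;
    const ULONG    kFileOpen     = 0x00000001;              // FILE_OPEN
    const NTSTATUS kAccessDenied = (NTSTATUS)0xC0000022L;   // STATUS_ACCESS_DENIED

    if( CreateDisposition==kFileOpen
        && ObjectAttributes!=NULL
        && ObjectAttributes->ObjectName!=NULL
        && ObjectAttributes->ObjectName->Buffer!=NULL )
    {
        // Search only the Length bytes the UNICODE_STRING actually covers.
        const PUNICODE_STRING name = ObjectAttributes->ObjectName;
        const size_t nameChars = name->Length / sizeof(WCHAR);
        for( size_t i=0; i+markerChars<=nameChars; ++i )
        {
            if( wmemcmp( name->Buffer+i, kMarker, markerChars )==0 )
            {
                if( FileHandle!=NULL )
                {
                    *FileHandle = NULL;
                }
                return kAccessDenied;
            }
        }
    }

    NtCreateFile_CALLBACK pRawFun = (NtCreateFile_CALLBACK)(PROC)m_HookNtCreateFile;
    if( pRawFun==NULL )
    {
        return 0xFFFFFFFF;
    }

    return pRawFun( FileHandle,
                    DesiredAccess,
                    ObjectAttributes,
                    IoStatusBlock,
                    AllocationSize,
                    FileAttributes,
                    ShareAccess,
                    CreateDisposition,
                    CreateOptions,
                    EaBuffer,
                    EaLength );
}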

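/*Custom NtOpenFile**************************************************/
// Hook for ntdll!NtOpenFile. Any open of a path whose name contains the marker
// is refused with STATUS_ACCESS_DENIED and a NULL handle; everything else is
// forwarded to the original export and its status returned unchanged.
// 0xFFFFFFFF (this file's convention) is returned when no original address is
// recorded for the hook.
//
// As in My_NtCreateFile, the earlier version assigned the local parameter and
// returned STATUS_SUCCESS without a handle, and ran wcsstr() over a
// UNICODE_STRING buffer that need not be NUL-terminated.
NTSTATUS WINAPI CPathProtect::My_NtOpenFile(
    PHANDLE FileHandle,
    ACCESS_MASK DesiredAccess,
    POBJECT_ATTRIBUTES ObjectAttributes,
    PIO_STATUS_BLOCK IoStatusBlock,
    ULONG ShareAccess,
    ULONG OpenOptions )
{
    static const WCHAR kMarker[] = L"CYReader_TempFolder";
    const size_t   markerChars   = (sizeof(kMarker) / sizeof(kMarker[0])) - 1;
    const NTSTATUS kAccessDenied = (NTSTATUS)0xC0000022L;   // STATUS_ACCESS_DENIED

    if( ObjectAttributes!=NULL
        && ObjectAttributes->ObjectName!=NULL
        && ObjectAttributes->ObjectName->Buffer!=NULL )
    {
        // Search only the Length bytes the UNICODE_STRING actually covers.
        const PUNICODE_STRING name = ObjectAttributes->ObjectName;
        const size_t nameChars = name->Length / sizeof(WCHAR);
        for( size_t i=0; i+markerChars<=nameChars; ++i )
        {
            if( wmemcmp( name->Buffer+i, kMarker, markerChars )==0 )
            {
                if( FileHandle!=NULL )
                {
                    *FileHandle = NULL;
                }
                return kAccessDenied;
            }
        }
    }

    NtOpenFile_CALLBACK pRawFun = (NtOpenFile_CALLBACK)(PROC)m_HookNtOpenFile;
    if( pRawFun==NULL )
    {
        return 0xFFFFFFFF;
    }

    return pRawFun( FileHandle,
                    DesiredAccess,
                    ObjectAttributes,
                    IoStatusBlock,
                    ShareAccess,
                    OpenOptions );
}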

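/*Custom ZwReadFile**************************************************/
// Hook for ntdll!ZwReadFile. Not installed by StartHook() in this build (the
// corresponding line there is commented out). When active it resolves the name
// of the file behind FileHandle with NtQueryInformationFile(FileNameInformation)
// and refuses the read with STATUS_ACCESS_DENIED if that name contains the
// marker; otherwise the read is forwarded to the original export unchanged.
// A trace line is written only when a read is refused.
//
// The earlier version queried FileIdBothDirectoryInformation — a directory
// enumeration class, not a per-handle query class — into a single fixed-size
// entry, then wcscat()'d its one-character, non-NUL-terminated FileName field
// into a MAX_PATH buffer, and logged every read in the process.
NTSTATUS WINAPI CPathProtect::My_ZwReadFile(
    HANDLE           FileHandle,
    HANDLE           Event,
    PIO_APC_ROUTINE  ApcRoutine,
    PVOID            ApcContext,
    PIO_STATUS_BLOCK IoStatusBlock,
    PVOID            Buffer,
    ULONG            Length,
    PLARGE_INTEGER   ByteOffset,
    PULONG           Key )
{
    static const WCHAR kMarker[] = L"CYReader_TempFolder";
    const size_t   markerChars   = (sizeof(kMarker) / sizeof(kMarker[0])) - 1;
    const NTSTATUS kAccessDenied = (NTSTATUS)0xC0000022L;   // STATUS_ACCESS_DENIED

    HMODULE ntdll = GetModuleHandleW( L"ntdll.dll" );
    NtQueryInfomationFile_CALLBACK pQueryInfo = NULL;
    if( ntdll!=NULL )
    {
        pQueryInfo = (NtQueryInfomationFile_CALLBACK)GetProcAddress( ntdll, "NtQueryInformationFile" );
    }

    if( pQueryInfo!=NULL )
    {
        // FILE_NAME_INFORMATION is a header with the name stored in place after
        // it; reserve MAX_PATH characters so ordinary paths are not truncated.
        struct NameBuffer
        {
            FILE_NAME_INFORMATION info;
            WCHAR                 pad[MAX_PATH];
        } nameBuf = { 0 };
        IO_STATUS_BLOCK isb = { 0 };

        NTSTATUS st = pQueryInfo( FileHandle, &isb, &nameBuf, sizeof(nameBuf), FileNameInformation );
        if( NT_SUCCESS(st) )
        {
            // Never trust the reported length beyond our own buffer.
            const size_t capacityChars = ( sizeof(nameBuf) - offsetof(FILE_NAME_INFORMATION, FileName) ) / sizeof(WCHAR);
            size_t nameChars = nameBuf.info.FileNameLength / sizeof(WCHAR);   // FileNameLength is in bytes
            if( nameChars>capacityChars )
            {
                nameChars = capacityChars;
            }
            for( size_t i=0; i+markerChars<=nameChars; ++i )
            {
                if( wmemcmp( nameBuf.info.FileName+i, kMarker, markerChars )==0 )
                {
                    OutputDebugStringW( L"ReadFile Err" );
                    return kAccessDenied;
                }
            }
        }
    }

    ZwReadFile_CALLBACK pRawFun = (ZwReadFile_CALLBACK)(PROC)m_HookZwReadFile;
    if( pRawFun==NULL )
    {
        return 0xFFFFFFFF;
    }

    return pRawFun( FileHandle,
                    Event,
                    ApcRoutine,
                    ApcContext,
                    IoStatusBlock,
                    Buffer,
                    Length,
                    ByteOffset,
                    Key );
}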

// Placeholder replacement for ZwWriteFile. StartHook() never installs it and
// the class has no CAPIHook member for it, so there is no original to forward
// to. As written it returns 0 (STATUS_SUCCESS) without performing the write;
// installing it unchanged would silently discard every write in the process.
NTSTATUS WINAPI CPathProtect::My_ZwWriteFile(
      HANDLE           FileHandle,
      HANDLE           Event,
      PIO_APC_ROUTINE  ApcRoutine,
      PVOID            ApcContext,
      PIO_STATUS_BLOCK IoStatusBlock,
      PVOID            Buffer,
      ULONG            Length,
      PLARGE_INTEGER   ByteOffset,
      PULONG           Key)
{
 return 0;
}

// Placeholder replacement for ZwSetInformationFile. Never installed and without
// a CAPIHook member; returns 0 (STATUS_SUCCESS) without doing anything.
NTSTATUS WINAPI CPathProtect::My_ZwSetInformationFile(
                     HANDLE  FileHandle,
      PIO_STATUS_BLOCK  IoStatusBlock,   
      PVOID  FileInformation,
      ULONG  Length,
      FILE_INFORMATION_CLASS  FileInformationClass )
{
 return 0;
}

// Placeholder replacement for ZwDeleteFile. Never installed and without a
// CAPIHook member; returns 0 (STATUS_SUCCESS) without deleting or forwarding.
NTSTATUS WINAPI CPathProtect::My_ZwDeleteFile( POBJECT_ATTRIBUTES ObjectAttributes )
{
 return 0;
}

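// Hook for kernel32!CreateFileW (declared; not installed by StartHook in this
// build). Logs the requested name, refuses names containing the marker, and
// forwards everything else to the original export.
//
// Failure follows the CreateFileW contract — INVALID_HANDLE_VALUE plus a
// last-error code — rather than the NULL the earlier version returned, which
// callers testing against INVALID_HANDLE_VALUE would have treated as a valid
// handle. The trace buffer is filled with a bounded append; the earlier
// wcscat() overflowed Temp for names longer than MAX_PATH.
HANDLE   WINAPI CPathProtect::My_CreateFileW(
    LPCWSTR lpFileName,
    DWORD dwDesiredAccess,
    DWORD dwShareMode,
    LPSECURITY_ATTRIBUTES lpSecurityAttributes,
    DWORD dwCreationDisposition,
    DWORD dwFlagsAndAttributes,
    HANDLE hTemplateFile)
{
    if( NULL!=lpFileName )
    {
        WCHAR Temp[MAX_PATH] = L"[CreateFileW]";
        wcsncat( Temp, lpFileName, (sizeof(Temp) / sizeof(Temp[0])) - wcslen(Temp) - 1 );
        OutputDebugStringW( Temp );

        // IsInControl takes a non-const pointer but only reads through it.
        if( IsInControl( (wchar_t *)lpFileName ) )
        {
            OutputDebugStringW( L"My_CreateFileW NULL" );
            SetLastError( ERROR_ACCESS_DENIED );
            return INVALID_HANDLE_VALUE;
        }
    }

    CreateFileW_CALLBACK pRawFun = (CreateFileW_CALLBACK)(PROC)m_HookCreateFileW;
    if( pRawFun==NULL )
    {
        // No original address recorded for the hook.
        SetLastError( ERROR_PROC_NOT_FOUND );
        return INVALID_HANDLE_VALUE;
    }

    return pRawFun( lpFileName,
                    dwDesiredAccess,
                    dwShareMode,
                    lpSecurityAttributes,
                    dwCreationDisposition,
                    dwFlagsAndAttributes,
                    hTemplateFile );
}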

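// Hook for kernel32!CreateFileA (declared; not installed by StartHook in this
// build). Narrow-string counterpart of My_CreateFileW: logs the requested name,
// refuses names containing the marker, and forwards everything else.
//
// Failure is reported as INVALID_HANDLE_VALUE plus a last-error code instead of
// the NULL the earlier version returned, and the trace buffer is filled with a
// bounded append; the earlier strcat() overflowed Temp for long names.
HANDLE   WINAPI CPathProtect::My_CreateFileA(
    LPCSTR lpFileName,
    DWORD dwDesiredAccess,
    DWORD dwShareMode,
    LPSECURITY_ATTRIBUTES lpSecurityAttributes,
    DWORD dwCreationDisposition,
    DWORD dwFlagsAndAttributes,
    HANDLE hTemplateFile)
{
    if( NULL!=lpFileName )
    {
        CHAR Temp[MAX_PATH] = "[CreateFileA]";
        strncat( Temp, lpFileName, sizeof(Temp) - strlen(Temp) - 1 );
        OutputDebugStringA( Temp );

        // IsInControl takes a non-const pointer but only reads through it.
        if( IsInControl( (CHAR *)lpFileName ) )
        {
            OutputDebugStringA( "My_CreateFileA NULL" );
            SetLastError( ERROR_ACCESS_DENIED );
            return INVALID_HANDLE_VALUE;
        }
    }

    CreateFileA_CALLBACK pRawFun = (CreateFileA_CALLBACK)(PROC)m_HookCreateFileA;
    if( pRawFun==NULL )
    {
        // No original address recorded for the hook.
        SetLastError( ERROR_PROC_NOT_FOUND );
        return INVALID_HANDLE_VALUE;
    }

    return pRawFun( lpFileName,
                    dwDesiredAccess,
                    dwShareMode,
                    lpSecurityAttributes,
                    dwCreationDisposition,
                    dwFlagsAndAttributes,
                    hTemplateFile );
}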

 

 

结构定义 FileInfoDef.h:

// A few definitions lifted from ntddk; needed by the ZwQueryDirectoryFile()
// (NtQueryDirectoryFile) hook.

// Native status code: negative values are failures, non-negative values succeed.
typedef LONG NTSTATUS;

// Success test used by the hooks. Every non-negative status passes, which
// includes informational codes such as STATUS_PENDING.
#define NT_SUCCESS(Status) ((NTSTATUS)(Status)>=0)

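// Subset of the native (ntddk) types used by the hooks, kept in a namespace so
// they do not clash with SDK headers that declare the same names.
namespace nsPathProtectStruct
{
// Completion record written by the I/O manager. Status and Pointer overlay each
// other and Information is pointer-sized, matching the SDK layout. The earlier
// definition used `ULONG Information`, which is 8 bytes short on 64-bit builds,
// so a 64-bit kernel's write ran past the caller's struct. On 32-bit builds the
// layout is unchanged.
typedef struct _IO_STATUS_BLOCK
{
    union
    {
        NTSTATUS Status;
        PVOID    Pointer;
    };
    ULONG_PTR Information;
} IO_STATUS_BLOCK, *PIO_STATUS_BLOCK;

// Counted wide string; Buffer is NOT required to be NUL-terminated.
typedef struct _UNICODE_STRING
{
    USHORT    Length;          // byte length of Buffer, excluding any terminator
    USHORT    MaximumLength;   // total byte size of Buffer
    PWSTR     Buffer;          // pointer to the characters
} UNICODE_STRING, *PUNICODE_STRING;

// Information classes; the hooks use FileBothDirectoryInformation,
// FileIdBothDirectoryInformation and FileNameInformation.
typedef enum _FILE_INFORMATION_CLASS{
  FileDirectoryInformation = 1,
  FileFullDirectoryInformation = 2,
  FileBothDirectoryInformation = 3,
  FileBasicInformation = 4,
  FileStandardInformation = 5,
  FileInternalInformation = 6,
  FileEaInformation = 7,
  FileAccessInformation = 8,
  FileNameInformation = 9,
  FileRenameInformation = 10,
  FileLinkInformation = 11,
  FileNamesInformation = 12,
  FileDispositionInformation = 13,
  FilePositionInformation = 14,
  FileFullEaInformation = 15,
  FileModeInformation = 16,
  FileAlignmentInformation = 17,
  FileAllInformation = 18,
  FileAllocationInformation = 19,
  FileEndOfFileInformation = 20,
  FileAlternateNameInformation = 21,
  FileStreamInformation = 22,
  FilePipeInformation = 23,
  FilePipeLocalInformation = 24,
  FilePipeRemoteInformation = 25,
  FileMailslotQueryInformation = 26,
  FileMailslotSetInformation = 27,
  FileCompressionInformation = 28,
  FileObjectIdInformation = 29,
  FileCompletionInformation = 30,
  FileMoveClusterInformation = 31,
  FileQuotaInformation = 32,
  FileReparsePointInformation = 33,
  FileNetworkOpenInformation = 34,
  FileAttributeTagInformation = 35,
  FileTrackingInformation = 36,
  FileIdBothDirectoryInformation = 37,
  FileIdFullDirectoryInformation = 38,
  FileValidDataLengthInformation = 39,
  FileShortNameInformation = 40,
  FileIoCompletionNotificationInformation = 41,
  FileIoStatusBlockRangeInformation = 42,
  FileIoPriorityHintInformation = 43,
  FileSfioReserveInformation = 44,
  FileSfioVolumeInformation = 45,
  FileHardLinkInformation = 46,
  FileProcessIdsUsingFileInformation = 47,
  FileNormalizedNameInformation = 48,
  FileNetworkPhysicalNameInformation = 49,
  FileMaximumInformation = 50
} FILE_INFORMATION_CLASS,*PFILE_INFORMATION_CLASS;

// APC completion routine type used by the asynchronous ntdll file calls.
typedef VOID (NTAPI *PIO_APC_ROUTINE)(
           IN PVOID ApcContext,
           IN PIO_STATUS_BLOCK IoStatusBlock,
           IN ULONG Reserved);

// One entry of a FileBothDirectoryInformation listing. Entries are chained by
// NextEntryOffset (0 = last); FileName holds FileNameLength bytes and is not
// NUL-terminated.
typedef struct _FILE_BOTH_DIRECTORY_INFORMATION {
    ULONG NextEntryOffset;
    ULONG Unknown;                 // FileIndex in the SDK definition (same size)
    LARGE_INTEGER CreationTime;
    LARGE_INTEGER LastAccessTime;
    LARGE_INTEGER LastWriteTime;
    LARGE_INTEGER ChangeTime;
    LARGE_INTEGER EndOfFile;
    LARGE_INTEGER AllocationSize;
    ULONG FileAttributes;
    ULONG FileNameLength;          // bytes
    ULONG EaInformationLength;
    UCHAR AlternateNameLength;
    WCHAR AlternateName[12];
    WCHAR FileName[1];             // variable length, continues past the struct
} FILE_BOTH_DIRECTORY_INFORMATION,*PFILE_BOTH_DIRECTORY_INFORMATION;

// Result of NtQueryInformationFile(FileNameInformation): the name follows the
// header in place and is not NUL-terminated.
typedef struct _FILE_NAME_INFORMATION {
    ULONG FileNameLength;          // bytes
    WCHAR FileName[1];             // variable length, continues past the struct
} FILE_NAME_INFORMATION, *PFILE_NAME_INFORMATION;

// One entry of a FileIdBothDirectoryInformation listing; same chaining and
// FileName conventions as FILE_BOTH_DIRECTORY_INFORMATION.
typedef struct _FILE_ID_BOTH_DIR_INFORMATION {
    ULONG         NextEntryOffset;
    ULONG         FileIndex;
    LARGE_INTEGER CreationTime;
    LARGE_INTEGER LastAccessTime;
    LARGE_INTEGER LastWriteTime;
    LARGE_INTEGER ChangeTime;
    LARGE_INTEGER EndOfFile;
    LARGE_INTEGER AllocationSize;
    ULONG         FileAttributes;
    ULONG         FileNameLength;  // bytes
    ULONG         EaSize;
    CCHAR         ShortNameLength;
    WCHAR         ShortName[12];
    LARGE_INTEGER FileId;
    WCHAR         FileName[1];     // variable length, continues past the struct
} FILE_ID_BOTH_DIR_INFORMATION, *PFILE_ID_BOTH_DIR_INFORMATION;

// Object name/attributes passed to NtCreateFile / NtOpenFile. ObjectName may be
// NULL or have Length 0 when the open is relative to RootDirectory.
typedef struct _OBJECT_ATTRIBUTES {
    ULONG           Length;
    HANDLE          RootDirectory;
    PUNICODE_STRING ObjectName;
    ULONG           Attributes;
    PVOID           SecurityDescriptor;
    PVOID           SecurityQualityOfService;
}  OBJECT_ATTRIBUTES, *POBJECT_ATTRIBUTES;

}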

// Expose the native definitions above unqualified; the hook code refers to
// them without the namespace prefix.
using namespace nsPathProtectStruct;

 

 

 

 
