/*
本文整理自网络,
起源于WinObjEx.exe的无聊的使用.
大家都知道如何获取:%windir% = %SystemRoot%
今天的是获取:%WINDIR%\system32,注意获得的路径的后面是不带\的.
注释:%system%在2003和win 7上是无效的,别的没有测试.
注意还有个路径:L"\\KnownDlls\\KnownDllPath",这个只存在于64位的系统。
*/
#include <ntddk.h>
/* Driver unload routine. There is nothing to release here; the only
 * parameter is consumed explicitly to keep the build warning-free. */
VOID OnUnload(PDRIVER_OBJECT DriverObject)
{
    UNREFERENCED_PARAMETER(DriverObject);
}
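/*
 * ntddk.h does not declare ZwOpenDirectoryObject (ntifs.h does), so declare
 * it here in the same shape the WDK headers use. NTAPI matters on x86: the
 * export is __stdcall, and a plain cdecl prototype does not match it.
 */
NTSYSAPI NTSTATUS NTAPI ZwOpenDirectoryObject(
    __out PHANDLE DirectoryHandle,
    __in ACCESS_MASK DesiredAccess,
    __in POBJECT_ATTRIBUTES ObjectAttributes);

/*
 * Method one: open the link by its full object-manager path
 * \KnownDlls\KnownDllPath and read its target into *Target.
 *
 * Target->Buffer and Target->MaximumLength (in bytes) must be set by the
 * caller and must describe the real buffer. If the target does not fit,
 * ZwQuerySymbolicLinkObject returns STATUS_BUFFER_TOO_SMALL and the required
 * byte count is left in ActualLength.
 *
 * Returns the status of the first failing Zw call, otherwise STATUS_SUCCESS.
 */
static NTSTATUS QueryKnownDllPathByFullName(PUNICODE_STRING Target)
{
    UNICODE_STRING NameString;
    OBJECT_ATTRIBUTES ObjectAttributes;
    HANDLE LinkHandle = NULL;
    ULONG ActualLength = 0;
    NTSTATUS status;

    /* The separators must be backslashes; with forward slashes the open fails. */
    RtlInitUnicodeString(&NameString, L"\\KnownDlls\\KnownDllPath");
    InitializeObjectAttributes(&ObjectAttributes, &NameString,
                               OBJ_KERNEL_HANDLE, NULL, NULL);

    status = ZwOpenSymbolicLinkObject(&LinkHandle, SYMBOLIC_LINK_QUERY,
                                      &ObjectAttributes);
    if (!NT_SUCCESS(status)) {
        /* LinkHandle is not written on failure, so it must not be queried or closed. */
        return status;
    }

    Target->Length = 0;
    status = ZwQuerySymbolicLinkObject(LinkHandle, Target, &ActualLength);
    if (!NT_SUCCESS(status)) {
        KdPrint(("KnownDllPath: query failed 0x%08X, %lu bytes required\n",
                 status, ActualLength));
    }
    ZwClose(LinkHandle);
    return status;
}

/*
 * Method two: open the \KnownDlls directory first, then open the link
 * "KnownDllPath" relative to that directory handle, and read its target
 * into *Target (same buffer contract as QueryKnownDllPathByFullName).
 *
 * Both handles are closed on every path; the original leaked both.
 *
 * Returns the status of the first failing Zw call, otherwise STATUS_SUCCESS.
 */
static NTSTATUS QueryKnownDllPathViaDirectory(PUNICODE_STRING Target)
{
    UNICODE_STRING usDirName, usSymbolicName;
    OBJECT_ATTRIBUTES ObjDir, ObjSymbolic;
    HANDLE hDir = NULL, hSymbolic = NULL;
    NTSTATUS status;

    RtlInitUnicodeString(&usDirName, L"\\KnownDlls");
    InitializeObjectAttributes(&ObjDir, &usDirName,
                               OBJ_CASE_INSENSITIVE | OBJ_KERNEL_HANDLE,
                               NULL, NULL);
    status = ZwOpenDirectoryObject(&hDir, DIRECTORY_QUERY, &ObjDir);
    if (!NT_SUCCESS(status)) {
        return status;
    }

    /* Relative name: resolved against hDir through RootDirectory. */
    RtlInitUnicodeString(&usSymbolicName, L"KnownDllPath");
    InitializeObjectAttributes(&ObjSymbolic, &usSymbolicName,
                               OBJ_CASE_INSENSITIVE | OBJ_KERNEL_HANDLE,
                               hDir, NULL);
    status = ZwOpenSymbolicLinkObject(&hSymbolic, GENERIC_READ, &ObjSymbolic);
    if (NT_SUCCESS(status)) {
        Target->Length = 0;
        status = ZwQuerySymbolicLinkObject(hSymbolic, Target, NULL);
        ZwClose(hSymbolic);
    }
    ZwClose(hDir);
    return status;
}

/*
 * DriverEntry: demonstrate two ways of reading the KnownDllPath symbolic
 * link (the %WINDIR%\system32 path, without a trailing backslash) and print
 * the result with KdPrint.
 *
 * pDriverObject  - driver object; DriverUnload is set before any query so
 *                  the driver can be unloaded even if a query fails.
 * pRegistryPath  - unused.
 *
 * Always returns STATUS_SUCCESS: the queries are diagnostic only and their
 * failures are reported to the debugger rather than failing the load.
 */
NTSTATUS DriverEntry(__in PDRIVER_OBJECT pDriverObject,__in PUNICODE_STRING pRegistryPath)
{
    /* 128 WCHARs may be too small for a long path; the query then reports
     * STATUS_BUFFER_TOO_SMALL instead of overrunning, because MaximumLength
     * below is derived from the buffer itself. */
    WCHAR NameBuffer[128];
    UNICODE_STRING LinkString;
    NTSTATUS status;

    UNREFERENCED_PARAMETER(pRegistryPath);

    /* Debugger stop only in checked builds. A hard-coded `_asm int 3` would
     * bugcheck a free build with no debugger attached and does not compile
     * for x64. */
    KdBreakPoint();

    pDriverObject->DriverUnload = OnUnload;

    LinkString.Buffer = NameBuffer;
    LinkString.Length = 0;
    LinkString.MaximumLength = sizeof(NameBuffer);   /* bytes, exactly the buffer size */
    RtlZeroMemory(NameBuffer, sizeof(NameBuffer));

    status = QueryKnownDllPathByFullName(&LinkString);
    if (NT_SUCCESS(status)) {
        KdPrint(("KnownDllPath: %wZ \n", &LinkString));
    } else {
        KdPrint(("KnownDllPath: method one failed 0x%08X\n", status));
    }

    /* Reuse the same buffer for the second method; the original described a
     * 512-byte MaximumLength for a 256-byte stack buffer, which a long link
     * target would have overrun. */
    LinkString.Length = 0;
    RtlZeroMemory(NameBuffer, sizeof(NameBuffer));

    status = QueryKnownDllPathViaDirectory(&LinkString);
    if (NT_SUCCESS(status)) {
        KdPrint(("KnownDllPath: %wZ \n", &LinkString));
    } else {
        KdPrint(("KnownDllPath: method two failed 0x%08X\n", status));
    }

    return STATUS_SUCCESS;
}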
//made by correy
//////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////
/*
在驱动中把dos-name转换nt-name.
made at 20140605.
*/
#include <ntifs.h>
#include <windef.h>
#define TAG 'tset' //test
DRIVER_UNLOAD Unload;
/* Driver unload routine. Nothing was acquired for the lifetime of the
 * driver, so there is nothing to release; the parameter is consumed
 * explicitly to avoid an unused-parameter warning. */
VOID Unload(__in PDRIVER_OBJECT DriverObject)
{
    UNREFERENCED_PARAMETER(DriverObject);
}
#pragma INITCODE
DRIVER_INITIALIZE DriverEntry;
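/*
 * DriverEntry: translate the DOS drive name C: into its NT device name by
 * reading the symbolic link \??\c: and print the target (a string of the
 * form "\Device\HarddiskVolume1") with KdPrint.
 *
 * DriverObject - driver object; DriverUnload is set before anything else.
 * RegistryPath - unused.
 *
 * Always returns STATUS_SUCCESS: the lookup is diagnostic only, so a failure
 * is reported to the debugger instead of failing the load. Both Zw calls are
 * checked; the original ignored the open status and went on to query and
 * close a handle that had never been opened.
 */
NTSTATUS DriverEntry(__in struct _DRIVER_OBJECT * DriverObject, __in PUNICODE_STRING RegistryPath)
{
    ULONG ActualLength = 0;
    HANDLE LinkHandle = NULL;
    /* 128 WCHARs may be too small for a long target; the query then fails
     * with STATUS_BUFFER_TOO_SMALL and ActualLength holds the required
     * byte count, because MaximumLength is derived from the buffer. */
    WCHAR NameBuffer[128];
    OBJECT_ATTRIBUTES ObjectAttributes;
    UNICODE_STRING LinkString, NameString;
    NTSTATUS status;

    UNREFERENCED_PARAMETER(RegistryPath);

    KdBreakPoint();   /* checked builds only */
    DriverObject->DriverUnload = Unload;

    LinkString.Buffer = NameBuffer;
    LinkString.Length = 0;
    LinkString.MaximumLength = sizeof(NameBuffer);   /* bytes */
    RtlZeroMemory(NameBuffer, sizeof(NameBuffer));

    /* The name must use the object-manager form: \??\<drive letter>: */
    RtlInitUnicodeString(&NameString, L"\\??\\c:");
    InitializeObjectAttributes(&ObjectAttributes, &NameString,
                               OBJ_KERNEL_HANDLE, NULL, NULL);

    status = ZwOpenSymbolicLinkObject(&LinkHandle,
                                      SYMBOLIC_LINK_QUERY | GENERIC_READ,
                                      &ObjectAttributes);
    if (!NT_SUCCESS(status)) {
        /* LinkHandle is not written on failure; do not query or close it. */
        KdPrint(("ZwOpenSymbolicLinkObject failed 0x%08X\n", status));
        return STATUS_SUCCESS;
    }

    status = ZwQuerySymbolicLinkObject(LinkHandle, &LinkString, &ActualLength);
    if (NT_SUCCESS(status)) {
        KdPrint(("%wZ \n", &LinkString));
    } else {
        KdPrint(("ZwQuerySymbolicLinkObject failed 0x%08X, %lu bytes required\n",
                 status, ActualLength));
    }

    ZwClose(LinkHandle);
    return STATUS_SUCCESS;
}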
2012年7月5日星期四
\\KnownDlls\\KnownDllPath.C