
Написах този код, за да науча повече за това как работят NT недокументирани функции и в частност NtQueryDirectoryFile :) Мисля, че кодът може да ви бъде много полезен, затова го поствам с още класове, които съм намерил в интернет и се ползват от NtQueryDirectoryFile, но които практически не са нужни в тази програма :)
#include <stdio.h>
#include <stdlib.h>
#include <stddef.h>
#include <string.h>
#include <wchar.h>
#include <malloc.h>
#include <windows.h>
#include <ntsecapi.h>
/* Completion record that every Nt* I/O call fills in.  It mirrors the
 * kernel's IO_STATUS_BLOCK, so member order and sizes are the ABI and must
 * not be changed.  The SDK declares the first member as an anonymous union;
 * naming it StatusBlock is a local choice of this listing, so the status is
 * read as IoStatusBlock.StatusBlock.Status here. */
typedef struct _IO_STATUS_BLOCK {
union {
NTSTATUS Status;   /* final NTSTATUS of the request */
PVOID Pointer;     /* reserved; shares storage with Status */
}StatusBlock;
ULONG_PTR Information;   /* request-specific count; for NtQueryDirectoryFile the
                            number of bytes written to the caller's buffer */
} IO_STATUS_BLOCK, *PIO_STATUS_BLOCK;
/* Completion callback type NtQueryDirectoryFile accepts in its ApcRoutine slot.
 * The SDK's declaration carries NTAPI (__stdcall on x86); this typedef omits
 * the calling convention, which is harmless here only because the NQDF typedef
 * below types that slot as void* and main always passes NULL for it. */
typedef VOID (*PIO_APC_ROUTINE) (
PVOID ApcContext,              /* the ApcContext value given to the Nt call */
PIO_STATUS_BLOCK IoStatusBlock, /* completion status of that call */
ULONG Reserved
);
/* Selector for the FileInformationClass argument of NtQueryDirectoryFile.
 * Only the numeric values matter to ntdll, so FileDirectoryInformation must
 * stay 1 and the declared order must be preserved.  This program uses
 * FileFullDirectoryInformation (2) only.  The remaining names were copied in
 * for completeness and appear to follow an older enumeration: members after
 * FileCompressionInformation differ from the current SDK's list, so do not
 * rely on their values without checking them against the SDK you build with. */
typedef enum _FILE_INFORMATION_CLASS {
FileDirectoryInformation = 1,
FileFullDirectoryInformation,   /* the class this listing queries */
FileBothDirectoryInformation,
FileBasicInformation,
FileStandardInformation,
FileInternalInformation,
FileEaInformation,
FileAccessInformation,
FileNameInformation,
FileRenameInformation,
FileLinkInformation,
FileNamesInformation,
FileDispositionInformation,
FilePositionInformation,
FileFullEaInformation,
FileModeInformation,
FileAlignmentInformation,
FileAllInformation,
FileAllocationInformation,
FileEndOfFileInformation,
FileAlternateNameInformation,
FileStreamInformation,
FilePipeInformation,
FilePipeLocalInformation,
FilePipeRemoteInformation,
FileMailslotQueryInformation,
FileMailslotSetInformation,
FileCompressionInformation,
/* values below this point are not used by this program; see note above */
FileCopyOnWriteInformation,
FileCompletionInformation,
FileMoveClusterInformation,
FileOleClassIdInformation,
FileOleStateBitsInformation,
FileNetworkOpenInformation,
FileObjectIdInformation,
FileOleAllInformation,
FileOleDirectoryInformation,
FileContentIndexInformation,
FileInheritContentIndexInformation,
FileOleInformation,
FileMaximumInformation
} FILE_INFORMATION_CLASS, *PFILE_INFORMATION_CLASS;
/* One entry of the buffer NtQueryDirectoryFile fills for
 * FileFullDirectoryInformation.  Entries are chained: NextEntryOffset is the
 * byte distance from this entry to the next one and is 0 on the last entry.
 * FileNameLength is in BYTES and FileName is NOT NUL-terminated — FileName[1]
 * is the old-style flexible array, the real name runs past it — so copy or
 * print the name with an explicit length, never with a plain %s/%ws. */
typedef struct _FILE_FULL_DIR_INFORMATION {
ULONG NextEntryOffset;        /* bytes to the next entry, 0 = last */
ULONG FileIndex;
LARGE_INTEGER CreationTime;   /* NT system time (100 ns units) */
LARGE_INTEGER LastAccessTime;
LARGE_INTEGER LastWriteTime;
LARGE_INTEGER ChangeTime;
LARGE_INTEGER EndOfFile;      /* file size in bytes */
LARGE_INTEGER AllocationSize;
ULONG FileAttributes;         /* FILE_ATTRIBUTE_* bits */
ULONG FileNameLength;         /* length of FileName in BYTES, not characters */
ULONG EaSize;
WCHAR FileName[1];            /* variable length, not NUL-terminated */
} FILE_FULL_DIR_INFORMATION, *PFILE_FULL_DIR_INFORMATION;
/* Pointer type for the undocumented ntdll export NtQueryDirectoryFile,
 * resolved at run time with GetProcAddress.  ntdll really returns NTSTATUS
 * (a signed LONG); DWORD keeps the same bits but loses the sign, so callers
 * must compare against the unsigned spelling of the status codes (0 is
 * STATUS_SUCCESS).  __stdcall matches NTAPI on x86 and is ignored on x64.
 * IN/OUT are the SDK's empty annotation macros. */
typedef DWORD (__stdcall *NQDF)(
IN HANDLE FileHandle,        /* directory handle opened with FILE_LIST_DIRECTORY */
IN HANDLE Event,             /* optional completion event; NULL for synchronous use */
//IN PIO_APC_ROUTINE ApcRoutine,
IN void* x,                  /* the ApcRoutine slot, typed void* here; pass NULL */
IN PVOID ApcContext,
OUT PIO_STATUS_BLOCK IoStatusBlock,  /* receives status and bytes written */
OUT PVOID FileInformation,   /* caller's buffer for the entries */
IN ULONG Length,             /* size of FileInformation in bytes */
IN FILE_INFORMATION_CLASS FileInformationClass,
IN BOOLEAN ReturnSingleEntry,  /* TRUE: return at most one entry per call */
IN PUNICODE_STRING FileMask,   /* optional wildcard filter; NULL for everything */
IN BOOLEAN RestartScan );      /* TRUE: start over from the first entry */
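/* Byte size of the NtQueryDirectoryFile result buffer: room for about 512
 * fixed-size entries (real entries also carry a name, so fewer fit).
 * Parenthesised so the expression stays intact inside a larger expression. */
#define ALLOCSIZE (sizeof(FILE_FULL_DIR_INFORMATION) * 512)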
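/* True for the "." and ".." pseudo-entries.  The original listing skipped
 * them by position (it dropped the first two entries of the buffer), which
 * also drops real files in a root directory, where those entries do not
 * exist; matching by name is correct in both cases. */
static int is_dot_entry(const WCHAR *name, size_t chars)
{
    return (chars == 1 && name[0] == L'.') ||
           (chars == 2 && name[0] == L'.' && name[1] == L'.');
}

/* Prints every name in one NtQueryDirectoryFile result buffer.
 *
 * buf   : start of the buffer the call filled (chain of FILE_FULL_DIR_INFORMATION)
 * valid : number of bytes the call reported in IoStatusBlock.Information
 *
 * Entries are chained through NextEntryOffset (0 on the last one).  FileName
 * is NOT NUL-terminated, so the print is bounded by FileNameLength (bytes).
 * An entry whose header or name would extend past `valid` ends the walk
 * instead of being read. */
static void print_dir_entries(const unsigned char *buf, size_t valid)
{
    const size_t hdr = offsetof(FILE_FULL_DIR_INFORMATION, FileName);
    size_t pos = 0;

    for (;;) {
        const FILE_FULL_DIR_INFORMATION *entry;
        size_t name_bytes;
        int name_chars;

        if (pos >= valid || valid - pos < hdr) {
            break;            /* no room for another fixed-size header */
        }
        entry = (const FILE_FULL_DIR_INFORMATION *)(buf + pos);
        name_bytes = entry->FileNameLength;
        if (name_bytes > valid - pos - hdr) {
            break;            /* name would reach past the bytes the kernel wrote */
        }
        name_chars = (int)(name_bytes / sizeof(WCHAR));
        if (!is_dot_entry(entry->FileName, (size_t)name_chars)) {
            wprintf(L"%.*ls\n", name_chars, entry->FileName);
        }
        if (entry->NextEntryOffset == 0) {
            break;            /* last entry in this buffer */
        }
        pos += entry->NextEntryOffset;
    }
}

/* Prompts for a directory path and lists its entries by calling the
 * undocumented ntdll export NtQueryDirectoryFile directly.
 *
 * Returns EXIT_SUCCESS after the listing and EXIT_FAILURE when the directory
 * cannot be opened, the export is missing, or the call reports an error.
 * Either way it ends with system("PAUSE"), as the original did, so the
 * console window stays open. */
int main(void)
{
    /* STATUS_NO_MORE_FILES as an unsigned value: the scan is exhausted, not an error. */
    const DWORD kNoMoreFiles = 0x80000006UL;
    const ULONG buf_len = (ULONG)(ALLOCSIZE);
    IO_STATUS_BLOCK IoStatusBlock = {0};
    HANDLE Dir = INVALID_HANDLE_VALUE;
    NQDF Addr = NULL;
    unsigned char *buffer = NULL;
    WCHAR Directory[MAX_PATH];
    LPCWSTR Module = L"ntdll.dll";
    DWORD err;
    int rc = EXIT_FAILURE;

    printf("Enter Directory To Enumerate... \n");
    /* fgetws bounds the read to the buffer (wscanf "%ws" did not, so a long
     * path overflowed Directory) and keeps paths that contain spaces; strip
     * the newline it retains.  Longer input is truncated, not overflowed. */
    if (fgetws(Directory, MAX_PATH, stdin) == NULL) {
        printf("no directory given\n");
        goto cleanup;
    }
    Directory[wcscspn(Directory, L"\r\n")] = L'\0';

    buffer = calloc(buf_len, 1);
    if (buffer == NULL) {
        printf("out of memory\n");
        goto cleanup;
    }

    /* FILE_FLAG_BACKUP_SEMANTICS is what allows a directory to be opened. */
    Dir = CreateFileW(Directory, FILE_LIST_DIRECTORY, FILE_SHARE_READ | FILE_SHARE_WRITE,
                      NULL, OPEN_EXISTING, FILE_FLAG_BACKUP_SEMANTICS, NULL);
    if (Dir == INVALID_HANDLE_VALUE) {
        printf("cannot open directory (error %lu)\n", (unsigned long)GetLastError());
        goto cleanup;
    }

    /* GetModuleHandleW explicitly: Module is a wide string, and the plain
     * GetModuleHandle macro resolves to the ANSI version unless UNICODE is
     * defined, in which case the lookup silently fails. */
    Addr = (NQDF)GetProcAddress(GetModuleHandleW(Module), "NtQueryDirectoryFile");
    if (Addr == NULL) {
        printf("NtQueryDirectoryFile not found in ntdll.dll\n");
        goto cleanup;
    }

    printf("Enumerating Directory Files: \n");
    /* One call fills at most buf_len bytes.  Keep calling — RestartScan FALSE
     * continues where the previous call stopped — until the scan reports
     * STATUS_NO_MORE_FILES, so large directories are not silently cut off
     * after the first buffer. */
    for (;;) {
        size_t valid;

        err = Addr(Dir, NULL, NULL, NULL, &IoStatusBlock, buffer, buf_len,
                   FileFullDirectoryInformation, FALSE, NULL, FALSE);
        if (err == kNoMoreFiles) {
            break;
        }
        if (err != 0) {
            printf("you still have a lot to learn Neo (NtQueryDirectoryFile returned 0x%08lX)\n",
                   (unsigned long)err);
            goto cleanup;
        }
        /* Information is the byte count written; never let it exceed the buffer. */
        valid = (size_t)IoStatusBlock.Information;
        if (valid > buf_len) {
            valid = buf_len;
        }
        print_dir_entries(buffer, valid);
    }
    rc = EXIT_SUCCESS;

cleanup:
    if (Dir != INVALID_HANDLE_VALUE) {
        CloseHandle(Dir);
    }
    free(buffer);
    system("PAUSE");
    return rc;
}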