kernel32!OpenFile与ntdll!NtOpenFile
kernel32!OpenFile并不是直接调用的ntdll!NtOpenFile,其调用的是ntdll!NtCreateFile。
ntdll!NtOpenFile
ntdll!NtOpenFile函数并没有声明,如果要调用的话需要GetProcAddress动态获取。
typedef struct _IO_STATUS_BLOCK {
union {
NTSTATUS Status;
PVOID Pointer;
};
ULONG_PTR Information;
} IO_STATUS_BLOCK, *PIO_STATUS_BLOCK;
typedef struct _UNICODE_STRING {
USHORT Length;
USHORT MaximumLength;
PWSTR Buffer;
} UNICODE_STRING, *PUNICODE_STRING;
typedef struct _OBJECT_ATTRIBUTES {
ULONG Length;
HANDLE RootDirectory;
PUNICODE_STRING ObjectName;
ULONG Attributes;
PVOID SecurityDescriptor;
PVOID SecurityQualityOfService;
} OBJECT_ATTRIBUTES;
typedef void( __stdcall* RtlInitUnicodeStringA)(PUNICODE_STRING DestinationString, PCWSTR SourceString);
typedef int (__stdcall *NtOpenFileA)(PHANDLE FileHandle, ACCESS_MASK DesiredAccess, OBJECT_ATTRIBUTES* ObjectAttributes, PIO_STATUS_BLOCK IoStatusBlock, ULONG ShareAccess, ULONG OpenOptions);
UNICODE_STRING stFileName = { 0 };
RtlInitUnicodeStringA RtlInitUnicodeString =(RtlInitUnicodeStringA) GetProcAddress(LoadLibrary(TEXT("ntdll.dll")), "RtlInitUnicodeString");
NtOpenFileA NtOpenFile = (NtOpenFileA)GetProcAddress(LoadLibrary(TEXT("ntdll.dll")), "NtOpenFile");
- ntdll!NtOpenFile返回0xC000003B,说明给出的文件的路径错误。
- 注意调用ntdll!NtOpenFile给出的文件名需要加上"\??\"。
- RtlInitUnicodeString(PUNICODE_STRING DestinationString, PCWSTR SourceString)函数在使用时注意其第二个参数为宽字符。
kernel32!DeleteFile与ntdll!NtDeleteFile
kernel32!DeleteFile底层调用的并不是ntdll!NtDeleteFile,其调用的是ntdll!SetInformationFile(传入FileDispositionInformation/FileDispositionInformationEx参数)
ntdll!NtDeleteFile
ntdll!NtDeleteFile函数并没有声明,调用的话需要GetProcAddress获得函数地址进行调用