
通过detours 来 hook ZwQueryDirectoryFile 时遇到的问题?

悬赏园豆:15 [已关闭问题] 关闭于 2013-10-15 13:18

从网上拿到一份代码,说是通过hook ZwQueryDirectoryFile可以实现文件隐藏,但我想通过detours1.5实现hook,因为我很多源码是detours1.5的,也比较稳定。写到dll中后,编译通过,但链接出现错误,高手给指点下。源码和报错信息分别如下(WDK for win7已经安装):

#include "stdafx.h"
#include <atlbase.h>
#include "shlwapi.h"
#include "detours.h"
#include "windows.h"
#include <tlhelp32.h>
#include <iostream.h>
#include <fstream.h>
#include <sstream>
#include <string>
#include <io.h>
#include <winnt.h>
using namespace std;;

// NTSTATUS and NT_SUCCESS normally come from the DDK headers; they are
// redeclared here so the DLL builds against the plain Win32 SDK headers
// included above. A status is a success when it is non-negative, i.e. the
// high bit is clear. NT_SUCCESS is not used by any code visible in this file.
typedef LONG NTSTATUS;

#define NT_SUCCESS(Status) ((NTSTATUS)(Status) >= 0)

// Information classes accepted by ZwQueryDirectoryFile / Zw*InformationFile.
// The numeric values are the kernel's and must not be changed; they are
// written out explicitly so a misplaced entry cannot silently shift the
// rest. FileBothDirectoryInformation (3) is the class whose buffer layout is
// declared as FILE_BOTH_DIR_INFORMATION below. Entries marked "wdm" are the
// ones the WDM headers also expose.
typedef enum _FILE_INFORMATION_CLASS {
    FileDirectoryInformation        = 1,
    FileFullDirectoryInformation    = 2,
    FileBothDirectoryInformation    = 3,
    FileBasicInformation            = 4,   // wdm
    FileStandardInformation         = 5,   // wdm
    FileInternalInformation         = 6,
    FileEaInformation               = 7,
    FileAccessInformation           = 8,
    FileNameInformation             = 9,
    FileRenameInformation           = 10,
    FileLinkInformation             = 11,
    FileNamesInformation            = 12,
    FileDispositionInformation      = 13,
    FilePositionInformation         = 14,  // wdm
    FileFullEaInformation           = 15,
    FileModeInformation             = 16,
    FileAlignmentInformation        = 17,
    FileAllInformation              = 18,
    FileAllocationInformation       = 19,
    FileEndOfFileInformation        = 20,  // wdm
    FileAlternateNameInformation    = 21,
    FileStreamInformation           = 22,
    FilePipeInformation             = 23,
    FilePipeLocalInformation        = 24,
    FilePipeRemoteInformation       = 25,
    FileMailslotQueryInformation    = 26,
    FileMailslotSetInformation      = 27,
    FileCompressionInformation      = 28,
    FileObjectIdInformation         = 29,
    FileCompletionInformation       = 30,
    FileMoveClusterInformation      = 31,
    FileQuotaInformation            = 32,
    FileReparsePointInformation     = 33,
    FileNetworkOpenInformation      = 34,
    FileAttributeTagInformation     = 35,
    FileTrackingInformation         = 36,
    FileIdBothDirectoryInformation  = 37,
    FileIdFullDirectoryInformation  = 38,
    FileValidDataLengthInformation  = 39,
    FileShortNameInformation        = 40,
    FileMaximumInformation          = 41   // one past the last valid class
} FILE_INFORMATION_CLASS, *PFILE_INFORMATION_CLASS;

// One entry of the buffer ZwQueryDirectoryFile fills for the
// FileBothDirectoryInformation class. Entries are chained through
// NextEntryOffset (0 on the last entry). FileName is a variable-length
// trailer of FileNameLength BYTES with no NUL terminator; the [1] only
// reserves the first character. Field order and types are the native
// layout and must not be reordered or padded.
typedef struct _FILE_BOTH_DIR_INFORMATION {
    ULONG             NextEntryOffset;   // bytes from this entry to the next, 0 if last
    ULONG             FileIndex;
    LARGE_INTEGER     CreationTime;
    LARGE_INTEGER     LastAccessTime;
    LARGE_INTEGER     LastWriteTime;
    LARGE_INTEGER     ChangeTime;
    LARGE_INTEGER     EndOfFile;
    LARGE_INTEGER     AllocationSize;
    ULONG             FileAttributes;
    ULONG             FileNameLength;    // length of FileName in bytes, not characters
    ULONG             EaSize;
    CCHAR             ShortNameLength;   // length of ShortName in bytes
    WCHAR             ShortName[12];     // 8.3 name, not NUL-terminated
    WCHAR             FileName[1];       // first WCHAR of a FileNameLength-byte name
} FILE_BOTH_DIR_INFORMATION, *PFILE_BOTH_DIR_INFORMATION;

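// Native UNICODE_STRING: a counted string of 16-bit characters that is not
// guaranteed to be NUL-terminated. Length and MaximumLength are in BYTES.
// Buffer is wchar_t* (PWSTR in the Windows headers); the original
// declaration used PCHAR, which has the same size but invites reading the
// buffer as 8-bit characters. The tag is kept as _STRING so existing
// references (including decorated names in the link output) are unaffected.
typedef struct _STRING {
    USHORT   Length;          // bytes in use in Buffer
    USHORT   MaximumLength;   // capacity of Buffer, in bytes
    wchar_t *Buffer;          // UTF-16 code units, possibly without a terminator
} UNICODE_STRING, *PUNICODE_STRING;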

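// Native IO_STATUS_BLOCK layout. The first member is a union of the status
// and an opaque pointer, and Information is pointer-sized, so the struct is
// 8 bytes on x86 and 16 bytes on x64. The original declaration used
// DWORD/ULONG for both fields, which matches only a 32-bit build; on x64 it
// would be half the size the system writes into, corrupting the caller's
// stack or heap next to it.
typedef struct _IO_STATUS_BLOCK {
    union {
        NTSTATUS Status;      // completion status, tested with NT_SUCCESS
        PVOID    Pointer;     // reserved by the system, not used here
    };
    ULONG_PTR Information;    // request-dependent value filled in on completion
} IO_STATUS_BLOCK, *PIO_STATUS_BLOCK;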

// Completion-routine type for the optional ApcRoutine argument of
// ZwQueryDirectoryFile. Declared only so the prototypes below match the
// native signature; the stub hook in this file never invokes it.
typedef VOID (NTAPI *PIO_APC_ROUTINE)(PVOID ApcContext, PIO_STATUS_BLOCK IoStatusBlock, ULONG Reserved);

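// Pointer type for ntdll!ZwQueryDirectoryFile. The export uses the stdcall
// convention, and the two hook functions below are declared WINAPI; the
// original typedef carried no calling convention, so under the default
// project settings it was cdecl. A mismatched convention is harmless while
// the value is only cast to PBYTE, but would unbalance the stack on x86 the
// moment anything called through this pointer.
typedef NTSTATUS (WINAPI *ZWQUERYDIRECTORYFILE)(
    IN  HANDLE FileHandle,
    IN  HANDLE Event OPTIONAL,
    IN  PIO_APC_ROUTINE ApcRoutine OPTIONAL,
    IN  PVOID ApcContext OPTIONAL,
    OUT PIO_STATUS_BLOCK IoStatusBlock,
    OUT PVOID FileInformation,
    IN  ULONG Length,
    IN  FILE_INFORMATION_CLASS FileInformationClass,
    IN  BOOLEAN ReturnSingleEntry,
    IN  PUNICODE_STRING FileName OPTIONAL,
    IN  BOOLEAN RestartScan
);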

// Detours 1.x "empty trampoline" that DetourFunctionWithEmptyTrampoline
// (called from DllMain) is expected to fill in at run time so it ends up
// behaving like the original ZwQueryDirectoryFile.
// NOTE(review): this is only a PROTOTYPE. Nothing in the file defines
// CopyZwQueryDirectoryFile, which is exactly the symbol LNK2001 reports as
// unresolved in the build log below. In Detours 1.x the trampoline must be
// a real function with a body (the library patches its code bytes), so it
// has to be defined through the trampoline macro provided by detours.h
// rather than merely declared here.
NTSTATUS WINAPI CopyZwQueryDirectoryFile(                        
    IN  HANDLE FileHandle,
    IN  HANDLE Event OPTIONAL,
    IN  PIO_APC_ROUTINE ApcRoutine OPTIONAL,
    IN  PVOID ApcContext OPTIONAL,
    OUT PIO_STATUS_BLOCK IoStatusBlock,
    OUT PVOID FileInformation,
    IN  ULONG Length,
    IN  FILE_INFORMATION_CLASS FileInformationClass,
    IN  BOOLEAN ReturnSingleEntry,
    IN  PUNICODE_STRING FileName OPTIONAL,
    IN  BOOLEAN RestartScan
);
// Replacement that DllMain installs in place of ZwQueryDirectoryFile.
// This is a stub: every argument is ignored and 0 is returned, which
// NT_SUCCESS() treats as success, without writing IoStatusBlock or
// FileInformation and without forwarding to the original. Any caller that
// trusts the status will therefore read whatever the buffer held before.
NTSTATUS WINAPI MyZwQueryDirectoryFile(                        
     IN  HANDLE FileHandle,
     IN  HANDLE Event OPTIONAL,
     IN  PIO_APC_ROUTINE ApcRoutine OPTIONAL,
     IN  PVOID ApcContext OPTIONAL,
     OUT PIO_STATUS_BLOCK IoStatusBlock,
     OUT PVOID FileInformation,
     IN  ULONG Length,
     IN  FILE_INFORMATION_CLASS FileInformationClass,
     IN  BOOLEAN ReturnSingleEntry,
     IN  PUNICODE_STRING FileName OPTIONAL,
     IN  BOOLEAN RestartScan
     )
{
    // Mark the parameters as deliberately unused so -W4 / /W4 stays quiet.
    (void)FileHandle;
    (void)Event;
    (void)ApcRoutine;
    (void)ApcContext;
    (void)IoStatusBlock;
    (void)FileInformation;
    (void)Length;
    (void)FileInformationClass;
    (void)ReturnSingleEntry;
    (void)FileName;
    (void)RestartScan;

    const NTSTATUS status = 0;
    return status;
}

// DLL entry point. On process attach it resolves ZwQueryDirectoryFile from
// ntdll and redirects it to MyZwQueryDirectoryFile through the Detours 1.x
// empty-trampoline API; on process detach it removes the detour.
// NOTE(review): LoadLibrary is called while the loader lock is held inside
// DllMain (ntdll is already mapped in every process, so GetModuleHandle
// would suffice), neither hModuleNT nor the GetProcAddress result is checked
// for NULL before being passed to Detours, and the return values of both
// Detour* calls are discarded, so a failed install or removal is silent.
BOOL APIENTRY DllMain(HANDLE hModule, DWORD  ul_reason_for_call, LPVOID lpReserved)
{
    HMODULE hModuleNT;
    // NOTE(review): this declares a pointer TO a ZWQUERYDIRECTORYFILE
    // function pointer, one indirection more than intended. It only works
    // because the value is immediately cast to PBYTE below and is never
    // called through.
    ZWQUERYDIRECTORYFILE* zwQueryDirectoryFile;

    switch (ul_reason_for_call)
    {
        case DLL_PROCESS_ATTACH:
            hModuleNT = LoadLibrary("ntdll.dll");
            zwQueryDirectoryFile = (ZWQUERYDIRECTORYFILE*)GetProcAddress(hModuleNT, "ZwQueryDirectoryFile");
            // Target, trampoline, detour. CopyZwQueryDirectoryFile is only
            // declared above, which is why the link below fails.
            DetourFunctionWithEmptyTrampoline((PBYTE)zwQueryDirectoryFile,(PBYTE)CopyZwQueryDirectoryFile,(PBYTE)MyZwQueryDirectoryFile);
            break;
        case DLL_THREAD_ATTACH:
            break;
        case DLL_THREAD_DETACH:
            break;
        case DLL_PROCESS_DETACH:
            // Restores the original bytes; the LoadLibrary reference taken
            // at attach time is never released.
            DetourRemoveWithTrampoline((PBYTE)CopyZwQueryDirectoryFile, (PBYTE)MyZwQueryDirectoryFile);
            break;
    }
    return TRUE;
}

--------------------Configuration: HookApi - Win32 Release-------------------- Compiling...

HookApi.cpp Linking...

HookApi.obj : error LNK2001: unresolved external symbol "long __stdcall CopyZwQueryDirectoryFile(void *,void *,void (__stdcall*)(void *,struct _IO_STATUS_BLOCK *,unsigned long),void *,struct _IO_STATUS_BLOCK *,void *,unsigned long,enum _FILE_INFORMATION_CLASS,unsigned char,struct _STRING *,unsigned char)" (?CopyZwQueryDirectoryFile@@YGJPAX0P6GX0PAU_IO_STATUS_BLOCK@@K@Z010KW4_FILE_INFORMATION_CLASS@@EPAU_STRING@@E@Z) ../../test.dll : fatal error LNK1120: 1 unresolved externals

执行 link.exe 时出错. Creating browse info file...

test.dll - 1 error(s), 0 warning(s)
