Several important functions

xiaoxiao 2021-03-06

Several important functions:

[A collection of several useful low-level functions, some documented and some undocumented; take whatever is useful to you.]

NtQueryDirectoryFile

In Windows NT, searching for a file under a set of directories means enumerating every file in each directory and in all of its subdirectories. Files are enumerated with the NtQueryDirectoryFile function:

NTSTATUS NtQueryDirectoryFile(IN HANDLE FileHandle, IN HANDLE Event OPTIONAL, IN PIO_APC_ROUTINE ApcRoutine OPTIONAL, IN PVOID ApcContext OPTIONAL, OUT PIO_STATUS_BLOCK IoStatusBlock, OUT PVOID FileInformation, IN ULONG FileInformationLength, IN FILE_INFORMATION_CLASS FileInformationClass, IN BOOLEAN ReturnSingleEntry, IN PUNICODE_STRING FileName OPTIONAL, IN BOOLEAN RestartScan);

The parameters that matter for us are FileHandle, FileInformation and FileInformationClass. FileHandle is a handle to the directory object, obtained from NtOpenFile. FileInformation points to the allocated buffer into which the data is written. FileInformationClass determines the type of record written to FileInformation.

// ------------------------------------------------------------

NtQuerySystemInformation

Information about running processes is obtained with NtQuerySystemInformation:

NTSTATUS NtQuerySystemInformation(IN SYSTEM_INFORMATION_CLASS SystemInformationClass, IN OUT PVOID SystemInformation, IN ULONG SystemInformationLength, OUT PULONG ReturnLength OPTIONAL);

SystemInformationClass indicates the category of information we want. SystemInformation is a pointer to the function's output buffer, and SystemInformationLength is the length of that buffer. ReturnLength receives the number of bytes written. To enumerate running processes, SystemInformationClass is set to SystemProcessesAndThreadsInformation.
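The buffer-growing call and the walk over the returned records for the process enumeration just described, as an added example that is not code from the original post. It assumes the x64 SYSTEM_PROCESS_INFORMATION layout (only the leading fields are declared) and uses winternl.h's name SystemProcessInformation for the class the text calls SystemProcessesAndThreadsInformation; the walker is bounds-checked and exercised on a constructed buffer, so a detector can verify it offline.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>
/* x64 prefix of SYSTEM_PROCESS_INFORMATION (assumed layout, 88 bytes); thread records follow each one */
typedef struct {
    uint32_t  NextEntryOffset, NumberOfThreads;   /* NextEntryOffset 0 marks the last record */
    uint8_t   opaque[72];                         /* times, ImageName, BasePriority: skipped here */
    uintptr_t UniqueProcessId;                    /* HANDLE-sized PID */
} SPI_PREFIX;
/* Walks the chain collecting PIDs; offsets that leave the buffer or do not advance stop the walk */
size_t spi_walk(const uint8_t *buf, size_t len, uintptr_t *pids, size_t max_pids) {
    size_t count = 0, off = 0; SPI_PREFIX rec;
    while (off + sizeof rec <= len) {
        memcpy(&rec, buf + off, sizeof rec);             /* copy out: no unaligned access */
        if (count < max_pids) pids[count] = rec.UniqueProcessId;
        count++;
        if (rec.NextEntryOffset < sizeof rec) break;     /* 0 = end of list; less = malformed */
        off += rec.NextEntryOffset;
    }
    return count;
}
/* Constructed sample (not real kernel output): PIDs 4, 1234, 5678 with gaps for thread arrays.
 * Returns the idx-th PID found or 0; a non-zero limit truncates the buffer to simulate a short read. */
uintptr_t sample_pid(size_t idx, size_t limit) {
    static const uintptr_t ids[3] = {4, 1234, 5678};
    static const uint32_t gaps[3] = {200, 352, 0};       /* gap 0 terminates the chain */
    uint8_t buf[1024] = {0}; uintptr_t pids[8]; size_t off = 0, n;
    for (int i = 0; i < 3; i++) {
        SPI_PREFIX rec = {0};
        rec.NextEntryOffset = gaps[i]; rec.UniqueProcessId = ids[i];
        memcpy(buf + off, &rec, sizeof rec);
        off += gaps[i] ? gaps[i] : sizeof rec;
    }
    n = spi_walk(buf, (limit && limit < off) ? limit : off, pids, 8);
    return idx < n ? pids[idx] : 0;
}
#ifdef _WIN32   /* the real call; link with ntdll.lib. Caller frees the returned buffer. */
#include <windows.h>
#include <winternl.h>
void *query_process_list(ULONG *out_len) {
    ULONG len = 64 * 1024, need = 0; void *buf = NULL; NTSTATUS st;
    do {    /* retry while the kernel answers 0xC0000004 (STATUS_INFO_LENGTH_MISMATCH) */
        free(buf); if (!(buf = malloc(len))) return NULL;
        st = NtQuerySystemInformation(SystemProcessInformation, buf, len, &need);
        len = need > len ? need + 16 * 1024 : len * 2;  /* headroom: the list may grow meanwhile */
    } while (st == (NTSTATUS)0xC0000004L);
    if (st < 0) { free(buf); return NULL; } *out_len = need; return buf;
}
#endif
```

On Windows, passing the buffer from query_process_list to spi_walk yields the PID list this class reports; comparing it against an independent view (for example PIDs collected by a different API) is the usual way to spot entries a hook has removed.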

// ------------------------------------------------------------

NtEnumerateKey

Because of the way the registry is structured, we cannot request the complete list of keys under a given part of the registry at once. We can only query one part at a time by passing the index of the subkey whose information we want, and NtEnumerateKey serves this purpose.

NTSTATUS NtEnumerateKey(IN HANDLE KeyHandle, IN ULONG Index, IN KEY_INFORMATION_CLASS KeyInformationClass, OUT PVOID KeyInformation, IN ULONG KeyInformationLength, OUT PULONG ResultLength);

KeyHandle is a handle to the key whose subkey, selected by Index, we want information about. KeyInformationClass indicates the type of information returned. The data is written to the KeyInformation buffer, whose length is KeyInformationLength; the number of bytes written is returned in ResultLength.

// ------------------------------------------------------------

NtVdmControl

NTVDM (the DOS subsystem) obtains its file listings through the function NtVdmControl:

NTSTATUS NtVdmControl(IN ULONG ControlCode, IN PVOID ControlData);

ControlCode indicates the sub-function to apply to the data in the ControlData buffer. When ControlCode selects the directory-query sub-function, the function behaves like NtQueryDirectoryFile with FileInformationClass set to FileBothDirectoryInformation.

// ------------------------------------------------------------

NtDeviceIoControlFile

A detailed description of this function is in MSDN (2004).

NTSTATUS NtDeviceIoControlFile(HANDLE FileHandle, HANDLE Event, PIO_APC_ROUTINE ApcRoutine, PVOID ApcContext, PIO_STATUS_BLOCK IoStatusBlock, ULONG IoControlCode, PVOID InputBuffer, ULONG InputBufferLength, PVOID OutputBuffer, ULONG OutputBufferLength);

// ------------------------------------------------------------

NtQueryInformationProcess

We obtain the PEB (process environment block) of the target process through NtQueryInformationProcess:

NTSTATUS NtQueryInformationProcess(IN HANDLE ProcessHandle, IN PROCESSINFOCLASS ProcessInformationClass, OUT PVOID ProcessInformation, IN ULONG ProcessInformationLength, OUT PULONG ReturnLength OPTIONAL);

// ------------------------------------------------------------

NtQueryInformationThread

NtQueryInformationThread tells us which process a given thread belongs to:

NTSTATUS NtQueryInformationThread(IN HANDLE ThreadHandle, IN THREADINFOCLASS ThreadInformationClass, OUT PVOID ThreadInformation, IN ULONG ThreadInformationLength, OUT PULONG ReturnLength OPTIONAL);

// ------------------------------------------------------------

LdrLoadDll

Other modules are loaded dynamically while the process runs, after it has already been hooked. This is why the LdrLoadDll function must also be hooked, to catch newly loaded modules.

NTSTATUS LdrLoadDll(PWSTR szcwPath, PDWORD pdwLdrErr, PUNICODE_STRING pUniModuleName, PHINSTANCE pResultInstance);

// ------------------------------------------------------------

NtFsControlFile

NtFsControlFile is used with FSCTL_xxx control codes (which generate different IRP_MJ_xxx requests).

This function is used to send file system control (FSCTL) commands to file system drivers. It is exported by ntdll.dll (ntdll.lib), a file shipped with the NT DDK. Two forms of the prototype are in circulation:

No. 1:

NTSTATUS NtFsControlFile(
    HANDLE FileHandle,
    HANDLE Event,                    // optional
    PIO_APC_ROUTINE ApcRoutine,      // optional
    PVOID ApcContext,                // optional
    PIO_STATUS_BLOCK IoStatusBlock,
    ULONG FsControlCode,
    PVOID InputBuffer,               // optional
    ULONG InputBufferLength,
    PVOID OutputBuffer,              // optional
    ULONG OutputBufferLength
);

No. 2:

NTSTATUS NtFsControlFile(
    IN HANDLE FileHandle,
    IN HANDLE Event OPTIONAL,
    IN PIO_APC_ROUTINE ApcRoutine OPTIONAL,
    IN PVOID ApcContext OPTIONAL,
    OUT PIO_STATUS_BLOCK IoStatusBlock,
    IN ULONG IoControlCode,
    IN PVOID InputBuffer OPTIONAL,
    IN ULONG InputBufferLength,
    OUT PVOID OutputBuffer OPTIONAL,
    IN ULONG OutputBufferLength
);

// ------------------------------------------------------------

KeAddSystemServiceTable

The function KeAddSystemServiceTable allows win32k.sys and other device drivers to add a system service table. Apart from the win32k.sys service table, a service table added through KeAddSystemServiceTable is copied into both KeServiceDescriptorTable and KeServiceDescriptorTableShadow.

BOOL KeAddSystemServiceTable(
    LPSSTAT lpAddressTable,   // pointer to the SSTAT structure (address table) of the SST
    BOOL bUnknown,            // unknown; always set to FALSE. If you have any
                              // information regarding this, please let me know.
    DWORD dwNumEntries,       // number of entries in the SST
    LPSSTPT lpParamTable,     // pointer to the parameter table of the SST
    DWORD dwTableId           // index of the SSD to add the SST to
);

Please credit the original source when reposting: https://www.9cbs.com/read-104024.html
