如何使用ZwQueryDirectoryFile的输出/输入获取文件路径? [英] How to get a file path using the output/input of ZwQueryDirectoryFile?

问题描述

我已经使用了将ZwQueryDirectryFile钩在ssdt中的代码，并且每当调用此函数时，就会执行我的函数NewZwQueryDirectryFile.我需要知道打开目录中文件的完整路径，但我只会得到名称.有什么方法可以获取目录中文件的完整路径吗?
我无法使用windows.h中包含的GetFileNameFromHandle之类的函数，因为我正在编写驱动程序并且包含"windows.h"会给我带来很多麻烦.

P.S.
我正在尝试编写防病毒软件.

谢谢.

Hi,

I have used a code which hooks ZwQueryDirectryFile in ssdt and whenever this function is called, my function, NewZwQueryDirectryFile, is executed. I need to know the full pathes of the files in the opened directory but I only get the names. Is there any way I can get the full path of the files in the direcory?
I can not use functions like GetFileNameFromHandle which are included in windows.h because I am writing a driver and including "windows.h" casues me a lot of trouble.

P.S.
I am trying to write an anti-virus.

Thank you.

推荐答案

您可以尝试使用ZwQueryInformationFile(使用FileNameInformation类)，并将目录句柄传递给ZwQueryDirectryFile

You can try to use ZwQueryInformationFile (using FileNameInformation class) with directory handle passed to ZwQueryDirectryFile

Windows.h给您带来了问题，然后在不包括Windows.h的情况下使用这些功能.

只需先调用LoadLibrary然后调用GetProcAddress来加载函数然后调用它，那将是最简单的解决方案，如下所示...

If including Windows.h creates a problem for you, then use those functions without including Windows.h

Just call LoadLibrary and then GetProcAddress to load up the function and then call it, that''d be the simplest solution, like shown below...

typedef DWORD (CALLBACK* LP_GFPNBH)(HANDLE, LPTSTR, DWORD, DWORD);
HMODULE hModule = ::LoadLibrary("Kernel32.dll");
LP_GFPNBH func = (LP_GFPNBH)::GetProcAddress(hModule, "GetFinalPathNameByHandle");

// Calling function:
func(...parameters...);

这篇关于如何使用ZwQueryDirectoryFile的输出/输入获取文件路径?的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！