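/*
 * Delete a file by NT path (simplest form, via ZwDeleteFile).
 *
 * file_path: NUL-terminated wide NT path; the "\??\" prefix is required,
 *            e.g. L"\\??\\C:\\123.exe". The original declared this PCHAR,
 *            but RtlInitUnicodeString and the only caller both use a wide
 *            string, so the parameter is PCWSTR; PWCHAR callers are
 *            unaffected.
 *
 * Returns STATUS_SUCCESS, STATUS_INVALID_PARAMETER for a NULL path, or the
 * status ZwDeleteFile reported, so a caller can distinguish e.g.
 * STATUS_SHARING_VIOLATION (file open without FILE_SHARE_DELETE) from
 * STATUS_OBJECT_NAME_NOT_FOUND.
 *
 * Limitation: a file that is currently open by a holder that did not grant
 * FILE_SHARE_DELETE cannot be deleted this way.
 *
 * NOTE(review): Zw* calls issued from kernel mode are not access-checked
 * against the requesting user. If file_path can originate in user mode
 * (e.g. an IOCTL buffer), it must be probed/copied first and
 * OBJ_FORCE_ACCESS_CHECK added to the attributes, or this is an
 * arbitrary-file-delete primitive for any user that can reach the driver.
 */
NTSTATUS KenelDeleteFile(PCWSTR file_path) {
    UNICODE_STRING filepath;
    OBJECT_ATTRIBUTES obja;
    NTSTATUS status;

    if (file_path == NULL) {
        return STATUS_INVALID_PARAMETER;
    }

    RtlInitUnicodeString(&filepath, file_path);
    /* OBJ_KERNEL_HANDLE matches the copy routines in this file; it is
     * harmless here because ZwDeleteFile does not hand back a handle. */
    InitializeObjectAttributes(&obja, &filepath, OBJ_CASE_INSENSITIVE | OBJ_KERNEL_HANDLE, NULL, NULL);

    status = ZwDeleteFile(&obja);
    if (!NT_SUCCESS(status)) {
        /* Propagate the real status instead of flattening to STATUS_UNSUCCESSFUL. */
        DbgPrint("[info] Delete file Fail~ status=0x%08X\n", status);
        return status;
    }

    DbgPrint("[info] Delete file Success~\n");
    return STATUS_SUCCESS;
}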
// ...
// Example call. The argument must be an NT object-manager path (note the
// leading \??\), not a Win32 path:
KenelDeleteFile(L"\\??\\C:\\123.exe");
内核拷贝(直接拷贝不适用于大文件)
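/* Pool tag so leaks from this routine are attributable in !poolused / Verifier. */
#define COPY_POOL_TAG 'ypoC'

/*
 * Copy a file in a single read/write: the whole source is read into one pool
 * buffer, then written to a superseded destination file.
 *
 * de_file_path:   NT path of the destination, e.g. L"\\??\\C:\\copy.exe".
 * sour_file_path: NT path of the source.
 *
 * Returns STATUS_SUCCESS, STATUS_INVALID_PARAMETER for a NULL path,
 * STATUS_FILE_TOO_LARGE when the source does not fit one ZwReadFile
 * (lengths are ULONG), STATUS_INSUFFICIENT_RESOURCES when the pool
 * allocation fails, STATUS_UNEXPECTED_IO_ERROR on a short write, or the
 * status of the failing Zw* call. On failure a partially written destination
 * may be left behind; the caller decides whether to delete it.
 *
 * Limitation: the entire file is held in pool at once, so this is only
 * suitable for small files; use the chunked variant otherwise.
 *
 * NOTE(review): Zw* calls from kernel mode skip access checks. If either
 * path can come from user mode, probe/copy the strings and set
 * OBJ_FORCE_ACCESS_CHECK, otherwise this is an arbitrary-file-read/write
 * primitive for any user able to reach the driver.
 */
NTSTATUS KernelCopyFile(PWCHAR de_file_path, PWCHAR sour_file_path) {
    NTSTATUS status;
    HANDLE hsourfile = NULL;
    HANDLE hdefile = NULL;
    PVOID filebuffer = NULL;
    UNICODE_STRING sourfilepath;
    UNICODE_STRING defilepath;
    OBJECT_ATTRIBUTES sourobja;
    OBJECT_ATTRIBUTES deobja;
    IO_STATUS_BLOCK souriosb = { 0 };
    IO_STATUS_BLOCK deiosb = { 0 };
    FILE_STANDARD_INFORMATION fbi = { 0 };
    LARGE_INTEGER offset;
    ULONG length = 0;

    if (de_file_path == NULL || sour_file_path == NULL) {
        return STATUS_INVALID_PARAMETER;
    }

    /* Open the source read-only (least privilege; also works on read-only
     * media). SYNCHRONIZE is required with FILE_SYNCHRONOUS_IO_NONALERT.
     * FILE_NON_DIRECTORY_FILE rejects directories up front instead of
     * failing later inside ZwReadFile. */
    RtlInitUnicodeString(&sourfilepath, sour_file_path);
    InitializeObjectAttributes(&sourobja, &sourfilepath, OBJ_CASE_INSENSITIVE | OBJ_KERNEL_HANDLE, NULL, NULL);
    status = ZwOpenFile(&hsourfile, GENERIC_READ | SYNCHRONIZE, &sourobja, &souriosb,
                        FILE_SHARE_READ | FILE_SHARE_WRITE,
                        FILE_SYNCHRONOUS_IO_NONALERT | FILE_NON_DIRECTORY_FILE);
    if (!NT_SUCCESS(status)) {
        DbgPrint("[info] Open Source file Fail~ status=0x%08X\n", status);
        return status;
    }

    status = ZwQueryInformationFile(hsourfile, &souriosb, &fbi, sizeof(fbi), FileStandardInformation);
    if (!NT_SUCCESS(status)) {
        DbgPrint("[info] QueryInformation Source file Fail~ status=0x%08X\n", status);
        goto cleanup;
    }

    /* ZwReadFile/ZwWriteFile take a ULONG length: refuse instead of silently
     * truncating the 64-bit size (the original passed QuadPart directly). */
    if (fbi.EndOfFile.QuadPart < 0 || fbi.EndOfFile.QuadPart > MAXULONG) {
        DbgPrint("[info] Source file too large for single-buffer copy\n");
        status = STATUS_FILE_TOO_LARGE;
        goto cleanup;
    }
    length = (ULONG)fbi.EndOfFile.QuadPart;

    if (length > 0) {
        /* Zw file I/O runs at PASSIVE_LEVEL, so paged pool is sufficient and
         * does not pin a whole file's worth of non-paged memory. */
        filebuffer = ExAllocatePoolWithTag(PagedPool, length, COPY_POOL_TAG);
        if (filebuffer == NULL) {
            DbgPrint("[info] Allocate Buffer Fail~\n");
            status = STATUS_INSUFFICIENT_RESOURCES;
            goto cleanup;
        }

        offset.QuadPart = 0;
        status = ZwReadFile(hsourfile, NULL, NULL, NULL, &souriosb, filebuffer, length, &offset, NULL);
        if (!NT_SUCCESS(status)) {
            /* The original tested the buffer pointer here, not the status. */
            DbgPrint("[info] read FileFailed:0x%08X\n", status);
            goto cleanup;
        }
        /* Write only what was actually read (the file may have shrunk). */
        length = (ULONG)souriosb.Information;
        DbgPrint("[info] ----IoInfo---%lu\n", length);
    }

    /* Create (supersede) the destination with write access only. ShareAccess
     * is 0 so no other writer can interleave with the copy. */
    RtlInitUnicodeString(&defilepath, de_file_path);
    InitializeObjectAttributes(&deobja, &defilepath, OBJ_CASE_INSENSITIVE | OBJ_KERNEL_HANDLE, NULL, NULL);
    status = ZwCreateFile(&hdefile, GENERIC_WRITE | SYNCHRONIZE, &deobja, &deiosb, NULL,
                          FILE_ATTRIBUTE_NORMAL, 0, FILE_SUPERSEDE,
                          FILE_SYNCHRONOUS_IO_NONALERT | FILE_NON_DIRECTORY_FILE, NULL, 0);
    if (!NT_SUCCESS(status)) {
        DbgPrint("Create File Failed:0x%08X\n", status);
        goto cleanup;
    }

    if (length > 0) {
        offset.QuadPart = 0;
        status = ZwWriteFile(hdefile, NULL, NULL, NULL, &deiosb, filebuffer, length, &offset, NULL);
        if (!NT_SUCCESS(status)) {
            DbgPrint("Write File Failed:0x%08X\n", status);
            goto cleanup;
        }
        if (deiosb.Information != length) {
            DbgPrint("Write File short: %lu of %lu bytes\n", (ULONG)deiosb.Information, length);
            status = STATUS_UNEXPECTED_IO_ERROR;
            goto cleanup;
        }
        DbgPrint("------Write:------%lu\n", length);
    }
    status = STATUS_SUCCESS;

cleanup:
    /* Single exit: every resource is released exactly once on every path
     * (the original leaked the source handle or pool on several paths and
     * passed &handle to ZwClose). */
    if (filebuffer != NULL) {
        ExFreePoolWithTag(filebuffer, COPY_POOL_TAG);
    }
    if (hdefile != NULL) {
        ZwClose(hdefile);
    }
    if (hsourfile != NULL) {
        ZwClose(hsourfile);
    }
    return status;
}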
分段拷贝
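/* Pool tag so leaks from this routine are attributable in !poolused / Verifier. */
#define COPY_POOL_TAG 'ypoC'

#ifndef BUFFERSIZE
/* Chunk size for the copy loop; the project is expected to define this
 * elsewhere, this is only a fallback so the routine is self-contained. */
#define BUFFERSIZE (64 * 1024)
#endif

/*
 * Copy a file in BUFFERSIZE-byte chunks, so only one chunk of pool is needed
 * regardless of the file size.
 *
 * de_file_path:   NT path of the destination, e.g. L"\\??\\C:\\copy.exe".
 * sour_file_path: NT path of the source.
 *
 * Returns STATUS_SUCCESS, STATUS_INVALID_PARAMETER for a NULL path,
 * STATUS_INSUFFICIENT_RESOURCES when the chunk buffer cannot be allocated,
 * STATUS_UNEXPECTED_IO_ERROR on a short write, or the status of the failing
 * Zw* call. On failure a partially written destination may be left behind;
 * the caller decides whether to delete it.
 *
 * The source is opened with FILE_SHARE_WRITE, so it may change while being
 * copied; if it shrinks, the copy stops at the new end of file.
 *
 * NOTE(review): Zw* calls from kernel mode skip access checks. If either
 * path can come from user mode, probe/copy the strings and set
 * OBJ_FORCE_ACCESS_CHECK, otherwise this is an arbitrary-file-read/write
 * primitive for any user able to reach the driver.
 */
NTSTATUS KernelCopyFile(PWCHAR de_file_path, PWCHAR sour_file_path) {
    NTSTATUS status;
    HANDLE hsourfile = NULL;
    HANDLE hdefile = NULL;
    PVOID filebuffer = NULL;
    UNICODE_STRING sourfilepath;
    UNICODE_STRING defilepath;
    OBJECT_ATTRIBUTES sourobja;
    OBJECT_ATTRIBUTES deobja;
    IO_STATUS_BLOCK souriosb = { 0 };
    IO_STATUS_BLOCK deiosb = { 0 };
    FILE_STANDARD_INFORMATION fbi = { 0 };
    LARGE_INTEGER offset;
    LONGLONG remaining;

    if (de_file_path == NULL || sour_file_path == NULL) {
        return STATUS_INVALID_PARAMETER;
    }

    /* Open the source read-only (least privilege; also works on read-only
     * media). SYNCHRONIZE is required with FILE_SYNCHRONOUS_IO_NONALERT. */
    RtlInitUnicodeString(&sourfilepath, sour_file_path);
    InitializeObjectAttributes(&sourobja, &sourfilepath, OBJ_CASE_INSENSITIVE | OBJ_KERNEL_HANDLE, NULL, NULL);
    status = ZwOpenFile(&hsourfile, GENERIC_READ | SYNCHRONIZE, &sourobja, &souriosb,
                        FILE_SHARE_READ | FILE_SHARE_WRITE,
                        FILE_SYNCHRONOUS_IO_NONALERT | FILE_NON_DIRECTORY_FILE);
    if (!NT_SUCCESS(status)) {
        DbgPrint("[info] Open Source file Fail~ status=0x%08X\n", status);
        return status;
    }

    /* Only EndOfFile is used; it bounds the loop below. */
    status = ZwQueryInformationFile(hsourfile, &souriosb, &fbi, sizeof(fbi), FileStandardInformation);
    if (!NT_SUCCESS(status)) {
        DbgPrint("[info] QueryInformation Source file Fail~ status=0x%08X\n", status);
        goto cleanup;
    }

    /* Create (supersede) the destination with write access only. ShareAccess
     * is 0 so no other writer can interleave with the copy. */
    RtlInitUnicodeString(&defilepath, de_file_path);
    InitializeObjectAttributes(&deobja, &defilepath, OBJ_CASE_INSENSITIVE | OBJ_KERNEL_HANDLE, NULL, NULL);
    status = ZwCreateFile(&hdefile, GENERIC_WRITE | SYNCHRONIZE, &deobja, &deiosb, NULL,
                          FILE_ATTRIBUTE_NORMAL, 0, FILE_SUPERSEDE,
                          FILE_SYNCHRONOUS_IO_NONALERT | FILE_NON_DIRECTORY_FILE, NULL, 0);
    if (!NT_SUCCESS(status)) {
        DbgPrint("Create File Failed:0x%08X\n", status);
        goto cleanup;
    }

    /* One chunk buffer. Zw file I/O runs at PASSIVE_LEVEL, so paged pool is
     * sufficient. No per-iteration zeroing: every byte written comes from the
     * preceding read. */
    filebuffer = ExAllocatePoolWithTag(PagedPool, BUFFERSIZE, COPY_POOL_TAG);
    if (filebuffer == NULL) {
        DbgPrint("[info] Allocate Buffer Fail~\n");
        status = STATUS_INSUFFICIENT_RESOURCES;
        goto cleanup;
    }

    /* Source and destination advance in lockstep, so one offset serves both. */
    offset.QuadPart = 0;
    remaining = fbi.EndOfFile.QuadPart;
    while (remaining > 0) {
        ULONG chunk = (remaining < (LONGLONG)BUFFERSIZE) ? (ULONG)remaining : (ULONG)BUFFERSIZE;
        ULONG got;

        status = ZwReadFile(hsourfile, NULL, NULL, NULL, &souriosb, filebuffer, chunk, &offset, NULL);
        if (!NT_SUCCESS(status)) {
            /* The original tested the buffer pointer here, not the status. */
            DbgPrint("[info] read FileFailed:0x%08X\n", status);
            goto cleanup;
        }
        got = (ULONG)souriosb.Information;
        if (got == 0) {
            /* EOF before the size we queried (file shrank under us): stop
             * rather than write stale buffer contents or spin forever. */
            break;
        }

        /* Write exactly the bytes read, not the requested chunk size. */
        status = ZwWriteFile(hdefile, NULL, NULL, NULL, &deiosb, filebuffer, got, &offset, NULL);
        if (!NT_SUCCESS(status)) {
            DbgPrint("Write File Failed:0x%08X\n", status);
            goto cleanup;
        }
        if (deiosb.Information != got) {
            DbgPrint("Write File short: %lu of %lu bytes\n", (ULONG)deiosb.Information, got);
            status = STATUS_UNEXPECTED_IO_ERROR;
            goto cleanup;
        }

        offset.QuadPart += got;
        remaining -= got;
    }
    status = STATUS_SUCCESS;
    DbgPrint("------Copy Over------\n");

cleanup:
    /* Single exit: every resource is released exactly once on every path
     * (the original leaked a handle on most error paths, passed &handle to
     * ZwClose, and freed filebuffer before it was declared). */
    if (filebuffer != NULL) {
        ExFreePoolWithTag(filebuffer, COPY_POOL_TAG);
    }
    if (hdefile != NULL) {
        ZwClose(hdefile);
    }
    if (hsourfile != NULL) {
        ZwClose(hsourfile);
    }
    return status;
}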