/* Fragment quoted from the question: opening a path under System32 from a
 * 32-bit (WOW64) process. While redirection is on, WOW64 maps this path to
 * SysWOW64 (which is the whole point of the experiments below). The returned
 * HANDLE is discarded here; real code must compare it with
 * INVALID_HANDLE_VALUE and CloseHandle it. */
CreateFile("C:\\Windows\\System32\\ActionQueue.dll", GENERIC_READ, FILE_SHARE_READ | FILE_SHARE_WRITE, NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
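/*
 * Turn WOW64 file-system redirection off (bEnable == FALSE) or back on
 * (bEnable == TRUE) for the *calling thread*.
 *
 * The Wow64*FsRedirection exports exist only on 64-bit Windows, so they are
 * resolved at run time rather than linked statically; when they cannot be
 * found (32-bit OS) the function returns FALSE and changes nothing.
 *
 * Returns the BOOL result of the underlying Wow64 call, or FALSE when the
 * exports are unavailable.
 *
 * NOTE(review): the saved redirection state is kept in a single function-level
 * static, while Windows tracks that state per thread and the API is meant to
 * be used as nested Disable/Revert pairs. Calling this from several threads,
 * or disabling twice before reverting, overwrites the saved value. Keep the
 * disabled window as short as possible and do not load DLLs while
 * redirection is off.
 */
BOOL EnableX64FileRedirect(BOOL bEnable)
{
    typedef BOOL (__stdcall *Fun_Wow64DisableWow64FsRedirection)(PVOID*);
    typedef BOOL (__stdcall *Fun_Wow64RevertWow64FsRedirection)(PVOID);
    static Fun_Wow64DisableWow64FsRedirection _Wow64DisableWow64FsRedirection = NULL;
    static Fun_Wow64RevertWow64FsRedirection _Wow64RevertWow64FsRedirection = NULL;
    static PVOID s_pOldVal = NULL;

    if (_Wow64DisableWow64FsRedirection == NULL || _Wow64RevertWow64FsRedirection == NULL)
    {
        /* kernel32 is already mapped into every Win32 process, so
         * GetModuleHandle suffices: no new load, no reference count to leak,
         * and no DLL search path involved. The handle is checked before use;
         * the original passed an unchecked LoadLibrary result straight into
         * GetProcAddress. */
        HMODULE hKernel32 = GetModuleHandle(_T("Kernel32.dll"));
        if (hKernel32 == NULL)
            return FALSE;
        _Wow64DisableWow64FsRedirection = (Fun_Wow64DisableWow64FsRedirection) GetProcAddress(hKernel32, "Wow64DisableWow64FsRedirection");
        _Wow64RevertWow64FsRedirection = (Fun_Wow64RevertWow64FsRedirection) GetProcAddress(hKernel32, "Wow64RevertWow64FsRedirection");
    }
    if (_Wow64DisableWow64FsRedirection == NULL || _Wow64RevertWow64FsRedirection == NULL)
        return FALSE;

    if (bEnable)
    {
        /* Wow64RevertWow64FsRedirection takes, BY VALUE, the value that the
         * Disable call stored. The original passed &s_pOldVal (the address of
         * the static), which hands Revert a non-NULL garbage value instead of
         * the saved state and so does not restore redirection. */
        return _Wow64RevertWow64FsRedirection(s_pOldVal);
    }
    return _Wow64DisableWow64FsRedirection(&s_pOldVal);
}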
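/*
 * Demo: disable WOW64 redirection for the main thread, then
 *  1) open a file under System32 by path with CreateFile, and
 *  2) show the common open-file dialog pointed at System32,
 * to compare which directory each of them actually reaches.
 */
int main()
{
    if (!EnableX64FileRedirect(FALSE))
        return 0;

    /* Test 1: a direct Win32 path lookup on this thread. */
    HANDLE hFile = ::CreateFile(_T("C:\\Windows\\System32\\ActionQueue.dll"), GENERIC_READ,
        FILE_SHARE_READ | FILE_SHARE_WRITE, NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
    if (hFile != INVALID_HANDLE_VALUE)
        ::CloseHandle(hFile);   /* the original leaked this handle */

    /* Test 2: the common dialog. OPENFILENAME (not OPENFILENAMEA) so that the
     * structure matches the TCHAR buffer and the GetOpenFileName macro in
     * both ANSI and UNICODE builds; sizeof(ofn) keeps the two sizes in step. */
    TCHAR strFile[MAX_PATH];
    OPENFILENAME ofn;
    ZeroMemory(&ofn, sizeof(ofn));
    ofn.lStructSize = sizeof(ofn);
    ofn.lpstrFile = strFile;
    ofn.nMaxFile = MAX_PATH;
    ofn.lpstrInitialDir = _T("C:\\Windows\\System32");
    ofn.lpstrFile[0] = _T('\0');
    ofn.Flags = OFN_PATHMUSTEXIST | OFN_FILEMUSTEXIST | OFN_FORCESHOWHIDDEN;
    GetOpenFileName(&ofn);

    /* Redirection was disabled for this thread above; pair the Disable with
     * a Revert so nothing run afterwards on this thread is affected. */
    EnableX64FileRedirect(TRUE);
    return 1;
}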
发现现在 CreateFile 成功了，说明调用 CreateFile 时重定向已经关闭；但「打开文件」对话框仍然定位到了 SysWOW64 文件夹。这很可能是因为 Wow64DisableWow64FsRedirection 只影响调用它的线程，而对话框对目录的访问发生在其他线程上。
/* Excerpt of the export lookup inside EnableX64FileRedirect. hinstLib is not
 * checked for NULL before it is handed to GetProcAddress; and because
 * kernel32 is already loaded in every process, GetModuleHandle would do the
 * same job without taking an extra reference or involving the DLL search
 * path. */
HINSTANCE hinstLib;
hinstLib = LoadLibrary(_T("Kernel32.dll"));
_Wow64DisableWow64FsRedirection = (Fun_Wow64DisableWow64FsRedirection) GetProcAddress(hinstLib, "Wow64DisableWow64FsRedirection");
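/*
 * NSys variant of EnableX64FileRedirect, same contract as the free function:
 * disable WOW64 file-system redirection for the calling thread when bEnable is
 * FALSE, restore it when TRUE, and return FALSE without changing anything if
 * the Wow64 exports cannot be resolved (32-bit OS). The exports are looked up
 * through the project's NSys::GetDllProcAdders helper.
 *
 * Returns the BOOL result of the underlying Wow64 call, or FALSE when the
 * exports are unavailable.
 *
 * NOTE(review): the saved state lives in one static although Windows tracks
 * it per thread and expects nested Disable/Revert pairs; concurrent or nested
 * use overwrites it. Keep the disabled window short and load no DLLs inside it.
 */
BOOL NSys::EnableX64FileRedirect(BOOL bEnable)
{
    typedef BOOL (__stdcall *Fun_Wow64DisableWow64FsRedirection)(PVOID*);
    typedef BOOL (__stdcall *Fun_Wow64RevertWow64FsRedirection)(PVOID);
    static Fun_Wow64DisableWow64FsRedirection _Wow64DisableWow64FsRedirection = NULL;
    static Fun_Wow64RevertWow64FsRedirection _Wow64RevertWow64FsRedirection = NULL;
    static PVOID s_pOldVal = NULL;

    if (_Wow64DisableWow64FsRedirection == NULL || _Wow64RevertWow64FsRedirection == NULL)
    {
        _Wow64DisableWow64FsRedirection = (Fun_Wow64DisableWow64FsRedirection)NSys::GetDllProcAdders("Kernel32.dll", "Wow64DisableWow64FsRedirection");
        _Wow64RevertWow64FsRedirection = (Fun_Wow64RevertWow64FsRedirection)NSys::GetDllProcAdders("Kernel32.dll", "Wow64RevertWow64FsRedirection");
    }
    if (_Wow64DisableWow64FsRedirection == NULL || _Wow64RevertWow64FsRedirection == NULL)
        return FALSE;

    if (bEnable)
    {
        /* Wow64RevertWow64FsRedirection takes, BY VALUE, the value that the
         * Disable call stored. The original passed &s_pOldVal, the address of
         * the static, which is a non-NULL garbage value and does not restore
         * the saved state. */
        return _Wow64RevertWow64FsRedirection(s_pOldVal);
    }
    return _Wow64DisableWow64FsRedirection(&s_pOldVal);
}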
/* Forward declaration; the loader invokes this at process/thread attach and
 * detach (the body defined further down acts only on the attach reasons). */
void NTAPI tls_callback(PVOID h, DWORD reason, PVOID pv);
/* Hand-built static TLS directory so that this EXE gets a TLS callback without
 * relying on the CRT's tlssup.obj. The /INCLUDE keeps the symbol __tls_used
 * alive; it is the symbol the MSVC linker reads to emit the PE TLS directory,
 * so its name (reserved-looking leading underscore included) must stay as is.
 * NOTE(review): the callback is registered twice. p_thread_callback is placed
 * in .CRT$XLB (the slot the CRT's tlssup.obj would collect), but the directory
 * built below points at tls_callbacktbl, so p_thread_callback appears unused
 * here; and if the CRT's own _tls_used were ever linked in, the definition
 * below would clash with it. */
#pragma data_seg(".tls")
#pragma comment(linker, "/INCLUDE:__tls_used")
#pragma data_seg(".CRT$XLB")
PIMAGE_TLS_CALLBACK p_thread_callback[] = {tls_callback,0};
/* ".rdata$T" is selected and immediately reset by the empty data_seg(), so
 * everything from here on lands in the default data section, not .rdata$T. */
#pragma data_seg(".rdata$T")
#pragma data_seg()
DWORD _tls_index=0;
DWORD _tls_start=0;
DWORD _tls_end=0;
PIMAGE_TLS_CALLBACK tls_callbacktbl[] = {tls_callback,0};
/* IMAGE_TLS_DIRECTORY32 with DWORD-sized pointers: valid only in a 32-bit
 * image, which is also the only case in which WOW64 redirection applies. */
IMAGE_TLS_DIRECTORY32 _tls_used=
{
(DWORD)&_tls_start,
(DWORD)&_tls_end,
(DWORD)&_tls_index,
(DWORD)tls_callbacktbl,
0,
0
};
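/*
 * Turn WOW64 file-system redirection off (bEnable == FALSE) or back on
 * (bEnable == TRUE) for the *calling thread*.
 *
 * The Wow64*FsRedirection exports exist only on 64-bit Windows, so they are
 * resolved at run time; when they cannot be found (32-bit OS) the function
 * returns FALSE and changes nothing.
 *
 * Returns the BOOL result of the underlying Wow64 call, or FALSE when the
 * exports are unavailable.
 *
 * In this listing the function is also called from tls_callback, i.e. under
 * the loader lock, where LoadLibrary is not permitted; kernel32 is therefore
 * located with GetModuleHandle, which takes no reference and loads nothing.
 *
 * NOTE(review): the saved redirection state is one function-level static
 * shared by all threads, while Windows tracks it per thread and expects nested
 * Disable/Revert pairs; concurrent or nested use overwrites it. Keep the
 * disabled window short and do not load DLLs while redirection is off.
 */
BOOL EnableX64FileRedirect(BOOL bEnable)
{
    typedef BOOL (__stdcall *Fun_Wow64DisableWow64FsRedirection)(PVOID*);
    typedef BOOL (__stdcall *Fun_Wow64RevertWow64FsRedirection)(PVOID);
    static Fun_Wow64DisableWow64FsRedirection _Wow64DisableWow64FsRedirection = NULL;
    static Fun_Wow64RevertWow64FsRedirection _Wow64RevertWow64FsRedirection = NULL;
    static PVOID s_pOldVal = NULL;

    if (_Wow64DisableWow64FsRedirection == NULL || _Wow64RevertWow64FsRedirection == NULL)
    {
        /* Checked before use; the original fed an unchecked LoadLibrary result
         * to GetProcAddress. */
        HMODULE hKernel32 = GetModuleHandle(_T("Kernel32.dll"));
        if (hKernel32 == NULL)
            return FALSE;
        _Wow64DisableWow64FsRedirection = (Fun_Wow64DisableWow64FsRedirection) GetProcAddress(hKernel32, "Wow64DisableWow64FsRedirection");
        _Wow64RevertWow64FsRedirection = (Fun_Wow64RevertWow64FsRedirection) GetProcAddress(hKernel32, "Wow64RevertWow64FsRedirection");
    }
    if (_Wow64DisableWow64FsRedirection == NULL || _Wow64RevertWow64FsRedirection == NULL)
        return FALSE;

    if (bEnable)
    {
        /* Wow64RevertWow64FsRedirection takes, BY VALUE, the value that the
         * Disable call stored. The original passed &s_pOldVal (the address of
         * the static), a non-NULL garbage value that does not restore the
         * saved state. */
        return _Wow64RevertWow64FsRedirection(s_pOldVal);
    }
    return _Wow64DisableWow64FsRedirection(&s_pOldVal);
}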
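/*
 * Static TLS callback, run by the loader for the main thread at process start
 * and for every thread created afterwards (and again at detach, which this
 * body ignores). It switches WOW64 redirection off for each thread, so that
 * threads the program does not create itself — presumably the ones the
 * common dialog browses on, see the discussion above — also see the real
 * System32.
 *
 * NOTE(review): this runs under the loader lock, so it must not load DLLs or
 * wait on other threads; the disabled state is never reverted; and it is
 * imposed on threads that may not expect it (the author's own remark after
 * the listing). The return value of EnableX64FileRedirect is deliberately
 * ignored: on a 32-bit OS there is nothing to disable.
 */
void NTAPI tls_callback(PVOID h, DWORD reason, PVOID pv)
{
    (void)h;
    (void)pv;
    if (reason == DLL_PROCESS_ATTACH || reason == DLL_THREAD_ATTACH)
    {
        EnableX64FileRedirect(FALSE);
    }
}   /* the original's stray ';' after the body was dropped: it is not valid C and useless in C++ */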
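/*
 * Demo: with redirection already disabled for every thread by tls_callback,
 * show the common open-file dialog pointed at System32 and see which
 * directory it actually opens.
 */
int main()
{
    /* OPENFILENAME (not OPENFILENAMEA) so the structure matches the TCHAR
     * buffer and the GetOpenFileName macro in both ANSI and UNICODE builds;
     * sizeof(ofn) keeps the zeroed size and lStructSize in step. */
    TCHAR strFile[MAX_PATH];
    OPENFILENAME ofn;
    ZeroMemory(&ofn, sizeof(ofn));
    ofn.lStructSize = sizeof(ofn);
    ofn.lpstrFile = strFile;
    ofn.nMaxFile = MAX_PATH;
    ofn.lpstrInitialDir = _T("C:\\Windows\\System32");
    ofn.lpstrFile[0] = _T('\0');
    ofn.Flags = OFN_PATHMUSTEXIST | OFN_FILEMUSTEXIST;
    GetOpenFileName(&ofn);
    return 1;
}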
上面的代码会在每个线程启动时关闭重定向，可能导致一些本不需要关闭重定向的线程因此出错；这些地方可以再具体优化，比如用一个变量控制是否执行 EnableX64FileRedirect 函数。另外，按微软文档的建议，Disable/Revert 应当成对、紧贴需要的文件操作调用，并且在重定向关闭期间不要加载 DLL。