9,506
社区成员
发帖
与我相关
我的任务
分享ZwCreateFile和ZwOpenFile
我写了段小程序,Hook了ZwCreateFile和ZwOpenFile,里面添加了一条语句:
DbgPrint("ZwCreateFile ACCESS_DENIED ObjectAttributes->ObjectName=%ws",ObjectAttributes->ObjectName->Buffer);
然后我装载了这个驱动,查看它的输出,发现输出了很多东西,我不明白为什么一直在调用ZwCreateFile和ZwOpenFile,消息如下:
##########################################################################
Monitor Reader thread started
Monitor Remote reader thread started
51.828 Default ZwOpenFile ObjectAttributes->ObjectName=\Device\{76A16408-6D24-418A-86DF-A272F0C46E18}ZwCreateFile ACCESS_DENIED ObjectAttributes->ObjectName=\Device\Tcp6ZwCreateFile ACCESS_DENIED ObjectAttributes->ObjectName=\Device\Tcp6ZwCreateFile ACCESS_DENIED ObjectAttributes->ObjectName=\Device\Tcp6ZwCreateFile ACCESS_DENIED ObjectAttributes->ObjectName=\Device\Tcp6ZwCreateFile ACCESS_DENIED ObjectAttributes->ObjectName=\Device\Tcp6
51.828 Default ZwCreateFile ACCESS_DENIED ObjectAttributes->ObjectName=\Device\NetBT_Tcpip_{76A16408-6D24-418A-86DF-A272F0C46E18}ZwCreateFile ACCESS_DENIED ObjectAttributes->ObjectName=\Device\Tcp6ZwCreateFile ACCESS_DENIED ObjectAttributes->ObjectName=\Device\Tcp6ZwCreateFile ACCESS_DENIED ObjectAttributes->ObjectName=\Device\Tcp6ZwCreateFile ACCESS_DENIED ObjectAttributes->ObjectName=\Device\Tcp6ZwCreateFile ACCESS_DENIED ObjectAttributes->ObjectName=\Device\Tcp6
51.828 Default ZwCreateFile ACCESS_DENIED ObjectAttributes->ObjectName=\Device\NetBT_Tcpip_{76A16408-6D24-418A-86DF-A272F0C46E18}
52.750 Default ZwOpenFile ObjectAttributes->ObjectName=\??\C:\Program Files\VMware\VMware Tools\VMwareTray.exeZwCreateFile ACCESS_DENIED ObjectAttributes->ObjectName=\Device\Tcp6ZwCreateFile ACCESS_DENIED ObjectAttributes->ObjectName=\Device\Tcp6ZwOpenFile ObjectAttributes->ObjectName=\??\C:\WINDOWS\system32\Msimtf.dllZwOpenFile ObjectAttributes->ObjectName=\??\C:\WINDOWS\system32\Msimtf.dllZwOpenFile ObjectAttributes->ObjectName=\??\C:\WINDOWS\system32\Msimtf.dll
52.766 Default ZwOpenFile ObjectAttributes->ObjectName=\??\C:\WINDOWS\system32\Msimtf.dllZwCreateFile ACCESS_DENIED ObjectAttributes->ObjectName=\Device\Tcp6
52.781 Default ZwCreateFile ACCESS_DENIED ObjectAttributes->ObjectName=\Device\Tcp6ZwCreateFile ACCESS_DENIED ObjectAttributes->ObjectName=\Device\Tcp6ZwCreateFile ACCESS_DENIED ObjectAttributes->ObjectName=\Device\Tcp6ZwCreateFile ACCESS_DENIED ObjectAttributes->ObjectName=\??\C:\Program Files\VVSN\vvsn.cfgZwCreateFile ACCESS_DENIED ObjectAttributes->ObjectName=\??\C:\Program Files\VVSN\vvsn.cfgZwCreateFile ACCESS_DENIED ObjectAttributes->ObjectName=\??\C:\Program Files\VVSN\vvsn.cfg
52.781 Default ZwCreateFile ACCESS_DENIED ObjectAttributes->ObjectName=\??\C:\Program Files\VVSN\vvsn.cfg
52.828 Default ZwOpenFile ObjectAttributes->ObjectName=\Device\{76A16408-6D24-418A-86DF-A272F0C46E18}ZwOpenFile ObjectAttributes->ObjectName=\??\C:\Documents and Settings\All Users\Application Data\VMware\VMware Tools\tools.confZwCreateFile ACCESS_DENIED ObjectAttributes->ObjectName=\Device\Tcp6ZwCreateFile ACCESS_DENIED ObjectAttributes->ObjectName=\Device\Tcp6ZwCreateFile ACCESS_DENIED ObjectAttributes->ObjectName=\Device\Tcp6ZwCreateFile ACCESS_DENIED ObjectAttributes->ObjectName=\Device\Tcp6
52.828 Default ZwCreateFile ACCESS_DENIED ObjectAttributes->ObjectName=\Device\Tcp6ZwCreateFile ACCESS_DENIED ObjectAttributes->ObjectName=\Device\NetBT_Tcpip_{76A16408-6D24-418A-86DF-A272F0C46E18}ZwCreateFile ACCESS_DENIED ObjectAttributes->ObjectName=\Device\Tcp6ZwCreateFile ACCESS_DENIED ObjectAttributes->ObjectName=\Device\Tcp6ZwCreateFile ACCESS_DENIED ObjectAttributes->ObjectName=\Device\Tcp6ZwCreateFile ACCESS_DENIED ObjectAttributes->ObjectName=\Device\Tcp6
52.828 Default ZwCreateFile ACCESS_DENIED ObjectAttributes->ObjectName=\Device\Tcp6ZwCreateFile ACCESS_DENIED ObjectAttributes->ObjectName=\Device\NetBT_Tcpip_{76A16408-6D24-418A-86DF-A272F0C46E18}
52.875 Default ZwOpenFile ObjectAttributes->ObjectName=\??\C:\Documents and Settings\All Users\Application Data\VMware\VMware Tools\tools.conf
53.828 Default ZwOpenFile ObjectAttributes->ObjectName=\Device\{76A16408-6D24-418A-86DF-A272F0C46E18}ZwCreateFile ACCESS_DENIED ObjectAttributes->ObjectName=\Device\Tcp6ZwCreateFile ACCESS_DENIED ObjectAttributes->ObjectName=\Device\Tcp6ZwCreateFile ACCESS_DENIED ObjectAttributes->ObjectName=\Device\Tcp6ZwCreateFile ACCESS_DENIED ObjectAttributes->ObjectName=\Device\Tcp6ZwCreateFile ACCESS_DENIED ObjectAttributes->ObjectName=\Device\Tcp6
53.828 Default ZwCreateFile ACCESS_DENIED ObjectAttributes->ObjectName=\Device\NetBT_Tcpip_{76A16408-6D24-418A-86DF-A272F0C46E18}ZwCreateFile ACCESS_DENIED ObjectAttributes->ObjectName=\Device\Tcp6ZwCreateFile ACCESS_DENIED ObjectAttributes->ObjectName=\Device\Tcp6ZwCreateFile ACCESS_DENIED ObjectAttributes->ObjectName=\Device\Tcp6ZwCreateFile ACCESS_DENIED ObjectAttributes->ObjectName=\Device\Tcp6ZwCreateFile ACCESS_DENIED ObjectAttributes->ObjectName=\Device\Tcp6
53.828 Default ZwCreateFile ACCESS_DENIED ObjectAttributes->ObjectName=\Device\NetBT_Tcpip_{76A16408-6D24-418A-86DF-A272F0C46E18}
################################################################################
希望牛人能帮帮我,谢谢!
DbgPrint("ZwCreateFile ACCESS_DENIED ObjectAttributes->ObjectName=%ws",ObjectAttributes->ObjectName->Buffer);
然后我装载了这个驱动,查看它的输出,发现输出了很多东西,我不明白为什么一直在调用ZwCreateFile和ZwOpenFile,消息如下:
##########################################################################
Monitor Reader thread started
Monitor Remote reader thread started
51.828 Default ZwOpenFile ObjectAttributes->ObjectName=\Device\{76A16408-6D24-418A-86DF-A272F0C46E18}ZwCreateFile ACCESS_DENIED ObjectAttributes->ObjectName=\Device\Tcp6ZwCreateFile ACCESS_DENIED ObjectAttributes->ObjectName=\Device\Tcp6ZwCreateFile ACCESS_DENIED ObjectAttributes->ObjectName=\Device\Tcp6ZwCreateFile ACCESS_DENIED ObjectAttributes->ObjectName=\Device\Tcp6ZwCreateFile ACCESS_DENIED ObjectAttributes->ObjectName=\Device\Tcp6
51.828 Default ZwCreateFile ACCESS_DENIED ObjectAttributes->ObjectName=\Device\NetBT_Tcpip_{76A16408-6D24-418A-86DF-A272F0C46E18}ZwCreateFile ACCESS_DENIED ObjectAttributes->ObjectName=\Device\Tcp6ZwCreateFile ACCESS_DENIED ObjectAttributes->ObjectName=\Device\Tcp6ZwCreateFile ACCESS_DENIED ObjectAttributes->ObjectName=\Device\Tcp6ZwCreateFile ACCESS_DENIED ObjectAttributes->ObjectName=\Device\Tcp6ZwCreateFile ACCESS_DENIED ObjectAttributes->ObjectName=\Device\Tcp6
51.828 Default ZwCreateFile ACCESS_DENIED ObjectAttributes->ObjectName=\Device\NetBT_Tcpip_{76A16408-6D24-418A-86DF-A272F0C46E18}
52.750 Default ZwOpenFile ObjectAttributes->ObjectName=\??\C:\Program Files\VMware\VMware Tools\VMwareTray.exeZwCreateFile ACCESS_DENIED ObjectAttributes->ObjectName=\Device\Tcp6ZwCreateFile ACCESS_DENIED ObjectAttributes->ObjectName=\Device\Tcp6ZwOpenFile ObjectAttributes->ObjectName=\??\C:\WINDOWS\system32\Msimtf.dllZwOpenFile ObjectAttributes->ObjectName=\??\C:\WINDOWS\system32\Msimtf.dllZwOpenFile ObjectAttributes->ObjectName=\??\C:\WINDOWS\system32\Msimtf.dll
52.766 Default ZwOpenFile ObjectAttributes->ObjectName=\??\C:\WINDOWS\system32\Msimtf.dllZwCreateFile ACCESS_DENIED ObjectAttributes->ObjectName=\Device\Tcp6
52.781 Default ZwCreateFile ACCESS_DENIED ObjectAttributes->ObjectName=\Device\Tcp6ZwCreateFile ACCESS_DENIED ObjectAttributes->ObjectName=\Device\Tcp6ZwCreateFile ACCESS_DENIED ObjectAttributes->ObjectName=\Device\Tcp6ZwCreateFile ACCESS_DENIED ObjectAttributes->ObjectName=\??\C:\Program Files\VVSN\vvsn.cfgZwCreateFile ACCESS_DENIED ObjectAttributes->ObjectName=\??\C:\Program Files\VVSN\vvsn.cfgZwCreateFile ACCESS_DENIED ObjectAttributes->ObjectName=\??\C:\Program Files\VVSN\vvsn.cfg
52.781 Default ZwCreateFile ACCESS_DENIED ObjectAttributes->ObjectName=\??\C:\Program Files\VVSN\vvsn.cfg
52.828 Default ZwOpenFile ObjectAttributes->ObjectName=\Device\{76A16408-6D24-418A-86DF-A272F0C46E18}ZwOpenFile ObjectAttributes->ObjectName=\??\C:\Documents and Settings\All Users\Application Data\VMware\VMware Tools\tools.confZwCreateFile ACCESS_DENIED ObjectAttributes->ObjectName=\Device\Tcp6ZwCreateFile ACCESS_DENIED ObjectAttributes->ObjectName=\Device\Tcp6ZwCreateFile ACCESS_DENIED ObjectAttributes->ObjectName=\Device\Tcp6ZwCreateFile ACCESS_DENIED ObjectAttributes->ObjectName=\Device\Tcp6
52.828 Default ZwCreateFile ACCESS_DENIED ObjectAttributes->ObjectName=\Device\Tcp6ZwCreateFile ACCESS_DENIED ObjectAttributes->ObjectName=\Device\NetBT_Tcpip_{76A16408-6D24-418A-86DF-A272F0C46E18}ZwCreateFile ACCESS_DENIED ObjectAttributes->ObjectName=\Device\Tcp6ZwCreateFile ACCESS_DENIED ObjectAttributes->ObjectName=\Device\Tcp6ZwCreateFile ACCESS_DENIED ObjectAttributes->ObjectName=\Device\Tcp6ZwCreateFile ACCESS_DENIED ObjectAttributes->ObjectName=\Device\Tcp6
52.828 Default ZwCreateFile ACCESS_DENIED ObjectAttributes->ObjectName=\Device\Tcp6ZwCreateFile ACCESS_DENIED ObjectAttributes->ObjectName=\Device\NetBT_Tcpip_{76A16408-6D24-418A-86DF-A272F0C46E18}
52.875 Default ZwOpenFile ObjectAttributes->ObjectName=\??\C:\Documents and Settings\All Users\Application Data\VMware\VMware Tools\tools.conf
53.828 Default ZwOpenFile ObjectAttributes->ObjectName=\Device\{76A16408-6D24-418A-86DF-A272F0C46E18}ZwCreateFile ACCESS_DENIED ObjectAttributes->ObjectName=\Device\Tcp6ZwCreateFile ACCESS_DENIED ObjectAttributes->ObjectName=\Device\Tcp6ZwCreateFile ACCESS_DENIED ObjectAttributes->ObjectName=\Device\Tcp6ZwCreateFile ACCESS_DENIED ObjectAttributes->ObjectName=\Device\Tcp6ZwCreateFile ACCESS_DENIED ObjectAttributes->ObjectName=\Device\Tcp6
53.828 Default ZwCreateFile ACCESS_DENIED ObjectAttributes->ObjectName=\Device\NetBT_Tcpip_{76A16408-6D24-418A-86DF-A272F0C46E18}ZwCreateFile ACCESS_DENIED ObjectAttributes->ObjectName=\Device\Tcp6ZwCreateFile ACCESS_DENIED ObjectAttributes->ObjectName=\Device\Tcp6ZwCreateFile ACCESS_DENIED ObjectAttributes->ObjectName=\Device\Tcp6ZwCreateFile ACCESS_DENIED ObjectAttributes->ObjectName=\Device\Tcp6ZwCreateFile ACCESS_DENIED ObjectAttributes->ObjectName=\Device\Tcp6
53.828 Default ZwCreateFile ACCESS_DENIED ObjectAttributes->ObjectName=\Device\NetBT_Tcpip_{76A16408-6D24-418A-86DF-A272F0C46E18}
################################################################################
希望牛人能帮帮我,谢谢!
...全文
请发表友善的回复…
发表回复
yvqvan 2010-04-13
- 打赏
- 举报
111
chenhao1988 2009-07-08
- 打赏
- 举报
[Quote=引用 9 楼 kongruojun 的回复:]
OpenFile不单单是打开文件的用处,还可以用来打开驱动中的设备对象,\Device\XXX这种类型的就是打开设备对象,内核对驱动的调用.我是这么理解的.
[/Quote]
恩,应该是这样的,好多操作都是通过OpenFile的。
OpenFile不单单是打开文件的用处,还可以用来打开驱动中的设备对象,\Device\XXX这种类型的就是打开设备对象,内核对驱动的调用.我是这么理解的.
[/Quote]
恩,应该是这样的,好多操作都是通过OpenFile的。
kongruojun 2009-07-02
- 打赏
- 举报
OpenFile不单单是打开文件的用处,还可以用来打开驱动中的设备对象,\Device\XXX这种类型的就是打开设备对象,内核对驱动的调用.我是这么理解的.
chenhao1988 2009-06-15
- 打赏
- 举报
没有人。。。
chenhao1988 2009-05-19
- 打赏
- 举报
谁能给我解释啊~~~~~~~~~~~~等待!!!
oyljerry 2009-05-18
- 打赏
- 举报
既然取出全路径了,自己查找一下,应该可以找到...查找 _T("C:\\test")
chenhao1988 2009-05-18
- 打赏
- 举报
[Quote=引用 3 楼 ibican 的回复:]
要取盘符和路径再组合,据我所知还不能一下子把全路径取出来
[/Quote]
当ObjectAttributes->RootDirectory为空时,是可以取到全路径的吧,上文输出的时候不是已经输出了ObjectAttributes->ObjectName=\??\C:\Program Files\VVSN\vvsn.cfg 吗?
要取盘符和路径再组合,据我所知还不能一下子把全路径取出来
[/Quote]
当ObjectAttributes->RootDirectory为空时,是可以取到全路径的吧,上文输出的时候不是已经输出了ObjectAttributes->ObjectName=\??\C:\Program Files\VVSN\vvsn.cfg 吗?
ibican 2009-05-18
- 打赏
- 举报
[Quote=引用 1 楼 chenhao1988 的回复:]
自己顶一下!牛人们,快快来~
另外,我想判断ObjectAttributes->ObjectName中的路径是否包含C:\test,怎么判断,我用wcsstr好像不管用。。。
[/Quote]
要取盘符和路径再组合,据我所知还不能一下子把全路径取出来
自己顶一下!牛人们,快快来~
另外,我想判断ObjectAttributes->ObjectName中的路径是否包含C:\test,怎么判断,我用wcsstr好像不管用。。。
[/Quote]
要取盘符和路径再组合,据我所知还不能一下子把全路径取出来
zhaozhijun0207 2009-05-18
- 打赏
- 举报
不懂这个;
chenhao1988 2009-05-18
- 打赏
- 举报
[Quote=引用 5 楼 oyljerry 的回复:]
既然取出全路径了,自己查找一下,应该可以找到...查找 _T("C:\\test")
[/Quote]
谢谢5楼,现在我已经知道了怎么比较的了,但是谁能给我解释一下为什么会一直在调用ZwOpenFile和ZwCreateFile,那些输出是什么意思?
既然取出全路径了,自己查找一下,应该可以找到...查找 _T("C:\\test")
[/Quote]
谢谢5楼,现在我已经知道了怎么比较的了,但是谁能给我解释一下为什么会一直在调用ZwOpenFile和ZwCreateFile,那些输出是什么意思?
chenhao1988 2009-05-17
- 打赏
- 举报
自己顶一下!牛人们,快快来~
另外,我想判断ObjectAttributes->ObjectName中的路径是否包含C:\test,怎么判断,我用wcsstr好像不管用。。。
另外,我想判断ObjectAttributes->ObjectName中的路径是否包含C:\test,怎么判断,我用wcsstr好像不管用。。。
