H
hgkhghj
Guest
I have the following code that works fine on Windows 32, already when tested on Windows 64 the text (the path of file) comes missing somes bytes, example:
\Program Files\Folder Software\Subfolder\123456.dll > Windows 32 OK
rogram Files\Folder Software\Subfolder\123456.dll > Windows 64 comes missing some first bytes
this is a bug of ZwQueryInformationFile() on Win64 or there is something wrong with the following code that i'm not seeing? Thanks in advance.
#include <ntifs.h>
#include <ntddk.h>
#include <windef.h>
NTSYSAPI NTSTATUS NTAPI ZwQueryInformationFile(IN HANDLE FileHandle, OUT PIO_STATUS_BLOCK IoStatusBlock, OUT PVOID FileInformation, IN ULONG Length, IN FILE_INFORMATION_CLASS FileInformationClass);
HANDLE GetFileHandle(IN PCWSTR FileName, IN ACCESS_MASK DesiredAccess, IN ULONG ShareAccess)
{
NTSTATUS ntStatus;
UNICODE_STRING uniFileName;
OBJECT_ATTRIBUTES objectAttributes;
HANDLE ntFileHandle;
IO_STATUS_BLOCK ioStatus;
if (KeGetCurrentIrql() > PASSIVE_LEVEL)
{
DbgPrint("KeGetCurrentIrql() > PASSIVE_LEVEL \n");
return 0;
}
RtlInitUnicodeString(&uniFileName, FileName);
InitializeObjectAttributes(&objectAttributes, &uniFileName, OBJ_KERNEL_HANDLE | OBJ_CASE_INSENSITIVE, NULL, NULL);
ntStatus = IoCreateFile(&ntFileHandle, DesiredAccess, &objectAttributes, &ioStatus, 0, FILE_ATTRIBUTE_NORMAL, ShareAccess, FILE_OPEN, 0, NULL, 0, 0, NULL, IO_NO_PARAMETER_CHECKING);
if (!NT_SUCCESS(ntStatus))
{
DbgPrint("IoCreateFile() error - 0x%X \n", ntStatus);
return 0;
}
return ntFileHandle;
}
void test()
{
POBJECT_NAME_INFORMATION pfni;
IO_STATUS_BLOCK IoStatus = { 0 };
NTSTATUS status;
HANDLE hFileHandle;
SIZE_T allocSize;
hFileHandle = GetFileHandle(L"\\??\\C:\\Program Files\\Folder Software\\Subfolder\\123456.dll", FILE_READ_ATTRIBUTES, FILE_SHARE_DELETE);
if (hFileHandle != NULL)
{
allocSize = sizeof(OBJECT_NAME_INFORMATION) + MAX_PATH * sizeof(WCHAR);
pfni = (POBJECT_NAME_INFORMATION)(ExAllocatePool(NonPagedPool, allocSize));
if (pfni != NULL)
{
RtlZeroMemory(pfni, allocSize);
status = ZwQueryInformationFile(hFileHandle, &IoStatus, pfni, allocSize, FileNameInformation);
if (!NT_SUCCESS(status))
DbgPrint("ZwQueryInformationFile() error - 0x%X \n", status);
else
DbgPrint("Filename: %ws \n", &pfni->Name.Buffer);
ExFreePool(pfni);
}
}
}
Continue reading...
\Program Files\Folder Software\Subfolder\123456.dll > Windows 32 OK
rogram Files\Folder Software\Subfolder\123456.dll > Windows 64 comes missing some first bytes
this is a bug of ZwQueryInformationFile() on Win64 or there is something wrong with the following code that i'm not seeing? Thanks in advance.
#include <ntifs.h>
#include <ntddk.h>
#include <windef.h>
NTSYSAPI NTSTATUS NTAPI ZwQueryInformationFile(IN HANDLE FileHandle, OUT PIO_STATUS_BLOCK IoStatusBlock, OUT PVOID FileInformation, IN ULONG Length, IN FILE_INFORMATION_CLASS FileInformationClass);
HANDLE GetFileHandle(IN PCWSTR FileName, IN ACCESS_MASK DesiredAccess, IN ULONG ShareAccess)
{
NTSTATUS ntStatus;
UNICODE_STRING uniFileName;
OBJECT_ATTRIBUTES objectAttributes;
HANDLE ntFileHandle;
IO_STATUS_BLOCK ioStatus;
if (KeGetCurrentIrql() > PASSIVE_LEVEL)
{
DbgPrint("KeGetCurrentIrql() > PASSIVE_LEVEL \n");
return 0;
}
RtlInitUnicodeString(&uniFileName, FileName);
InitializeObjectAttributes(&objectAttributes, &uniFileName, OBJ_KERNEL_HANDLE | OBJ_CASE_INSENSITIVE, NULL, NULL);
ntStatus = IoCreateFile(&ntFileHandle, DesiredAccess, &objectAttributes, &ioStatus, 0, FILE_ATTRIBUTE_NORMAL, ShareAccess, FILE_OPEN, 0, NULL, 0, 0, NULL, IO_NO_PARAMETER_CHECKING);
if (!NT_SUCCESS(ntStatus))
{
DbgPrint("IoCreateFile() error - 0x%X \n", ntStatus);
return 0;
}
return ntFileHandle;
}
void test()
{
POBJECT_NAME_INFORMATION pfni;
IO_STATUS_BLOCK IoStatus = { 0 };
NTSTATUS status;
HANDLE hFileHandle;
SIZE_T allocSize;
hFileHandle = GetFileHandle(L"\\??\\C:\\Program Files\\Folder Software\\Subfolder\\123456.dll", FILE_READ_ATTRIBUTES, FILE_SHARE_DELETE);
if (hFileHandle != NULL)
{
allocSize = sizeof(OBJECT_NAME_INFORMATION) + MAX_PATH * sizeof(WCHAR);
pfni = (POBJECT_NAME_INFORMATION)(ExAllocatePool(NonPagedPool, allocSize));
if (pfni != NULL)
{
RtlZeroMemory(pfni, allocSize);
status = ZwQueryInformationFile(hFileHandle, &IoStatus, pfni, allocSize, FileNameInformation);
if (!NT_SUCCESS(status))
DbgPrint("ZwQueryInformationFile() error - 0x%X \n", status);
else
DbgPrint("Filename: %ws \n", &pfni->Name.Buffer);
ExFreePool(pfni);
}
}
}
Continue reading...