I have seen a program that, once its hide-folder function is set, makes the folders impossible to display even after selecting Tools -- Folder Options -- Show all files and folders. How can this problem be solved?
---------------------------------------------------------------
Writing a driver that intercepts an NT API to hide file directories
At present there are many ways to hide files and directories under NT. The simplest is to give files and folders the System and Hidden attributes so that the operating system does not display them; however, this method is not thorough and not really usable. Below we introduce how to use an NT driver to intercept an NT API so that files and directories are hidden completely. NT has a file, NTDLL.dll, in which most NT APIs are encapsulated. The ZwQueryDirectoryFile API is the one used to find files and directories, so intercepting this single API is enough to hide files and directories completely. The steps are as follows (preparation: find a WDM driver model in the NTDDK, that is, the simplest driver):
1. Define structure number 3 of FILE_INFORMATION_CLASS, FILE_BOTH_DIR_INFORMATION, which is a required parameter of ZwQueryDirectoryFile.
2. Declare ZwQueryDirectoryFile, then define a function-pointer type with the same prototype:
    extern NTSYSAPI NTSTATUS NTAPI ZwQueryDirectoryFile(
        IN HANDLE hFile,
        IN HANDLE hEvent OPTIONAL,
        IN PIO_APC_ROUTINE IoApcRoutine OPTIONAL,
        IN PVOID IoApcContext OPTIONAL,
        OUT PIO_STATUS_BLOCK pIoStatusBlock,
        OUT PVOID FileInformationBuffer,
        IN ULONG FileInformationBufferLength,
        IN FILE_INFORMATION_CLASS FileInfoClass,
        IN BOOLEAN bReturnOnlyOneEntry,
        IN PUNICODE_STRING PathMask OPTIONAL,
        IN BOOLEAN bRestartQuery);

    // Define the prototype of ZwQueryDirectoryFile as a function-pointer type
    typedef NTSTATUS (*REALZWQUERYDIRECTORYFILE)(
        IN HANDLE hFile,
        IN HANDLE hEvent OPTIONAL,
        IN PIO_APC_ROUTINE IoApcRoutine OPTIONAL,
        IN PVOID IoApcContext OPTIONAL,
        OUT PIO_STATUS_BLOCK pIoStatusBlock,
        OUT PVOID FileInformationBuffer,
        IN ULONG FileInformationBufferLength,
        IN FILE_INFORMATION_CLASS FileInfoClass,
        IN BOOLEAN bReturnOnlyOneEntry,
        IN PUNICODE_STRING PathMask OPTIONAL,
        IN BOOLEAN bRestartQuery);

    // Define a pointer that will hold the address of the original function
    // (the post named it after ZwQuerySystemInformation; it must match the typedef above)
    REALZWQUERYDIRECTORYFILE RealZwQueryDirectoryFile;
3. Declare the prototype of the replacement API function:
    NTSTATUS HookZwQueryDirectoryFile(
        IN HANDLE hFile,
        IN HANDLE hEvent OPTIONAL,
        IN PIO_APC_ROUTINE IoApcRoutine OPTIONAL,
        IN PVOID IoApcContext OPTIONAL,
        OUT PIO_STATUS_BLOCK pIoStatusBlock,
        OUT PVOID FileInformationBuffer,
        IN ULONG FileInformationBufferLength,
        IN FILE_INFORMATION_CLASS FileInfoClass,
        IN BOOLEAN bReturnOnlyOneEntry,
        IN PUNICODE_STRING PathMask OPTIONAL,
        IN BOOLEAN bRestartQuery);
4. Add the following statement to the DriverEntry function:
    // Save the address of the real ZwQueryDirectoryFile function
6. The preparation is now complete: all the function pointers have been set up and swapped. What remains is to implement the custom replacement function HookZwQueryDirectoryFile. The code is as follows:
    NTSTATUS HookZwQueryDirectoryFile(
        IN HANDLE hFile,
        IN HANDLE hEvent OPTIONAL,
        IN PIO_APC_ROUTINE IoApcRoutine OPTIONAL,
        IN PVOID IoApcContext OPTIONAL,
        OUT PIO_STATUS_BLOCK pIoStatusBlock,
        OUT PVOID FileInformationBuffer,
        IN ULONG FileInformationBufferLength,
        IN FILE_INFORMATION_CLASS FileInfoClass,
        IN BOOLEAN bReturnOnlyOneEntry,
        IN PUNICODE_STRING PathMask OPTIONAL,
        IN BOOLEAN bRestartQuery)
    {
        NTSTATUS rc;
        ULONG cr0Value;
Thank you for your answers, kugou123 (cool dog) and "learn VC every day and add your own".
But I seem to find that the program does not use a driver.
Each time after I select "Show all files" in Folder Options, the next time I open the folder I find that the setting has been changed back to "Do not show hidden files and folders" (and the "Hide protected operating system files" option has been removed).
I suspect there is some hook program monitoring in the background?
-------------------------------------------------------------------------------
All files can be seen from the command line, but they cannot be seen from Explorer. Does anyone know why?
-------------------------------------------------------------------------------
From what the original poster describes, the program in fact uses the API-hooking method and hooks ZwQueryDirectoryFile, the API for listing file directories, in the way described above to protect specific directories: if the directory name is one to be protected, it returns true directly; if not, the original is called normally.
The disadvantage of this method is that it is ineffective against the dir command in cmd, because dir does not call this API; so you can see the protected file directory there, but not in the desktop environment.
-------------------------------------------------------------------------------
Problem solved!
In the registry key hkey_local_ma
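As an added example that is not part of the thread, the PowerShell audit below checks the Explorer folder-option values behind the "setting keeps reverting" symptom described above and can restore them. It assumes (not stated on the page) that the truncated HKLM key in the last reply is Explorer's Folder Options template key `...\Explorer\Advanced\Folder\Hidden\SHOWALL`, whose `CheckedValue` Explorer copies into the per-user `Hidden` value when "Show hidden files and folders" is selected.

```powershell
# Added example (not from the thread): audit Explorer's "show hidden files"
# settings for tampering and optionally repair them.
# Assumption: the HKLM template key below is the key the last reply refers to.
$UserAdvanced    = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced'
$ShowAllTemplate = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL'

function Test-HiddenFileSettings {
    param([switch]$Repair)   # -Repair needs an elevated shell for the HKLM write

    $findings = @()

    # Per-user values: Hidden = 1 shows hidden items (2 hides them);
    # ShowSuperHidden = 1 shows protected operating-system files.
    $adv = Get-ItemProperty -Path $UserAdvanced -ErrorAction SilentlyContinue
    foreach ($name in 'Hidden', 'ShowSuperHidden') {
        $value = $adv.$name
        if ($value -ne 1) {
            $findings += "HKCU $name = '$value' (expected 1)"
            if ($Repair) { Set-ItemProperty -Path $UserAdvanced -Name $name -Value 1 -Type DWord }
        }
    }

    # Machine-wide template: when the user selects "Show hidden files", Explorer
    # copies CheckedValue into HKCU Hidden. If it is not a REG_DWORD 1, every
    # click silently writes a value Explorer treats as "do not show".
    $tpl = Get-Item -Path $ShowAllTemplate -ErrorAction SilentlyContinue
    if ($null -eq $tpl) {
        $findings += 'SHOWALL template key is missing'
    } else {
        $kind  = if ($tpl.GetValueNames() -contains 'CheckedValue') { $tpl.GetValueKind('CheckedValue') } else { 'Missing' }
        $value = $tpl.GetValue('CheckedValue')
        if ("$kind" -ne 'DWord' -or $value -ne 1) {
            $findings += "SHOWALL CheckedValue = '$value' of type $kind (expected REG_DWORD 1)"
            if ($Repair) {
                # Delete first so a wrong value type (e.g. REG_SZ) is replaced, not just reassigned
                Remove-ItemProperty -Path $ShowAllTemplate -Name CheckedValue -ErrorAction SilentlyContinue
                New-ItemProperty -Path $ShowAllTemplate -Name CheckedValue -Value 1 -PropertyType DWord | Out-Null
            }
        }
    }
    return $findings   # empty means nothing would force the setting back
}

$result = Test-HiddenFileSettings
if ($result) { $result | ForEach-Object { "Tampered: $_" } }
else         { 'Explorer hidden-file settings look intact.' }
```

Run it again with `Test-HiddenFileSettings -Repair` from an elevated prompt to restore the values; Explorer picks the change up after the folder view is refreshed.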