Hide the folder (system API blocking)

Source: Internet
Author: User
I have seen some programs that, after their "hide folder" function has been used, leave the folder undisplayable even after selecting Tools -> Folder Options -> Show all files and folders. How can this problem be solved?
---------------------------------------------------------------

Writing a driver that intercepts the NT API to hide files and directories
At present there are many methods to hide files and directories under NT. The simplest one is to add the system and hidden attributes to files and folders so that the operating system does not display them; however, this method is not thorough and is of no practical use! Next we introduce how to use an NT driver to intercept the NT API and completely hide files and directories. NT contains a file NTDLL.dll, and most NT APIs are encapsulated in this library. The ZwQueryDirectoryFile API is used to find files and directories, so you only need to intercept this API to completely hide files and directories! Now implement the following steps (preparation: find a WDM driver template in the NTDDK, that is, the simplest driver):

1. Define structure No. 3 of FILE_INFORMATION_CLASS, _FILE_BOTH_DIR_INFORMATION, which is the information class ZwQueryDirectoryFile is called with by Explorer:

    typedef struct _FILE_BOTH_DIR_INFORMATION {
        ULONG         NextEntryOffset;   // bytes to the next entry, 0 on the last entry in the buffer
        ULONG         FileIndex;
        LARGE_INTEGER CreationTime;
        LARGE_INTEGER LastAccessTime;
        LARGE_INTEGER LastWriteTime;
        LARGE_INTEGER ChangeTime;
        LARGE_INTEGER EndOfFile;
        LARGE_INTEGER AllocationSize;
        ULONG         FileAttributes;
        ULONG         FileNameLength;    // in bytes; FileName is NOT NUL-terminated
        ULONG         EaSize;
        CCHAR         ShortNameLength;
        WCHAR         ShortName[12];
        WCHAR         FileName[1];       // variable length, UTF-16
    } FILE_BOTH_DIR_INFORMATION, *PFILE_BOTH_DIR_INFORMATION;



2. Declare ZwQueryDirectoryFile, then define a function-pointer type with the same prototype:

    extern NTSYSAPI NTSTATUS NTAPI ZwQueryDirectoryFile(
        IN HANDLE hFile,
        IN HANDLE hEvent OPTIONAL,
        IN PIO_APC_ROUTINE IoApcRoutine OPTIONAL,
        IN PVOID IoApcContext OPTIONAL,
        OUT PIO_STATUS_BLOCK pIoStatusBlock,
        OUT PVOID FileInformationBuffer,
        IN ULONG FileInformationBufferLength,
        IN FILE_INFORMATION_CLASS FileInfoClass,
        IN BOOLEAN bReturnOnlyOneEntry,
        IN PUNICODE_STRING PathMask OPTIONAL,
        IN BOOLEAN bRestartQuery);

    // Function-pointer type matching ZwQueryDirectoryFile (NTAPI = __stdcall on x86,
    // which is the convention the system service dispatcher uses)
    typedef NTSTATUS (NTAPI *REALZWQUERYDIRECTORYFILE)(
        IN HANDLE hFile,
        IN HANDLE hEvent OPTIONAL,
        IN PIO_APC_ROUTINE IoApcRoutine OPTIONAL,
        IN PVOID IoApcContext OPTIONAL,
        OUT PIO_STATUS_BLOCK pIoStatusBlock,
        OUT PVOID FileInformationBuffer,
        IN ULONG FileInformationBufferLength,
        IN FILE_INFORMATION_CLASS FileInfoClass,
        IN BOOLEAN bReturnOnlyOneEntry,
        IN PUNICODE_STRING PathMask OPTIONAL,
        IN BOOLEAN bRestartQuery);

    // Holds the original service-table entry while the hook is installed
    REALZWQUERYDIRECTORYFILE RealZwQueryDirectoryFile;

3. Define the prototype of the replacement function:

    // Same signature and calling convention as ZwQueryDirectoryFile
    NTSTATUS NTAPI HookZwQueryDirectoryFile(
        IN HANDLE hFile,
        IN HANDLE hEvent OPTIONAL,
        IN PIO_APC_ROUTINE IoApcRoutine OPTIONAL,
        IN PVOID IoApcContext OPTIONAL,
        OUT PIO_STATUS_BLOCK pIoStatusBlock,
        OUT PVOID FileInformationBuffer,
        IN ULONG FileInformationBufferLength,
        IN FILE_INFORMATION_CLASS FileInfoClass,
        IN BOOLEAN bReturnOnlyOneEntry,
        IN PUNICODE_STRING PathMask OPTIONAL,
        IN BOOLEAN bRestartQuery);

4. Add the following statement to the DriverEntry function:

    // (file scope) KeServiceDescriptorTable is exported by ntoskrnl on x86; SYSTEMSERVICE
    // resolves a Zw* stub to its SSDT slot by reading the service index from the
    // "mov eax, <index>" instruction at the start of the stub
    typedef struct _SERVICE_DESCRIPTOR_ENTRY {
        unsigned int  *ServiceTableBase;
        unsigned int  *ServiceCounterTableBase;
        unsigned int   NumberOfServices;
        unsigned char *ParamTableBase;
    } SERVICE_DESCRIPTOR_ENTRY, *PSERVICE_DESCRIPTOR_ENTRY;
    __declspec(dllimport) SERVICE_DESCRIPTOR_ENTRY KeServiceDescriptorTable;
    #define SYSTEMSERVICE(_function) \
        KeServiceDescriptorTable.ServiceTableBase[*(PULONG)((PUCHAR)(_function) + 1)]

    // (in DriverEntry) Save the real ZwQueryDirectoryFile address
    RealZwQueryDirectoryFile = (REALZWQUERYDIRECTORYFILE)SYSTEMSERVICE(ZwQueryDirectoryFile);

    // Point the service-table slot at the replacement function. The SSDT page is
    // read-only on XP, so clear CR0.WP (bit 16) around the write (x86 only)
    {
        ULONG cr0Value;
        __asm {
            mov eax, cr0
            mov cr0Value, eax
            and eax, 0xFFFEFFFF
            mov cr0, eax
        }
        SYSTEMSERVICE(ZwQueryDirectoryFile) = (unsigned int)HookZwQueryDirectoryFile;
        __asm {
            mov eax, cr0Value
            mov cr0, eax
        }
    }

5. Add the restore code to the DriverUnload function:

    // Restore the original service-table entry (same CR0.WP handling as in DriverEntry)
    {
        ULONG cr0Value;
        __asm {
            mov eax, cr0
            mov cr0Value, eax
            and eax, 0xFFFEFFFF
            mov cr0, eax
        }
        SYSTEMSERVICE(ZwQueryDirectoryFile) = (unsigned int)RealZwQueryDirectoryFile;
        __asm {
            mov eax, cr0Value
            mov cr0, eax
        }
    }

6. Now the preparation is complete and all the function pointers have been set up and switched. What remains is to implement the replacement function HookZwQueryDirectoryFile. The code is as follows:

    NTSTATUS NTAPI HookZwQueryDirectoryFile(
        IN HANDLE hFile,
        IN HANDLE hEvent OPTIONAL,
        IN PIO_APC_ROUTINE IoApcRoutine OPTIONAL,
        IN PVOID IoApcContext OPTIONAL,
        OUT PIO_STATUS_BLOCK pIoStatusBlock,
        OUT PVOID FileInformationBuffer,
        IN ULONG FileInformationBufferLength,
        IN FILE_INFORMATION_CLASS FileInfoClass,
        IN BOOLEAN bReturnOnlyOneEntry,
        IN PUNICODE_STRING PathMask OPTIONAL,
        IN BOOLEAN bRestartQuery)
    {
        NTSTATUS rc;
        ANSI_STRING ansiFileName, ansiUpperName, hideDirFile;
        UNICODE_STRING uniFileName;

        // Name of the file or directory to hide (dbgview.exe). Upper case, because
        // every entry name is upper-cased before the comparison below
        RtlInitAnsiString(&hideDirFile, "DBGVIEW.EXE");

        // Call the real ZwQueryDirectoryFile
        rc = RealZwQueryDirectoryFile(
            hFile,
            hEvent,
            IoApcRoutine,
            IoApcContext,
            pIoStatusBlock,
            FileInformationBuffer,
            FileInformationBufferLength,
            FileInfoClass,
            bReturnOnlyOneEntry,
            PathMask,
            bRestartQuery);

        /* Filter only when the call completed synchronously with data (NT_SUCCESS would
           also accept STATUS_PENDING, when the buffer is not filled yet) and the caller
           asked for FileBothDirectoryInformation */
        if ((rc == STATUS_SUCCESS) && (FileInfoClass == FileBothDirectoryInformation))
        {
            PFILE_BOTH_DIR_INFORMATION pFileInfo;
            PFILE_BOTH_DIR_INFORMATION pLastFileInfo;
            ULONG bytesReturned = (ULONG)pIoStatusBlock->Information;   // valid bytes in the buffer
            BOOLEAN bLastOne;

            // Start at the first entry of the returned chain
            pFileInfo = (PFILE_BOTH_DIR_INFORMATION)FileInformationBuffer;
            pLastFileInfo = NULL;

            // Walk the chain entry by entry
            do
            {
                bLastOne = !(pFileInfo->NextEntryOffset);

                // FileName is not NUL-terminated: build the UNICODE_STRING from FileNameLength
                uniFileName.Buffer = pFileInfo->FileName;
                uniFileName.Length = (USHORT)pFileInfo->FileNameLength;
                uniFileName.MaximumLength = uniFileName.Length;
                RtlUnicodeStringToAnsiString(&ansiFileName, &uniFileName, TRUE);
                RtlUnicodeStringToAnsiString(&ansiUpperName, &uniFileName, TRUE);
                RtlUpperString(&ansiUpperName, &ansiFileName);

                // Print the result; view it with DebugView
                DbgPrint("ansiFileName: %Z\n", &ansiUpperName);
                DbgPrint("hideDirFile: %Z\n", &hideDirFile);

                // Compare the whole name; a prefix compare would also hide DBGVIEW.EXE.BAK
                if ((ansiUpperName.Length == hideDirFile.Length) &&
                    (RtlCompareMemory(ansiUpperName.Buffer, hideDirFile.Buffer, hideDirFile.Length) == hideDirFile.Length))
                {
                    DbgPrint("this is hideDirFile!\n");
                    RtlFreeAnsiString(&ansiUpperName);
                    RtlFreeAnsiString(&ansiFileName);
                    if (bLastOne)
                    {
                        if (pFileInfo == (PFILE_BOTH_DIR_INFORMATION)FileInformationBuffer)
                        {
                            // The hidden entry was the only one: report an empty result
                            rc = 0x80000006;   // STATUS_NO_MORE_FILES
                            pIoStatusBlock->Information = 0;
                        }
                        else
                        {
                            // Cut the chain off at the previous entry
                            pLastFileInfo->NextEntryOffset = 0;
                            pIoStatusBlock->Information = (ULONG_PTR)pFileInfo - (ULONG_PTR)FileInformationBuffer;
                        }
                        break;
                    }
                    else
                    {
                        // Overwrite this entry with the rest of the chain. The ranges overlap,
                        // so RtlMoveMemory (memmove semantics) is required, not RtlCopyMemory
                        ULONG skip = pFileInfo->NextEntryOffset;
                        ULONG iPos = (ULONG)((ULONG_PTR)pFileInfo - (ULONG_PTR)FileInformationBuffer);
                        ULONG iLeft = bytesReturned - iPos - skip;
                        RtlMoveMemory(pFileInfo, (PCHAR)pFileInfo + skip, iLeft);
                        bytesReturned -= skip;
                        pIoStatusBlock->Information = bytesReturned;
                        continue;   // re-examine the entry that slid into this slot
                    }
                }
                RtlFreeAnsiString(&ansiUpperName);
                RtlFreeAnsiString(&ansiFileName);
                pLastFileInfo = pFileInfo;
                pFileInfo = (PFILE_BOTH_DIR_INFORMATION)((PCHAR)pFileInfo + pFileInfo->NextEntryOffset);

            } while (!bLastOne);
        }
        return rc;
    }

This code was tested successfully on the development machine (WinXP + SP1 + XP DDK)!
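
The entry-unlinking logic the hook applies to the buffer ZwQueryDirectoryFile fills, written here as an added user-mode C example (not code from the post above) so the three cases can be tested without loading a driver: the hidden file as a middle entry, as the last entry, and as the only entry. It models the x86 FILE_BOTH_DIR_INFORMATION layout with fixed-width types and works on a constructed listing; the file names in it and the helpers build_listing, hide_entries, count_entries and the demo_* functions are this example's own. It goes beyond the post in one point: the comparison is an exact, case-insensitive match over FileNameLength bytes rather than a prefix compare, so dbgview.exe.bak stays visible.

```c
/* Added example, not from the original post: user-mode model of the entry
 * unlinking that the hook performs on ZwQueryDirectoryFile's output buffer.
 * Assumptions: x86 FILE_BOTH_DIR_INFORMATION layout with fixed-width types,
 * entries 8-byte aligned, ASCII file names in the constructed listing. */
#include <ctype.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define STATUS_SUCCESS       0x00000000u
#define STATUS_NO_MORE_FILES 0x80000006u  /* returned when the only entry is hidden */

typedef struct DirEntry {
    uint32_t NextEntryOffset;           /* bytes to the next entry, 0 on the last one */
    uint32_t FileIndex;
    int64_t  CreationTime, LastAccessTime, LastWriteTime, ChangeTime;
    int64_t  EndOfFile, AllocationSize;
    uint32_t FileAttributes;
    uint32_t FileNameLength;            /* in bytes; FileName is NOT NUL-terminated */
    uint32_t EaSize;
    int8_t   ShortNameLength;
    uint16_t ShortName[12];
    uint16_t FileName[1];               /* UTF-16LE, variable length */
} DirEntry;

static size_t entry_size(size_t name_chars)      /* rounded up to 8 like the FS does */
{
    return (offsetof(DirEntry, FileName) + name_chars * 2 + 7) & ~(size_t)7;
}

/* Constructed input: lay out `count` ASCII names as a chained listing; returns bytes used. */
size_t build_listing(uint8_t *buf, size_t cap, const char *const *names, size_t count)
{
    size_t used = 0;
    DirEntry *prev = NULL;
    for (size_t i = 0; i < count; i++) {
        size_t n = strlen(names[i]), sz = entry_size(n);
        if (used + sz > cap) return 0;
        DirEntry *e = (DirEntry *)(buf + used);
        memset(e, 0, sz);
        e->FileIndex = (uint32_t)i;
        e->FileNameLength = (uint32_t)(n * 2);
        for (size_t k = 0; k < n; k++) e->FileName[k] = (uint8_t)names[i][k];
        if (prev) prev->NextEntryOffset = (uint32_t)((uint8_t *)e - (uint8_t *)prev);
        prev = e;
        used += sz;
    }
    return used;
}

/* Exact, case-insensitive match on the byte-counted UTF-16 name (a prefix
 * compare would also hide "dbgview.exe.bak"). */
static int name_matches(const uint16_t *name, uint32_t name_bytes, const char *pat)
{
    size_t plen = strlen(pat);
    if (name_bytes != plen * 2) return 0;
    for (size_t i = 0; i < plen; i++)
        if (name[i] > 0x7F || toupper(name[i]) != toupper((unsigned char)pat[i])) return 0;
    return 1;
}

/* Drop every entry named `hide` from the chain in buf[0..*len). Only entry ->
 * STATUS_NO_MORE_FILES; last entry -> cut the previous link; middle entry ->
 * slide the tail down with memmove (the regions overlap) and shrink *len. */
uint32_t hide_entries(uint8_t *buf, size_t *len, const char *hide)
{
    DirEntry *cur = (DirEntry *)buf, *prev = NULL;
    if (*len == 0) return STATUS_SUCCESS;
    for (;;) {
        int last = (cur->NextEntryOffset == 0);
        if (name_matches(cur->FileName, cur->FileNameLength, hide)) {
            if (last) {
                if (prev == NULL) { *len = 0; return STATUS_NO_MORE_FILES; }
                prev->NextEntryOffset = 0;
                *len = (size_t)((uint8_t *)cur - buf);
                return STATUS_SUCCESS;
            }
            size_t pos = (size_t)((uint8_t *)cur - buf), skip = cur->NextEntryOffset;
            memmove(cur, (uint8_t *)cur + skip, *len - pos - skip);
            *len -= skip;
            continue;                    /* re-examine whatever slid into this slot */
        }
        if (last) return STATUS_SUCCESS;
        prev = cur;
        cur = (DirEntry *)((uint8_t *)cur + cur->NextEntryOffset);
    }
}

/* Count entries in a listing, or only those matching `name` when name != NULL. */
size_t count_entries(const uint8_t *buf, size_t len, const char *name)
{
    size_t n = 0;
    if (len == 0) return 0;
    for (const DirEntry *e = (const DirEntry *)buf;; e = (const DirEntry *)((const uint8_t *)e + e->NextEntryOffset)) {
        if (!name || name_matches(e->FileName, e->FileNameLength, name)) n++;
        if (e->NextEntryOffset == 0) return n;
    }
}

/* Worked case: the target appears both in the middle and at the end of the listing. */
size_t demo_entries_left(const char *survivor_name)
{
    static const char *const names[] = { ".", "..", "DbgView.exe", "notes.txt",
                                         "dbgview.exe.bak", "DBGVIEW.EXE" };
    uint64_t raw[128];                   /* 8-byte aligned backing store */
    uint8_t *buf = (uint8_t *)raw;
    size_t len = build_listing(buf, sizeof raw, names, 6);
    if (hide_entries(buf, &len, "dbgview.exe") != STATUS_SUCCESS) return (size_t)-1;
    return count_entries(buf, len, survivor_name);   /* NULL counts all: 4 */
}

/* Worked case: the hidden file is the only entry in the buffer. */
uint32_t demo_only_entry(void)
{
    static const char *const names[] = { "dbgview.exe" };
    uint64_t raw[32];
    uint8_t *buf = (uint8_t *)raw;
    size_t len = build_listing(buf, sizeof raw, names, 1);
    return hide_entries(buf, &len, "DBGVIEW.EXE");   /* STATUS_NO_MORE_FILES, len 0 */
}
```

Compiles with any C99 compiler (cc -std=c99). demo_entries_left(NULL) returns the number of entries left after hiding dbgview.exe from the constructed six-entry listing, and demo_only_entry() exercises the STATUS_NO_MORE_FILES path. The memmove is the point worth noting: the source and destination ranges overlap, so a memcpy-style copy (RtlCopyMemory in the kernel) is undefined there and RtlMoveMemory is the right primitive in the driver.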

-------------------------------------------------------------------------------

Thanks for your answer, kugou123 (cool dog) (learn VC every day and add your own).
But it seems to me that the program does not use a driver.
Each time after selecting "show all files" in the folder options, the next time you open the folder you find that the setting has been changed back to "do not show hidden files and folders" (and the "Hide protected operating system files" option has been removed).
I suspect there is a hook program monitoring in the background?
-------------------------------------------------------------------------------

All the files can be seen from the command line, but not from Explorer. Who knows why?
-------------------------------------------------------------------------------
From the point mentioned by the original poster, we can see that the program actually uses the API-hook method and hooks ZwQueryDirectoryFile.
APIs for listing file directories, as in the method described above, are used to protect specific directories: if the directory name is the one you want to protect, return true directly; if not, call the original normally.
The disadvantage of this method is that it is ineffective against the Dir command in cmd, because the Dir command does not call this API, so you can see the files there, but you cannot see the protected file directory in the desktop environment.
-------------------------------------------------------------------------------
Problem solved!
In the registry key hkey_local_ma
