Windows内核下的文件管理技术：内核API实现<\/h1>

前言<\/h2>
Windows内核下的Rootkit开发技术学习。用户数据通常以文件形式存储在本地磁盘上，Rootkit等恶意软件需要操作文件的功能（增、删、查、改）。文件管理主要有三种方式：<\/p>
基于导出的内核API直接操作文件<\/li>
通过构造I\/O请求包(IRP)发送IRP操作文件<\/li>
根据文件系统格式(NTFS)解析硬盘二进制数据<\/li> <\/ol>
本文重点介绍第一种方式——使用内核API实现文件操作。<\/p>
内核API概述<\/h2>
内核API是一组从内核组件中输出的函数，主要实现于：<\/p>
内核本身模块(NtOskrnl.exe)<\/li>
其他模块(如hal.dll)<\/li> <\/ul>
常见内核API前缀：<\/p>
Ex<\/code>: 通用执行体函数(如ExAllocatePool<\/code>)<\/li>
Ke<\/code>: 通用内核函数(如KeAcquireSpinLock<\/code>)<\/li>
Io<\/code>: I\/O管理器函数(如IoCompleteRequest<\/code>)<\/li>
Zw<\/code>: 原生API包装(如ZwCreateFile<\/code>)<\/li>
<\/ul>
Zw与Nt系列函数<\/h3>

Nt<\/code>系列函数(如NtCreateFile<\/code>)是Windows内核提供的原生API，直接与内核模式交互<\/li>
Zw<\/code>系列函数是原生API的包装，实现几乎相同但通过不同入口点进入系统<\/li>
内核模式调用Nt<\/code>函数会检查调用上下文(用户\/内核模式)<\/li>
调用Zw<\/code>函数则直接设置PreviousMode<\/code>为KernelMode<\/code><\/li>
<\/ul>
关键数据结构<\/h2>
OBJECT_ATTRIBUTES结构<\/h3>
用于描述操作系统对象(文件、设备、事件等)属性，传递给如ZwCreateFile<\/code>、ZwOpenKey<\/code>等API。<\/p>
typedef<\/span> struct<\/span> _OBJECT_ATTRIBUTES {
<\/span><\/span>    ULONG Length;                     \/\/ 结构体大小(字节)
<\/span><\/span><\/span><\/span>    HANDLE RootDirectory;             \/\/ 对象名称的根目录句柄
<\/span><\/span><\/span><\/span>    PUNICODE_STRING ObjectName;       \/\/ 对象名称(UNICODE_STRING指针)
<\/span><\/span><\/span><\/span>    ULONG Attributes;                 \/\/ 对象属性标志
<\/span><\/span><\/span><\/span>    PSECURITY_DESCRIPTOR SecurityDescriptor;  \/\/ 安全描述符(通常NULL)
<\/span><\/span><\/span><\/span>    PSECURITY_QUALITY_OF_SERVICE SecurityQualityOfService;  \/\/ 安全服务质量(通常NULL)
<\/span><\/span><\/span><\/span>} OBJECT_ATTRIBUTES, *<\/span>POBJECT_ATTRIBUTES;
<\/span><\/span><\/code><\/pre>常用属性标志：<\/p>

OBJ_CASE_INSENSITIVE<\/code>: 名称比较不区分大小写<\/li>
OBJ_KERNEL_HANDLE<\/code>: 句柄仅内核模式可访问<\/li>
OBJ_OPENIF<\/code>: 对象存在则打开，否则不失败<\/li>
OBJ_PERMANENT<\/code>: 创建永久对象(不自动删除)<\/li>
<\/ul>
InitializeObjectAttributes宏<\/h3>
用于初始化OBJECT_ATTRIBUTES<\/code>结构体：<\/p>
#define InitializeObjectAttributes(p, n, a, r, s) { \
<\/span><\/span><\/span>    (p)->Length = sizeof(OBJECT_ATTRIBUTES); \
<\/span><\/span><\/span>    (p)->RootDirectory = r; \
<\/span><\/span><\/span>    (p)->Attributes = a; \
<\/span><\/span><\/span>    (p)->ObjectName = n; \
<\/span><\/span><\/span>    (p)->SecurityDescriptor = s; \
<\/span><\/span><\/span>    (p)->SecurityQualityOfService = NULL; \
<\/span><\/span><\/span>}
<\/span><\/span><\/span><\/code><\/pre>文件操作API详解<\/h2>
1. 文件创建(ZwCreateFile)<\/h3>
用于创建或打开文件对象，也可用于目录操作。<\/p>
NTSTATUS ZwCreateFile<\/span>(
<\/span><\/span>    PHANDLE FileHandle,              \/\/ 接收文件句柄的指针
<\/span><\/span><\/span><\/span>    ACCESS_MASK DesiredAccess,       \/\/<\/span> 访问类型<\/span>(读<\/span>\/<\/span>写<\/span>\/<\/span>执行等<\/span>)
<\/span><\/span>    POBJECT_ATTRIBUTES ObjectAttributes, \/\/ 已初始化的OBJECT_ATTRIBUTES
<\/span><\/span><\/span><\/span>    PIO_STATUS_BLOCK IoStatusBlock,  \/\/ I\/O状态块指针
<\/span><\/span><\/span><\/span>    PLARGE_INTEGER AllocationSize,   \/\/ 文件分配大小
<\/span><\/span><\/span><\/span>    ULONG FileAttributes,            \/\/ 文件属性
<\/span><\/span><\/span><\/span>    ULONG ShareAccess,               \/\/ 共享模式
<\/span><\/span><\/span><\/span>    ULONG CreateDisposition,         \/\/ 创建方式
<\/span><\/span><\/span><\/span>    ULONG CreateOptions,             \/\/ 创建选项
<\/span><\/span><\/span><\/span>    PVOID EaBuffer,                  \/\/ 扩展属性缓冲区(通常NULL)
<\/span><\/span><\/span><\/span>    ULONG EaLength                   \/\/ EaBuffer长度
<\/span><\/span><\/span><\/span>);
<\/span><\/span><\/code><\/pre>内核模式创建文件步骤<\/h4>

初始化UNICODE_STRING<\/code>结构(文件路径)<\/li>
设置OBJECT_ATTRIBUTES<\/code>结构体<\/li>
调用ZwCreateFile<\/code><\/li>
操作完成后用ZwClose<\/code>关闭句柄<\/li>
<\/ol>
示例代码：<\/strong><\/p>
void<\/span> CreateFileTest<\/span>() {
<\/span><\/span>    NTSTATUS status;
<\/span><\/span>    HANDLE hFile;
<\/span><\/span>    OBJECT_ATTRIBUTES objAttr;
<\/span><\/span>    IO_STATUS_BLOCK ioStatusBlock;
<\/span><\/span>    UNICODE_STRING fileName;
<\/span><\/span>    
<\/span><\/span>    \/\/ 初始化UNICODE_STRING
<\/span><\/span><\/span><\/span>    RtlInitUnicodeString(&<\/span>fileName, L<\/span>"<\/span>\\<\/span>??<\/span>\\<\/span>C:<\/span>\\<\/span>path<\/span>\\<\/span>MyFile.txt"<\/span>);
<\/span><\/span>    
<\/span><\/span>    \/\/ 初始化OBJECT_ATTRIBUTES
<\/span><\/span><\/span><\/span>    InitializeObjectAttributes(&<\/span>objAttr, &<\/span>fileName, 
<\/span><\/span>        OBJ_CASE_INSENSITIVE |<\/span> OBJ_KERNEL_HANDLE, NULL, NULL);
<\/span><\/span>    
<\/span><\/span>    \/\/ 调用ZwCreateFile
<\/span><\/span><\/span><\/span>    status =<\/span> ZwCreateFile(&<\/span>hFile, GENERIC_WRITE |<\/span> GENERIC_READ, &<\/span>objAttr,
<\/span><\/span>        &<\/span>ioStatusBlock, NULL, FILE_ATTRIBUTE_NORMAL, 0<\/span>, FILE_OPEN_IF,
<\/span><\/span>        FILE_SYNCHRONOUS_IO_NONALERT, NULL, 0<\/span>);
<\/span><\/span>    
<\/span><\/span>    if<\/span> (NT_SUCCESS(status)) {
<\/span><\/span>        DbgPrint("File created\/opened successfully.<\/span>\n<\/span>"<\/span>);
<\/span><\/span>        ZwClose(hFile);
<\/span><\/span>    } else<\/span> {
<\/span><\/span>        DbgPrint("Failed to create\/open file. Status: 0x%X<\/span>\n<\/span>"<\/span>, status);
<\/span><\/span>    }
<\/span><\/span>}
<\/span><\/span><\/code><\/pre>注意事项：<\/strong><\/p>

文件路径需包含\\??\\<\/code>前缀（内核符号链接）<\/li>
FILE_OPEN_IF<\/code>标志：存在则打开，不存在则创建<\/li>
驱动需在测试模式下加载，VS需用x64生成<\/li>
<\/ul>
2. 文件删除(ZwDeleteFile)<\/h3>
删除指定文件：<\/p>
NTSTATUS ZwDeleteFile<\/span>(
<\/span><\/span>    _In_ POBJECT_ATTRIBUTES ObjectAttributes
<\/span><\/span>);
<\/span><\/span><\/code><\/pre>3. 获取文件信息(ZwQueryInformationFile)<\/h3>
获取文件大小等信息：<\/p>
NTSTATUS ZwQueryInformationFile<\/span>(
<\/span><\/span>    [in] HANDLE FileHandle,                  \/\/ 文件句柄
<\/span><\/span><\/span><\/span>    [out] PIO_STATUS_BLOCK IoStatusBlock,    \/\/ I\/O状态块
<\/span><\/span><\/span><\/span>    [out] PVOID FileInformation,             \/\/ 接收信息的缓冲区
<\/span><\/span><\/span><\/span>    [in] ULONG Length,                       \/\/ 缓冲区大小
<\/span><\/span><\/span><\/span>    [in] FILE_INFORMATION_CLASS FileInformationClass \/\/ 信息类型
<\/span><\/span><\/span><\/span>);
<\/span><\/span><\/code><\/pre>常用信息类型：<\/p>

FileBasicInformation<\/code>: 基本文件信息<\/li>
FileStandardInformation<\/code>: 标准文件信息(含大小)<\/li>
FilePositionInformation<\/code>: 文件指针位置<\/li>
<\/ul>
FILE_STANDARD_INFORMATION结构<\/h4>
typedef<\/span> struct<\/span> _FILE_STANDARD_INFORMATION {
<\/span><\/span>    LARGE_INTEGER AllocationSize;  \/\/ 分配大小
<\/span><\/span><\/span><\/span>    LARGE_INTEGER EndOfFile;       \/\/ 实际大小
<\/span><\/span><\/span><\/span>    ULONG NumberOfLinks;           \/\/ 硬链接数
<\/span><\/span><\/span><\/span>    BOOLEAN DeletePending;         \/\/ 是否标记为删除
<\/span><\/span><\/span><\/span>    BOOLEAN Directory;             \/\/ 是否为目录
<\/span><\/span><\/span><\/span>} FILE_STANDARD_INFORMATION, *<\/span>PFILE_STANDARD_INFORMATION;
<\/span><\/span><\/code><\/pre>4. 文件读写(ZwReadFile\/ZwWriteFile)<\/h3>
NTSTATUS ZwReadFile<\/span>(
<\/span><\/span>    HANDLE FileHandle,             \/\/ 文件句柄
<\/span><\/span><\/span><\/span>    HANDLE Event,                  \/\/ 可选事件句柄
<\/span><\/span><\/span><\/span>    PIO_APC_ROUTINE ApcRoutine,    \/\/ 可选APC例程
<\/span><\/span><\/span><\/span>    PVOID ApcContext,              \/\/ 可选APC上下文
<\/span><\/span><\/span><\/span>    PIO_STATUS_BLOCK IoStatusBlock,\/\/ I\/O状态块
<\/span><\/span><\/span><\/span>    PVOID Buffer,                  \/\/<\/span> 数据缓冲区<\/span>(读取<\/span>)
<\/span><\/span>    ULONG Length,                  \/\/ 要读取的字节数
<\/span><\/span><\/span><\/span>    PLARGE_INTEGER ByteOffset,     \/\/ 读取位置
<\/span><\/span><\/span><\/span>    PULONG Key                     \/\/ 关联键(通常NULL)
<\/span><\/span><\/span><\/span>);
<\/span><\/span>
<\/span><\/span>NTSTATUS ZwWriteFile<\/span>(
<\/span><\/span>    \/\/ 参数同ZwReadFile，但Buffer为要写入的数据
<\/span><\/span><\/span><\/span>);
<\/span><\/span><\/code><\/pre>5. 文件重命名(ZwSetInformationFile)<\/h3>
NTSTATUS ZwSetInformationFile<\/span>(
<\/span><\/span>    _In_ HANDLE FileHandle,
<\/span><\/span>    _Out_ PIO_STATUS_BLOCK IoStatusBlock,
<\/span><\/span>    _In_ PVOID FileInformation,
<\/span><\/span>    _In_ ULONG Length,
<\/span><\/span>    _In_ FILE_INFORMATION_CLASS FileInformationClass
<\/span><\/span>);
<\/span><\/span><\/code><\/pre>使用FileRenameInformation<\/code>信息类型和FILE_RENAME_INFORMATION<\/code>结构：<\/p>
typedef<\/span> struct<\/span> _FILE_RENAME_INFORMATION {
<\/span><\/span>    BOOLEAN ReplaceIfExists;  \/\/ 存在是否替换
<\/span><\/span><\/span><\/span>    HANDLE RootDirectory;      \/\/ 根目录句柄
<\/span><\/span><\/span><\/span>    ULONG FileNameLength;      \/\/ 文件名长度
<\/span><\/span><\/span><\/span>    WCHAR FileName[1<\/span>];         \/\/ 文件名(灵活数组成员)
<\/span><\/span><\/span><\/span>} FILE_RENAME_INFORMATION, *<\/span>PFILE_RENAME_INFORMATION;
<\/span><\/span><\/code><\/pre>内存分配：<\/strong><\/p>

使用ExAllocatePoolWithTag<\/code>动态分配内存<\/li>
内存大小计算：sizeof(FILE_RENAME_INFORMATION) + FileNameLength<\/code><\/li>
完成后用ExFreePoolWithTag<\/code>释放<\/li>
<\/ul>
6. 文件遍历(ZwQueryDirectoryFile)<\/h3>
枚举目录内容：<\/p>
NTSTATUS ZwQueryDirectoryFile<\/span>(
<\/span><\/span>    HANDLE FileHandle,             \/\/ 目录句柄
<\/span><\/span><\/span><\/span>    HANDLE Event,                  \/\/ 可选事件
<\/span><\/span><\/span><\/span>    PIO_APC_ROUTINE ApcRoutine,    \/\/ 可选APC例程
<\/span><\/span><\/span><\/span>    PVOID ApcContext,              \/\/ 可选APC上下文
<\/span><\/span><\/span><\/span>    PIO_STATUS_BLOCK IoStatusBlock,\/\/ I\/O状态块
<\/span><\/span><\/span><\/span>    PVOID FileInformation,         \/\/ 文件信息缓冲区
<\/span><\/span><\/span><\/span>    ULONG Length,                  \/\/ 缓冲区长度
<\/span><\/span><\/span><\/span>    FILE_INFORMATION_CLASS FileInformationClass, \/\/ 信息类型
<\/span><\/span><\/span><\/span>    BOOLEAN ReturnSingleEntry,     \/\/ 是否只返回单个条目
<\/span><\/span><\/span><\/span>    PUNICODE_STRING FileName,      \/\/<\/span> 文件名掩码<\/span>(如<\/span>*<\/span>.txt)
<\/span><\/span>    BOOLEAN RestartScan            \/\/ 是否从头重新扫描
<\/span><\/span><\/span><\/span>);
<\/span><\/span><\/code><\/pre>常用信息类型：<\/p>

FileDirectoryInformation<\/code>: 基本目录信息<\/li>
FileFullDirectoryInformation<\/code>: 扩展目录信息<\/li>
FileBothDirectoryInformation<\/code>: 包含短文件名<\/li>
<\/ul>
FILE_DIRECTORY_INFORMATION结构<\/h4>
typedef<\/span> struct<\/span> _FILE_DIRECTORY_INFORMATION {
<\/span><\/span>    ULONG NextEntryOffset;        \/\/ 下一条目偏移(0表示最后)
<\/span><\/span><\/span><\/span>    ULONG FileIndex;              \/\/ 文件索引号
<\/span><\/span><\/span><\/span>    LARGE_INTEGER CreationTime;   \/\/ 创建时间
<\/span><\/span><\/span><\/span>    LARGE_INTEGER LastAccessTime; \/\/ 最后访问时间
<\/span><\/span><\/span><\/span>    LARGE_INTEGER LastWriteTime;  \/\/ 最后写入时间
<\/span><\/span><\/span><\/span>    LARGE_INTEGER ChangeTime;     \/\/ 最后修改时间
<\/span><\/span><\/span><\/span>    LARGE_INTEGER EndOfFile;      \/\/ 文件大小
<\/span><\/span><\/span><\/span>    LARGE_INTEGER AllocationSize; \/\/ 分配大小
<\/span><\/span><\/span><\/span>    ULONG FileAttributes;         \/\/ 文件属性
<\/span><\/span><\/span><\/span>    ULONG FileNameLength;         \/\/ 文件名长度
<\/span><\/span><\/span><\/span>    WCHAR FileName[1<\/span>];            \/\/ 文件名(灵活数组成员)
<\/span><\/span><\/span><\/span>} FILE_DIRECTORY_INFORMATION, *<\/span>PFILE_DIRECTORY_INFORMATION;
<\/span><\/span><\/code><\/pre>内存分配API<\/h2>
ExAllocatePoolWithTag<\/h3>
PVOID ExAllocatePoolWithTag<\/span>(
<\/span><\/span>    [in] POOL_TYPE PoolType,    \/\/ 池类型
<\/span><\/span><\/span><\/span>    [in] SIZE_T NumberOfBytes,  \/\/ 字节数
<\/span><\/span><\/span><\/span>    [in] ULONG Tag             \/\/ 池标记
<\/span><\/span><\/span><\/span>);
<\/span><\/span><\/code><\/pre>常用池类型：<\/p>

NonPagedPool<\/code>: 非分页池(任意IRQL可访问)<\/li>
PagedPool<\/code>: 分页池(IRQL<=APC_LEVEL)<\/li>
NonPagedPoolNx<\/code>: 非分页池(禁止执行代码)<\/li>
<\/ul>
ExAllocatePool2 (Win10 2004+)<\/h3>
新版本替代函数：<\/p>
PVOID ExAllocatePool2<\/span>(
<\/span><\/span>    POOL_FLAGS PoolFlags,  \/\/ 池标志
<\/span><\/span><\/span><\/span>    SIZE_T NumberOfBytes,  \/\/ 字节数
<\/span><\/span><\/span><\/span>    ULONG Tag              \/\/ 池标记
<\/span><\/span><\/span><\/span>);
<\/span><\/span><\/code><\/pre>特点：<\/p>

默认初始化内存为零<\/li>
更丰富的参数控制<\/li>
<\/ul>
总结<\/h2>
本文详细介绍了Windows内核模式下使用内核API进行文件操作的技术，包括：<\/p>

文件创建\/打开(ZwCreateFile<\/code>)<\/li>
文件删除(ZwDeleteFile<\/code>)<\/li>
文件信息查询(ZwQueryInformationFile<\/code>)<\/li>
文件读写(ZwReadFile<\/code>\/ZwWriteFile<\/code>)<\/li>
文件重命名(ZwSetInformationFile<\/code>)<\/li>
目录遍历(ZwQueryDirectoryFile<\/code>)<\/li>
<\/ol>
这些技术是Rootkit和内核驱动开发中文件操作的基础，理解这些API和数据结构对于开发内核级文件管理功能至关重要。<\/p>