我是想记录日志到文件,运行到 ZwCreateFile 就蓝屏,搞不清楚为什么,谢谢各位帮忙。代码如下:BOOLEAN drvfunc_save_filecontent( IN LPCWSTR lpcwszFilename, IN CONST PVOID lpvContent, IN DWORD dwSize )
{
//
// lpcwszFilename - IN,类似 L"\\??\\C:\\DeAntiHack.log"
// lpvContent - IN 文件内容
// dwSize - IN 文件内容大小
// BOOLEAN bRet;
NTSTATUS ntStatus;
HANDLE FileHandle;
OBJECT_ATTRIBUTES ObjectAttributes;
UNICODE_STRING usFileName;
IO_STATUS_BLOCK IoStatus;
FILE_POSITION_INFORMATION stFilePos;
FILE_STANDARD_INFORMATION stStandardInfo;
ULONG nWriteBytes; // ...
if ( NULL == lpcwszFilename || NULL == lpvContent || 0 == dwSize )
{
return FALSE;
}
if ( 0 == wcslen( lpcwszFilename ) )
{
return FALSE;
} // ...
bRet = FALSE;
ntStatus = STATUS_UNSUCCESSFUL;
RtlInitUnicodeString( &usFileName, lpcwszFilename );
InitializeObjectAttributes
(
&ObjectAttributes, // ptr to structure
&usFileName, // ptr to file spec
OBJ_CASE_INSENSITIVE|OBJ_KERNEL_HANDLE, // attributes
NULL, // root directory handle
NULL // ptr to security descriptor
); ntStatus = ZwCreateFile
(
&FileHandle, // returned file handle
GENERIC_WRITE | GENERIC_READ, // desired access
&ObjectAttributes, // ptr to object attributes
&IoStatus, // ptr to I/O status block
NULL, // alloc size = none
FILE_ATTRIBUTE_NORMAL,
FILE_SHARE_READ|FILE_SHARE_WRITE,
FILE_OVERWRITE_IF,
FILE_SYNCHRONOUS_IO_NONALERT|FILE_NO_INTERMEDIATE_BUFFERING,
NULL, // eabuffer
0 // ealength
);
if ( NT_SUCCESS( ntStatus ) && NT_SUCCESS( IoStatus.Status ) )
{
ntStatus = ZwQueryInformationFile
(
FileHandle, &IoStatus, &stStandardInfo,
sizeof(FILE_STANDARD_INFORMATION), FileStandardInformation
);
if ( NT_SUCCESS( ntStatus ) )
{
stFilePos.CurrentByteOffset = stStandardInfo.EndOfFile;
ntStatus = ZwSetInformationFile
(
FileHandle, &IoStatus, &stFilePos,
sizeof(FILE_POSITION_INFORMATION), FilePositionInformation
);
if ( NT_SUCCESS( ntStatus ) )
{
nWriteBytes = dwSize;
ntStatus = ZwWriteFile
(
FileHandle, NULL, NULL, NULL,
&IoStatus, lpvContent, nWriteBytes, NULL, NULL
);
if ( NT_SUCCESS( ntStatus ) && IoStatus.Information == nWriteBytes )
{
bRet = TRUE;
//KdPrint(("KWriteOpToLogFile: Write Data %s\n", pszData ));
}
else
{
KdPrint( ("KWriteOpToLogFile: Write Data is Error,status=0x%4x, Pre Write=%d, WriteBytes=%d\n",
ntStatus, nWriteBytes, nWriteBytes ));
}
}
else
{
KdPrint(("KWriteOpToLogFile: cann't Set End of File,status=0x%4x\n", ntStatus));
}
}
else
{
KdPrint(("KWriteOpToLogFile: cann't get file size,status=0x%4x\n", ntStatus));
} // ..
ZwClose( FileHandle );
}
else
{
KdPrint( ("KWriteOpToLogFile: Open %ws is fail, status=0x%4x\n", lpcwszFilename, ntStatus) );
} return bRet;
}
{
//
// lpcwszFilename - IN,类似 L"\\??\\C:\\DeAntiHack.log"
// lpvContent - IN 文件内容
// dwSize - IN 文件内容大小
// BOOLEAN bRet;
NTSTATUS ntStatus;
HANDLE FileHandle;
OBJECT_ATTRIBUTES ObjectAttributes;
UNICODE_STRING usFileName;
IO_STATUS_BLOCK IoStatus;
FILE_POSITION_INFORMATION stFilePos;
FILE_STANDARD_INFORMATION stStandardInfo;
ULONG nWriteBytes; // ...
if ( NULL == lpcwszFilename || NULL == lpvContent || 0 == dwSize )
{
return FALSE;
}
if ( 0 == wcslen( lpcwszFilename ) )
{
return FALSE;
} // ...
bRet = FALSE;
ntStatus = STATUS_UNSUCCESSFUL;
RtlInitUnicodeString( &usFileName, lpcwszFilename );
InitializeObjectAttributes
(
&ObjectAttributes, // ptr to structure
&usFileName, // ptr to file spec
OBJ_CASE_INSENSITIVE|OBJ_KERNEL_HANDLE, // attributes
NULL, // root directory handle
NULL // ptr to security descriptor
); ntStatus = ZwCreateFile
(
&FileHandle, // returned file handle
GENERIC_WRITE | GENERIC_READ, // desired access
&ObjectAttributes, // ptr to object attributes
&IoStatus, // ptr to I/O status block
NULL, // alloc size = none
FILE_ATTRIBUTE_NORMAL,
FILE_SHARE_READ|FILE_SHARE_WRITE,
FILE_OVERWRITE_IF,
FILE_SYNCHRONOUS_IO_NONALERT|FILE_NO_INTERMEDIATE_BUFFERING,
NULL, // eabuffer
0 // ealength
);
if ( NT_SUCCESS( ntStatus ) && NT_SUCCESS( IoStatus.Status ) )
{
ntStatus = ZwQueryInformationFile
(
FileHandle, &IoStatus, &stStandardInfo,
sizeof(FILE_STANDARD_INFORMATION), FileStandardInformation
);
if ( NT_SUCCESS( ntStatus ) )
{
stFilePos.CurrentByteOffset = stStandardInfo.EndOfFile;
ntStatus = ZwSetInformationFile
(
FileHandle, &IoStatus, &stFilePos,
sizeof(FILE_POSITION_INFORMATION), FilePositionInformation
);
if ( NT_SUCCESS( ntStatus ) )
{
nWriteBytes = dwSize;
ntStatus = ZwWriteFile
(
FileHandle, NULL, NULL, NULL,
&IoStatus, lpvContent, nWriteBytes, NULL, NULL
);
if ( NT_SUCCESS( ntStatus ) && IoStatus.Information == nWriteBytes )
{
bRet = TRUE;
//KdPrint(("KWriteOpToLogFile: Write Data %s\n", pszData ));
}
else
{
KdPrint( ("KWriteOpToLogFile: Write Data is Error,status=0x%4x, Pre Write=%d, WriteBytes=%d\n",
ntStatus, nWriteBytes, nWriteBytes ));
}
}
else
{
KdPrint(("KWriteOpToLogFile: cann't Set End of File,status=0x%4x\n", ntStatus));
}
}
else
{
KdPrint(("KWriteOpToLogFile: cann't get file size,status=0x%4x\n", ntStatus));
} // ..
ZwClose( FileHandle );
}
else
{
KdPrint( ("KWriteOpToLogFile: Open %ws is fail, status=0x%4x\n", lpcwszFilename, ntStatus) );
} return bRet;
}
用windbg调试吧。