ZwQueryDirectoryFile
http://msdn2.microsoft.com/en-us/library/ms801001.aspx
На асме выглядит так:
http://megalib.com/books/917/kmd11.html#k11d11
;:::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
; EnumerateFiles
;:::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
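; Purpose: enumerate \SystemRoot\system32\drivers with ZwQueryDirectoryFile and DbgPrint every
;          entry whose name matches "c*": name, low 32 bits of the size, creation day.month.year.
; Form:    32-bit MASM + KmdKit kernel-mode code (stdcall `invoke`, `.if`/`.while` directives).
;          No parameters, no return value. esi is preserved via `uses esi`; eax/ecx/edx are scratch.
; IRQL:    PASSIVE_LEVEL only - the Zw* file calls, PagedPool and RtlUnicodeStringToAnsiString all
;          require it (presumably invoked from DriverEntry; the caller is not shown here).
; Fix:     the original loop condition was `.while eax != STATUS_NO_MORE_FILES`, so a persistent
;          status other than STATUS_SUCCESS / STATUS_NO_MORE_FILES (e.g. STATUS_INVALID_PARAMETER or
;          STATUS_ACCESS_DENIED) re-issued the failing query forever in kernel mode. The loop now
;          continues only on STATUS_SUCCESS or STATUS_BUFFER_OVERFLOW (an entry whose name does not
;          fit the buffer: it is skipped, as before, and the enumeration still advances) and reports
;          any other terminating status. A failed pool allocation is now reported instead of being
;          silently ignored.
EnumerateFiles proc uses esi
    local oa:OBJECT_ATTRIBUTES
    local hSystemRootDirectory:HANDLE
    local hDriversDirectory:HANDLE
    local as:ANSI_STRING
    local us:UNICODE_STRING
    local iosb:IO_STATUS_BLOCK
    local tf:TIME_FIELDS
    local cb:DWORD
    local pfdi:PFILE_DIRECTORY_INFORMATION

    invoke DbgPrint, $CTA0("\nFileWorks: Opening directory to enumerate files\n")

    ; The root is opened as a kernel handle (OBJ_KERNEL_HANDLE) so it is not reachable from the
    ; user-mode handle table, and with only the rights this routine needs
    ; (FILE_LIST_DIRECTORY + SYNCHRONIZE; synchronous I/O because we wait on the Zw calls).
    InitializeObjectAttributes addr oa, $CCOUNTED_UNICODE_STRING("\\SystemRoot"), \
        OBJ_CASE_INSENSITIVE + OBJ_KERNEL_HANDLE, NULL, NULL
    invoke ZwOpenFile, addr hSystemRootDirectory, FILE_LIST_DIRECTORY + SYNCHRONIZE, addr oa, \
        addr iosb, FILE_SHARE_READ + FILE_SHARE_WRITE + FILE_SHARE_DELETE, \
        FILE_DIRECTORY_FILE + FILE_SYNCHRONOUS_IO_NONALERT
    .if eax == STATUS_SUCCESS
        ; "system32\drivers" is opened relative to the root handle (RootDirectory = hSystemRootDirectory).
        InitializeObjectAttributes addr oa, $CCOUNTED_UNICODE_STRING("system32\\drivers"), \
            OBJ_CASE_INSENSITIVE + OBJ_KERNEL_HANDLE, hSystemRootDirectory, NULL
        invoke ZwOpenFile, addr hDriversDirectory, FILE_LIST_DIRECTORY + SYNCHRONIZE, addr oa, \
            addr iosb, FILE_SHARE_READ + FILE_SHARE_WRITE + FILE_SHARE_DELETE, \
            FILE_DIRECTORY_FILE + FILE_SYNCHRONOUS_IO_NONALERT
        .if eax == STATUS_SUCCESS
            ; One FILE_DIRECTORY_INFORMATION plus 256 bytes of name (ReturnSingleEntry = TRUE below).
            ; A longer name comes back as STATUS_BUFFER_OVERFLOW with a truncated FileName and a
            ; FileNameLength larger than the buffer - such entries are skipped, never dereferenced.
            mov cb, sizeof FILE_DIRECTORY_INFORMATION + 256
            ; NOTE(review): untagged ExAllocatePool; ExAllocatePoolWithTag would make the block
            ; attributable in pool-leak / pool-corruption diagnostics. Kept as-is to match the
            ; tutorial's imports - confirm the prototype is available before switching.
            invoke ExAllocatePool, PagedPool, cb
            .if eax != NULL
                mov pfdi, eax
                mov esi, eax
                assume esi:ptr FILE_DIRECTORY_INFORMATION
                invoke DbgPrint, \
                    $CTA0("\nFileWorks: ---------- Starting enumerate files ----------\n")
                ; The first query installs the "c*" filter and restarts the scan. The filter stays
                ; associated with the handle (documented ZwQueryDirectoryFile behaviour), so the
                ; follow-up queries pass FileName = NULL and RestartScan = FALSE.
                invoke ZwQueryDirectoryFile, hDriversDirectory, NULL, NULL, NULL, addr iosb, \
                    esi, cb, FileDirectoryInformation, \
                    TRUE, $CCOUNTED_UNICODE_STRING("c*"), TRUE
                ; Continue only while the query succeeded or merely truncated a name. Every other
                ; status (STATUS_NO_MORE_FILES included) ends the loop; looping on
                ; "!= STATUS_NO_MORE_FILES" would re-issue a permanently failing query forever.
                .while eax == STATUS_SUCCESS || eax == STATUS_BUFFER_OVERFLOW
                    .if eax == STATUS_SUCCESS
                        ; Counted UNICODE_STRING over the (not NUL-terminated) FileName in the buffer.
                        ; FileNameLength is a ULONG; the low 16 bits are enough for any path component.
                        mov eax, [esi].FileNameLength
                        mov us._Length, ax
                        mov us.MaximumLength, ax
                        lea eax, [esi].FileName
                        mov us.Buffer, eax
                        ; AllocateDestinationString = TRUE: the Rtl routine allocates as.Buffer
                        ; (expected NUL-terminated - the %s below relies on it); released with
                        ; RtlFreeAnsiString once printed.
                        invoke RtlUnicodeStringToAnsiString, addr as, addr us, TRUE
                        .if eax == STATUS_SUCCESS
                            invoke RtlTimeToTimeFields, addr [esi].CreationTime, addr tf
                            movzx eax, tf.Day
                            movzx ecx, tf.Month
                            movzx edx, tf.Year
                            ; The format string is a constant; the file name is passed only as %s
                            ; data. Only EndOfFile.LowPart is printed, so sizes >= 4 GiB show
                            ; just the low 32 bits.
                            invoke DbgPrint, $CTA0(" %s size=%d created on %d.%02d.%04d\n"), \
                                as.Buffer, [esi].EndOfFile.LowPart, eax, ecx, edx
                            invoke RtlFreeAnsiString, addr as
                        .endif
                    .endif
                    invoke ZwQueryDirectoryFile, hDriversDirectory, NULL, NULL, NULL, addr iosb, \
                        esi, cb, FileDirectoryInformation, \
                        TRUE, NULL, FALSE
                .endw
                ; eax still holds the terminating status; anything but "end of directory" is an error.
                .if eax != STATUS_NO_MORE_FILES
                    invoke DbgPrint, $CTA0("FileWorks: Enumeration stopped. Status: %08X\n"), eax
                .endif
                invoke DbgPrint, \
                    $CTA0("FileWorks: ------------------------------------------------\n")
                assume esi:nothing
                invoke ExFreePool, pfdi
            .else
                invoke DbgPrint, $CTA0("FileWorks: Can't allocate enumeration buffer\n")
            .endif
            invoke ZwClose, hDriversDirectory
        .else
            invoke DbgPrint, $CTA0("FileWorks: Can't open drivers directory. Status: %08X\n"), eax
        .endif
        invoke ZwClose, hSystemRootDirectory
    .else
        invoke DbgPrint, $CTA0("FileWorks: Can't open system root directory. Status: %08X\n"), eax
    .endif
    ret
EnumerateFiles endp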
а вообще не понимаю... интернет есть. DDK есть. все - есть!
Поиск занял минут 5-10 от силы. В чём проблема-то?
http://www.osronline.com/ShowThread.cfm?link=128195