kernel32！OpenFile与ntdll！NtOpenFile

kernel32！OpenFile并不是直接调用的ntdll！NtOpenFile，其调用的是ntdll！NtCreateFile。

ntdll！NtOpenFile

ntdll！NtOpenFile函数并没有导出，如果要调用的话需要GetProcAddress动态获取。

typedef struct _IO_STATUS_BLOCK {
  union {
    NTSTATUS Status;
    PVOID    Pointer;
  };
  ULONG_PTR Information;
} IO_STATUS_BLOCK, *PIO_STATUS_BLOCK;


typedef struct _UNICODE_STRING {
  USHORT Length;
  USHORT MaximumLength;
  PWSTR  Buffer;
} UNICODE_STRING, *PUNICODE_STRING;

typedef struct _OBJECT_ATTRIBUTES {
  ULONG           Length;
  HANDLE          RootDirectory;
  PUNICODE_STRING ObjectName;
  ULONG           Attributes;
  PVOID           SecurityDescriptor;
  PVOID           SecurityQualityOfService;
} OBJECT_ATTRIBUTES;

typedef void( __stdcall* RtlInitUnicodeStringA)(PUNICODE_STRING DestinationString, PCWSTR SourceString);
typedef int (__stdcall *NtOpenFileA)(PHANDLE FileHandle, ACCESS_MASK DesiredAccess, OBJECT_ATTRIBUTES* ObjectAttributes, PIO_STATUS_BLOCK IoStatusBlock, ULONG ShareAccess, ULONG OpenOptions);


UNICODE_STRING stFileName = { 0 };
RtlInitUnicodeStringA RtlInitUnicodeString =(RtlInitUnicodeStringA) GetProcAddress(LoadLibrary(TEXT("ntdll.dll")), "RtlInitUnicodeString");
NtOpenFileA  NtOpenFile = (NtOpenFileA)GetProcAddress(LoadLibrary(TEXT("ntdll.dll")), "NtOpenFile");

• ntdll！NtOpenFile返回0xC000003B，说明给出的文件的路径错误。
• 注意调用ntdll！NtOpenFile给出的文件名需要加上"??"。
• RtlInitUnicodeString(PUNICODE_STRING DestinationString, PCWSTR SourceString)函数在使用时注意其第二个参数为宽字符。

标签：OpenFile,STRING,NtOpenFile,kernel32,PUNICODE,ntdll,typedef,ULONG
来源： https://www.cnblogs.com/revercc/p/15861854.html