  • The three file-deletion paths under Windows (lightweight)

    The three usual ways of deleting a file are all well known:
    #define FILE_DELETE_ON_CLOSE                    0x00001000
    
    
    @1 Nt/ZwCreateFile  Nt/ZwOpenFile
       fill in the OpenPacket structure and set FILE_DELETE_ON_CLOSE in CreateOptions    (WRK)
    @2 Nt/ZwDeleteFile
    @3 Nt/ZwSetInformationFile  with FileDispositionInformation (FILE_INFORMATION_CLASS value 0xd == 13)
    IoCallDriver( deviceObject, irp );
    
    
    Complete stack backtrace of the cmd `del` command on XP and Win7
    
    del c:4
    1: kd> kvn
     # ChildEBP RetAddr  Args to Child              
    00 b1dd2cb0 804e23c9 82102020 81fde1e8 81fde1f8 Ntfs!NtfsFsdSetInformation (FPO: [Non-Fpo])
    01 b1dd2cc0 805dc2c1 b1dd2d64 0013efd0 805804ed nt!IopfCallDriver+0x31 (FPO: [0,0,0])
    02 b1dd2d48 804de98f 00000090 0013f010 0013f033 nt!NtSetInformationFile+0x533 (FPO: [Non-Fpo])
    03 b1dd2d48 7c92e514 00000090 0013f010 0013f033 nt!KiFastCallEntry+0xfc (FPO: [0,0] TrapFrame @ b1dd2d64)
    04 0013efb0 7c92dc6a 7c832054 00000090 0013f010 ntdll!KiFastSystemCallRet (FPO: [0,0,0])
    05 0013efb4 7c832054 00000090 0013f010 0013f033 ntdll!NtSetInformationFile+0xc (FPO: [5,0,0])
    06 0013f028 4ad17d07 0113f050 0015d990 001591c0 kernel32!DeleteFileW+0x23f (FPO: [Non-Fpo])
    07 0013f46c 4ad08fc1 001591c0 0015d990 00000000 cmd!NewEraseFile+0x1b2 (FPO: [Non-Fpo])
    08 0013f6d4 4ad09148 001591c0 00000000 00000006 cmd!ExpandAndApplyToFS+0x22a (FPO: [Non-Fpo])
    09 0013f774 4ad0937c 001591c0 00000000 00000006 cmd!WalkTree+0x40 (FPO: [Non-Fpo])
    0a 0013f9d0 4ad092df 0013f9e8 0015a0c8 0015913c cmd!DelPatterns+0x6a (FPO: [Non-Fpo])
    0b 0013fc60 4ad091a3 0015a060 0013fe9c 4ad05a92 cmd!DelWork+0x13c (FPO: [Non-Fpo])
    0c 0013fc6c 4ad05a92 0015a0c8 00000000 0015a0c8 cmd!eDelete+0x10 (FPO: [Non-Fpo])
    0d 0013fe9c 4ad013eb 0015a0c8 0015a0c8 00000002 cmd!FindFixAndRun+0x1f5 (FPO: [Non-Fpo])
    0e 0013fee0 4ad0f138 00000000 00000001 00000000 cmd!Dispatch+0x137 (FPO: [Non-Fpo])
    0f 0013ff44 4ad05154 00000001 00034068 00032bf8 cmd!main+0x216 (FPO: [Non-Fpo])
    10 0013ffc0 7c817077 80000001 01b0ea68 7ffd3000 cmd!mainCRTStartup+0x125 (FPO: [Non-Fpo])
    11 0013fff0 00000000 4ad05046 00000000 78746341 kernel32!BaseProcessStart+0x23 (FPO: [Non-Fpo])
    1: kd> dds esp
    b1dd2cb4  804e23c9 nt!IopfCallDriver+0x31
    b1dd2cb8  82102020 pdevice_object
    b1dd2cbc  81fde1e8 pirp
    
    NTSTATUS
    NtfsFsdSetInformation (
        IN PVOLUME_DEVICE_OBJECT VolumeDeviceObject,
        IN PIRP Irp
        )
    1: kd> dt _device_object 82102020 -r
    ntdll!_DEVICE_OBJECT
       +0x000 Type             : 0n3
       +0x002 Size             : 0x860
       +0x004 ReferenceCount   : 0n0
       +0x008 DriverObject     : 0x82237ca0 _DRIVER_OBJECT
          +0x01c DriverName       : _UNICODE_STRING "FileSystemNtfs"
             +0x000 Length           : 0x20
             +0x002 MaximumLength    : 0x20
             +0x004 Buffer           : 0xe140e128  "FileSystemNtfs"
    
    
    1: kd> dt _irp 81fde1e8 -r
    ntdll!_IRP
       +0x000 Type             : 0n6    //#define IRP_MJ_SET_INFORMATION          0x06
       +0x040 Tail             : __unnamed
          +0x000 Overlay          : __unnamed
             +0x000 DeviceQueueEntry : _KDEVICE_QUEUE_ENTRY
             +0x000 DriverContext    : [4] (null) 
             +0x010 Thread           : 0x81ca8518 _ETHREAD
             +0x014 AuxiliaryBuffer  : (null) 
             +0x018 ListEntry        : _LIST_ENTRY [ 0x0 - 0x0 ]
             +0x020 CurrentStackLocation : 0x81fde330 _IO_STACK_LOCATION
             +0x020 PacketType       : 0x81fde330
             +0x024 OriginalFileObject : 0x81c63660 _FILE_OBJECT
    1: kd> dt _file_object 0x81c63660 
    ntdll!_FILE_OBJECT
       +0x026 ReadAccess       : 0 ''
       +0x027 WriteAccess      : 0 ''
       +0x028 DeleteAccess     : 0x1 ''
       +0x029 SharedRead       : 0x1 ''
       +0x02a SharedWrite      : 0x1 ''
       +0x02b SharedDelete     : 0x1 ''
       +0x02c Flags            : 0x40040
       +0x030 FileName         : _UNICODE_STRING "4"
    Win8.0 and Win8.1 (builds 9200 and 9600)
    use ZwOpenFile with the FILE_DELETE_ON_CLOSE flag instead.
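    The following Python script is an added example, not code from the original post. It shows how a filter-driver author or forensic analyst can map a WinDbg trace back to the three deletion paths listed above: it parses the `kvn` frames, the IRP `Type` field and the FILE_OBJECT access bits from constructed copies of the output shown above, and reports which kernel entry point (NtCreateFile/NtOpenFile with FILE_DELETE_ON_CLOSE, NtDeleteFile, or NtSetInformationFile with FileDispositionInformation) the stack went through. The second stack sample, standing in for the Win8 ZwOpenFile case, is a hypothetical sketch with zeroed addresses, not a real trace.

```python
"""Classify a Windows delete call stack into one of the three kernel deletion paths.

Added example, not part of the original post. The sample texts below are
constructed from the WinDbg output shown in the post (and one hypothetical
Win8-style sketch); the constants come from ntifs.h.
"""
import re

FILE_DELETE_ON_CLOSE = 0x00001000          # CreateOptions flag: path 1 (Nt/ZwCreateFile, Nt/ZwOpenFile)
FileDispositionInformation = 13            # FILE_INFORMATION_CLASS 0xd: path 3 (Nt/ZwSetInformationFile)
IRP_MAJOR = {0x00: "IRP_MJ_CREATE", 0x02: "IRP_MJ_CLOSE",
             0x06: "IRP_MJ_SET_INFORMATION", 0x12: "IRP_MJ_CLEANUP"}

# Kernel entry point of each deletion path, as it appears in a kvn frame.
DELETE_PATHS = {
    "nt!NtCreateFile": 1, "nt!NtOpenFile": 1,      # FILE_DELETE_ON_CLOSE in CreateOptions
    "nt!NtDeleteFile": 2,
    "nt!NtSetInformationFile": 3,                  # FileDispositionInformation
}

# Constructed sample: the first frames of the XP/Win7 `del` trace from the post.
SAMPLE_KVN = """\
 # ChildEBP RetAddr  Args to Child
00 b1dd2cb0 804e23c9 82102020 81fde1e8 81fde1f8 Ntfs!NtfsFsdSetInformation (FPO: [Non-Fpo])
01 b1dd2cc0 805dc2c1 b1dd2d64 0013efd0 805804ed nt!IopfCallDriver+0x31 (FPO: [0,0,0])
02 b1dd2d48 804de98f 00000090 0013f010 0013f033 nt!NtSetInformationFile+0x533 (FPO: [Non-Fpo])
03 b1dd2d48 7c92e514 00000090 0013f010 0013f033 nt!KiFastCallEntry+0xfc (FPO: [0,0] TrapFrame @ b1dd2d64)
04 0013efb0 7c92dc6a 7c832054 00000090 0013f010 ntdll!KiFastSystemCallRet (FPO: [0,0,0])
05 0013efb4 7c832054 00000090 0013f010 0013f033 ntdll!NtSetInformationFile+0xc (FPO: [5,0,0])
06 0013f028 4ad17d07 0113f050 0015d990 001591c0 kernel32!DeleteFileW+0x23f (FPO: [Non-Fpo])
"""

# Hypothetical sketch (zeroed addresses) of the Win8 case: delete via NtOpenFile.
SAMPLE_KVN_WIN8 = """\
00 00000000 00000000 00000000 00000000 00000000 nt!NtOpenFile+0x10
01 00000000 00000000 00000000 00000000 00000000 kernel32!DeleteFileW+0x40
"""

SAMPLE_IRP = "   +0x000 Type             : 0n6\n"                      # from `dt _irp` above
SAMPLE_FILE_OBJECT = """\
   +0x026 ReadAccess       : 0 ''
   +0x027 WriteAccess      : 0 ''
   +0x028 DeleteAccess     : 0x1 ''
   +0x029 SharedRead       : 0x1 ''
   +0x02a SharedWrite      : 0x1 ''
   +0x02b SharedDelete     : 0x1 ''
"""

FRAME_RE = re.compile(
    r"^\s*([0-9a-f]{2})\s+([0-9a-f]{8})\s+([0-9a-f]{8})\s+"
    r"([0-9a-f]{8})\s+([0-9a-f]{8})\s+([0-9a-f]{8})\s+(\S+)", re.M)


def parse_frames(kvn_text):
    """Return kvn frames as dicts; the symbol is stripped of its +offset."""
    return [{
        "index": int(m.group(1), 16),
        "args": tuple(int(a, 16) for a in m.group(4, 5, 6)),
        "symbol": m.group(7).split("+")[0],
    } for m in FRAME_RE.finditer(kvn_text)]


def classify_delete_path(kvn_text):
    """Map a delete call stack to path 1, 2 or 3 and name the frames involved."""
    result = {"path": None, "syscall": None, "fs_entry": None, "user_api": None}
    for f in parse_frames(kvn_text):
        sym = f["symbol"]
        if f["index"] == 0:
            result["fs_entry"] = sym               # innermost frame: file-system dispatch routine
        if sym in DELETE_PATHS and result["path"] is None:
            result["path"], result["syscall"] = DELETE_PATHS[sym], sym
        if sym.startswith("kernel32!") and result["user_api"] is None:
            result["user_api"] = sym
    if result["path"] == 1:
        # A create/open stack alone does not prove a delete; the flag must be checked.
        result["confirm"] = "CreateOptions & FILE_DELETE_ON_CLOSE"
    return result


def irp_major_from_dt(dt_irp_text):
    """Decode the IRP Type field (0n6 == IRP_MJ_SET_INFORMATION) from `dt _irp`."""
    m = re.search(r"\+0x000 Type\s*:\s*0n(\d+)", dt_irp_text)
    return IRP_MAJOR.get(int(m.group(1))) if m else None


def file_object_access(dt_fo_text):
    """Return the access/share fields of a `dt _file_object` dump as booleans."""
    fields = re.findall(r"\+0x[0-9a-f]+ (\w+)\s*:\s*(0x[0-9a-f]+|\d+)", dt_fo_text)
    return {name: int(val, 16) != 0 for name, val in fields}


if __name__ == "__main__":
    print(classify_delete_path(SAMPLE_KVN))        # path 3 via nt!NtSetInformationFile
    print(classify_delete_path(SAMPLE_KVN_WIN8))   # path 1, needs the CreateOptions check
    print(irp_major_from_dt(SAMPLE_IRP))           # IRP_MJ_SET_INFORMATION
    print(file_object_access(SAMPLE_FILE_OBJECT))  # DeleteAccess True, ReadAccess False
```

    The practical point for anyone writing a minifilter or an audit rule is visible in the two classifications: path 3 is fully identified by the IRP_MJ_SET_INFORMATION stack, while path 1 only shows a create/open stack, so the CreateOptions value (FILE_DELETE_ON_CLOSE) has to be inspected at IRP_MJ_CREATE time and the actual removal happens later at cleanup.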
  • Original article: https://www.cnblogs.com/kmshhl/p/4104511.html