驱动文件操作

一、创建文件

#pragma INITCODE
VOID CreateFileTest()
{
 OBJECT_ATTRIBUTES objectAttributes;
 IO_STATUS_BLOCK iostatus;
 HANDLE hfile;
 UNICODE_STRING logFileUnicodeString;

 //初始化UNICODE_STRING字符串
 RtlInitUnicodeString( &logFileUnicodeString,
  L"\??\C:\1.log");
 //或者写成 "\Device\HarddiskVolume1\1.LOG"

 //初始化objectAttributes
 InitializeObjectAttributes(&objectAttributes,
       &logFileUnicodeString,
       OBJ_CASE_INSENSITIVE,
       NULL,
       NULL );

 //创建文件
 NTSTATUS ntStatus = ZwCreateFile( &hfile,
       GENERIC_WRITE,
       &objectAttributes,
       &iostatus,
       NULL,
       FILE_ATTRIBUTE_NORMAL,
       FILE_SHARE_READ,
       FILE_OPEN_IF,//即使存在该文件，也创建
       FILE_SYNCHRONOUS_IO_NONALERT,
       NULL,
       0 );
 if ( NT_SUCCESS(ntStatus))
 {
  KdPrint(("Create file succussfully! "));
 }else
 {
  KdPrint(("Create file  unsuccessfully! "));
 }

 //文件操作
 //.......

 //关闭文件句柄
 ZwClose(hfile);
}
二、打开文件

#pragma INITCODE
VOID OpenFileTest2()
{
 OBJECT_ATTRIBUTES objectAttributes;
 IO_STATUS_BLOCK iostatus;
 HANDLE hfile;
 UNICODE_STRING logFileUnicodeString;

 //初始化UNICODE_STRING字符串
 RtlInitUnicodeString( &logFileUnicodeString,
  L"\??\C:\1.log");
 //或者写成 "\Device\HarddiskVolume1\1.LOG"

 //初始化objectAttributes
 InitializeObjectAttributes(&objectAttributes,
       &logFileUnicodeString,
       OBJ_CASE_INSENSITIVE,
       NULL,
       NULL );

 //创建文件
 NTSTATUS ntStatus = ZwOpenFile( &hfile,
       GENERIC_ALL,
       &objectAttributes,
       &iostatus,
       FILE_SHARE_READ|FILE_SHARE_WRITE,
       FILE_SYNCHRONOUS_IO_NONALERT);
 if ( NT_SUCCESS(ntStatus))
 {
  KdPrint(("Create file succussfully! "));
 }else
 {
  KdPrint(("Create file  unsuccessfully! "));
 }

 //文件操作
 //.......

 //关闭文件句柄
 ZwClose(hfile);
}

#pragma INITCODE
VOID OpenFileTest1()
{
 OBJECT_ATTRIBUTES objectAttributes;
 IO_STATUS_BLOCK iostatus;
 HANDLE hfile;
 UNICODE_STRING logFileUnicodeString;

 //初始化UNICODE_STRING字符串
 RtlInitUnicodeString( &logFileUnicodeString,
  L"\??\C:\1.log");
 //或者写成 "\Device\HarddiskVolume1\1.LOG"

 //初始化objectAttributes
 InitializeObjectAttributes(&objectAttributes,
       &logFileUnicodeString,
       OBJ_CASE_INSENSITIVE,//对大小写敏感
       NULL,
       NULL );

 //创建文件
 NTSTATUS ntStatus = ZwCreateFile( &hfile,
       GENERIC_READ,
       &objectAttributes,
       &iostatus,
       NULL,
       FILE_ATTRIBUTE_NORMAL,
       FILE_SHARE_WRITE,
       FILE_OPEN,//对文件打开，如果不存在则返回错误
       FILE_SYNCHRONOUS_IO_NONALERT,
       NULL,
       0 );
 if ( NT_SUCCESS(ntStatus))
 {
  KdPrint(("Open file succussfully! "));
 }else
 {
  KdPrint(("Open file  unsuccessfully! "));
 }

 //文件操作
 //.......

 //关闭文件句柄
 ZwClose(hfile);
}

三、修改文件的属性（可能有问题）

#pragma INITCODE
VOID ReadFileTest()
{
 OBJECT_ATTRIBUTES objectAttributes;
 IO_STATUS_BLOCK iostatus;
 HANDLE hfile;
 UNICODE_STRING logFileUnicodeString;

 //初始化UNICODE_STRING字符串
 RtlInitUnicodeString( &logFileUnicodeString,
  L"\??\C:\1.log");
 
 //或者写成 "\Device\HarddiskVolume1\1.LOG"

 //初始化objectAttributes
 InitializeObjectAttributes(&objectAttributes,
       &logFileUnicodeString,
       OBJ_CASE_INSENSITIVE,//对大小写敏感
       NULL,
       NULL );

 //创建文件
 NTSTATUS ntStatus = ZwCreateFile( &hfile,
       GENERIC_READ,
       &objectAttributes,
       &iostatus,
       NULL,
       FILE_ATTRIBUTE_NORMAL,
       FILE_SHARE_READ,
       FILE_OPEN,//即使存在该文件，也创建
       FILE_SYNCHRONOUS_IO_NONALERT,
       NULL,
       0 );

 if (!NT_SUCCESS(ntStatus))
 {
  KdPrint(("The file is not exist! "));
  return;
 }

 FILE_STANDARD_INFORMATION fsi;
 //读取文件长度
 ntStatus = ZwQueryInformationFile(hfile,
         &iostatus,
         &fsi,
         sizeof(FILE_STANDARD_INFORMATION),
         FileStandardInformation);

 KdPrint(("The program want to read %d bytes ",fsi.EndOfFile.QuadPart));

 //为读取的文件分配缓冲区
  PUCHAR pBuffer = (PUCHAR)ExAllocatePool(PagedPool,
        (LONG)fsi.EndOfFile.QuadPart);

 //读取文件
 ZwReadFile(hfile,NULL,
    NULL,NULL,
    &iostatus,
    pBuffer,
    (LONG)fsi.EndOfFile.QuadPart,
    NULL,NULL);
 KdPrint(("The program really read %d bytes ",iostatus.Information));
 //关闭文件句柄
 ZwClose(hfile);

 //释放缓冲区
 ExFreePool(pBuffer);
}

四、写文件的操作

#pragma INITCODE
VOID WriteFileTest()
{
 OBJECT_ATTRIBUTES objectAttributes;
 IO_STATUS_BLOCK iostatus;
 HANDLE hfile;
 UNICODE_STRING logFileUnicodeString;

 //初始化UNICODE_STRING字符串
 RtlInitUnicodeString( &logFileUnicodeString,
  L"\??\C:\1.log");
 //或者写成 "\Device\HarddiskVolume1\1.LOG"

 //初始化objectAttributes
 InitializeObjectAttributes(&objectAttributes,
       &logFileUnicodeString,
       OBJ_CASE_INSENSITIVE,//对大小写敏感
       NULL,
       NULL );

 //创建文件
 NTSTATUS ntStatus = ZwCreateFile( &hfile,
       GENERIC_WRITE,
       &objectAttributes,
       &iostatus,
       NULL,
       FILE_ATTRIBUTE_NORMAL,
       FILE_SHARE_WRITE,
       FILE_OPEN_IF,//即使存在该文件，也创建
       FILE_SYNCHRONOUS_IO_NONALERT,
       NULL,
       0 );
#define BUFFER_SIZE 1024
 PUCHAR pBuffer = (PUCHAR)ExAllocatePool(PagedPool,BUFFER_SIZE);
 //构造要填充的数据
 RtlFillMemory(pBuffer,BUFFER_SIZE,0xAA);

 KdPrint(("The program will write %d bytes ",BUFFER_SIZE));
 //写文件
 ZwWriteFile(hfile,NULL,NULL,NULL,&iostatus,pBuffer,BUFFER_SIZE,NULL,NULL);
 KdPrint(("The program really wrote %d bytes ",iostatus.Information));

 //构造要填充的数据
 RtlFillMemory(pBuffer,BUFFER_SIZE,0xBB);

 KdPrint(("The program will append %d bytes ",BUFFER_SIZE));
 //追加数据
 LARGE_INTEGER number;
 number.QuadPart = 1024i64;//设置文件指针
 //对文件进行附加写
 ZwWriteFile(hfile,NULL,NULL,NULL,&iostatus,pBuffer,BUFFER_SIZE,&number,NULL);
 KdPrint(("The program really appended %d bytes ",iostatus.Information));

 //关闭文件句柄
 ZwClose(hfile);

 ExFreePool(pBuffer);
}

五、读文件的操作（可能有问题）

#pragma INITCODE
VOID ReadFileTest()
{
 OBJECT_ATTRIBUTES objectAttributes;
 IO_STATUS_BLOCK iostatus;
 HANDLE hfile;
 UNICODE_STRING logFileUnicodeString;

 //初始化UNICODE_STRING字符串
 RtlInitUnicodeString( &logFileUnicodeString,
  L"\??\C:\1.log");
 
 //或者写成 "\Device\HarddiskVolume1\1.LOG"

 //初始化objectAttributes
 InitializeObjectAttributes(&objectAttributes,
       &logFileUnicodeString,
       OBJ_CASE_INSENSITIVE,//对大小写敏感
       NULL,
       NULL );

 //创建文件
 NTSTATUS ntStatus = ZwCreateFile( &hfile,
       GENERIC_READ,
       &objectAttributes,
       &iostatus,
       NULL,
       FILE_ATTRIBUTE_NORMAL,
       FILE_SHARE_READ,
       FILE_OPEN,//即使存在该文件，也创建
       FILE_SYNCHRONOUS_IO_NONALERT,
       NULL,
       0 );

 if (!NT_SUCCESS(ntStatus))
 {
  KdPrint(("The file is not exist! "));
  return;
 }

 FILE_STANDARD_INFORMATION fsi;
 //读取文件长度
 ntStatus = ZwQueryInformationFile(hfile,
         &iostatus,
         &fsi,
         sizeof(FILE_STANDARD_INFORMATION),
         FileStandardInformation);

 KdPrint(("The program want to read %d bytes ",fsi.EndOfFile.QuadPart));

 //为读取的文件分配缓冲区
  PUCHAR pBuffer = (PUCHAR)ExAllocatePool(PagedPool,
        (LONG)fsi.EndOfFile.QuadPart);

 //读取文件
 ZwReadFile(hfile,NULL,
    NULL,NULL,
    &iostatus,
    pBuffer,
    (LONG)fsi.EndOfFile.QuadPart,
    NULL,NULL);
 KdPrint(("The program really read %d bytes ",iostatus.Information));
 //关闭文件句柄
 ZwClose(hfile);

 //释放缓冲区
 ExFreePool(pBuffer);
}

 //ZwCreateFile

   参数DesiredAccess [in] 追加 FILE_APPEND_DATA  

和 GENERIC_* 一起执行或操作。FILE_APPEND_DATA 是不起作用的 必须和 FILE_*组合