

NTFS流文件漏洞发现与NT Path在API接口的一些调试

代码:

----------------------

using System;

using System.ComponentModel;

using System.Runtime.InteropServices;

using System.Text;


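class Program
{
  // Shows how one input is resolved by the NT path conversion
  // (RtlDosPathNameToRelativeNtPathName_U_WithStatus) versus the Win32 full
  // path conversion (RtlGetFullPathName_UEx).  The two can disagree: an input
  // beginning with \??\ is classified RtlPathTypeRooted and kept as an NT
  // object path, while the Win32 full path prefixes it with the current
  // drive.  A check performed on the Win32 form therefore says nothing about
  // which object the NT layer will actually open.

  // Native UNICODE_STRING.  Length and MaximumLength are byte counts and the
  // text is read by explicit character count (Length / 2) rather than by
  // scanning Buffer for a terminator.
  [StructLayout(LayoutKind.Sequential)]
  struct UNICODE_STRING
  {
    public ushort Length;
    public ushort MaximumLength;
    public IntPtr Buffer;

    // Returns the Length/2 characters at Buffer, or "(null)" when Buffer is NULL.
    public override string ToString()
    {
      return Buffer == IntPtr.Zero
        ? "(null)"
        : Marshal.PtrToStringUni(Buffer, Length / 2);
    }
  }

  // Native RTL_RELATIVE_NAME_U.  Declared as a class so the [Out] parameter
  // marshals as a pointer that the callee fills in.  CurDirRef is only set
  // for relative input and is released with RtlReleaseRelativeName once the
  // caller is done with the structure.
  [StructLayout(LayoutKind.Sequential)]
  class RTL_RELATIVE_NAME
  {
    public UNICODE_STRING RelativeName;
    public IntPtr ContainingDirectory;
    public IntPtr CurDirRef;
  }

  // Converts a DOS/Win32 path to its NT form.  Returns an NTSTATUS (0 on
  // success).  On success NtFileName.Buffer is allocated by ntdll and is freed
  // with RtlFreeUnicodeString; RelativeName is released with
  // RtlReleaseRelativeName.
  [DllImport("ntdll.dll", CharSet = CharSet.Unicode)]
  static extern int RtlDosPathNameToRelativeNtPathName_U_WithStatus(
    string DosFileName,
    out UNICODE_STRING NtFileName,
    out IntPtr ShortPath,
    [Out] RTL_RELATIVE_NAME RelativeName);

  // Releases the reference held in RTL_RELATIVE_NAME.CurDirRef.
  [DllImport("ntdll.dll")]
  static extern void RtlReleaseRelativeName([In, Out] RTL_RELATIVE_NAME RelativeName);

  // Frees a UNICODE_STRING buffer that ntdll allocated on the caller's behalf.
  [DllImport("ntdll.dll")]
  static extern void RtlFreeUnicodeString(ref UNICODE_STRING UnicodeString);

  // Mirrors the native RTL_PATH_TYPE enumeration in declaration order
  // (RtlPathTypeUnknown = 0).
  enum RTL_PATH_TYPE
  {
    RtlPathTypeUnknown,
    RtlPathTypeUncAbsolute,
    RtlPathTypeDriveAbsolute,
    RtlPathTypeDriveRelative,
    RtlPathTypeRooted,
    RtlPathTypeRelative,
    RtlPathTypeLocalDevice,
    RtlPathTypeRootLocalDevice
  }

  // Classifies a DOS path without converting it.
  [DllImport("ntdll.dll", CharSet = CharSet.Unicode)]
  static extern RTL_PATH_TYPE RtlDetermineDosPathNameType_U(string Path);

  // Win32-style full path resolution.  Returns an NTSTATUS (0 on success).
  // BufferLength is a byte count, not a character count.
  [DllImport("ntdll.dll", CharSet = CharSet.Unicode)]
  static extern int RtlGetFullPathName_UEx(
    string FileName,
    int BufferLength,
    [Out] StringBuilder Buffer,
    IntPtr FilePart,
    out int FinalLength);

  // Maps an NTSTATUS to the corresponding Win32 error code.
  [DllImport("ntdll.dll")]
  static extern int RtlNtStatusToDosError(int NtStatus);

  // Prints the Win32 error text for a failed NTSTATUS.
  static void PrintStatus(int status)
  {
    int win32Error = RtlNtStatusToDosError(status);
    Console.WriteLine("Error:        {0}",
      new Win32Exception(win32Error).Message);
  }

  // Prints the NT conversion and the Win32 full path for one input path.
  static void ConvertPath(string path)
  {
    Console.WriteLine("Converting:   '{0}'", path);
    PrintNtPath(path);
    PrintFullPath(path);
  }

  // Runs the NT conversion and prints the NT name, the DOS path type, the final
  // component and, for relative input, the relative-name data.  Whatever the
  // call handed out (the NT name buffer and the CurDirRef reference) is
  // released before returning, which the original version never did.
  static void PrintNtPath(string path)
  {
    UNICODE_STRING ntname = new UNICODE_STRING();
    IntPtr filename = IntPtr.Zero;
    RTL_RELATIVE_NAME relative_name = new RTL_RELATIVE_NAME();
    int status = RtlDosPathNameToRelativeNtPathName_U_WithStatus(
                    path,
                    out ntname,
                    out filename,
                    relative_name);
    if (status != 0)
    {
      // Nothing was allocated for us on failure, so there is nothing to free.
      PrintStatus(status);
      return;
    }

    try
    {
      Console.WriteLine("To:           '{0}'",
        ntname);
      Console.WriteLine("Type:         {0}",
        RtlDetermineDosPathNameType_U(path));
      // If ShortPath is left NULL, PtrToStringUni returns null and the line
      // prints with an empty value rather than throwing.
      Console.WriteLine("FileName:     {0}",
        Marshal.PtrToStringUni(filename));
      if (relative_name.RelativeName.Length > 0)
      {
        Console.WriteLine("RelativeName: '{0}'",
          relative_name.RelativeName);
        Console.WriteLine("Directory:    0x{0:X}",
          relative_name.ContainingDirectory.ToInt64());
        Console.WriteLine("CurDirRef:    0x{0:X}",
          relative_name.CurDirRef.ToInt64());
      }
    }
    finally
    {
      // Release in the reverse order of acquisition; both are guarded so a
      // non-relative input (no CurDirRef) or an empty name is a no-op.
      if (relative_name.CurDirRef != IntPtr.Zero)
      {
        RtlReleaseRelativeName(relative_name);
      }
      if (ntname.Buffer != IntPtr.Zero)
      {
        RtlFreeUnicodeString(ref ntname);
      }
    }
  }

  // Runs the Win32 full path conversion into a MAX_PATH-sized buffer and
  // prints the result, or the error when the call fails (including when the
  // buffer is too small for the resolved path).
  static void PrintFullPath(string path)
  {
    int length;
    StringBuilder builder = new StringBuilder(260);
    // Capacity is in characters; the API wants bytes, hence * 2.
    int status = RtlGetFullPathName_UEx(
      path,
      builder.Capacity * 2,
      builder,
      IntPtr.Zero,
      out length);
    if (status == 0)
    {
      Console.WriteLine("FullPathName: '{0}'",
        builder.ToString());
    }
    else
    {
      PrintStatus(status);
    }
  }

  // Entry point: converts the single DOS path given on the command line.
  static void Main(string[] args)
  {
    if (args.Length < 1)
    {
      Console.WriteLine("Usage: ConvertDosPathToNtPath DosPath");
      return;
    }
    ConvertPath(args[0]);
  }
}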



-----------------------

编译


C:\test>C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe 1.cs

Microsoft(R) Visual C# 编译器版本 4.0.30319.34209

用于 Microsoft(R) .NET Framework 4.5

版权所有 (C) Microsoft Corporation。保留所有权利。




可以查看一些流文件的差别

C:\test>1.exe c:\test

Converting:   'c:\test'

To:           '\??\c:\test'

Type:         RtlPathTypeDriveAbsolute

FileName:     test

FullPathName: 'c:\test'


C:\test>1.exe  \??\X:\ABC

Converting:   '\??\X:\ABC'

To:           '\??\X:\ABC'

Type:         RtlPathTypeRooted

FileName:     ABC

FullPathName: 'C:\??\X:\ABC'


C:\test>1.exe  abc

Converting:   'abc'

To:           '\??\C:\test\abc'

Type:         RtlPathTypeRelative

FileName:     abc

RelativeName: 'abc'

Directory:    0xC

CurDirRef:    0x242C60

FullPathName: 'C:\test\abc'


差别在哪?


可能不明显,下面给出 NT PATH、FULLPATH、DOS PATH 的对比:






<sp>是空格


可以去研究路径的转换,能研究出很多好玩的东西。

