通过文件句柄取得到文件名(三)

从文件句柄获得文件名方法(三)， 这次是用wdk函数ZwQueryInformationFile()，和GetVolumeInformation()。

通过判断取得的dwVolumeSerialNumber来确定盘符。

其他的内核函数比如说ObDereferenceObject()也可以。

参考了Adly's blog 的 通过文件句柄得到文件所在路径的一种新方法 —— 得到完整路径名

LPWSTR GetFileNameFromHandleW3(HANDLE hFile, LPWSTR lpFilePath) {

const int FileNameInformation = 9; // enum FILE_INFORMATION_CLASS; Defined in winddk.h

typedef struct _IO_STATUS_BLOCK {

union {

ULONG Status; // NTSTATUS

PVOID Pointer;

};

ULONG_PTR Information;

} IO_STATUS_BLOCK, *PIO_STATUS_BLOCK; // Defined in Wdm.h

typedef struct _FILE_NAME_INFORMATION {

ULONG FileNameLength;

WCHAR FileName[MAX_PATH];

} FILE_NAME_INFORMATION, *PFILE_NAME_INFORMATION;

typedef LONG (CALLBACK* ZWQUERYINFORMATIONFILE)(

HANDLE FileHandle,

IO_STATUS_BLOCK *IoStatusBlock,

PVOID FileInformation,

ULONG Length,

ULONG FileInformationClass

);

lpFilePath[0] = 0x00;

HMODULE hNtDLL = LoadLibraryW(L"ntdll.dll");

if (hNtDLL == 0x00) { return 0x00; }

ZWQUERYINFORMATIONFILE ZwQueryInformationFile = (ZWQUERYINFORMATIONFILE)GetProcAddress(hNtDLL, "ZwQueryInformationFile");

if (ZwQueryInformationFile == 0x00) { return 0x00; }

FILE_NAME_INFORMATION fni;

IO_STATUS_BLOCK isb;

if (ZwQueryInformationFile(hFile, &isb, &fni, sizeof(fni), FileNameInformation) != 0) { return 0x00; }

fni.FileName[fni.FileNameLength / sizeof(WCHAR)] = 0x00;

BY_HANDLE_FILE_INFORMATION fi;

if(!GetFileInformationByHandle(hFile, &fi) || (fi.dwFileAttributes & FILE_ATTRIBUTE_DIRECTORY)) { return 0x00; }

WCHAR szDrive [MAX_PATH];

WCHAR *lpDrive = szDrive;

int iPathLen;

if (GetLogicalDriveStringsW(MAX_PATH - 1, szDrive) >= MAX_PATH) { return 0x00; }

while ((iPathLen = lstrlenW(lpDrive)) != 0) {

DWORD dwVolumeSerialNumber;

if(!GetVolumeInformation(lpDrive, NULL, NULL, &dwVolumeSerialNumber,NULL, NULL, NULL, NULL)) { return 0x00; }

if (dwVolumeSerialNumber == fi.dwVolumeSerialNumber) {

lstrcpynW(lpFilePath, lpDrive, lstrlen(lpDrive));

lstrcatW(lpFilePath, fni.FileName);

break;

}

lpDrive += iPathLen + 1;

}

return lpFilePath;

}