- 01
- 02
- 03
- 04
- 05
- 06
- 07
- 08
- 09
- 10
- 11
- 12
- 13
- 14
- 15
- 16
- 17
- 18
- 19
- 20
- 21
- 22
- 23
- 24
- 25
- 26
- 27
- 28
- 29
- 30
- 31
- 32
- 33
- 34
- 35
- 36
- 37
- 38
- 39
- 40
- 41
unit ZwDeleteFileSample;
interface
uses Windows, nt_status, native, hal, fcall, macros, ntoskrnl;
function _DriverEntry(DriverObject: PDriverObject; RegistryPath: PUnicodeString): NTSTATUS; stdcall;
implementation
procedure DriverUnload(pDriverObject: PDriverObject); stdcall;
begin
DbgPrint('Test Driver :: Unloaded');
end;
function _DriverEntry(DriverObject: PDriverObject; RegistryPath: PUnicodeString): NTSTATUS; stdcall;
var UNICODESTRING: UNICODE_STRING;
obj: OBJECT_ATTRIBUTES;
begin
DbgPrint('Test Driver :: Loaded');
DriverObject^.DriverUnload := @DriverUnload;
RtlInitUnicodeString(UNICODESTRING, '\??\C:\test.exe');
InitializeObjectAttributes(obj, @UNICODESTRING, OBJ_CASE_INSENSITIVE + OBJ_KERNEL_HANDLE, 0, nil);
Result := ZwDeleteFile(@obj);
if Result = STATUS_SUCCESS then
begin
DbgPrint('File deleted sucessfully - Result:0x%.8X', Result); // Result to get Error Code
end else
begin
DbgPrint('Fail to delete file - Result:0x%.8X', Result); // Result to get Error Code
DbgPrint('Object name :%wZ', obj.ObjectName); // Result to get Error Code
end;
Result := STATUS_SUCCESS;
end;
end.
Драйвер на дэлфи. Ничего необычного, листайте дальше.
Follow us!
З.Ы. Расшифровывать эти ETW такой гемор, на самом деле. Линупсячьи логи хоть и медленнее, но хоть без ёбли читаются.