ListFiles in kernel mode


#include <ntifs.h>

#define TAG_POOLTEST 'P'

NTSTATUS ListDir() {

    //WCHAR Buffer[8192];
    PVOID Ptr;
    SIZE_T poolSize;
    UNICODE_STRING DirectoryName;
    OBJECT_ATTRIBUTES DirectoryAttributes;
    NTSTATUS Status;
    HANDLE DirectoryHandle;
    IO_STATUS_BLOCK Iosb;
    PFILE_BOTH_DIR_INFORMATION DirInformation;

    poolSize = 8192;

    Ptr = ExAllocatePoolWithTag(PagedPool, poolSize, TAG_POOLTEST);

    if (!Ptr) return STATUS_INSUFFICIENT_RESOURCES;

    RtlInitUnicodeString(&DirectoryName, L"\\??\\C:\\Windows");

        InitializeObjectAttributes(&DirectoryAttributes,
            &DirectoryName,
            OBJ_CASE_INSENSITIVE,
            0,          // absolute open, no relative directory handle
            0);         // no security descriptor necessary

    Status = ZwCreateFile(&DirectoryHandle,
        (FILE_LIST_DIRECTORY | SYNCHRONIZE),
        &DirectoryAttributes,
        &Iosb,
        0,
        0,
        FILE_SHARE_VALID_FLAGS, // FULL sharing
        FILE_OPEN,          // MUST already exist
        (FILE_SYNCHRONOUS_IO_NONALERT | FILE_DIRECTORY_FILE),   // MUST be a directory
        0,
        0);

    if (!NT_SUCCESS(Status)) {
        DbgPrint("%u   Unable to open %S, error = 0x%x\n", DirectoryName.Length / sizeof(WCHAR), DirectoryName.Buffer, Status);
        return Status;
    }

    //
    // We pass NO NAME which is the same as *.*
    //
    Status = ZwQueryDirectoryFile(DirectoryHandle,
        NULL,
        NULL,
        // No APC routine
        NULL,
        // No APC context
        &Iosb,
        Ptr,
        poolSize,
        FileBothDirectoryInformation,
        TRUE,
        NULL,
        FALSE);

    if (!NT_SUCCESS(Status)) {
        DbgPrint("Unable to query directory contents, error 0x%x\n", Status);
        return Status;
    }

    DirInformation = (PFILE_BOTH_DIR_INFORMATION)poolSize;

    // Loop over all files
    for (;;) {
        //
        // Dump the full name of the file.  We could dump the other information
        // here as well, but we'll keep the example shorter instead.
        //
        DbgPrint("%u   %ws\n", DirInformation->FileNameLength / sizeof(WCHAR), &DirInformation->FileName[0]);

        //
        // If there is no offset in the entry, the buffer has been exhausted.
        //
        if (DirInformation->NextEntryOffset == 0) {
            // Re-fill buffer
            Status = ZwQueryDirectoryFile(DirectoryHandle,
                NULL,
                NULL,
                // No APC routine
                NULL,
                // No APC context
                &Iosb,
                Ptr,
                poolSize,
                FileBothDirectoryInformation,
                FALSE,
                NULL,
                FALSE);

            if (!NT_SUCCESS(Status)) {
                if (Status == STATUS_NO_MORE_FILES) break;
                DbgPrint("Unable to query directory contents, error 0x%x\n", Status);
                return Status;
            }

            DirInformation = (PFILE_BOTH_DIR_INFORMATION)poolSize;
            continue;
        }
        //
        // Advance to the next entry.
        //
        DirInformation = (PFILE_BOTH_DIR_INFORMATION)(((PUCHAR)DirInformation) + DirInformation->NextEntryOffset);

    }

    /*NtClose*/ZwClose(DirectoryHandle);
    ExFreePoolWithTag(Ptr, TAG_POOLTEST);
    return Status;
}

VOID /*NTAPI*/ DriverUnload(IN PDRIVER_OBJECT DriverObject) {
    DbgPrint("DriverUnload()!\\n");
    return;
}

/*__declspec (dllexport)*/ NTSTATUS /*NTAPI*/ DriverEntry(IN PDRIVER_OBJECT pDriverObject, IN PUNICODE_STRING RegistryPath) {
    NTSTATUS NtStatus = STATUS_SUCCESS;
    pDriverObject->DriverUnload = /*(PDRIVER_UNLOAD)*/DriverUnload;
    DbgPrint("DriverEntry()!\\n");
    ListDir();
    return NtStatus;
}