kernel32!OpenFile and kernel32!DeleteFile

kernel32!OpenFile and ntdll!NtOpenFile

kernel32!OpenFile does not call ntdll!NtOpenFile directly; what it actually calls is ntdll!NtCreateFile.

ntdll!NtOpenFile

ntdll!NtOpenFile is not declared, so to call it you have to obtain its address dynamically with GetProcAddress.

#include <windows.h>

typedef LONG NTSTATUS;   /* windows.h alone does not define NTSTATUS */

typedef struct _IO_STATUS_BLOCK {
  union {
    NTSTATUS Status;
    PVOID    Pointer;
  };
  ULONG_PTR Information;
} IO_STATUS_BLOCK, *PIO_STATUS_BLOCK;

typedef struct _UNICODE_STRING {
  USHORT Length;          /* length in bytes, not characters */
  USHORT MaximumLength;
  PWSTR  Buffer;          /* wide-character buffer */
} UNICODE_STRING, *PUNICODE_STRING;

typedef struct _OBJECT_ATTRIBUTES {
  ULONG           Length;
  HANDLE          RootDirectory;
  PUNICODE_STRING ObjectName;
  ULONG           Attributes;
  PVOID           SecurityDescriptor;
  PVOID           SecurityQualityOfService;
} OBJECT_ATTRIBUTES, *POBJECT_ATTRIBUTES;

/* function-pointer types for the two ntdll exports that are resolved at run time */
typedef void (__stdcall *RtlInitUnicodeStringA)(PUNICODE_STRING DestinationString, PCWSTR SourceString);
typedef NTSTATUS (__stdcall *NtOpenFileA)(PHANDLE FileHandle, ACCESS_MASK DesiredAccess, OBJECT_ATTRIBUTES *ObjectAttributes, PIO_STATUS_BLOCK IoStatusBlock, ULONG ShareAccess, ULONG OpenOptions);

int main(void)
{
  HMODULE hNtdll = LoadLibrary(TEXT("ntdll.dll"));   /* ntdll is already mapped in every process; this only adds a reference */
  RtlInitUnicodeStringA RtlInitUnicodeString = (RtlInitUnicodeStringA)GetProcAddress(hNtdll, "RtlInitUnicodeString");
  NtOpenFileA NtOpenFile = (NtOpenFileA)GetProcAddress(hNtdll, "NtOpenFile");
  if (!RtlInitUnicodeString || !NtOpenFile) return 1;

  UNICODE_STRING stFileName = { 0 };
  RtlInitUnicodeString(&stFileName, L"\\??\\C:\\test.txt");   /* example path: NT form with the \??\ prefix, wide string */
  OBJECT_ATTRIBUTES oa = { sizeof(oa), NULL, &stFileName, 0x40 /* OBJ_CASE_INSENSITIVE */, NULL, NULL };
  IO_STATUS_BLOCK iosb = { 0 };
  HANDLE hFile = NULL;
  NTSTATUS status = NtOpenFile(&hFile, FILE_READ_ATTRIBUTES, &oa, &iosb, FILE_SHARE_READ, 0);
  if (status >= 0) CloseHandle(hFile);
  return (int)status;   /* 0xC000003B means the path given was malformed */
}
  • If ntdll!NtOpenFile returns 0xC000003B, the file path you passed is wrong.
  • Note that the file name passed to ntdll!NtOpenFile must carry the "\??\" prefix.
  • When using RtlInitUnicodeString(PUNICODE_STRING DestinationString, PCWSTR SourceString), note that its second parameter is a wide-character string.

kernel32!DeleteFile and ntdll!NtDeleteFile

What kernel32!DeleteFile calls underneath is not ntdll!NtDeleteFile but ntdll!NtSetInformationFile (passing the FileDispositionInformation / FileDispositionInformationEx information class).

ntdll!NtDeleteFile

ntdll!NtDeleteFile is not declared either; to call it you need to obtain the function address with GetProcAddress.
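The two sections above (NtOpenFile and NtDeleteFile) share the same pitfalls: the export has to be resolved at run time, the name must be an NT path with the "\??\" prefix, and the UNICODE_STRING must be built from a wide string. The program below is an added example, not code from the original post. It resolves both exports with GetProcAddress, converts a Win32 path into the "\??\" form before handing it to ntdll (covering drive-letter, UNC and "\\?\" inputs, which goes beyond the single case in the text), and decodes the NTSTATUS it gets back. The path conversion and NTSTATUS helpers are portable C99; the ntdll calls are compiled only under _WIN32. The file name in main() is an assumed sample.

```c
/* Added example (not from the original post): call the undeclared ntdll exports
 * NtOpenFile / NtDeleteFile with a properly formed NT path. Helpers are plain
 * C99; the ntdll part builds only under _WIN32. The file name in main() is an
 * assumed sample, not a real target. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <wchar.h>
#include <wctype.h>

/* NTSTATUS values used here (documented values) */
#define NTST_SUCCESS                 0x00000000UL
#define NTST_OBJECT_PATH_SYNTAX_BAD  0xC000003BUL   /* NtOpenFile's answer to a path without the \??\ prefix */
#define NTST_PROCEDURE_NOT_FOUND     0xC000007AUL

/* Bits 31-30 of an NTSTATUS hold the severity; 3 means STATUS_SEVERITY_ERROR. */
int ntstatus_is_error(unsigned long st) { return (st >> 30) == 3UL; }

const char *ntstatus_name(unsigned long st)
{
    switch (st) {
    case NTST_SUCCESS:                return "STATUS_SUCCESS";
    case NTST_OBJECT_PATH_SYNTAX_BAD: return "STATUS_OBJECT_PATH_SYNTAX_BAD";
    case NTST_PROCEDURE_NOT_FOUND:    return "STATUS_PROCEDURE_NOT_FOUND";
    default: return ntstatus_is_error(st) ? "(other error)" : "(other status)";
    }
}

/* Turn a Win32 path into the \??\ object-manager form ntdll expects:
 *   C:\dir\f -> \??\C:\dir\f     \\server\share\f -> \??\UNC\server\share\f
 *   \\?\C:\f -> \??\C:\f         \??\...          -> unchanged
 * Relative paths are refused (NULL): kernel32 resolves them against the current
 * directory, ntdll does not. Caller frees the result. */
wchar_t *win32_to_nt_path(const wchar_t *p)
{
    const wchar_t *mid = L"", *tail;
    if (wcsncmp(p, L"\\??\\", 4) == 0)        tail = p + 4;
    else if (wcsncmp(p, L"\\\\?\\", 4) == 0)  tail = p + 4;
    else if (wcsncmp(p, L"\\\\", 2) == 0)   { tail = p + 2; mid = L"UNC\\"; }
    else if (iswalpha(p[0]) && p[1] == L':' && p[2] == L'\\') tail = p;
    else return NULL;
    wchar_t *out = malloc((4 + wcslen(mid) + wcslen(tail) + 1) * sizeof(wchar_t));
    if (!out) return NULL;
    wcscpy(out, L"\\??\\"); wcscat(out, mid); wcscat(out, tail);
    return out;
}

/* Convert, compare against an expected NT path, free; used by the checks. */
int nt_path_equals(const wchar_t *win32, const wchar_t *expected)
{
    wchar_t *nt = win32_to_nt_path(win32);
    int same = nt != NULL && wcscmp(nt, expected) == 0;
    free(nt);
    return same;
}

#ifdef _WIN32
#include <windows.h>
typedef LONG NTSTATUS;
typedef struct _UNICODE_STRING { USHORT Length; USHORT MaximumLength; PWSTR Buffer; } UNICODE_STRING, *PUNICODE_STRING;
typedef struct _OBJECT_ATTRIBUTES { ULONG Length; HANDLE RootDirectory; PUNICODE_STRING ObjectName; ULONG Attributes;
                                    PVOID SecurityDescriptor; PVOID SecurityQualityOfService; } OBJECT_ATTRIBUTES;
typedef struct _IO_STATUS_BLOCK { union { NTSTATUS Status; PVOID Pointer; }; ULONG_PTR Information; } IO_STATUS_BLOCK;
typedef void     (NTAPI *pfnRtlInitUnicodeString)(PUNICODE_STRING, PCWSTR);
typedef NTSTATUS (NTAPI *pfnNtOpenFile)(PHANDLE, ACCESS_MASK, OBJECT_ATTRIBUTES *, IO_STATUS_BLOCK *, ULONG, ULONG);
typedef NTSTATUS (NTAPI *pfnNtDeleteFile)(OBJECT_ATTRIBUTES *);

/* Open a file by Win32 path through ntdll (attributes only), close it, then remove it with NtDeleteFile. */
unsigned long nt_open_then_delete(const wchar_t *win32_path)
{
    HMODULE ntdll = GetModuleHandleW(L"ntdll.dll");      /* mapped in every process; no LoadLibrary needed */
    pfnRtlInitUnicodeString pRtlInitUnicodeString = (pfnRtlInitUnicodeString)GetProcAddress(ntdll, "RtlInitUnicodeString");
    pfnNtOpenFile   pNtOpenFile   = (pfnNtOpenFile)GetProcAddress(ntdll, "NtOpenFile");
    pfnNtDeleteFile pNtDeleteFile = (pfnNtDeleteFile)GetProcAddress(ntdll, "NtDeleteFile");
    if (!pRtlInitUnicodeString || !pNtOpenFile || !pNtDeleteFile) return NTST_PROCEDURE_NOT_FOUND;

    wchar_t *nt_path = win32_to_nt_path(win32_path);      /* ntdll does no Win32 -> NT path normalisation */
    if (!nt_path) return NTST_OBJECT_PATH_SYNTAX_BAD;
    UNICODE_STRING name;
    pRtlInitUnicodeString(&name, nt_path);                /* second argument must be a wide string */
    OBJECT_ATTRIBUTES oa = { sizeof oa, NULL, &name, 0x40 /* OBJ_CASE_INSENSITIVE */, NULL, NULL };
    IO_STATUS_BLOCK iosb = { 0 };
    HANDLE h = NULL;
    NTSTATUS st = pNtOpenFile(&h, FILE_READ_ATTRIBUTES, &oa, &iosb,
                              FILE_SHARE_READ | FILE_SHARE_WRITE | FILE_SHARE_DELETE, 0);
    if (st >= 0) { CloseHandle(h); st = pNtDeleteFile(&oa); }
    free(nt_path);
    return (unsigned long)st;
}
#endif

int main(void)
{
    const wchar_t *samples[] = { L"C:\\Temp\\sample.txt", L"\\\\server\\share\\f.txt", L"relative\\f.txt" }; /* constructed */
    for (size_t i = 0; i < 3; i++) {
        wchar_t *nt = win32_to_nt_path(samples[i]);
        printf("%ls -> %ls\n", samples[i], nt ? nt : L"(rejected: not an absolute Win32 path)");
        free(nt);
    }
#ifdef _WIN32
    unsigned long st = nt_open_then_delete(L"C:\\Temp\\sample.txt");   /* assumed sample file */
    printf("ntdll: 0x%08lX %s\n", st, ntstatus_name(st));
#endif
    return 0;
}
```

Opening with FILE_READ_ATTRIBUTES and full sharing keeps the probe itself harmless; the NtDeleteFile call operates on the same OBJECT_ATTRIBUTES, which is why the \??\ path is built once and reused. NtDeleteFile is what the post describes, so it is used here rather than the NtSetInformationFile / FileDispositionInformation route that kernel32!DeleteFile takes.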

Posted @ 2022-02-03 19:07 by 怎么可以吃突突