|
这个问题解决了。
还有一个问题:
PART -drv list volume 能否适配这种格式的卷名:\Device\Ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}?目前这种卷获取不到盘符。
PE 的 X 盘就是这种格式的卷名,可以用老大以前写的命令获取:
// Read the SystemBootDevice value under HKLM\SYSTEM\CurrentControlSet\Control into arcname,
// then resolve the object-manager symbolic link \ArcName\<value> to the device it points at.
// NOTE(review): arcname is used without checking that the registry read succeeded; if it is
// empty the lookup is made on the bare "\ArcName\" path — confirm that is acceptable.
REGI .HKLM\SYSTEM\CurrentControlSet\Control\SystemBootDevice,&&arcname
CALL GetSymbolic "\ArcName\%&arcname%" &&volume
// Display the resolved name; the trailing comment is the value the poster reports for the PE X: drive.
mess. [%&volume%] //\Device\Ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}
_SUB GetSymbolic
// Usage: GetSymbolic <link-path> <out-var>
// Resolves an NT object-manager symbolic link (first argument, e.g. "\ArcName\...") to its
// target and stores the target string in the variable named by the second argument.
// It calls ntdll's NtOpenSymbolicLinkObject / NtQuerySymbolicLinkObject directly.
// NOTE(review): the status that each native call stores in ret is never tested. If the open
// fails, the query and CloseHandle still run on whatever hb holds (it is zero-filled at
// allocation) and the caller gets the untouched buffer, presumably an empty string.
// Check ret after the open and the query before trusting the result.
// Load PtrSz and the access/attribute constants used below.
CALL _INITVAR
// Link path supplied by the caller.
SET &nm=%~1
// Zero-filled scratch buffers for the native structures. The Attr size of 48 matches
// OBJECT_ATTRIBUTES on 64-bit (6 pointers) and is larger than the 32-bit layout needs.
// NOTE(review): whether the *N count is in bytes or characters is not visible here — TODO confirm.
SET$ &hb=*8 0 //HANDLE
SET$ &Attr=*48 0 //OBJECT_ATTRIBUTES
SET$ &arcName=*16 0 //UNICODE_STRING
SET$ &retName=*16 0 //UNICODE_STRING
// Make the arcName UNICODE_STRING describe the nm string (it references nm, it does not copy it).
CALL $--qd --ret:&&ret ntdll.dll,RtlInitUnicodeString,*&arcName,*&nm
// Address of the arcName structure, needed for OBJECT_ATTRIBUTES.ObjectName.
ENVI-addr &&arcName_ptr=&arcName
// Output buffer that receives the link target.
SET$ &buf=*4096 0
ENVI-addr &&buf_ptr=&buf
// Build the output UNICODE_STRING by hand: Length stays 0, MaximumLength is at offset 2,
// Buffer is at offset PtrSz.
// NOTE(review): MaximumLength is declared as 8192 bytes, which assumes buf holds 4096
// two-byte characters. If *4096 is a byte count the query may write past buf — confirm.
// NOTE(review): MaximumLength is a 16-bit field; if SET-long stores 32 bits, the extra zero
// bytes land on padding (64-bit) or on Buffer (32-bit), which the next line sets afterwards,
// so keep these two lines in this order.
SET-long retName=8192:2 //retName.MaximumLength = 4096 * 2
SET-ptr retName=%&buf_ptr%:%PtrSz% //retName.Buffer = buf
// Object attributes: name = arcName, case-insensitive lookup, no root directory, no security descriptor.
CALL InitializeObjectAttributes &Attr %&arcName_ptr% %&OBJ_CASE_INSENSITIVE% 0 0
// Open the link with query-only access (SYMBOLIC_LINK_QUERY); the handle is written into hb.
CALL $--qd --ret:&&ret Ntdll.dll,NtOpenSymbolicLinkObject,*&hb,#%SYMBOLIC_LINK_QUERY%,*&Attr
// Presumably reads the pointer-sized handle value out of hb into h — TODO confirm SET?ptr semantics.
SET?ptr hb=&&h
// Query the target into retName (that is, into buf); the final 0 omits the optional ReturnedLength.
CALL $--qd --ret:&&ret Ntdll.dll,NtQuerySymbolicLinkObject,#%h%,*&retName,#0
// Release the link handle.
CALL $--qd --ret:&&ret Kernel32.dll,CloseHandle,#%h%
// Hand the buffer contents back in the caller's output variable.
ENVI-ret %~2=%&buf%
_END
_SUB InitializeObjectAttributes //p n a r s
// Script version of the C macro InitializeObjectAttributes(p, n, a, r, s).
// Arguments, in order: p = name of the buffer variable to fill, n = address of the
// UNICODE_STRING object name, a = attribute flags, r = root directory handle,
// s = security descriptor pointer.
// Each field sits at a multiple of PtrSz, so one routine serves both 32-bit and 64-bit layouts.
// PtrSz must already be set (GetSymbolic calls _INITVAR before calling this sub).
// Structure size: 6 pointer-sized slots (24 bytes on 32-bit, 48 on 64-bit).
CALC &&Sz=6*%PtrSz%
ENVI-long %~1=%&Sz%:0 //(p)->Length = sizeof(OBJECT_ATTRIBUTES);
ENVI-ptr %~1=%~4:%PtrSz% //(p)->RootDirectory = r
ENVI-ptr %~1=%~2:(%PtrSz%*2) //(%PtrSz%+%PtrSz%) //(p)->ObjectName = n
ENVI-long %~1=%~3:(%PtrSz%*3) //(%PtrSz%+%PtrSz%+%PtrSz%) //(p)->Attributes = a
ENVI-ptr %~1=%~5:(%PtrSz%*4) //(%PtrSz%+%PtrSz%+%PtrSz%+%PtrSz%) //(p)->SecurityDescriptor = s
// SecurityQualityOfService is not written here. It stays NULL only if the caller passes a
// zero-filled buffer, as GetSymbolic does; a reused buffer would leave stale bytes in this field.
//ENVI-ptr %~1=0:(%PtrSz%*5) //(p)->SecurityQualityOfService = NULL
_END
_SUB _INITVAR *
// Defines the pointer size and the Win32/NT constants used by the native-API helpers.
// NOTE(review): the trailing * on the _SUB line presumably lets these variables remain visible
// to the calling sub after return — TODO confirm against the PECMD documentation.
// Pointer size: 8 when bX64 equals 3, otherwise 4. bX64 is not defined in this snippet.
IFEX #%&bX64%=3, Set &PtrSz=8! SET &PtrSz=4
// OBJECT_ATTRIBUTES.Attributes flag: case-insensitive name lookup.
SET &OBJ_CASE_INSENSITIVE=0x00000040
// Access mask for symbolic link objects: query the target only.
SET &SYMBOLIC_LINK_QUERY=0x0001
// The four constants below are not used by the subs shown here; they look intended for a
// mount-manager query (CreateFile + DeviceIoControl) elsewhere in the script.
SET &FILE_SHARE_RW=0x00000003
SET &OPEN_EXISTING=3
// 24 bytes: three 4-byte offsets plus six 2-byte fields (lengths and reserved words).
CALC #&sizeofMOUNTMGR_MOUNT_POINT=4*3+2*6
// Evaluates to 0x006D0008: device type 0x6D shifted left 16, function 2 shifted left 2,
// method and access bits both 0.
CALC -base=16 #&&IOCTL_MOUNTMGR_QUERY_POINTS=shl(0x0000006D,16) | shl(2,2) //CTL_CODE(MOUNTMGRCONTROLTYPE, 2, METHOD_BUFFERED, FILE_ANY_ACCESS)
_END
|
|