说明：  检测windows下rootkit对文件的隐藏。some usermode overwrites first few bytes of ZwQueryDirectoryFile and that trick will fail then :( So, you will probably need a small database of the correct indexes for all Windows versions
(under rootkit detection windows of the hidden documents. Some usermode overwrites first few bytes of ZwQueryDirectoryFile and that trick will fail then : (So, you will probably need a small database of the correct indexes for all Windows versions)