madshi.net

I have injected dll in spoolsv.exe with CreateFileW API. But I cannot get particular file path in hooked CreateFileW even HookAPI return 1(success), when I tried in Windows 10 & 8. Although I get that particular file path in Windows 7 properly.
And also got that particular file path in "Process Monitor" into CreateFile. How can I get particular file path in spoolsv into Windows10 & 8?


Thanks.

What file path do you get? None at all? Or a wrong one? Or an empty one?

Is your CreateFileW hook called at all?

Thanks for reply. We are getting only following paths
C:\WINDOWS\SYSTEM32\ntdll.dll,
C:\WINDOWS\system32\spool\DRIVERS\x64\3\primopdf.BPD,
C:\WINDOWS\system32\spool\DRIVERS\x64\3\primopdf.ppd

But we are searching for .spl file path which is created during printing. We are getting .spl path in Windows 7 properly, but not in Windows 8 & 10.

Are you sure that the .spl path really created in Windows 8 and 10?

Of course there are other APIs that might be used to create the file. Have you tried hooking NtCreateFile and NtOpenFile? In theory it could even be a driver which creates the file, in which case we can't hook it in user land.

Have you verified with ProcessMonitor that you hooked the correct process? Maybe Windows 8 + 10 have multiple spooler processes and maybe the spl files are created by a process you haven't hooked yet?

Yes, in Windows 8 and 10 .spl path created by spoolsv.exe process only checked in ProcessMonitor. We couldn't find the .spl path for NtCreateFile and NtOpenFile.

We doubt if it is security issue with higher versions of Windows. Thanks.

Well, as I said: Of course there are other APIs that might be used to create the file. Have you tried hooking NtCreateFile and NtOpenFile?

Also, ProcessMonitor only shows the EXE file name, but not the process ID. Maybe there are multiple spoolsv.exe processes running and you've hooked the wrong one? Just a wild thought, of course.

We couldn't find the .spl path for NtCreateFile and NtOpenFile after hooking that. And there is only one spoolsv.exe is running. We verified Process Id of injected Process and Process Id of spoolsv.exe which is in ProcessMonitor, both are same. This solution is run properly in Windows 7.

We doubt if it is security issue with higher versions of Windows.

Thanks.

You can try this tool:

http://www.rohitab.com/apimonitor

With a bit of luck it might tell you which API the spooler uses to create/open the file.

If HookAPI() returns a non-zero value then hooking should work properly. It's unlikely to be a security issue if DLL injection + HookAPI() both succeed.