CreateFileW hooking in Windows 10

sakshisoft
Posts: 4
Joined: Tue May 15, 2018 7:26 am

CreateFileW hooking in Windows 10

Post by sakshisoft »

I have injected a DLL into spoolsv.exe and hooked the CreateFileW API. But I cannot get the particular file path in the hooked CreateFileW, even though HookAPI returns 1 (success), when I try it on Windows 10 & 8. However, I get that particular file path properly on Windows 7.
I also see that particular file path in "Process Monitor" under CreateFile. How can I get the particular file path in spoolsv on Windows 10 & 8?


Thanks.
madshi
Site Admin
Posts: 10749
Joined: Sun Mar 21, 2004 5:25 pm

Re: CreateFileW hooking in Windows 10

Post by madshi »

What file path do you get? None at all? Or a wrong one? Or an empty one?

Is your CreateFileW hook called at all?
sakshisoft
Posts: 4
Joined: Tue May 15, 2018 7:26 am

Re: CreateFileW hooking in Windows 10

Post by sakshisoft »

Thanks for the reply. We are only getting the following paths:
C:\WINDOWS\SYSTEM32\ntdll.dll,
C:\WINDOWS\system32\spool\DRIVERS\x64\3\primopdf.BPD,
C:\WINDOWS\system32\spool\DRIVERS\x64\3\primopdf.ppd

But we are looking for the .spl file path which is created during printing. We get the .spl path properly on Windows 7, but not on Windows 8 & 10.
madshi
Site Admin
Posts: 10749
Joined: Sun Mar 21, 2004 5:25 pm

Re: CreateFileW hooking in Windows 10

Post by madshi »

Are you sure that the .spl path is really created in Windows 8 and 10?

Of course there are other APIs that might be used to create the file. Have you tried hooking NtCreateFile and NtOpenFile? In theory it could even be a driver which creates the file, in which case we can't hook it in user land.

Have you verified with ProcessMonitor that you hooked the correct process? Maybe Windows 8 + 10 have multiple spooler processes and maybe the spl files are created by a process you haven't hooked yet?
sakshisoft
Posts: 4
Joined: Tue May 15, 2018 7:26 am

Re: CreateFileW hooking in Windows 10

Post by sakshisoft »

Yes, in Windows 8 and 10 the .spl path is created by the spoolsv.exe process only; we checked this in ProcessMonitor. We couldn't find the .spl path in NtCreateFile and NtOpenFile.

We wonder whether it is a security issue with higher versions of Windows.
[Screenshot of ProcessMonitor: Screenshot_Procmon1.jpg]
Thanks.
madshi
Site Admin
Posts: 10749
Joined: Sun Mar 21, 2004 5:25 pm

Re: CreateFileW hooking in Windows 10

Post by madshi »

Well, as I said: Of course there are other APIs that might be used to create the file. Have you tried hooking NtCreateFile and NtOpenFile?

Also, ProcessMonitor only shows the EXE file name, but not the process ID. Maybe there are multiple spoolsv.exe processes running and you've hooked the wrong one? Just a wild thought, of course.
sakshisoft
Posts: 4
Joined: Tue May 15, 2018 7:26 am

Re: CreateFileW hooking in Windows 10

Post by sakshisoft »

We couldn't find the .spl path in NtCreateFile and NtOpenFile after hooking them. And there is only one spoolsv.exe running. We verified the process ID of the injected process and the process ID of spoolsv.exe shown in ProcessMonitor; both are the same. This solution runs properly on Windows 7.

We wonder whether it is a security issue with higher versions of Windows.

Thanks.
madshi
Site Admin
Posts: 10749
Joined: Sun Mar 21, 2004 5:25 pm

Re: CreateFileW hooking in Windows 10

Post by madshi »

You can try this tool:

http://www.rohitab.com/apimonitor

With a bit of luck it might tell you which API the spooler uses to create/open the file.

If HookAPI() returns a non-zero value then hooking should work properly. It's unlikely to be a security issue if DLL injection + HookAPI() both succeed.
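One practical point the thread raises but never shows is that a hook on CreateFileW and a hook on NtCreateFile/NtOpenFile do not receive the file name in the same form. CreateFileW gets a NUL-terminated Win32 path (C:\Windows\...), whereas the native calls get an OBJECT_ATTRIBUTES whose ObjectName is a UNICODE_STRING: a length-in-bytes plus a buffer that is not guaranteed to be NUL-terminated, holding an NT-namespace path such as \??\C:\Windows\.... A monitoring hook that reads the native name as if it were a C string, or compares it against a Win32 prefix, can silently miss the file it is looking for. The following is an added example, not code from this thread or from madCodeHook; the UNICODE_STRING_LIKE and OBJECT_ATTRIBUTES_LIKE structs are stand-ins for the Windows types (reduced to the fields a name hook needs) so that it compiles without <windows.h>, and the sample paths are constructed.

```c
#include <ctype.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Stand-ins for the Windows UNICODE_STRING and OBJECT_ATTRIBUTES types,
   reduced to the fields a file-name hook needs (assumed layout for the example). */
typedef struct {
    uint16_t  Length;        /* length in BYTES, not characters */
    uint16_t  MaximumLength; /* buffer capacity in bytes */
    uint16_t *Buffer;        /* UTF-16, not guaranteed NUL-terminated */
} UNICODE_STRING_LIKE;

typedef struct {
    UNICODE_STRING_LIKE *ObjectName; /* NT-form path, e.g. \??\C:\... */
} OBJECT_ATTRIBUTES_LIKE;

/* Copy the name into a narrow buffer, honouring Length instead of scanning for
   a terminator. Non-ASCII code units become '?' to keep the example short. */
size_t ntname_to_ascii(const UNICODE_STRING_LIKE *us, char *out, size_t outsz)
{
    size_t nchars = us ? us->Length / 2 : 0, i;
    if (outsz == 0) return 0;
    if (nchars >= outsz) nchars = outsz - 1;
    for (i = 0; i < nchars; i++)
        out[i] = us->Buffer[i] < 0x80 ? (char)us->Buffer[i] : '?';
    out[i] = '\0';
    return i;
}

/* Drop the NT namespace prefix so "\??\C:\x" and "\\?\C:\x" both read "C:\x".
   A Win32-form path, as CreateFileW receives it, passes through unchanged. */
const char *strip_nt_prefix(const char *path)
{
    if (strncmp(path, "\\??\\", 4) == 0 || strncmp(path, "\\\\?\\", 4) == 0)
        return path + 4;
    return path;
}

/* Case-insensitive extension test; spool files may show up as .SPL or .spl. */
int has_ext_ci(const char *path, const char *ext)
{
    size_t lp = strlen(path), le = strlen(ext);
    if (lp < le) return 0;
    for (size_t i = 0; i < le; i++)
        if (tolower((unsigned char)path[lp - le + i]) != tolower((unsigned char)ext[i]))
            return 0;
    return 1;
}

/* What a NtCreateFile/NtOpenFile hook callback would do with the attributes it
   receives: decode the name, normalise it, and report whether it is a spool
   file. The normalised path is handed back through `normalized`. */
int hook_sees_spool_file(const OBJECT_ATTRIBUTES_LIKE *oa, char *normalized, size_t n)
{
    char raw[512];
    if (!oa || !oa->ObjectName) { if (n) normalized[0] = '\0'; return 0; }
    ntname_to_ascii(oa->ObjectName, raw, sizeof raw);
    snprintf(normalized, n, "%s", strip_nt_prefix(raw));
    return has_ext_ci(normalized, ".spl");
}

/* Build a UNICODE_STRING-like value from an ASCII literal. The unused tail of
   the backing buffer is filled with 'X' (no NUL) to show that the decoder
   must trust Length rather than look for a terminator. */
UNICODE_STRING_LIKE make_us(const char *ascii, uint16_t *backing, size_t cap)
{
    UNICODE_STRING_LIKE us;
    size_t n = strlen(ascii);
    if (n > cap) n = cap;
    for (size_t i = 0; i < cap; i++)
        backing[i] = i < n ? (uint16_t)(unsigned char)ascii[i] : (uint16_t)'X';
    us.Length = (uint16_t)(n * 2);
    us.MaximumLength = (uint16_t)(cap * 2);
    us.Buffer = backing;
    return us;
}

/* Constructed sample names: an NT-form spool file as a native hook would see
   it, and a driver file in Win32 form as CreateFileW would see it. Returns how
   many of them the hook classifies as spool files (expected: 1). */
int demo_count_spool_files(void)
{
    static const char *samples[] = {
        "\\??\\C:\\Windows\\System32\\spool\\PRINTERS\\00005.SPL",
        "C:\\WINDOWS\\system32\\spool\\DRIVERS\\x64\\3\\primopdf.ppd",
    };
    uint16_t buf[256];
    char out[512];
    int count = 0;
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        UNICODE_STRING_LIKE us = make_us(samples[i], buf, 256);
        OBJECT_ATTRIBUTES_LIKE oa = { &us };
        int spl = hook_sees_spool_file(&oa, out, sizeof out);
        printf("%s -> %s (spool file: %s)\n", samples[i], out, spl ? "yes" : "no");
        count += spl;
    }
    return count;
}

int main(void) { return demo_count_spool_files() == 1 ? 0 : 1; }
```

The same normalisation is what makes a ProcessMonitor-style comparison meaningful: ProcessMonitor displays Win32-form paths, so a native hook that logs the raw \??\ name will never string-match what the tool shows, even when both are observing the same call. On a real Windows build the stand-in structs would be replaced by the definitions from the SDK headers and the decoder would use a proper UTF-16 conversion rather than the ASCII shortcut.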