How to Hook NtCreateFile

aiscii
Posts: 7
Joined: Sat May 27, 2006 6:35 am


Post by aiscii »

thanks!
iconic
Site Admin
Posts: 1065
Joined: Wed Jun 08, 2005 5:08 am

Post by iconic »

Learn to use the "search" feature on this forum.

viewtopic.php?t=929&highlight=ntcreatefile

--Iconic
aiscii
Posts: 7
Joined: Sat May 27, 2006 6:35 am

Post by aiscii »

In my code:


NTSTATUS (WINAPI *NtCreateFileNext)(
PHANDLE FileHandle,
ACCESS_MASK DesiredAccess,
POBJECT_ATTRIBUTES ObjectAttributes,
PIO_STATUS_BLOCK IoStatusBlock,
PLARGE_INTEGER AllocationSize,
ULONG FileAttributes,
ULONG ShareAccess,
ULONG CreateDisposition,
ULONG CreateOptions,
PVOID EaBuffer,
ULONG EaLength
);

NTSTATUS NtCreateFileCallback(
PHANDLE FileHandle,
ACCESS_MASK DesiredAccess,
POBJECT_ATTRIBUTES ObjectAttributes,
PIO_STATUS_BLOCK IoStatusBlock,
PLARGE_INTEGER AllocationSize,
ULONG FileAttributes,
ULONG ShareAccess,
ULONG CreateDisposition,
ULONG CreateOptions,
PVOID EaBuffer,
ULONG EaLength
)
{
NTSTATUS status;

MessageBox("Hook NtCreateFile()");

status = NtCreateFileNext(
FileHandle,
DesiredAccess,
ObjectAttributes,
IoStatusBlock,
AllocationSize,
FileAttributes,
ShareAccess,
CreateDisposition,
CreateOptions,
EaBuffer,
EaLength
);


return status;

}


When I inject it with "DllInjector.exe", my system crashes.
iconic
Site Admin
Posts: 1065
Joined: Wed Jun 08, 2005 5:08 am

Post by iconic »

You need the WINAPI calling convention for your callback too. You also shouldn't be calling MessageBox() like that; it's usually not good, especially since you're using Madshi's DLLInjector.exe and injecting your library system / user wide.

--Iconic
aiscii
Posts: 7
Joined: Sat May 27, 2006 6:35 am

Post by aiscii »

Thanks.
I used the 'WINAPI' calling convention for my callback, forgot to type it :P

InjectLibrary GetLastError() = 0x000003E9.

win2000 sp4 vc6+sp5
madshi
Site Admin
Posts: 10754
Joined: Sun Mar 21, 2004 5:25 pm

Post by madshi »

0x3E9 means "endless recursion".
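
An added illustration, not code from this thread or from madCodeHook: a hook callback that calls a helper which itself reaches the hooked API re-enters the callback without bound, and a per-thread flag stops that. The API is simulated in portable C, and every name (`entry`, `next_fn`, `notify`, `DEPTH_LIMIT`) is hypothetical; whether this is what produced the 0x3E9 above is not established by the posts.

```c
#include <stdio.h>

/* Portable simulation: hypothetical names, no Windows or madCodeHook calls. */
typedef int (*create_fn)(const char *path);
#define DEPTH_LIMIT 64                  /* simulation only: stop before a real stack overflow */

static int real_calls, depth, max_depth;
static int real_create(const char *path) { (void)path; real_calls++; return 0; }
static create_fn entry = real_create;   /* what callers reach; patched when hooked */
static create_fn next_fn = real_create; /* plays the role of NtCreateFileNext */

/* Stand-in for a UI or logging helper that opens a file internally,
   which sends it back through the hooked entry point. */
static void notify(void) { entry("notify.log"); }

/* Unguarded callback: every notify() re-enters this function. */
static int naive_cb(const char *path) {
    int rc;
    if (++depth > max_depth) max_depth = depth;
    if (depth < DEPTH_LIMIT) notify();
    rc = next_fn(path);
    depth--;
    return rc;
}

static _Thread_local int in_hook;       /* per-thread re-entrancy flag */

/* Guarded callback: a nested call on the same thread is passed straight through. */
static int guarded_cb(const char *path) {
    int rc;
    if (in_hook) return next_fn(path);
    in_hook = 1;
    if (++depth > max_depth) max_depth = depth;
    notify();                           /* its nested open hits the guard above */
    rc = next_fn(path);
    depth--;
    in_hook = 0;
    return rc;
}

/* Install a callback, make one hooked call, return the deepest nesting seen. */
static int run(create_fn cb) {
    real_calls = depth = max_depth = 0;
    entry = cb;
    entry("C:\\example.txt");
    entry = real_create;
    return max_depth;
}

int main(void) {
    int naive = run(naive_cb), guarded = run(guarded_cb);
    printf("naive depth=%d, guarded depth=%d, real calls=%d\n", naive, guarded, real_calls);
    return 0;
}
```

The guard has to be per thread: a process-wide flag would let one thread's hook activity silently bypass the callback for every other thread.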
aiscii
Posts: 7
Joined: Sat May 27, 2006 6:35 am

Post by aiscii »

I know, but why?

thanks!
madshi
Site Admin
Posts: 10754
Joined: Sun Mar 21, 2004 5:25 pm

Post by madshi »

Post the full DLL code, and please in a BBCode "CODE" format block, so it's better readable.

Earlier you said you'd get crashes. Now you say InjectLibrary returns an error. Now what is true? Or both?

Please try injecting an empty dll. Does that work?
aiscii
Posts: 7
Joined: Sat May 27, 2006 6:35 am

Post by aiscii »

Thanks

The full Dll code:

Code:

// Hook.cpp : Defines the entry point for the DLL application.

#include "stdafx.h"

#include <windows.h>
#include "madCHook.h" 

#define NT_SUCCESS(Status)            ((NTSTATUS)(Status) >= 0)
#define STATUS_INFO_LENGTH_MISMATCH        ((NTSTATUS)0xC0000004L)
#define STATUS_ACCESS_DENIED ((NTSTATUS)0xC0000022L)

typedef LONG  NTSTATUS;
typedef struct _IO_STATUS_BLOCK 
{
    NTSTATUS    Status;
    ULONG        Information;
} IO_STATUS_BLOCK, *PIO_STATUS_BLOCK;

typedef struct _UNICODE_STRING 
{
    USHORT        Length;
    USHORT        MaximumLength;
    PWSTR        Buffer;
} UNICODE_STRING, *PUNICODE_STRING;

#define OBJ_INHERIT             0x00000002L
#define OBJ_PERMANENT           0x00000010L
#define OBJ_EXCLUSIVE           0x00000020L
#define OBJ_CASE_INSENSITIVE    0x00000040L
#define OBJ_OPENIF              0x00000080L
#define OBJ_OPENLINK            0x00000100L
#define OBJ_KERNEL_HANDLE       0x00000200L
#define OBJ_VALID_ATTRIBUTES    0x000003F2L
typedef struct _OBJECT_ATTRIBUTES 
{
    ULONG        Length;
    HANDLE        RootDirectory;
    PUNICODE_STRING ObjectName;
    ULONG        Attributes;
    PVOID        SecurityDescriptor;
    PVOID        SecurityQualityOfService;
} OBJECT_ATTRIBUTES, *POBJECT_ATTRIBUTES; 

// *************************************************************** 

NTSTATUS (WINAPI *NtCreateFileNext)( 
									PHANDLE FileHandle, 
									ACCESS_MASK DesiredAccess, 
									POBJECT_ATTRIBUTES ObjectAttributes, 
									PIO_STATUS_BLOCK IoStatusBlock, 
									PLARGE_INTEGER AllocationSize, 
									ULONG FileAttributes, 
									ULONG ShareAccess, 
									ULONG CreateDisposition, 
									ULONG CreateOptions, 
									PVOID EaBuffer, 
									ULONG EaLength 
									); 

NTSTATUS WINAPI NtCreateFileCallback( 
									 PHANDLE FileHandle, 
									 ACCESS_MASK DesiredAccess, 
									 POBJECT_ATTRIBUTES ObjectAttributes, 
									 PIO_STATUS_BLOCK IoStatusBlock, 
									 PLARGE_INTEGER AllocationSize, 
									 ULONG FileAttributes, 
									 ULONG ShareAccess, 
									 ULONG CreateDisposition, 
									 ULONG CreateOptions, 
									 PVOID EaBuffer, 
									 ULONG EaLength 
									 )
{
	  NTSTATUS    status;
	
    MessageBox(NULL,"Hook NtCreateFile()","Tip",0);
	
    status = NtCreateFileNext(
										FileHandle,
										DesiredAccess,
										ObjectAttributes,
										IoStatusBlock,
										AllocationSize,
										FileAttributes,
										ShareAccess,
										CreateDisposition,
										CreateOptions,
										EaBuffer,
										EaLength
										);
	
	
    return status;
	
}


BOOL APIENTRY DllMain( HANDLE hModule, 
					  DWORD  fdwReason, 
					  LPVOID lpReserved
					  )
{
	if (fdwReason == DLL_PROCESS_ATTACH)
	{ 
		InitializeMadCHook(); 
		
		if(!(GetVersion() & 0x80000000))
			HookAPI("ntdll.dll", "NtCreateFile", NtCreateFileCallback, (PVOID*) &NtCreateFileNext); 		
		HookAPI("Kernel32.dll", "CreateFile", CreateFileCallback, (PVOID*) &CreateFileNext); 		
		
	} 
	else if (fdwReason == DLL_PROCESS_DETACH) 
	{
		FinalizeMadCHook();
	}
    return TRUE;
}

Earlier I got crashes; now that is nonexistent, but it returns an error. Perhaps that is a SoftICE question.
Injecting an empty.dll is OK.
madshi
Site Admin
Posts: 10754
Joined: Sun Mar 21, 2004 5:25 pm

Post by madshi »

Are you using the non-commercial edition? If yes, you need to copy madCHook.dll to your system32 folder.

What do you need this for?

#include "stdafx.h"

I'm not using this in my C++ demos. I'd suggest that you use a tool like e.g. PEBrowsePro to find out which dlls your hook dll statically links to.
Tuxford
Posts: 8
Joined: Thu Sep 10, 2015 11:01 am

Re: How to Hook NtCreateFile

Post by Tuxford »

I got HookProcessCreation and added hooking of NtCreateFile.
OS Windows 7 x64

Code:

NTSTATUS(WINAPI *NtCreateFileNext)(
	PHANDLE            FileHandle,
	ACCESS_MASK        DesiredAccess,
	POBJECT_ATTRIBUTES ObjectAttributes,
	PIO_STATUS_BLOCK   IoStatusBlock,
	PLARGE_INTEGER     AllocationSize,
	ULONG              FileAttributes,
	ULONG              ShareAccess,
	ULONG              CreateDisposition,
	ULONG              CreateOptions,
	PVOID              EaBuffer,
	ULONG              EaLength);

NTSTATUS WINAPI NtCreateFileCB(
	PHANDLE            FileHandle,
	ACCESS_MASK        DesiredAccess,
	POBJECT_ATTRIBUTES ObjectAttributes,
	PIO_STATUS_BLOCK   IoStatusBlock,
	PLARGE_INTEGER     AllocationSize,
	ULONG              FileAttributes,
	ULONG              ShareAccess,
	ULONG              CreateDisposition,
	ULONG              CreateOptions,
	PVOID              EaBuffer,
	ULONG              EaLength	)
{
	return NtCreateFileNext(FileHandle, DesiredAccess, ObjectAttributes, IoStatusBlock, AllocationSize, FileAttributes, ShareAccess, CreateDisposition,
		CreateOptions, EaBuffer, EaLength);
}

And added in MainDll

Code:

HookAPI("ntdll.dll", "NtCreateFile", NtCreateFileCB, (PVOID*)&NtCreateFileNext);

It works fine if I use the x64 build of the injection dll. But in the case of the 32-bit dll, the system behaves very strangely. Some applications stop working, freeze or crash.

Is there some specific feature, or have I missed something?
Thanks.
madshi
Site Admin
Posts: 10754
Joined: Sun Mar 21, 2004 5:25 pm

Re: How to Hook NtCreateFile

Post by madshi »

Looks alright to me on a quick check. And if you remove that hook again and recompile, everything's fine?
Tuxford
Posts: 8
Joined: Thu Sep 10, 2015 11:01 am

Re: How to Hook NtCreateFile

Post by Tuxford »

madshi wrote: Looks alright to me on a quick check. And if you remove that hook again and recompile, everything's fine?

Yes. When I throw out this code or even uninject the dll, it works fine.
Tuxford
Posts: 8
Joined: Thu Sep 10, 2015 11:01 am

Re: How to Hook NtCreateFile

Post by Tuxford »

Oops... sorry. The problem occurs on the first hook. E.g. I run cmake-gui and it crashes.

So the problem is more global: how to hook a 32-bit call in an x64 environment.
madshi
Site Admin
Posts: 10754
Joined: Sun Mar 21, 2004 5:25 pm

Re: How to Hook NtCreateFile

Post by madshi »

So you're saying the problem already occurs when recompiling the demo as it is without any changes? I don't know cmake-gui. Which development system and version are you using?