How to Hook NtCreateFile
Learn to use the "search" feature on this forum.
viewtopic.php?t=929&highlight=ntcreatefile
--Iconic
viewtopic.php?t=929&highlight=ntcreatefile
--Iconic
In my Code
// Signature of the NtCreateFile entry point, declared WINAPI (stdcall).
typedef NTSTATUS (WINAPI *NT_CREATE_FILE_FN)(
    PHANDLE FileHandle,
    ACCESS_MASK DesiredAccess,
    POBJECT_ATTRIBUTES ObjectAttributes,
    PIO_STATUS_BLOCK IoStatusBlock,
    PLARGE_INTEGER AllocationSize,
    ULONG FileAttributes,
    ULONG ShareAccess,
    ULONG CreateDisposition,
    ULONG CreateOptions,
    PVOID EaBuffer,
    ULONG EaLength
);

// "Next hook" slot: NtCreateFileCallback forwards every request through this
// pointer, so it must hold a valid target before the callback can run.
NT_CREATE_FILE_FN NtCreateFileNext;
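// Hook callback for NtCreateFile: announces the call, then forwards the
// unchanged arguments to NtCreateFileNext and returns its NTSTATUS.
//
// The callback carries WINAPI so that its calling convention matches the
// NtCreateFileNext pointer type. Without it a 32-bit build normally defaults
// to __cdecl, the 11 arguments are not popped by the callee, and the caller's
// stack is left unbalanced after the first intercepted call.
NTSTATUS WINAPI NtCreateFileCallback(
    PHANDLE FileHandle,
    ACCESS_MASK DesiredAccess,
    POBJECT_ATTRIBUTES ObjectAttributes,
    PIO_STATUS_BLOCK IoStatusBlock,
    PLARGE_INTEGER AllocationSize,
    ULONG FileAttributes,
    ULONG ShareAccess,
    ULONG CreateDisposition,
    ULONG CreateOptions,
    PVOID EaBuffer,
    ULONG EaLength
)
{
    NTSTATUS status;

    // MessageBox takes four arguments (owner, text, caption, type); the ANSI
    // variant is named explicitly because the strings are narrow literals.
    // NOTE(review): a modal dialog inside a file-open hook is only suitable
    // for a quick experiment. It blocks the calling thread, and the dialog
    // path can itself open files and re-enter this callback.
    MessageBoxA(NULL, "Hook NtCreateFile()", "Tip", 0);

    status = NtCreateFileNext(
        FileHandle,
        DesiredAccess,
        ObjectAttributes,
        IoStatusBlock,
        AllocationSize,
        FileAttributes,
        ShareAccess,
        CreateDisposition,
        CreateOptions,
        EaBuffer,
        EaLength
    );
    return status;
}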
When I inject it with "DllInjector.exe", my system crashes.
// Signature of the NtCreateFile entry point, declared WINAPI (stdcall).
typedef NTSTATUS (WINAPI *NT_CREATE_FILE_FN)(
    PHANDLE FileHandle,
    ACCESS_MASK DesiredAccess,
    POBJECT_ATTRIBUTES ObjectAttributes,
    PIO_STATUS_BLOCK IoStatusBlock,
    PLARGE_INTEGER AllocationSize,
    ULONG FileAttributes,
    ULONG ShareAccess,
    ULONG CreateDisposition,
    ULONG CreateOptions,
    PVOID EaBuffer,
    ULONG EaLength
);

// "Next hook" slot: NtCreateFileCallback forwards every request through this
// pointer, so it must hold a valid target before the callback can run.
NT_CREATE_FILE_FN NtCreateFileNext;
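// Hook callback for NtCreateFile: announces the call, then forwards the
// unchanged arguments to NtCreateFileNext and returns its NTSTATUS.
//
// The callback carries WINAPI so that its calling convention matches the
// NtCreateFileNext pointer type. Without it a 32-bit build normally defaults
// to __cdecl, the 11 arguments are not popped by the callee, and the caller's
// stack is left unbalanced after the first intercepted call.
NTSTATUS WINAPI NtCreateFileCallback(
    PHANDLE FileHandle,
    ACCESS_MASK DesiredAccess,
    POBJECT_ATTRIBUTES ObjectAttributes,
    PIO_STATUS_BLOCK IoStatusBlock,
    PLARGE_INTEGER AllocationSize,
    ULONG FileAttributes,
    ULONG ShareAccess,
    ULONG CreateDisposition,
    ULONG CreateOptions,
    PVOID EaBuffer,
    ULONG EaLength
)
{
    NTSTATUS status;

    // MessageBox takes four arguments (owner, text, caption, type); the ANSI
    // variant is named explicitly because the strings are narrow literals.
    // NOTE(review): a modal dialog inside a file-open hook is only suitable
    // for a quick experiment. It blocks the calling thread, and the dialog
    // path can itself open files and re-enter this callback.
    MessageBoxA(NULL, "Hook NtCreateFile()", "Tip", 0);

    status = NtCreateFileNext(
        FileHandle,
        DesiredAccess,
        ObjectAttributes,
        IoStatusBlock,
        AllocationSize,
        FileAttributes,
        ShareAccess,
        CreateDisposition,
        CreateOptions,
        EaBuffer,
        EaLength
    );
    return status;
}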
When I inject it with "DllInjector.exe", my system crashes.
Thanks
The full Dll code:
Earlier I got crashes; now they are gone, but it returns an error. Perhaps that is a SoftICE question.
inject an empty.dll is ok
The full Dll code:
// Hook.cpp : Defines the entry point for the DLL application.
#include "stdafx.h"
#include <windows.h>
#include "madCHook.h"
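// Native-API types and constants declared locally by this listing so that the
// NtCreateFile prototype below can be written out.
typedef LONG NTSTATUS;

// An NTSTATUS is a success or informational code when it is non-negative.
#define NT_SUCCESS(Status) ((NTSTATUS)(Status) >= 0)
#define STATUS_INFO_LENGTH_MISMATCH ((NTSTATUS)0xC0000004L)
#define STATUS_ACCESS_DENIED ((NTSTATUS)0xC0000022L)

// Completion status written by the I/O call. Information is pointer-sized and
// Status shares its storage with a pointer, so the structure keeps the native
// layout in 64-bit builds as well. In 32-bit builds this is byte-for-byte the
// same as the plain { NTSTATUS; ULONG; } form.
typedef struct _IO_STATUS_BLOCK
{
    union
    {
        NTSTATUS Status;
        PVOID Pointer;
    };
    ULONG_PTR Information;
} IO_STATUS_BLOCK, *PIO_STATUS_BLOCK;

// Counted UTF-16 string; Length and MaximumLength are byte counts.
typedef struct _UNICODE_STRING
{
    USHORT Length;
    USHORT MaximumLength;
    PWSTR Buffer;
} UNICODE_STRING, *PUNICODE_STRING;

// Flag bits for OBJECT_ATTRIBUTES.Attributes.
#define OBJ_INHERIT 0x00000002L
#define OBJ_PERMANENT 0x00000010L
#define OBJ_EXCLUSIVE 0x00000020L
#define OBJ_CASE_INSENSITIVE 0x00000040L
#define OBJ_OPENIF 0x00000080L
#define OBJ_OPENLINK 0x00000100L
#define OBJ_KERNEL_HANDLE 0x00000200L
#define OBJ_VALID_ATTRIBUTES 0x000003F2L

// Names the object a native call operates on: ObjectName is taken relative to
// RootDirectory when that handle is set.
typedef struct _OBJECT_ATTRIBUTES
{
    ULONG Length;
    HANDLE RootDirectory;
    PUNICODE_STRING ObjectName;
    ULONG Attributes;
    PVOID SecurityDescriptor;
    PVOID SecurityQualityOfService;
} OBJECT_ATTRIBUTES, *POBJECT_ATTRIBUTES;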
// ***************************************************************
// Signature of the NtCreateFile entry point, declared WINAPI (stdcall).
typedef NTSTATUS (WINAPI *NT_CREATE_FILE_FN)(
    PHANDLE FileHandle,
    ACCESS_MASK DesiredAccess,
    POBJECT_ATTRIBUTES ObjectAttributes,
    PIO_STATUS_BLOCK IoStatusBlock,
    PLARGE_INTEGER AllocationSize,
    ULONG FileAttributes,
    ULONG ShareAccess,
    ULONG CreateDisposition,
    ULONG CreateOptions,
    PVOID EaBuffer,
    ULONG EaLength
);

// "Next hook" slot. DllMain passes its address to HookAPI, and
// NtCreateFileCallback forwards every request through it.
NT_CREATE_FILE_FN NtCreateFileNext;
// Hook callback for NtCreateFile: shows a message box, then hands the
// unchanged arguments to NtCreateFileNext and returns whatever it reports.
NTSTATUS WINAPI NtCreateFileCallback(
    PHANDLE FileHandle,
    ACCESS_MASK DesiredAccess,
    POBJECT_ATTRIBUTES ObjectAttributes,
    PIO_STATUS_BLOCK IoStatusBlock,
    PLARGE_INTEGER AllocationSize,
    ULONG FileAttributes,
    ULONG ShareAccess,
    ULONG CreateDisposition,
    ULONG CreateOptions,
    PVOID EaBuffer,
    ULONG EaLength
)
{
    // NOTE(review): a modal dialog inside a file-open hook is only suitable
    // for a quick experiment. It blocks the calling thread, and the dialog
    // path can itself open files and re-enter this callback.
    MessageBox(NULL,"Hook NtCreateFile()","Tip",0);

    // Pass-through: nothing is inspected or altered before forwarding.
    return NtCreateFileNext(FileHandle, DesiredAccess, ObjectAttributes,
                            IoStatusBlock, AllocationSize, FileAttributes,
                            ShareAccess, CreateDisposition, CreateOptions,
                            EaBuffer, EaLength);
}
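// DLL entry point. On process attach it initialises madCodeHook and installs
// the NtCreateFile hook; on process detach it shuts madCodeHook down again.
// Always returns TRUE, so a failed hook never prevents the DLL from loading.
BOOL APIENTRY DllMain( HANDLE hModule,
                       DWORD fdwReason,
                       LPVOID lpReserved
                     )
{
    if (fdwReason == DLL_PROCESS_ATTACH)
    {
        InitializeMadCHook();

        // The high bit of GetVersion() is set on the Windows 9x family, which
        // has no native NtCreateFile to hook, so the hook is NT-only.
        if (!(GetVersion() & 0x80000000))
        {
            // HookAPI reports failure through its return value. Surface it in
            // the debugger output instead of silently continuing unhooked.
            if (!HookAPI("ntdll.dll", "NtCreateFile", NtCreateFileCallback, (PVOID*) &NtCreateFileNext))
                OutputDebugStringA("Hook.dll: HookAPI(ntdll.dll, NtCreateFile) failed\n");
        }

        // The kernel32 "CreateFile" hook from the posted listing is left out:
        // CreateFileCallback and CreateFileNext are not declared anywhere in
        // this file, and kernel32 exports CreateFileA/CreateFileW rather than
        // a function literally named "CreateFile".
    }
    else if (fdwReason == DLL_PROCESS_DETACH)
    {
        FinalizeMadCHook();
    }
    return TRUE;
}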
inject an empty.dll is ok
Re: How to Hook NtCreateFile
I got HookProcessCreation and added hooking of NtCreateFile.
OS Windows 7 x64
And added in MainDll
It works fine if I use the x64 build of the injection DLL. But with the 32-bit DLL the system behaves very strangely: some applications stop working, freeze or crash.
Is there some specific feature or I missed something?
Thanks.
OS Windows 7 x64
// Signature of the NtCreateFile entry point, declared WINAPI (stdcall).
typedef NTSTATUS (WINAPI *NT_CREATE_FILE_FN)(
    PHANDLE FileHandle,
    ACCESS_MASK DesiredAccess,
    POBJECT_ATTRIBUTES ObjectAttributes,
    PIO_STATUS_BLOCK IoStatusBlock,
    PLARGE_INTEGER AllocationSize,
    ULONG FileAttributes,
    ULONG ShareAccess,
    ULONG CreateDisposition,
    ULONG CreateOptions,
    PVOID EaBuffer,
    ULONG EaLength
);

// "Next hook" slot: NtCreateFileCB forwards every request through this
// pointer, so it must hold a valid target before the callback can run.
NT_CREATE_FILE_FN NtCreateFileNext;
// Pure pass-through hook callback for NtCreateFile: every argument goes to
// NtCreateFileNext unchanged and its NTSTATUS is returned as-is.
NTSTATUS WINAPI NtCreateFileCB(
    PHANDLE FileHandle,
    ACCESS_MASK DesiredAccess,
    POBJECT_ATTRIBUTES ObjectAttributes,
    PIO_STATUS_BLOCK IoStatusBlock,
    PLARGE_INTEGER AllocationSize,
    ULONG FileAttributes,
    ULONG ShareAccess,
    ULONG CreateDisposition,
    ULONG CreateOptions,
    PVOID EaBuffer,
    ULONG EaLength
)
{
    NTSTATUS forwarded = NtCreateFileNext(
        FileHandle,
        DesiredAccess,
        ObjectAttributes,
        IoStatusBlock,
        AllocationSize,
        FileAttributes,
        ShareAccess,
        CreateDisposition,
        CreateOptions,
        EaBuffer,
        EaLength
    );

    return forwarded;
}
// Registers NtCreateFileCB as the callback for ntdll.dll's NtCreateFile and
// passes the address of NtCreateFileNext as the "next hook" slot.
// NOTE(review): the result of HookAPI is discarded here, so a failed install
// would go unnoticed. Checking it would help narrow down the 32-bit problem.
HookAPI("ntdll.dll", "NtCreateFile", NtCreateFileCB, (PVOID*)&NtCreateFileNext);
Is there some specific feature or I missed something?
Thanks.
Re: How to Hook NtCreateFile
Looks alright to me on a quick check. And if you remove that hook again and recompile, everything's fine?
Re: How to Hook NtCreateFile
Yes. When I throw out this code or even uninject the DLL, it works fine. madshi wrote: Looks alright to me on a quick check. And if you remove that hook again and recompile, everything's fine?
Re: How to Hook NtCreateFile
Oops, sorry. The problem occurs on the first hook. E.g. I run cmake-gui and it crashes.
So the problem is more global: how to hook a 32-bit call in an x64 environment.
So the problem is more global: how to hook a 32-bit call in an x64 environment.
Re: How to Hook NtCreateFile
So you're saying the problem already occurs when recompiling the demo as it is, without any changes? I don't know cmake-gui. Which development system and version are you using?