NtOpenFile win7 error

c++ / delphi package - dll injection and api hooking

Post by Nash70 » Mon Jun 09, 2014 2:51 pm

Hi,

I'm still trying, without any luck, to system-wide hook NtOpenFile and NtCreateFile with v3 of madCodeHook on Win7 32-bit.

In debug mode it only catches the calls of the process itself; I'm injecting the DLL with dllinjector32.exe (without problems). In the same DLL there is a CreateProcessW hook and it works fine.

Code:
#include <windows.h>
#include <winternl.h>   // NTSTATUS, OBJECT_ATTRIBUTES, IO_STATUS_BLOCK
#include "madCHook.h"   // madCodeHook: InitializeMadCHook, HookAPI, RenewHook, FinalizeMadCHook

// "Next hook" pointer: HookAPI fills it with the address to call for the original NtOpenFile.
NTSTATUS (WINAPI *NtOpenFileNext)(
   PHANDLE FileHandle,
   ACCESS_MASK DesiredAccess,
   POBJECT_ATTRIBUTES ObjectAttributes,
   PIO_STATUS_BLOCK IoStatusBlock,
   ULONG ShareAccess,
   ULONG OpenOptions);

// Replacement for NtOpenFile; runs inside every process the hook DLL is loaded into.
NTSTATUS WINAPI NtOpenFileCallback(PHANDLE FileHandle,
                            ACCESS_MASK DesiredAccess,
                            POBJECT_ATTRIBUTES ObjectAttributes,
                            PIO_STATUS_BLOCK IoStatusBlock,
                            ULONG ShareAccess,
                            ULONG OpenOptions)
{
   NTSTATUS dwRet;

   // Pass the call through to the original API.
   dwRet = NtOpenFileNext(FileHandle,
      DesiredAccess,
      ObjectAttributes,
      IoStatusBlock,
      ShareAccess,
      OpenOptions);

   // Re-install the hook in case something else overwrote the patched entry point.
   RenewHook((PVOID*) &NtOpenFileNext);

   return dwRet;
}

// The CreateProcessA/W, NtCreateFile and WinExec callbacks and their *Next
// pointers are defined elsewhere in the same DLL (not shown here).
BOOL WINAPI DllMain(HANDLE hModule, DWORD fdwReason, LPVOID lpReserved)
{
   if (fdwReason == DLL_PROCESS_ATTACH)
   {
      bool b1=false;
      InitializeMadCHook();
      // Note: b1 is overwritten by each call, so only the last result survives.
      b1=HookAPI("kernel32.dll", "CreateProcessA", CreateProcessACallback, (PVOID*) &CreateProcessANext);
      b1=HookAPI("kernel32.dll", "CreateProcessW", CreateProcessWCallback, (PVOID*) &CreateProcessWNext);
      b1=HookAPI("ntdll.dll", "NtCreateFile", NtCreateFileCallback, (PVOID*) &NtCreateFileNext);
      b1=HookAPI("ntdll.dll", "NtOpenFile", NtOpenFileCallback, (PVOID*) &NtOpenFileNext);
      b1=HookAPI("kernel32.dll", "WinExec", WinExecCallback, (PVOID*) &WinExecNext);
      //HookAPI returns true in all cases
   }
   else
      if (fdwReason == DLL_PROCESS_DETACH)
         FinalizeMadCHook();

   return true;
}


Any recommendation?

Thanks!
Nash70
 
Posts: 14
Joined: Mon Jun 02, 2014 6:50 pm

Re: NtOpenFile win7 error

Post by madshi » Mon Jun 09, 2014 7:01 pm

What is the problem exactly?
madshi
Site Admin
 
Posts: 9879
Joined: Sun Mar 21, 2004 5:25 pm

Re: NtOpenFile win7 error

Post by Nash70 » Mon Jun 09, 2014 7:52 pm

Hi madshi!

madshi wrote: What is the problem exactly?

The NtOpenFile hook seems not to work system-wide; the CreateProcessW hook works without problem.

:S
Nash70
 
Posts: 14
Joined: Mon Jun 02, 2014 6:50 pm

Re: NtOpenFile win7 error

Post by madshi » Mon Jun 09, 2014 8:10 pm

How do you know it's not working system wide?
madshi
Site Admin
 
Posts: 9879
Joined: Sun Mar 21, 2004 5:25 pm

Re: NtOpenFile win7 error

Post by Nash70 » Mon Jun 09, 2014 9:09 pm

Well, I'm not sure, but I think the hook only collects the calls of the process itself. The debugger only stops at the calls to NtOpenFile from the process itself. With CreateProcessW it stops on every call. I guess I'm doing something wrong but don't see it.
Nash70
 
Posts: 14
Joined: Mon Jun 02, 2014 6:50 pm

Re: NtOpenFile win7 error

Post by madshi » Mon Jun 09, 2014 9:38 pm

The debugger only shows API calls that are made by the process you're debugging. In Windows every process is totally separate from the other processes. In order to do system wide API hooking madCodeHook loads a copy of your hook dll into every running process. The CreateProcessW hook should also only work for APIs which are called by the process you're debugging. Please note that the key is the process which is calling the API. It doesn't matter which process CreateProcessW is "creating".
madshi
Site Admin
 
Posts: 9879
Joined: Sun Mar 21, 2004 5:25 pm
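One way to check what madshi describes, as an added example that is not code from the thread or from madCodeHook: instead of relying on the debugger (which only sees its own process), let the NtOpenFile callback emit a line containing the calling process id, so a debug-output viewer such as DebugView shows the hook firing in every process. It assumes the NtOpenFileNext pointer and HookAPI/RenewHook setup from the DllMain above, with this callback passed to HookAPI instead of NtOpenFileCallback; the non-Windows stand-in types exist only so the formatting helper compiles and can be tested off Windows.

```cpp
// Added example (not from the thread): log every NtOpenFile call with the
// calling process id, so the hook's system-wide reach can be checked with a
// debug-output viewer (DebugView) instead of a single-process debugger.
#include <cstdint>
#include <cwchar>
#include <string>
#ifdef _WIN32
#include <windows.h>
#include <winternl.h>
#include "madCHook.h"   // madCodeHook header (assumed on the include path)
#else
// Minimal stand-ins so the formatter compiles and can be tested off Windows.
typedef uint16_t USHORT;
typedef struct _UNICODE_STRING { USHORT Length; USHORT MaximumLength; wchar_t* Buffer; } UNICODE_STRING;
#endif

// One log line per call. UNICODE_STRING::Length is in BYTES and the buffer is
// not guaranteed to be NUL-terminated, so copy exactly Length/sizeof(wchar_t).
std::wstring FormatOpenFileEvent(unsigned long pid, const UNICODE_STRING* name)
{
    std::wstring path = L"<no name>";
    if (name != nullptr && name->Buffer != nullptr && name->Length > 0)
        path.assign(name->Buffer, name->Length / sizeof(wchar_t));
    wchar_t prefix[48];
    std::swprintf(prefix, 48, L"[pid %lu] NtOpenFile ", pid);
    return std::wstring(prefix) + path;
}

#ifdef _WIN32
// NtOpenFileNext is the "next hook" pointer filled in by HookAPI in the thread's DllMain.
extern NTSTATUS (WINAPI *NtOpenFileNext)(PHANDLE, ACCESS_MASK, POBJECT_ATTRIBUTES,
                                        PIO_STATUS_BLOCK, ULONG, ULONG);
NTSTATUS WINAPI NtOpenFileLoggingCallback(PHANDLE FileHandle, ACCESS_MASK DesiredAccess,
    POBJECT_ATTRIBUTES ObjectAttributes, PIO_STATUS_BLOCK IoStatusBlock,
    ULONG ShareAccess, ULONG OpenOptions)
{
    NTSTATUS status = NtOpenFileNext(FileHandle, DesiredAccess, ObjectAttributes,
                                     IoStatusBlock, ShareAccess, OpenOptions);
    thread_local bool inHook = false;   // logging must not re-enter this hook
    if (!inHook) {
        inHook = true;
        const UNICODE_STRING* name = ObjectAttributes ? ObjectAttributes->ObjectName : nullptr;
        // Each process runs its own copy of the DLL; the pid shows where the hook fired.
        OutputDebugStringW((FormatOpenFileEvent(GetCurrentProcessId(), name) + L"\n").c_str());
        inHook = false;
    }
    RenewHook((PVOID*) &NtOpenFileNext);
    return status;
}
#endif
```

Lines from processes other than the one under the debugger confirm the injection worked; if only one pid ever appears, the DLL is not being loaded into the other processes.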

Re: NtOpenFile win7 error

Post by Nash70 » Mon Jun 09, 2014 10:50 pm

This makes a lot of sense, many thanks madshi!
Nash70
 
Posts: 14
Joined: Mon Jun 02, 2014 6:50 pm
