I'm still trying, without any luck, to hook NtOpenFile and NtCreateFile system-wide with v3 of madCodeHook on Windows 7 32-bit.
In debug mode the hooks only catch the calls made by my own process. I'm injecting the DLL with dllinjector32.exe (without problems). The same DLL also contains a CreateProcessW hook, and that one works fine.
/*
 * Function pointer with the same signature as NtOpenFileCallback.
 * Its address is passed to HookAPI() in DllMain, and NtOpenFileCallback
 * calls through it to forward the request.
 * NOTE(review): presumably HookAPI() stores the address of the original
 * ntdll routine here; confirm against the madCodeHook documentation.
 */
NTSTATUS (WINAPI *NtOpenFileNext)(
    PHANDLE            FileHandle,
    ACCESS_MASK        DesiredAccess,
    POBJECT_ATTRIBUTES ObjectAttributes,
    PIO_STATUS_BLOCK   IoStatusBlock,
    ULONG              ShareAccess,
    ULONG              OpenOptions);
/*
 * Callback registered for ntdll.dll!NtOpenFile.
 *
 * Forwards all six arguments unchanged through NtOpenFileNext, calls
 * RenewHook() on that pointer, and returns the NTSTATUS produced by the
 * forwarded call. Nothing is inspected, logged or modified here.
 *
 * NOTE(review): RenewHook() is a madCodeHook call; presumably it
 * re-installs the hook if something removed it. Confirm against the
 * library documentation.
 * NOTE(review): every pointer argument is supplied by the caller of
 * NtOpenFile. If inspection logic is added later, validate the pointers
 * before dereferencing them, and avoid work that itself opens files, since
 * that would likely re-enter this callback.
 */
NTSTATUS WINAPI NtOpenFileCallback(PHANDLE FileHandle,
                                   ACCESS_MASK DesiredAccess,
                                   POBJECT_ATTRIBUTES ObjectAttributes,
                                   PIO_STATUS_BLOCK IoStatusBlock,
                                   ULONG ShareAccess,
                                   ULONG OpenOptions)
{
    /* Pass the request through untouched. */
    NTSTATUS status = NtOpenFileNext(FileHandle,
                                     DesiredAccess,
                                     ObjectAttributes,
                                     IoStatusBlock,
                                     ShareAccess,
                                     OpenOptions);

    /* Runs only after the forwarded call has returned. */
    RenewHook((PVOID *)&NtOpenFileNext);

    return status;
}
/*
 * DLL entry point.
 *
 * On DLL_PROCESS_ATTACH: initialises madCodeHook and registers five hooks
 * (CreateProcessA, CreateProcessW and WinExec in kernel32.dll; NtCreateFile
 * and NtOpenFile in ntdll.dll).
 * On DLL_PROCESS_DETACH: finalises madCodeHook.
 * Always returns true, whatever the notification.
 *
 * NOTE(review): each HookAPI() result overwrites the previous one and is
 * never read, so a failed hook installation goes unreported.
 * NOTE(review): this runs inside whichever process loads the DLL. Whether
 * other processes are covered presumably depends on how the DLL is injected
 * into them, which this code does not show.
 * NOTE(review): DllMain executes under the loader lock, so keep the work
 * done here minimal.
 */
BOOL WINAPI DllMain(HANDLE hModule, DWORD fdwReason, LPVOID lpReserved)
{
    switch (fdwReason) {
    case DLL_PROCESS_ATTACH: {
        bool hooked = false;

        InitializeMadCHook();

        /* Process-creation APIs exported by kernel32.dll. */
        hooked = HookAPI("kernel32.dll", "CreateProcessA",
                         CreateProcessACallback, (PVOID *)&CreateProcessANext);
        hooked = HookAPI("kernel32.dll", "CreateProcessW",
                         CreateProcessWCallback, (PVOID *)&CreateProcessWNext);

        /* Native file-open APIs exported by ntdll.dll. */
        hooked = HookAPI("ntdll.dll", "NtCreateFile",
                         NtCreateFileCallback, (PVOID *)&NtCreateFileNext);
        hooked = HookAPI("ntdll.dll", "NtOpenFile",
                         NtOpenFileCallback, (PVOID *)&NtOpenFileNext);

        hooked = HookAPI("kernel32.dll", "WinExec",
                         WinExecCallback, (PVOID *)&WinExecNext);

        /* Author's observation: HookAPI returns true in all cases. */
        break;
    }

    case DLL_PROCESS_DETACH:
        FinalizeMadCHook();
        break;

    default:
        /* Other notifications are ignored. */
        break;
    }

    return true;
}
thanks!