NtOpenFile win7 error

c++ / delphi package - dll injection and api hooking
Nash70
Posts: 14
Joined: Mon Jun 02, 2014 6:50 pm

NtOpenFile win7 error

Post by Nash70 »

Hi,

I'm still trying, without any luck, to system-wide hook NtOpenFile and NtCreateFile with v3 of madCodeHook on Win7 32-bit.

In debug mode it only catches the calls of the process itself. I'm injecting the DLL with DllInjector32.exe (without problems). In the same DLL there is a CreateProcessW hook, and it works fine.

Code:

#include <windows.h>
#include <winternl.h>      // NTSTATUS, OBJECT_ATTRIBUTES, IO_STATUS_BLOCK
#include "madCHook.h"      // madCodeHook v3: InitializeMadCHook, HookAPI, RenewHook, FinalizeMadCHook

// "Next" pointer: HookAPI fills this with a trampoline to the original NtOpenFile.
NTSTATUS (WINAPI *NtOpenFileNext)(
	PHANDLE FileHandle,
	ACCESS_MASK DesiredAccess,
	POBJECT_ATTRIBUTES ObjectAttributes,
	PIO_STATUS_BLOCK IoStatusBlock,
	ULONG ShareAccess,
	ULONG OpenOptions);

// Hook callback: same signature as NtOpenFile; passes the call through unchanged.
NTSTATUS WINAPI NtOpenFileCallback(PHANDLE FileHandle,
	ACCESS_MASK DesiredAccess,
	POBJECT_ATTRIBUTES ObjectAttributes,
	PIO_STATUS_BLOCK IoStatusBlock,
	ULONG ShareAccess,
	ULONG OpenOptions)
{
	NTSTATUS status;

	status = NtOpenFileNext(FileHandle,
		DesiredAccess,
		ObjectAttributes,
		IoStatusBlock,
		ShareAccess,
		OpenOptions);

	// Re-install the hook in case something else overwrote the API's first bytes.
	RenewHook((PVOID*) &NtOpenFileNext);

	return status;
}

// The CreateProcessA/W, NtCreateFile and WinExec callbacks and their *Next
// pointers are defined elsewhere in the same DLL (not shown in this post).

BOOL WINAPI DllMain(HINSTANCE hModule, DWORD fdwReason, LPVOID lpReserved)
{
	if (fdwReason == DLL_PROCESS_ATTACH)
	{
		BOOL b1 = FALSE;
		InitializeMadCHook();
		b1 = HookAPI("kernel32.dll", "CreateProcessA", CreateProcessACallback, (PVOID*) &CreateProcessANext);
		b1 = HookAPI("kernel32.dll", "CreateProcessW", CreateProcessWCallback, (PVOID*) &CreateProcessWNext);
		b1 = HookAPI("ntdll.dll",    "NtCreateFile",   NtCreateFileCallback,   (PVOID*) &NtCreateFileNext);
		b1 = HookAPI("ntdll.dll",    "NtOpenFile",     NtOpenFileCallback,     (PVOID*) &NtOpenFileNext);
		b1 = HookAPI("kernel32.dll", "WinExec",        WinExecCallback,        (PVOID*) &WinExecNext);
		// HookAPI returns true in all cases
	}
	else if (fdwReason == DLL_PROCESS_DETACH)
		FinalizeMadCHook();

	return TRUE;
}
Any recommendation?

Thanks!
madshi
Site Admin
Posts: 10753
Joined: Sun Mar 21, 2004 5:25 pm

Re: NtOpenFile win7 error

Post by madshi »

What is the problem exactly?
Nash70
Posts: 14
Joined: Mon Jun 02, 2014 6:50 pm

Re: NtOpenFile win7 error

Post by Nash70 »

Hi madshi!
madshi wrote: What is the problem exactly?
The NtOpenFile hook seems not to work system-wide; the CreateProcessW hook works without problem.

:S
madshi
Site Admin
Posts: 10753
Joined: Sun Mar 21, 2004 5:25 pm

Re: NtOpenFile win7 error

Post by madshi »

How do you know it's not working system wide?
Nash70
Posts: 14
Joined: Mon Jun 02, 2014 6:50 pm

Re: NtOpenFile win7 error

Post by Nash70 »

Well, I'm not sure, but I think the hook only collects the calls of the process itself. The debugger only stops at the calls to NtOpenFile made by the process itself. With CreateProcessW it stops at every call. I guess I'm doing something wrong but don't see it.
madshi
Site Admin
Posts: 10753
Joined: Sun Mar 21, 2004 5:25 pm

Re: NtOpenFile win7 error

Post by madshi »

The debugger only shows API calls that are made by the process you're debugging. In Windows every process is totally separate from the other processes. In order to do system wide API hooking madCodeHook loads a copy of your hook dll into every running process. The CreateProcessW hook should also only work for APIs which are called by the process you're debugging. Please note that the key is the process which is calling the API. It doesn't matter which process CreateProcessW is "creating".
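A practical way to check the point made above, as an added example that is not code from the original post or from madCodeHook's own samples: instead of watching one process in the debugger, have the hook callback stamp its own process ID onto a log line and hand it to OutputDebugString, which a collector such as DebugView receives from every process the DLL was injected into. If lines with other pids appear, the hook is system-wide. It assumes madCodeHook v3 with "madCHook.h" on the include path (the same InitializeMadCHook/HookAPI/FinalizeMadCHook calls the post uses); the helper names NarrowObjectName and FormatHookLine are illustrative. The two helpers are portable and compile anywhere; only the hook and DllMain need Windows.

```cpp
// Added example: not code from the original post or from madCodeHook's own
// samples. Assumptions: madCodeHook v3 with "madCHook.h" on the include path;
// NarrowObjectName and FormatHookLine are illustrative helper names.
#include <cstddef>
#include <cstdio>
#include <string>

#ifdef _WIN32
#include <windows.h>
#include <winternl.h>
#include "madCHook.h"
#endif

// UNICODE_STRING::Buffer is not guaranteed to be NUL-terminated and Length is
// in BYTES, so copy exactly Length/sizeof(wchar_t) code units and never read
// further. Non-ASCII code units are folded to '?' to keep the log ASCII-only.
std::string NarrowObjectName(const wchar_t* buffer, size_t lengthBytes)
{
    std::string out;
    if (buffer == nullptr)
        return out;
    const size_t count = lengthBytes / sizeof(wchar_t);
    out.reserve(count);
    for (size_t i = 0; i < count; ++i) {
        const unsigned int c = static_cast<unsigned int>(buffer[i]);
        out.push_back(c < 0x80 ? static_cast<char>(c) : '?');
    }
    return out;
}

// One log line per call: "[pid N] <api> status=0x........ <path>". The pid is
// the point of the exercise: lines from other pids prove the hook is active in
// other processes. A fixed buffer bounds the work done inside the hook; snprintf
// truncates an overly long path instead of overflowing.
std::string FormatHookLine(unsigned long pid, const char* api, long status,
                           const std::string& path)
{
    char line[512];
    std::snprintf(line, sizeof(line), "[pid %lu] %s status=0x%08lx %s",
                  pid, api, static_cast<unsigned long>(status) & 0xFFFFFFFFul,
                  path.c_str());
    return std::string(line);
}

#ifdef _WIN32
NTSTATUS (WINAPI *NtOpenFileNext)(PHANDLE, ACCESS_MASK, POBJECT_ATTRIBUTES,
                                  PIO_STATUS_BLOCK, ULONG, ULONG);

NTSTATUS WINAPI NtOpenFileCallback(PHANDLE FileHandle, ACCESS_MASK DesiredAccess,
                                   POBJECT_ATTRIBUTES ObjectAttributes,
                                   PIO_STATUS_BLOCK IoStatusBlock,
                                   ULONG ShareAccess, ULONG OpenOptions)
{
    // Call the original first so the status can be logged as well.
    NTSTATUS status = NtOpenFileNext(FileHandle, DesiredAccess, ObjectAttributes,
                                     IoStatusBlock, ShareAccess, OpenOptions);

    // ObjectName can be NULL or empty for relative opens (RootDirectory set),
    // so guard every dereference.
    std::string path;
    if (ObjectAttributes != nullptr && ObjectAttributes->ObjectName != nullptr)
        path = NarrowObjectName(ObjectAttributes->ObjectName->Buffer,
                                ObjectAttributes->ObjectName->Length);
    if (path.empty())
        path = "(no ObjectName)";

    // OutputDebugString does not open files, so it cannot re-enter this hook
    // the way fopen/CreateFile from inside an NtOpenFile hook would.
    OutputDebugStringA(FormatHookLine(GetCurrentProcessId(), "NtOpenFile",
                                      status, path).c_str());
    return status;
}

BOOL WINAPI DllMain(HINSTANCE, DWORD fdwReason, LPVOID)
{
    if (fdwReason == DLL_PROCESS_ATTACH) {
        InitializeMadCHook();
        HookAPI("ntdll.dll", "NtOpenFile", (PVOID) NtOpenFileCallback,
                (PVOID*) &NtOpenFileNext);
    } else if (fdwReason == DLL_PROCESS_DETACH) {
        FinalizeMadCHook();
    }
    return TRUE;
}
#endif
```

Inject the DLL as before, start DebugView with "Capture Win32" enabled, then open a file in any unrelated program (e.g. Notepad): the "[pid ...]" prefix on the resulting lines is that program's pid, not the debugged process's, which is the observation the debugger alone cannot give. NtOpenFile is called constantly by every process, so expect a high volume of lines; this is for verification, not for a production logger.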
Nash70
Posts: 14
Joined: Mon Jun 02, 2014 6:50 pm

Re: NtOpenFile win7 error

Post by Nash70 »

This makes a lot of sense, many thanks madshi!