FileName from NtCreateSection

Posted: Thu Sep 20, 2007 1:56 pm
by Sagat
Hello everyone,

I'm trying to hook NtCreateSection in ntdll.dll. In C++ the API function is defined as follows:

NTSTATUS NTAPI NtCreateSection(
    OUT PHANDLE SectionHandle,
    IN ULONG DesiredAccess,
    IN POBJECT_ATTRIBUTES ObjectAttributes OPTIONAL,
    IN PLARGE_INTEGER MaximumSize OPTIONAL,
    IN ULONG PageAttributes,
    IN ULONG SectionAttributes,
    IN HANDLE FileHandle OPTIONAL );

(I can program in Delphi and C++, if that matters)

Well, I hooked that function successfully. The hook is really working, but how do I get the filename out of this function? I mean the name (and path) of the file that is about to be started via NtCreateSection. I really don't know whether I have to get the filename out of the FileHandle or the SectionHandle parameter, or from somewhere else.

Thanks for any answer

Posted: Thu Sep 20, 2007 3:52 pm
by Sagat
Ok, I found an answer. Using the code from http://forum.madshi.net/viewtopic.php?t=1736, except with NtQueryObject instead of ZwQueryObject, it works just fine.

Thanks to the author of the above-mentioned thread.

Posted: Fri Sep 21, 2007 5:30 pm
by Sagat
There's something I couldn't figure out: how can I get the file that is about to be opened from NtCreateSection?

I mean the following: With my hook I can catch notepad.exe, cmd.exe, but I cannot tell which file they want to open (e.g. test.txt, hallo.bat).

Is this a disadvantage of NtCreateSection? Or is this name stored somewhere?

Posted: Wed Sep 26, 2007 8:41 am
by madshi
I'm not sure myself. It's quite possible that the command line parameters are stored "into" the new process only after NtCreateSection.
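As an added example (not code from this thread or from madshi's libraries), here is the step the second post relies on, written in Delphi since the poster mentions it: the FileHandle argument of the hooked NtCreateSection is resolved to its NT path with NtQueryObject(ObjectNameInformation), retrying once with the size ntdll reports when the first buffer is too small. The name it returns is that of the file being mapped, i.e. the image such as notepad.exe; a document like test.txt is opened later by the new process itself, so it cannot be read from this call. The function name FileNameFromHandle and the 1024-byte first buffer are this example's own choices.

```delphi
uses Windows;
type
  NTSTATUS = Integer;
  UNICODE_STRING = record
    Length, MaximumLength: Word;   // Length counts bytes, not characters
    Buffer: PWideChar;
  end;
  POBJECT_NAME_INFORMATION = ^OBJECT_NAME_INFORMATION;
  OBJECT_NAME_INFORMATION = record
    Name: UNICODE_STRING;
  end;
  TNtQueryObject = function(Handle: THandle; InfoClass: DWORD; Info: Pointer;
    InfoLength: ULONG; ReturnLength: PULONG): NTSTATUS; stdcall;
const
  ObjectNameInformation       = 1;
  STATUS_SUCCESS              = NTSTATUS($00000000);
  STATUS_BUFFER_OVERFLOW      = NTSTATUS($80000005);
  STATUS_INFO_LENGTH_MISMATCH = NTSTATUS($C0000004);

// Resolve the FileHandle seen inside an NtCreateSection hook to its NT path, e.g.
// '\Device\HarddiskVolume1\...\notepad.exe'; returns '' if there is no handle or the query fails.
function FileNameFromHandle(FileHandle: THandle): WideString;
var
  NtQueryObject: TNtQueryObject;
  Info: POBJECT_NAME_INFORMATION;
  Size, Needed: ULONG;
  Status: NTSTATUS;
  Attempt: Integer;
begin
  Result := '';
  if (FileHandle = 0) or (FileHandle = INVALID_HANDLE_VALUE) then Exit;
  NtQueryObject := TNtQueryObject(GetProcAddress(GetModuleHandle('ntdll.dll'), 'NtQueryObject'));
  if not Assigned(NtQueryObject) then Exit;
  Size := 1024;   // first guess; long paths make ntdll ask for more
  for Attempt := 1 to 2 do
  begin
    GetMem(Info, Size);
    try
      Needed := 0;
      Status := NtQueryObject(FileHandle, ObjectNameInformation, Info, Size, @Needed);
      if Status = STATUS_SUCCESS then
        SetString(Result, Info^.Name.Buffer, Info^.Name.Length div SizeOf(WideChar));
    finally
      FreeMem(Info);
    end;
    // ntdll reports the size it needs; retry once with exactly that buffer
    if ((Status <> STATUS_BUFFER_OVERFLOW) and (Status <> STATUS_INFO_LENGTH_MISMATCH))
      or (Needed = 0) then Exit;
    Size := Needed;
  end;
end;
```

Call it from the hook callback before passing the call on to the original NtCreateSection; the result is an NT device path, not a drive-letter path, so map it with QueryDosDevice if a Win32 path is wanted.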