FileName from NtCreateSection
Posted: Thu Sep 20, 2007 1:56 pm
Hello everyone,
I'm trying to hook NtCreateSection in ntdll.dll. In C++ the API function is defined as follows:
NTSTATUS NTAPI NtCreateSection(
    OUT PHANDLE SectionHandle,
    IN ULONG DesiredAccess,
    IN POBJECT_ATTRIBUTES ObjectAttributes OPTIONAL,
    IN PLARGE_INTEGER MaximumSize OPTIONAL,
    IN ULONG PageAttributess,
    IN ULONG SectionAttributes,
    IN HANDLE FileHandle OPTIONAL );
(I can program in Delphi and C++, if that matters)
Well, I hooked that function successfully. The hook is really working, but how do I get the filename out of this function? I mean the name (and path) of the file that wants to start due to NtCreateSection. I really don't know if I have to get the filename out of the variable FileHandle or SectionHandle, or something else.
Thanks for any answer