trying to hook ntSetInfomationFile, but explorer is crashing
Posted: Thu Jul 30, 2009 11:29 am
hello,
im having a problem with hooking ntSetInformationFile. Im trying to prevent certain files from being deleted. im on Vista 32 bit.
so im doing this:
NtSetInformationFileNext is defined as:
then all my callback does (for now) is:
then when i inject and try to delted a file from the desktop, explorer crashes.
the only thing in my code that needs to be mentioned is that i dont have the DDK, so things like FILE_INFORMATION_CLASS and IO_STATUS_BLOCK are not in any win32 header file, i have had to create them myself. but i got them from MSDN so these should be correct. also, the function returns NTSTATUS, but this is also in the DDK somewhere. but this is defined as ULONG so i have declared it as ULONG in my code.
other than that im just forwarding on the function call. but explorer.exe crashes (access violation).
has anyone successfully managed to hook this function in vista ? and if so can you see anything wrong with my code ?
im having a problem with hooking ntSetInformationFile. Im trying to prevent certain files from being deleted. im on Vista 32 bit.
so im doing this:
Code: Select all
HookAPI("ntdll.dll","NtSetInformationFile",NtSetInformationFileCallback,(PVOID*)&NtSetInformationFileNext);
Code: Select all
ULONG (WINAPI *NtSetInformationFileNext) (HANDLE FileHandle, PIO_STATUS_BLOCK IoStatusBlock, PVOID FileInformation, ULONG Length, FILE_INFORMATION_CLASS FileInformationClass);
Code: Select all
ULONG NtSetInformationFileCallback(HANDLE FileHandle, PIO_STATUS_BLOCK IoStatusBlock, PVOID FileInformation, ULONG Length, FILE_INFORMATION_CLASS FileInformationClass)
{
ULONG ret = NtSetInformationFileNext(FileHandle, IoStatusBlock, FileInformation, Length, FileInformationClass);
return ret;
}
the only thing in my code that needs to be mentioned is that i dont have the DDK, so things like FILE_INFORMATION_CLASS and IO_STATUS_BLOCK are not in any win32 header file, i have had to create them myself. but i got them from MSDN so these should be correct. also, the function returns NTSTATUS, but this is also in the DDK somewhere. but this is defined as ULONG so i have declared it as ULONG in my code.
other than that im just forwarding on the function call. but explorer.exe crashes (access violation).
has anyone successfully managed to hook this function in vista ? and if so can you see anything wrong with my code ?