Hello everyone,
I'm trying to hook NtCreateSection in ntdll.dll. In C++ the API function is defined as follows:
NTSTATUS NTAPI NtCreateSection(
    OUT PHANDLE SectionHandle,
    IN ULONG DesiredAccess,
    IN POBJECT_ATTRIBUTES ObjectAttributes OPTIONAL,
    IN PLARGE_INTEGER MaximumSize OPTIONAL,
    IN ULONG PageAttributes,
    IN ULONG SectionAttributes,
    IN HANDLE FileHandle OPTIONAL );
(I can program in Delphi and C++, if that matters)
Well, I hooked that function successfully. The hook is really working, but how do I get the filename out of this function? I mean the name (and path) of the file that wants to start due to NtCreateSection. I really don't know if I have to get the filename out of the variable FileHandle or SectionHandle, or what else.
Thanks for any answer.
FileName from NtCreateSection
Ok, I found an answer. Using the code from viewtopic.php?t=1736, except using NtQueryObject instead of ZwQueryObject, it is working just fine,
thanks to the author of the above-mentioned thread.
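Resolving the path behind the FileHandle that reaches an NtCreateSection hook, as an added example in Delphi (not code from this thread or from the linked topic): it declares NtQueryObject and ObjectNameInformation by hand, retries when ntdll reports the buffer is too small, and treats a null handle (a pagefile-backed section) as "no file". The returned name is the NT device path (e.g. \Device\HarddiskVolume1\...), not a Win32 path.

```delphi
unit HandlePath;

interface

uses
  Windows;

// Returns the NT object name of a file handle, or '' if it cannot be resolved.
function GetHandleNtPath(H: THandle): WideString;

implementation

type
  NTSTATUS = LongInt;
  UNICODE_STRING = record
    Length: Word;          // byte count, not character count
    MaximumLength: Word;
    Buffer: PWideChar;
  end;
  OBJECT_NAME_INFORMATION = record
    Name: UNICODE_STRING;  // the string data follows the record in the same buffer
  end;
  POBJECT_NAME_INFORMATION = ^OBJECT_NAME_INFORMATION;

const
  ObjectNameInformation = 1;
  STATUS_SUCCESS = NTSTATUS($00000000);
  STATUS_INFO_LENGTH_MISMATCH = NTSTATUS($C0000004);
  STATUS_BUFFER_OVERFLOW = NTSTATUS($80000005);

// Undocumented ntdll export; declared here by hand (assumption: stdcall, same
// parameter order as ZwQueryObject used in the linked thread).
function NtQueryObject(Handle: THandle; ObjectInformationClass: Integer;
  ObjectInformation: Pointer; ObjectInformationLength: ULONG;
  ReturnLength: PULONG): NTSTATUS; stdcall; external 'ntdll.dll';

function GetHandleNtPath(H: THandle): WideString;
var
  Info: POBJECT_NAME_INFORMATION;
  Size, Needed: ULONG;
  Status: NTSTATUS;
  Attempt: Integer;
begin
  Result := '';
  // NtCreateSection is called with FileHandle = 0 for pagefile-backed sections.
  if (H = 0) or (H = INVALID_HANDLE_VALUE) then Exit;
  Size := 1024;
  for Attempt := 1 to 3 do
  begin
    GetMem(Info, Size);
    try
      Needed := 0;
      Status := NtQueryObject(H, ObjectNameInformation, Info, Size, @Needed);
      if Status = STATUS_SUCCESS then
      begin
        if Info^.Name.Buffer <> nil then
          SetString(Result, Info^.Name.Buffer, Info^.Name.Length div SizeOf(WideChar));
        Exit;
      end;
      // Too small: ntdll tells us the size it needs; any other failure is final.
      if ((Status <> STATUS_INFO_LENGTH_MISMATCH) and (Status <> STATUS_BUFFER_OVERFLOW))
        or (Needed <= Size) then Exit;
      Size := Needed;
    finally
      FreeMem(Info);
    end;
  end;
end;

end.
```

Note that the handle given to NtCreateSection names the file being mapped (for a new process, the executable image itself), so this resolves notepad.exe rather than the document notepad later opens.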
There's something I couldn't figure out: How can I get the file that is to be opened from NtCreateSection?
I mean the following: With my hook I can catch notepad.exe, cmd.exe, but I cannot tell which file they want to open (e.g. test.txt, hallo.bat).
Is this a disadvantage of NtCreateSection? Or is this name stored somewhere?