FileName from NtCreateSection

c++ / delphi package - dll injection and api hooking

Postby Sagat » Thu Sep 20, 2007 1:56 pm

Hello altogether,

I'm trying to hook NtCreateSection in ntdll.dll. In C++ the API function is defined as follows:

NTSTATUS NTAPI NtCreateSection(
    OUT PHANDLE SectionHandle,
    IN ULONG DesiredAccess,
    IN POBJECT_ATTRIBUTES ObjectAttributes OPTIONAL,
    IN PLARGE_INTEGER MaximumSize OPTIONAL,
    IN ULONG PageAttributes,
    IN ULONG SectionAttributes,
    IN HANDLE FileHandle OPTIONAL );

(I can program in delphi and c++, if that matters)

Well, I hooked that function successfully. The hook is really working, but how do I get the filename out of this function? I mean the name (and path) of the file that wants to start due to NtCreateSection. I really don't know whether I have to get the filename out of the variable FileHandle or SectionHandle, or what else.

Thanks for any answer
Sagat
 
Posts: 7
Joined: Fri Sep 14, 2007 12:12 pm

Postby Sagat » Thu Sep 20, 2007 3:52 pm

OK, I found an answer. Using the code from here http://forum.madshi.net/viewtopic.php?t=1736, except using NtQueryObject instead of ZwQueryObject, it is just working fine.

thanks to the author of the above mentioned thread.
Sagat
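The approach Sagat arrived at, as an added example that is not code from this thread or from madshi: a madCodeHook-style hook on ntdll!NtCreateSection whose callback resolves the NT path behind FileHandle with NtQueryObject(ObjectNameInformation). It assumes madCodeHook's Delphi HookAPI(module, api, callback, @nextVar) entry point; the NtCreateSection parameter names (SectionPageProtection, AllocationAttributes) and the minimal ntdll declarations are the example's own, and the SEC_IMAGE filter and buffer-size retry are additions of this example.

```delphi
// Added example, not code from the thread or from madshi: a madCodeHook-style
// hook on ntdll!NtCreateSection that resolves the NT path behind FileHandle.
// Assumes madCodeHook's Delphi HookAPI(module, api, callback, @nextVar); the
// ntdll declarations below are this example's own minimal versions (assumption).
unit NtCreateSectionHook;

interface

uses
  Windows, madCodeHook;

function FileNameFromHandle(FileHandle: THandle): WideString;
procedure InstallNtCreateSectionHook;

implementation

type
  NTSTATUS = LongInt;

  // UNICODE_STRING: Length is in BYTES and Buffer is not NUL-terminated
  TUnicodeString = record
    Length: Word;
    MaximumLength: Word;
    Buffer: PWideChar;
  end;

  // OBJECT_NAME_INFORMATION; the string's characters follow the record
  TObjectNameInformation = record
    Name: TUnicodeString;
  end;
  PObjectNameInformation = ^TObjectNameInformation;

  TNtCreateSection = function(out SectionHandle: THandle; DesiredAccess: ULONG;
    ObjectAttributes: Pointer; MaximumSize: PLargeInteger;
    SectionPageProtection, AllocationAttributes: ULONG;
    FileHandle: THandle): NTSTATUS; stdcall;

const
  ObjectNameInformation       = 1;
  STATUS_SUCCESS              = NTSTATUS($00000000);
  STATUS_BUFFER_OVERFLOW      = NTSTATUS($80000005);
  STATUS_INFO_LENGTH_MISMATCH = NTSTATUS($C0000004);
  SEC_IMAGE                   = $01000000;  // AllocationAttributes: PE image mapping

function NtQueryObject(Handle: THandle; ObjectInformationClass: ULONG;
  ObjectInformation: Pointer; ObjectInformationLength: ULONG;
  ReturnLength: PULONG): NTSTATUS; stdcall; external 'ntdll.dll';

var
  NtCreateSectionNext: TNtCreateSection;  // filled in by HookAPI

// Returns the NT path ('\Device\HarddiskVolume2\...') of FileHandle, or ''
// when FileHandle is 0 (pagefile-backed section) or the query fails.
function FileNameFromHandle(FileHandle: THandle): WideString;
var
  buf: Pointer;
  len, ret: ULONG;
  status: NTSTATUS;
  oni: PObjectNameInformation;
  attempt: Integer;
begin
  Result := '';
  if FileHandle = 0 then
    Exit;
  len := 512;
  for attempt := 1 to 3 do
  begin
    GetMem(buf, len);
    try
      ret := 0;
      status := NtQueryObject(FileHandle, ObjectNameInformation, buf, len, @ret);
      if status = STATUS_SUCCESS then
      begin
        oni := buf;
        // copy exactly Length bytes worth of WideChars; there is no terminator
        SetString(Result, oni.Name.Buffer, oni.Name.Length div SizeOf(WideChar));
        Exit;
      end;
    finally
      FreeMem(buf);
    end;
    // ntdll reports the size it needs in ReturnLength; retry with that, else give up
    if ((status <> STATUS_INFO_LENGTH_MISMATCH) and (status <> STATUS_BUFFER_OVERFLOW))
       or (ret <= len) then
      Exit;
    len := ret;
  end;
end;

function NtCreateSectionCallback(out SectionHandle: THandle; DesiredAccess: ULONG;
  ObjectAttributes: Pointer; MaximumSize: PLargeInteger;
  SectionPageProtection, AllocationAttributes: ULONG;
  FileHandle: THandle): NTSTATUS; stdcall;
var
  name: WideString;
begin
  // SectionHandle is an OUT parameter and holds nothing yet; the file is
  // identified by FileHandle. SEC_IMAGE marks an executable image being
  // mapped (process start / DLL load) as opposed to a plain data mapping.
  if (FileHandle <> 0) and ((AllocationAttributes and SEC_IMAGE) <> 0) then
  begin
    name := FileNameFromHandle(FileHandle);
    if name <> '' then
      OutputDebugStringW(PWideChar('NtCreateSection image: ' + name));
  end;
  // always forward to the original; never swallow the call
  Result := NtCreateSectionNext(SectionHandle, DesiredAccess, ObjectAttributes,
    MaximumSize, SectionPageProtection, AllocationAttributes, FileHandle);
end;

procedure InstallNtCreateSectionHook;
begin
  HookAPI('ntdll.dll', 'NtCreateSection', @NtCreateSectionCallback, @NtCreateSectionNext);
end;

end.
```

Call InstallNtCreateSectionHook from the injected DLL's initialization. Two caveats: the name comes back as an NT device path, not a Win32 path, so map it (e.g. via QueryDosDevice) if you need C:\...; and a SEC_IMAGE section for notepad.exe only tells you which image is being mapped, it carries nothing about a document such as test.txt, which reaches the new process through its command line rather than through this call.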

Postby Sagat » Fri Sep 21, 2007 5:30 pm

There's something I couldn't figure out: how can I get the file that is about to be opened from NtCreateSection?

I mean the following: with my hook I can catch notepad.exe and cmd.exe, but I cannot tell which file they want to open (e.g. test.txt, hallo.bat).

Is this a disadvantage of NtCreateSection? Or is this name stored somewhere?
Sagat

Postby madshi » Wed Sep 26, 2007 8:41 am

I'm not sure myself. It's quite possible that the command line parameters are stored "into" the new process only after NtCreateSection.
madshi
Site Admin
 
Posts: 9408
Joined: Sun Mar 21, 2004 5:25 pm

