FileName from NtCreateSection

c++ / delphi package - dll injection and api hooking
Sagat
Posts: 7
Joined: Fri Sep 14, 2007 12:12 pm

Post by Sagat »

Hello everyone,

I'm trying to hook NtCreateSection in ntdll.dll. In C++ the API function is defined as follows:

NTSTATUS NTAPI NtCreateSection(
    OUT PHANDLE SectionHandle,
    IN ULONG DesiredAccess,
    IN POBJECT_ATTRIBUTES ObjectAttributes OPTIONAL,
    IN PLARGE_INTEGER MaximumSize OPTIONAL,
    IN ULONG PageAttributes,
    IN ULONG SectionAttributes,
    IN HANDLE FileHandle OPTIONAL );

(I can program in Delphi and C++, if that matters.)

Well, I hooked that function successfully. The hook is really working, but how do I get the file name out of this function? I mean the name (and path) of the file that wants to start due to NtCreateSection. I really don't know whether I have to get the file name out of the FileHandle parameter or the SectionHandle parameter, or something else.

Thanks for any answer
Sagat
Posts: 7
Joined: Fri Sep 14, 2007 12:12 pm

Post by Sagat »

OK, I found an answer. Using the code from viewtopic.php?t=1736, except using NtQueryObject instead of ZwQueryObject, it is just working fine;

thanks to the author of the above-mentioned thread.
Sagat
Posts: 7
Joined: Fri Sep 14, 2007 12:12 pm

Post by Sagat »

There's something I couldn't figure out: how can I get the file that is about to be opened from NtCreateSection?

I mean the following: with my hook I can catch notepad.exe and cmd.exe, but I cannot tell which file they want to open (e.g. test.txt, hallo.bat).

Is this a disadvantage of NtCreateSection? Or is this name stored somewhere?
madshi
Site Admin
Posts: 10753
Joined: Sun Mar 21, 2004 5:25 pm

Post by madshi »

I'm not sure myself. It's quite possible that the command line parameters are stored "into" the new process only after NtCreateSection.
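The following is an added example for this thread; it is not code posted by Sagat or madshi and not part of madCodeHook. It shows the approach Sagat settled on in the second post (NtQueryObject on the FileHandle that NtCreateSection receives) written out as a hook callback, including the two-step size query that NtQueryObject expects. The hook callback and the real NtQueryObject are compiled only on Windows; the size negotiation and UNICODE_STRING decoding are kept portable so they can be exercised off-Windows with the constructed sample query at the bottom. The hook-installation call assumes madCodeHook's C API (HookAPI with a "next hook" trampoline pointer); any other inline-hooking library is used the same way. Handle value 0x1c, the sample path and the function names are all made up for the example.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

#ifdef _WIN32
#include <windows.h>
#include <winternl.h>
#include "madCHook.h"   /* assumption: madCodeHook's C header, for HookAPI() */
#else
/* Stand-ins for the NT types used below, for the non-Windows build only. */
typedef long NTSTATUS;
typedef void *HANDLE;
typedef uint32_t ULONG;
typedef uint16_t USHORT;
typedef uint16_t WCHAR;
typedef struct _UNICODE_STRING { USHORT Length; USHORT MaximumLength; WCHAR *Buffer; } UNICODE_STRING;
#endif

/* NTSTATUS values, prefixed so they never clash with ntstatus.h. */
#define NT_OK                   ((NTSTATUS)0x00000000L)
#define NT_BUFFER_OVERFLOW      ((NTSTATUS)0x80000005L)
#define NT_INFO_LENGTH_MISMATCH ((NTSTATUS)0xC0000004L)
#define NT_BUFFER_TOO_SMALL     ((NTSTATUS)0xC0000023L)

/* Layout of the ObjectNameInformation buffer: a UNICODE_STRING whose Buffer
   points at the characters stored right after it in the same allocation. */
typedef struct { UNICODE_STRING Name; } NtObjectName;

/* Any function with NtQueryObject(h, ObjectNameInformation, ...) semantics. */
typedef NTSTATUS (*NameQueryFn)(HANDLE h, void *buf, ULONG cb, ULONG *needed);

/* Ask for the size, allocate, ask again. Returns a malloc'd narrow copy of the
   NT path ("" for unnamed objects, '?' for non-ASCII), or NULL on failure. */
char *ResolveObjectName(NameQueryFn query, HANDLE h)
{
    void *buf = NULL;
    ULONG cb = 0, needed = 0;
    for (int attempt = 0; attempt < 3; attempt++) {        /* a name that keeps growing ends the loop */
        NTSTATUS st = query(h, buf, cb, &needed);
        if (st == NT_OK) {
            if (buf == NULL) return NULL;                  /* success with no buffer makes no sense */
            const NtObjectName *info = (const NtObjectName *)buf;
            size_t n = info->Name.Length / sizeof(WCHAR);  /* Length is in bytes, not characters */
            char *out = malloc(n + 1);
            if (out != NULL) {
                for (size_t i = 0; i < n; i++)
                    out[i] = info->Name.Buffer[i] < 0x80 ? (char)info->Name.Buffer[i] : '?';
                out[n] = '\0';
            }
            free(buf);
            return out;
        }
        free(buf);
        buf = NULL;
        if (st != NT_INFO_LENGTH_MISMATCH && st != NT_BUFFER_OVERFLOW && st != NT_BUFFER_TOO_SMALL)
            return NULL;                                   /* invalid handle, access denied, ... */
        if (needed <= cb || needed < sizeof(NtObjectName))
            return NULL;                                   /* no usable size was reported */
        cb = needed;
        buf = calloc(1, cb);
        if (buf == NULL) return NULL;
    }
    free(buf);
    return NULL;
}

/* Convenience for checks: 1 if the handle resolves to exactly `expected`. */
int ObjectNameEquals(NameQueryFn query, HANDLE h, const char *expected)
{
    char *name = ResolveObjectName(query, h);
    int same = name != NULL && strcmp(name, expected) == 0;
    free(name);
    return same;
}

#ifdef _WIN32
typedef NTSTATUS (NTAPI *NtQueryObject_t)(HANDLE, OBJECT_INFORMATION_CLASS, PVOID, ULONG, PULONG);
typedef NTSTATUS (NTAPI *NtCreateSection_t)(PHANDLE, ACCESS_MASK, POBJECT_ATTRIBUTES,
                                            PLARGE_INTEGER, ULONG, ULONG, HANDLE);
static NtQueryObject_t   pNtQueryObject;      /* resolved from ntdll in InstallNtCreateSectionHook */
static NtCreateSection_t NtCreateSectionNext; /* trampoline to the original, filled in by HookAPI */

static NTSTATUS NtQueryObjectName(HANDLE h, void *buf, ULONG cb, ULONG *needed)
{
    /* ObjectNameInformation is 1; winternl.h's enum leaves it out, hence the cast. */
    return pNtQueryObject(h, (OBJECT_INFORMATION_CLASS)1, buf, cb, needed);
}

/* Hook callback with NtCreateSection's signature. Keep it lean: it runs under the
   loader lock while DLLs are mapped, so never do anything here that maps a section
   itself (LoadLibrary etc.), or the hook recurses into itself. */
NTSTATUS NTAPI NtCreateSectionCallback(PHANDLE SectionHandle, ACCESS_MASK DesiredAccess,
    POBJECT_ATTRIBUTES ObjectAttributes, PLARGE_INTEGER MaximumSize,
    ULONG PageAttributes, ULONG SectionAttributes, HANDLE FileHandle)
{
    /* Pagefile-backed sections pass FileHandle == NULL; SEC_IMAGE marks an EXE/DLL
       being mapped for execution, which is what the thread wants to catch. */
    if (FileHandle != NULL && (SectionAttributes & SEC_IMAGE) != 0) {
        char *name = ResolveObjectName(NtQueryObjectName, FileHandle);
        if (name != NULL) { OutputDebugStringA(name); free(name); }   /* NT path, e.g. \Device\HarddiskVolume1\... */
    }
    return NtCreateSectionNext(SectionHandle, DesiredAccess, ObjectAttributes, MaximumSize,
                               PageAttributes, SectionAttributes, FileHandle);
}

BOOL InstallNtCreateSectionHook(void)
{
    HMODULE ntdll = GetModuleHandleA("ntdll.dll");
    pNtQueryObject = ntdll ? (NtQueryObject_t)GetProcAddress(ntdll, "NtQueryObject") : NULL;
    return pNtQueryObject != NULL &&
           HookAPI("ntdll.dll", "NtCreateSection", (PVOID)NtCreateSectionCallback,
                   (PVOID *)&NtCreateSectionNext, 0);
}
#endif

/* Constructed sample (not a real handle): mimics NtQueryObject(ObjectNameInformation)
   for handle 0x1c, including the size-only first call. Lets the helper run off-Windows. */
static const char kSamplePath[] = "\\Device\\HarddiskVolume1\\Windows\\notepad.exe";

NTSTATUS SampleQueryObjectName(HANDLE h, void *buf, ULONG cb, ULONG *needed)
{
    size_t n = strlen(kSamplePath);
    if ((uintptr_t)h != 0x1c) return (NTSTATUS)0xC0000008L;   /* STATUS_INVALID_HANDLE */
    *needed = (ULONG)(sizeof(NtObjectName) + (n + 1) * sizeof(WCHAR));
    if (cb < *needed) return NT_INFO_LENGTH_MISMATCH;
    NtObjectName *info = (NtObjectName *)buf;
    WCHAR *chars = (WCHAR *)(info + 1);
    for (size_t i = 0; i <= n; i++) chars[i] = (WCHAR)(unsigned char)kSamplePath[i];
    info->Name.Length = (USHORT)(n * sizeof(WCHAR));
    info->Name.MaximumLength = (USHORT)((n + 1) * sizeof(WCHAR));
    info->Name.Buffer = chars;
    return NT_OK;
}
```

Two caveats a practitioner will hit. The name comes back as an NT device path (\Device\HarddiskVolume1\...), not a Win32 path; map the prefix to a drive letter with QueryDosDeviceW if you need C:\..., or query NtQueryInformationFile with FileNameInformation instead, which returns the volume-relative part. And NtQueryObject can block on a named-pipe handle that has a synchronous operation pending; that cannot happen for a file handle about to be mapped as a section, but it matters if the same helper is reused for arbitrary handles. On the later question in this thread, madshi's suspicion is right: the command line is not among NtCreateSection's parameters at all. The parent maps the image section first and only afterwards writes the child's process parameters, command line included, into the new process, so there is nothing to read from inside this hook; hook process creation in the parent (CreateProcessW, or NtCreateUserProcess on Vista and later) to see which document notepad.exe or cmd.exe was started with. A file that notepad then opens is never mapped with SEC_IMAGE either; it goes through NtCreateFile and NtReadFile, so hooking NtCreateFile is the way to see test.txt.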