I'm sorry, my question is so rough.
    NTSTATUS(NTAPI *OrignalNtCreateKey)(
        PHANDLE KeyHandle,
        ACCESS_MASK DesiredAccess,
        POBJECT_ATTRIBUTES ObjectAttributes,
        ULONG TitleIndex,
        PUNICODE_STRING Class,
        ULONG CreateOptions,
        PULONG Disposition
    );
That is OrignalNtCreateKey, and the 3rd param is a static function.
    static NTSTATUS WINAPI HookNtCreateKey(
        _Out_ PHANDLE KeyHandle,
        _In_ ACCESS_MASK DesiredAccess,
        _In_ POBJECT_ATTRIBUTES ObjectAttributes,
        _Reserved_ ULONG TitleIndex,
        _In_opt_ PUNICODE_STRING Class,
        _In_ ULONG CreateOptions,
        _Out_opt_ PULONG Disposition
    );
    NTSTATUS NTAPI CHookRegistry::HookNtCreateKey(
        _Out_ PHANDLE KeyHandle,
        _In_ ACCESS_MASK DesiredAccess,
        _In_ POBJECT_ATTRIBUTES ObjectAttributes,
        _Reserved_ ULONG TitleIndex,
        _In_opt_ PUNICODE_STRING Class,
        _In_ ULONG CreateOptions,
        _Out_opt_ PULONG Disposition
    )
    {
        // ObjectName is a UNICODE_STRING: Buffer is not guaranteed to be
        // NUL-terminated, so build the CString from Buffer and Length
        // (Length is in bytes) instead of treating Buffer as a C string.
        // Also guard against a missing ObjectAttributes or ObjectName.
        CString name;
        if (ObjectAttributes != NULL && ObjectAttributes->ObjectName != NULL
            && ObjectAttributes->ObjectName->Buffer != NULL)
        {
            name = CString(ObjectAttributes->ObjectName->Buffer,
                           ObjectAttributes->ObjectName->Length / sizeof(WCHAR));
        }
        //OutputDebugString(_T("DLL Hooked NtCreateKey!\n"));
        if (name.Find(_T("SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Schedule\\TaskCache\\Tree")) != -1)
        {
            OutputDebugString(name + _T("\n"));
        }
        // Always forward to the original NtCreateKey so behaviour is unchanged.
        NTSTATUS status = OrignalNtCreateKey(
            KeyHandle,
            DesiredAccess,
            ObjectAttributes,
            TitleIndex,
            Class,
            CreateOptions,
            Disposition
        );
        return status;
    }
By "well run" I mean: I think if the HookAPI function failed, the 3rd-param function would not work.
But the debug message is printed fine, so I think the hooking succeeded. But HookAPI() returns failure... what does that mean?
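Added example (not the poster's code): the name check the hook performs, done on a length-bounded copy of the ObjectName so a UNICODE_STRING whose Buffer is not NUL-terminated is handled correctly. The `ObjectNameString` struct is a constructed stand-in for UNICODE_STRING so the code runs outside Windows, and `NamesTaskCacheTree` is a hypothetical helper name.

```cpp
#include <cstddef>
#include <cstdint>
#include <string>

// Constructed stand-in for the Windows UNICODE_STRING so this runs anywhere:
// Length and MaximumLength are in BYTES, and Buffer need not be NUL-terminated.
struct ObjectNameString {
    uint16_t Length;
    uint16_t MaximumLength;
    const char16_t* Buffer;
};

// Build the name from Buffer and Length only; a terminating NUL is never assumed.
std::u16string ObjectNameToString(const ObjectNameString* s) {
    if (s == nullptr || s->Buffer == nullptr) {
        return std::u16string();
    }
    return std::u16string(s->Buffer, s->Length / sizeof(char16_t));
}

// Same check the hook in the post does with CString::Find(), but on the
// length-bounded copy (hypothetical helper name).
bool NamesTaskCacheTree(const ObjectNameString* s) {
    static const std::u16string kTreePath =
        u"SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Schedule\\TaskCache\\Tree";
    return ObjectNameToString(s).find(kTreePath) != std::u16string::npos;
}

// Constructed backing buffer: the registry path followed by junk, with no
// NUL where the ObjectName is meant to end.
static const char16_t kBacking[] =
    u"\\REGISTRY\\MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion"
    u"\\Schedule\\TaskCache\\Tree\\JUNK-NOT-PART-OF-NAME";

// Number of char16_t units up to and including "Tree".
static const size_t kVisibleChars = std::u16string(kBacking).find(u"\\JUNK");

// A view that exposes only the real name; reading Buffer as a C string
// would wrongly pull in the trailing junk.
ObjectNameString MakeUnterminatedView() {
    ObjectNameString v;
    v.Length = static_cast<uint16_t>(kVisibleChars * sizeof(char16_t));
    v.MaximumLength = static_cast<uint16_t>(sizeof(kBacking));
    v.Buffer = kBacking;
    return v;
}
```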