CreateFileW hooking in Windows 10

Postby sakshisoft » Tue May 15, 2018 9:56 am

I have injected a DLL into spoolsv.exe and hooked the CreateFileW API. But I cannot get a particular file path in the hooked CreateFileW, even though HookAPI returns 1 (success), when I try it in Windows 10 & 8. I do get that particular file path in Windows 7 properly.
I also see that particular file path in "Process Monitor" under CreateFile. How can I get that particular file path in spoolsv on Windows 10 & 8?


Thanks.
sakshisoft
 
Posts: 4
Joined: Tue May 15, 2018 7:26 am

Re: CreateFileW hooking in Windows 10

Postby madshi » Tue May 15, 2018 9:58 am

What file path do you get? None at all? Or a wrong one? Or an empty one?

Is your CreateFileW hook called at all?
madshi
Site Admin
 
Posts: 9883
Joined: Sun Mar 21, 2004 5:25 pm

Re: CreateFileW hooking in Windows 10

Postby sakshisoft » Tue May 15, 2018 10:16 am

Thanks for the reply. We are getting only the following paths:
C:\WINDOWS\SYSTEM32\ntdll.dll,
C:\WINDOWS\system32\spool\DRIVERS\x64\3\primopdf.BPD,
C:\WINDOWS\system32\spool\DRIVERS\x64\3\primopdf.ppd

But we are searching for the .spl file path which is created during printing. We get the .spl path in Windows 7 properly, but not in Windows 8 & 10.
sakshisoft
 
Posts: 4
Joined: Tue May 15, 2018 7:26 am

Re: CreateFileW hooking in Windows 10

Postby madshi » Tue May 15, 2018 10:34 am

Are you sure that the .spl path is really created in Windows 8 and 10?

Of course there are other APIs that might be used to create the file. Have you tried hooking NtCreateFile and NtOpenFile? In theory it could even be a driver which creates the file, in which case we can't hook it in user land.

Have you verified with ProcessMonitor that you hooked the correct process? Maybe Windows 8 + 10 have multiple spooler processes and maybe the spl files are created by a process you haven't hooked yet?
madshi
Site Admin
 
Posts: 9883
Joined: Sun Mar 21, 2004 5:25 pm

Re: CreateFileW hooking in Windows 10

Postby sakshisoft » Wed May 16, 2018 8:37 am

Yes, in Windows 8 and 10 the .spl path is created by the spoolsv.exe process only; we checked this in ProcessMonitor. We couldn't find the .spl path for NtCreateFile and NtOpenFile.

We wonder whether it is a security issue with higher versions of Windows.
[Attachment: Screenshot_Procmon1.jpg, screenshot of ProcessMonitor]


Thanks.
sakshisoft
 
Posts: 4
Joined: Tue May 15, 2018 7:26 am

Re: CreateFileW hooking in Windows 10

Postby madshi » Wed May 16, 2018 9:09 am

Well, as I said: Of course there are other APIs that might be used to create the file. Have you tried hooking NtCreateFile and NtOpenFile?

Also, ProcessMonitor only shows the EXE file name, but not the process ID. Maybe there are multiple spoolsv.exe processes running and you've hooked the wrong one? Just a wild thought, of course.
madshi
Site Admin
 
Posts: 9883
Joined: Sun Mar 21, 2004 5:25 pm
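The two checks madshi proposes (is there more than one spoolsv.exe, and is the hook DLL actually inside the instance that Process Monitor shows creating the .spl file?) can be scripted instead of eyeballed. The following PowerShell is an added example written for this thread, not code from madshi or the madCodeHook package. It assumes a hook DLL named MyHookDll.dll and a Process Monitor log saved as CSV at C:\temp\Logfile.CSV (File > Save, CSV format); both names are placeholders. It also assumes the export contains the PID column, which Process Monitor includes in its default column set.

```powershell
# Added example: enumerate every spoolsv.exe, report whether the hook DLL is
# loaded in each, and cross-check against a Process Monitor CSV export.
# Run from an elevated PowerShell of the same bitness as the spooler (x64).
param(
    [string]$HookDll    = 'MyHookDll.dll',       # placeholder: injected DLL name
    [string]$ProcmonCsv = 'C:\temp\Logfile.CSV'  # placeholder: Process Monitor CSV export
)

# 1. All spooler instances. Get-Process returns every match, so a second
#    spoolsv.exe (if one existed) would show up here with its own PID.
$spoolers = Get-Process -Name spoolsv -ErrorAction SilentlyContinue
if (-not $spoolers) {
    Write-Warning 'No spoolsv.exe process is running.'
    return
}

$report = foreach ($p in $spoolers) {
    $loaded = $false
    try {
        # Module enumeration fails without admin rights or from a 32-bit host.
        $loaded = [bool]($p.Modules | Where-Object { $_.ModuleName -ieq $HookDll })
    } catch {
        Write-Warning "PID $($p.Id): cannot enumerate modules ($($_.Exception.Message))"
    }
    [pscustomobject]@{
        PID           = $p.Id
        Path          = $p.Path
        HookDllLoaded = $loaded
    }
}
$report | Format-Table -AutoSize

# 2. Which PID and which operation Process Monitor recorded for the .spl file.
#    Compare the PID column here with the PID(s) above that have HookDllLoaded = True.
if (Test-Path $ProcmonCsv) {
    Import-Csv -Path $ProcmonCsv |
        Where-Object { $_.Path -like '*.spl' -and $_.Operation -like 'CreateFile*' } |
        Select-Object 'Time of Day', 'Process Name', PID, Operation, Path, Result |
        Format-Table -AutoSize
} else {
    Write-Warning "Process Monitor export not found: $ProcmonCsv"
}
```

If the PID in the filtered Process Monitor rows matches a spooler instance where HookDllLoaded is True and the hook still never sees the path, the remaining question is which user-mode entry point (if any) the write goes through. Opening one of those CreateFile events in Process Monitor and looking at its Stack tab shows the call chain; a frame in kernel32/KernelBase for CreateFileW means the hook should have fired, whereas a chain that enters ntdll directly or originates in a kernel driver points at the other APIs madshi lists.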

Re: CreateFileW hooking in Windows 10

Postby sakshisoft » Wed May 16, 2018 10:12 am

We couldn't find the .spl path for NtCreateFile and NtOpenFile after hooking them. And there is only one spoolsv.exe running. We verified the Process Id of the injected process against the Process Id of spoolsv.exe shown in ProcessMonitor; both are the same. This solution runs properly in Windows 7.

We wonder whether it is a security issue with higher versions of Windows.

Thanks.
sakshisoft
 
Posts: 4
Joined: Tue May 15, 2018 7:26 am

Re: CreateFileW hooking in Windows 10

Postby madshi » Wed May 16, 2018 10:21 am

You can try this tool:

http://www.rohitab.com/apimonitor

With a bit of luck it might tell you which API the spooler uses to create/open the file.

If HookAPI() returns a non-zero value then hooking should work properly. It's unlikely to be a security issue if DLL injection + HookAPI() both succeed.
madshi
Site Admin
 
Posts: 9883
Joined: Sun Mar 21, 2004 5:25 pm