|
-
September 22nd, 2009, 09:28 PM
#1
NtCreateFile
Hi All i'm developing my Driver , it will be used to intercept some Api.
it did work with : NtWriteFile routine :
********
NTSTATUS FakedNtWriteFile(
IN HANDLE FileHandle,
IN HANDLE Event OPTIONAL,
IN PIO_APC_ROUTINE ApcRoutine OPTIONAL,
IN PVOID ApcContext OPTIONAL,
OUT PIO_STATUS_BLOCK IoStatusBlock,
IN PVOID Buffer,
IN ULONG Length,
IN PLARGE_INTEGER ByteOffset OPTIONAL,
IN PULONG Key OPTIONAL
)
{
char aFilename[MAXPATHLEN];
int nicmp;
ULONG TempCurrentProcess;
if (FileHandle==0) return STATUS_SUCCESS;
TempCurrentProcess=(ULONG)PsGetCurrentProcess();
if (HipsCurrentProcess==TempCurrentProcess)
{
return ((NtWriteFile)RealNtWriteFile)(
FileHandle,
Event,
ApcRoutine,
ApcContext,
IoStatusBlock,
Buffer,
Length,
ByteOffset,
Key
);
}
__try
{
GetFullName(FileHandle,aFilename);
}
__except(1)
{
}
nicmp=_strnicmp(aFilename,SafePatch,SafePatchLen);
if (nicmp!=0)
{
return ((NtWriteFile)RealNtWriteFile)(
FileHandle,
Event,
ApcRoutine,
ApcContext,
IoStatusBlock,
Buffer,
Length,
ByteOffset,
Key
);
}
return STATUS_ACCESS_DENIED;
}
********
But how it Could be with the same results as in FakedNtWriteFile with FakedNtCreateFile :
NTSTATUS FakedNtCreateFile(
OUT PHANDLE FileHandle,
IN ACCESS_MASK DesiredAccess,
IN POBJECT_ATTRIBUTES ObjectAttributes,
OUT PIO_STATUS_BLOCK IoStatusBlock,
IN PLARGE_INTEGER AllocationSize OPTIONAL,
IN ULONG FileAttributes,
IN ULONG ShareAccess,
IN ULONG CreateDisposition,
IN ULONG CreateOptions,
IN PVOID EaBuffer OPTIONAL,
IN ULONG EaLength
);
// here what should be as in FakedNtWriteFile to give the same result ?
{
return ((NtCreateFile)RealNtCreateFile)(
FileHandle,
DesiredAccess,
ObjectAttributes,
IoStatusBlock,
AllocationSize OPTIONAL,
FileAttributes,
ShareAccess,
CreateDisposition,
CreateOptions,
EaBuffer OPTIONAL,
EaLength
);
}
__try
{
GetFullName(FileHandle,aFilename);
}
__except(1)
{
}
nicmp=_strnicmp(aFilename,SafePatch,SafePatchLen);
if (nicmp!=0)
{
return ((NtCreateFile)RealNtCreateFile)(
FileHandle,
DesiredAccess,
ObjectAttributes,
IoStatusBlock,
AllocationSize OPTIONAL,
FileAttributes,
ShareAccess,
CreateDisposition,
CreateOptions,
EaBuffer OPTIONAL,
EaLength
);
}
}
and many thanks for your help
Posting Permissions
- You may not post new threads
- You may not post replies
- You may not post attachments
- You may not edit your posts
-
Forum Rules
|
Click Here to Expand Forum to Full Width
|
Reply With Quote