How can I hook CreateFile Api?
CodeGuru Home VC++ / MFC / C++ .NET / C# Visual Basic VB Forums Developer.com
Results 1 to 6 of 6

Thread: How can I hook CreateFile Api?

  1. #1
    Join Date
    Jan 2010
    Posts
    10

    Cool How can I hook CreateFile Api?

    Hello everybody;

    I am creating a 3d-map for a game (namely: Counterstrike) and I have developed an app that encrypts it with AES. (I want to protect it from outsiders)

    The problem is that this game cannot read encrypted maps so I wonder if I could hook the CreateFile function in the game and replace it with a function that would decrypt the encrypted map into memory and let the game load it from there.

    It sounds complicated for me, do you think it would be difficult?

    I created first a launcher that takes the encryted map file from disk, decrypts it and stores it in the harddisk (unencrypted!) so that the game can load it but it can still be easily obtained by somebody without advanced knowledge.

    I know that by loading the encrypted file from disk into memory and decrypting it from there is not a memory-dumper-proof option but it will at least harden attempts to get the map.

    Thanks in advance, this is my first post in here and I hope I can help many of you in this wonderful community.

    More information: (not required for answer this post but in case you are interested...)

    If a friend of mine wants this map, he would have to let me use his computer and execute a program that would retrieve his computer MAC, harddisk ID, etc and would create a sha256 hash of this.

    I will give the AES function this HASH as the key to encrypt a unique encrpyed-Map for him in my house. Then I will give my friend the program I want to create + the unique encrypted map.

    If my friend gives the map to a third party, this person will not be able to use the map at all because the Hash created by my application would be different than the one required to decrypt it properly.

  2. #2
    Join Date
    Apr 2004
    Posts
    99

    Re: How can I hook CreateFile Api?

    I wonder if I could hook the CreateFile function in the game and replace it with a function that would decrypt the encrypted map into memory and let the game load it from there.
    One option would be to use SSDT hooking to hook zwCreateFile at the kernel level. This would require a driver.

  3. #3
    Join Date
    Jan 2010
    Posts
    10

    Lightbulb Re: How can I hook CreateFile Api?

    Thanks a lot, BobS0327. I did a new research based on your answer. I've found that the zwCreateFile is automatically called by the CreateFile function and thus controlling the zwCreateFile seems to be a good way.

    I've been monitoring the Half-Life game engine (hl.exe) as it loads the map.




    Now I am 100% sure it uses the CreateFile() but the problem is that this function only returns a handle and does not return the content of the file in a variable for the function that calls/invokes it (as I thought.. silly me...)

    Also, based on what I read in MSDN:
    You cannot use CreateFile to control compression, decompression, or decryption on a file or directory. For more information, see Creating and Opening Files, File Compression and Decompression, and File Encryption.
    From: http://msdn.microsoft.com/en-us/libr...8VS.85%29.aspx
    Now I have to research about these troublesome handles, I am more familiar with pointers than with this.

    I am thinking of a DLL that would load the encrypted map, decrypt it and, after it returns a new handle, it will replace (by hooking and patching the IAT of hl.exe) the handle that the game tries to load first with the new one that would point to the decrypted data.
    Last edited by sonnyk88; January 18th, 2010 at 02:05 PM.

  4. #4
    Join Date
    Jan 2010
    Posts
    10

    Red face Re: How can I hook CreateFile Api?

    Silly me, It's not the CreateFile() what I must hook, I must hook ReadFile() which uses the handle returned by CreateFile() to work...

    Down here, there's a simple Function which uses CreateFile to find an existing file on disk and returns a handle (hFile). Later this hFile is used by ReadFile() which loads the contents of the selected file in pszFileText. I believe this resembles the functions in Half-Life game (hl.exe).

    In this case, I should hook the ReadFile() and make it return a LPSTR which would contain the decrypted data of my map...

    Code:
    BOOL LoadFile(HWND hEdit, LPSTR pszFileName)
    {
       HANDLE hFile;
       BOOL bSuccess = FALSE;
    
       hFile = CreateFile(pszFileName, GENERIC_READ, FILE_SHARE_READ, NULL,
          OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, 0);
       if(hFile != INVALID_HANDLE_VALUE)
       {
          DWORD dwFileSize;
          dwFileSize = GetFileSize(hFile, NULL);
          if(dwFileSize != 0xFFFFFFFF)
          {
             LPSTR pszFileText;
             pszFileText = LPSTR(GlobalAlloc(GPTR, dwFileSize + 1));
             if(pszFileText != NULL)
             {
                DWORD dwRead;
                if(ReadFile(hFile, pszFileText, dwFileSize, &dwRead, NULL))
                {
                   pszFileText[dwFileSize] = 0; // Null terminator
                   if(SetWindowText(hEdit, pszFileText))
                      bSuccess = TRUE; // It worked!
                }
                GlobalFree(pszFileText);
             }
          }
          CloseHandle(hFile);
       }
       return bSuccess;
    }
    By the way; this is curious:

    According to ProcMon, the application calls the function ReadFile many times, not just once.
    http://img709.imageshack.us/img709/167/prochandle.jpg

    Wish me luck!! and please comment on this!
    Last edited by sonnyk88; January 18th, 2010 at 02:07 PM.

  5. #5
    Join Date
    Oct 2012
    Posts
    1

    Re: How can I hook CreateFile Api?

    You can also do it completely in user mode and only in the process you want.
    You can inject the process with a self written dll using the CreateRemoteThread functionality.
    Then you can hook the Readfile function with a self written Readfile function by overwriting the jmp address of the readfile function.

  6. #6
    Join Date
    May 2007
    Posts
    798

    Re: How can I hook CreateFile Api?


Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •  


Azure Activities Information Page

Windows Mobile Development Center


Click Here to Expand Forum to Full Width

This is a CodeGuru survey question.


Featured


HTML5 Development Center