Hook api CreateFile in kernel32.dll


junjie wang

Jun 9, 2015, 2:27:36 AM6/9/15
to decaf-platf...@googlegroups.com
Dear all,

I am writing a hook for the CreateFile API (defined in https://msdn.microsoft.com/en-us/library/windows/desktop/aa363858%28v=vs.85%29.aspx) following the NtWriteFile sample.

Here is my code snippet:

createfile_handle = hookapi_hook_function_byname("kernel32.dll", "CreateFile", 1, targetcr3,CreateFile_call, NULL, 0);

I got output like this:
Deferring hooking of ntdll.dll::NtCreateFile
Deferring hooking of kernel32.dll::VirtualAlloc
Deferring hooking of kernel32.dll::CreateFile

Hooking ntdll.dll::NtCreateFile at 0x7c90d0ae
Hooking kernel32.dll::VirtualAlloc at 0x7c809af1

Obviously, there is something wrong with kernel32.dll::CreateFile, and it turns out that no CreateFile information is output.

Does anyone know the reason?

Thanks in advance!

Junjie

Heng Yin

Jun 9, 2015, 11:10:34 AM6/9/15
to decaf-platf...@googlegroups.com
CreateFile in kernel32.dll has two versions: CreateFileA (for ANSI filenames) and CreateFileW (for Unicode filenames). CreateFile itself does not exist. So you need to hook one of these two versions.

Heng

--
You received this message because you are subscribed to the Google Groups "decaf-platform-discuss" group.

junjie wang

Jun 12, 2015, 3:12:32 AM6/12/15
to decaf-platf...@googlegroups.com
Dear Heng Yin,

Thank you so much.
one more question.
This is the prototype of CreateFile.
HANDLE WINAPI CreateFile(
  _In_     LPCTSTR               lpFileName,
  _In_     DWORD                 dwDesiredAccess,
  _In_     DWORD                 dwShareMode,
  _In_opt_ LPSECURITY_ATTRIBUTES lpSecurityAttributes,
  _In_     DWORD                 dwCreationDisposition,
  _In_     DWORD                 dwFlagsAndAttributes,
  _In_opt_ HANDLE                hTemplateFile
);

Suppose I have a hook_context_t structure, as in the sample plugin.
typedef struct {
uint32_t call_stack[8]; // parameters and return address
DECAF_Handle hook_handle;
} hook_context_t;

and I fill it using the following statement:
DECAF_read_mem(NULL, cpu_single_env->regs[R_ESP], 8*4, ctx->call_stack);

Now ctx->call_stack[1] is the address of LPCTSTR lpFileName,

char filename[1024]="\0";
DECAF_read_mem(NULL, ctx->call_stack[1], ?, filename);

But how can I know the length of this C string?

Thanks and Regards,
Junjie

On Tuesday, June 9, 2015 at 11:10:34 PM UTC+8, Heng Yin wrote:
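The two points raised in this thread, as one added example that is not code from the thread or from the DECAF project: CreateFileA takes a NUL-terminated byte string while CreateFileW takes a 0x0000-terminated UTF-16LE string, so the hook must know which export it attached to; and in either case nothing on the guest stack tells you the length, so the string has to be read up to its terminator with an upper bound, without blindly reading into a page that may be unmapped. Everything below is constructed: the fake guest page, read_mem (a stand-in with the shape of DECAF_read_mem minus the CPUState argument), the sample file names and the argument values. The call_stack layout follows the 8*4-byte read from ESP in the post (32-bit stdcall: return address first, then the seven parameters), and the dwCreationDisposition names are the winbase.h values.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed stand-in for guest memory: one mapped 4 KiB page at GUEST_BASE,
 * everything else unmapped, so a read that runs off the page fails. */
typedef uint32_t gva_t;
#define GUEST_PAGE 4096u
#define GUEST_BASE 0x00400000u
static uint8_t guest_page[GUEST_PAGE];

/* Hypothetical stand-in shaped like DECAF_read_mem(env, vaddr, len, buf)
 * without the CPUState argument: 0 on success, -1 if any byte is unmapped. */
static int read_mem(gva_t vaddr, int len, void *buf)
{
    uint64_t end = (uint64_t)vaddr + (uint64_t)len;
    if (len < 0 || vaddr < GUEST_BASE || end > (uint64_t)GUEST_BASE + GUEST_PAGE)
        return -1;
    memcpy(buf, guest_page + (vaddr - GUEST_BASE), (size_t)len);
    return 0;
}

/* Copy a zero-terminated string of `elem`-byte units (1 for the A variant,
 * 2 for the W variant) from the guest into `out`, at most `max_units` units.
 * Chunks never cross a page boundary, so a string ending just before an
 * unmapped page is still read whole. Returns the unit count (terminator
 * excluded) or -1 if the pointer itself is unreadable; sets *truncated when
 * the buffer fills or the string runs into unmapped memory. */
static int read_guest_string(gva_t addr, size_t elem, void *out,
                             size_t max_units, int *truncated)
{
    uint8_t *dst = (uint8_t *)out;
    size_t n = 0;
    *truncated = 0;
    while (n < max_units) {
        size_t want = max_units - n;
        if (want > 64) want = 64;
        size_t left = (GUEST_PAGE - addr % GUEST_PAGE) / elem; /* units before next page */
        if (want > left) want = left ? left : 1;
        if (read_mem(addr, (int)(want * elem), dst + n * elem) != 0) {
            if (n == 0) return -1;
            *truncated = 1;
            return (int)n;
        }
        for (size_t i = 0; i < want; i++) {
            const uint8_t *u = dst + (n + i) * elem;
            if (u[0] == 0 && (elem == 1 || u[1] == 0)) return (int)(n + i);
        }
        n += want;
        addr += (gva_t)(want * elem);
    }
    *truncated = 1;
    return (int)n;
}

/* lpFileName of CreateFileA: bytes, NUL-terminated. */
static int read_ansi_name(gva_t addr, char *out, size_t outlen, int *truncated)
{
    int len = read_guest_string(addr, 1, out, outlen - 1, truncated);
    if (len >= 0) out[len] = '\0';
    return len;
}

/* lpFileName of CreateFileW: UTF-16LE, terminated by 0x0000. Code units
 * outside ASCII become '?' so the result stays printable in a log line. */
static int read_wide_name(gva_t addr, char *out, size_t outlen, int *truncated)
{
    uint8_t units[2 * 260];
    size_t max_units = outlen - 1 < 260 ? outlen - 1 : 260;
    int len = read_guest_string(addr, 2, units, max_units, truncated);
    for (int i = 0; i < len; i++) {
        unsigned u = units[2 * i] | ((unsigned)units[2 * i + 1] << 8);
        out[i] = u < 0x80 ? (char)u : '?';
    }
    if (len >= 0) out[len] = '\0';
    return len;
}

/* Stack at entry of a 32-bit stdcall API, as read by the post's
 * DECAF_read_mem(NULL, ESP, 8*4, ctx->call_stack): [0] return address,
 * [1] lpFileName, [2] dwDesiredAccess, [3] dwShareMode,
 * [4] lpSecurityAttributes, [5] dwCreationDisposition,
 * [6] dwFlagsAndAttributes, [7] hTemplateFile. */
typedef struct { uint32_t call_stack[8]; } hook_context_t;

static const char *disposition_name(uint32_t d) /* winbase.h values 1..5 */
{
    static const char *names[] = { "?", "CREATE_NEW", "CREATE_ALWAYS",
                                   "OPEN_EXISTING", "OPEN_ALWAYS", "TRUNCATE_EXISTING" };
    return d < 6 ? names[d] : "?";
}

/* One log line per call; `wide` selects the A or W decoding of lpFileName. */
static int describe_createfile(const hook_context_t *ctx, int wide, char *line, size_t linelen)
{
    char name[260];
    int trunc;
    int len = wide ? read_wide_name(ctx->call_stack[1], name, sizeof name, &trunc)
                   : read_ansi_name(ctx->call_stack[1], name, sizeof name, &trunc);
    if (len < 0) return -1;
    return snprintf(line, linelen, "CreateFile%c(\"%s%s\", access=0x%08x, %s) caller=0x%08x",
                    wide ? 'W' : 'A', name, trunc ? "..." : "", (unsigned)ctx->call_stack[2],
                    disposition_name(ctx->call_stack[5]), (unsigned)ctx->call_stack[0]);
}

/* Constructed guest contents: an ANSI name, a UTF-16LE name, and an
 * unterminated run of bytes that reaches the end of the mapped page. */
static void setup_guest(void)
{
    static const uint8_t wide[] = { 'C',0, ':',0, '\\',0, 'w',0, '.',0, 't',0, 'x',0, 't',0, 0,0 };
    memset(guest_page, 0xCC, sizeof guest_page);
    memcpy(guest_page + 0x10, "C:\\test.txt", 12);
    memcpy(guest_page + 0x100, wide, sizeof wide);
    memcpy(guest_page + GUEST_PAGE - 5, "ABCDE", 5);
}

int main(void)
{
    char line[512];
    /* GENERIC_READ, FILE_SHARE_READ, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL */
    hook_context_t ctx = { { 0x00401234u, GUEST_BASE + 0x10, 0x80000000u, 1, 0, 3, 0x80, 0 } };
    setup_guest();
    if (describe_createfile(&ctx, 0, line, sizeof line) > 0) puts(line);
    ctx.call_stack[1] = GUEST_BASE + 0x100;
    if (describe_createfile(&ctx, 1, line, sizeof line) > 0) puts(line);
    return 0;
}
```

In a real plugin read_mem would be replaced by DECAF_read_mem with the env argument and the same chunking kept: a 1024-byte read straight from ctx->call_stack[1], as in the post, fails whenever the name sits within 1024 bytes of the end of a mapped region even though the name itself is readable, and a read with no bound at all keeps going on an unterminated string.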