-
-
Fake_NtCreateFile
-
发表于: 2016-3-29 17:37
-
我的问题:WIN7 64位,我SSDT HOOK NtCreateFile 是想实现打开A.TXT经过HOOK的函数后实际上打开的是B.TXT,但是提示:内存位置访问无效,这是为什么,要怎么实现我想要的功能呢?NTSTATUS __fastcall Fake_NtCreateFile(
__out PHANDLE FileHandle,
__in ACCESS_MASK DesiredAccess,
__in POBJECT_ATTRIBUTES ObjectAttributes,
__out PIO_STATUS_BLOCK IoStatusBlock,
__in_opt PLARGE_INTEGER AllocationSize,
__in ULONG FileAttributes,
__in ULONG ShareAccess,
__in ULONG CreateDisposition,
__in ULONG CreateOptions,
__in PVOID EaBuffer,
__in ULONG EaLength
)
{
NTSTATUS st;
UNICODE_STRING jiangming,jiangming1;
OBJECT_ATTRIBUTES obj_attrib;
RtlInitUnicodeString(&jiangming,L"\\??\\C:\\InstDrv1.txt");
if(RtlEqualUnicodeString(&jiangming,ObjectAttributes->ObjectName,1))
{
RtlInitUnicodeString(&jiangming1,L"\\??\\C:\\InstDrv2.txt");
InitializeObjectAttributes(
&obj_attrib,
&jiangming1,
OBJ_KERNEL_HANDLE|OBJ_CASE_INSENSITIVE,
NULL,
NULL
);
DbgPrint("%wZ\n", ObjectAttributes->ObjectName);
st=NtCreateFile(FileHandle,DesiredAccess,&obj_attrib,IoStatusBlock, AllocationSize,FileAttributes,ShareAccess,CreateDisposition,CreateOptions,EaBuffer,EaLength);
}
else
{
st=NtCreateFile(FileHandle,DesiredAccess,ObjectAttributes,IoStatusBlock, AllocationSize,FileAttributes,ShareAccess,CreateDisposition,CreateOptions,EaBuffer,EaLength);
}
return st;
}
[培训]内核驱动高级班,冲击BAT一流互联网大厂工作,每周日13:00-18:00直播授课
|
|
|---|---|
|
|
|
|
|
|
|
|
|
|
|
|
