1

Topic: NtCreateFile: distinguishing a path to a file from a pipe, etc.

In a global NtCreateFile hook (and in general), how does one distinguish a path to a file on disk from a pipe, device, etc.? I did it crudely:

    RtlInitUnicodeString(&MyString, L"\\??\\C:\\");
    if (RtlPrefixUnicodeString(&MyString, ObjectAttributes->ObjectName, TRUE)) {
        ...
    }

One could apply it, but then there would be any drive letter. I would like something regular; this "??" is really not proper.
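As an added example (not the poster's code), here is the prefix check generalised to any drive letter and to the pipe, mailslot and UNC aliases of the `\??` directory, written in portable C with wchar_t strings standing in for UNICODE_STRING. A relative ObjectName (one opened against a RootDirectory handle) is flagged separately because no prefix test can classify it, which is one reason a type query on the resulting handle is the more reliable check.

```c
/* Added example, not from the thread: classify OBJECT_ATTRIBUTES.ObjectName by its
 * NT namespace prefix. Portable C; wchar_t strings stand in for UNICODE_STRING. */
#include <wchar.h>
#include <wctype.h>

typedef enum {
    NTPATH_RELATIVE,     /* no leading '\': resolved against RootDirectory, so no prefix test can see the volume */
    NTPATH_DRIVE_LETTER, /* \??\X:\... or \DosDevices\X:\... for any letter X */
    NTPATH_NAMED_PIPE,   /* \??\pipe\... (symlink to \Device\NamedPipe) or \Device\NamedPipe\... */
    NTPATH_MAILSLOT,     /* \??\mailslot\... or \Device\Mailslot\... */
    NTPATH_UNC,          /* \??\UNC\... (symlink to \Device\Mup) or \Device\Mup\... */
    NTPATH_DEVICE,       /* any other \Device\... object (raw volumes, driver control devices) */
    NTPATH_OTHER         /* e.g. \??\PhysicalDrive0, \??\GLOBALROOT\..., \BaseNamedObjects\... */
} ntpath_kind;

/* Case-insensitive prefix test, as the object manager compares names (and as
 * RtlPrefixUnicodeString(..., TRUE) does); returns the prefix length or 0. */
static size_t prefix_ci(const wchar_t *s, const wchar_t *prefix)
{
    size_t i;
    for (i = 0; prefix[i]; i++)
        if (s[i] == 0 || towlower((wint_t)s[i]) != towlower((wint_t)prefix[i]))
            return 0;
    return i;
}

ntpath_kind classify_nt_path(const wchar_t *name)
{
    size_t n; const wchar_t *rest;
    if (name == NULL || name[0] == 0) return NTPATH_OTHER;
    if (name[0] != L'\\') return NTPATH_RELATIVE;
    if ((n = prefix_ci(name, L"\\??\\")) || (n = prefix_ci(name, L"\\DosDevices\\"))) {
        rest = name + n;
        if (iswalpha((wint_t)rest[0]) && rest[1] == L':' && (rest[2] == L'\\' || rest[2] == 0))
            return NTPATH_DRIVE_LETTER;
        if (prefix_ci(rest, L"pipe\\"))     return NTPATH_NAMED_PIPE;
        if (prefix_ci(rest, L"mailslot\\")) return NTPATH_MAILSLOT;
        if (prefix_ci(rest, L"UNC\\"))      return NTPATH_UNC;
        return NTPATH_OTHER;
    }
    if ((n = prefix_ci(name, L"\\Device\\"))) {
        rest = name + n;
        if (prefix_ci(rest, L"NamedPipe\\")) return NTPATH_NAMED_PIPE;
        if (prefix_ci(rest, L"Mailslot\\"))  return NTPATH_MAILSLOT;
        if (prefix_ci(rest, L"Mup\\"))       return NTPATH_UNC;
        return NTPATH_DEVICE;
    }
    return NTPATH_OTHER;
}
```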

2

Re: NtCreateFile: distinguishing a path to a file from a pipe, etc.

Hello, sergey77666, you wrote:
S> I would like something regular; this "??" is really not proper.
If a post factum check suits you, the simplest is to call NtQueryObject and ask for the object type. It will be File for files. In general, the regular way to intercept operations on files is not this, but File System Minifilter Drivers.

3

Re: NtCreateFile: distinguishing a path to a file from a pipe, etc.

Hello, Alexander G, you wrote:
AG> In general, the regular way to intercept operations on files is not this, but File System Minifilter Drivers.
Why is that better? Can it intercept reads and writes? With hooking the range of application is wider.

4

Re: NtCreateFile: distinguishing a path to a file from a pipe, etc.

Hello, sergey77666, you wrote:
S> Hello, Alexander G, you wrote:
AG>> In general, the regular way to intercept operations on files is not this, but File System Minifilter Drivers.
S> Why are filters better?
S> And can they intercept reads and writes?
S> With hooking the range of application is wider.

5

Re: NtCreateFile: distinguishing a path to a file from a pipe, etc.

6

Re: NtCreateFile: distinguishing a path to a file from a pipe, etc.

Hello, sergey77666, you wrote:
S> Why is that better?
Standardness, and hence compatibility.
S> Can it intercept reads and writes?
Yes.
S> With hooking the range of application is wider.
Yes, filters are only for intercepting I/O.

7

Re: NtCreateFile: distinguishing a path to a file from a pipe, etc.

Hello, Alexander G, you wrote:
S>> Why is that better?
AG> Standardness, and hence compatibility.
And more specifically? We take a new ... with 10 x64; will ... work if ...? Signature checks?

    HOOK SSDT::Hook(const char* apiname, void* newfunc)
    {
        SSDTStruct* SSDT = SSDTfind();
        if (!SSDT) {
            Log("SSDT not found...\r\n");
            return 0;
        }
        ULONG_PTR SSDTbase = (ULONG_PTR)SSDT->pServiceTable;
        if (!SSDTbase) {
            Log("ServiceTable not found...\r\n");
            return 0;
        }
        int FunctionIndex = NTDLL::GetExportSsdtIndex(apiname);
        if (FunctionIndex == -1)
            return 0;
        if ((ULONGLONG)FunctionIndex >= SSDT->NumberOfServices) {
            Log("Invalid API offset...\r\n");
            return 0;
        }
        HOOK hHook = 0;
        LONG oldValue = SSDT->pServiceTable[FunctionIndex];
        LONG newValue;
        /* x64 SSDT Hook;
           1) find API addr
           2) get code page+size
           3) find cave address
           4) hook cave address (using hooklib)
           5) change SSDT value */
        static ULONG CodeSize = 0;
        static PVOID CodeStart = 0;
        if (!CodeStart) {
            ULONG_PTR Lowest = SSDTbase;
            ULONG_PTR Highest = Lowest + 0x0FFFFFFF;
            Log("Range: 0x%p-0x%p\r\n", Lowest, Highest);
            CodeSize = 0;
            CodeStart = PE::GetPageBase(Undocumented::GetKernelBase(), &CodeSize, (PVOID)((oldValue >> 4) + SSDTbase));
            if (!CodeStart || !CodeSize) {
                Log("PeGetPageBase failed...\r\n");
                return 0;
            }
            Log("CodeStart: 0x%p, CodeSize: 0x%X\r\n", CodeStart, CodeSize);
            if ((ULONG_PTR)CodeStart < Lowest) // start of the page is out of range (impossible, but whatever)
            {
                CodeSize -= (ULONG)(Lowest - (ULONG_PTR)CodeStart);
                CodeStart = (PVOID)Lowest;
                Log("CodeStart: 0x%p, CodeSize: 0x%X\r\n", CodeStart, CodeSize);
            }
            Log("Range: 0x%p-0x%p\r\n", CodeStart, (ULONG_PTR)CodeStart + CodeSize);
        }
        PVOID CaveAddress = FindCaveAddress(CodeStart, CodeSize, sizeof(HOOKOPCODES));
        if (!CaveAddress) {
            Log("FindCaveAddress failed...\r\n");
            return 0;
        }
        Log("CaveAddress: 0x%p\r\n", CaveAddress);
        hHook = Hooklib::Hook(CaveAddress, (void*)newfunc);
        if (!hHook)
            return 0;
        newValue = (LONG)((ULONG_PTR)CaveAddress - SSDTbase);
        newValue = (newValue << 4) | (oldValue & 0xF);
        // update HOOK structure
        hHook->SSDTindex = FunctionIndex;
        hHook->SSDTold = oldValue;
        hHook->SSDTnew = newValue;
        hHook->SSDTaddress = (oldValue >> 4) + SSDTbase;
        InterlockedSet(&SSDT->pServiceTable[FunctionIndex], newValue);
        Log("SSDThook(%s:0x%p, 0x%p)\r\n", apiname, hHook->SSDTold, hHook->SSDTnew);
        return hHook;
    }

Hooklib:

    static HOOK hook_internal(ULONG_PTR addr, void* newfunc)
    {
        // allocate structure
        HOOK hook = (HOOK)RtlAllocateMemory(true, sizeof(HOOKSTRUCT));
        // set hooking address
        hook->addr = addr;
        // set hooking opcode
    #ifdef _WIN64
        hook->hook.mov = 0xB848;
    #else
        hook->hook.mov = 0xB8;
    #endif
        hook->hook.addr = (ULONG_PTR)newfunc;
        hook->hook.push = 0x50;
        hook->hook.ret = 0xc3;
        // set original data
        RtlCopyMemory(&hook->orig, (const void*)addr, sizeof(HOOKOPCODES));
        if (!NT_SUCCESS(RtlSuperCopyMemory((void*)addr, &hook->hook, sizeof(HOOKOPCODES))))
        {
            RtlFreeMemory(hook);
            return 0;
        }
        return hook;
    }

8

Re: NtCreateFile: distinguishing a path to a file from a pipe, etc.

S>>> Why is that better?
AG>> Standardness, and hence compatibility.
S> And more specifically?
S> We take a new ... with 10 x64; will ... work if ...? Signature checks?
It does not work, since ...