在sstd里。 hook NtCreateFile, 如果生产的 .txt 文件。 就文件路径记录在 C:\CreateFile.txt 里.
在调用 NtCreateFile ,失败! 具体代码如下:
NTSTATUS myNtCreateFile(
__out PHANDLE FileHandle,
__in ACCESS_MASK DesiredAccess,
__in POBJECT_ATTRIBUTES ObjectAttributes,
__out PIO_STATUS_BLOCK IoStatusBlock,
__in_opt PLARGE_INTEGER AllocationSize,
__in ULONG FileAttributes,
__in ULONG ShareAccess,
__in ULONG CreateDisposition,
__in ULONG CreateOptions,
__in_opt PVOID EaBuffer,
__in ULONG EaLength
)
{
NTSTATUS status;
const wchar_t* pFileName;
status=OldNtCreateFile(
__out FileHandle,
__in DesiredAccess,
__in ObjectAttributes,
__out IoStatusBlock,
__in_opt AllocationSize,
__in FileAttributes,
__in ShareAccess,
__in CreateDisposition,
__in CreateOptions,
__in_opt EaBuffer,
__in EaLength);
if( ObjectAttributes && ObjectAttributes->ObjectName &&
wcsstr( ObjectAttributes->ObjectName->Buffer, L".txt") ) {
// PutFile(L"\\??\\C:\\CreateFile.txt", ObjectAttributes->ObjectName->Buffer, ObjectAttributes->ObjectName->Lenght ,FILE_OPEN_IF );
PutFile(L"\\??\\C:\\CreateFile.txt", L"\r\n", 4 ,FILE_OPEN_IF );
KdPrint( ("NtCreateFile %wZ\n", *(ObjectAttributes->ObjectName) ) );
}
return status;
pFileName = fsGetFilenameByHandle( FileHandle );
if( pFileName ) {
}
if(FsGetFilenameByHandle(FileHandle,FILER_SRING_NAME))
{
DbgPrint("open by myNtCreateFile");
}
NTSTATUS PutFile( const WCHAR* filename, const void* buffer, ULONG buffersize, ULONG uOpenFlag )
{
NTSTATUS rc,s;
HANDLE hStream;
OBJECT_ATTRIBUTES ObjectAttr;
UNICODE_STRING FileName;
CHAR str[256];
PFILE_OBJECT ObjectHeader;
IO_STATUS_BLOCK ioStatusBlock;
IO_STATUS_BLOCK file_status;
FILE_STANDARD_INFORMATION fsi;
FILE_POSITION_INFORMATION fpi;
RtlInitUnicodeString( &FileName, filename );
InitializeObjectAttributes( &ObjectAttr, &FileName,
OBJ_CASE_INSENSITIVE | OBJ_KERNEL_HANDLE,NULL, NULL);
rc = NtCreateFile( &hStream, GENERIC_ALL,
&ObjectAttr,
&ioStatusBlock,
NULL,
FILE_ATTRIBUTE_NORMAL,
FILE_SHARE_READ,
uOpenFlag,
FILE_NON_DIRECTORY_FILE | FILE_SYNCHRONOUS_IO_NONALERT,
NULL,
0);
if ( rc != STATUS_SUCCESS )
{
DbgPrint( "comint32:() NtCreateFile() failed.rc = %0x, status = %0x" , rc, ioStatusBlock.Status );
return( STATUS_UNSUCCESSFUL );
}
//////////////////////////////////////////////////////////////////////////
if( FILE_CREATE != uOpenFlag ) {
//获取文件基本信息
ZwQueryInformationFile(hStream, &file_status, &fsi, sizeof(FILE_STANDARD_INFORMATION), FileStandardInformation);
fpi.CurrentByteOffset = fsi.EndOfFile; //设置文件指针信息结构中的当前偏移的值 为获取的标准信息结构的文件偏移的尾部
//使用文件指针信息结构去设置当前打开的文件对象文件信息
ZwSetInformationFile(hStream, &file_status, &fpi, sizeof(FILE_POSITION_INFORMATION), FilePositionInformation);
}
s = ObReferenceObjectByHandle(hStream, FILE_READ_DATA,0 ,KernelMode, &ObjectHeader, NULL);
if (NT_SUCCESS(s))
{
// ObjectHeader = IoGetRelatedDeviceObject(ReferencedObject);
if (ObjectHeader->Type == FILE_DEVICE_DATALINK) //是文件对象 FILE_DEVICE_DATALINK
{
DbgPrint("file object name: %ws\n",ObjectHeader->FileName.Buffer);
}
}
///////
rc = NtWriteFile(
hStream,
NULL,
NULL,
NULL,
&ioStatusBlock,
buffer,
buffersize,
NULL,
NULL );
if ( rc != STATUS_SUCCESS )
{
DbgPrint( "comint32: NtWriteFile() failed.\n" );
// _snprintf( string, 255, "comint32: rc = %0x, status = %0x\n", rc, ioStatusBlock.Status );
// DbgPrint( string );
ZwClose( hStream );
return( STATUS_UNSUCCESSFUL );
}
ZwClose( hStream );
return( STATUS_SUCCESS );
}
在putFile 调用时NtCreateFile , 返回0xC0000005, 无效的参数,请问要如何解决?
[招生]系统0day安全班,企业级设备固件漏洞挖掘,Linux平台漏洞挖掘!