首页
社区
课程
招聘
问答 CTF 排行榜 知识库 工具下载 峰会 看雪商城 证书查询
  1. 社区
  2. 求助问答
    3. 发新帖
未解决 [求助] 在驱动Hook了NtCreateFile,如何更改NtCreateFile传入的文件名
发表于: 2023-9-15 22:49 2991

未解决 [求助] 在驱动Hook了NtCreateFile,如何更改NtCreateFile传入的文件名

小蚂蚁要丈量大世界 活跃值
2023-9-15 22:49
2991
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
FNtCreateFile g_NtCreateFile = 0;
NTSTATUS MyNtCreateFile(PHANDLE FileHandle, ACCESS_MASK DesiredAccess, POBJECT_ATTRIBUTES ObjectAttributes, PIO_STATUS_BLOCK IoStatusBlock, PLARGE_INTEGER AllocationSize, ULONG FileAttributes, ULONG ShareAccess, ULONG CreateDisposition, ULONG CreateOptions, PVOID EaBuffer, ULONG EaLength)
{
    if (KeGetCurrentIrql() != PASSIVE_LEVEL) return g_NtCreateFile(FileHandle, DesiredAccess, ObjectAttributes, IoStatusBlock, AllocationSize, FileAttributes, ShareAccess, CreateDisposition, CreateOptions, EaBuffer, EaLength);
    if (ExGetPreviousMode() == KernelMode) return g_NtCreateFile(FileHandle, DesiredAccess, ObjectAttributes, IoStatusBlock, AllocationSize, FileAttributes, ShareAccess, CreateDisposition, CreateOptions, EaBuffer, EaLength);
    if (PsGetProcessSessionId(IoGetCurrentProcess()) == 0) return g_NtCreateFile(FileHandle, DesiredAccess, ObjectAttributes, IoStatusBlock, AllocationSize, FileAttributes, ShareAccess, CreateDisposition, CreateOptions, EaBuffer, EaLength);
 
    if (ObjectAttributes &&
        ObjectAttributes->ObjectName &&
        ObjectAttributes->ObjectName->Buffer)
    {
        wchar_t* name = (wchar_t*)ExAllocatePool(NonPagedPool, ObjectAttributes->ObjectName->Length + sizeof(wchar_t));
        if (name)
        {
            RtlZeroMemory(name, ObjectAttributes->ObjectName->Length + sizeof(wchar_t));
            RtlCopyMemory(name, ObjectAttributes->ObjectName->Buffer, ObjectAttributes->ObjectName->Length);
 
            if (wcsstr(name, L"c:\\tmp\\1.txt"))
            {
                  //新的名字
                UNICODE_STRING nName;
                RtlInitUnicodeString(&nName, L"c:\\tmp\22222.txt");
 
                //复制回ObjectAttributes->ObjectName, 如果nName长度小于ObjectAttributes->ObjectName,那正常能执行。但是nName长度比ObjectAttributes->ObjectName长时候,就出问题了
                RtlCopyUnicodeString(ObjectAttributes->ObjectName, &nName);
                //也加了下面这两句,长度比他原来长时是乱码。。。。
                ObjectAttributes->ObjectName->Length = nName.Length;
                ObjectAttributes->ObjectName->MaximumLength = nName.MaximumLength;
 
                NTSTATUS status = g_NtCreateFile(FileHandle, DesiredAccess, ObjectAttributes, IoStatusBlock, AllocationSize, FileAttributes, ShareAccess, CreateDisposition, CreateOptions, EaBuffer, EaLength);
                ExFreePool(name);
                return status;
            }
 
            ExFreePool(name);
        }
    }
 
    return g_NtCreateFile(FileHandle, DesiredAccess, ObjectAttributes, IoStatusBlock, AllocationSize, FileAttributes, ShareAccess, CreateDisposition, CreateOptions, EaBuffer, EaLength);
}
 
}

就是上面RtlCopyUnicodeString(ObjectAttributes->ObjectName, &nName)修改原来的参数里的名称时,比原来的长,就出问题了。像这种修改参数的话,这代码该怎么写? 希望大佬们教教。


[注意]传递专业知识、拓宽行业人脉——看雪讲师团队等你加入!

最后于 2023-9-15 22:52 被小蚂蚁要丈量大世界编辑 ,原因: 代码添加错了
收藏
免费 0
支持
分享
最新回复 (1)
R0g
雪    币: 1282
活跃值: (4570)
能力值: ( LV6,RANK:90 )
在线值:
发帖
回帖
粉丝
私信
2
为啥不自己分配Buffer挂上去
2023-9-17 06:38
0
游客
登录 | 注册 方可回帖
回帖 表情 雪币赚取及消费
高级回复
返回
//