[求助] 在驱动Hook了NtCreateFile，如何更改NtCreateFile传入的文件名-求助问答-看雪-安全社区|安全招聘|kanxue.com

未解决 [求助] 在驱动Hook了NtCreateFile，如何更改NtCreateFile传入的文件名

2023-9-15 22:49 2871

未解决 [求助] 在驱动Hook了NtCreateFile，如何更改NtCreateFile传入的文件名

2023-9-15 22:49

2871

FNtCreateFile g_NtCreateFile = 0;
NTSTATUS MyNtCreateFile(PHANDLE FileHandle, ACCESS_MASK DesiredAccess, POBJECT_ATTRIBUTES ObjectAttributes, PIO_STATUS_BLOCK IoStatusBlock, PLARGE_INTEGER AllocationSize, ULONG FileAttributes, ULONG ShareAccess, ULONG CreateDisposition, ULONG CreateOptions, PVOID EaBuffer, ULONG EaLength)
{
    if (KeGetCurrentIrql() != PASSIVE_LEVEL) return g_NtCreateFile(FileHandle, DesiredAccess, ObjectAttributes, IoStatusBlock, AllocationSize, FileAttributes, ShareAccess, CreateDisposition, CreateOptions, EaBuffer, EaLength);
    if (ExGetPreviousMode() == KernelMode) return g_NtCreateFile(FileHandle, DesiredAccess, ObjectAttributes, IoStatusBlock, AllocationSize, FileAttributes, ShareAccess, CreateDisposition, CreateOptions, EaBuffer, EaLength);
    if (PsGetProcessSessionId(IoGetCurrentProcess()) == 0) return g_NtCreateFile(FileHandle, DesiredAccess, ObjectAttributes, IoStatusBlock, AllocationSize, FileAttributes, ShareAccess, CreateDisposition, CreateOptions, EaBuffer, EaLength);
 
    if (ObjectAttributes &&
        ObjectAttributes->ObjectName &&
        ObjectAttributes->ObjectName->Buffer)
    {
        wchar_t* name = (wchar_t*)ExAllocatePool(NonPagedPool, ObjectAttributes->ObjectName->Length + sizeof(wchar_t));
        if (name)
        {
            RtlZeroMemory(name, ObjectAttributes->ObjectName->Length + sizeof(wchar_t));
            RtlCopyMemory(name, ObjectAttributes->ObjectName->Buffer, ObjectAttributes->ObjectName->Length);
 
            if (wcsstr(name, L"c:\\tmp\\1.txt"))
            {
                  //新的名字
                UNICODE_STRING nName;
                RtlInitUnicodeString(&nName, L"c:\\tmp\22222.txt");
 
                //复制回ObjectAttributes->ObjectName， 如果nName长度小于ObjectAttributes->ObjectName，那正常能执行。但是nName长度比ObjectAttributes->ObjectName长时候，就出问题了
                RtlCopyUnicodeString(ObjectAttributes->ObjectName, &nName);
                //也加了下面这两句，长度比他原来长时是乱码。。。。
                ObjectAttributes->ObjectName->Length = nName.Length;
                ObjectAttributes->ObjectName->MaximumLength = nName.MaximumLength;
 
                NTSTATUS status = g_NtCreateFile(FileHandle, DesiredAccess, ObjectAttributes, IoStatusBlock, AllocationSize, FileAttributes, ShareAccess, CreateDisposition, CreateOptions, EaBuffer, EaLength);
                ExFreePool(name);
                return status;
            }
 
            ExFreePool(name);
        }
    }
 
    return g_NtCreateFile(FileHandle, DesiredAccess, ObjectAttributes, IoStatusBlock, AllocationSize, FileAttributes, ShareAccess, CreateDisposition, CreateOptions, EaBuffer, EaLength);
}
 
}

就是上面RtlCopyUnicodeString(ObjectAttributes->ObjectName, &nName)修改原来的参数里的名称时，比原来的长，就出问题了。像这种修改参数的话，这代码该怎么写? 希望大佬们教教。

[培训]内核驱动高级班，冲击BAT一流互联网大厂工作，每周日13:00-18:00直播授课

最后于 2023-9-15 22:52 被小蚂蚁要丈量大世界编辑，原因：代码添加错了

收藏・0

免费・0

打赏

最新回复 (1)
R0g 雪币： 1382 活跃值： (3814) 能力值： ( LV6，RANK：90 ) 在线值：发帖 3 回帖 122 粉丝 78 关注私信	R0g 2 2023-9-17 06:38 2 楼 0 为啥不自己分配Buffer挂上去
	游客登录 \| 注册方可回帖　回帖　表情雪币赚取及消费高级回复