我hook了zwcreatefile,在newzwcreatefile里面调用WriteToFile来记录某个程序调用zwcreatefile的信息,但是调用oldzwcreatefile有时成功有时失败,导致记录信息不全,是什么原因呢?
/*
 * Replacement routine installed in place of ZwCreateFile by the hook.
 * It forwards the call to the saved original entry point and, when the
 * condition on the result holds, records the call through WriteToFile.
 * The "...." spans are placeholders for the real ZwCreateFile arguments.
 */
NTSTATUS NewZwCreateFile(.....)
{
...........
/* Always call the original through the saved pointer, never the hooked name,
 * otherwise the hook would re-enter itself. */
rc = ((ZWCREATEFILE)(OldZwCreateFile))(....)
if(...)
/* Runs inline, i.e. in the thread and process context of the hooked caller. */
WriteToFile(.....);
return rc
}
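/*
 * Append nsize bytes from buffer to the log file named by pfl.
 *
 * Called from inside the ZwCreateFile hook, so the log file is opened through
 * the saved original entry point (OldZwCreateFile); calling ZwCreateFile by
 * name would re-enter the hook.
 *
 * pfl    - NT path of the log file (UNICODE_STRING passed by value).
 * buffer - bytes to append.
 * nsize  - number of bytes in buffer.
 *
 * Best effort: every failure is reported with DbgPrint and the record is
 * dropped; nothing is returned to the caller.
 */
void WriteToFile(UNICODE_STRING pfl,PVOID buffer,ULONG nsize)
{
IO_STATUS_BLOCK IoStatus;
OBJECT_ATTRIBUTES objectAttributes;
HANDLE FileHandle = NULL;
UNICODE_STRING fileName1;
NTSTATUS status;

/*
 * ZwCreateFile/ZwWriteFile require PASSIVE_LEVEL.  KfRaiseIrql can only
 * raise, not lower, and lowering IRQL on behalf of whoever raised it is not
 * safe either, so a call that arrives above PASSIVE_LEVEL is skipped rather
 * than "raised" to PASSIVE_LEVEL as the old code attempted.
 */
if (KeGetCurrentIrql() != PASSIVE_LEVEL)
{
DbgPrint("WriteToFile: skipped, IRQL=%d\n", (int)KeGetCurrentIrql());
return;
}

fileName1.Length = 0;
fileName1.MaximumLength = MAXPATHLEN*2;
fileName1.Buffer = (unsigned short *)ExAllocatePool(NonPagedPool,
fileName1.MaximumLength);
/* The old code zeroed and used the buffer without checking the allocation. */
if (fileName1.Buffer == NULL)
{
DbgPrint("WriteToFile: ExAllocatePool failed\n");
return;
}
RtlZeroMemory(fileName1.Buffer, fileName1.MaximumLength);

/* A path longer than MaximumLength is reported here instead of silently
 * opening an empty name. */
status = RtlAppendUnicodeStringToString(&fileName1, &pfl);
if (!NT_SUCCESS(status))
{
DbgPrint("WriteToFile: RtlAppendUnicodeStringToString 0x%08X\n", status);
goto out_free;
}

/* NOTE(review): without OBJ_KERNEL_HANDLE the handle lands in the handle
 * table of the process whose ZwCreateFile call is being logged, so that
 * process can reach the log file through it.  Consider adding the flag. */
InitializeObjectAttributes (&objectAttributes,
&fileName1,
OBJ_CASE_INSENSITIVE,
NULL,
NULL );

/* NOTE(review): FILE_SHARE_WRITE alone makes this open fail with a sharing
 * violation whenever another opener holds the log for read (e.g. a viewer);
 * FILE_SHARE_READ | FILE_SHARE_WRITE avoids that intermittent failure. */
status = ((ZWCREATEFILE)(OldZwCreateFile))(&FileHandle,
FILE_APPEND_DATA,
&objectAttributes,
&IoStatus,
0,
FILE_ATTRIBUTE_NORMAL,
FILE_SHARE_WRITE,
FILE_OPEN_IF,
FILE_SYNCHRONOUS_IO_NONALERT,
NULL,
0 );
if (!NT_SUCCESS(status))
{
/* IoStatus.Status is not filled in when the create fails; report the
 * returned NTSTATUS, in hex, so the real cause is visible. */
DbgPrint("WriteToFile: ZwCreateFile failed 0x%08X\n", status);
goto out_free;
}

status = ZwWriteFile(FileHandle,
NULL,
NULL,
NULL,
&IoStatus,
buffer,
nsize,
NULL,
NULL );
if (!NT_SUCCESS(status))
DbgPrint("WriteToFile: ZwWriteFile failed 0x%08X\n", status);

ZwClose(FileHandle);
DbgPrint ("Close file\r\n");

out_free:
ExFreePool(fileName1.Buffer);
}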