我hook了zwcreatefile，在newzwcreatefile里面调用WriteToFile来记录某个程序调用zwcreatefile的信息，但是调用oldzwcreatefile有时成功有时失败，导致记录信息不全，是什么原因呢？

NTSTATUS NewZwCreateFile(.....)
{
...........
rc = ((ZWCREATEFILE)(OldZwCreateFile))(....)
if(...)
WriteToFile(.....);
return rc
}

void WriteToFile(UNICODE_STRING pfl,PVOID buffer,ULONG nsize)
{
IO_STATUS_BLOCK  IoStatus;
OBJECT_ATTRIBUTES objectAttributes;
HANDLE FileHandle = NULL;
UNICODE_STRING fileName1;
NTSTATUS status;

fileName1.Buffer = NULL;
fileName1.Length = 0;
fileName1.MaximumLength = MAXPATHLEN*2;

fileName1.Buffer = (unsigned short *)ExAllocatePool(NonPagedPool,
fileName1.MaximumLength);
RtlZeroMemory(fileName1.Buffer, fileName1.MaximumLength);
status = RtlAppendUnicodeStringToString(&fileName1, &pfl);
InitializeObjectAttributes (&objectAttributes,
  (PUNICODE_STRING)&fileName1,
  OBJ_CASE_INSENSITIVE,
  NULL,
  NULL );

   if ((KeGetCurrentIrql())!=PASSIVE_LEVEL)
        {
            status=KfRaiseIrql(PASSIVE_LEVEL);//ZwCreateFile必须运行在PASSIVE_LEVEL级别上
            DbgPrint("KfRaiseIrql st=0x%X",status);
        }

status = ((ZWCREATEFILE)(OldZwCreateFile))(&FileHandle,
  FILE_APPEND_DATA,
  &objectAttributes,
  &IoStatus,
  0,
  FILE_ATTRIBUTE_NORMAL,
  FILE_SHARE_WRITE,
  FILE_OPEN_IF,
  FILE_SYNCHRONOUS_IO_NONALERT,
  NULL,     
  0 );

if(NT_SUCCESS(status))
{

  ZwWriteFile(FileHandle,
   NULL,
   NULL,
   NULL,
   &IoStatus,
   buffer,
   nsize,
   NULL,
   NULL );

  ZwClose(FileHandle);
  DbgPrint ("Close file\r\n");
}
else
  DbgPrint( "error ZwCreateFile %d\n", IoStatus.Status );

if(fileName1.Buffer)
  ExFreePool(fileName1.Buffer);

}

[培训]内核驱动高级班，冲击BAT一流互联网大厂工作，每周日13:00-18:00直播授课