关于zwcreatefile的问题

楼主^#

更多发布于：2008-08-22 17:26

我hook了zwcreatefile，在newzwcreatefile里面调用WriteToFile来记录某个程序调用zwcreatefile的信息，但是调用oldzwcreatefile有时成功有时失败，导致记录信息不全，是什么原因呢？

NTSTATUS NewZwCreateFile(.....)
{
...........
rc = ((ZWCREATEFILE)(OldZwCreateFile))(....)
if(...)
WriteToFile(.....);
return rc
}

void WriteToFile(UNICODE_STRING pfl,PVOID buffer,ULONG nsize)
{
IO_STATUS_BLOCK IoStatus;
OBJECT_ATTRIBUTES objectAttributes;
HANDLE FileHandle = NULL;
UNICODE_STRING fileName1;
NTSTATUS status;

fileName1.Buffer = NULL;
fileName1.Length = 0;
fileName1.MaximumLength = MAXPATHLEN*2;

fileName1.Buffer = (unsigned short *)ExAllocatePool(NonPagedPool,
fileName1.MaximumLength);
RtlZeroMemory(fileName1.Buffer, fileName1.MaximumLength);
status = RtlAppendUnicodeStringToString(&fileName1, &pfl);
InitializeObjectAttributes (&objectAttributes,
  (PUNICODE_STRING)&fileName1,
  OBJ_CASE_INSENSITIVE,
  NULL,
  NULL );

   if ((KeGetCurrentIrql())!=PASSIVE_LEVEL)
   {
   status=KfRaiseIrql(PASSIVE_LEVEL);//ZwCreateFile必须运行在PASSIVE_LEVEL级别上
   DbgPrint("KfRaiseIrql st=0x%X",status);
   }

status = ((ZWCREATEFILE)(OldZwCreateFile))(&FileHandle,
  FILE_APPEND_DATA,
  &objectAttributes,
  &IoStatus,
  0,
  FILE_ATTRIBUTE_NORMAL,
  FILE_SHARE_WRITE,
  FILE_OPEN_IF,
  FILE_SYNCHRONOUS_IO_NONALERT,
  NULL,
  0 );

if(NT_SUCCESS(status))
{

  ZwWriteFile(FileHandle,
   NULL,
   NULL,
   NULL,
   &IoStatus,
   buffer,
   nsize,
   NULL,
   NULL );

  ZwClose(FileHandle);
  DbgPrint ("Close file\r\n");
}
else
  DbgPrint( "error ZwCreateFile %d\n", IoStatus.Status );

if(fileName1.Buffer)
  ExFreePool(fileName1.Buffer);

}

喜欢0

发帖回复

« 返回列表

您需要登录后才可以回帖，登录或者注册

返回顶部

关于zwcreatefile的问题

最新喜欢：