rain-13
Expert Cheater
![]() Reputation: 0
Joined: 18 Mar 2009
Posts: 110
|
 Posted: Tue Jul 07, 2015 1:25 pm Post subject: Hooking CreateFileW causes Invalid access to memory location |
 |
|
Hello.
Could anyone who has better knowledge and understanding than I do help me to solve this strange issue?
When I hook this x64 dll to notepad or any other application that has "Save As" I get "Invalid access to memory location." as soon as I enter file name that doesnt exist yet. However when I choose existing file from "Save As" dialog, I can overwrite it. The strange thing is that this problem only occurs when I use "Save As" to pick a name for the new file. If something else than "Save As" feeds the file name, it will successfully create it.
| Code: | #include <windows.h>
#include <stdio.h>
#include <io.h>
#include <fcntl.h>
#define SIZE 14
typedef HANDLE (WINAPI *pCreateFileW)(
LPCWSTR lpFileName,
DWORD dwDesiredAccess,
DWORD dwShareMode,
LPSECURITY_ATTRIBUTES lpSecurityAttributes,
DWORD dwCreationDisposition,
DWORD dwFlagsAndAttributes,
HANDLE hTemplateFile
);
HANDLE WINAPI MyCreateFileW
(
LPCWSTR lpFileName,
DWORD dwDesiredAccess,
DWORD dwShareMode,
LPSECURITY_ATTRIBUTES lpSecurityAttributes,
DWORD dwCreationDisposition,
DWORD dwFlagsAndAttributes,
HANDLE hTemplateFile
);
void BeginRedirect(LPVOID);
pCreateFileW pOrigMBAddress = NULL;
BYTE oldBytes[SIZE] = {0};
BYTE JMP[SIZE] = {0};
DWORD oldProtect, myProtect = PAGE_EXECUTE_READWRITE;
HANDLE handle_out = NULL;
int hCrt = 0;
FILE* hf_out = NULL;
HANDLE handle_in = NULL;
FILE* hf_in = NULL;
INT APIENTRY DllMain(HMODULE hDLL, DWORD Reason, LPVOID Reserved)
{
switch(Reason)
{
case DLL_PROCESS_ATTACH:
//Create console window
AllocConsole();
handle_out = GetStdHandle(STD_OUTPUT_HANDLE);
hCrt = _open_osfhandle((long) handle_out, _O_TEXT);
hf_out = _fdopen(hCrt, "w");
setvbuf(hf_out, NULL, _IONBF, 1);
*stdout = *hf_out;
handle_in = GetStdHandle(STD_INPUT_HANDLE);
hCrt = _open_osfhandle((long) handle_in, _O_TEXT);
hf_in = _fdopen(hCrt, "r");
setvbuf(hf_in, NULL, _IONBF, 128);
*stdin = *hf_in;
//console window is now created, use it
printf("attached\n");
pOrigMBAddress = (pCreateFileW)
GetProcAddress(GetModuleHandle(L"Kernel32.dll"),
"CreateFileW");
if(pOrigMBAddress != NULL){
BeginRedirect(MyCreateFileW);
printf("Address: %llX %llX\n",MyCreateFileW, &MyCreateFileW);
}
break;
case DLL_PROCESS_DETACH:
//printf("de-attached\n");
memcpy(pOrigMBAddress, oldBytes, SIZE);
case DLL_THREAD_ATTACH:
case DLL_THREAD_DETACH:
break;
}
return TRUE;
}
void BeginRedirect(LPVOID newFunction)
{
BYTE tempJMP[SIZE] = {0xff,0x25,0x00,0x00,0x00,0x00, 0xcc,0xcc,0xcc,0xcc,0xcc,0xcc,0xcc,0xcc }; //asm by dark byte
memcpy(JMP, tempJMP, SIZE);
//DWORD JMPSize = ((DWORD)newFunction - (DWORD)pOrigMBAddress - 5);
VirtualProtect((LPVOID)pOrigMBAddress, SIZE,
PAGE_EXECUTE_READWRITE, &oldProtect);
memcpy(oldBytes, pOrigMBAddress, SIZE);
memcpy(&JMP[6], &newFunction, 8);
memcpy(pOrigMBAddress, JMP, SIZE);
VirtualProtect((LPVOID)pOrigMBAddress, SIZE, oldProtect, NULL);
}
HANDLE WINAPI MyCreateFileW
(
LPCWSTR lpFileName,
DWORD dwDesiredAccess,
DWORD dwShareMode,
LPSECURITY_ATTRIBUTES lpSecurityAttributes,
DWORD dwCreationDisposition,
DWORD dwFlagsAndAttributes,
HANDLE hTemplateFile
)
{
VirtualProtect((LPVOID)pOrigMBAddress, SIZE, myProtect, NULL);
memcpy(pOrigMBAddress, oldBytes, SIZE);
wprintf(L"File: %s %x %x ",lpFileName, dwDesiredAccess, dwShareMode);
HANDLE retValue;
if(wcscmp(lpFileName,L"C:\\Windows\\System32\\drivers\\etc\\hosts") == 0 && //Deny access to this one specific file
dwDesiredAccess == 0xC0000000){
wprintf(L" Access denied ");
retValue = INVALID_HANDLE_VALUE;
}else{// For all other files use normal behaviour
wprintf(L" Access granted ");
retValue = CreateFileW(lpFileName, dwDesiredAccess, dwShareMode, lpSecurityAttributes, dwCreationDisposition, dwFlagsAndAttributes, hTemplateFile);
}
printf(" >>> %d\n",retValue);
memcpy(pOrigMBAddress, JMP, SIZE);
VirtualProtect((LPVOID)pOrigMBAddress, SIZE, oldProtect, NULL);
return retValue;
}
|
This is what I see from console:
| Code: | File: C:\Users\rain\Desktop\doc\New.txt 80 7 Access granted >>> -1
File: C:\Users\rain\Desktop\doc\New Text Document.txt c0000000 3 Access granted >>> 1440 |
Access granted tells that actual CreateFileW is called but when I want to save into New.txt (which doesnt exist yet), it returns -1 but when I choose New Text Document.txt it returns handle (1440). With out that dll injected, New.txt would have worked as well.
Edit: is 80 (hex) valid dwDesiredAccess at all?
As you can see from console, if file exists, c0000000 gets passed as dwDesiredAccess. Just curious if it could be some datatype problem or is it supposed to be 80? Any ideas?
|
|
FAQ
Search
Memberlist
Usergroups
Register
Profile
Log in to check your private messages
Log in
Reputation: 471
