Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Help on hooking File.Exists and Directory.Exists #118

Open
mrapxs opened this issue Jan 14, 2025 · 1 comment
Open

Help on hooking File.Exists and Directory.Exists #118

mrapxs opened this issue Jan 14, 2025 · 1 comment

Comments

@mrapxs
Copy link

mrapxs commented Jan 14, 2025

Hey! If I could when you're not busy I'd like to ask for your help on hooking File.Exists and Directory.Exists, not sure what I'm doing wrong but I've tried hooking these functions

NtQueryAttributesFile
GetFileAttributesW
FindFirstFileW
GetFileAttributesExW

And none of them seem to affect either of those functions in C#. I know the hooks are installing correctly, and sometimes it even hangs when calling File.Exists with $77 at the beginning, but not hang when it's not. Maybe I'm returning it wrong? Would appreciate your help. Not too worried about maintenance at the moment. Here's my current code.

Hooks.c:

static NT_NTQUERYATTRIBUTESFILE OriginalNtQueryAttributesFile;
static NT_GETFILEATTRIBUTESW OriginalGetFileAttributesW;
static NT_FINDFIRSTFILEW OriginalFindFirstFileW;
static NT_GETFILEATTRIBUTESEXW OriginalGetFileAttributesExW;


InstallHook("ntdll.dll", "NtQueryAttributesFile", (LPVOID*)&OriginalNtQueryAttributesFile, HookedNtQueryAttributesFile);
InstallHook("kernel32.dll", "GetFileAttributesW", (LPVOID*)&OriginalGetFileAttributesW, HookedGetFileAttributesW);
InstallHook("kernel32.dll", "FindFirstFileW", (LPVOID*)&OriginalFindFirstFileW, HookedFindFirstFileW);
InstallHook("kernel32.dll", "GetFileAttributesExW", (LPVOID*)&OriginalGetFileAttributesExW, HookedGetFileAttributesExW);

UninstallHook(OriginalNtQueryAttributesFile, HookedNtQueryAttributesFile);
UninstallHook(OriginalGetFileAttributesW, HookedGetFileAttributesW);
UninstallHook(OriginalFindFirstFileW, HookedFindFirstFileW);
UninstallHook(OriginalGetFileAttributesExW, HookedGetFileAttributesExW);

static NTSTATUS NTAPI HookedNtQueryAttributesFile(POBJECT_ATTRIBUTES ObjectAttributes, PFILE_BASIC_INFORMATION FileInformation)
{
	if (ObjectAttributes && ObjectAttributes->ObjectName && HasPrefix(ObjectAttributes->ObjectName->Buffer))
	{
		return STATUS_OBJECT_NAME_NOT_FOUND;
	}

	return OriginalNtQueryAttributesFile(ObjectAttributes, FileInformation);
}


static DWORD WINAPI HookedGetFileAttributesW(LPCWSTR lpFileName)
{
	if (HasPrefix(lpFileName))
	{
		SetLastError(ERROR_FILE_NOT_FOUND);
		return INVALID_FILE_ATTRIBUTES;
	}

	return OriginalGetFileAttributesW(lpFileName);
}

static HANDLE WINAPI HookedFindFirstFileW(LPCWSTR lpFileName, LPWIN32_FIND_DATAW lpFindFileData)
{
	HANDLE hFind = OriginalFindFirstFileW(lpFileName, lpFindFileData);

	while (hFind != INVALID_HANDLE_VALUE && lpFindFileData && HasPrefix(lpFindFileData->cFileName))
	{
		if (!FindNextFileW(hFind, lpFindFileData))
		{
			FindClose(hFind);
			SetLastError(ERROR_NO_MORE_FILES);
			return INVALID_HANDLE_VALUE;
		}
	}

	return hFind;
}

static BOOL WINAPI HookedGetFileAttributesExW(LPCWSTR lpFileName, GET_FILEEX_INFO_LEVELS fInfoLevelId, LPVOID lpFileInformation)
{
	if (HasPrefix(lpFileName))
	{
		SetLastError(ERROR_FILE_NOT_FOUND);
		return FALSE;
	}

	return OriginalGetFileAttributesExW(lpFileName, fInfoLevelId, lpFileInformation);
}

Hooks.h:

static NTSTATUS NTAPI HookedNtQueryAttributesFile(POBJECT_ATTRIBUTES ObjectAttributes, PFILE_BASIC_INFORMATION FileInformation);
static DWORD WINAPI HookedGetFileAttributesW(LPCWSTR lpFileName);
static HANDLE WINAPI HookedFindFirstFileW(LPCWSTR lpFileName, LPWIN32_FIND_DATAW lpFindFileData);
static BOOL WINAPI HookedGetFileAttributesExW(LPCWSTR lpFileName, GET_FILEEX_INFO_LEVELS fInfoLevelId, LPVOID lpFileInformation);

ntdll.h:

#define STATUS_OBJECT_NAME_NOT_FOUND    0xC0000034L

typedef struct _FILE_BASIC_INFORMATION
{
	LARGE_INTEGER CreationTime;
	LARGE_INTEGER LastAccessTime;
	LARGE_INTEGER LastWriteTime;
	LARGE_INTEGER ChangeTime;
	ULONG FileAttributes;
} FILE_BASIC_INFORMATION, * PFILE_BASIC_INFORMATION;

typedef NTSTATUS(NTAPI *NT_NTENUMERATEVALUEKEY)(HANDLE key, ULONG index, NT_KEY_VALUE_INFORMATION_CLASS keyValueInformationClass, LPVOID keyValueInformation, ULONG keyValueInformationLength, PULONG resultLength);
typedef NTSTATUS(NTAPI* NT_NTQUERYATTRIBUTESFILE)(POBJECT_ATTRIBUTES ObjectAttributes, PFILE_BASIC_INFORMATION FileInformation);
typedef DWORD(WINAPI* NT_GETFILEATTRIBUTESW)(LPCWSTR lpFileName);
typedef HANDLE(WINAPI* NT_FINDFIRSTFILEW)(LPCWSTR lpFileName, LPWIN32_FIND_DATAW lpFindFileData);
typedef BOOL(WINAPI* NT_GETFILEATTRIBUTESEXW)(LPCWSTR lpFileName, GET_FILEEX_INFO_LEVELS fInfoLevelId, LPVOID lpFileInformation);
@bytecode77
Copy link
Owner

When I'm not sure what function to hook, I just hook everything that I can think of and then use windbg + OutputDebugString to see what functions are called with what parameters.

You shouldn't hook kernel32, but only ntdll functions. Try hook every syscall that has to do with file handling. Then create a C# app that calls File.Exists and inject it to see which hooks get triggered. Then you should know which ntdll function(s) is the right one(s) to hook.

Don't forget to try NtCreateFile and NtOpenFile. I just found this project, maybe you can get an idea from it which functions are the right ones.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@bytecode77 @mrapxs