Help on hooking File.Exists and Directory.Exists

[mrapxs]

Hey! If I could when you're not busy I'd like to ask for your help on hooking File.Exists and Directory.Exists, not sure what I'm doing wrong but I've tried hooking these functions

NtQueryAttributesFile
GetFileAttributesW
FindFirstFileW
GetFileAttributesExW

And none of them seem to affect either of those functions in C#. I know the hooks are installing correctly, and sometimes it even hangs when calling File.Exists with $77 at the beginning, but not hang when it's not. Maybe I'm returning it wrong? Would appreciate your help. Not too worried about maintenance at the moment. Here's my current code.

Hooks.c:

static NT_NTQUERYATTRIBUTESFILE OriginalNtQueryAttributesFile;
static NT_GETFILEATTRIBUTESW OriginalGetFileAttributesW;
static NT_FINDFIRSTFILEW OriginalFindFirstFileW;
static NT_GETFILEATTRIBUTESEXW OriginalGetFileAttributesExW;


InstallHook("ntdll.dll", "NtQueryAttributesFile", (LPVOID*)&OriginalNtQueryAttributesFile, HookedNtQueryAttributesFile);
InstallHook("kernel32.dll", "GetFileAttributesW", (LPVOID*)&OriginalGetFileAttributesW, HookedGetFileAttributesW);
InstallHook("kernel32.dll", "FindFirstFileW", (LPVOID*)&OriginalFindFirstFileW, HookedFindFirstFileW);
InstallHook("kernel32.dll", "GetFileAttributesExW", (LPVOID*)&OriginalGetFileAttributesExW, HookedGetFileAttributesExW);

UninstallHook(OriginalNtQueryAttributesFile, HookedNtQueryAttributesFile);
UninstallHook(OriginalGetFileAttributesW, HookedGetFileAttributesW);
UninstallHook(OriginalFindFirstFileW, HookedFindFirstFileW);
UninstallHook(OriginalGetFileAttributesExW, HookedGetFileAttributesExW);

static NTSTATUS NTAPI HookedNtQueryAttributesFile(POBJECT_ATTRIBUTES ObjectAttributes, PFILE_BASIC_INFORMATION FileInformation)
{
	if (ObjectAttributes && ObjectAttributes->ObjectName && HasPrefix(ObjectAttributes->ObjectName->Buffer))
	{
		return STATUS_OBJECT_NAME_NOT_FOUND;
	}

	return OriginalNtQueryAttributesFile(ObjectAttributes, FileInformation);
}


static DWORD WINAPI HookedGetFileAttributesW(LPCWSTR lpFileName)
{
	if (HasPrefix(lpFileName))
	{
		SetLastError(ERROR_FILE_NOT_FOUND);
		return INVALID_FILE_ATTRIBUTES;
	}

	return OriginalGetFileAttributesW(lpFileName);
}

static HANDLE WINAPI HookedFindFirstFileW(LPCWSTR lpFileName, LPWIN32_FIND_DATAW lpFindFileData)
{
	HANDLE hFind = OriginalFindFirstFileW(lpFileName, lpFindFileData);

	while (hFind != INVALID_HANDLE_VALUE && lpFindFileData && HasPrefix(lpFindFileData->cFileName))
	{
		if (!FindNextFileW(hFind, lpFindFileData))
		{
			FindClose(hFind);
			SetLastError(ERROR_NO_MORE_FILES);
			return INVALID_HANDLE_VALUE;
		}
	}

	return hFind;
}

static BOOL WINAPI HookedGetFileAttributesExW(LPCWSTR lpFileName, GET_FILEEX_INFO_LEVELS fInfoLevelId, LPVOID lpFileInformation)
{
	if (HasPrefix(lpFileName))
	{
		SetLastError(ERROR_FILE_NOT_FOUND);
		return FALSE;
	}

	return OriginalGetFileAttributesExW(lpFileName, fInfoLevelId, lpFileInformation);
}

Hooks.h:

static NTSTATUS NTAPI HookedNtQueryAttributesFile(POBJECT_ATTRIBUTES ObjectAttributes, PFILE_BASIC_INFORMATION FileInformation);
static DWORD WINAPI HookedGetFileAttributesW(LPCWSTR lpFileName);
static HANDLE WINAPI HookedFindFirstFileW(LPCWSTR lpFileName, LPWIN32_FIND_DATAW lpFindFileData);
static BOOL WINAPI HookedGetFileAttributesExW(LPCWSTR lpFileName, GET_FILEEX_INFO_LEVELS fInfoLevelId, LPVOID lpFileInformation);

ntdll.h:

#define STATUS_OBJECT_NAME_NOT_FOUND    0xC0000034L

typedef struct _FILE_BASIC_INFORMATION
{
	LARGE_INTEGER CreationTime;
	LARGE_INTEGER LastAccessTime;
	LARGE_INTEGER LastWriteTime;
	LARGE_INTEGER ChangeTime;
	ULONG FileAttributes;
} FILE_BASIC_INFORMATION, * PFILE_BASIC_INFORMATION;

typedef NTSTATUS(NTAPI *NT_NTENUMERATEVALUEKEY)(HANDLE key, ULONG index, NT_KEY_VALUE_INFORMATION_CLASS keyValueInformationClass, LPVOID keyValueInformation, ULONG keyValueInformationLength, PULONG resultLength);
typedef NTSTATUS(NTAPI* NT_NTQUERYATTRIBUTESFILE)(POBJECT_ATTRIBUTES ObjectAttributes, PFILE_BASIC_INFORMATION FileInformation);
typedef DWORD(WINAPI* NT_GETFILEATTRIBUTESW)(LPCWSTR lpFileName);
typedef HANDLE(WINAPI* NT_FINDFIRSTFILEW)(LPCWSTR lpFileName, LPWIN32_FIND_DATAW lpFindFileData);
typedef BOOL(WINAPI* NT_GETFILEATTRIBUTESEXW)(LPCWSTR lpFileName, GET_FILEEX_INFO_LEVELS fInfoLevelId, LPVOID lpFileInformation);

[bytecode77]

When I'm not sure what function to hook, I just hook everything that I can think of and then use windbg + OutputDebugString to see what functions are called with what parameters.

You shouldn't hook kernel32, but only ntdll functions. Try hook every syscall that has to do with file handling. Then create a C# app that calls File.Exists and inject it to see which hooks get triggered. Then you should know which ntdll function(s) is the right one(s) to hook.

Don't forget to try NtCreateFile and NtOpenFile. I just found this project, maybe you can get an idea from it which functions are the right ones.

[calojohn806]

how to compile