In my NT system-call hooking driver, I want to hook several file system functions, such as
NtOpenFile. In my NewNtOpenFile function, I want to change the path of the file being opened to a special
path, but the buffer for the original parameter (in POBJECT_ATTRIBUTES) is too small.
So I allocated another OBJECT_ATTRIBUTES object and only copied the original data into my
object, but when I called the old NtOpenFile, the wrong status, STATUS_ACCESS_VIOLATION,
was returned. What's the reason, and how can I resolve this problem?

    NTSTATUS NewNtOpenFile( OUT PHANDLE phFile,
                            IN ACCESS_MASK DesiredAccess,
                            IN POBJECT_ATTRIBUTES ObjectAttributes,
                            OUT PIO_STATUS_BLOCK pIoStatusBlock,
                            IN ULONG ShareMode,
                            IN ULONG OpenMode )
    {
        NTSTATUS status = STATUS_SUCCESS;
        OBJECT_ATTRIBUTES oa;

        oa = *ObjectAttributes;
        status = OldNtOpenFile(phFile,
                               DesiredAccess,
                               //ObjectAttributes,
                               &oa, //my object
                               pIoStatusBlock,
                               ShareMode,
                               OpenMode);
        return status; // STATUS_ACCESS_VIOLATION
    }