hi all experts
I am facing a problem regarding saving an msword file in encrypted format
I have hooked all the required NTDLL APIs in my DLL.
Using this code, I can open a MS-Word document (which is already in
encyypted format) and applying decryption algortihm to view the
decrypted contents of the document. This all goes fine.
Now problem is : If I make any changes in the .doc file and try to
save the changes then my changes should be encrypted and then saved to
disk in the same .doc file. But this is not working, instead its
saving the normal contents, i.e. not the encrypted one. but there is a
call of encryption as well so can u help me in this
(Have a look at the code, as follows:)
NTSTATUS __stdcall hookNtCreateSection( OUT PHANDLE SectionHandle,
IN ACCESS_MASK
DesiredAccess,
IN
POBJECT_ATTRIBUTES ObjectAttributes OPTIONAL,
IN PLARGE_INTEGER
MaximumSize OPTIONAL,
IN ULONG
SectionPageProtection OPTIONAL,
IN ULONG
AllocationAttributes,
IN HANDLE
FileHandle OPTIONAL )
{
NTSTATUS returnValue = originalNtCreateSection(SectionHandle,
DesiredAccess, ObjectAttributes, MaximumSize, SectionPageProtection,
AllocationAttributes, FileHandle);
CAtlStringW strPath;
g_mapHandleToPath.Lookup(FileHandle, strPath);
if(IsMyArea(strPath)) // check if its my file
{
//MessageBox(NULL, L"attach your process now",
L"hookNtCreateSection", 0);
//g_SectionHandle = *SectionHandle;
g_mapSectionHandleToPath.AddHandle(*SectionHandle, strPath);
SECURED_FILE = strPath; // keep the path of my file
}
if((strPath.Find(L"~WRL") != -1) || (strPath.Find(L"~wrl") != -1))
{
int k = 0;
g_mapSectionHandleToPath.AddHandle(*SectionHandle, strPath);
SECURED_FILE = strPath;
}
return returnValue;
}
NTSTATUS __stdcall hookNtMapViewOfSection(IN HANDLE SectionHandle,
IN HANDLE ProcessHandle,
IN OUT PVOID *BaseAddress OPTIONAL,
IN ULONG ZeroBits OPTIONAL,
IN ULONG CommitSize,
IN OUT PLARGE_INTEGER SectionOffset OPTIONAL,
IN OUT PSIZE_T ViewSize,
IN SECTION_INHERIT InheritDisposition,
IN ULONG AllocationType OPTIONAL,
IN ULONG Protect )
{
unsigned long ulLength = *ViewSize;
CAtlStringW strPath;
NTSTATUS returnValue = originalNtMapViewOfSection(SectionHandle,
ProcessHandle, BaseAddress, ZeroBits, CommitSize, SectionOffset,
ViewSize, InheritDisposition, AllocationType, Protect);
if(g_mapSectionHandleToPath.Lookup(SectionHandle, strPath) == TRUE)
{
BYTE* cDecryptBuffer = new BYTE[ulLength];
g_BaseAddress = new BYTE[ulLength];
CEncodeDecode encodeDecode;
encodeDecode.EncodeDecode((BYTE*) (*BaseAddress),
cDecryptBuffer,
ulLength); // encode the current data/buffer
// Keep the current BaseAddress in global variable which
will be
used
// later in hookNtUnmapViewOfSection to unmap the same
g_BaseAddress = *BaseAddress;
*BaseAddress = (LPVOID) cDecryptBuffer;
// update the old data/
buffer with our encoded data
}
return returnValue;
}
NTSTATUS __stdcall hookNtUnmapViewOfSection(
IN HANDLE ProcessHandle,
IN PVOID BaseAddress )
{
NTSTATUS returnValue = originalNtUnmapViewOfSection(ProcessHandle,
BaseAddress);
if(returnValue != 0)
{
if(g_BaseAddress != NULL)
{
returnValue =
originalNtUnmapViewOfSection(ProcessHandle,
g_BaseAddress);
//g_mapSectionHandleToPath.RemoveHandle(ProcessHandle);
}
}
return returnValue;