How to Hook IoCreateFile?

OSR_Community_User · August 18, 2004, 3:26am

Hi ,
I want to hook IoCreateFile. How to do this? Is this available in Kernel’s
service descriptor table?
I know how to hook zwXXX, but its not working for IoCreateFile().Why?
Can I get any sample code for it?

Thanks & Regards,
Gaurav Waikar

OSR_Community_User · August 18, 2004, 6:18am

You must build a filter driver and intercept
IRP_MJ_CREATE request which is sent by
the file creating functions (except for
IoCreateFileSpecifyDeviceObjectHint).

L.

OSR_Community_User · August 18, 2004, 6:40am

thanx for reply. i know about filter drivers.but want to know how to hook
IoCreateFile? Why it is giving me problem?

>>
You must build a filter driver and intercept
IRP_MJ_CREATE request which is sent by
the file creating functions (except for
IoCreateFileSpecifyDeviceObjectHint).

OSR_Community_User · August 18, 2004, 6:56am

This is because IoCreateFile is internally called
by ZwCreateFile/NtCReateFile
and does not have an entry in the service table.
(although is exported by NT kernel, ntoskrnl.exe)

L.

Don_Burn_1 · August 18, 2004, 6:57am

Because hooking is a very bad thing. This has been discussed in this forum
many times, if you hook you are likely to crash. There is the blessed
approach of a filter driver, so trying to do this is stupid.

–
Don Burn (MVP, Windows DDK)
Windows 2k/XP/2k3 Filesystem and Driver Consulting

“Gaurav Waikar” wrote in message
news:xxxxx@ntfsd…
> thanx for reply. i know about filter drivers.but want to know how to hook
> IoCreateFile? Why it is giving me problem?
>
>
>
> >>>
> You must build a filter driver and intercept
> IRP_MJ_CREATE request which is sent by
> the file creating functions (except for
> IoCreateFileSpecifyDeviceObjectHint).
>
>

OSR_Community_User · August 18, 2004, 6:58am

There is no “hooking” mechanism for arbitrary OS function calls. You
probably used the system service dispatch table for ZwCreateFile, but
IoCreateFile is just an ordinary function. For example, how would you
go about “hooking” an arbitrary function within the binary image of your
own driver? It is the same problem…

Regards,

Tony

Tony Mason
Consulting Partner
OSR Open Systems Resources, Inc.
http://www.osr.com

Looking forward to seeing you at the Next OSR File Systems Class October
18, 2004 in Silicon Valley!

-----Original Message-----
From: xxxxx@lists.osr.com
[mailto:xxxxx@lists.osr.com] On Behalf Of Gaurav Waikar
Sent: Wednesday, August 18, 2004 6:39 AM
To: ntfsd redirect
Subject: Re: [ntfsd] How to Hook IoCreateFile?

thanx for reply. i know about filter drivers.but want to know how to
hook
IoCreateFile? Why it is giving me problem?

>>
You must build a filter driver and intercept
IRP_MJ_CREATE request which is sent by
the file creating functions (except for
IoCreateFileSpecifyDeviceObjectHint).

Questions? First check the IFS FAQ at
https://www.osronline.com/article.cfm?id=17

You are currently subscribed to ntfsd as: xxxxx@osr.com
To unsubscribe send a blank email to xxxxx@lists.osr.com