Hi all,
I am using the same technique as used in RegMon from SysInternals to hook
ZwCreateFile. I want to open a different file when my hooked version is
called.
NTSTATUS hookZwCreateFile(…)
{
    OBJECT_ATTRIBUTES objAttr;
    WCHAR logFileName[] = L"\\??\\C:\\Log.txt";  /* array, backslashes escaped */
    UNICODE_STRING uniLogFile;
    NTSTATUS status;
    HANDLE hFile;

    RtlInitUnicodeString(&uniLogFile, logFileName);
    InitializeObjectAttributes(&objAttr, &uniLogFile, OBJ_CASE_INSENSITIVE,
                               NULL, NULL);

    /* open the log file through the saved original entry point */
    status = realZwCreateFile(&hFile, FILE_WRITE_DATA | SYNCHRONIZE,
                              &objAttr, …);
    if (status == STATUS_SUCCESS) {
        // faff with the file
        ZwClose(hFile);
    } else {
        KdPrint(("Failed to open log file 0x%08x\n", status));
    }

    // actually open the requested file
    return realZwCreateFile(…);
}
so we can log which files get opened.
However, most of the time the status returned from trying to open the
logfile is 0xC0000005 (STATUS_ACCESS_VIOLATION). Occasionally, I get
STATUS_SUCCESS.
I have checked that my object attributes and unicode string are aligned on
a DWORD boundary. I have used MmIsAddressValid() to make sure that the
addresses are valid.
The call to open the requested file (at the bottom of the sample code)
always works.
I don’t get a blue screen, or anything useful like that. What am I doing
wrong? (It’s running on NT 4.0 Service Pack 6).
Any and all suggestions gratefully received.
Richie
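Editor's note, added here and not part of Richie's post: the behaviour described above is what the kernel's previous-mode check produces. When a hooked system service is entered on behalf of a user-mode caller, the thread's previous mode is UserMode, and the real NtCreateFile therefore probes every pointer argument it is handed (the OBJECT_ATTRIBUTES block and the UNICODE_STRING buffer it points to) against MmUserProbeAddress before touching them. The hook's locals live on the kernel stack, so the probe rejects them with STATUS_ACCESS_VIOLATION; the pass-through call at the bottom succeeds because the original caller's arguments are user-mode addresses; and the occasional STATUS_SUCCESS corresponds to callers that entered the service from kernel mode (another driver, for instance), where no probing is done. The usual way out is to do the logging where the previous mode is KernelMode, for example from a system worker thread queued with ExQueueWorkItem, rather than inline in the hook. The C model below is example code written for this note, not kernel code and not anything from the post: it reproduces the probe rule in a plain user-mode program. The addresses, the 24-byte OBJECT_ATTRIBUTES size (32-bit x86) and the 0x7FFF0000 probe limit (32-bit x86, 2 GB user split) are constructed or assumed for illustration.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* NTSTATUS codes and the probe limit as defined by the 32-bit NT kernel
 * (default 2 GB user / 2 GB kernel split). Values assumed for this model. */
typedef int32_t NTSTATUS;
#define STATUS_SUCCESS          ((NTSTATUS)0x00000000)
#define STATUS_ACCESS_VIOLATION ((NTSTATUS)0xC0000005)
#define MM_USER_PROBE_ADDRESS   ((uintptr_t)0x7FFF0000)

/* sizeof(OBJECT_ATTRIBUTES) on 32-bit x86; L"\\??\\C:\\Log.txt" is 14
 * UTF-16 code units, i.e. 28 bytes of name buffer. */
#define OBJECT_ATTRIBUTES_SIZE  24u
#define LOG_NAME_BYTES          28u

typedef enum { KernelMode = 0, UserMode = 1 } KPROCESSOR_MODE;

/* Simplified model of ProbeForRead: a buffer supplied by a user-mode caller
 * must lie entirely below MmUserProbeAddress; a kernel-mode caller is
 * trusted and its buffers are not probed at all. */
static NTSTATUS probe_for_read(uintptr_t addr, size_t len, KPROCESSOR_MODE previous_mode)
{
    uintptr_t end = addr + len;
    if (previous_mode == KernelMode || len == 0)
        return STATUS_SUCCESS;
    if (end < addr || end > MM_USER_PROBE_ADDRESS)   /* wrap-around or kernel range */
        return STATUS_ACCESS_VIOLATION;
    return STATUS_SUCCESS;
}

/* Model of the argument validation at the top of NtCreateFile: look at the
 * calling thread's previous mode, probe the OBJECT_ATTRIBUTES block, then
 * probe the UNICODE_STRING buffer it points at. The actual open that
 * follows in the real kernel is out of scope here. */
static NTSTATUS nt_create_file_validate(uintptr_t obj_attr, uintptr_t name_buf,
                                        size_t name_bytes, KPROCESSOR_MODE previous_mode)
{
    NTSTATUS st = probe_for_read(obj_attr, OBJECT_ATTRIBUTES_SIZE, previous_mode);
    if (st != STATUS_SUCCESS)
        return st;
    return probe_for_read(name_buf, name_bytes, previous_mode);
}

/* Constructed addresses for the two kinds of buffer in play: the hook's
 * locals (objAttr, logFileName) on the thread's kernel stack, and the
 * original caller's arguments on its user-mode stack. */
#define KERNEL_STACK_OBJATTR   ((uintptr_t)0xFE3C1A40)
#define KERNEL_STACK_NAME      ((uintptr_t)0xFE3C1A60)
#define USER_STACK_OBJATTR     ((uintptr_t)0x0012FF40)
#define USER_STACK_NAME        ((uintptr_t)0x0012FF60)

/* Result of the hook's inline log-file open, depending on who entered the
 * system service: a user-mode process (the common case for a hooked
 * ZwCreateFile) or a kernel-mode component such as another driver. */
NTSTATUS hook_log_open_result(KPROCESSOR_MODE previous_mode)
{
    return nt_create_file_validate(KERNEL_STACK_OBJATTR, KERNEL_STACK_NAME,
                                   LOG_NAME_BYTES, previous_mode);
}

/* Result of the pass-through call at the bottom of the hook, which forwards
 * the original caller's own user-mode arguments unchanged. */
NTSTATUS passthrough_result(KPROCESSOR_MODE previous_mode)
{
    return nt_create_file_validate(USER_STACK_OBJATTR, USER_STACK_NAME,
                                   LOG_NAME_BYTES, previous_mode);
}

int main(void)
{
    printf("log open, user-mode caller:   0x%08X\n", (unsigned)hook_log_open_result(UserMode));
    printf("log open, kernel-mode caller: 0x%08X\n", (unsigned)hook_log_open_result(KernelMode));
    printf("pass-through, user caller:    0x%08X\n", (unsigned)passthrough_result(UserMode));
    return 0;
}
```

Running the model prints 0xC0000005 for the inline log open under a user-mode caller, 0x00000000 for the same open under a kernel-mode caller, and 0x00000000 for the pass-through, which is exactly the mix of results reported in the post. The probe is a security boundary, not a nuisance: without it a user-mode process could hand a system service kernel addresses and have the kernel read or write them on its behalf, so a hook that needs kernel-resident buffers has to arrange to run its own I/O with a kernel previous mode instead of bypassing the check.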