CreateFile API Hook [modified]

capricious_001

Hey guys, I'm having some issues with an import function hook. Basically when I inject my DLL into the address space of a certain process, and a hook is performed on CreateFile, the process ends up crashing. I am using Daniel Cavalcanti's DLL injection and API Hooking source found on: http://www.planet-source-code.com/vb...=7528&lngWId=3 I think many are familiar with this. The DLL injector works fine. Its properly attached to the process. However, when the program runs, it hooks onto CreateFile, and as you can see in the source below, it writes to a file the value of lpFileName then returns the handle of CreateFile. The filename is written to the text file and is correct, however I get an unhandled exception error after it is returned. You can also see that in Daniel Cavalcanti's API hooking source, he has a parameter for the HookImportedFunction where you have to supply the ordinal of the function. I didnt know what the ordinal of CreateFileA is so I removed that. I know these may be some stupid questions, but I've googled for hours to find some answers or a solution to my problem. 1) Is CreateFileA an import or export function of the Kernel32.dll Module? If its exported then I may have to change the code around a bit. 2) What is it that I could be doing wrong thats causing my program to crash? 3) What would be the ordinal of CreateFileA in Kernel32.dll? I included the source of my DLL for your perusal and hopefully someone can help me out because I have no idea how to fix this. Thanks in advance, Robbie #include <windows.h> #include <Dbghelp.h> #include <fstream> HANDLE hCreateFile(LPCTSTR, DWORD, DWORD, LPSECURITY_ATTRIBUTES, DWORD, DWORD, HANDLE); HANDLE htstCreateFile(LPCTSTR, DWORD, DWORD, LPSECURITY_ATTRIBUTES, DWORD, DWORD, HANDLE); PVOID HookImportedFunction(const char *Dll, const char *FuncName, void *Function); DWORD HookGeneralFunction(const char *Dll, const char *FuncName, void *Function, unsigned char *backup); void NumOut(char *format, ...); DWORD createFileAddr=0; BYTE backup[6]; ofstream fout("C:\\dll.txt"); BOOL APIENTRY DllMain( HMODULE hModule, DWORD fwReason, LPVOID lpReserved) { switch (fwReason) { case DLL_PROCESS_ATTACH: { DisableThreadLibraryCalls(hModule); //keeps it from being re-called fout << "In DLL process Attach" << endl; //HookImportedFunction("Kernel32.dll", "Creat

Stephen Hewitt

Why in god's name do you do the following? WriteProcessMemory(GetCurrentProcess(), (void*)createFileAddr, backup, 6, 0); A process can access its own memory without resorting to the WriteProcessMemory API. That code is an inefficient and obfuscated way of doing the following: memcpy((void*)createFileAddr, backup, sizeof(backup));

Steve