Problem With NtCreateFile Hook

Question

2.50/5 (2 votes)

See more:

I am Hooking to NtCreateFile Function but i am not because of some errors. my code is as below .am getting two errors that are:
1)unresolved external symbol _NtCreateFile and
2)1 unresolved externals . please help me

#include "stdafx.h"
#include "MinHook.h"
#include <Winternl.h>

#if defined _M_X64
#pragma comment(lib, "libMinHook.x64.lib")
#elif defined _M_IX86
#pragma comment(lib, "libMinHook.x86.lib")
#endif

typedef NTSTATUS(WINAPI *NtCreateFileNext)( PHANDLE FileHandle,ACCESS_MASK    DesiredAccess,POBJECT_ATTRIBUTES ObjectAttributes, PIO_STATUS_BLOCK IoStatusBlock,PLARGE_INTEGER AllocationSize,ULONG FileAttributes,ULONG ShareAccess,ULONG CreateDisposition,ULONG CreateOptions,PVOID EaBuffer,ULONG EaLength );

NtCreateFileNext Real_NtCreateFileData = NULL;

NTSTATUS WINAPI NtCreateFileCallback (PHANDLE FileHandle,ACCESS_MASK DesiredAccess,POBJECT_ATTRIBUTES ObjectAttributes,PIO_STATUS_BLOCK IoStatusBlock,PLARGE_INTEGER AllocationSize,ULONG FileAttributes,ULONG ShareAccess,ULONG CreateDisposition,ULONG CreateOptions,PVOID EaBuffer,ULONG EaLength)
{

   MessageBoxA(NULL,"NtCreateFile Called","Info",MB_OK);
   return(FileHandle, DesiredAccess, bjectAttributes,IoStatusBlock,AllocationSize, FileAttributes,ShareAccess, CreateDisposition, CreateOptions, EaBuffer, EaLength);
}

BOOL APIENTRY DllMain(HMODULE hModule,DWORD  ul_reason_for_call,LPVOID lpReserved)
{
switch (ul_reason_for_call)
{
case DLL_PROCESS_ATTACH:
                        if(MH_CreateHook(&NtCreateFile,&NtCreateFileCallback,reinterpret_cast<void**>(&Real_NtCreateFileData)) != MH_OK)
{
       MessageBoxW(NULL,L"FailedCreateHookNtCreateFile",L"Info!",MB_ICONWARNING|MB_OK);
}
if (MH_EnableHook(&NtCreateFile) != MH_OK)
{             MessageBoxW(NULL,L"FailedEnableHookNtCreateFile",L"Info!",MB_ICONWARNING|MB_OK);
}
 break;

case DLL_PROCESS_DETACH:
                        if (MH_Uninitialize() != MH_OK)
                        {               
                        }
                        if (MH_DisableHook(&NtCreateFile) != MH_OK)
                        {
                        }
                        break;
}
return TRUE;
}

Posted 2-Jul-12 21:44pm

Kantesh Nagaradder

Add a Solution

1 solution

Add a Solution

Add your solution here

Treat my content as plain text, not as HTML

Preview 0

…

Existing Members

Sign in to your account

...or Join us

Download, Vote, Comment, Publish.

Your Email
Password
Forgot your password?

Your Email
This email is in use. Do you need your password?
Optional Password

I have read and agree to the Terms of Service and Privacy Policy
Please subscribe me to the CodeProject newsletters

When answering a question please:

Read the question carefully.
Understand that English isn't everyone's first language so be lenient of bad spelling and grammar.
If a question is poorly phrased then either ask for clarification, ignore it, or edit the question and fix the problem. Insults are not welcome.
Don't tell someone to read the manual. Chances are they have and don't get it. Provide an answer or move on to the next question.

Let's work to help developers, not make them feel stupid.

This content, along with any associated source code and files, is licensed under The Code Project Open License (CPOL)

Richard MacCutchan · Answer 1 · 2012-07-02T22:09:00

Solution 1

Did you include NtDll in your project's linker section, as described here[^]?

Posted 2-Jul-12 22:09pm

Richard MacCutchan

Comments

Kantesh Nagaradder 3-Jul-12 5:11am

ya i included Richard but is showing error that is : cannot open file 'NtDll.lib

Richard MacCutchan 3-Jul-12 5:13am

Then you need to add its location to your library directories search path. It's no good just adding things in unless you understand why you need to do it and what effect it will have.

Richard MacCutchan 3-Jul-12 5:15am

Did you also read the link I gave you and the page it tells you to read first?

Kantesh Nagaradder 3-Jul-12 5:34am

ya i had gone through it and also add NtDll path in library directories but still show that two errors ...

Richard MacCutchan 3-Jul-12 5:42am

Go to the page I gave you a link for; read it carefully and also pay close attention to the paragraph:

Note Before using this function, please read Calling Internal APIs.

You should really spend a lot more time reading the documentation before trying to implement features that you are not experienced at using.

Kantesh Nagaradder 3-Jul-12 5:44am

Okay Richard ....thank you for your well guidelines ......