
I want to hook NtReadFile so that it can change text that is read from the file. But when I try to read a file, I get the message "This application has failed to start because the application configuration is incorrect".

Here's my code. What's wrong?

NTSTATUS HookNtReadFile (
    IN HANDLE FileHandle,
    IN HANDLE Event,
    IN PIO_APC_ROUTINE ApcRoutine,
    IN PVOID ApcContext,
    OUT PIO_STATUS_BLOCK IoStatusBlock,
    OUT PVOID Buffer,
    IN ULONG Length,
    IN PLARGE_INTEGER ByteOffset,
    IN PULONG Key)
{
    NTSTATUS retstatus;

    // call the original NtReadFile through the saved function pointer
    retstatus = glRealNtReadFile (FileHandle, Event, ApcRoutine, ApcContext, IoStatusBlock, Buffer, Length, ByteOffset, Key);

    // attempt to replace whatever was read with "hi"
    IoStatusBlock->Information = 3;
    Length = 3;
    Buffer = ExAllocatePool(PagedPool, Length);
    Buffer = "hi";

    return retstatus;
}
Fiona P.
  • Did you try the [steps](https://support.microsoft.com/en-us/kb/948854) listed for that error message? – josh poley Oct 10 '16 at 19:33
  • Why are you trying to do this? – andlabs Oct 11 '16 at 04:01
  • @andlabs it's one of my assignments in uni. I did other hooks (NtCreateFile, NtOpenFile...), but with NtReadFile I have some problems. – Fiona P. Oct 11 '16 at 10:03
  • You should be careful with what you hook. It seems like you are replacing every file read with `"hi"`. That may get in the way of Windows reading your executable or supporting files like the manifest in this case. Try only changing the result of specific calls to specific files or by specific programs. – kichik Oct 11 '16 at 22:59

2 Answers

This is clearly not going to work:

Buffer = ExAllocatePool(PagedPool, Length);
Buffer = "hi";

You're allocating memory, then immediately discarding that address. This is not how you copy strings in C. You need to use strcpy, or preferably one of the safer alternatives.

It's also worth pointing out that the Native API doesn't use ASCII characters. In general all strings are expected to be wide strings.

Lastly, you should only be changing the values if the return code indicates success, and (as others have pointed out in the comments) when the file handle is associated with the specific file you're trying to change.

MrEricSir
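
As an added example (not the asker's or MrEricSir's code), the same mistake and its fix isolated in user-mode C: reassigning the `Buffer` and `Length` parameters only changes the hook's local copies, so the caller never sees "hi", and the fix is a bounded wide-character copy into the caller's own buffer, done only when the read succeeded and the handle is the one of interest. `after_read`, `replace_contents`, `FAKE_STATUS` and the integer handles are assumptions standing in for the kernel types, not the Native API.

```c
#include <stddef.h>
#include <string.h>
#include <wchar.h>

/* Constructed stand-in for NTSTATUS (assumption: not the real ntdef.h types). */
typedef long FAKE_STATUS;
#define FAKE_SUCCESS 0L
#define FAKE_FAILURE (-1L)

/* Mirrors the question's bug: assigning to the pointer parameter changes only
 * this function's local copy, so the caller's buffer is left untouched while
 * the reported byte count is changed anyway. */
static void broken_replace(void *Buffer, unsigned long Length, unsigned long *Information)
{
    Buffer = "hi";      /* local variable only; caller never sees "hi" */
    Length = 3;         /* local variable only */
    *Information = 3;   /* yet the caller is told 3 bytes were read */
    (void)Buffer; (void)Length;
}

/* Corrected approach: copy a wide string into the caller's buffer, bounded by
 * Length (in bytes), and return the number of bytes actually written. File data
 * is not a C string, so no terminator is copied. */
static unsigned long replace_contents(void *Buffer, unsigned long Length, const wchar_t *text)
{
    size_t bytes = wcslen(text) * sizeof(wchar_t);
    if (bytes > Length)
        bytes = Length - (Length % sizeof(wchar_t)); /* truncate on a wchar_t boundary */
    memcpy(Buffer, text, bytes);
    return (unsigned long)bytes;
}

/* Post-read logic: only touch the data when the original read succeeded and
 * the handle is the specific one being targeted; every other read is left alone. */
static FAKE_STATUS after_read(FAKE_STATUS status, int handle, int target_handle,
                              void *Buffer, unsigned long Length, unsigned long *Information)
{
    if (status != FAKE_SUCCESS || handle != target_handle)
        return status;
    *Information = replace_contents(Buffer, Length, L"hi");
    return status;
}
```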

http://www.rohitab.com/discuss/topic/40492-my-first-kernel-mode-rootkit/

I know it looks like a dodgy link. But the answer you seek can be found at a click.

xvk3