Fiona P. Fiona P. - 1 month ago 15
C Question

Hook NtReadFile. Change text

I want to hook NtReadFile so that it can change text that is read from the file. But when I try to read a file, I get the message "This application has failed to start because the application configuration is incorrect".

Here's my code. What's wrong?

NTSTATUS HookNtReadFile (
IN HANDLE FileHandle,
IN HANDLE Event,
IN PIO_APC_ROUTINE ApcRoutine,
IN PVOID ApcContext,
OUT PIO_STATUS_BLOCK IoStatusBlock,
OUT PVOID Buffer,
IN ULONG Length,
IN PLARGE_INTEGER ByteOffset,
IN PULONG Key)
{
NTSTATUS retstatus;

retstatus = glRealNtReadFile (FileHandle, Event, ApcRoutine, ApcContext, IoStatusBlock, Buffer, Length, ByteOffset, Key);

IoStatusBlock->Information = 3;
Length = 3;
Buffer = ExAllocatePool(PagedPool, Length);
Buffer = "hi";

return retstatus;
}

Answer

This is clearly not going to work:

Buffer = ExAllocatePool(PagedPool, Length);
Buffer = "hi";

You're allocating memory, then immediately discarding that address. This is not how you copy strings in C. You need to use strcpy, or preferably one of the safer alternatives.

It's also worth pointing out that the Native API doesn't use ASCII characters. In general all strings are expected to be wide strings.

Lastly, you should only be changing the values if the return code indicates success, and (as others have pointed out in the comments) when the file handle is associated with the specific file you're trying to change.