#include "rewrite.h"
extern "C" char* PsGetProcessImageFileName(PEPROCESS Process);
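namespace {

// Redirection table. These are test fixtures: a hard-coded, user-specific
// absolute path that exists on exactly one desktop. The match is an exact,
// case-insensitive compare of the name string the caller passed, so other
// spellings of the same file (an open relative to RootDirectory, the
// \Device\HarddiskVolumeN\... form, 8.3 short names, hard links) are NOT
// redirected. Treat this as a convenience redirect, not an access-control
// boundary.
constexpr wchar_t kRealPath[] = L"\\??\\C:\\Users\\15669\\Desktop\\RealName.txt";
constexpr wchar_t kFakePath[] = L"\\??\\C:\\Users\\15669\\Desktop\\FakeName.txt";

// Everything the real syscall must see for a redirected open, laid out in one
// page of the calling process's address space: a private copy of the caller's
// OBJECT_ATTRIBUTES, the replacement name, and the name's characters. It has
// to live in user-mode memory because the real NtOpenFile/NtCreateFile probes
// ObjectAttributes against the caller's PreviousMode and would reject a kernel
// address coming from a user-mode caller.
struct RedirectedAttributes {
    OBJECT_ATTRIBUTES Attributes;
    UNICODE_STRING    Name;
    WCHAR             Buffer[sizeof(kFakePath) / sizeof(WCHAR)];
};
static_assert(sizeof(RedirectedAttributes) <= PAGE_SIZE,
              "redirect block must fit the single page allocated for it");

// Releases a page handed out by BuildRedirectedAttributes. MEM_RELEASE frees
// the whole reservation and, per the ZwFreeVirtualMemory contract, requires
// *RegionSize == 0 (the original passed PAGE_SIZE and ignored the result). A
// failure here only leaks one user-mode page inside the caller's own address
// space, so the status is not acted on.
void ReleaseRedirectedAttributes(RedirectedAttributes* Redirect) {
    if (Redirect == nullptr) {
        return;
    }
    PVOID Base = Redirect;
    SIZE_T RegionSize = 0;
    ZwFreeVirtualMemory(ZwCurrentProcess(), &Base, &RegionSize, MEM_RELEASE);
}

// Decides whether the open names kRealPath and, if it does, builds the
// replacement attributes that name kFakePath instead.
//
// ObjectAttributes arrives straight from the syscall caller. When PreviousMode
// is UserMode, it and everything reached through it (ObjectName, Buffer) are
// untrusted: each pointer is probed for user-mode range and alignment and every
// dereference happens under SEH, so a bad pointer becomes "no redirect" rather
// than a bugcheck. MmIsAddressValid is deliberately not used for this: it only
// reports whether a page is resident at that instant, returns TRUE for kernel
// addresses, and races with concurrent unmapping, so it does not protect the
// kernel from a hostile caller. The caller's memory is never written; the
// original code temporarily rewrote ObjectAttributes->ObjectName in place,
// which both wrote through an unverified (possibly kernel) pointer and was
// observable by other threads of the calling process.
//
// The replacement lives in PAGE_READWRITE memory of the calling process, so a
// second thread of that process can in principle overwrite the name between
// this function returning and the real syscall capturing it. The open still
// runs under the caller's own token, so that yields no privilege, but it means
// the redirect cannot be relied on to deny access to kRealPath.
//
// Returns the replacement block (release with ReleaseRedirectedAttributes) or
// nullptr when no redirect applies or anything failed; the hook then forwards
// the caller's original arguments untouched, exactly as before.
RedirectedAttributes* BuildRedirectedAttributes(POBJECT_ATTRIBUTES ObjectAttributes) {
    if (ObjectAttributes == nullptr) {
        return nullptr;
    }

    UNICODE_STRING RealName;
    RtlInitUnicodeString(&RealName, kRealPath);

    const bool FromUserMode = ExGetPreviousMode() == UserMode;
    OBJECT_ATTRIBUTES CapturedAttributes = {};
    bool Matches = false;

    __try {
        if (FromUserMode) {
            ProbeForRead(ObjectAttributes, sizeof(OBJECT_ATTRIBUTES), sizeof(ULONG));
        }
        // Snapshot the struct first; every later decision uses the snapshot so
        // the caller cannot swap pointers between the check and the use.
        CapturedAttributes = *ObjectAttributes;
        if (CapturedAttributes.ObjectName != nullptr) {
            if (FromUserMode) {
                ProbeForRead(CapturedAttributes.ObjectName, sizeof(UNICODE_STRING), sizeof(USHORT));
            }
            UNICODE_STRING CapturedName = *CapturedAttributes.ObjectName;
            if (CapturedName.Length != 0 && CapturedName.Buffer != nullptr) {
                if (FromUserMode) {
                    ProbeForRead(CapturedName.Buffer, CapturedName.Length, sizeof(WCHAR));
                }
                // Buffer still points into caller memory, so the compare stays
                // inside the __try: an unmapped buffer is a non-match, not a crash.
                Matches = RtlCompareUnicodeString(&CapturedName, &RealName, TRUE) == 0;
            }
        }
    } __except (EXCEPTION_EXECUTE_HANDLER) {
        Matches = false;
    }
    if (!Matches) {
        return nullptr;
    }

    RedirectedAttributes* Redirect = nullptr;
    SIZE_T RegionSize = sizeof(RedirectedAttributes);
    const NTSTATUS Status = ZwAllocateVirtualMemory(ZwCurrentProcess(), reinterpret_cast<PVOID*>(&Redirect), 0,
                                                    &RegionSize, MEM_COMMIT, PAGE_READWRITE);
    if (!NT_SUCCESS(Status) || Redirect == nullptr) {
        return nullptr;
    }

    // The fresh page is user-mode memory of the current process; another thread
    // of that process could free or reprotect it underneath us, so the fill is
    // guarded as well.
    bool Built = false;
    __try {
        RtlZeroMemory(Redirect, sizeof(*Redirect));
        // Carry RootDirectory, Attributes, SecurityDescriptor, SQOS and the
        // caller's own Length over unchanged; only the name is replaced, so a
        // caller that passed a malformed Length still fails in the real syscall.
        Redirect->Attributes = CapturedAttributes;
        Redirect->Attributes.ObjectName = &Redirect->Name;
        RtlCopyMemory(Redirect->Buffer, kFakePath, sizeof(kFakePath));
        Redirect->Name.Buffer = Redirect->Buffer;
        Redirect->Name.Length = static_cast<USHORT>(sizeof(kFakePath) - sizeof(WCHAR));
        Redirect->Name.MaximumLength = static_cast<USHORT>(sizeof(kFakePath));
        Built = true;
    } __except (EXCEPTION_EXECUTE_HANDLER) {
        Built = false;
    }
    if (!Built) {
        ReleaseRedirectedAttributes(Redirect);
        return nullptr;
    }
    return Redirect;
}

}  // namespace

// Hook for NtOpenFile. Same interface as the syscall; an open of kRealPath is
// transparently redirected to kFakePath, everything else goes to the real
// implementation with the caller's arguments untouched. Note the trace below
// fires for every NtOpenFile on the system and prints each caller's image name
// to any debug-output listener — fine for a lab driver, noisy elsewhere.
NTSTATUS fNtOpenFile(PHANDLE FileHandle, ACCESS_MASK DesiredAccess, POBJECT_ATTRIBUTES ObjectAttributes, PIO_STATUS_BLOCK IoStatusBlock,
                     ULONG ShareAccess, ULONG OpenOptions) {
    DbgPrintEx(77, 0, "xsubl NtOpenFile ---------------------------------> %s \n", PsGetProcessImageFileName(PsGetCurrentProcess()));
    RedirectedAttributes* Redirect = BuildRedirectedAttributes(ObjectAttributes);
    if (Redirect == nullptr) {
        return fNtOpenFileTrampoline(FileHandle, DesiredAccess, ObjectAttributes, IoStatusBlock, ShareAccess, OpenOptions);
    }
    // The real syscall sees our private copy; the caller's OBJECT_ATTRIBUTES is
    // never modified, so there is nothing to restore afterwards.
    const NTSTATUS Status = fNtOpenFileTrampoline(FileHandle, DesiredAccess, &Redirect->Attributes, IoStatusBlock, ShareAccess, OpenOptions);
    ReleaseRedirectedAttributes(Redirect);
    return Status;
}

// Hook for NtCreateFile. Identical policy to fNtOpenFile: redirect kRealPath to
// kFakePath via a private copy of the attributes, forward everything else
// untouched. The trace fires for every NtCreateFile on the system.
NTSTATUS fNtCreateFile(PHANDLE FileHandle, ACCESS_MASK DesiredAccess, POBJECT_ATTRIBUTES ObjectAttributes, PIO_STATUS_BLOCK IoStatusBlock,
                       PLARGE_INTEGER AllocationSize, ULONG FileAttributes, ULONG ShareAccess, ULONG CreateDisposition, ULONG CreateOptions,
                       PVOID EaBuffer, ULONG EaLength) {
    DbgPrintEx(77, 0, "xsubl NtCreateFile -------------------------------------------%s \n", PsGetProcessImageFileName(PsGetCurrentProcess()));
    RedirectedAttributes* Redirect = BuildRedirectedAttributes(ObjectAttributes);
    if (Redirect == nullptr) {
        return fNtCreateFileTrampoline(FileHandle, DesiredAccess, ObjectAttributes, IoStatusBlock, AllocationSize, FileAttributes,
                                       ShareAccess, CreateDisposition, CreateOptions, EaBuffer, EaLength);
    }
    const NTSTATUS Status = fNtCreateFileTrampoline(FileHandle, DesiredAccess, &Redirect->Attributes, IoStatusBlock, AllocationSize,
                                                    FileAttributes, ShareAccess, CreateDisposition, CreateOptions, EaBuffer, EaLength);
    ReleaseRedirectedAttributes(Redirect);
    return Status;
}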