I am attempting to read ntdl.dll from disk using NTCreateFile, but it does not seem to be reading the file properly. The native call does not return a valid handle. Could someone who is more familiar with this native call point out what is wrong with this code? Thanks!
FORCEINLINE VOID RtlInitUnicodeString(
_Out_ PUNICODE_STRING DestinationString,
_In_opt_ PWSTR SourceString
)
{
if (SourceString)
DestinationString->MaximumLength = (DestinationString->Length = (USHORT)(wcslen(SourceString) * sizeof(WCHAR))) sizeof(WCHAR);
else
DestinationString->MaximumLength = DestinationString->Length = 0;
DestinationString->Buffer = SourceString;
}
#define OBJ_CASE_INSENSITIVE 0x00000040
#define FILE_OPEN 0x00000001
#define FILE_DIRECTORY_FILE 0x00000001
#define InitializeObjectAttributes(p, n, a, r, s) { \
(p)->Length = sizeof(OBJECT_ATTRIBUTES); \
(p)->RootDirectory = r; \
(p)->Attributes = a; \
(p)->ObjectName = n; \
(p)->SecurityDescriptor = s; \
(p)->SecurityQualityOfService = NULL; \
}
HANDLE file = NULL;
OBJECT_ATTRIBUTES oa;
UNICODE_STRING f;
UNICODE_STRING fp;
IO_STATUS_BLOCK IoStatusBlock;
WCHAR ntdl[100] = L"\\??\\\\C:\\windows\\system32\\ntdll.dll";
RtlInitUnicodeString(&f, ntdl);
RtlInitUnicodeString(&fp, filepath);
InitializeObjectAttributes(&oa, &f, OBJ_CASE_INSENSITIVE, NULL, NULL);
NtCreateFile(&file, FILE_GENERIC_READ, &oa, &IoStatusBlock, 0, FILE_ATTRIBUTE_NORMAL, FILE_SHARE_READ, FILE_OPEN, FILE_DIRECTORY_FILE, NULL, 0);
CodePudding user response:
- Path needs to be
L"\\??\\C:\\windows\\system32\\ntdll.dll" FILE_NON_DIRECTORY_FILE, notFILE_DIRECTORY_FILE.