1 files changed, 273 insertions, 0 deletions
diff --git a/file.h b/file.h
new file mode 100644
index 0000000..792a707
--- /dev/null
+++ b/file.h
@@ -0,0 +1,273 @@
+/*
+ * Copyright (c) 2004 Security Architects Corporation. All rights reserved.
+ *
+ * Module Name:
+ *
+ *              file.h
+ *
+ * Abstract:
+ *
+ *              This module defines various types used by file hooking routines.
+ *
+ * Author:
+ *
+ *              Eugene Tsyrklevich 19-Feb-2004
+ *
+ * Revision History:
+ *
+ *              None.
+ */
+#ifndef __FILE_H__
+#define __FILE_H__
+/*
+ * ZwCreateFile creates or opens a file. [NAR]
+ */
+typedef NTSTATUS (*fpZwCreateFile) (
+    OUT PHANDLE FileHandle,
+    IN ACCESS_MASK DesiredAccess,
+    IN POBJECT_ATTRIBUTES ObjectAttributes,
+    OUT PIO_STATUS_BLOCK IoStatusBlock,
+    IN PLARGE_INTEGER AllocationSize OPTIONAL,
+    IN ULONG FileAttributes,
+    IN ULONG ShareAccess,
+    IN ULONG CreateDisposition,
+    IN ULONG CreateOptions,
+    IN PVOID EaBuffer OPTIONAL,
+    IN ULONG EaLength
+    );
+NTSTATUS
+NTAPI
+HookedNtCreateFile(
+        OUT PHANDLE FileHandle,
+        IN ACCESS_MASK DesiredAccess,
+        IN POBJECT_ATTRIBUTES ObjectAttributes,
+        OUT PIO_STATUS_BLOCK IoStatusBlock,
+        IN PLARGE_INTEGER AllocationSize OPTIONAL,
+        IN ULONG FileAttributes,
+        IN ULONG ShareAccess,
+        IN ULONG CreateDisposition,
+        IN ULONG CreateOptions,
+        IN PVOID EaBuffer OPTIONAL,
+        IN ULONG EaLength
+        );
+/*
+ * ZwOpenFile opens a file. [NAR]
+ */
+typedef NTSTATUS (*fpZwOpenFile) (
+    OUT PHANDLE  FileHandle,
+    IN ACCESS_MASK  DesiredAccess,
+    IN POBJECT_ATTRIBUTES  ObjectAttributes,
+    OUT PIO_STATUS_BLOCK  IoStatusBlock,
+    IN ULONG  ShareAccess,
+    IN ULONG  OpenOptions
+    );
+NTSTATUS
+NTAPI
+HookedNtOpenFile(
+        OUT PHANDLE  FileHandle,
+        IN ACCESS_MASK  DesiredAccess,
+        IN POBJECT_ATTRIBUTES  ObjectAttributes,
+        OUT PIO_STATUS_BLOCK  IoStatusBlock,
+        IN ULONG  ShareAccess,
+        IN ULONG  OpenOptions
+        );
+/*
+ * ZwDeleteFile deletes a file. [NAR]
+ */
+typedef NTSTATUS (*fpZwDeleteFile) (
+        IN POBJECT_ATTRIBUTES ObjectAttributes
+        );
+NTSTATUS
+NTAPI
+HookedNtDeleteFile(
+        IN POBJECT_ATTRIBUTES ObjectAttributes
+        );
+/*
+ * ZwQueryDirectoryFile retrieves information about the contents of a directory. [NAR]
+ */
+typedef NTSTATUS (*fpZwQueryDirectoryFile) (
+        IN HANDLE FileHandle,
+        IN HANDLE Event OPTIONAL,
+        IN PIO_APC_ROUTINE ApcRoutine OPTIONAL,
+        IN PVOID ApcContext OPTIONAL,
+        OUT PIO_STATUS_BLOCK IoStatusBlock,
+        OUT PVOID FileInformation,
+        IN ULONG FileInformationLength,
+        IN FILE_INFORMATION_CLASS FileInformationClass,
+        IN BOOLEAN ReturnSingleEntry,
+        IN PUNICODE_STRING FileName OPTIONAL,
+        IN BOOLEAN RestartScan
+        );
+NTSTATUS
+NTAPI
+HookedNtQueryDirectoryFile(
+        IN HANDLE FileHandle,
+        IN HANDLE Event OPTIONAL,
+        IN PIO_APC_ROUTINE ApcRoutine OPTIONAL,
+        IN PVOID ApcContext OPTIONAL,
+        OUT PIO_STATUS_BLOCK IoStatusBlock,
+        OUT PVOID FileInformation,
+        IN ULONG FileInformationLength,
+        IN FILE_INFORMATION_CLASS FileInformationClass,
+        IN BOOLEAN ReturnSingleEntry,
+        IN PUNICODE_STRING FileName OPTIONAL,
+        IN BOOLEAN RestartScan
+        );
+/*
+ * ZwQueryAttributesFile retrieves basic information about a file object. [NAR]
+ */
+typedef NTSTATUS (*fpZwQueryAttributesFile) (
+        IN POBJECT_ATTRIBUTES ObjectAttributes,
+        OUT PFILE_BASIC_INFORMATION FileInformation
+        );
+NTSTATUS
+NTAPI
+HookedNtQueryAttributesFile(
+        IN POBJECT_ATTRIBUTES ObjectAttributes,
+        OUT PFILE_BASIC_INFORMATION FileInformation
+        );
+/*
+ * ZwQueryFullAttributesFile retrieves extended information about a file object. [NAR]
+ */
+typedef NTSTATUS (*fpZwQueryFullAttributesFile) (
+        IN POBJECT_ATTRIBUTES ObjectAttributes,
+        OUT PFILE_NETWORK_OPEN_INFORMATION FileInformation
+        );
+NTSTATUS
+NTAPI
+HookedNtQueryFullAttributesFile(
+        IN POBJECT_ATTRIBUTES ObjectAttributes,
+        OUT PFILE_NETWORK_OPEN_INFORMATION FileInformation
+        );
+/*
+ * ZwSetInformationFile sets information affecting a file object. [NAR]
+ */
+typedef NTSTATUS (*fpZwSetInformationFile) (
+        IN HANDLE FileHandle,
+        OUT PIO_STATUS_BLOCK IoStatusBlock,
+        IN PVOID FileInformation,
+        IN ULONG FileInformationLength,
+        IN FILE_INFORMATION_CLASS FileInformationClass
+        );
+NTSTATUS
+NTAPI
+HookedNtSetInformationFile(
+        IN HANDLE FileHandle,
+        OUT PIO_STATUS_BLOCK IoStatusBlock,
+        IN PVOID FileInformation,
+        IN ULONG FileInformationLength,
+        IN FILE_INFORMATION_CLASS FileInformationClass
+        );
+/*
+ * ZwCreateNamedPipeFile creates a named pipe. [NAR]
+ */
+typedef NTSTATUS (*fpZwCreateNamedPipeFile) (
+        OUT PHANDLE FileHandle,
+        IN ACCESS_MASK DesiredAccess,
+        IN POBJECT_ATTRIBUTES ObjectAttributes,
+        OUT PIO_STATUS_BLOCK IoStatusBlock,
+        IN ULONG ShareAccess,
+        IN ULONG CreateDisposition,
+        IN ULONG CreateOptions,
+/* The following 3 parameters listed in NAR are wrong
+        IN BOOLEAN TypeMessage,
+        IN BOOLEAN ReadmodeMessage,
+        IN BOOLEAN Nonblocking,
+*/
+        IN ULONG TypeMessage,
+        IN ULONG ReadmodeMessage,
+        IN ULONG Nonblocking,
+        IN ULONG MaxInstances,
+        IN ULONG InBufferSize,
+        IN ULONG OutBufferSize,
+        IN PLARGE_INTEGER DefaultTimeout OPTIONAL
+        );
+NTSTATUS
+NTAPI
+HookedNtCreateNamedPipeFile(
+        OUT PHANDLE FileHandle,
+        IN ACCESS_MASK DesiredAccess,
+        IN POBJECT_ATTRIBUTES ObjectAttributes,
+        OUT PIO_STATUS_BLOCK IoStatusBlock,
+        IN ULONG ShareAccess,
+        IN ULONG CreateDisposition,
+        IN ULONG CreateOptions,
+        IN ULONG TypeMessage,
+        IN ULONG ReadmodeMessage,
+        IN ULONG Nonblocking,
+        IN ULONG MaxInstances,
+        IN ULONG InBufferSize,
+        IN ULONG OutBufferSize,
+        IN PLARGE_INTEGER DefaultTimeout OPTIONAL
+        );
+/*
+ * ZwCreateMailslotFile creates a mailslot. [NAR]
+ */
+typedef NTSTATUS (*fpZwCreateMailslotFile) (
+        OUT PHANDLE FileHandle,
+        IN ACCESS_MASK DesiredAccess,
+        IN POBJECT_ATTRIBUTES ObjectAttributes,
+        OUT PIO_STATUS_BLOCK IoStatusBlock,
+        IN ULONG CreateOptions,
+        IN ULONG InBufferSize,
+        IN ULONG MaxMessageSize,
+        IN PLARGE_INTEGER ReadTimeout OPTIONAL
+        );
+NTSTATUS
+NTAPI
+HookedNtCreateMailslotFile(
+        OUT PHANDLE FileHandle,
+        IN ACCESS_MASK DesiredAccess,
+        IN POBJECT_ATTRIBUTES ObjectAttributes,
+        OUT PIO_STATUS_BLOCK IoStatusBlock,
+        IN ULONG CreateOptions,
+        IN ULONG InBufferSize,
+        IN ULONG MaxMessageSize,
+        IN PLARGE_INTEGER ReadTimeout OPTIONAL
+        );
+BOOLEAN InitFileHooks();
+#endif  /* __FILE_H__ */

diff --git a/file.h b/file.h new file mode 100644 index 0000000..792a707 --- /dev/null +++ b/file.h
@@ -0,0 +1,273 @@
	1	/*
	2	* Copyright (c) 2004 Security Architects Corporation. All rights reserved.
	3	*
	4	* Module Name:
	5	*
	6	* file.h
	7	*
	8	* Abstract:
	9	*
	10	* This module defines various types used by file hooking routines.
	11	*
	12	* Author:
	13	*
	14	* Eugene Tsyrklevich 19-Feb-2004
	15	*
	16	* Revision History:
	17	*
	18	* None.
	19	*/
	20
	21
	22	#ifndef __FILE_H__
	23	#define __FILE_H__
	24
	25
	26	/*
	27	* ZwCreateFile creates or opens a file. [NAR]
	28	*/
	29
	30	typedef NTSTATUS (*fpZwCreateFile) (
	31	OUT PHANDLE FileHandle,
	32	IN ACCESS_MASK DesiredAccess,
	33	IN POBJECT_ATTRIBUTES ObjectAttributes,
	34	OUT PIO_STATUS_BLOCK IoStatusBlock,
	35	IN PLARGE_INTEGER AllocationSize OPTIONAL,
	36	IN ULONG FileAttributes,
	37	IN ULONG ShareAccess,
	38	IN ULONG CreateDisposition,
	39	IN ULONG CreateOptions,
	40	IN PVOID EaBuffer OPTIONAL,
	41	IN ULONG EaLength
	42	);
	43
	44	NTSTATUS
	45	NTAPI
	46	HookedNtCreateFile(
	47	OUT PHANDLE FileHandle,
	48	IN ACCESS_MASK DesiredAccess,
	49	IN POBJECT_ATTRIBUTES ObjectAttributes,
	50	OUT PIO_STATUS_BLOCK IoStatusBlock,
	51	IN PLARGE_INTEGER AllocationSize OPTIONAL,
	52	IN ULONG FileAttributes,
	53	IN ULONG ShareAccess,
	54	IN ULONG CreateDisposition,
	55	IN ULONG CreateOptions,
	56	IN PVOID EaBuffer OPTIONAL,
	57	IN ULONG EaLength
	58	);
	59
	60
	61	/*
	62	* ZwOpenFile opens a file. [NAR]
	63	*/
	64
	65	typedef NTSTATUS (*fpZwOpenFile) (
	66	OUT PHANDLE FileHandle,
	67	IN ACCESS_MASK DesiredAccess,
	68	IN POBJECT_ATTRIBUTES ObjectAttributes,
	69	OUT PIO_STATUS_BLOCK IoStatusBlock,
	70	IN ULONG ShareAccess,
	71	IN ULONG OpenOptions
	72	);
	73
	74	NTSTATUS
	75	NTAPI
	76	HookedNtOpenFile(
	77	OUT PHANDLE FileHandle,
	78	IN ACCESS_MASK DesiredAccess,
	79	IN POBJECT_ATTRIBUTES ObjectAttributes,
	80	OUT PIO_STATUS_BLOCK IoStatusBlock,
	81	IN ULONG ShareAccess,
	82	IN ULONG OpenOptions
	83	);
	84
	85
	86	/*
	87	* ZwDeleteFile deletes a file. [NAR]
	88	*/
	89
	90	typedef NTSTATUS (*fpZwDeleteFile) (
	91	IN POBJECT_ATTRIBUTES ObjectAttributes
	92	);
	93
	94	NTSTATUS
	95	NTAPI
	96	HookedNtDeleteFile(
	97	IN POBJECT_ATTRIBUTES ObjectAttributes
	98	);
	99
	100
	101	/*
	102	* ZwQueryDirectoryFile retrieves information about the contents of a directory. [NAR]
	103	*/
	104
	105	typedef NTSTATUS (*fpZwQueryDirectoryFile) (
	106	IN HANDLE FileHandle,
	107	IN HANDLE Event OPTIONAL,
	108	IN PIO_APC_ROUTINE ApcRoutine OPTIONAL,
	109	IN PVOID ApcContext OPTIONAL,
	110	OUT PIO_STATUS_BLOCK IoStatusBlock,
	111	OUT PVOID FileInformation,
	112	IN ULONG FileInformationLength,
	113	IN FILE_INFORMATION_CLASS FileInformationClass,
	114	IN BOOLEAN ReturnSingleEntry,
	115	IN PUNICODE_STRING FileName OPTIONAL,
	116	IN BOOLEAN RestartScan
	117	);
	118
	119	NTSTATUS
	120	NTAPI
	121	HookedNtQueryDirectoryFile(
	122	IN HANDLE FileHandle,
	123	IN HANDLE Event OPTIONAL,
	124	IN PIO_APC_ROUTINE ApcRoutine OPTIONAL,
	125	IN PVOID ApcContext OPTIONAL,
	126	OUT PIO_STATUS_BLOCK IoStatusBlock,
	127	OUT PVOID FileInformation,
	128	IN ULONG FileInformationLength,
	129	IN FILE_INFORMATION_CLASS FileInformationClass,
	130	IN BOOLEAN ReturnSingleEntry,
	131	IN PUNICODE_STRING FileName OPTIONAL,
	132	IN BOOLEAN RestartScan
	133	);
	134
	135
	136	/*
	137	* ZwQueryAttributesFile retrieves basic information about a file object. [NAR]
	138	*/
	139
	140	typedef NTSTATUS (*fpZwQueryAttributesFile) (
	141	IN POBJECT_ATTRIBUTES ObjectAttributes,
	142	OUT PFILE_BASIC_INFORMATION FileInformation
	143	);
	144
	145	NTSTATUS
	146	NTAPI
	147	HookedNtQueryAttributesFile(
	148	IN POBJECT_ATTRIBUTES ObjectAttributes,
	149	OUT PFILE_BASIC_INFORMATION FileInformation
	150	);
	151
	152
	153	/*
	154	* ZwQueryFullAttributesFile retrieves extended information about a file object. [NAR]
	155	*/
	156
	157	typedef NTSTATUS (*fpZwQueryFullAttributesFile) (
	158	IN POBJECT_ATTRIBUTES ObjectAttributes,
	159	OUT PFILE_NETWORK_OPEN_INFORMATION FileInformation
	160	);
	161
	162	NTSTATUS
	163	NTAPI
	164	HookedNtQueryFullAttributesFile(
	165	IN POBJECT_ATTRIBUTES ObjectAttributes,
	166	OUT PFILE_NETWORK_OPEN_INFORMATION FileInformation
	167	);
	168
	169
	170	/*
	171	* ZwSetInformationFile sets information affecting a file object. [NAR]
	172	*/
	173
	174	typedef NTSTATUS (*fpZwSetInformationFile) (
	175	IN HANDLE FileHandle,
	176	OUT PIO_STATUS_BLOCK IoStatusBlock,
	177	IN PVOID FileInformation,
	178	IN ULONG FileInformationLength,
	179	IN FILE_INFORMATION_CLASS FileInformationClass
	180	);
	181
	182	NTSTATUS
	183	NTAPI
	184	HookedNtSetInformationFile(
	185	IN HANDLE FileHandle,
	186	OUT PIO_STATUS_BLOCK IoStatusBlock,
	187	IN PVOID FileInformation,
	188	IN ULONG FileInformationLength,
	189	IN FILE_INFORMATION_CLASS FileInformationClass
	190	);
	191
	192
	193
	194	/*
	195	* ZwCreateNamedPipeFile creates a named pipe. [NAR]
	196	*/
	197
	198	typedef NTSTATUS (*fpZwCreateNamedPipeFile) (
	199	OUT PHANDLE FileHandle,
	200	IN ACCESS_MASK DesiredAccess,
	201	IN POBJECT_ATTRIBUTES ObjectAttributes,
	202	OUT PIO_STATUS_BLOCK IoStatusBlock,
	203	IN ULONG ShareAccess,
	204	IN ULONG CreateDisposition,
	205	IN ULONG CreateOptions,
	206	/* The following 3 parameters listed in NAR are wrong
	207	IN BOOLEAN TypeMessage,
	208	IN BOOLEAN ReadmodeMessage,
	209	IN BOOLEAN Nonblocking,
	210	*/
	211	IN ULONG TypeMessage,
	212	IN ULONG ReadmodeMessage,
	213	IN ULONG Nonblocking,
	214	IN ULONG MaxInstances,
	215	IN ULONG InBufferSize,
	216	IN ULONG OutBufferSize,
	217	IN PLARGE_INTEGER DefaultTimeout OPTIONAL
	218	);
	219
	220	NTSTATUS
	221	NTAPI
	222	HookedNtCreateNamedPipeFile(
	223	OUT PHANDLE FileHandle,
	224	IN ACCESS_MASK DesiredAccess,
	225	IN POBJECT_ATTRIBUTES ObjectAttributes,
	226	OUT PIO_STATUS_BLOCK IoStatusBlock,
	227	IN ULONG ShareAccess,
	228	IN ULONG CreateDisposition,
	229	IN ULONG CreateOptions,
	230	IN ULONG TypeMessage,
	231	IN ULONG ReadmodeMessage,
	232	IN ULONG Nonblocking,
	233	IN ULONG MaxInstances,
	234	IN ULONG InBufferSize,
	235	IN ULONG OutBufferSize,
	236	IN PLARGE_INTEGER DefaultTimeout OPTIONAL
	237	);
	238
	239
	240
	241	/*
	242	* ZwCreateMailslotFile creates a mailslot. [NAR]
	243	*/
	244
	245	typedef NTSTATUS (*fpZwCreateMailslotFile) (
	246	OUT PHANDLE FileHandle,
	247	IN ACCESS_MASK DesiredAccess,
	248	IN POBJECT_ATTRIBUTES ObjectAttributes,
	249	OUT PIO_STATUS_BLOCK IoStatusBlock,
	250	IN ULONG CreateOptions,
	251	IN ULONG InBufferSize,
	252	IN ULONG MaxMessageSize,
	253	IN PLARGE_INTEGER ReadTimeout OPTIONAL
	254	);
	255
	256	NTSTATUS
	257	NTAPI
	258	HookedNtCreateMailslotFile(
	259	OUT PHANDLE FileHandle,
	260	IN ACCESS_MASK DesiredAccess,
	261	IN POBJECT_ATTRIBUTES ObjectAttributes,
	262	OUT PIO_STATUS_BLOCK IoStatusBlock,
	263	IN ULONG CreateOptions,
	264	IN ULONG InBufferSize,
	265	IN ULONG MaxMessageSize,
	266	IN PLARGE_INTEGER ReadTimeout OPTIONAL
	267	);
	268
	269
	270	BOOLEAN InitFileHooks();
	271
	272
	273	#endif /* __FILE_H__ */