joakim

NtCreateFile returns STATUS_ACCESS_VIOLATION (again)

6 posts in this topic

This time I'm trying another native function called NtCreateFile. Have tried many variations of data types but all give the same ntstatus. Here is the sample code:

; NtCreateFile routine -> http://msdn.microsoft.com/en-us/library/windows/hardware/ff566424(v=vs.85).aspx
; IO_STATUS_BLOCK structure -> http://msdn.microsoft.com/en-us/library/windows/hardware/ff550671(v=vs.85).aspx
; OBJECT_ATTRIBUTES structure -> http://msdn.microsoft.com/en-us/library/windows/hardware/ff557749(v=vs.85).aspx
; UNICODE_STRING structure -> http://msdn.microsoft.com/en-us/library/windows/hardware/ff564879(v=vs.85).aspx
; InitializeObjectAttributes macro -> http://msdn.microsoft.com/en-us/library/windows/hardware/ff547804(v=vs.85).aspx
; RtlInitUnicodeString routine -> http://msdn.microsoft.com/en-us/library/windows/hardware/ff561934(v=vs.85).aspx
Global Const $OBJ_CASE_INSENSITIVE = 0x00000040
Global Const $FILE_RANDOM_ACCESS = 0x00000800
Global Const $FILE_DIRECTORY_FILE = 0x00000002
Global Const $FILE_NON_DIRECTORY_FILE = 0x00000040
Global Const $tagIOSTATUSBLOCK = "ptr Status;ptr Information"
Global Const $tagOBJECTATTRIBUTES = "ulong Length;handle RootDirectory;ptr ObjectName;ulong Attributes;ptr SecurityDescriptor;ptr SecurityQualityOfService"
Global Const $tagUNICODESTRING = "ushort Length;ushort MaximumLength;ptr Buffer"
Global Const $CREATE_NEW = 1
Global Const $TRUNCATE_EXISTING = 5
Global Const $GENERIC_ALL = 0x10000000
Global Const $FILE_SHARE_READ = 0x01
Global Const $FILE_ATTRIBUTE_NORMAL = 0x00000080
$hNTDLL = DllOpen("ntdll.dll")
$szName = DllStructCreate("wchar[260]")
$sUS = DllStructCreate($tagUNICODESTRING)
$sOA = DllStructCreate($tagOBJECTATTRIBUTES)
$sISB = DllStructCreate($tagIOSTATUSBLOCK)
$File = "\\C:\test\testfile.txt"
DllStructSetData($szName, 1, $File)
$ret = DllCall($hNTDLL, "none", "RtlInitUnicodeString", "ptr", DllStructGetPtr($sUS), "ptr", DllStructGetPtr($szName))
DllStructSetData($sOA, "Length", DllStructGetSize($sOA))
DllStructSetData($sOA, "RootDirectory", 0)
DllStructSetData($sOA, "ObjectName", DllStructGetPtr($sUS))
DllStructSetData($sOA, "Attributes", $OBJ_CASE_INSENSITIVE)
DllStructSetData($sOA, "SecurityDescriptor", 0)
DllStructSetData($sOA, "SecurityQualityOfService", 0)
$DesiredAccess = $GENERIC_ALL
$AllocationSize = 1024
$FileAttributes = $FILE_ATTRIBUTE_NORMAL
$ShareAccess = $FILE_SHARE_READ
$CreateDisposition = $CREATE_NEW;$CREATE_ALWAYS
$CreateOptions = $FILE_NON_DIRECTORY_FILE
$EaBuffer = 0
$EaLength = 0
$ret = DllCall($hNTDLL, "handle", "NtCreateFile", "handle*", "", "ulong", $DesiredAccess, "ptr", DllStructGetPtr($sOA), "ptr", DllStructGetPtr($sISB), "int64", $AllocationSize, "ulong", $FileAttributes, "ulong", $ShareAccess, _
"ulong", $CreateDisposition, "ulong", $CreateOptions, "ptr", $EaBuffer, "ulong", $EaLength)
ConsoleWrite("Ntstatus: 0x" & Hex($ret[0],8) & @CRLF)

I have a hunch the issue is with IO_STATUS_BLOCK...


:unsure:

$hwndstruct = DllStructCreate("HWND")
$hwndptr = DllStructGetPtr($hwndstruct)
$ret = DllCall($hNTDLL, "handle", "NtCreateFile", "handle*", $hwndptr, "ulong", $DesiredAccess, "ptr", DllStructGetPtr($sOA), "ptr", DllStructGetPtr($sISB), "int64", $AllocationSize, "ulong", $FileAttributes, "ulong", $ShareAccess, _
"ulong", $CreateDisposition, "ulong", $CreateOptions, "ptr", $EaBuffer, "ulong", $EaLength)


I'm still getting 0xC0000005. Did you get a different result?


AllocationSize parameter type is wrong. Put "int64*" there (notice the asterisk). Also your file path is "\??\C:\test\testfile.txt".


♡♡♡

.

eMyvnE

Share this post


Link to post
Share on other sites

That works! So I guess the P in PLARGE_INTEGER was what made the requirement of the asterisk, and I missed that one.


#6 ·  Posted (edited)

I know it's a bit of an old topic, but did anyone get this API working?

; NtCreateFile routine -> http://msdn.microsoft.com/en-us/library/windows/hardware/ff566424(v=vs.85).aspx
; IO_STATUS_BLOCK structure -> http://msdn.microsoft.com/en-us/library/windows/hardware/ff550671(v=vs.85).aspx
; OBJECT_ATTRIBUTES structure -> http://msdn.microsoft.com/en-us/library/windows/hardware/ff557749(v=vs.85).aspx
; UNICODE_STRING structure -> http://msdn.microsoft.com/en-us/library/windows/hardware/ff564879(v=vs.85).aspx
; InitializeObjectAttributes macro -> http://msdn.microsoft.com/en-us/library/windows/hardware/ff547804(v=vs.85).aspx
; RtlInitUnicodeString routine -> http://msdn.microsoft.com/en-us/library/windows/hardware/ff561934(v=vs.85).aspx
Global Const $OBJ_CASE_INSENSITIVE = 0x00000040
Global Const $FILE_RANDOM_ACCESS = 0x00000800
Global Const $FILE_DIRECTORY_FILE = 0x00000002
Global Const $FILE_NON_DIRECTORY_FILE = 0x00000040
Global Const $tagIOSTATUSBLOCK = "ptr Status;ptr Information"
Global Const $tagOBJECTATTRIBUTES = "ulong Length;handle RootDirectory;ptr ObjectName;ulong Attributes;ptr SecurityDescriptor;ptr SecurityQualityOfService"
Global Const $tagUNICODESTRING = "ushort Length;ushort MaximumLength;ptr Buffer"
Global Const $CREATE_NEW = 1
Global Const $TRUNCATE_EXISTING = 5
Global Const $GENERIC_ALL = 0x10000000
Global Const $FILE_SHARE_READ = 0x01
Global Const $FILE_ATTRIBUTE_NORMAL = 0x00000080
$hNTDLL = DllOpen("ntdll.dll")
$szName = DllStructCreate("wchar[260]")
$sUS = DllStructCreate($tagUNICODESTRING)
$sOA = DllStructCreate($tagOBJECTATTRIBUTES)
$sISB = DllStructCreate($tagIOSTATUSBLOCK)
$File = "\??\C:\testfile.txt"
DllStructSetData($szName, 1, $File)
$ret = DllCall($hNTDLL, "none", "RtlInitUnicodeString", "struct*", $sUS, "struct*", $szName)
DllStructSetData($sOA, "Length", DllStructGetSize($sOA))
DllStructSetData($sOA, "RootDirectory", 0)
DllStructSetData($sOA, "ObjectName", DllStructGetPtr($sUS))
DllStructSetData($sOA, "Attributes", $OBJ_CASE_INSENSITIVE)
DllStructSetData($sOA, "SecurityDescriptor", 0)
DllStructSetData($sOA, "SecurityQualityOfService", 0)
$DesiredAccess = $GENERIC_ALL
$AllocationSize = 1024
$FileAttributes = $FILE_ATTRIBUTE_NORMAL
$ShareAccess = $FILE_SHARE_READ
$CreateDisposition = $CREATE_NEW;$CREATE_ALWAYS
$CreateOptions = $FILE_NON_DIRECTORY_FILE
$EaBuffer = 0
$EaLength = 0
$ret = DllCall($hNTDLL, "handle", "NtCreateFile", _
    "handle*", 0, _
    "ulong", $DesiredAccess, _
    "struct*", $sOA, _
    "struct*", $sISB, _
    "int64*", $AllocationSize, _
    "ulong", $FileAttributes, _
    "ulong", $ShareAccess, _
    "ulong", $CreateDisposition, _
    "ulong", $CreateOptions, _
    "ptr", $EaBuffer, _
    "ulong", $EaLength)
ConsoleWrite("Ntstatus: 0x" & Hex($ret[0],8) & @CRLF)

I get "STATUS_OBJECT_NAME_NOT_FOUND" error, but why?

Edited by Mugen
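
The following is an added example, not code from any poster in this thread. It combines the two fixes given above ("int64*" for the PLARGE_INTEGER AllocationSize and a `\??\` NT path) and uses NtCreateFile's own CreateDisposition values instead of the Win32 CreateFile constants: the value 1 that the scripts above name $CREATE_NEW is FILE_OPEN to NtCreateFile, which returns STATUS_OBJECT_NAME_NOT_FOUND when the file does not exist yet. The function name `_NtCreateFile` and the file path are assumptions made for the example.

```autoit
; Added example (not from the thread). NtCreateFile has its own disposition
; values; the Win32 CreateFile constants (CREATE_NEW = 1, ...) do not apply.
Global Const $FILE_SUPERSEDE = 0, $FILE_OPEN = 1, $FILE_CREATE = 2
Global Const $FILE_OPEN_IF = 3, $FILE_OVERWRITE = 4, $FILE_OVERWRITE_IF = 5
Global Const $OBJ_CASE_INSENSITIVE = 0x00000040
Global Const $FILE_NON_DIRECTORY_FILE = 0x00000040
Global Const $GENERIC_ALL = 0x10000000
Global Const $FILE_SHARE_READ = 0x01
Global Const $FILE_ATTRIBUTE_NORMAL = 0x00000080
Global Const $tagIOSTATUSBLOCK = "ptr Status;ptr Information"
Global Const $tagOBJECTATTRIBUTES = "ulong Length;handle RootDirectory;ptr ObjectName;ulong Attributes;ptr SecurityDescriptor;ptr SecurityQualityOfService"
Global Const $tagUNICODESTRING = "ushort Length;ushort MaximumLength;ptr Buffer"

; Hypothetical helper: returns the NTSTATUS, hands the file handle back in $hFile.
Func _NtCreateFile($sNtPath, $iDisposition, ByRef $hFile)
    Local $tName = DllStructCreate("wchar[" & (StringLen($sNtPath) + 1) & "]")
    DllStructSetData($tName, 1, $sNtPath)
    Local $tUS = DllStructCreate($tagUNICODESTRING)
    DllCall("ntdll.dll", "none", "RtlInitUnicodeString", "struct*", $tUS, "struct*", $tName)
    ; DllStructCreate zero-fills, so RootDirectory and the security members stay NULL.
    Local $tOA = DllStructCreate($tagOBJECTATTRIBUTES)
    DllStructSetData($tOA, "Length", DllStructGetSize($tOA))
    DllStructSetData($tOA, "ObjectName", DllStructGetPtr($tUS))
    DllStructSetData($tOA, "Attributes", $OBJ_CASE_INSENSITIVE)
    Local $tISB = DllStructCreate($tagIOSTATUSBLOCK)
    ; "handle*" is the PHANDLE out parameter; "int64*" passes a pointer to the
    ; allocation size (PLARGE_INTEGER), not the size itself. NTSTATUS is a long.
    Local $aRet = DllCall("ntdll.dll", "long", "NtCreateFile", _
            "handle*", 0, _
            "ulong", $GENERIC_ALL, _
            "struct*", $tOA, _
            "struct*", $tISB, _
            "int64*", 1024, _
            "ulong", $FILE_ATTRIBUTE_NORMAL, _
            "ulong", $FILE_SHARE_READ, _
            "ulong", $iDisposition, _
            "ulong", $FILE_NON_DIRECTORY_FILE, _
            "ptr", 0, "ulong", 0)
    If @error Then Return SetError(@error, 0, -1)
    $hFile = $aRet[1]
    Return $aRet[0]
EndFunc

Local $hFile = 0
; Constructed path; \??\ is the NT object-namespace prefix for a drive-letter path.
Local $iStatus = _NtCreateFile("\??\C:\test\testfile.txt", $FILE_CREATE, $hFile)
ConsoleWrite("Ntstatus: 0x" & Hex($iStatus, 8) & @CRLF)
If $iStatus = 0 Then DllCall("ntdll.dll", "long", "NtClose", "handle", $hFile)
```

With $FILE_CREATE the call fails with STATUS_OBJECT_NAME_COLLISION if the file already exists; $FILE_OPEN_IF opens it or creates it as needed.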
