NtCreateFile returns STATUS_ACCESS_VIOLATION (again)

joakim

This time I'm trying another native function called NtCreateFile. Have tried many variations of datatypes but all give the same ntstatus. Here is the sample code:

; NtCreateFile routine -> http://msdn.microsoft.com/en-us/library/windows/hardware/ff566424(v=vs.85).aspx
; IO_STATUS_BLOCK structure -> http://msdn.microsoft.com/en-us/library/windows/hardware/ff550671(v=vs.85).aspx
; OBJECT_ATTRIBUTES structure -> http://msdn.microsoft.com/en-us/library/windows/hardware/ff557749(v=vs.85).aspx
; UNICODE_STRING structure -> http://msdn.microsoft.com/en-us/library/windows/hardware/ff564879(v=vs.85).aspx
; InitializeObjectAttributes macro -> http://msdn.microsoft.com/en-us/library/windows/hardware/ff547804(v=vs.85).aspx
; RtlInitUnicodeString routine -> http://msdn.microsoft.com/en-us/library/windows/hardware/ff561934(v=vs.85).aspx
Global Const $OBJ_CASE_INSENSITIVE = 0x00000040
Global Const $FILE_RANDOM_ACCESS = 0x00000800
Global Const $FILE_DIRECTORY_FILE = 0x00000002
Global Const $FILE_NON_DIRECTORY_FILE = 0x00000040
Global Const $tagIOSTATUSBLOCK = "ptr Status;ptr Information"
Global Const $tagOBJECTATTRIBUTES = "ulong Length;handle RootDirectory;ptr ObjectName;ulong Attributes;ptr SecurityDescriptor;ptr SecurityQualityOfService"
Global Const $tagUNICODESTRING = "ushort Length;ushort MaximumLength;ptr Buffer"
Global Const $CREATE_NEW = 1
Global Const $TRUNCATE_EXISTING = 5
Global Const $GENERIC_ALL = 0x10000000
Global Const $FILE_SHARE_READ = 0x01
Global Const $FILE_ATTRIBUTE_NORMAL = 0x00000080
$hNTDLL = DllOpen("ntdll.dll")
$szName = DllStructCreate("wchar[260]")
$sUS = DllStructCreate($tagUNICODESTRING)
$sOA = DllStructCreate($tagOBJECTATTRIBUTES)
$sISB = DllStructCreate($tagIOSTATUSBLOCK)
$File = "\\C:\test\testfile.txt"
DllStructSetData($szName, 1, $File)
$ret = DllCall($hNTDLL, "none", "RtlInitUnicodeString", "ptr", DllStructGetPtr($sUS), "ptr", DllStructGetPtr($szName))
DllStructSetData($sOA, "Length", DllStructGetSize($sOA))
DllStructSetData($sOA, "RootDirectory", 0)
DllStructSetData($sOA, "ObjectName", DllStructGetPtr($sUS))
DllStructSetData($sOA, "Attributes", $OBJ_CASE_INSENSITIVE)
DllStructSetData($sOA, "SecurityDescriptor", 0)
DllStructSetData($sOA, "SecurityQualityOfService", 0)
$DesiredAccess = $GENERIC_ALL
$AllocationSize = 1024
$FileAttributes = $FILE_ATTRIBUTE_NORMAL
$ShareAccess = $FILE_SHARE_READ
$CreateDisposition = $CREATE_NEW;$CREATE_ALWAYS
$CreateOptions = $FILE_NON_DIRECTORY_FILE
$EaBuffer = 0
$EaLength = 0
$ret = DllCall($hNTDLL, "handle", "NtCreateFile", "handle*", "", "ulong", $DesiredAccess, "ptr", DllStructGetPtr($sOA), "ptr", DllStructGetPtr($sISB), "int64", $AllocationSize, "ulong", $FileAttributes, "ulong", $ShareAccess, _
"ulong", $CreateDisposition, "ulong", $CreateOptions, "ptr", $EaBuffer, "ulong", $EaLength)
ConsoleWrite("Ntstatus: 0x" & Hex($ret[0],8) & @CRLF)

I have a hunch the issue is with IO_STATUS_BLOCK...

JohnOne

:unsure:

$hwndstruct = DllStructCreate("HWND")
$hwndptr = DllStructGetPtr($hwndstruct)
$ret = DllCall($hNTDLL, "handle", "NtCreateFile", "handle*", $hwndptr, "ulong", $DesiredAccess, "ptr", DllStructGetPtr($sOA), "ptr", DllStructGetPtr($sISB), "int64", $AllocationSize, "ulong", $FileAttributes, "ulong", $ShareAccess, _
"ulong", $CreateDisposition, "ulong", $CreateOptions, "ptr", $EaBuffer, "ulong", $EaLength)

joakim

I'm still getting 0xC0000005. Did you get a different result?

trancexx

AllocationSize parameter type is wrong. Put "int64*" there (notice asterisk). Also your file path is "\??\C:\test\testfile.txt".


♡♡♡

.

eMyvnE

Share this post


Link to post
Share on other sites
joakim

That works! So I guess the P in PLARGE_INTEGER was what made the requirement of the asterisk, and I missed that one.

Mugen

I know it's a bit of an old topic, but did anyone get this API working?

; NtCreateFile routine -> http://msdn.microsoft.com/en-us/library/windows/hardware/ff566424(v=vs.85).aspx
; IO_STATUS_BLOCK structure -> http://msdn.microsoft.com/en-us/library/windows/hardware/ff550671(v=vs.85).aspx
; OBJECT_ATTRIBUTES structure -> http://msdn.microsoft.com/en-us/library/windows/hardware/ff557749(v=vs.85).aspx
; UNICODE_STRING structure -> http://msdn.microsoft.com/en-us/library/windows/hardware/ff564879(v=vs.85).aspx
; InitializeObjectAttributes macro -> http://msdn.microsoft.com/en-us/library/windows/hardware/ff547804(v=vs.85).aspx
; RtlInitUnicodeString routine -> http://msdn.microsoft.com/en-us/library/windows/hardware/ff561934(v=vs.85).aspx
Global Const $OBJ_CASE_INSENSITIVE = 0x00000040
Global Const $FILE_RANDOM_ACCESS = 0x00000800
Global Const $FILE_DIRECTORY_FILE = 0x00000002
Global Const $FILE_NON_DIRECTORY_FILE = 0x00000040
Global Const $tagIOSTATUSBLOCK = "ptr Status;ptr Information"
Global Const $tagOBJECTATTRIBUTES = "ulong Length;handle RootDirectory;ptr ObjectName;ulong Attributes;ptr SecurityDescriptor;ptr SecurityQualityOfService"
Global Const $tagUNICODESTRING = "ushort Length;ushort MaximumLength;ptr Buffer"
Global Const $CREATE_NEW = 1
Global Const $TRUNCATE_EXISTING = 5
Global Const $GENERIC_ALL = 0x10000000
Global Const $FILE_SHARE_READ = 0x01
Global Const $FILE_ATTRIBUTE_NORMAL = 0x00000080
$hNTDLL = DllOpen("ntdll.dll")
$szName = DllStructCreate("wchar[260]")
$sUS = DllStructCreate($tagUNICODESTRING)
$sOA = DllStructCreate($tagOBJECTATTRIBUTES)
$sISB = DllStructCreate($tagIOSTATUSBLOCK)
$File = "\??\C:\testfile.txt"
DllStructSetData($szName, 1, $File)
$ret = DllCall($hNTDLL, "none", "RtlInitUnicodeString", "struct*", $sUS, "struct*", $szName)
DllStructSetData($sOA, "Length", DllStructGetSize($sOA))
DllStructSetData($sOA, "RootDirectory", 0)
DllStructSetData($sOA, "ObjectName", DllStructGetPtr($sUS))
DllStructSetData($sOA, "Attributes", $OBJ_CASE_INSENSITIVE)
DllStructSetData($sOA, "SecurityDescriptor", 0)
DllStructSetData($sOA, "SecurityQualityOfService", 0)
$DesiredAccess = $GENERIC_ALL
$AllocationSize = 1024
$FileAttributes = $FILE_ATTRIBUTE_NORMAL
$ShareAccess = $FILE_SHARE_READ
$CreateDisposition = $CREATE_NEW;$CREATE_ALWAYS
$CreateOptions = $FILE_NON_DIRECTORY_FILE
$EaBuffer = 0
$EaLength = 0
$ret = DllCall($hNTDLL, "handle", "NtCreateFile", _
    "handle*", 0, _
    "ulong", $DesiredAccess, _
    "struct*", $sOA, _
    "struct*", $sISB, _
    "int64*", $AllocationSize, _
    "ulong", $FileAttributes, _
    "ulong", $ShareAccess, _
    "ulong", $CreateDisposition, _
    "ulong", $CreateOptions, _
    "ptr", $EaBuffer, _
    "ulong", $EaLength)
ConsoleWrite("Ntstatus: 0x" & Hex($ret[0],8) & @CRLF)

I get "STATUS_OBJECT_NAME_NOT_FOUND" error, but why?

Edited by Mugen
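
The call with both fixes from this thread applied (NT-namespace path, AllocationSize passed by reference), as an added example that is not any poster's code. It also uses NtCreateFile's own CreateDisposition values: to NtCreateFile the value 1 is FILE_OPEN, which returns STATUS_OBJECT_NAME_NOT_FOUND when the file does not exist, while FILE_CREATE is 2. The path (whose directory C:\test is assumed to exist) and the variable names are assumptions.

```autoit
; Added example: names and the target path are illustrative assumptions.
Global Const $OBJ_CASE_INSENSITIVE = 0x00000040
Global Const $FILE_GENERIC_WRITE = 0x00120116 ; write rights, includes SYNCHRONIZE
Global Const $FILE_ATTRIBUTE_NORMAL = 0x00000080
Global Const $FILE_SHARE_READ = 0x00000001
; NtCreateFile dispositions are not the Win32 CreateFile ones:
; FILE_OPEN = 1 (open existing only), FILE_CREATE = 2 (fail if it exists).
Global Const $FILE_CREATE = 0x00000002
Global Const $FILE_NON_DIRECTORY_FILE = 0x00000040
Global Const $FILE_SYNCHRONOUS_IO_NONALERT = 0x00000020

Local $hNTDLL = DllOpen("ntdll.dll")
Local $tUS = DllStructCreate("ushort Length;ushort MaximumLength;ptr Buffer")
Local $tOA = DllStructCreate("ulong Length;handle RootDirectory;ptr ObjectName;" & _
        "ulong Attributes;ptr SecurityDescriptor;ptr SecurityQualityOfService")
Local $tISB = DllStructCreate("ptr Status;ulong_ptr Information")

; RtlInitUnicodeString only stores a pointer to the string, so the path
; lives in its own struct that stays allocated until after the call.
Local $tName = DllStructCreate("wchar[260]")
DllStructSetData($tName, 1, "\??\C:\test\testfile.txt") ; NT namespace path
DllCall($hNTDLL, "none", "RtlInitUnicodeString", "struct*", $tUS, "struct*", $tName)

DllStructSetData($tOA, "Length", DllStructGetSize($tOA))
DllStructSetData($tOA, "ObjectName", DllStructGetPtr($tUS))
DllStructSetData($tOA, "Attributes", $OBJ_CASE_INSENSITIVE)

; Parameters prefixed with P in the prototype are passed by reference:
; PHANDLE -> "handle*", PLARGE_INTEGER -> "int64*". NTSTATUS is a 32-bit long.
Local $iOptions = BitOR($FILE_NON_DIRECTORY_FILE, $FILE_SYNCHRONOUS_IO_NONALERT)
Local $aRet = DllCall($hNTDLL, "long", "NtCreateFile", _
        "handle*", 0, _
        "ulong", $FILE_GENERIC_WRITE, _
        "struct*", $tOA, _
        "struct*", $tISB, _
        "int64*", 1024, _
        "ulong", $FILE_ATTRIBUTE_NORMAL, _
        "ulong", $FILE_SHARE_READ, _
        "ulong", $FILE_CREATE, _
        "ulong", $iOptions, _
        "ptr", 0, _
        "ulong", 0)
If @error Then
    ConsoleWrite("DllCall failed, @error = " & @error & @CRLF)
ElseIf $aRet[0] >= 0 Then ; NT_SUCCESS: the new handle is in $aRet[1]
    ConsoleWrite("Ntstatus: 0x" & Hex($aRet[0], 8) & @CRLF)
    DllCall($hNTDLL, "long", "NtClose", "handle", $aRet[1])
Else
    ConsoleWrite("Ntstatus: 0x" & Hex($aRet[0], 8) & @CRLF)
EndIf
DllClose($hNTDLL)
```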
