Kernel Hook ZwCreateFile

[caion90]

pessoal, o que eu quero fazer é um PoC de redirecionamento de api, mas não sei nada, exatamente nada de C kkkk e mesmo assim estou tentando..

bom, o trecho que faz a checagem ta com erro, se não tiver mais que um, kkk

NTSTATUS FakeZwCreateFile(

                          OUT PHANDLE FileHandle,
                          IN ACCESS_MASK DesiredAccess,
                          IN POBJECT_ATTRIBUTES ObjectAttributes,
                          OUT PIO_STATUS_BLOCK IoStatusBlock,
                          IN PLARGE_INTEGER AllocationSize OPTIONAL,
                          IN ULONG FileAttributes,
                          IN ULONG ShareAccess,
                          IN ULONG CreateDisposition,
                          IN ULONG CreateOptions,
                          IN PVOID EaBuffer OPTIONAL,
                          IN ULONG EaLength) 
                          
{
                         
                        UNICODE_STRING Kernelname;
                        UNICODE_STRING UrlmonName;
                        UNICODE_STRING RKernelName;
                        UNICODE_STRING RUrlmonName;
                        
                        RtlInitUnicodeString(&KernelName, L"\\??\\C:\\windows\\system32\\lld.23lenrek");
                        RtlInitUnicodeString(&UrlmonName, L"\\??\\C:\\windows\\system32\\LLD.NOMLRU");
                        //fake API NAMES

                        RtlInitUnicodeString(&RKernelName, L"\\??\\C:\\windows\\system32\\kernel32.dll");
                        RtlInitUnicodeString(&RUrlmonName, L"\\??\\C:\\windows\\system32\\URLMON.DLL");
                        //real API NAMES
                        

                        
                        
                        if(RtlCompareUnicodeString(ObjectAttributes->ObjectName,&KernelName, TRUE)==0x00){
                        ObjectAttributes->ObjectName == &RKernelName;
                        return(((ZWCREATEFILE)(OrigZwCreateFile)) (
                        
                                                            FileHandle,
                                                            DesiredAccess,
                                                            ObjectAttributes,
                                                            IoStatusBlock,
                                                            AllocationSize,
                                                            FileAttributes,
                                                            ShareAccess,
                                                            CreateDisposition,
                                                            CreateOptions,
                                                            EaBuffer,
                                                            EaLength));                                                                                          

                        }

codigo com o erro http://pastebin.com/Qf2sChNA

é basicamente isso que quero fazer, hookar o ZwCreateFile/NtCreateFile e quando a API tentar ler um arquivo, ex. LLD.NOMLRU que é URLMON.DLL ao invés de retornar que o arquivo não existe ele retorne o verdadeiro urlmon.dll, mas como disse, o erro esta bem obvio e eu n consigo arrumar,

agradeço ao pessoal que me ajudar, vlw!

Editado Janeiro 9, 2012 por caion90