FindnextFile and Hide file

Iniciado por ntaryl, 2 Marzo 2009, 18:05 PM

0 Miembros y 1 Visitante están viendo este tema.

Imprimir
Ir Abajo Páginas1
Acciones del Usuario

ntaryl

2 Marzo 2009, 18:05 PM
Good  afternoon
Try to hook the FindNextFileW to hide a filke from Explorer.
Hook sucessfully .
Try to build the Callback but not enough luck for it
There is someone to give me some help to find the way ?
Thanks for the time
Código [Seleccionar]


Public Function NowFindnextfile_call(ByVal hFindFile As Long, pFindFileData As WIN32_FIND_DATA) As Long
If (pFindFileData.cFileName) = "TEST.EXE" Then
NowFindnextfile_call = -1
End If
End Function

in my screenshot hook the W and A also
http://img168.imageshack.us/img168/2921/screen0wa.jpg


p.s Someone point me how to solve this 
thanks guys   




Dessa

#1
4 Marzo 2009, 00:06 AM
Good  afternoon las talopes... spanish please
Adrian Desanti

cobein

#2
4 Marzo 2009, 00:22 AM
mmm es griego asi que dudo que pueda hablar en español
http://www.advancevb.com.ar
Más Argentino que el morcipan
Aguante el Uvita tinto, Tigre, Ford y seba123neo
Karcrack es un capo.

Dessa

#3
4 Marzo 2009, 00:26 AM
Que le pregunte a "Zorba"  :D
Adrian Desanti

seba123neo

#4
4 Marzo 2009, 01:42 AM
Cita de: Dessa en  4 Marzo 2009, 00:26 AM
Que le pregunte a "Zorba"  :D

jaja buenisimo...
La característica extraordinaria de las leyes de la física es que se aplican en todos lados, sea que tú elijas o no creer en ellas. Lo bueno de las ciencias es que siempre tienen la verdad, quieras creerla o no.

Neil deGrasse Tyson

el_c0c0

#5
4 Marzo 2009, 03:05 AM
can you post the code?

anyway, that function is called from anywhere?
check that with OutputDebugString!

bye
'-     coco
"Te voy a romper el orto"- Las hemorroides

ntaryl

#6
4 Marzo 2009, 15:32 PM
Thanks for the replys 

This is the code from  my module 
Código [Seleccionar]

Option Explicit
Private Declare Function FindFirstFile Lib "kernel32" Alias "FindFirstFileA" _
    (ByVal lpFileName As String, lpFindFileData As WIN32_FIND_DATA) As Long
Private Declare Function FindNextFile Lib "kernel32" Alias "FindNextFileW" (ByVal hFindFile As Long, lpFindFileData As WIN32_FIND_DATA) As Long
'Private Declare Function FindNextFile Lib "kernel32" Alias "FindNextFileW" (ByVal hFindFile As Long, lpFindFileData As WIN32_FIND_DATA) As Long
' The FindClose Win32 API function, which closes the search handle created by the FindFirstFile function
Private Declare Function FindClose Lib "kernel32" (ByVal hFindFile As Long) As Long

' The INVALID_HANDLE_VALUE is return value, which indicates that the FindFirstFile function failed
Private Const INVALID_HANDLE_VALUE As Long = -1

' File name is limited to MAX_PATH characters
Private Const MAX_PATH As Integer = 260

' The FILETIME structure is a 64-bit value representing date and time of file
Private Type FILETIME
    dwLowDateTime As Long
    dwHighDateTime As Long
End Type

' The WIN32_FIND_DATA structure that we need to receive the FindFirstFile and the FindNextFile functions output
Private Type WIN32_FIND_DATA
    dwFileAttributes As Long
    ftCreationTime As FILETIME
    ftLastAccessTime As FILETIME
    ftLastWriteTime As FILETIME
    nFileSizeHigh As Long
    nFileSizeLow As Long
    dwReserved0 As Long
    dwReserved1 As Long
    cFileName As String * MAX_PATH
    cAlternateFileName As String * 14
End Type

' The SYSTEMTIME structure represents a date and time
Private Type SYSTEMTIME
    wYear As Integer
    wMonth As Integer
    wDayOfWeek As Integer
    wDay As Integer
    wHour As Integer
    wMinute As Integer
    wSecond As Integer
    wMilliseconds As Integer
End Type

Private Const sbuff As String = "TEST.EXE"


Public Function Findnextfile_call(ByVal hFindFile As Long, pFindFileData As WIN32_FIND_DATA) As Long

Dim wfd As WIN32_FIND_DATA

If (wfd.cFileName) = "TEST.EXE" Then

Findnextfile_call = -1
end if
End Function


and  call my hook like this   
Código [Seleccionar]

Set Hookapis = New clsHookInfo
Process = OpenProcess(PROCESS_ALL_ACCESS, 0, GetCurrentProcessId)
         
          Hookapis.HookApi "kernel32", "FindNextFileA", GetFunAddr(AddressOf Findnextfile_call), Process

el_c0c0

#7
4 Marzo 2009, 17:17 PM
check 2 things: in Finnextfile_call make a OutputDebugString with wfd.dwFileAttributes.

if it works, then the pointer of WIN32_FIND_DATA isn't working good with the strings. so you must need copy 4 bytes to know the real pointer of the string.

bye
'-     coco
"Te voy a romper el orto"- Las hemorroides

ntaryl

#8
5 Marzo 2009, 18:33 PM
Good  evening   
make the same yesterday night   
this night is so long   
when inject the dll 
the hook load and call the callback .
my callback is empty   
nothis inside
Código [Seleccionar]


Public Function Findnextfile_call(ByVal hFindFile As Long, pFindFileData As WIN32_FIND_DATA) As Long
OutputDebugString "Debug string -Iam in callback"

End function 

please u  can be more specific   
thanks  for the reply

ntaryl

#9
6 Marzo 2009, 19:33 PM
Hi  again 
yesterday play again with this project 
remove all data from my callback again and rewritte again like this
CODE:
Public Function HookFindFirstfile(ByVal hFindFile As Long, ByRef ipFindFileData As WIN32_FIND_DATA) As Long
OutputDebugString "load callback   First file" & "...." & ipFindFileData.dwFileAttributes & "......" & "checdk this attributes ascoll"
End Function
CODE
compile sucessfuly and inject in explorer
my report from debugger is   :
http://img246.imageshack.us/img246/56/debug.jpg
Think my problem still in WIN32_FIND_DATA
thanks for the time
Imprimir
Ir Arriba Páginas1
Acciones del Usuario