
The following code tries to spawn a file handle using NtOpenFile:

HANDLE spawnFileHandle(){
    HANDLE ret = NULL;   // initialised so a failed open does not return stack garbage
    IO_STATUS_BLOCK IoStatusBlock;
    OBJECT_ATTRIBUTES ObjectAttributes;
    ObjectAttributes.SecurityDescriptor = 0;
    ObjectAttributes.SecurityQualityOfService = 0;
    ObjectAttributes.RootDirectory = 0;
    ObjectAttributes.Attributes = 0;   // OBJ_CASE_INSENSITIVE is normally wanted here
    ObjectAttributes.Length = sizeof(OBJECT_ATTRIBUTES);

    WCHAR stringBuffer[5048];
    UNICODE_STRING string;
    string.Buffer = stringBuffer;
    lstrcpyW(stringBuffer, L"\\??\\");   // NT namespace prefix in front of the Win32 path
    lstrcatW(stringBuffer, EXEPath);
    string.Length = lstrlenW(stringBuffer) * sizeof(WCHAR); // bytes, not characters. Edit after comment.
    string.MaximumLength = sizeof(stringBuffer);            // bytes available in the buffer
    ObjectAttributes.ObjectName = &string;
    NTSTATUS error = origZwOpenFile(&ret, FILE_READ_DATA, &ObjectAttributes, &IoStatusBlock, FILE_SHARE_READ, 0);
    printf("huh %ls %x", stringBuffer, error);
    return ret;
}

but it always returns STATUS_OBJECT_NAME_INVALID, example:

Edit: [HBIP] - Hidden Because I'm Paranoid -.-

EXE path : C:\Users\n00b\Desktop\[HBIP]\Debug\[HBIP].exe
huh \??\C:\Users\n00b\Desktop\[HBIP]\Debug\[HBIP].exe c0000033
Spawned Handle : cccccccc

What could be the reason?

n00b
    Well, asterisk is not a valid filename character. Also, `UNICODE_STRING::Length` is in bytes, not characters. Also, you generally should set `OBJ_CASE_INSENSITIVE` in OBJECT_ATTRIBUTES::Attributes. – avakar Aug 11 '13 at 19:57
  • The asterisks are for masking the path ;)) but the second one I just assumed is the __string__ length o0; however, changing it to bytes changes nothing, still the same error. I think that's not the problem because it would return "file not found", not "name invalid"... – n00b Aug 11 '13 at 20:01
  • Correction, the second is the answer :) I multiplied by 4, not 2. Thanks, please post as an answer. – n00b Aug 11 '13 at 20:14
  • I'm guessing there are invalid characters in `EXEPath`. If it's not an asterisk, then it's `\n` or something (a forgotten backslash?). Replace `EXEPath` with a literal. – avakar Aug 11 '13 at 20:17
  • Ah, an odd-length string, huh? :) – avakar Aug 11 '13 at 20:20

1 Answer


The UNICODE_STRING structure expects both Length and MaximumLength to be in bytes. Note that these values will always be even.

You're getting STATUS_OBJECT_NAME_INVALID because your Length is an odd number, therefore invalid.

avakar
  • Also beware that sizeof() will *not* work to get the length in bytes because it includes the null terminator and the Length member doesn't want it. Good: `lstrlenW(path) * sizeof(wchar_t)` Bad: `sizeof(path)` – Nathan Kidd Sep 22 '17 at 21:22
  • UNICODE_STRING details https://msdn.microsoft.com/en-us/library/windows/desktop/aa380518(v=vs.85).aspx – Nathan Kidd Sep 22 '17 at 21:32
  • `RtlInitUnicodeString()` is in fact designed to initialize this struct for you: https://msdn.microsoft.com/en-us/library/ms648420(v=vs.85).aspx – Nathan Kidd Sep 23 '17 at 00:24
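As an added example (not code from the question or the answer), here is a portable C sketch of what RtlInitUnicodeString does for you, plus a pre-flight check that would have flagged the odd Length before the call ever reached NtOpenFile. The struct and the 16-bit WCHAR are a constructed mirror of the Windows layout so it compiles off Windows, and the path in main is a constructed sample.

```c
#include <stdint.h>
#include <stdio.h>

/* Constructed mirror of UNICODE_STRING with a 16-bit WCHAR so it compiles off
 * Windows; on Windows use the real one from <winternl.h>. */
typedef uint16_t WCHAR;
typedef struct {
    uint16_t Length;        /* bytes in use, NOT counting the NUL terminator */
    uint16_t MaximumLength; /* bytes available in Buffer */
    WCHAR   *Buffer;
} UNICODE_STRING;

/* Characters in a NUL-terminated 16-bit string (what lstrlenW returns). */
static size_t wcslen16(const WCHAR *s) {
    size_t n = 0;
    while (s[n] != 0) n++;
    return n;
}

/* Fill the struct the way RtlInitUnicodeString would: both fields in bytes.
 * Returns 0 on success, -1 if the string does not fit the buffer. */
static int init_unicode_string(UNICODE_STRING *u, WCHAR *buf, size_t buf_chars) {
    size_t chars = wcslen16(buf);
    if (chars >= buf_chars || buf_chars * sizeof(WCHAR) > UINT16_MAX) return -1;
    u->Buffer        = buf;
    u->Length        = (uint16_t)(chars * sizeof(WCHAR));     /* chars*2, never chars*4 or sizeof(buf) */
    u->MaximumLength = (uint16_t)(buf_chars * sizeof(WCHAR)); /* always even, like Length */
    return 0;
}

/* Check before handing the struct to a native API: 0 = ok, 1 = odd Length (the
 * bug in the question), 2 = Length exceeds MaximumLength, 3 = NULL Buffer with data. */
static int validate_unicode_string(const UNICODE_STRING *u) {
    if (u->Length % sizeof(WCHAR) != 0) return 1;
    if (u->Length > u->MaximumLength) return 2;
    if (u->Buffer == NULL && u->Length != 0) return 3;
    return 0;
}

int main(void) {
    /* Constructed sample: L"\??\C:\app.exe" as 16-bit code units. */
    WCHAR buf[64] = {'\\','?','?','\\','C',':','\\','a','p','p','.','e','x','e',0};
    UNICODE_STRING us;
    int rc = init_unicode_string(&us, buf, 64);
    printf("init=%d Length=%u MaximumLength=%u valid=%d\n", rc, (unsigned)us.Length,
           (unsigned)us.MaximumLength, validate_unicode_string(&us));
    return 0;
}
```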