
I set a global hook on ZwWriteFile to encrypt all file writes. This is my new instance of ZwWriteFile:

```delphi
function New_ZwWriteFile(FileHandle: HANDLE; Event: HANDLE;
  ApcRoutine: PIO_APC_ROUTINE; ApcContext: PVOID;
  IoStatusBlock: PIO_STATUS_BLOCK; Buffer: PVOID; Length: ULONG;
  ByteOffset: PLARGE_INTEGER; Key: PULONG): THandle; stdcall;
Begin
///
End;
```

When I call the original ZwWriteFile in New_ZwWriteFile, the file is corrupted because the buffer is null!

```delphi
function New_ZwWriteFile(FileHandle: HANDLE; Event: HANDLE;
  ApcRoutine: PIO_APC_ROUTINE; ApcContext: PVOID;
  IoStatusBlock: PIO_STATUS_BLOCK; Buffer: PVOID; Length: ULONG;
  ByteOffset: PLARGE_INTEGER; Key: PULONG): THandle; stdcall;
Begin
  result := Old_ZwWriteFile(FileHandle, Event, ApcRoutine, ApcContext,
        IoStatusBlock, Buffer, Length, ByteOffset, Key);
End;
```

I tested @Buffer as well but got the same result!

```delphi
  result := Old_ZwWriteFile(FileHandle, Event, ApcRoutine, ApcContext,
        IoStatusBlock, @Buffer, Length, ByteOffset, Key);
```

The buffer data type is Pointer. How can I retrieve its content and write it to the file? Any idea?

Kamran
  • Return value is `NTSTATUS` rather than `THandle`. Why do you keep asking questions and then ignoring the answers. For instance here: http://stackoverflow.com/questions/24675603/get-size-of-a-pointer-buffer-in-delphi and here http://stackoverflow.com/questions/24798988/get-file-name-from-ishellitem-in-ifileoperation-getdisplayname – David Heffernan Jul 21 '14 at 09:35
  • Why would `@Buffer` be correct? Trial and error is not a good policy. – David Heffernan Jul 21 '14 at 09:38
  • FWIW, your entire project (http://stackoverflow.com/questions/24220382/windows-file-copy-internals-on-the-fly-encryption) is flawed. If you change the meaning of file copy you will render the machine unusable. – David Heffernan Jul 21 '14 at 09:55
  • @DavidHeffernan I know it, but I have to prevent any copy on my system using this tool. – Kamran Jul 21 '14 at 10:13
  • Who is forcing you to attempt this exercise in futility? At the very least you should have realistic expectations. No. 1, don't expect to be able to determine a buffer size when all you have is a pointer. No. 2, don't expect that all file copying routes through `IFileOperation`. No. 3, don't accept answers that are clearly wrong. I don't think I can offer you any more advice than that. – David Heffernan Jul 21 '14 at 10:15
  • Which OS on the machine? – MartynA Jul 21 '14 at 10:21
  • @MartynA Windows 8.1 x64. – Kamran Jul 21 '14 at 10:48

1 Answer


First of all we must assume that HANDLE is correctly defined as an alias to THandle. Or at least to be a type that is pointer sized. And also that the other types in the code in the question are correctly translated. If these translations are incorrect then clearly that could explain your problems.

Beyond that, the only thing wrong with the code in the question is the type of the return value. It should be NTSTATUS rather than THandle. That will have an impact on x64 because NTSTATUS is 32 bits wide, and THandle is pointer sized.

Using @Buffer instead of Buffer is a gross error. Don't do that.

David Heffernan
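A correctly typed version of the hook, as an added example that is not code from the question or the answer: the return type is NTSTATUS, Buffer is forwarded as-is, and its contents are read as Length bytes through a PByte view rather than via @Buffer. It assumes Windows and SysUtils are in the uses clause, that Old_ZwWriteFile is filled in by whatever hooking library installs the hook, and that the PIO_* stand-in types are replaced by real NT API translations; SumBytes is a hypothetical audit helper.

```delphi
type
  NTSTATUS = LongInt;   // 32-bit status code; not pointer sized like THandle

  // Minimal stand-in translations (assumption): use a real NT API unit in practice.
  PIO_APC_ROUTINE = Pointer;
  PIO_STATUS_BLOCK = Pointer;

  TNtWriteFile = function(FileHandle: THandle; Event: THandle;
    ApcRoutine: PIO_APC_ROUTINE; ApcContext: Pointer;
    IoStatusBlock: PIO_STATUS_BLOCK; Buffer: Pointer; Length: ULONG;
    ByteOffset: PLargeInteger; Key: PULONG): NTSTATUS; stdcall;

var
  // Assumed to be filled in by whichever hooking library installs the hook.
  Old_ZwWriteFile: TNtWriteFile;

// Hypothetical audit helper: Buffer already points at the caller's data,
// so it is read as Length bytes through a PByte view, never via @Buffer.
function SumBytes(Buffer: Pointer; Length: ULONG): Cardinal;
var
  P: PByte;
  I: ULONG;
begin
  Result := 0;
  if (Buffer = nil) or (Length = 0) then
    Exit;                       // nothing to inspect
  P := PByte(Buffer);
  for I := 0 to Length - 1 do
  begin
    Inc(Result, P^);
    Inc(P);
  end;
end;

function New_ZwWriteFile(FileHandle: THandle; Event: THandle;
  ApcRoutine: PIO_APC_ROUTINE; ApcContext: Pointer;
  IoStatusBlock: PIO_STATUS_BLOCK; Buffer: Pointer; Length: ULONG;
  ByteOffset: PLargeInteger; Key: PULONG): NTSTATUS; stdcall;
begin
  // Inspect the caller's data, then forward it unchanged.
  OutputDebugString(PChar(Format('NtWriteFile handle=%d bytes=%d sum=%d',
    [Int64(FileHandle), Length, SumBytes(Buffer, Length)])));
  // Same Buffer pointer, same Length; the status comes back as a 32-bit NTSTATUS.
  Result := Old_ZwWriteFile(FileHandle, Event, ApcRoutine, ApcContext,
    IoStatusBlock, Buffer, Length, ByteOffset, Key);
end;
```

Note that Length is the only size information available: as the comments say, nothing can be recovered from the bare pointer itself.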