;-----------------------------------------------------------------------
; Inline_NtQueryDirectoryFile_New
; Replacement routine for NtQueryDirectoryFile's entry point.
; It declares the same 11 parameters as the original API (untyped, so
; each is a DWORD in 32-bit code) and forwards them unchanged: the
; arguments are re-pushed right-to-left (stdcall order) and the hook
; zone is called, which continues in the original function.
; In:    FileHandle .. RestartScan, as on the PROC line
; Out:   eax = whatever the original function returns (NTSTATUS)
; Clobb: whatever the original function clobbers; nothing is saved here
; NOTE(review): the 11 pushed copies are only removed if the callee really
;   is stdcall (its own "ret 2Ch"); confirm, otherwise esp drifts.
; NOTE(review): the bare "ret" is expanded by MASM's default epilogue
;   (PROLOGUEDEF/EPILOGUEDEF are in force for this proc); the .MODEL that
;   decides the exact frame/ret form is not shown on this page.
; No argument is validated on the way through - every value reaches the
;   original function exactly as the caller supplied it.
;-----------------------------------------------------------------------
Inline_NtQueryDirectoryFile_New proc FileHandle,Event,ApcRoutine,ApcContext,IoStatusBlock,FileInformation,FileInformationLength,FileInformationClass,ReturnSingleEntry,FileName,RestartScan
push RestartScan                      ; last argument is pushed first
push FileName
push ReturnSingleEntry
push FileInformationClass
push FileInformationLength
push FileInformation
push IoStatusBlock
push ApcContext
push ApcRoutine
push Event
push FileHandle                       ; first argument is pushed last
call Inline_NtQueryDirectoryFile_HookZone ; into the original code via the trampoline
ret                                   ; default epilogue is generated here
Inline_NtQueryDirectoryFile_New endp
OPTION PROLOGUE:NONE                  ; no frame: the bytes below must be the
OPTION EPILOGUE:NONE                  ;   very first thing executed on entry
;-----------------------------------------------------------------------
; Inline_NtQueryDirectoryFile_HookZone - trampoline
; Ten NOP bytes followed by a jump to NtQueryDirectoryFile_JmpBack.
; NOTE(review): the NOP pad is presumably replaced at run time by the
;   instructions displaced from the hooked entry (not shown on this page);
;   if so, the pad must be at least as long as those instructions and must
;   not split one - confirm against the code that fills it.
; NOTE(review): NtQueryDirectoryFile_JmpBack is not defined on this page.
;   If it is a DWORD variable, MASM encodes "jmp NtQueryDirectoryFile_JmpBack"
;   as an indirect jump through memory; if it is a code label, as a direct
;   jump. Confirm which one was intended.
;-----------------------------------------------------------------------
Inline_NtQueryDirectoryFile_HookZone proc
db 10 dup (90h)                       ; 10 x NOP placeholder
jmp NtQueryDirectoryFile_JmpBack      ; continue in the original function
Inline_NtQueryDirectoryFile_HookZone endp
OPTION PROLOGUE:PROLOGUEDEF           ; restore default frame generation
OPTION EPILOGUE:EPILOGUEDEF
As you can see above,
I push some args and call Inline_NtQueryDirectoryFile_HookZone.
Is there a way to use INVOKE instead?
regards.
If you want to hide a system folder (C example here (http://stackoverflow.com/questions/14036164/how-to-hide-folder-using-ntquerydirectoryfile-function-hook)), why programmatically? You can do that easily in Explorer, just right-click on the folder and check the "hidden" box...
Thanks jj, I know a macro could implement it, but I have never written macros and don't know how to do it...
you need a PROTOtype to use INVOKE
we usually place them very near the beginning of source, perhaps in an INClude file
but, here is a simple example...
;assemble as a console app
;###############################################################################################
.XCREF                                ; suppress the cross-reference listing
.NoList                               ; don't list the (large) include file
INCLUDE \Masm32\Include\Masm32rt.inc  ; MASM32 runtime: print/inkey/ExitProcess etc.
.List
;###############################################################################################
GetStrLen PROTO :LPSTR                ; prototype so INVOKE can check the argument count/type
;###############################################################################################
.DATA
szSomeStr db 'Some String',0          ; NUL-terminated test string (11 bytes before the NUL)
;***********************************************************************************************
.DATA?                                ; uninitialised data (empty in this example)
;###############################################################################################
.CODE
;***********************************************************************************************
;-----------------------------------------------------------------------
; _main - entry point: print the length of szSomeStr, wait for a key, exit
; Out:   process exit code 0
;-----------------------------------------------------------------------
_main PROC
    invoke  GetStrLen, addr szSomeStr ; eax = 11
    print   ustr$(eax), 13, 10        ; unsigned decimal, then CR/LF
    inkey                             ; wait for a key press
    invoke  ExitProcess, 0
_main ENDP
;***********************************************************************************************
;-----------------------------------------------------------------------
; DWORD GetStrLen(LPSTR lpszString)            - stdcall
; Scan for the terminating NUL and return the number of bytes before it.
; In:    lpszString = pointer to a NUL-terminated string (must not be NULL)
; Out:   eax = length in bytes, not counting the terminator
; Clobb: ecx, flags   (edi is saved/restored by USES)
; Assumes DF = 0 on entry, as the Win32 ABI guarantees.
;-----------------------------------------------------------------------
GetStrLen PROC USES EDI lpszString:LPSTR
    mov     edi, lpszString           ; edi -> first byte
    xor     eax, eax                  ; al = 0, the byte scasb looks for
    mov     ecx, -1                   ; "unlimited" count
    repne   scasb                     ; stops after the NUL; ecx = -(len+2)
    not     ecx                       ; ecx = len + 1
    lea     eax, [ecx - 1]            ; eax = len
    ret
GetStrLen ENDP
;###############################################################################################
END _main                             ; _main is the program entry point
Quote from: dedndave on August 30, 2013, 10:21:23 PM
you need a PROTOtype to use INVOKE
we usually place them very near the beginning of source, perhaps in an INClude file
but, here is a simple example...
;assemble as a console app
;###############################################################################################
.XCREF                                ; suppress the cross-reference listing
.NoList                               ; don't list the (large) include file
INCLUDE \Masm32\Include\Masm32rt.inc  ; MASM32 runtime: print/inkey/ExitProcess etc.
.List
;###############################################################################################
GetStrLen PROTO :LPSTR                ; prototype so INVOKE can check the argument count/type
;###############################################################################################
.DATA
szSomeStr db 'Some String',0          ; NUL-terminated test string (11 bytes before the NUL)
;***********************************************************************************************
.DATA?                                ; uninitialised data (empty in this example)
;###############################################################################################
.CODE
;***********************************************************************************************
;-----------------------------------------------------------------------
; _main - entry point: print the length of szSomeStr, wait for a key, exit
; Out:   process exit code 0
;-----------------------------------------------------------------------
_main PROC
    invoke  GetStrLen, addr szSomeStr ; eax = 11
    print   ustr$(eax), 13, 10        ; unsigned decimal, then CR/LF
    inkey                             ; wait for a key press
    invoke  ExitProcess, 0
_main ENDP
;***********************************************************************************************
;-----------------------------------------------------------------------
; DWORD GetStrLen(LPSTR lpszString)            - stdcall
; Scan for the terminating NUL and return the number of bytes before it.
; In:    lpszString = pointer to a NUL-terminated string (must not be NULL)
; Out:   eax = length in bytes, not counting the terminator
; Clobb: ecx, flags   (edi is saved/restored by USES)
; Assumes DF = 0 on entry, as the Win32 ABI guarantees.
;-----------------------------------------------------------------------
GetStrLen PROC USES EDI lpszString:LPSTR
    mov     edi, lpszString           ; edi -> first byte
    xor     eax, eax                  ; al = 0, the byte scasb looks for
    mov     ecx, -1                   ; "unlimited" count
    repne   scasb                     ; stops after the NUL; ecx = -(len+2)
    not     ecx                       ; ecx = len + 1
    lea     eax, [ecx - 1]            ; eax = len
    ret
GetStrLen ENDP
;###############################################################################################
END _main                             ; _main is the program entry point
Thanks, I know I must have a prototype for INVOKE, but what I need is to invoke a 'label', not a proc.
For example, in C we can:
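/* Function-pointer type with NtQueryDirectoryFile's 11 parameters.
 * NOTE(review): no calling-convention specifier is given here; the SDK
 * declares the real API with NTAPI (stdcall on x86). If this file is
 * compiled with a cdecl default, a call through this pointer leaves the
 * stack unbalanced on 32-bit builds - confirm against the real header. */
typedef NTSTATUS (*NtQueryDirectoryFile)(
    IN HANDLE FileHandle,
    IN HANDLE Event OPTIONAL,
    IN PIO_APC_ROUTINE ApcRoutine OPTIONAL,
    IN PVOID ApcContext OPTIONAL,
    OUT PIO_STATUS_BLOCK IoStatusBlock,
    OUT PVOID FileInformation,
    IN ULONG Length,
    IN FILE_INFORMATION_CLASS FileInformationClass,
    IN BOOLEAN ReturnSingleEntry,
    IN PUNICODE_STRING FileName OPTIONAL,
    IN BOOLEAN RestartScan
);

/* Reinterpret the hook zone's address as a function of that type and call
 * it with the caller's arguments passed through unmodified.
 * (status, NtQueryDirectoryFileHookZone and the argument variables are
 * declared elsewhere; the stray "\" line continuation after FileHandle in
 * the original was harmless but is dropped here.) */
NtQueryDirectoryFile OldNtQueryDirectoryFile;
OldNtQueryDirectoryFile = (NtQueryDirectoryFile)NtQueryDirectoryFileHookZone;
status = OldNtQueryDirectoryFile(FileHandle,
                                 Event,
                                 ApcRoutine,
                                 ApcContext,
                                 IoStatusBlock,
                                 FileInformation,
                                 FileInformationLength,
                                 FileInformationClass,
                                 ReturnSingleEntry,
                                 FileName,
                                 RestartScan);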
OldNtQueryDirectoryFile is a DWORD holding a saved address. How can I do this in asm using INVOKE or a macro?
I got this method from qWord (forum member).
lpfnGetStrLen is now a variable of the type PGETSTRLEN that can be directly INVOKE'd
you could create a half dozen or so and reuse the types
so, you'd have types with 1, 2, 3, 4, 5, 6 parms, etc
;assemble as a console app
;###############################################################################################
.XCREF                                ; suppress the cross-reference listing
.NoList                               ; don't list the (large) include file
INCLUDE \Masm32\Include\Masm32rt.inc  ; MASM32 runtime: print/inkey/ExitProcess etc.
.List
;###############################################################################################
GETSTRLEN TYPEDEF PROTO :LPSTR        ; function type: one LPSTR parameter
PGETSTRLEN TYPEDEF Ptr GETSTRLEN      ; pointer to that function type; INVOKE can call through it
;###############################################################################################
.DATA
ALIGN 4                               ; keep the pointer naturally aligned
lpfnGetStrLen PGETSTRLEN GetStrLen    ; statically initialised with GetStrLen's address
                                      ; NOTE(review): this pointer sits in writable .DATA. If it
                                      ;   never changes after assembly, a read-only section
                                      ;   (.CONST) is the safer home, so a stray write cannot
                                      ;   redirect the INVOKE. Keep it in .DATA only if it is
                                      ;   meant to be re-pointed at run time.
szSomeStr db 'Some String',0          ; NUL-terminated test string (11 bytes before the NUL)
;***********************************************************************************************
.DATA?                                ; uninitialised data (empty in this example)
;###############################################################################################
.CODE
;***********************************************************************************************
;-----------------------------------------------------------------------
; _main - entry point: call GetStrLen through the lpfnGetStrLen pointer,
;         print the result, wait for a key, exit
; Out:   process exit code 0
;-----------------------------------------------------------------------
_main PROC
    invoke  lpfnGetStrLen, addr szSomeStr ; indirect call; eax = 11
    print   ustr$(eax), 13, 10            ; unsigned decimal, then CR/LF
    inkey                                 ; wait for a key press
    invoke  ExitProcess, 0
_main ENDP
;***********************************************************************************************
;-----------------------------------------------------------------------
; DWORD GetStrLen(LPSTR lpszString)            - stdcall
; Scan for the terminating NUL and return the number of bytes before it.
; In:    lpszString = pointer to a NUL-terminated string (must not be NULL)
; Out:   eax = length in bytes, not counting the terminator
; Clobb: ecx, flags   (edi is saved/restored by USES)
; Assumes DF = 0 on entry, as the Win32 ABI guarantees.
;-----------------------------------------------------------------------
GetStrLen PROC USES EDI lpszString:LPSTR
    mov     edi, lpszString           ; edi -> first byte
    xor     eax, eax                  ; al = 0, the byte scasb looks for
    mov     ecx, -1                   ; "unlimited" count
    repne   scasb                     ; stops after the NUL; ecx = -(len+2)
    not     ecx                       ; ecx = len + 1
    lea     eax, [ecx - 1]            ; eax = len
    ret
GetStrLen ENDP
;###############################################################################################
END _main                             ; _main is the program entry point
Quote from: dedndave on August 30, 2013, 11:30:10 PM
I got this method from qWord (forum member).
lpfnGetStrLen is now a variable of the type PGETSTRLEN that can be directly INVOKE'd
you could create a half dozen or so and reuse the types
so, you'd have types with 1, 2, 3, 4, 5, 6 parms, etc
;assemble as a console app
;###############################################################################################
.XCREF                                ; suppress the cross-reference listing
.NoList                               ; don't list the (large) include file
INCLUDE \Masm32\Include\Masm32rt.inc  ; MASM32 runtime: print/inkey/ExitProcess etc.
.List
;###############################################################################################
GETSTRLEN TYPEDEF PROTO :LPSTR        ; function type: one LPSTR parameter
PGETSTRLEN TYPEDEF Ptr GETSTRLEN      ; pointer to that function type; INVOKE can call through it
;###############################################################################################
.DATA
ALIGN 4                               ; keep the pointer naturally aligned
lpfnGetStrLen PGETSTRLEN GetStrLen    ; statically initialised with GetStrLen's address
                                      ; NOTE(review): this pointer sits in writable .DATA. If it
                                      ;   never changes after assembly, a read-only section
                                      ;   (.CONST) is the safer home, so a stray write cannot
                                      ;   redirect the INVOKE. Keep it in .DATA only if it is
                                      ;   meant to be re-pointed at run time.
szSomeStr db 'Some String',0          ; NUL-terminated test string (11 bytes before the NUL)
;***********************************************************************************************
.DATA?                                ; uninitialised data (empty in this example)
;###############################################################################################
.CODE
;***********************************************************************************************
;-----------------------------------------------------------------------
; _main - entry point: call GetStrLen through the lpfnGetStrLen pointer,
;         print the result, wait for a key, exit
; Out:   process exit code 0
;-----------------------------------------------------------------------
_main PROC
    invoke  lpfnGetStrLen, addr szSomeStr ; indirect call; eax = 11
    print   ustr$(eax), 13, 10            ; unsigned decimal, then CR/LF
    inkey                                 ; wait for a key press
    invoke  ExitProcess, 0
_main ENDP
;***********************************************************************************************
;-----------------------------------------------------------------------
; DWORD GetStrLen(LPSTR lpszString)            - stdcall
; Scan for the terminating NUL and return the number of bytes before it.
; In:    lpszString = pointer to a NUL-terminated string (must not be NULL)
; Out:   eax = length in bytes, not counting the terminator
; Clobb: ecx, flags   (edi is saved/restored by USES)
; Assumes DF = 0 on entry, as the Win32 ABI guarantees.
;-----------------------------------------------------------------------
GetStrLen PROC USES EDI lpszString:LPSTR
    mov     edi, lpszString           ; edi -> first byte
    xor     eax, eax                  ; al = 0, the byte scasb looks for
    mov     ecx, -1                   ; "unlimited" count
    repne   scasb                     ; stops after the NUL; ecx = -(len+2)
    not     ecx                       ; ecx = len + 1
    lea     eax, [ecx - 1]            ; eax = len
    ret
GetStrLen ENDP
;###############################################################################################
END _main                             ; _main is the program entry point
That's great! Thanks! Using this method, I did it! :greenclp:
; Function type with NtQueryDirectoryFile's 11 parameters, all declared :dword
; (each occupies one 32-bit stack slot, including the two BOOLEANs).
; NOTE(review): the calling convention comes from the .MODEL in effect, which is
;   not shown on this page - it must be stdcall for the callee to remove the 11 slots.
_NtQueryDirectoryFile typedef proto :dword,:dword,:dword,:dword,:dword,:dword,:dword,:dword,:dword,:dword,:dword
PNtQueryDirectoryFile TYPEDEF Ptr _NtQueryDirectoryFile ; pointer type that INVOKE can call through
Inline_NtQueryDirectoryFile_New proc FileHandle,Event,ApcRoutine,ApcContext,IoStatusBlock,FileInformation,FileInformationLength,FileInformationClass,ReturnSingleEntry,FileName,RestartScan
LOCAL @status ,@name_offset,@name_size_offset ,@curr ,@prev
LOCAL @oldFunc:PNtQueryDirectoryFile
mov @oldFunc,Inline_NtQueryDirectoryFile_HookZone
invoke @oldFunc,FileHandle,Event,ApcRoutine,ApcContext,IoStatusBlock,FileInformation,FileInformationLength,FileInformationClass,ReturnSingleEntry,FileName,RestartScan