HOOK the ZwDeleteFile is Not Work -> How to?? [펌 www.rohitab.com]

Original Question

Hello guys!!

I'm trying to hook the ZwDeleteFile. I coded a Kernel module and it can hook the ZwDeleteFunction. I see in a "SSDT hook viewer" that the function is hooked correctly, but when I use the DeleteFile API I don't get the "Hello World from a Hooked Function" string in the DebugView

Thanks for posting your code!
The problem doesn't lie with your (Hoglund's) code, as far as I can tell.

Try running your working driver alongside DbgView 4.74, making sure kernel output is captured and with the tool's verbose kernel output option turned on (Capture -> Enable Verbose Kernel Output). Tweaking DbgView worked for me, and I am guessing that you will now see output too.
Seems to be a bug in the dbgv code.

CODE
#include "ntddk.h"

#pragma pack(1)
typedef struct ServiceDescriptorEntry {
        unsigned int *ServiceTableBase;
        unsigned int *ServiceCounterTableBase;
        unsigned int NumberOfServices;
        unsigned char *ParamTableBase;
} ServiceDescriptorTableEntry_t, *PServiceDescriptorTableEntry_t;
#pragma pack()

__declspec(dllimport)  ServiceDescriptorTableEntry_t KeServiceDescriptorTable;
#define SYSTEMSERVICE(_function)  KeServiceDescriptorTable.ServiceTableBase[ *(PULONG)((PUCHAR)_function+1)]

PMDL  g_pmdlSystemCall;
PVOID *MappedSystemCallTable;
#define SYSCALL_INDEX(_Function) *(PULONG)((PUCHAR)_Function+1)
#define HOOK_SYSCALL(_Function, _Hook, _Orig )  \
       _Orig = (PVOID) InterlockedExchange( (PLONG) &MappedSystemCallTable[SYSCALL_INDEX(_Function)], (LONG) _Hook)

#define UNHOOK_SYSCALL(_Function, _Hook, _Orig )  \
       InterlockedExchange( (PLONG) &MappedSystemCallTable[SYSCALL_INDEX(_Function)], (LONG) _Hook)

NTSYSAPI
NTSTATUS
NTAPI ZwDeleteFile(IN POBJECT_ATTRIBUTES  ObjectAttributes);

typedef NTSTATUS (*typeZwDeleteFile)(IN POBJECT_ATTRIBUTES  ObjectAttributes);
typeZwDeleteFile ZwDeleteFileIni;

NTSTATUS ZwDeleteFileRep(IN POBJECT_ATTRIBUTES  ObjectAttributes)
{

   NTSTATUS ntStatus;
   ANSI_STRING strf;

   DbgPrint("Hello World from a Hooked Function");
   ntStatus = ((typeZwDeleteFile)(ZwDeleteFileIni)) (ObjectAttributes);
   if (ntStatus!=STATUS_SUCCESS) return ntStatus;

   RtlUnicodeStringToAnsiString(&strf,ObjectAttributes->ObjectName,TRUE);
   DbgPrint(strf.Buffer);

   return ntStatus;
}

VOID OnUnload(IN PDRIVER_OBJECT DriverObject)
{
   DbgPrint("Driver Unloaded");

   UNHOOK_SYSCALL(ZwDeleteFile, ZwDeleteFileIni, ZwDeleteFileRep);

   if(g_pmdlSystemCall)
   {
      MmUnmapLockedPages(MappedSystemCallTable, g_pmdlSystemCall);
      IoFreeMdl(g_pmdlSystemCall);
   }
}

NTSTATUS DriverEntry(IN PDRIVER_OBJECT theDriverObject, IN PUNICODE_STRING theRegistryPath)
{

   theDriverObject->DriverUnload  = OnUnload;

    DbgPrint("Driver Loaded");

   ZwDeleteFileIni =(typeZwDeleteFile)(SYSTEMSERVICE(ZwDeleteFile));

   DbgPrint("Old Address: 0x%x", ZwDeleteFileIni);
   DbgPrint("Hook Address: 0x%x", ZwDeleteFileRep);

   g_pmdlSystemCall = MmCreateMdl(NULL, KeServiceDescriptorTable.ServiceTableBase, KeServiceDescriptorTable.NumberOfServices*4);
   if(!g_pmdlSystemCall)
      return STATUS_UNSUCCESSFUL;

   MmBuildMdlForNonPagedPool(g_pmdlSystemCall);

   g_pmdlSystemCall->MdlFlags =
                        g_pmdlSystemCall->MdlFlags | MDL_MAPPED_TO_SYSTEM_VA;

   MappedSystemCallTable = MmMapLockedPages(g_pmdlSystemCall, KernelMode);

   HOOK_SYSCALL(ZwDeleteFile, ZwDeleteFileRep, ZwDeleteFileIni);

   return STATUS_SUCCESS;

}

Can anyone help me?

The Answer

Well, I found the problem many days ago, the problem was that the API ZwDeleteFile is only in the NT Windows (is a new API) and the programs that use the DeleteFile API don't call the ZwDeleteFile API, they call the ZwOpenFile and ZwSetInformationFile API. Now I try to hook the ZwOpenFile with this code and it work perfectly. The problem are solved