Closed GuBuChang closed 4 months ago
In your screenshot, file access doesn't go through kernel32.CreateFileW; kernelbase.CreateFileW is called directly.
Try hooking kernelbase.CreateFileW directly, like this:
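```cpp
// Resolve CreateFileW from kernelbase.dll rather than kernel32.dll.
HMODULE kernelBaseModule = GetModuleHandleW(L"kernelbase.dll");
void* pCreateFileW = (void*)GetProcAddress(kernelBaseModule, "CreateFileW");
// Hook the kernelbase export instead of the kernel32 one.
SetHook(pCreateFileW, (void*)CreateFileW_Hook, (void**)&CreateFileW_Original);
```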
Thank you very much. Let me have a try.
Thanks very much, that can work.
I use the global inject demo and want to hook some functions, such as CreateFile. I execute cl.exe to compile a test file, test.cpp. When cl.exe runs, it must open the test.cpp file with CreateFile. ProcessMonitor can indicate it.
But the global inject demo cannot hook this function.
I added a hook function like MessageBoxHook. You can see from my execution screenshot that the CreateFile hook I added succeeds, because I create a named pipeline func, but I cannot hook CreateFile in the read test.cpp file operation.
I made the same test, but cannot fix this issue. Please help me.