A forum for reverse engineering, OS internals and malware analysis 

 #32755  by hackr8
 Wed Mar 27, 2019 8:32 pm
One of my friends and I have been trying to learn more about API calls. At first, we successfully used DeleteFileW to delete files. Then we tried to call CreateFile and WriteFile from kernel32.dll to overwrite a file. We tried for a long time, to no avail. We looked for more information on this topic on websites like the Microsoft page https://docs.microsoft.com/en-us/dotnet ... ndows-apis
and pinvoke.net, but we got confused. Can somebody say how it's done and help us understand it? Thanks in advance.
 #32756  by EP_X0FF
 Thu Mar 28, 2019 4:38 am
It depends on how you open this file with CreateFile, dwDesiredAccess, dwShareMode and dwCreationDisposition parameters. Show your code.
 #32757  by hackr8
 Thu Mar 28, 2019 1:54 pm
Please remember that I want to replace the bytes of the file with null (basically overwrite the file)
I tried the following code with a bit of modification:
Code:
Imports System.IO
Imports System
Imports System.Runtime.InteropServices
Public Class Form
    Private Sub Button1_Click(ByVal sender As Object, ByVal e As System.EventArgs) Handles Button1.Click
        Dim b(*numberofbytestooverwrite) As Byte
        Dim H1 As Microsoft.Win32.SafeHandles.SafeFileHandle = CreateFileW("*filepathhere", "GENERIC_ALL", "FILE_SHARE_READ | FILE_SHARE_WRITE", "NULL", "OPEN_EXISTING", "NULL", "NULL")
        Dim Retval As Boolean = WriteFile(H1, b, *numberofbytestooverwrite, "NULL", "NULL")
    End Sub
    <DllImport("KERNEL32.DLL", EntryPoint:="CreateFileW", SetLastError:=True, CharSet:=CharSet.Unicode, ExactSpelling:=True, CallingConvention:=CallingConvention.StdCall)> _
    Public Shared Function CreateFileW(ByVal name, ByVal dwDesiredAccess, ByVal dwShareMode, ByVal lpSecurityAttributes, ByVal dwCreationDisposition, ByVal dwFlagsAndAttributes, ByVal hTemplateFile) As Microsoft.Win32.SafeHandles.SafeFileHandle
    End Function
    <DllImport("KERNEL32.DLL", EntryPoint:="WriteFile", SetLastError:=True, CharSet:=CharSet.Unicode, ExactSpelling:=True, CallingConvention:=CallingConvention.StdCall)> _
    Public Shared Function WriteFile(ByVal hFile As Microsoft.Win32.SafeHandles.SafeFileHandle, ByVal lpBuffer, ByVal nNumberOfBytesToWrite, ByVal lpNumberOfBytesWritten, ByVal lpOverlapped) As Boolean
    End Function
End Class
 #32758  by EP_X0FF
 Thu Mar 28, 2019 2:12 pm
CreateFileW("*filepathhere", "GENERIC_ALL", "FILE_SHARE_READ | FILE_SHARE_WRITE", "NULL", "OPEN_EXISTING", "NULL", "NULL")

Replace GENERIC_ALL with GENERIC_WRITE
and FILE_SHARE_READ | FILE_SHARE_WRITE with 0.

Or, if you "want to replace the bytes of the file with null (basically overwrite the file)", simply use

CreateFile(FilePath, GENERIC_WRITE, 0, NULL, CREATE_ALWAYS, 0, NULL);

WriteFile is not required because the file will always be recreated with 0 size.
 #32761  by hackr8
 Thu Mar 28, 2019 2:50 pm
It didn't quite work. Am I doing something wrong? Please help.
I tried it like this:
Code:
Imports System.IO
Imports System
Imports System.Runtime.InteropServices
Public Class Form
    Private Sub Button1_Click(ByVal sender As Object, ByVal e As System.EventArgs) Handles Button1.Click
        If CheckBox1.Checked = True Then
            Dim H1 As Microsoft.Win32.SafeHandles.SafeFileHandle = _
                CreateFileW("C:\Users\User\Desktop\dummy.txt", _
                            "GENERIC_WRITE", 0, "NULL", "CREATE_ALWAYS", 0, "NULL")
        End If
    End Sub
    <DllImport("KERNEL32.DLL", EntryPoint:="CreateFileW", SetLastError:=True, CharSet:=CharSet.Unicode, ExactSpelling:=True, CallingConvention:=CallingConvention.StdCall)> _
    Public Shared Function CreateFileW(ByVal name, ByVal dwDesiredAccess, ByVal dwShareMode, ByVal lpSecurityAttributes, ByVal dwCreationDisposition, ByVal dwFlagsAndAttributes, ByVal hTemplateFile) As Microsoft.Win32.SafeHandles.SafeFileHandle
    End Function
End Class
 #32762  by EP_X0FF
 Thu Mar 28, 2019 3:17 pm
Your VB prototypes are wrong I guess.

Try this one (it is also not 100% correct, but enough for example). Set path to your file.
Code:
    ' Every Win32 parameter needs an explicit managed type: DWORD maps to Integer (or UInteger),
    ' pointers and handles (LPSECURITY_ATTRIBUTES, HANDLE) map to IntPtr, LPCWSTR maps to String.
    ' Passing strings such as "GENERIC_WRITE" or "NULL" marshals a pointer to that text, not the constant.
    <DllImport("KERNEL32.DLL", EntryPoint:="CreateFileW", SetLastError:=True, CharSet:=CharSet.Unicode, ExactSpelling:=True, CallingConvention:=CallingConvention.StdCall)>
    Public Shared Function CreateFileW(
                                      ByVal lpFileName As String,
                                      ByVal dwDesiredAccess As Integer,
                                      ByVal dwShareMode As Integer,
                                      ByVal lpSecurityAttributes As IntPtr,
                                      ByVal dwCreationDisposition As Integer,
                                      ByVal dwFlagsAndAttributes As Integer,
                                      ByVal hTemplateFile As IntPtr) As Microsoft.Win32.SafeHandles.SafeFileHandle
    End Function
Code:
        ' Numeric values are the SDK constants: &H40000000 = GENERIC_WRITE, 0 = no sharing, 2 = CREATE_ALWAYS.
        Dim H1 As Microsoft.Win32.SafeHandles.SafeFileHandle =
            CreateFileW("C:\Test\dummy.txt",
            &H40000000,
            0,
            IntPtr.Zero,
            2,
            0,
            IntPtr.Zero)
        ' INVALID_HANDLE_VALUE comes back as an invalid SafeFileHandle; SetLastError:=True lets us read the reason.
        If H1.IsInvalid Then
            Throw New System.ComponentModel.Win32Exception(Marshal.GetLastWin32Error())
        End If
        H1.Close()
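The following is an added example, not code from the thread or from either poster. It puts the two approaches discussed above side by side in VB.NET: the in-place overwrite that hackr8 asked for (GENERIC_WRITE, share mode 0, OPEN_EXISTING, then WriteFile with a buffer of zeros) and the truncation shortcut EP_X0FF suggested (CREATE_ALWAYS with no WriteFile). The P/Invoke declarations use the actual Win32 types, WriteFile's lpNumberOfBytesWritten is a real output parameter, and every failure is turned into a Win32Exception carrying the code from Marshal.GetLastWin32Error. The function names ZeroFillInPlace and Truncate, the 64 KiB chunk size and the path C:\Test\dummy.txt are my assumptions; FILE_ATTRIBUTE_NORMAL is the usual value for dwFlagsAndAttributes on an existing file (0, as in the post above, also works). Compile it as a console application with Option Strict On.

```vb
Option Strict On
Imports System
Imports System.ComponentModel
Imports System.IO
Imports System.Runtime.InteropServices
Imports Microsoft.Win32.SafeHandles

Module OverwriteDemo
    ' Win32 constants, values as defined in the Windows SDK headers.
    Private Const GENERIC_WRITE As UInteger = &H40000000UI
    Private Const CREATE_ALWAYS As UInteger = 2UI
    Private Const OPEN_EXISTING As UInteger = 3UI
    Private Const FILE_ATTRIBUTE_NORMAL As UInteger = &H80UI

    ' HANDLE CreateFileW(LPCWSTR, DWORD, DWORD, LPSECURITY_ATTRIBUTES, DWORD, DWORD, HANDLE)
    ' Pointers and handles are IntPtr; DWORDs are UInteger; the returned HANDLE is wrapped in a SafeFileHandle.
    <DllImport("kernel32.dll", EntryPoint:="CreateFileW", SetLastError:=True, CharSet:=CharSet.Unicode, ExactSpelling:=True)>
    Private Function CreateFileW(
        ByVal lpFileName As String,
        ByVal dwDesiredAccess As UInteger,
        ByVal dwShareMode As UInteger,
        ByVal lpSecurityAttributes As IntPtr,
        ByVal dwCreationDisposition As UInteger,
        ByVal dwFlagsAndAttributes As UInteger,
        ByVal hTemplateFile As IntPtr) As SafeFileHandle
    End Function

    ' BOOL WriteFile(HANDLE, LPCVOID, DWORD, LPDWORD, LPOVERLAPPED)
    ' lpNumberOfBytesWritten is an output DWORD, so it is declared <Out> ByRef; lpOverlapped stays NULL for synchronous I/O.
    <DllImport("kernel32.dll", SetLastError:=True)>
    Private Function WriteFile(
        ByVal hFile As SafeFileHandle,
        ByVal lpBuffer As Byte(),
        ByVal nNumberOfBytesToWrite As UInteger,
        <Out()> ByRef lpNumberOfBytesWritten As UInteger,
        ByVal lpOverlapped As IntPtr) As <MarshalAs(UnmanagedType.Bool)> Boolean
    End Function

    ' Overwrites every byte of an existing file with zeros, keeping its length.
    ' Returns the number of bytes written; throws Win32Exception with the real error code on failure
    ' (e.g. ERROR_SHARING_VIOLATION if another process holds the file open, since dwShareMode is 0).
    Public Function ZeroFillInPlace(ByVal path As String) As Long
        Dim length As Long = New FileInfo(path).Length
        Using h As SafeFileHandle = CreateFileW(path, GENERIC_WRITE, 0UI, IntPtr.Zero,
                                                OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, IntPtr.Zero)
            If h.IsInvalid Then
                Throw New Win32Exception(Marshal.GetLastWin32Error())
            End If
            Dim chunk(65535) As Byte          ' 64 KiB of zeros (a new Byte array is zero-initialised)
            Dim remaining As Long = length
            Dim total As Long = 0
            While remaining > 0
                Dim toWrite As UInteger = CUInt(Math.Min(remaining, CLng(chunk.Length)))
                Dim written As UInteger = 0
                If Not WriteFile(h, chunk, toWrite, written, IntPtr.Zero) Then
                    Throw New Win32Exception(Marshal.GetLastWin32Error())
                End If
                remaining -= written
                total += written
            End While
            Return total
        End Using
    End Function

    ' The CREATE_ALWAYS shortcut: the file is recreated with size 0, so no WriteFile call is needed.
    ' The old contents are released, not overwritten, so this is not equivalent to ZeroFillInPlace.
    Public Sub Truncate(ByVal path As String)
        Using h As SafeFileHandle = CreateFileW(path, GENERIC_WRITE, 0UI, IntPtr.Zero,
                                                CREATE_ALWAYS, FILE_ATTRIBUTE_NORMAL, IntPtr.Zero)
            If h.IsInvalid Then
                Throw New Win32Exception(Marshal.GetLastWin32Error())
            End If
        End Using
    End Sub

    Sub Main()
        Dim target As String = "C:\Test\dummy.txt"   ' assumed path, same as in the thread
        File.WriteAllText(target, "hello world")       ' constructed sample content
        Console.WriteLine("zeroed {0} bytes", ZeroFillInPlace(target))
        Console.WriteLine("length is still {0}", New FileInfo(target).Length)
        Truncate(target)
        Console.WriteLine("length after truncate: {0}", New FileInfo(target).Length)
    End Sub
End Module
```

Which of the two you want depends on the goal. Truncating with CREATE_ALWAYS only sets the end of file to 0 and frees the clusters; the bytes stay on disk until something else reuses them. Overwriting in place with OPEN_EXISTING writes zeros over the file's current allocation, but even that is not a reliable wipe: compressed, sparse or encrypted NTFS files, volume shadow copies and SSD wear levelling can all leave the original data elsewhere.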
 #32764  by EP_X0FF
 Thu Mar 28, 2019 3:31 pm
hackr8 wrote: Thu Mar 28, 2019 3:30 pm
Oh, I see what you did there. I never thought of that.
How does &H40000000 work as an integer, though?
BTW, thanks for the help.

It is the hexadecimal representation of the GENERIC_WRITE constant (0x40000000).
https://docs.microsoft.com/en-us/dotnet ... characters