I'm trying to build a tool that hooks into the Windows Native API and monitors/denies filesystem access by various applications. I am using the easyhook library. I have chosen to only hook the lower level NTAPI functions because I found a lot of programs that call them directly and go completely over the WinApi hook that I previously wrote.
In order to perform its function, my program intercepts the following functions:
NtCreateFile
NtCreateIoCompletion
NtCreateSymbolicLinkObject
NtDeleteFile
NtOpenDirectoryObject
NtOpenFile
NtOpenIoCompletion
NtOpenSymbolicLinkObject
NtQueryAttributesFile
NtQueryFullAttributesFile
I used to think that those are all the functions that actually take paths. The other functions use handles that are generated by the above functions, so there's no need to hook them. The parameter that contains the path is POBJECT_ATTRIBUTES ObjectAttributes. However, I'm pretty sure that I'm missing some functions since there's some uncaught filesystem activity that goes around my hooks. Do you know of any other NtApi functions that take POBJECT_ATTRIBUTES or some other kind of filesystem reference?
I am asking this because I found some other ones like NtCreateProcess and NtCreateSection and I really need to find all of them but don't know where to look and the Nt functions are very badly documented. Thank you.
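An added example (not the asker's code and not part of EasyHook): a portable C helper that pulls the path out of a POBJECT_ATTRIBUTES the way a NtCreateFile/NtOpenFile hook has to, and flags the case a string-matching filter silently misses: RootDirectory set with a relative ObjectName. The struct layouts are re-declared so it builds without the Windows SDK, and the sample paths and stand-in handle are constructed.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Layouts of UNICODE_STRING / OBJECT_ATTRIBUTES re-declared here (WCHAR modelled as
 * uint16_t) so the example builds without the Windows SDK; a real hook includes
 * <winternl.h> and uses the SDK's definitions instead. */
typedef struct { uint16_t Length; uint16_t MaximumLength; uint16_t *Buffer; } UNICODE_STRING;
typedef struct {
    uint32_t Length; void *RootDirectory; UNICODE_STRING *ObjectName;
    uint32_t Attributes; void *SecurityDescriptor; void *SecurityQualityOfService;
} OBJECT_ATTRIBUTES;

typedef enum { PATH_MISSING = 0, PATH_ABSOLUTE = 1, PATH_RELATIVE = 2 } path_kind;

/* Copy ObjectName into out as ASCII (non-ASCII -> '?'). Length is in BYTES and the
 * buffer need not be NUL-terminated, so copying up to a NUL would over-read. */
path_kind extract_nt_path(const OBJECT_ATTRIBUTES *oa, char *out, size_t outsz)
{
    out[0] = '\0';
    if (!oa || !oa->ObjectName || !oa->ObjectName->Buffer)
        return PATH_MISSING;              /* nothing to match a rule against */
    size_t n = oa->ObjectName->Length / sizeof(uint16_t), i;
    for (i = 0; i < n && i + 1 < outsz; i++) {
        uint16_t c = oa->ObjectName->Buffer[i];
        out[i] = c < 0x80 ? (char)c : '?';
    }
    out[i] = '\0';
    /* With RootDirectory set, ObjectName is relative to that handle: a filter that only
     * matches "\??\C:\..." strings never sees the directory part of such an open. */
    return oa->RootDirectory ? PATH_RELATIVE : PATH_ABSOLUTE;
}

/* Build a UNICODE_STRING from an ASCII literal (helper for constructed inputs). */
void make_ustr(UNICODE_STRING *u, uint16_t *buf, const char *s)
{
    size_t n = strlen(s);
    for (size_t i = 0; i < n; i++) buf[i] = (uint16_t)(unsigned char)s[i];
    u->Length = u->MaximumLength = (uint16_t)(n * 2);
    u->Buffer = buf;
}

int main(void)
{
    uint16_t wbuf[64]; char path[260]; UNICODE_STRING name; int fake_handle;
    OBJECT_ATTRIBUTES oa = { sizeof oa, NULL, &name, 0, NULL, NULL };
    make_ustr(&name, wbuf, "\\??\\C:\\Users\\alice\\secret.txt");      /* constructed */
    printf("%d %s\n", extract_nt_path(&oa, path, sizeof path), path);  /* 1 absolute */
    oa.RootDirectory = &fake_handle;  /* stands in for a directory HANDLE */
    make_ustr(&name, wbuf, "secret.txt");
    printf("%d %s\n", extract_nt_path(&oa, path, sizeof path), path);  /* 2 relative */
    return 0;
}
```

A deny rule that compares only the extracted string would let the second open through even though it targets the same file; treat PATH_RELATIVE as "resolve RootDirectory first" rather than "no match".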