Author Topic: Remove annoying warnings  (Read 233 times)

zwclose7

Remove annoying warnings
« on: March 12, 2016, 06:26:56 pm »
If you download a file from the Internet with Internet Explorer or other Windows-based browsers, and then try to open the downloaded file, you will see a warning message that says the file was downloaded from the Internet. This can be very annoying. How can we remove these warnings?

When you download a file, the browser creates an alternate data stream (ADS) called Zone.Identifier in the downloaded file. When you open the file, the system checks for the ADS. If it exists, the system will show a warning.

What we can do is prevent the browser from creating the ADS, so the system will not show the warning when you open the downloaded file. We can do this by hooking the NtCreateFile function. When the function is called, the hook checks the file name, and if it contains Zone.Identifier, the hook will deny the call, thus preventing the creation of the ADS.

To make this work, the hook DLL needs to be injected into the browser. This can be done using the AppInit_DLLs registry value. It can be found at:

Code:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows

Copy the path of the hook DLL into this value. When a process loads user32.dll, the DLL will be loaded. To enable AppInit_DLLs, the LoadAppInit_DLLs value needs to be set.

Code:
#include <Windows.h>
#include "ntdll.h"
#include "CometHook.h"

// Prototype of the original NtCreateFile, used to call through the hook.
typedef NTSTATUS (NTAPI *pNtCreateFile)(
    PHANDLE FileHandle,
    ACCESS_MASK DesiredAccess,
    POBJECT_ATTRIBUTES ObjectAttributes,
    PIO_STATUS_BLOCK IoStatusBlock,
    PLARGE_INTEGER AllocationSize,
    ULONG FileAttributes,
    ULONG ShareAccess,
    ULONG CreateDisposition,
    ULONG CreateOptions,
    PVOID EaBuffer,
    ULONG EaLength);

// Hook state; OrigFunction holds the pointer to the unhooked NtCreateFile.
COMET_HOOK Hook;

NTSTATUS NTAPI HookNtCreateFile(
    PHANDLE FileHandle,
    ACCESS_MASK DesiredAccess,
    POBJECT_ATTRIBUTES ObjectAttributes,
    PIO_STATUS_BLOCK IoStatusBlock,
    PLARGE_INTEGER AllocationSize,
    ULONG FileAttributes,
    ULONG ShareAccess,
    ULONG CreateDisposition,
    ULONG CreateOptions,
    PVOID EaBuffer,
    ULONG EaLength)
{
    pNtCreateFile fnNtCreateFile=(pNtCreateFile)Hook.OrigFunction;

    // ObjectName is a UNICODE_STRING; wcsstr assumes Buffer is NUL-terminated.
    if(ObjectAttributes)
    {
        if(ObjectAttributes->ObjectName)
        {
            if(ObjectAttributes->ObjectName->Buffer)
            {
                if(wcsstr(ObjectAttributes->ObjectName->Buffer,L"Zone.Identifier"))
                {
                    // Wide-character variant, so the L"" literal builds with or without UNICODE.
                    OutputDebugStringW(L"Zone.Identifier blocked!");
                    return 0xC0000022; // STATUS_ACCESS_DENIED
                }
            }
        }
    }

    // Any other file name: pass the call through unchanged.
    return fnNtCreateFile(FileHandle,DesiredAccess,ObjectAttributes,IoStatusBlock,AllocationSize,FileAttributes,ShareAccess,CreateDisposition,CreateOptions,EaBuffer,EaLength);
}

BOOL WINAPI DllMain(HMODULE hModule,ULONG Reason,PVOID Context)
{
    switch(Reason)
    {
        case DLL_PROCESS_ATTACH:

            // Install the hook when the DLL is loaded into the process.
            CmtInitHook(&Hook,L"ntdll.dll","NtCreateFile",HookNtCreateFile);
            CmtStartHook(&Hook);

            break;

        case DLL_PROCESS_DETACH:

            // Remove the hook when the DLL is unloaded.
            CmtUnhook(&Hook);
            CmtRemoveHook(&Hook);

            break;

        default:
            break;
    }

    return TRUE;
}

References

NTFS streams:
http://blogs.technet.com/b/askcore/archive/2013/03/24/alternate-data-streams-in-ntfs.aspx

AppInit_DLLs:
https://msdn.microsoft.com/en-us/library/windows/desktop/dd744762(v=vs.85).aspx
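
From the defender's side, the AppInit_DLLs mechanism described in the post can be audited from the same registry key. The following is an added example, not part of the original post: it parses `reg query` output collected from a host and reports every AppInit_DLLs entry together with the flags that govern loading. The sample text, the path C:\Tools\hook.dll and the function names are constructed for illustration.

```python
import re

# Constructed `reg query` output for the key named in the post and its
# 32-bit (WOW6432Node) counterpart; not captured from a real host.
SAMPLE = r"""
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows
    AppInit_DLLs    REG_SZ    C:\Tools\hook.dll
    LoadAppInit_DLLs    REG_DWORD    0x1
    RequireSignedAppInit_DLLs    REG_DWORD    0x0

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Windows
    AppInit_DLLs    REG_SZ
    LoadAppInit_DLLs    REG_DWORD    0x0
"""

KEY_SUFFIX = r"\MICROSOFT\WINDOWS NT\CURRENTVERSION\WINDOWS"
VALUE_RE = re.compile(r"^\s+(\S+)\s+(REG_\w+)(?:\s+(.*))?$")

def parse_reg_query(text):
    """Return {key_path: {value_name: data_string}} from `reg query` text."""
    keys, current = {}, None
    for line in text.splitlines():
        if line.startswith("HKEY_"):
            current = keys.setdefault(line.strip(), {})
        elif current is not None:
            m = VALUE_RE.match(line.rstrip())
            if m:
                current[m.group(1)] = (m.group(3) or "").strip()
    return keys

def as_flag(vals, name):
    # Assumption: a missing DWORD is treated as 0 (not set).
    return int(vals.get(name, "0x0"), 16) != 0

def audit_appinit(keys):
    """List every AppInit_DLLs entry found, with the flags that govern loading."""
    findings = []
    for key, vals in keys.items():
        if not key.upper().endswith(KEY_SUFFIX):
            continue
        # AppInit_DLLs holds DLL paths separated by spaces or commas.
        dlls = [d for d in re.split(r"[ ,]+", vals.get("AppInit_DLLs", "")) if d]
        if dlls:
            findings.append({"key": key, "dlls": dlls,
                             "loading_enabled": as_flag(vals, "LoadAppInit_DLLs"),
                             "signed_only": as_flag(vals, "RequireSignedAppInit_DLLs")})
    return findings

if __name__ == "__main__":
    for f in audit_appinit(parse_reg_query(SAMPLE)):
        print(f)
```

A non-empty AppInit_DLLs list with loading enabled means the listed DLLs are loaded into every process that loads user32.dll, so each entry should be traced to a known, approved product.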

 
