Email Password Remember me?  Lost your password?

• Download demo project - 55.3 Kb
• Download source - 74 Kb

Introduction

API calls interception is the task that allows to get access to some parts of other's programs. Lots of programmers spend time on developing and describing various methods which allow that access. Such methods are used in many anti-viruses and anti-spyware. Besides, sometimes, intercepting can help you to find errors in your application. However, it is not a secret that some viruses use it too. I spent much time to find and understand the technique of interception. I would like to describe here the results of my research.

Method description

First of all, you need to read the following article to understand the basics of the interception mechanism: HookSys (written by Ivo Ivanov). It was very helpful for me, and I used the sample code from it. However, it does not solve all my problems because Ivo's samples sometimes miss very important API calls. It happens when the application starts up too fast and the intercepting service has no time to inject the DLL. After some research, I found the actual problem, and it was related to using the kernel mode function, SetCreateProcessNotificationRoutine. This function is used to receive notification events about any new process creation. Such a notification is often fired when the process has already been started. Therefore, I needed to find a way to improve Ivo's code.

As far as I know, the execution of all Windows processes consists of the following steps:

• initial process loading;
• creating the main thread for the process in the suspended state;
• mapping of the NT.DLL into the address space of the process;
• mapping all needed DLLs, and calling their DllMain with the DLL_PROCESS_ATTACH reason;
• resuming the main process' thread.

The step right before the main thread resuming looks like the most comfortable for injection because the process is in suspended state and none of its instructions have been executed yet.

Most of the work on the process creation is done in the kernel mode, so to change this algorithm, you need to intercept the kernel mode functions NtCreateProcess() and NtCreateThread(). The CONTEXT structure, the pointer to which is passed to the function NtCreateThread(), contains a member called EAX. I found that it equals to the process' start address in user mode, so if you can change it, then you can get the control right after process creation and before starting. To solve this task, I wrote a kernel mode driver. It starts while the system starts up.

There are some initialization steps:

1. starting;
2. receiving configuration from the user mode;
3. intercepting kernel mode functions such as: NtCreateProcess(), NtCreateThread(), NtTerminateProcess(), NewNtCreateProcessEx() - for Windows 2003 Server.

A handler to the NtCreateThread() function contains code that will do most of the interesting jobs. Here is a brief description of its algorithm:

1. allow access to the creating process by calling ObReferenceObjectByHandle();
2. remember the main thread start address (ThreadContext->EAX);
3. "jump" to the context of the creating process by calling KeAttachProcess();
4. allocate memory for my code by calling ZwAllocateVirtualMemory(), similar to the well known technique for CreateRemoteThread() in user mode;
5. copy the small code to the allocated memory that will load my DLL. This code looks like:

   push pszDllName
   mov  ebx, LoadLibraryAddr
   call [ebx]
   mov  eax, Win32StartAddr
   push eax
   ret
   pszDllName: db 'example.dll';

6. "jump" to the initial process;
7. change the thread start address (ThreadContext->EAX) so it will point to the allocated memory.

That is all. You can download and compile the complete source code for this article. Note: the sample is fully functional and quite enough for basic understanding, but for real usage, it might be rewritten.

Compiling the code

You need the NTDDK to be installed on your computer. I'm using MSVS 6.0 for compiling NtProcDrv, and MSVS 7.1 for the rest of the projects.

History

• 2006-03-06 - Submitted.
• 2006-05-31 - Source codes and binaries are updated.

You must Sign In to use this message board.

Per page 102550

FirstPrevNext

Problem in Release Build noumantariq 0:49 29 Oct '09   Hi, I checked out your demo and it works fine. I downloaded the code and it turned out that When I compile the source in Debug Mode, it works fine. But when I make a release build and try running HookDemo.exe, it just pops a cmd screen and shuts down. If I then go to cmd and ask "sc query ntprocdrv", it shows that the service was created, current status is STOPPED and WIN32_EXIT_CODE is 127. Turns out the error 127 is "ERROR_PROC_NOT_FOUND". No immediate reasons for this come to mind. I may be missing something very basic but I'd appreciate if you could shed some light on why I may be getting this Error?? P.S. I placed the tunew20.dll in windows\system32 and it also has a copy in the same folder as HookDemo. Though that didn't make any difference in Debug build because it worked fine, I just though I'd state it just to be clear. Thanx, Numan Sign In·View Thread·PermaLink Correction in assembly code [modified] MattsUserName 16:04 27 Jul '09   The instruction: call [ebx] should actually be call ebx I didn't think about it at first, and just assumed this was correct to do dereference ebx (which are what the the brackets mean "[]") But when doing some testing in a VB6 app using the code bytes, it kept crashing. BTW, if you are curious... I am using the code bytes in VB6 because I am testing out a hook Dll I am creating by hooking NtCreateThread, and then inject my Dll by changing this ThreadContext->Eax register) After my VB6 app kept crashing, I finally realized that when doing: mov ebx, pLoadLib ... that is like saying ebx = pLoadLib. So really ebx is not a pointer to LoadLibrary's address, but is its actual address, so therefore we do NOT want to dereference it with the "[]" Note: The follow are just some assembly tips, if you are new to it (like me :P) If you are an assembly noob like me, then Visual Studio is your friend (I used VS2005) You can use its debugger window (Hotkey = Alt+6, when in Debug mode) to translate C++ assembly instructions to its equivalent in assembly, and also its code bytes. Example of using VS to translate these instructions to Asm code and Bytes: _asm{ push 0x10000000 mov ebx, 0x2000000 call ebx mov eax, 0x3000000 push eax ret } 1. Set a break point on the first instruction (or before it starts executing, to prevent any crashing) 2. Run app in debug mode (F5) 3. Open up the Disassembly window tab using the hotkey: Alt+8 4. Right click --> Check: Show Code Bytes Note: The underscore "_" is required on the "asm" keyword. A double underscore also works "__" but it seems to do the same thing. Now it shows the current addresses there this data currently has been placed in memory, the original source code, the assembly equivalent, and the hex byte values(AKA opcodes) that those instructions translate to Visual studio can also do the reverse and take byte codes and translate them to assembly instructions (This trick was a little harder to find) To do so you have to use the _emit (Technically the keyword is called "_asm _emit") Ex: _asm{ _emit 0xFF _emit 0xD3 } Notice how that translates to "call ebx"... Unfortunately it isn't easy to place these on the same line (well it wasn't easy to figure out at least)... and no semicolons dont work at all. Here is a mov eax, 10000000 instruction: _asm _emit 0xB8 _asm _emit 0x00 _asm _emit 0x00 _asm _emit 0x00 _asm _emit 0x10 Yikes! But here is a way to make it less long for each instruction: #define bt _asm _emit bt 0xB8 bt 0x00 bt 0x00 bt 0x00 bt 0x10 Now you can just use the custom defined "bt" keyword. Yay! Last Tip... To see the bytes in a linear format: (Exactly how they appear in memory) 1. From the Disassembly, under each instruction there is an address to the far left side. - Copy it 2. Open up the memory window: Hotkey = Alt+8 (When in debug mode) 3. Type in 0x (for hex) and then paste in the address. Ex: 0x00411A1E Hopefully this is helpful to someone out there, and also it shows the author and author that that instruction should be: call ebx, not call [ebx] modified on Monday, October 5, 2009 9:28 PM Sign In·View Thread·PermaLink Vista compatibility? Amit Vilas Shinde 2:36 7 Mar '08   Is this driver Vista compatible? I am asking this question because I can not see NtCreateThreadEx hooked. Sign In·View Thread·PermaLink Hi, tezm. I ran into the same question as yours. mybayern1974 23:02 2 Aug '07   Hi, I also ran into the "0x431" problem. Could you please possibly tell me your solution? Thanks in advance! Sign In·View Thread·PermaLink Re: Hi, tezm. I ran into the same question as yours. tezm 7:55 4 Aug '07   It's pretty simple - I've just found the registry hive responsible for services (HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services) and deleted the key matching our kernel-intercepting service (I don't remember it's name, but it's inside the code of NTProcDrv). Then it works totally fine. Sign In·View Thread·PermaLink Re: Hi, tezm. I ran into the same question as yours. mjmim 13:34 10 Oct '08   Hey Guys, I also am receiving the same error . i am trying to understand your solution but can't.... What exactly did you do to solve the problem. Michael Sign In·View Thread·PermaLink Error installing service, how to solve it? tezm 9:29 27 Jul '07   Hi Every time I run your demo, I receive the following error: Cannot create service. ErrorCode = 0x431 I've built the demo from source code (using Visual C++ Express Codename Orcas), both Release and Debug, but the error still appears, every time. I executed the app step by step with VC++ debugger, but it doesn't show me any satisfying results. How do I deal with this problem? Thanks in Advance. Sign In·View Thread·PermaLink Re: Error installing service, how to solve it? tezm 2:28 28 Jul '07   I must have had an error in my Registry - I've removed the wrong entry, and now the app works fine. BTW, did you forget to close a handle to the Service Manager? Sign In·View Thread·PermaLink 2.00/5 I want to support vista O.S., please help me Hsiao, Tsu Tair 17:46 25 Jul '07   I want to modify source code for Vista O.S., a handler to NtCreateThreadEx() function, I don't know the parameter type of this function. Please help me, thanks!!! Sign In·View Thread·PermaLink 1.00/5 Injection works fine, but impossible to subclass using this method? [modified] ehaerim 12:05 5 Jan '07   I've modified the dllhookapi.cpp to see 1) if I can subclass Notepad.exe successfully within DllMain. 2) if I can subclass multiple instances of Notepad.exe successfully. The code works this way: 1) Call EnumProcesses to find out all the running processes. 2) Call Subclass with the process id array obtained above and the name of notepad for subclassing. 3) For each process id, Subclass will call EnumProcessModules and GetModuleFileNameEx to get the full module name and repeat this until we find notepad. 4) Now if we have found notepad, call EnumThreadWindows with current thread id to find out the main window to subclass. Here the problem rises. EnumThreadWindows returns successfully, but EnumThreadWindowsProc NEVER get called. I couldn't understand why. Now I guess it is because somehow the current thread did not create any windows yet. So EnumThreadWindows return TRUE but no EnumThreadWindowsProc call! But then, how can I subclass notepad right after the creation? haerim // dllhookapi.cpp : Defines the entry point for the DLL application. // /////////////////////////////////////////////////////// // Andriy Oriekhov. 2006. Toleron Sofware. // www.toleron.com /////////////////////////////////////////////////////// #include "stdafx.h" #include "windows.h" #include HWND g_hwnd = NULL; BOOL CALLBACK EnumThreadWindowsProc(HWND hwnd, LPARAM lParam); // New & old window procedure of the subclassed window WNDPROC OldProc = NULL; LRESULT CALLBACK NewProc(HWND, UINT, WPARAM, LPARAM); void Subclass(DWORD* paProcess, DWORD nCount, LPCTSTR pName); BOOL WINAPI DllMain(HANDLE hModule, DWORD ul_reason_for_call, LPVOID lpReserved) { switch (ul_reason_for_call) { case DLL_PROCESS_ATTACH: { WriteLogDebug("Before starting process."); // Get the list of process identifiers. DWORD aProcesses[1024], cbNeeded, cProcesses; if (EnumProcesses(aProcesses, sizeof(aProcesses), &cbNeeded) == 0) { DWORD dwErr = GetLastError(); WriteLogDebug("DllMain: dwErr=%d", dwErr); return TRUE; } // Find the matching process and subclass it. cProcesses = cbNeeded / sizeof(DWORD); Subclass(aProcesses, cProcesses, "C:\\Windows\\System32\\notepad.exe"); break; } case DLL_PROCESS_DETACH: { WriteLogDebug("Before ending process."); if (::SetWindowLongPtr(g_hwnd, GWL_WNDPROC, (long)OldProc) == 0) { WriteLogDebug("Failed to unsubclass back from NewProc(0x%X) to OldProc(0x%X)", GetWindowLongPtr(g_hwnd, GWL_WNDPROC), (long)OldProc); } break; }} return TRUE; } void Subclass(DWORD* paProcess, DWORD nCount, LPCTSTR pName) { WriteLogDebug("Subclass: nCount=%d, pName=%s", nCount, pName); char szProcessName[MAX_PATH] = ""; unsigned int i; for (i = 0; i < nCount; i++) { // Get a handle to the process. DWORD dwPID = paProcess[i]; HANDLE hProcess = OpenProcess(PROCESS_QUERY_INFORMATION | PROCESS_VM_READ, FALSE, dwPID); if (NULL == hProcess) { WriteLogDebug("Subclass: dwPID=0x%X(%d), OpenProcess failed!", dwPID, dwPID); CloseHandle(hProcess); continue; } // Get modules for this process DWORD cbNeeded = 0; HMODULE hMod; if (EnumProcessModules(hProcess, &hMod, sizeof(hMod), &cbNeeded) == 0) // { WriteLogDebug("Subclass: hProcess=0x%X, EnumProcessModules failed!", hProcess); continue; } DWORD nModCount = cbNeeded / sizeof(HMODULE); WriteLogDebug("Subclass: nModCount=%d", nModCount); // Get the process name. GetModuleFileNameEx(hProcess, hMod, szProcessName, sizeof(szProcessName)); WriteLogDebug("Subclass: dwPID=0x%X(%u), cbNeeded=%d, %s\n", dwPID, dwPID, cbNeeded, szProcessName); if (strcmpi(szProcessName, pName) != 0) { CloseHandle(hProcess); continue; } /* // Go through with all the windows for the current thread // => There is no windows for dwPID yet. So, EnumWindowsProc will NEVER be called for dwPID. EnumWindows(EnumWindowsProc, (LPARAM)dwPID); */ DWORD dwTID = GetCurrentThreadId(); WriteLogDebug("Subclass: dwTID=0x%X", dwTID); // Now, let's subclass the main window. => This seems not working. See comments below. // The below EnumThreadWindows seems to NEVER call EnumThreadWindowsProc because there is no windows for the current thread created yet. // So, EnumThreadWindows call succeeds returning TRUE but no EnumThreadWindowsProc gets called at all. // Then how can I subclass the main window of this thread? I don't know the answer yet. if (EnumThreadWindows(dwTID, EnumThreadWindowsProc, (LPARAM)dwPID) == 0) { DWORD dwErr = GetLastError(); WriteLogDebug("Subclass: dwTID=0x%X, dwErr=%d, EnumThreadWindows failed!", dwTID, dwErr); CloseHandle(hProcess); continue; } CloseHandle(hProcess); } } BOOL CALLBACK EnumThreadWindowsProc(HWND hwnd, LPARAM lParam) { WriteLogDebug("EnumThreadWindowsProc(0x%X, %d)", hwnd, lParam); // Let's find hwnd's process is the same as DllMain's calling process DWORD dwPID_hwnd = 0, dwTID_hwnd = 0; dwTID_hwnd = GetWindowThreadProcessId(hwnd, &dwPID_hwnd); TCHAR wmfn[MAX_PATH + 1] = {0}; UINT nLen = GetWindowModuleFileName(hwnd, wmfn, MAX_PATH); // Huh, this does not work for other processes, but only for the calling process!!! WriteLogDebug("EnumThreadWindowsProc: hwnd=0x%X, dwPID_hwnd =0x%X(%d), dwTID_hwnd=0x%X(%d)\n" " nLen=%d, wmfn=%s", hwnd, dwPID_hwnd, dwPID_hwnd, dwTID_hwnd, dwTID_hwnd, nLen, wmfn); return TRUE; // // Finally, let's subclass hwnd // WNDPROC OldProc = (WNDPROC)::SetWindowLongPtr(hwnd, GWL_WNDPROC, (long)NewProc); // if (OldProc == 0) // WriteLogDebug("EnumThreadWindowsProc: Failed to subclass hwnd(0x%X)", hwnd); // else // WriteLogDebug("EnumThreadWindowsProc: Succeeded in subclassing hwnd(0x%X)'s OldProc(0x%X) to NewProc(0x%X)", // hwnd, (long)OldProc, (long)NewProc); // // return FALSE; } //------------------------------------------------------------- // NewProc // Notice: - new window procedure for the START button; // - it just swaps the left & right muse clicks; // LRESULT CALLBACK NewProc( HWND hwnd, // handle to window UINT uMsg, // message identifier WPARAM wParam, // first message parameter LPARAM lParam // second message parameter ) { // WriteLogDebug("wParam=%d, lParam)=%d", wParam, lParam); switch (uMsg) { //WM_COMMAND nNotifyCode:0 (Menu) wID:34795 case WM_COMMAND: WriteLogDebug("wParam=%d, lParam, HIWORD(wParam)(nNotifyCode)=%d, LOWORD(lParam)(id)=%d=%d", wParam, lParam, HIWORD(wParam), LOWORD(lParam)); if (HIWORD(wParam) == 0) { // WriteLogDebug("2,HIWORD(wParam)(nNotifyCode)=%d, LOWORD(lParam)(id)=%d", HIWORD(wParam), LOWORD(lParam)); switch(LOWORD(wParam)) { case 34795: // display main dialog ::MessageBox(NULL,"NULL","hStart",MB_OK); return S_OK; case 34796: return S_OK; case 34797: return S_OK; default: break; } } } return CallWindowProc(OldProc,hwnd,uMsg,wParam,lParam); } // Usage //WriteLog("int value=%d \n str value=%s", 19, "test"); #include void inline WriteLog(char *ch, ...) { char buf[1024]; va_list arg_list; va_start( arg_list, ch ); wvsprintf( buf, ch, arg_list ); va_end( arg_list ); FILE *file; file = fopen("dllhookapi.log", "a+"); fprintf(file, "%s", buf); fclose(file); } void inline WriteLogDebug(char *ch, ...) { char buf[1024]; va_list arg_list; va_start( arg_list, ch ); wvsprintf( buf, ch, arg_list ); va_end( arg_list ); OutputDebugString(buf); } -- modified at 17:11 Friday 5th January, 2007 Sign In·View Thread·PermaLink How to inject dll into specific processes, not all the processes? [modified] ehaerim 22:28 30 Dec '06   There is an executable, A.exe. It can be run multiple times resulting in multiple processes shown in TaskManager's process list. I care about those processes created by running A.exe only and need to inject dll into them. No other processes should be injected. The problem is how to filter those processes? Since NewNtCreateThread is given as NTSTATUS NewNtCreateThread( OUT PHANDLE ThreadHandle, IN ACCESS_MASK DesiredAccess, IN POBJECT_ATTRIBUTES ObjectAttributes OPTIONAL, IN HANDLE ProcessHandle, OUT PCLIENT_ID ClientId, IN PCONTEXT ThreadContext, IN PINITIAL_TEB InitialTeb, IN BOOLEAN CreateSuspended); and there is ProcessHandle, somehow we should be able to get necessary information about the current process and filter out unwanted ones. ObjectAttributes parameter is always passed as NULL, so ObjectAttributes->ObjectName can't be used at all. This is the first time in kernel programming, and it is too hard for me to find how. Please someone help me on this. haerim -- modified at 14:07 Sunday 31st December, 2006 Sign In·View Thread·PermaLink Re: How to inject dll into specific processes, not all the processes? ehaerim 11:35 5 Jan '07   The code below works for WinXP or later to find out the name of full process image name. typedef NTSTATUS (*QUERY_INFO_PROCESS) ( __in HANDLE ProcessHandle, __in PROCESSINFOCLASS ProcessInformationClass, __out_bcount(ProcessInformationLength) PVOID ProcessInformation, __in ULONG ProcessInformationLength, __out_opt PULONG ReturnLength ); QUERY_INFO_PROCESS ZwQueryInformationProcess; NTSTATUS GetProcessImageName(PUNICODE_STRING ProcessImageName) { NTSTATUS status; ULONG returnedLength; ULONG bufferLength; PVOID buffer; PUNICODE_STRING imageName; PAGED_CODE(); // this eliminates the possibility of the IDLE Thread/Process if (NULL == ZwQueryInformationProcess) { UNICODE_STRING routineName; RtlInitUnicodeString(&routineName, L"ZwQueryInformationProcess"); ZwQueryInformationProcess = (QUERY_INFO_PROCESS) MmGetSystemRoutineAddress(&routineName); if (NULL == ZwQueryInformationProcess) { DbgPrint("Cannot resolve ZwQueryInformationProcess\n"); } } // // Step one - get the size we need // status = ZwQueryInformationProcess( NtCurrentProcess(), ProcessImageFileName, NULL, // buffer 0, // buffer size &returnedLength); if (STATUS_INFO_LENGTH_MISMATCH != status) { return status; } // // Is the passed-in buffer going to be big enough for us? // This function returns a single contguous buffer model... // bufferLength = returnedLength - sizeof(UNICODE_STRING); if (ProcessImageName->MaximumLength < bufferLength) { ProcessImageName->Length = (USHORT) bufferLength; return STATUS_BUFFER_OVERFLOW; } // // If we get here, the buffer IS going to be big enough for us, so // let's allocate some storage. // buffer = ExAllocatePoolWithTag(PagedPool, returnedLength, 'ipgD'); if (NULL == buffer) { return STATUS_INSUFFICIENT_RESOURCES; } // // Now lets go get the data // status = ZwQueryInformationProcess( NtCurrentProcess(), ProcessImageFileName, buffer, returnedLength, &returnedLength); if (NT_SUCCESS(status)) { // // Ah, we got what we needed // imageName = (PUNICODE_STRING) buffer; RtlCopyUnicodeString(ProcessImageName, imageName); } // // free our buffer // ExFreePool(buffer); // // And tell the caller what happened. // return status; } Sign In·View Thread·PermaLink NewNtTerminateProcess called with NULL as the value of ProcessHandle. Why? ehaerim 21:59 30 Dec '06   The below is log after hooking. As you see, ProcessHandle was 0x240 when it was created by NtCreateProcessEx. But, when it was terminated by NtTerminateProcess it was NULL. Why? and How does the kernel terminate a process with a NULL handle? Can anyone explain? haerim ========= Log by DBGPRINT =================== In DriverEntry Memory for Pool successfully initialized receiving IOCTL_NTPROCDRV_SET_ADDRNFO ok! Trying to hook srvices Setting hook on SSTIndexNtCreateProcess = 0x0000002F Setting hook on SSTIndexNtCreateThread = 0x00000035 Setting hook on SSTIndexNtTerminateProcess = 0x00000101 Setting hook on pfnLoadLibrary = 0x7C80AE4B Setting hook on SSTIndexNtCreateProcessEx = 0x00000030 In NtCreateProcessEx Kernel successfully create NtCreateProcessEx. ----->ProcessHandle = 0x240 Successfully added process handle to Queue ObjectAttributes = 0x00000000Kernel trying to CreateThread(from User Mode) for ProcessHandle = 0x240 Address of LoadLibraryW = 0x7C80AE4B ---------------Memory allocation OK! BaseAddr = 0x80000 ---------------Old EAX Value = 0x0100739d Kernel sucessfully create new thread. ----->ThreadHandle = 0x1fch for ProcessHandle = 0x240 Called NtTerminateProcess, ProcessHandle=0x00000000 Kernel sucessfully terminate Process. ----->ProcessHandle = 0x00000000 Called NtTerminateProcess, ProcessHandle=0x00000000 ObjectAttributes = 0x00000000 Kernel sucessfully create new thread. ----->ThreadHandle = 0x2d4h for ProcessHandle = 0xffffffff ObjectAttributes = 0x00000000 Kernel sucessfully create new thread. ----->ThreadHandle = 0x1e0h for ProcessHandle = 0xffffffff In NtCreateProcessEx Kernel successfully create NtCreateProcessEx. ----->ProcessHandle = 0x14c Successfully added process handle to Queue ObjectAttributes = 0x00000000 Kernel trying to CreateThread(from User Mode) for ProcessHandle = 0x14C Address of LoadLibraryW = 0x7C80AE4B ---------------Memory allocation OK! BaseAddr = 0x130000 ---------------Old EAX Value = 0x004034af Kernel sucessfully create new thread. ----->ThreadHandle = 0x150h for ProcessHandle = 0x14c ObjectAttributes = 0x00000000 Kernel sucessfully create new thread. ----->ThreadHandle = 0x470h for ProcessHandle = 0xffffffff ObjectAttributes = 0x00000000 Kernel sucessfully create new thread. ----->ThreadHandle = 0x470h for ProcessHandle = 0xffffffff Sign In·View Thread·PermaLink Second MessageBox does not show up when process termination but only sound. ehaerim 15:56 2 Dec '06   BOOL WINAPI DllMain( HANDLE hModule, DWORD ul_reason_for_call, LPVOID lpReserved ) { switch (ul_reason_for_call) { case DLL_PROCESS_ATTACH: MessageBox(NULL,"Before starting process.","Hello",0); break; case DLL_PROCESS_DETACH: MessageBox(NULL,"Before ending.","Hello",0); break; } return TRUE; } When a Notepad process is created there certaily a "Hello" messagebox saying "Before starting process." shows up along with a bell sound. I have to press OK to continue. And, when it is terminated, I expected to see another "Hello" messagebox saying "Before ending." along with a bell sound, too. When I close NotePad.exe, however, no messagebox was shown but only a bell sound. Why didn't the second messagebox show up but only a bell sound? How did it disappear without me pressing OK button at all? haerim Sign In·View Thread·PermaLink Re: Second MessageBox does not show up when process termination but only sound. tezm 2:25 28 Jul '07   I have the same problem. Sign In·View Thread·PermaLink VC++ 6.0 Version available? ehaerim 11:52 2 Dec '06   You need the NTDDK to be installed on your computer. I'm using MSVS 6.0 for compiling NtProcDrv, and MSVS 7.1 for the rest of the projects. Sign In·View Thread·PermaLink How to hook multiple instances of Notepad? [modified] ehaerim 16:10 30 Nov '06   I've been playing around with HookInjEx(http://www.codeproject.com/threads/winspy.asp?df=100&forumid=16291&select=1784407&msg=1784407[^]) which worked fine for a single instance of Notepad.exe. However, when I run two Notepad instances, the injection worked for only one instance and not for the other one. Is there any nice and clean way to make hooking work for all the instances? One possible way is to use PsSetCreateProcessNotifyRoutine mentioned in this article. Please provide a good working example if possible. haerim -- modified at 12:37 Friday 1st December, 2006 Sign In·View Thread·PermaLink 5.00/5 Where can I get info about SetCreateProcessNotificationRoutine? [modified] ehaerim 14:42 30 Nov '06   I searched SetCreateProcessNotificationRoutine but failed. Where is that function documented? haerim I found it myself and it was PsSetCreateProcessNotifyRoutine, not SetCreateProcessNotificationRoutine as mentioned in this article. http://msdn.microsoft.com/library/default.asp?url=/library/en-us/Kernel_r/hh/Kernel_r/k108_6ae7797a-ecbe-4665-85d5-e199f13613cd.xml.asp[^] -- modified at 9:47 Friday 1st December, 2006 Sign In·View Thread·PermaLink starting programs by clicking on document icons richardmoss 6:43 15 Nov '06   Hi Andriy, Thanks for this usefull information. I've been trying it since this morning. The hookdemo.exe is running in the background and I get start and end messages for applications. However I encountered some problems with some programs. Excel: Whenever I try to open an Excel document by double-clicking on the file, Excel cannot open the document. It starts with an empty screen. Visual studio: Try to open a *.cs file by double clicking. It shows process start messagebox. Just after this another messagebox pops up saying that it could not find the file. However I didn't click on the first messagebox coming from the hooking dll and theoretically there is no way that the application continues before I press OK on the first messagebox. How does this happen? Adobe Acrobat reader: Open a pdf file by double clicking. Acrobat reader gives a memory error on exit. There seems to be a problem in starting programs with parameters. Do you have any idea? Thanks in advance oky Sign In·View Thread·PermaLink Re: starting programs by clicking on document icons Andriy Oriekhov 1:25 23 Nov '06   I haven't had time for exploring the problem. Try to change MessageBoxes in DLL with some kind of logging. In that case sample code will work fine. Sign In·View Thread·PermaLink How to get the executable name from the created process?? girm 2:41 13 Sep '06   Awesome article !! I am trying to figure out how to adapt it to the "API Hooking revealed" from Mr Ivanov ... and since I am very new to kernel driver programing ... its ... well .. painfull. I need to be able to know the executable name in order to know if I need to inject a dll in it or not. I guess this information is to be grabbed from the process handle ... but since all this is in the driver code all my attemps failed. Could you help me thxs Sign In·View Thread·PermaLink 5.00/5 Re: How to get the executable name from the created process?? Andriy Oriekhov 3:53 14 Sep '06   You can simply do it in DLL. Just get process name (in DllMain) and do nothing if it is not your target. Sign In·View Thread·PermaLink Re: How to get the executable name from the created process?? girm 21:40 24 Oct '06   Thanks for your answer, Yes I did think about doing it in DLLMain (I did it in fact it works fine) But this is not an answer to my original question : I need to know the process name before injecting the dll ... otherwhile it means that I will inject the DLL in any process that starts : and this is what i would like avoid. thanks in advance Marc PS: I've previously forgotten to rate you a deserved 5, now its done , PPS: didn't get notified of your answer by CP, sorry it tooks so much time to post again Sign In·View Thread·PermaLink Re: How to get the executable name from the created process?? Andriy Oriekhov 12:32 25 Oct '06   Unfortunately I don't know the answer and I have no time to find it. Sign In·View Thread·PermaLink Re: How to get the executable name from the created process?? ehaerim 11:32 5 Jan '07   The code below will give you the process name within the NtProcDrv driver. But this will work only on Win XP or later. I haven't found an answer for Win2K. If you have found, let me know. haerim typedef NTSTATUS (*QUERY_INFO_PROCESS) ( __in HANDLE ProcessHandle, __in PROCESSINFOCLASS ProcessInformationClass, __out_bcount(ProcessInformationLength) PVOID ProcessInformation, __in ULONG ProcessInformationLength, __out_opt PULONG ReturnLength ); QUERY_INFO_PROCESS ZwQueryInformationProcess; NTSTATUS GetProcessImageName(PUNICODE_STRING ProcessImageName) { NTSTATUS status; ULONG returnedLength; ULONG bufferLength; PVOID buffer; PUNICODE_STRING imageName; PAGED_CODE(); // this eliminates the possibility of the IDLE Thread/Process if (NULL == ZwQueryInformationProcess) { UNICODE_STRING routineName; RtlInitUnicodeString(&routineName, L"ZwQueryInformationProcess"); ZwQueryInformationProcess = (QUERY_INFO_PROCESS) MmGetSystemRoutineAddress(&routineName); if (NULL == ZwQueryInformationProcess) { DbgPrint("Cannot resolve ZwQueryInformationProcess\n"); } } // // Step one - get the size we need // status = ZwQueryInformationProcess( NtCurrentProcess(), ProcessImageFileName, NULL, // buffer 0, // buffer size &returnedLength); if (STATUS_INFO_LENGTH_MISMATCH != status) { return status; } // // Is the passed-in buffer going to be big enough for us? // This function returns a single contguous buffer model... // bufferLength = returnedLength - sizeof(UNICODE_STRING); if (ProcessImageName->MaximumLength < bufferLength) { ProcessImageName->Length = (USHORT) bufferLength; return STATUS_BUFFER_OVERFLOW; } // // If we get here, the buffer IS going to be big enough for us, so // let's allocate some storage. // buffer = ExAllocatePoolWithTag(PagedPool, returnedLength, 'ipgD'); if (NULL == buffer) { return STATUS_INSUFFICIENT_RESOURCES; } // // Now lets go get the data // status = ZwQueryInformationProcess( NtCurrentProcess(), ProcessImageFileName, buffer, returnedLength, &returnedLength); if (NT_SUCCESS(status)) { // // Ah, we got what we needed // imageName = (PUNICODE_STRING) buffer; RtlCopyUnicodeString(ProcessImageName, imageName); } // // free our buffer // ExFreePool(buffer); // // And tell the caller what happened. // return status; } Sign In·View Thread·PermaLink

Last Visit: 2:36 14 Nov '09     Last Update: 2:36 14 Nov '09 12 Next »