CodeProject: Intercepting WinAPI calls. Free source code and programming help

Announcements

	Windows 7 Comp Win a laptop!
	Monthly Competition

Articles

Desktop Development

Web Development

Enterprise Systems

Content Management Server

Microsoft BizTalk Server

SQL Reporting Services

Platforms, Frameworks & Libraries

Windows Communication Foundation

Windows Presentation Foundation

Windows Workflow Foundation

Cryptography & Security

Threads, Processes & IPC

WinHelp / HTMLHelp

Uncategorised Quick Answers

Graphics / Design

Expression

Usability

Development Lifecycle

Debug Tips

Design and Architecture

Uncategorised Technical Blogs

Services

Code-signing Certificates

Job Board

CodeProject VS2008 Addin

Feature Zones

Product Showcase

Code Signing Resources

WhitePapers / Webcasts

ASP.NET Web Hosting

Advanced Search
Add to IE Search

Discuss

Report

27 votes for this article.

Popularity: 6.68 Rating: 4.67 out of 5

Introduction

API calls interception is the task that allows to get access to some parts of other's programs. Lots of programmers spend time on developing and describing various methods which allow that access. Such methods are used in many anti-viruses and anti-spyware. Besides, sometimes, intercepting can help you to find errors in your application. However, it is not a secret that some viruses use it too. I spent much time to find and understand the technique of interception. I would like to describe here the results of my research.

Method description

First of all, you need to read the following article to understand the basics of the interception mechanism: HookSys (written by Ivo Ivanov). It was very helpful for me, and I used the sample code from it. However, it does not solve all my problems because Ivo's samples sometimes miss very important API calls. It happens when the application starts up too fast and the intercepting service has no time to inject the DLL. After some research, I found the actual problem, and it was related to using the kernel mode function, SetCreateProcessNotificationRoutine. This function is used to receive notification events about any new process creation. Such a notification is often fired when the process has already been started. Therefore, I needed to find a way to improve Ivo's code.

As far as I know, the execution of all Windows processes consists of the following steps:

initial process loading;
creating the main thread for the process in the suspended state;
mapping of the NT.DLL into the address space of the process;
mapping all needed DLLs, and calling their DllMain with the DLL_PROCESS_ATTACH reason;
resuming the main process' thread.

The step right before the main thread resuming looks like the most comfortable for injection because the process is in suspended state and none of its instructions have been executed yet.

Most of the work on the process creation is done in the kernel mode, so to change this algorithm, you need to intercept the kernel mode functions NtCreateProcess() and NtCreateThread(). The CONTEXT structure, the pointer to which is passed to the function NtCreateThread(), contains a member called EAX. I found that it equals to the process' start address in user mode, so if you can change it, then you can get the control right after process creation and before starting. To solve this task, I wrote a kernel mode driver. It starts while the system starts up.

There are some initialization steps:

starting;
receiving configuration from the user mode;
intercepting kernel mode functions such as: NtCreateProcess(), NtCreateThread(), NtTerminateProcess(), NewNtCreateProcessEx() - for Windows 2003 Server.

A handler to the NtCreateThread() function contains code that will do most of the interesting jobs. Here is a brief description of its algorithm:

allow access to the creating process by calling ObReferenceObjectByHandle();
remember the main thread start address (ThreadContext->EAX);
"jump" to the context of the creating process by calling KeAttachProcess();
allocate memory for my code by calling ZwAllocateVirtualMemory(), similar to the well known technique for CreateRemoteThread() in user mode;

copy the small code to the allocated memory that will load my DLL. This code looks like:

push pszDllName
mov  ebx, LoadLibraryAddr
call [ebx]
mov  eax, Win32StartAddr
push eax
ret
pszDllName: db 'example.dll';

"jump" to the initial process;
change the thread start address (ThreadContext->EAX) so it will point to the allocated memory.

That is all. You can download and compile the complete source code for this article. Note: the sample is fully functional and quite enough for basic understanding, but for real usage, it might be rewritten.

Compiling the code

You need the NTDDK to be installed on your computer. I'm using MSVS 6.0 for compiling NtProcDrv, and MSVS 7.1 for the rest of the projects.

History

2006-03-06 - Submitted.
2006-05-31 - Source codes and binaries are updated.

License

This article has no explicit license attached to it but may contain usage terms in the article text or the download files themselves. If in doubt please contact the author via the discussion board below.

A list of licenses authors might use can be found here

About the Author

Andriy Oriekhov

Member

Occupation:	Chief Technology Officer
Location:	Ukraine

Other popular Hardware & System articles:

Start Your Windows Programs From An NT Service
Make your MFC, VB and other Windows programs behave like NT services.
Serial library for C++
A high-performance, complete and compact serial library for C++
Driver Development Part 1: Introduction to Drivers
This article will go into the basics of creating a simple driver.
API hooking revealed
The article demonstrates how to build a user mode Win32 API spying system
Eliminating Explorer's delay when deleting an in-use file
How to track down and patch an annoyance in Windows Explorer's code.

Article Top

You must Sign In to use this message board.

FAQ
Noise Tolerance Layout Per page

Msgs 1 to 25 of 42 (Total in Forum: 42) (Refresh)

FirstPrevNext

Problem in Release Build

noumantariq

0:49 29 Oct '09

Hi,

I checked out your demo and it works fine. I downloaded the code and it turned out that When I compile the source in Debug Mode, it works fine. But when I make a release build and try running HookDemo.exe, it just pops a cmd screen and shuts down. If I then go to cmd and ask "sc query ntprocdrv", it shows that the service was created, current status is STOPPED and WIN32_EXIT_CODE is 127. Turns out the error 127 is "ERROR_PROC_NOT_FOUND". No immediate reasons for this come to mind. I may be missing something very basic but I'd appreciate if you could shed some light on why I may be getting this Error??

P.S. I placed the tunew20.dll in windows\system32 and it also has a copy in the same folder as HookDemo. Though that didn't make any difference in Debug build because it worked fine, I just though I'd state it just to be clear.

Thanx,
Numan

Correction in assembly code [modified]

MattsUserName

16:04 27 Jul '09

The instruction:
call [ebx]
should actually be
call ebx

I didn't think about it at first, and just assumed this was correct to do dereference ebx (which are what the the brackets mean "[]")
But when doing some testing in a VB6 app using the code bytes, it kept crashing.

BTW, if you are curious... I am using the code bytes in VB6 because I am testing out a hook Dll I am creating by hooking NtCreateThread, and then inject my Dll by changing this ThreadContext->Eax register)

After my VB6 app kept crashing, I finally realized that when doing: mov ebx, pLoadLib ... that is like saying ebx = pLoadLib. So really ebx is not a pointer to LoadLibrary's address, but is its actual address, so therefore we do NOT want to dereference it with the "[]"

Note: The follow are just some assembly tips, if you are new to it (like me :P)

If you are an assembly noob like me, then Visual Studio is your friend (I used VS2005)
You can use its debugger window (Hotkey = Alt+6, when in Debug mode) to translate C++ assembly instructions to its equivalent in assembly, and also its code bytes.

Example of using VS to translate these instructions to Asm code and Bytes:


_asm{
	push 0x10000000
	mov  ebx, 0x2000000
	call ebx
	mov  eax, 0x3000000
	push eax
	ret
}

1. Set a break point on the first instruction (or before it starts executing, to prevent any crashing)
2. Run app in debug mode (F5)
3. Open up the Disassembly window tab using the hotkey: Alt+8
4. Right click --> Check: Show Code Bytes
Note: The underscore "_" is required on the "asm" keyword. A double underscore also works "__" but it seems to do the same thing.

Now it shows the current addresses there this data currently has been placed in memory, the original source code, the assembly equivalent, and the hex byte values(AKA opcodes) that those instructions translate to

Visual studio can also do the reverse and take byte codes and translate them to assembly instructions (This trick was a little harder to find)
To do so you have to use the _emit (Technically the keyword is called "_asm _emit")
Ex:


_asm{
	_emit 0xFF
	_emit 0xD3
}

Notice how that translates to "call ebx"...

Unfortunately it isn't easy to place these on the same line (well it wasn't easy to figure out at least)... and no semicolons dont work at all.
Here is a mov eax, 10000000 instruction:


_asm _emit 0xB8 _asm _emit 0x00 _asm _emit 0x00 _asm _emit 0x00 _asm _emit 0x10

Yikes!

But here is a way to make it less long for each instruction:


#define bt _asm _emit
bt 0xB8 bt 0x00 bt 0x00 bt 0x00 bt 0x10

Now you can just use the custom defined "bt" keyword.
Yay!

Last Tip...
To see the bytes in a linear format: (Exactly how they appear in memory)
1. From the Disassembly, under each instruction there is an address to the far left side. - Copy it
2. Open up the memory window: Hotkey = Alt+8 (When in debug mode)
3. Type in 0x (for hex) and then paste in the address. Ex: 0x00411A1E

Hopefully this is helpful to someone out there, and also it shows the author and author that that instruction should be:
call ebx, not call [ebx]

modified on Monday, October 5, 2009 9:28 PM

Vista compatibility?

Amit Vilas Shinde

2:36 7 Mar '08

Is this driver Vista compatible? I am asking this question because I can not see NtCreateThreadEx hooked.
Sign In·View Thread·PermaLink

Hi, tezm. I ran into the same question as yours.

mybayern1974

23:02 2 Aug '07

Hi, I also ran into the "0x431" problem. Could you please possibly tell me your solution? Thanks in advance!
Sign In·View Thread·PermaLink

Re: Hi, tezm. I ran into the same question as yours.

tezm

7:55 4 Aug '07

It's pretty simple - I've just found the registry hive responsible for services (HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services) and deleted the key matching our kernel-intercepting service (I don't remember it's name, but it's inside the code of NTProcDrv). Then it works totally fine.
Sign In·View Thread·PermaLink

Re: Hi, tezm. I ran into the same question as yours.

mjmim

13:34 10 Oct '08

Hey Guys, I also am receiving the same error . i am trying to understand your solution but can't.... What exactly did you do to solve the problem. Michael
Sign In·View Thread·PermaLink

Error installing service, how to solve it?

tezm

9:29 27 Jul '07

Hi

Every time I run your demo, I receive the following error:
Cannot create service. ErrorCode = 0x431
I've built the demo from source code (using Visual C++ Express Codename Orcas), both Release and Debug, but the error still appears, every time. I executed the app step by step with VC++ debugger, but it doesn't show me any satisfying results. How do I deal with this problem?

Thanks in Advance.

Re: Error installing service, how to solve it?

tezm

2:28 28 Jul '07

I must have had an error in my Registry - I've removed the wrong entry, and now the app works fine. BTW, did you forget to close a handle to the Service Manager?
Sign In·View Thread·PermaLink	2.00/5 (1 vote)

I want to support vista O.S., please help me

Hsiao, Tsu Tair

17:46 25 Jul '07

I want to modify source code for Vista O.S., a handler to NtCreateThreadEx() function, I don't know the parameter type of this function. Please help me, thanks!!!
Sign In·View Thread·PermaLink	1.00/5 (3 votes)

Injection works fine, but impossible to subclass using this method? [modified]

ehaerim

12:05 5 Jan '07

I've modified the dllhookapi.cpp to see
1) if I can subclass Notepad.exe successfully within DllMain.
2) if I can subclass multiple instances of Notepad.exe successfully.

The code works this way:
1) Call EnumProcesses to find out all the running processes.
2) Call Subclass with the process id array obtained above and the name of notepad for subclassing.
3) For each process id, Subclass will call EnumProcessModules and GetModuleFileNameEx to get the full module name and repeat this until we find notepad.
4) Now if we have found notepad, call EnumThreadWindows with current thread id to find out the main window to subclass.

Here the problem rises. EnumThreadWindows returns successfully, but EnumThreadWindowsProc NEVER get called. I couldn't understand why. Now I guess it is because somehow the current thread did not create any windows yet. So EnumThreadWindows return TRUE but no EnumThreadWindowsProc call!

But then, how can I subclass notepad right after the creation?

haerim


// dllhookapi.cpp : Defines the entry point for the DLL application.
//
///////////////////////////////////////////////////////
// Andriy Oriekhov. 2006. Toleron Sofware.
// www.toleron.com
///////////////////////////////////////////////////////

#include "stdafx.h"
#include "windows.h"

#include 



HWND g_hwnd = NULL;
BOOL CALLBACK EnumThreadWindowsProc(HWND hwnd, LPARAM lParam);
// New & old window procedure of the subclassed window
WNDPROC OldProc = NULL;	
LRESULT CALLBACK NewProc(HWND, UINT, WPARAM, LPARAM);


void Subclass(DWORD* paProcess, DWORD nCount, LPCTSTR pName);


BOOL WINAPI DllMain(HANDLE hModule, DWORD ul_reason_for_call, LPVOID lpReserved)
{
	switch (ul_reason_for_call) {
	case DLL_PROCESS_ATTACH:
	{
		WriteLogDebug("Before starting process.");

		// Get the list of process identifiers.
		DWORD aProcesses[1024], cbNeeded, cProcesses;
		if (EnumProcesses(aProcesses, sizeof(aProcesses), &cbNeeded) == 0)
		{
			DWORD dwErr = GetLastError();
			WriteLogDebug("DllMain: dwErr=%d", dwErr);
			return TRUE;
		}

		// Find the matching process and subclass it.
		cProcesses = cbNeeded / sizeof(DWORD);
		Subclass(aProcesses, cProcesses, "C:\\Windows\\System32\\notepad.exe");

		break;
	}
	case DLL_PROCESS_DETACH:
	{
		WriteLogDebug("Before ending process.");
		if (::SetWindowLongPtr(g_hwnd, GWL_WNDPROC, (long)OldProc) == 0)
		{
			WriteLogDebug("Failed to unsubclass back from NewProc(0x%X) to OldProc(0x%X)", GetWindowLongPtr(g_hwnd, GWL_WNDPROC), (long)OldProc);
		}
		
		break;
	}}

	return TRUE;
}

void Subclass(DWORD* paProcess, DWORD nCount, LPCTSTR pName)
{
	WriteLogDebug("Subclass: nCount=%d, pName=%s", nCount, pName);
	char szProcessName[MAX_PATH] = "";
	
	unsigned int i;
	for (i = 0; i < nCount; i++)
	{
		// Get a handle to the process.
		DWORD dwPID = paProcess[i];
		HANDLE hProcess = OpenProcess(PROCESS_QUERY_INFORMATION | PROCESS_VM_READ, FALSE, dwPID);

		if (NULL == hProcess)
		{
			WriteLogDebug("Subclass: dwPID=0x%X(%d), OpenProcess failed!", dwPID, dwPID);
			CloseHandle(hProcess);
			continue;
		}
		
		// Get modules for this process
		DWORD cbNeeded = 0;
		HMODULE hMod;
		if (EnumProcessModules(hProcess, &hMod, sizeof(hMod), &cbNeeded) == 0)	// 
		{
			WriteLogDebug("Subclass: hProcess=0x%X, EnumProcessModules failed!", hProcess);
			continue;
		}
		DWORD nModCount = cbNeeded / sizeof(HMODULE);
		WriteLogDebug("Subclass: nModCount=%d", nModCount);

		// Get the process name.
		GetModuleFileNameEx(hProcess, hMod, szProcessName, sizeof(szProcessName));
		WriteLogDebug("Subclass: dwPID=0x%X(%u), cbNeeded=%d, %s\n", dwPID, dwPID, cbNeeded, szProcessName);
		if (strcmpi(szProcessName, pName) != 0)
		{
			CloseHandle(hProcess);
			continue;
		}
/*
		// Go through with all the windows for the current thread
		// => There is no windows for dwPID yet. So, EnumWindowsProc will NEVER be called for dwPID.
		EnumWindows(EnumWindowsProc, (LPARAM)dwPID);
*/
		DWORD dwTID = GetCurrentThreadId();
		WriteLogDebug("Subclass: dwTID=0x%X", dwTID);
		// Now, let's subclass the main window. => This seems not working.  See comments below.
		// The below EnumThreadWindows seems to NEVER call EnumThreadWindowsProc because there is no windows for the current thread created yet.
		// So, EnumThreadWindows call succeeds returning TRUE but no EnumThreadWindowsProc gets called at all.
		// Then how can I subclass the main window of this thread?  I don't know the answer yet.
		if (EnumThreadWindows(dwTID, EnumThreadWindowsProc, (LPARAM)dwPID) == 0)
		{
			DWORD dwErr = GetLastError();
			WriteLogDebug("Subclass: dwTID=0x%X, dwErr=%d, EnumThreadWindows failed!", dwTID, dwErr);
			CloseHandle(hProcess);
			continue;
		}

		CloseHandle(hProcess);
	}
}

BOOL CALLBACK EnumThreadWindowsProc(HWND hwnd, LPARAM lParam)
{
	WriteLogDebug("EnumThreadWindowsProc(0x%X, %d)", hwnd, lParam);

	// Let's find hwnd's process is the same as DllMain's calling process
	DWORD dwPID_hwnd = 0, dwTID_hwnd = 0;
	dwTID_hwnd = GetWindowThreadProcessId(hwnd, &dwPID_hwnd);

	TCHAR wmfn[MAX_PATH + 1] = {0};
	UINT nLen = GetWindowModuleFileName(hwnd, wmfn, MAX_PATH);	// Huh, this does not work for other processes, but only for the calling process!!!
	WriteLogDebug("EnumThreadWindowsProc: hwnd=0x%X, dwPID_hwnd =0x%X(%d), dwTID_hwnd=0x%X(%d)\n"
								"                       nLen=%d, wmfn=%s",
																				hwnd,	dwPID_hwnd, dwPID_hwnd, dwTID_hwnd, dwTID_hwnd,
																				nLen, wmfn);
	return TRUE;
//	// Finally, let's subclass hwnd
//	WNDPROC OldProc = (WNDPROC)::SetWindowLongPtr(hwnd, GWL_WNDPROC, (long)NewProc);
//	if (OldProc == 0)
//		WriteLogDebug("EnumThreadWindowsProc: Failed to subclass hwnd(0x%X)", hwnd);
//	else
//		WriteLogDebug("EnumThreadWindowsProc: Succeeded in subclassing hwnd(0x%X)'s OldProc(0x%X) to NewProc(0x%X)",
//									hwnd, (long)OldProc, (long)NewProc);
//
//	return FALSE;
}

//-------------------------------------------------------------
// NewProc
// Notice:	- new window procedure for the START button;
//			- it just swaps the left & right muse clicks;
//	
LRESULT CALLBACK NewProc(
													HWND hwnd,      // handle to window
													UINT uMsg,      // message identifier
													WPARAM wParam,  // first message parameter
													LPARAM lParam   // second message parameter
												)
{
//	WriteLogDebug("wParam=%d, lParam)=%d", wParam, lParam);
	switch (uMsg) 
	{
		//WM_COMMAND nNotifyCode:0 (Menu) wID:34795 
		case WM_COMMAND:
			WriteLogDebug("wParam=%d, lParam, HIWORD(wParam)(nNotifyCode)=%d, LOWORD(lParam)(id)=%d=%d", wParam, lParam, HIWORD(wParam), LOWORD(lParam));
			if (HIWORD(wParam) == 0)
			{
//				WriteLogDebug("2,HIWORD(wParam)(nNotifyCode)=%d, LOWORD(lParam)(id)=%d", HIWORD(wParam), LOWORD(lParam));
				switch(LOWORD(wParam))
				{
				case 34795:
					// display main dialog 
					::MessageBox(NULL,"NULL","hStart",MB_OK);
					return S_OK;
				case 34796:
					return S_OK;
				case 34797:
					return S_OK;
				default:
					break;
				}
			}
	}
	
	return CallWindowProc(OldProc,hwnd,uMsg,wParam,lParam);
}


// Usage
//WriteLog("int value=%d \n str value=%s", 19, "test");
#include 
void inline WriteLog(char *ch, ...)
{
    char buf[1024]; 
    va_list arg_list;
 
    va_start( arg_list, ch );
    wvsprintf( buf, ch, arg_list );
    va_end( arg_list );
 
    FILE *file;
    file = fopen("dllhookapi.log", "a+");
    fprintf(file, "%s", buf);
    fclose(file);
}

void inline WriteLogDebug(char *ch, ...)
{
    char buf[1024]; 
    va_list arg_list;
 
    va_start( arg_list, ch );
    wvsprintf( buf, ch, arg_list );
    va_end( arg_list );
 
		OutputDebugString(buf);
}

-- modified at 17:11 Friday 5th January, 2007

How to inject dll into specific processes, not all the processes? [modified]

ehaerim

22:28 30 Dec '06

There is an executable, A.exe. It can be run multiple times resulting in multiple processes shown in TaskManager's process list.

I care about those processes created by running A.exe only and need to inject dll into them. No other processes should be injected.

The problem is how to filter those processes?

Since NewNtCreateThread is given as

NTSTATUS NewNtCreateThread(
    OUT PHANDLE ThreadHandle,
    IN ACCESS_MASK DesiredAccess,
    IN POBJECT_ATTRIBUTES ObjectAttributes OPTIONAL,
    IN HANDLE ProcessHandle,
    OUT PCLIENT_ID ClientId,
    IN PCONTEXT ThreadContext,
    IN PINITIAL_TEB InitialTeb,
    IN BOOLEAN CreateSuspended);

and there is ProcessHandle, somehow we should be able to get necessary information about the current process and filter out unwanted ones.

ObjectAttributes parameter is always passed as NULL, so ObjectAttributes->ObjectName can't be used at all.

This is the first time in kernel programming, and it is too hard for me to find how.

Please someone help me on this.

haerim

-- modified at 14:07 Sunday 31st December, 2006

Re: How to inject dll into specific processes, not all the processes?

ehaerim

11:35 5 Jan '07

The code below works for WinXP or later to find out the name of full process image name.

typedef NTSTATUS (*QUERY_INFO_PROCESS) (
    __in HANDLE ProcessHandle,
    __in PROCESSINFOCLASS ProcessInformationClass,
    __out_bcount(ProcessInformationLength) PVOID ProcessInformation,
    __in ULONG ProcessInformationLength,
    __out_opt PULONG ReturnLength
    );

QUERY_INFO_PROCESS ZwQueryInformationProcess;

NTSTATUS GetProcessImageName(PUNICODE_STRING ProcessImageName)
{
    NTSTATUS status;
    ULONG returnedLength;
    ULONG bufferLength;
    PVOID buffer;
    PUNICODE_STRING imageName;
    
    PAGED_CODE(); // this eliminates the possibility of the IDLE Thread/Process

    if (NULL == ZwQueryInformationProcess) {

        UNICODE_STRING routineName;

        RtlInitUnicodeString(&routineName, L"ZwQueryInformationProcess");

        ZwQueryInformationProcess = 
               (QUERY_INFO_PROCESS) MmGetSystemRoutineAddress(&routineName);

        if (NULL == ZwQueryInformationProcess) {
            DbgPrint("Cannot resolve ZwQueryInformationProcess\n");
        }
    }
    //
    // Step one - get the size we need
    //
    status = ZwQueryInformationProcess( NtCurrentProcess(), 
                                        ProcessImageFileName,
                                        NULL, // buffer
                                        0, // buffer size
                                        &returnedLength);

    if (STATUS_INFO_LENGTH_MISMATCH != status) {

        return status;

    }

    //
    // Is the passed-in buffer going to be big enough for us?  
    // This function returns a single contguous buffer model...
    //
    bufferLength = returnedLength - sizeof(UNICODE_STRING);
    
    if (ProcessImageName->MaximumLength < bufferLength) {

        ProcessImageName->Length = (USHORT) bufferLength;

        return STATUS_BUFFER_OVERFLOW;
        
    }

    //
    // If we get here, the buffer IS going to be big enough for us, so 
    // let's allocate some storage.
    //
    buffer = ExAllocatePoolWithTag(PagedPool, returnedLength, 'ipgD');

    if (NULL == buffer) {

        return STATUS_INSUFFICIENT_RESOURCES;
        
    }

    //
    // Now lets go get the data
    //
    status = ZwQueryInformationProcess( NtCurrentProcess(), 
                                        ProcessImageFileName,
                                        buffer,
                                        returnedLength,
                                        &returnedLength);

    if (NT_SUCCESS(status)) {
        //
        // Ah, we got what we needed
        //
        imageName = (PUNICODE_STRING) buffer;

        RtlCopyUnicodeString(ProcessImageName, imageName);
        
    }

    //
    // free our buffer
    //
    ExFreePool(buffer);

    //
    // And tell the caller what happened.
    //    
    return status;
    
}

NewNtTerminateProcess called with NULL as the value of ProcessHandle. Why?

ehaerim

21:59 30 Dec '06

The below is log after hooking.

As you see, ProcessHandle was 0x240 when it was created by NtCreateProcessEx.
But, when it was terminated by NtTerminateProcess it was NULL. Why? and How does the kernel terminate a process with a NULL handle?

Can anyone explain?

haerim

========= Log by DBGPRINT ===================

In DriverEntry
Memory for Pool successfully initialized
receiving IOCTL_NTPROCDRV_SET_ADDRNFO ok!
Trying to hook srvices
Setting hook on SSTIndexNtCreateProcess = 0x0000002F
Setting hook on SSTIndexNtCreateThread = 0x00000035
Setting hook on SSTIndexNtTerminateProcess = 0x00000101
Setting hook on pfnLoadLibrary = 0x7C80AE4B
Setting hook on SSTIndexNtCreateProcessEx = 0x00000030
In NtCreateProcessEx
Kernel successfully create NtCreateProcessEx.
----->ProcessHandle = 0x240
Successfully added process handle to Queue
ObjectAttributes = 0x00000000Kernel trying to CreateThread(from User Mode) for ProcessHandle = 0x240
Address of LoadLibraryW = 0x7C80AE4B
---------------Memory allocation OK! BaseAddr = 0x80000
---------------Old EAX Value = 0x0100739d
Kernel sucessfully create new thread.
----->ThreadHandle = 0x1fch for ProcessHandle = 0x240
Called NtTerminateProcess, ProcessHandle=0x00000000
Kernel sucessfully terminate Process.
----->ProcessHandle = 0x00000000
Called NtTerminateProcess, ProcessHandle=0x00000000
ObjectAttributes = 0x00000000
Kernel sucessfully create new thread.
----->ThreadHandle = 0x2d4h for ProcessHandle = 0xffffffff
ObjectAttributes = 0x00000000
Kernel sucessfully create new thread.
----->ThreadHandle = 0x1e0h for ProcessHandle = 0xffffffff
In NtCreateProcessEx
Kernel successfully create NtCreateProcessEx.
----->ProcessHandle = 0x14c
Successfully added process handle to Queue
ObjectAttributes = 0x00000000
Kernel trying to CreateThread(from User Mode) for ProcessHandle = 0x14C
Address of LoadLibraryW = 0x7C80AE4B
---------------Memory allocation OK! BaseAddr = 0x130000
---------------Old EAX Value = 0x004034af
Kernel sucessfully create new thread.
----->ThreadHandle = 0x150h for ProcessHandle = 0x14c
ObjectAttributes = 0x00000000
Kernel sucessfully create new thread.
----->ThreadHandle = 0x470h for ProcessHandle = 0xffffffff
ObjectAttributes = 0x00000000
Kernel sucessfully create new thread.
----->ThreadHandle = 0x470h for ProcessHandle = 0xffffffff

Second MessageBox does not show up when process termination but only sound.

ehaerim

15:56 2 Dec '06

BOOL WINAPI DllMain( HANDLE hModule, 
                       DWORD  ul_reason_for_call, 
                       LPVOID lpReserved
					 )
{
	switch (ul_reason_for_call)
	{
	case DLL_PROCESS_ATTACH:
		MessageBox(NULL,"Before starting process.","Hello",0);
		break;
	case DLL_PROCESS_DETACH:
		MessageBox(NULL,"Before ending.","Hello",0);
		break;
	}

	return TRUE;
}

When a Notepad process is created there certaily a "Hello" messagebox saying "Before starting process." shows up along with a bell sound. I have to press OK to continue. And, when it is terminated, I expected to see another "Hello" messagebox saying "Before ending." along with a bell sound, too. When I close NotePad.exe, however, no messagebox was shown but only a bell sound.

Why didn't the second messagebox show up but only a bell sound? How did it disappear without me pressing OK button at all?

haerim

Re: Second MessageBox does not show up when process termination but only sound.

tezm

2:25 28 Jul '07

I have the same problem.
Sign In·View Thread·PermaLink

VC++ 6.0 Version available?

ehaerim

11:52 2 Dec '06

You need the NTDDK to be installed on your computer. I'm using MSVS 6.0 for compiling NtProcDrv, and MSVS 7.1 for the rest of the projects.
Sign In·View Thread·PermaLink

How to hook multiple instances of Notepad? [modified]

ehaerim

16:10 30 Nov '06

I've been playing around with HookInjEx(http://www.codeproject.com/threads/winspy.asp?df=100&forumid=16291&select=1784407&msg=1784407[^]) which worked fine for a single instance of Notepad.exe.
However, when I run two Notepad instances, the injection worked for only one instance and not for the other one.

Is there any nice and clean way to make hooking work for all the instances?

One possible way is to use PsSetCreateProcessNotifyRoutine mentioned in this article.

Please provide a good working example if possible.

haerim

-- modified at 12:37 Friday 1st December, 2006

5.00/5 (1 vote)

Where can I get info about SetCreateProcessNotificationRoutine? [modified]

ehaerim

14:42 30 Nov '06

I searched SetCreateProcessNotificationRoutine but failed.

Where is that function documented?

haerim

I found it myself and it was PsSetCreateProcessNotifyRoutine, not SetCreateProcessNotificationRoutine as mentioned in this article.

http://msdn.microsoft.com/library/default.asp?url=/library/en-us/Kernel_r/hh/Kernel_r/k108_6ae7797a-ecbe-4665-85d5-e199f13613cd.xml.asp[^]

-- modified at 9:47 Friday 1st December, 2006

starting programs by clicking on document icons

richardmoss

6:43 15 Nov '06

Hi Andriy,

Thanks for this usefull information. I've been trying it since this morning. The hookdemo.exe is running in the background and I get start and end messages for applications.

However I encountered some problems with some programs.

Excel: Whenever I try to open an Excel document by double-clicking on the file, Excel cannot open the document. It starts with an empty screen.

Visual studio: Try to open a *.cs file by double clicking. It shows process start messagebox. Just after this another messagebox pops up saying that it could not find the file. However I didn't click on the first messagebox coming from the hooking dll and theoretically there is no way that the application continues before I press OK on the first messagebox. How does this happen?

Adobe Acrobat reader: Open a pdf file by double clicking. Acrobat reader gives a memory error on exit.

There seems to be a problem in starting programs with parameters. Do you have any idea?

Thanks in advance

oky

Re: starting programs by clicking on document icons

Andriy Oriekhov

1:25 23 Nov '06

I haven't had time for exploring the problem. Try to change MessageBoxes in DLL with some kind of logging. In that case sample code will work fine.
Sign In·View Thread·PermaLink

How to get the executable name from the created process??

girm

2:41 13 Sep '06

Awesome article !!

I am trying to figure out how to adapt it to the "API Hooking revealed" from Mr Ivanov ...
and since I am very new to kernel driver programing ... its ... well .. painfull.

I need to be able to know the executable name in order to know if I need to inject a dll in it or not.

I guess this information is to be grabbed from the process handle ... but since all this is in the driver code all my attemps failed.

Could you help me

thxs

5.00/5 (1 vote)

Re: How to get the executable name from the created process??

Andriy Oriekhov

3:53 14 Sep '06

You can simply do it in DLL. Just get process name (in DllMain) and do nothing if it is not your target.
Sign In·View Thread·PermaLink

Re: How to get the executable name from the created process??

girm

21:40 24 Oct '06

Thanks for your answer,
Yes I did think about doing it in DLLMain (I did it in fact it works fine)

But this is not an answer to my original question : I need to know the process name before injecting the dll ... otherwhile it means that I will inject the DLL in any process that starts : and this is what i would like avoid.

thanks in advance
Marc

PS: I've previously forgotten to rate you a deserved 5, now its done Cool

,
PPS: didn't get notified of your answer by CP Frown

, sorry it tooks so much time to post again

Re: How to get the executable name from the created process??

Andriy Oriekhov

12:32 25 Oct '06

Unfortunately I don't know the answer and I have no time to find it.
Sign In·View Thread·PermaLink

Re: How to get the executable name from the created process??

ehaerim

11:32 5 Jan '07

The code below will give you the process name within the NtProcDrv driver. But this will work only on Win XP or later.

I haven't found an answer for Win2K. If you have found, let me know.

haerim

typedef NTSTATUS (*QUERY_INFO_PROCESS) (
    __in HANDLE ProcessHandle,
    __in PROCESSINFOCLASS ProcessInformationClass,
    __out_bcount(ProcessInformationLength) PVOID ProcessInformation,
    __in ULONG ProcessInformationLength,
    __out_opt PULONG ReturnLength
    );

QUERY_INFO_PROCESS ZwQueryInformationProcess;

NTSTATUS GetProcessImageName(PUNICODE_STRING ProcessImageName)
{
    NTSTATUS status;
    ULONG returnedLength;
    ULONG bufferLength;
    PVOID buffer;
    PUNICODE_STRING imageName;
    
    PAGED_CODE(); // this eliminates the possibility of the IDLE Thread/Process

    if (NULL == ZwQueryInformationProcess) {

        UNICODE_STRING routineName;

        RtlInitUnicodeString(&routineName, L"ZwQueryInformationProcess");

        ZwQueryInformationProcess = 
               (QUERY_INFO_PROCESS) MmGetSystemRoutineAddress(&routineName);

        if (NULL == ZwQueryInformationProcess) {
            DbgPrint("Cannot resolve ZwQueryInformationProcess\n");
        }
    }
    //
    // Step one - get the size we need
    //
    status = ZwQueryInformationProcess( NtCurrentProcess(), 
                                        ProcessImageFileName,
                                        NULL, // buffer
                                        0, // buffer size
                                        &returnedLength);

    if (STATUS_INFO_LENGTH_MISMATCH != status) {

        return status;

    }

    //
    // Is the passed-in buffer going to be big enough for us?  
    // This function returns a single contguous buffer model...
    //
    bufferLength = returnedLength - sizeof(UNICODE_STRING);
    
    if (ProcessImageName->MaximumLength < bufferLength) {

        ProcessImageName->Length = (USHORT) bufferLength;

        return STATUS_BUFFER_OVERFLOW;
        
    }

    //
    // If we get here, the buffer IS going to be big enough for us, so 
    // let's allocate some storage.
    //
    buffer = ExAllocatePoolWithTag(PagedPool, returnedLength, 'ipgD');

    if (NULL == buffer) {

        return STATUS_INSUFFICIENT_RESOURCES;
        
    }

    //
    // Now lets go get the data
    //
    status = ZwQueryInformationProcess( NtCurrentProcess(), 
                                        ProcessImageFileName,
                                        buffer,
                                        returnedLength,
                                        &returnedLength);

    if (NT_SUCCESS(status)) {
        //
        // Ah, we got what we needed
        //
        imageName = (PUNICODE_STRING) buffer;

        RtlCopyUnicodeString(ProcessImageName, imageName);
        
    }

    //
    // free our buffer
    //
    ExFreePool(buffer);

    //
    // And tell the caller what happened.
    //    
    return status;
    
}

Last Visit: 20:33 22 Nov '09 Last Update: 20:33 22 Nov '09

12 Next »

General News Question Answer Joke Rant Admin

PermaLink | Privacy | Terms of Use
Last Updated: 31 May 2006
Editor: Smitha Vijayan