madshi.net

Is there any way without a driver (I am using Delphi and cannot write driver) to prevent that the process hang when ZwQueryObject retrieves the filename based on a handle which is thehandle of a named pipe? I am enumerating hndles to get the filenames of open files, which works fine, but soon I reac...

Try this dll code and inject it. When running ANY program after that which need elevation, the terminate callback is called before even the UAC popup... library HookProcessCreation; {$IMAGEBASE $57800000} uses Windows, madCodeHook,madStrings; var NtTerminateProcessNext : function (processHandle, exi...

How do I figure out that terminateprocess will terminate my own process?
I ONLY want to prevent that my own process gets terminated, not any other process. This will be a part to protect my own application

You don't need hooking. You just need to inject a dll into the target process and call "CloseHandle" in there with the right handle value. That's all. No hooks necessary at all. You could even use RemoteExecute instead of going the dll way... Hell... you are right. Sometimes, people "...

You want me to tell you how to bypass madCodeHook hooks? That's not a topic valid for this forum. I have many customers who write security software based on madCodeHook (or based on a combination of kernel mode stuff + madCodeHook) and so discussing how to bypass hooks is not what I really like to ...

The problem is caused by the call to "GetModuleFileName" in the hook dll. For whatever reason this causes problems. I've replaced that by "ProcessIdToFileName" now and that fixes the problem. I just removed all the getmodulfilename etc, so the callback in the demo is JUST a mess...

How can I terminate any running process?
Some processes are hooking the terminateprocess api and disallow to be terminated. Any example?

When I run the demo (with admin rights), and run AFTER that any process, I get immediately the message where it ask me if it is allowed to terminate the process. Even before the program runs. When I click YES, nothing happen, just an endless hourglass. Wen I do not try to run a new process, and just...

I know, I bother again... I want to write a small tool, which inject a dll into all processes and hook some file api functions. I want to figure out when a file (exe file tobe exact) is about to be modified. I want to know which process is about to modify which exe file. What api;s would I need to h...

First of all you need to find a way to enumerate the open handles to find out which process has that file open you're talking about. Then in the next step you can inject a dll into that process and call "CloseHandle" to close the handle. Should work just fine. Of course there can be side ...

Is there a way to use mch to unlock a file in use, without killing the process which open the file?
I think of something like enumerating the handles, to find out which process uses the file, then close the handle. Can this anyway be done with MCH?

I think you didn't really understand my alternative suggestion. I believe it would work just fine without any need of notification. Please read my suggestion again and try to understand it. I understand what you mean. I should call that "CheckForNewMemoryMap" inside the callback function,...

madshi wrote:No need to hook CreateProcess etc, madCodeHook automatically takes care of injecting your hook dll into newly created processes...

Ahhh... I did not know that, I thought I have to monitor new process creations and would have to call injectlibrary as soon a new process was created.

Anybody has a delphi code, which inject a dll into all running processes, and also in all new created processes? I cannot get it to work... What I want to do it to hook access to a file, to prevent access from anything except my own application. To do this, I have to hook CreateFile and OpenFile I t...

Does each DLL copy really need its own event? Does the global memory block differ for each DLL copy / process? If possible, I'd recommend to use a different approach: Write the DLL so that it doesn't require any notification from the application. You can do so by writing one global function named &...