madshi.net

[XanSama]

hey again, i've hooked WriteProcessMemory with madCodeHook and i'm trying to get the program to show me what processes it's writing to, so i'm using madRemote's EnumProcesses and it keeps returning "[System Process]" is there anything i can do about that?

this is my code:

Code: Select all

library XGBR;

{$R 'RSRC.res' 'RSRC.RC'}

Uses
  Windows, madCHook, madRemote;

var
  realWriteProcessMemory: function(hProcess: THandle; const lpBaseAddress: Pointer; lpBuffer: Pointer; nSize: DWORD; var lpNumberOfBytesWritten: DWORD): BOOL; stdcall;

function GetProcessFileName(hProcess: THandle) : string;
var i1 : integer;
    pl : TDAProcess;
    processId: dword;
begin
  processId := ProcessHandleToId(hProcess);
  result := '';
  pl := EnumProcesses;
  for i1 := 0 to high(pl) do
    if pl[i1].id = processId then begin
      result := pl[i1].exeFile;
      break;
    end;
end;

function hookWriteProcessMemory(hProcess: THandle; const lpBaseAddress: Pointer; lpBuffer: Pointer; nSize: DWORD; var lpNumberOfBytesWritten: DWORD): BOOL; stdcall;
var
  FileName: string;
begin
      FileName := GetProcessFileName(hProcess);
      MessageBoxA(0, pchar(FileName), 'Debug', MB_OK);
      Result := realWriteProcessMemory(hProcess, lpBaseAddress, lpBuffer, nSize, lpNumberOfBytesWritten);
end;

begin
  if (HookApi('kernel32.dll', 'WriteProcessMemory', @hookWriteProcessMemory, @realWriteProcessMemory, MIXTURE_MODE) = False) then MessageBoxA(0, 'HookApi(WriteProcessMemory Failed.', 'Error.', MB_OK);
end.


[madshi]

Why don't you use "ProcessIdToFileName"?

Anyway, you should check for "GetCurrentProcess". If hProcess is "GetCurrentProcess", then ProcessHandleToId will probably fail and return 0. And the system process has the ID 0. That's why you're getting the system process name back.

[XanSama]

I couldn't seem to make ProcessIdToFileName work. but the issue isnt that it's getting it's own handle, not quite sure what was up really, but i've just decided to use a toolhelp32 snapshot.

here's my final working code:

Code: Select all

library XGBR;

{$R 'RSRC.res' 'RSRC.RC'}

Uses
  Windows, TlHelp32, madCHook;

var
  realWriteProcessMemory: function(hProcess: THandle; const lpBaseAddress: Pointer; lpBuffer: Pointer; nSize: DWORD; var lpNumberOfBytesWritten: DWORD): BOOL; stdcall;

function GetProcessID(hProcess: THandle): dword; stdcall; external 'kernel32.dll' name 'GetProcessId';

function GetProcessFileName(hProcess: THandle) : string;
label
  lbEnd;
var
  Snapshot: dword;
  ProcessEntry32: TProcessEntry32;
  bContinue: bool;
  PID: dword;
begin
  Result:= '';
  bContinue:= True;
  PID := GetProcessID(hProcess);
  ProcessEntry32.dwSize := SizeOf(TProcessEntry32);
  Snapshot := CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0);
  if (Snapshot = INVALID_HANDLE_VALUE) then goto lbEnd;
  Process32First(Snapshot, ProcessEntry32);
  repeat
    if (ProcessEntry32.th32ProcessID = PID) then
      begin
        Result := ProcessEntry32.szExeFile;
        goto lbEnd;

      end
    else
      begin
        bContinue:= Process32Next(Snapshot, ProcessEntry32);
      end
  until bContinue = False;
  lbEnd:
end;

function hookWriteProcessMemory(hProcess: THandle; const lpBaseAddress: Pointer; lpBuffer: Pointer; nSize: DWORD; var lpNumberOfBytesWritten: DWORD): BOOL; stdcall;
var
  FileName: string;
begin
  FileName := GetProcessFileName(hProcess);
  MessageBoxA(0, pchar(FileName), 'Process:', MB_OK);
  Result := realWriteProcessMemory(hProcess, lpBaseAddress, lpBuffer, nSize, lpNumberOfBytesWritten);
end;

begin
  if (HookApi('kernel32.dll', 'WriteProcessMemory', @hookWriteProcessMemory, @realWriteProcessMemory, MIXTURE_MODE) = False) then MessageBoxA(0, 'HookApi(WriteProcessMemory Failed.', 'Error.', MB_OK);
end.