EnumProcesses help? :/

delphi package - getting into other processes

EnumProcesses help? :/

Postby XanSama » Wed Mar 08, 2006 10:39 am

hey again, i've hooked WriteProcessMemory with madCodeHook and i'm trying to get the program to show me what processes it's writing to, so i'm using madRemote's EnumProcesses and it keeps returning "[System Process]" is there anything i can do about that?

this is my code:
Code: Select all
library XGBR;

{$R 'RSRC.res' 'RSRC.RC'}

Uses
  Windows, madCHook, madRemote;

var
  realWriteProcessMemory: function(hProcess: THandle; const lpBaseAddress: Pointer; lpBuffer: Pointer; nSize: DWORD; var lpNumberOfBytesWritten: DWORD): BOOL; stdcall;

function GetProcessFileName(hProcess: THandle) : string;
var i1 : integer;
    pl : TDAProcess;
    processId: dword;
begin
  processId := ProcessHandleToId(hProcess);
  result := '';
  pl := EnumProcesses;
  for i1 := 0 to high(pl) do
    if pl[i1].id = processId then begin
      result := pl[i1].exeFile;
      break;
    end;
end;

function hookWriteProcessMemory(hProcess: THandle; const lpBaseAddress: Pointer; lpBuffer: Pointer; nSize: DWORD; var lpNumberOfBytesWritten: DWORD): BOOL; stdcall;
var
  FileName: string;
begin
      FileName := GetProcessFileName(hProcess);
      MessageBoxA(0, pchar(FileName), 'Debug', MB_OK);
      Result := realWriteProcessMemory(hProcess, lpBaseAddress, lpBuffer, nSize, lpNumberOfBytesWritten);
end;

begin
  if (HookApi('kernel32.dll', 'WriteProcessMemory', @hookWriteProcessMemory, @realWriteProcessMemory, MIXTURE_MODE) = False) then MessageBoxA(0, 'HookApi(WriteProcessMemory Failed.', 'Error.', MB_OK);
end.
XanSama
 
Posts: 15
Joined: Sat Mar 04, 2006 11:19 am

Postby madshi » Wed Mar 08, 2006 11:42 am

Why don't you use "ProcessIdToFileName"?

Anyway, you should check for "GetCurrentProcess". If hProcess is "GetCurrentProcess", then ProcessHandleToId will probably fail and return 0. And the system process has the ID 0. That's why you're getting the system process name back.
madshi
Site Admin
 
Posts: 9338
Joined: Sun Mar 21, 2004 5:25 pm

Postby XanSama » Wed Mar 08, 2006 12:19 pm

I couldn't seem to make ProcessIdToFileName work. but the issue isnt that it's getting it's own handle, not quite sure what was up really, but i've just decided to use a toolhelp32 snapshot.

here's my final working code:
Code: Select all
library XGBR;

{$R 'RSRC.res' 'RSRC.RC'}

Uses
  Windows, TlHelp32, madCHook;

var
  realWriteProcessMemory: function(hProcess: THandle; const lpBaseAddress: Pointer; lpBuffer: Pointer; nSize: DWORD; var lpNumberOfBytesWritten: DWORD): BOOL; stdcall;

function GetProcessID(hProcess: THandle): dword; stdcall; external 'kernel32.dll' name 'GetProcessId';

function GetProcessFileName(hProcess: THandle) : string;
label
  lbEnd;
var
  Snapshot: dword;
  ProcessEntry32: TProcessEntry32;
  bContinue: bool;
  PID: dword;
begin
  Result:= '';
  bContinue:= True;
  PID := GetProcessID(hProcess);
  ProcessEntry32.dwSize := SizeOf(TProcessEntry32);
  Snapshot := CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0);
  if (Snapshot = INVALID_HANDLE_VALUE) then goto lbEnd;
  Process32First(Snapshot, ProcessEntry32);
  repeat
    if (ProcessEntry32.th32ProcessID = PID) then
      begin
        Result := ProcessEntry32.szExeFile;
        goto lbEnd;

      end
    else
      begin
        bContinue:= Process32Next(Snapshot, ProcessEntry32);
      end
  until bContinue = False;
  lbEnd:
end;

function hookWriteProcessMemory(hProcess: THandle; const lpBaseAddress: Pointer; lpBuffer: Pointer; nSize: DWORD; var lpNumberOfBytesWritten: DWORD): BOOL; stdcall;
var
  FileName: string;
begin
  FileName := GetProcessFileName(hProcess);
  MessageBoxA(0, pchar(FileName), 'Process:', MB_OK);
  Result := realWriteProcessMemory(hProcess, lpBaseAddress, lpBuffer, nSize, lpNumberOfBytesWritten);
end;

begin
  if (HookApi('kernel32.dll', 'WriteProcessMemory', @hookWriteProcessMemory, @realWriteProcessMemory, MIXTURE_MODE) = False) then MessageBoxA(0, 'HookApi(WriteProcessMemory Failed.', 'Error.', MB_OK);
end.
XanSama
 
Posts: 15
Joined: Sat Mar 04, 2006 11:19 am


Return to madRemote

Who is online

Users browsing this forum: No registered users and 1 guest

cron