Error on hook api ZwOpenProcess on WinXP

c++ / delphi package - dll injection and api hooking
pambol
Posts: 50
Joined: Sat Jun 23, 2018 1:15 am

Error on hook api ZwOpenProcess on WinXP

Post by pambol »

I'm receiving a blue screen of death when hooking the API ZwOpenProcess on Windows XP. Why does it occur?
Another question is, why does Windows hook some APIs and others not? Like send from ws2_32.dll.

Thanks.
iconic
Site Admin
Posts: 1065
Joined: Wed Jun 08, 2005 5:08 am

Re: Error on hook api ZwOpenProcess on WinXP

Post by iconic »

Without seeing your ZwOpenProcess callback we'd be guessing at why you're BSODing. We simply need to see some code. What do you mean why are some APIs hooked like ws2_32.dll!send() and not others? If you load Winsock v1 (winsock.dll) it automatically forwards socket functions to Winsock v2 so hooking ws2_32.dll is all you need from XP forward. I assume that is what you meant?

--Iconic
pambol
Posts: 50
Joined: Sat Jun 23, 2018 1:15 am

Re: Error on hook api ZwOpenProcess on WinXP

Post by pambol »

Here is the code:

Code:

type
  NTStatus = cardinal;
  PObjectAttributes = ^TObjectAttributes;
  TObjectAttributes = packed record
    Length: DWORD;
    RootDirectory: THandle;
    ObjectName: PUnicodeString;
    Attributes: DWORD;
    SecurityDescriptor: Pointer;
    SecurityQualityOfService: Pointer;
  end;

type
  PClientID = ^TClientID;
  TClientID = packed record
    UniqueProcess: cardinal;
    UniqueThread: cardinal;
  end;

var
  TrampolineZwOpenProcess: function(phProcess: PDWORD; AccessMask: DWORD; ObjectAttributes: PObjectAttributes; ClientID: PClientID): NTStatus; stdcall; // external 'ntdll.dll' name 'NtOpenProcess';

function InterceptZwOpenProcess(phProcess: PDWORD; AccessMask: DWORD; ObjectAttributes: PObjectAttributes; ClientID: PClientID): NTStatus; stdcall;
begin
  if AmSystemProcess then begin
    Result := TrampolineZwOpenProcess(phProcess, AccessMask, ObjectAttributes, ClientID);
  end
  else
  begin
    if (ClientID <> nil) and Bloqueado(ClientID.UniqueProcess) then begin
      Result := NTStatus(nil);
      SetLastError(ERROR_ACCESS_DENIED);
    end
    else
    begin
      Result := TrampolineZwOpenProcess(phProcess, AccessMask, ObjectAttributes, ClientID);
    end;
  end;
end;
And how I hook it:

Code:

HookApi('ntdll.dll', 'ZwOpenProcess', @InterceptZwOpenProcess, @TrampolineZwOpenProcess);

Is something wrong?
iconic
Site Admin
Posts: 1065
Joined: Wed Jun 08, 2005 5:08 am

Re: Error on hook api ZwOpenProcess on WinXP

Post by iconic »

Let's see the code for your Bloqueado (Block PID checking code). Your structs are incorrectly defined; if you expect to have this working on 64-bit you'll have issues. There is a 64-bit XP version.
Use the corrected ones below.

Code:

type
  NTSTATUS = LongInt;

  POBJECT_ATTRIBUTES = ^OBJECT_ATTRIBUTES;
  OBJECT_ATTRIBUTES = record
    Length: ULONG;
    RootDirectory: THandle;
    ObjectName: PUNICODE_STRING;
    Attributes: ULONG;
    SecurityDescriptor: PVOID;
    SecurityQualityOfService: PVOID;
  end;

type
  PCLIENT_ID = ^CLIENT_ID;
  CLIENT_ID = record
    UniqueProcess: THandle;
    UniqueThread: THandle;
  end;

var
  ZwOpenProcess: function(ProcessHandle: PHANDLE;
                          DesiredAccess: ACCESS_MASK;
                          ObjectAttributes: POBJECT_ATTRIBUTES;
                          ClientId: PCLIENT_ID): NTSTATUS; stdcall;

You shouldn't be returning 0 (meaning STATUS_SUCCESS) and then setting the last error value to ACCESS_DENIED. The error meaning is the opposite of a successful function call return! You need to return STATUS_ACCESS_DENIED, which is NTSTATUS($C0000022), and not 0/NIL when you want to block.

--Iconic
pambol
Posts: 50
Joined: Sat Jun 23, 2018 1:15 am

Re: Error on hook api ZwOpenProcess on WinXP

Post by pambol »

The Bloqueado function is just a loop over a .ini that checks whether the PID exists or not.

How should I return a result from:

Code:

function InterceptZwWriteProcessMemory(hProcess: THandle; const lpBaseAddress: Pointer; lpBuffer: Pointer; nSize: ULONG; var lpNumberOfBytesWritten: PULONG): NTStatus; stdcall;

to deny? Because I'm using the same code as for OpenProcess:

Code:

Result := NTStatus(nil);
SetLastError(ERROR_ACCESS_DENIED);
iconic
Site Admin
Posts: 1065
Joined: Wed Jun 08, 2005 5:08 am

Re: Error on hook api ZwOpenProcess on WinXP

Post by iconic »

There is no ZwWriteProcessMemory, there is ZwWriteVirtualMemory. The correct API prototype is below:

Code:

function ZwWriteVirtualMemory(ProcessHandle: THandle;
                              BaseAddress: Pointer;
                              Buffer: Pointer;
                              NumberOfBytesToWrite: DWORD;
                              NumberOfBytesWritten: PULONG): NTSTATUS; stdcall;

I've explained in my previous post that you need to have the function return an NTSTATUS error code to indicate failure, not success. All you need to do is set Result := STATUS_ACCESS_DENIED; to achieve this. Wrappers like WriteProcessMemory() which call NtWriteVirtualMemory() check the return and if < STATUS_SUCCESS will call BaseSetLastNTError() which does a SetLastError(RtlNtStatusToDosError(Nt_Status)); and exits. Therefore you do not need to explicitly set any error code yourself, only set the appropriate return code in Result.


--Iconic
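To make iconic's two replies concrete, here is an added C model (not code from the thread, from madshi or from the madCodeHook library) of the corrected ZwOpenProcess callback and of what a Win32 wrapper such as OpenProcess does with its return value. The Windows types, the trampoline stub, the block list standing in for Bloqueado and the wrapper are all constructed stand-ins so the model compiles and runs offline; in a real hook the trampoline pointer is filled in by HookApi.

```c
#include <stddef.h>
#include <stdint.h>

/* Model of the NTSTATUS conventions, not the Windows headers: NTSTATUS is a signed
 * 32-bit LONG and any value with the high bit set (e.g. $C0000022) is a failure. */
typedef int32_t NTSTATUS;
#define STATUS_SUCCESS         ((NTSTATUS)0x00000000)
#define STATUS_ACCESS_DENIED   ((NTSTATUS)0xC0000022)
#define NT_SUCCESS(s)          (((NTSTATUS)(s)) >= 0)
#define ERROR_ACCESS_DENIED    5u
#define ERROR_MR_MID_NOT_FOUND 317u /* RtlNtStatusToDosError's result for unmapped codes */

typedef struct { uintptr_t UniqueProcess; uintptr_t UniqueThread; } CLIENT_ID;
typedef NTSTATUS (*ZwOpenProcess_t)(void **ProcessHandle, uint32_t DesiredAccess,
                                    void *ObjectAttributes, CLIENT_ID *ClientId);

/* Constructed stand-in for the original ZwOpenProcess so the model runs offline. */
static NTSTATUS original_ZwOpenProcess(void **ProcessHandle, uint32_t DesiredAccess,
                                       void *ObjectAttributes, CLIENT_ID *ClientId) {
    (void)DesiredAccess; (void)ObjectAttributes;
    *ProcessHandle = (void *)(0x100 + ClientId->UniqueProcess); /* fake handle value */
    return STATUS_SUCCESS;
}
/* In a real hook HookApi fills this pointer in; here it targets the stub above. */
static ZwOpenProcess_t TrampolineZwOpenProcess = original_ZwOpenProcess;

/* Constructed block list standing in for the .ini lookup (Bloqueado). */
static const uintptr_t blocked_pids[] = { 1234, 5678 };
static int Bloqueado(uintptr_t pid) {
    for (size_t i = 0; i < sizeof blocked_pids / sizeof blocked_pids[0]; i++)
        if (blocked_pids[i] == pid) return 1;
    return 0;
}

/* Corrected callback: deny by returning a failure NTSTATUS and nothing else;
 * no SetLastError in the hook, the Win32 wrapper derives that from the status. */
NTSTATUS InterceptZwOpenProcess(void **ProcessHandle, uint32_t DesiredAccess,
                                void *ObjectAttributes, CLIENT_ID *ClientId) {
    if (ClientId != NULL && Bloqueado(ClientId->UniqueProcess))
        return STATUS_ACCESS_DENIED;
    return TrampolineZwOpenProcess(ProcessHandle, DesiredAccess, ObjectAttributes, ClientId);
}

/* Model of the wrapper: on !NT_SUCCESS it does BaseSetLastNTError and fails. */
static uint32_t g_last_error;
uint32_t GetLastError_model(void) { return g_last_error; }
void *OpenProcess_model(uint32_t DesiredAccess, uintptr_t pid) {
    void *h = NULL;
    CLIENT_ID cid = { pid, 0 };
    NTSTATUS st = InterceptZwOpenProcess(&h, DesiredAccess, NULL, &cid);
    if (!NT_SUCCESS(st)) {
        g_last_error = (st == STATUS_ACCESS_DENIED) ? ERROR_ACCESS_DENIED : ERROR_MR_MID_NOT_FOUND;
        return NULL;
    }
    return h;
}
```

With the thread's original callback, which returned 0, NT_SUCCESS would be true and the wrapper would hand back whatever was in the never-written handle while the SetLastError value went unread.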
pambol
Posts: 50
Joined: Sat Jun 23, 2018 1:15 am

Re: Error on hook api ZwOpenProcess on WinXP

Post by pambol »

So WriteProcessMemory doesn't call NtWriteProcessMemory, which calls ZwWriteProcessMemory?

Another question: what does InjectLibraryW use, WriteProcessMemory or WriteVirtualMemory?
iconic
Site Admin
Posts: 1065
Joined: Wed Jun 08, 2005 5:08 am

Re: Error on hook api ZwOpenProcess on WinXP

Post by iconic »

ZwWriteVirtualMemory() and NtWriteVirtualMemory() thunk to the same address in usermode's ntdll - meaning they're the exact same API in usermode with the same virtual address. WriteProcessMemory just wraps the lower level native API, as well as takes care of page protection for the writing and cache flushing after.

--Iconic
madshi
Site Admin
Posts: 10753
Joined: Sun Mar 21, 2004 5:25 pm

Re: Error on hook api ZwOpenProcess on WinXP

Post by madshi »

Pambol, whenever you have problems with blue screens or similar, the first step would be to empty your hook callback functions and do nothing but "return TrampolineZwOpenProcess(original parameters)", so basically a pure passthrough. If you do that, does the blue screen go away? If so, put your code back in step by step to find out which part of your code is causing the blue screen.
pambol
Posts: 50
Joined: Sat Jun 23, 2018 1:15 am

Re: Error on hook api ZwOpenProcess on WinXP

Post by pambol »

@madshi

What functions does InjectLibraryW use? I mean WriteProcessMemory or WriteVirtualMemory?
madshi
Site Admin
Posts: 10753
Joined: Sun Mar 21, 2004 5:25 pm

Re: Error on hook api ZwOpenProcess on WinXP

Post by madshi »

WriteProcessMemory. I don't know any API named WriteVirtualMemory.
iconic
Site Admin
Posts: 1065
Joined: Wed Jun 08, 2005 5:08 am

Re: Error on hook api ZwOpenProcess on WinXP

Post by iconic »

Pambol,

The only thing you need to know is that any high-level wrapper in usermode for writing to a target address space will eventually call the native API Nt/ZwWriteVirtualMemory inside ntdll somewhere down the call chain. This includes WriteProcessMemory, so all you need to do is hook Nt/ZwWriteVirtualMemory inside ntdll.


--Iconic
pambol
Posts: 50
Joined: Sat Jun 23, 2018 1:15 am

Re: Error on hook api ZwOpenProcess on WinXP

Post by pambol »

Iconic,
Yes, I only hook these APIs. I asked which APIs are used for injection since they try to inject something into my application, so I call a restore before the injection.