Error on hook api ZwOpenProcess on WinXP
I'm receiving a blue screen of death when hooking the API ZwOpenProcess on Windows XP, why does it occur?
Other question is, why do some Windows hooks hook some APIs and others not? Like send from ws2_32.dll.
Thanks.
Re: Error on hook api ZwOpenProcess on WinXP
Without seeing your ZwOpenProcess callback we'd be guessing at why you're BSODing. We simply need to see some code. What do you mean why are some APIs hooked like ws2_32.dll!send() and not others? If you load Winsock v1 (winsock.dll) it automatically forwards socket functions to Winsock v2 so hooking ws2_32.dll is all you need from XP forward. I assume that is what you meant?
--Iconic
Re: Error on hook api ZwOpenProcess on WinXP
Follow the code:
Code:
    type
      NTStatus = cardinal;
      PObjectAttributes = ^TObjectAttributes;
      TObjectAttributes = packed record
        Length: DWORD;
        RootDirectory: THandle;
        ObjectName: PUnicodeString;
        Attributes: DWORD;
        SecurityDescriptor: Pointer;
        SecurityQualityOfService: Pointer;
      end;
    type
      PClientID = ^TClientID;
      TClientID = packed record
        UniqueProcess: cardinal;
        UniqueThread: cardinal;
      end;
    var
      TrampolineZwOpenProcess: function(phProcess: PDWORD; AccessMask: DWORD; ObjectAttributes: PObjectAttributes; ClientID: PClientID): NTStatus; stdcall; // external 'ntdll.dll' name 'NtOpenProcess';

    // AmSystemProcess and Bloqueado are the poster's own helpers, not shown here
    function InterceptZwOpenProcess(phProcess: PDWORD; AccessMask: DWORD; ObjectAttributes: PObjectAttributes; ClientID: PClientID): NTStatus; stdcall;
    begin
      if AmSystemProcess then begin
        Result := TrampolineZwOpenProcess(phProcess, AccessMask, ObjectAttributes, ClientID);
      end
      else
      begin
        if (ClientID <> nil) and Bloqueado(ClientID.UniqueProcess) then begin
          Result := NTStatus(nil); // 0 = STATUS_SUCCESS; the deny is signalled only via SetLastError
          SetLastError(ERROR_ACCESS_DENIED);
        end
        else
        begin
          Result := TrampolineZwOpenProcess(phProcess, AccessMask, ObjectAttributes, ClientID);
        end;
      end;
    end;
And how I hook it:
Code:
    HookApi('ntdll.dll', 'ZwOpenProcess', @InterceptZwOpenProcess, @TrampolineZwOpenProcess);
Something wrong?
Re: Error on hook api ZwOpenProcess on WinXP
Let's see the code for your Bloqueado (Block PID checking code). Your structs are incorrectly defined; if you expect to have this working on 64-bit you'll have issues. There is a 64-bit XP version.
Use the corrected ones below.
You shouldn't be returning 0 (meaning STATUS_SUCCESS) and then setting the last error value to ACCESS_DENIED. The error meaning is the opposite of a successful function call return! You need to return STATUS_ACCESS_DENIED, which is NTSTATUS($C0000022), and not 0/NIL when you want to block.
Code:
    type
      NTSTATUS = LongInt;
      POBJECT_ATTRIBUTES = ^OBJECT_ATTRIBUTES;
      OBJECT_ATTRIBUTES = record
        Length: ULONG;
        RootDirectory: THandle;
        ObjectName: PUNICODE_STRING;
        Attributes: ULONG;
        SecurityDescriptor: PVOID;
        SecurityQualityOfService: PVOID;
      end;
    type
      PCLIENT_ID = ^CLIENT_ID;
      CLIENT_ID = record
        UniqueProcess: THandle; // handle-sized, so the layout is also right on 64-bit
        UniqueThread: THandle;
      end;
    var
      ZwOpenProcess: function(ProcessHandle: PHANDLE;
        DesiredAccess: ACCESS_MASK;
        ObjectAttributes: POBJECT_ATTRIBUTES;
        ClientId: PCLIENT_ID): NTSTATUS; stdcall;
--Iconic
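Putting Iconic's corrected types and the STATUS_ACCESS_DENIED return together, here is an added example of what the ZwOpenProcess callback could look like; it is not code from this thread or from madCodeHook. It assumes madCodeHook's HookApi/UnhookApi called the way the page does, defines PUNICODE_STRING as an opaque pointer, and takes the blocked PIDs as a constructed list in place of the poster's .ini lookup:

```pascal
unit OpenProcessGuard;
// Added example, not code from the thread or from madCodeHook. It uses Iconic's
// corrected types, returns STATUS_ACCESS_DENIED instead of 0 + SetLastError, and
// takes the blocked PIDs as a constructed list instead of the poster's .ini lookup.
// HookApi/UnhookApi are assumed to be madCodeHook's, called the way the page does.

interface

uses
  Windows, madCodeHook;

type
  NTSTATUS = LongInt;              // signed: failure codes have the severity bit set
  PUNICODE_STRING = Pointer;       // assumption: opaque here, the hook never dereferences it
  POBJECT_ATTRIBUTES = ^OBJECT_ATTRIBUTES;
  OBJECT_ATTRIBUTES = record
    Length: ULONG;
    RootDirectory: THandle;
    ObjectName: PUNICODE_STRING;
    Attributes: ULONG;
    SecurityDescriptor: PVOID;
    SecurityQualityOfService: PVOID;
  end;
  PCLIENT_ID = ^CLIENT_ID;
  CLIENT_ID = record
    UniqueProcess: THandle;        // handle-sized, so the layout also holds on 64-bit
    UniqueThread: THandle;
  end;
  TZwOpenProcess = function(ProcessHandle: PHANDLE; DesiredAccess: ACCESS_MASK;
    ObjectAttributes: POBJECT_ATTRIBUTES; ClientId: PCLIENT_ID): NTSTATUS; stdcall;

const
  STATUS_ACCESS_DENIED = NTSTATUS($C0000022);

function ShouldDenyOpen(ClientId: PCLIENT_ID; const BlockedPids: array of DWORD): Boolean;
function InstallOpenProcessGuard(const BlockedPids: array of DWORD): Boolean;
procedure RemoveOpenProcessGuard;

implementation

var
  NextZwOpenProcess: TZwOpenProcess = nil;   // trampoline, filled in by HookApi
  GuardedPids: array of DWORD;               // constructed stand-in for the .ini list

// Pure decision logic, kept apart from the callback so it can be unit-tested
// without installing any hook.
function ShouldDenyOpen(ClientId: PCLIENT_ID; const BlockedPids: array of DWORD): Boolean;
var
  i: Integer;
begin
  Result := False;
  // ClientId = nil means the caller opens by ObjectName; that path is left alone here.
  if ClientId = nil then
    Exit;
  for i := Low(BlockedPids) to High(BlockedPids) do
    if DWORD(ClientId^.UniqueProcess) = BlockedPids[i] then
    begin
      Result := True;
      Exit;
    end;
end;

function GuardedZwOpenProcess(ProcessHandle: PHANDLE; DesiredAccess: ACCESS_MASK;
  ObjectAttributes: POBJECT_ATTRIBUTES; ClientId: PCLIENT_ID): NTSTATUS; stdcall;
begin
  if ShouldDenyOpen(ClientId, GuardedPids) then
  begin
    // Fail like the native call would: an NTSTATUS error and no handle. Win32's
    // OpenProcess maps it through RtlNtStatusToDosError to ERROR_ACCESS_DENIED itself.
    if ProcessHandle <> nil then
      ProcessHandle^ := 0;
    Result := STATUS_ACCESS_DENIED;
  end
  else
    // Everything else is a pure passthrough to the original function.
    Result := NextZwOpenProcess(ProcessHandle, DesiredAccess, ObjectAttributes, ClientId);
end;

function InstallOpenProcessGuard(const BlockedPids: array of DWORD): Boolean;
var
  i: Integer;
begin
  SetLength(GuardedPids, Length(BlockedPids));
  for i := 0 to High(BlockedPids) do
    GuardedPids[i] := BlockedPids[i];
  Result := HookApi('ntdll.dll', 'ZwOpenProcess', @GuardedZwOpenProcess, @NextZwOpenProcess);
end;

procedure RemoveOpenProcessGuard;
begin
  if Assigned(NextZwOpenProcess) then
    UnhookApi(@NextZwOpenProcess);
end;

end.
```

A protected application would call InstallOpenProcessGuard([GetCurrentProcessId]) from the injected DLL; ShouldDenyOpen can be exercised from a plain console test with a filled-in CLIENT_ID before any hook is installed, which is the cheap way to prove the block/allow decision is right before touching ntdll.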
Re: Error on hook api ZwOpenProcess on WinXP
The Bloqueado function is just a loop over a .ini that checks if the PID exists or not.
How should I return a result from:
Code:
    function InterceptZwWriteProcessMemory(hProcess: THandle; const lpBaseAddress: Pointer; lpBuffer: Pointer; nSize: ULONG; var lpNumberOfBytesWritten: PULONG): NTStatus; stdcall;
to deny? Because I'm using the same code as from OpenProcess:
Code:
    Result := NTStatus(nil);
    SetLastError(ERROR_ACCESS_DENIED);
Re: Error on hook api ZwOpenProcess on WinXP
There is no ZwWriteProcessMemory, there is ZwWriteVirtualMemory. The correct API prototype is below.
I've explained in my previous post you need to have the function return an NTSTATUS error code to indicate failure, not success. All you need to do is set Result := STATUS_ACCESS_DENIED; to achieve this. Wrappers like WriteProcessMemory() which call NtWriteVirtualMemory() check the return and if < STATUS_SUCCESS will call BaseSetLastNTError() which does a SetLastError(RtlNtStatusToDosError(Nt_Status)); and exits. Therefore you do not need to explicitly set any error code yourself, only set the appropriate return code in Result.
Code:
    function ZwWriteVirtualMemory(ProcessHandle: THandle;
      BaseAddress: Pointer;
      Buffer: Pointer;
      NumberOfBytesToWrite: DWORD;
      NumberOfBytesWritten: PULONG): NTSTATUS; stdcall;
--Iconic
Re: Error on hook api ZwOpenProcess on WinXP
So WriteProcessMemory doesn't call NtWriteProcessMemory, which calls ZwWriteProcessMemory?
Other question: what does InjectLibraryW use, WriteProcessMemory or WriteVirtualMemory?
Re: Error on hook api ZwOpenProcess on WinXP
ZwWriteVirtualMemory() and NtWriteVirtualMemory() thunk to the same address in usermode's ntdll - meaning they're the exact same API in usermode with the same virtual address. WriteProcessMemory just wraps the lower level native API, as well as takes care of page protection for the writing and cache flushing after.
--Iconic
Re: Error on hook api ZwOpenProcess on WinXP
Pambol, whenever you have problems with blue screens or similar, the first step would be to empty your hook callback functions and do nothing but "return TrampolineZwOpenProcess(original parameters)", so basically a pure passthrough. If you do that, does the blue screen go away? If so, put your code back in step by step to find out which part of your code is causing the blue screen.
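An added example (not the thread's or madCodeHook's code) that applies madshi's passthrough-first approach to the ZwWriteVirtualMemory prototype Iconic posted above: the callback starts as a pure passthrough, and a constructed GuardStage switch turns on the checks and then the deny one step at a time, so the stage at which a crash appears points at the code responsible. HookApi is assumed to be madCodeHook's as called on this page; GuardStage, GuardedPids and MatchedWrites are assumptions of this example. It also checks that the Nt and Zw export names resolve to one address before hooking a single name:

```pascal
unit WriteMemoryGuard;
// Added example, not code from the thread or from madCodeHook. It takes Iconic's
// ZwWriteVirtualMemory prototype and applies madshi's advice: start as a pure
// passthrough, then switch on one stage at a time. GuardStage, the PID list and
// MatchedWrites are constructed for this example; HookApi is assumed to be madCodeHook's.

interface

uses
  Windows, madCodeHook;

type
  NTSTATUS = LongInt;
  TZwWriteVirtualMemory = function(ProcessHandle: THandle; BaseAddress: Pointer;
    Buffer: Pointer; NumberOfBytesToWrite: DWORD;
    NumberOfBytesWritten: PULONG): NTSTATUS; stdcall;

  // gsPassthrough: call the original, nothing else.  gsObserve: run the checks,
  // count matches, still pass through.  gsEnforce: actually deny.
  TGuardStage = (gsPassthrough, gsObserve, gsEnforce);

const
  STATUS_ACCESS_DENIED = NTSTATUS($C0000022);

var
  GuardStage: TGuardStage = gsPassthrough;   // raise it step by step while testing
  MatchedWrites: Integer = 0;                // matches seen, readable from a debugger

function InstallWriteMemoryGuard(const Pids: array of DWORD): Boolean;

implementation

// Declared here so the unit also builds with older Windows.pas (real kernel32 export).
function GetProcessId(Process: THandle): DWORD; stdcall; external kernel32 name 'GetProcessId';

var
  NextZwWriteVirtualMemory: TZwWriteVirtualMemory = nil;
  GuardedPids: array of DWORD;

function IsGuardedTarget(ProcessHandle: THandle): Boolean;
var
  TargetPid: DWORD;
  i: Integer;
begin
  Result := False;
  TargetPid := GetProcessId(ProcessHandle);
  // A process writing into its own address space is never blocked.
  if (TargetPid = 0) or (TargetPid = GetCurrentProcessId) then
    Exit;
  for i := 0 to High(GuardedPids) do
    if GuardedPids[i] = TargetPid then
    begin
      Result := True;
      Exit;
    end;
end;

function GuardedZwWriteVirtualMemory(ProcessHandle: THandle; BaseAddress: Pointer;
  Buffer: Pointer; NumberOfBytesToWrite: DWORD; NumberOfBytesWritten: PULONG): NTSTATUS; stdcall;
begin
  // In gsPassthrough nothing below runs: if the crash persists with this alone,
  // the callback body is not the cause, the hook installation is.
  if (GuardStage <> gsPassthrough) and IsGuardedTarget(ProcessHandle) then
  begin
    InterlockedIncrement(MatchedWrites);
    if GuardStage = gsEnforce then
    begin
      if NumberOfBytesWritten <> nil then
        NumberOfBytesWritten^ := 0;
      // An NTSTATUS failure is all that is needed; WriteProcessMemory turns it into
      // ERROR_ACCESS_DENIED through BaseSetLastNTError on its own.
      Result := STATUS_ACCESS_DENIED;
      Exit;
    end;
  end;
  Result := NextZwWriteVirtualMemory(ProcessHandle, BaseAddress, Buffer,
    NumberOfBytesToWrite, NumberOfBytesWritten);
end;

function InstallWriteMemoryGuard(const Pids: array of DWORD): Boolean;
var
  NtDll: HMODULE;
  i: Integer;
begin
  Result := False;
  NtDll := GetModuleHandle('ntdll.dll');
  if NtDll = 0 then
    Exit;
  // Nt* and Zw* are two export names for one user-mode address; hooking both would
  // install two hooks on the same function, so verify that and hook one name only.
  if GetProcAddress(NtDll, 'NtWriteVirtualMemory') <>
     GetProcAddress(NtDll, 'ZwWriteVirtualMemory') then
    Exit;
  SetLength(GuardedPids, Length(Pids));
  for i := 0 to High(Pids) do
    GuardedPids[i] := Pids[i];
  Result := HookApi('ntdll.dll', 'NtWriteVirtualMemory',
    @GuardedZwWriteVirtualMemory, @NextZwWriteVirtualMemory);
end;

end.
```

Install with GuardStage left at gsPassthrough and confirm the system is stable; then set gsObserve and watch MatchedWrites while an injector targets the guarded PID; only then set gsEnforce. Each stage adds exactly one piece of the callback, which is the bisection madshi describes.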
Re: Error on hook api ZwOpenProcess on WinXP
@madshi
What functions does InjectLibraryW use? I mean WriteProcessMemory or WriteVirtualMemory?
Re: Error on hook api ZwOpenProcess on WinXP
WriteProcessMemory. I don't know any API named WriteVirtualMemory.
Re: Error on hook api ZwOpenProcess on WinXP
Pambol,
The only thing you need to know is that any high-level wrapper in usermode for writing to a target address space will eventually call the native API Nt/ZwWriteVirtualMemory inside ntdll somewhere down the call chain. This includes WriteProcessMemory, so all you need to do is hook Nt/ZwWriteVirtualMemory inside ntdll.
--Iconic
Re: Error on hook api ZwOpenProcess on WinXP
Iconic,
Yes, I only hook these APIs. I asked which APIs are used on injection since they try to inject something into my application, so I call a restore before the inject.