Unlocker

c++ / delphi package - dll injection and api hooking
Post Reply
LeVuHoang
Posts: 131
Joined: Fri Oct 22, 2004 8:37 am

Unlocker

Post by LeVuHoang »

hello,
I don't know where can I post but I think it will be ok here.

I tried to write a clone of Unlocker, my code below:

Code: Select all

type
PSYSTEM_HANDLE_INFORMATION = ^SYSTEM_HANDLE_INFORMATION;
SYSTEM_HANDLE_INFORMATION = packed record
   ProcessId: dword;
   ObjectTypeNumber: byte;
   Flags: byte;
   Handle: word;
   pObject: pointer;
   GrantedAccess: dword;
end;
PSYSTEM_HANDLE_INFORMATION_EX = ^SYSTEM_HANDLE_INFORMATION_EX;
SYSTEM_HANDLE_INFORMATION_EX = packed record
   NumberOfHandles: dword;
   Information: array [0..0] of SYSTEM_HANDLE_INFORMATION;
end;
PUnicodeString = ^TUnicodeString;
  TUnicodeString = packed record
    Length: Word;
    MaximumLength: Word;
    Buffer: PWideChar;
end;
const OB_TYPE_FILE             =  28;
      SystemHandleInformation  =    16;
function ZwQueryObject(ObjectHandle: THandle;
  ObjectInformationClass: integer; ObjectInformation:Pointer;
  Length: ULONG; ReturnLength: PULONG): cardinal; stdcall;
  external 'ntdll.dll';
Function ZwQuerySystemInformation(ASystemInformationClass: dword;
                                  ASystemInformation: Pointer;
                                  ASystemInformationLength: dword;
                                  AReturnLength:PCardinal): cardinal;
                                  stdcall;external 'ntdll.dll';
Function GetInfoTable(ATableType:dword):Pointer;
var
 mSize: dword;
 mPtr: pointer;
 St: cardinal;
begin
 Result := nil;
 mSize := $4000;
 repeat
   mPtr := VirtualAlloc(nil, mSize, MEM_COMMIT or MEM_RESERVE, PAGE_READWRITE);
   if mPtr = nil then Exit;
   St := ZwQuerySystemInformation(ATableType, mPtr, mSize, nil);
   if St = cardinal($C0000004) then
      begin
        VirtualFree(mPtr, 0, MEM_RELEASE);
        mSize := mSize * 2;
      end;
 until St <> cardinal($C0000004);
 if St = 0
   then Result := mPtr
   else VirtualFree(mPtr, 0, MEM_RELEASE);
end;
function Unlock(FileName:string):boolean;
var inf:PSYSTEM_HANDLE_INFORMATION_EX;
    i:integer;
    process,h:cardinal;
    p:pointer;
    buf:array[0..max_path] of char;
    s:string;
begin
result:=false;
p:=GetMemory(max_path);
ZeroMemory(p,max_path);
QueryDosDevice(PChar(ExtractFileDrive('c:\1.txt')),@buf,SizeOf(buf));
s:=FileName;
Delete(s,1,2);
s:=buf+s;
inf:=GetInfoTable(SystemHandleInformation);
for i:=0 to inf.NumberOfHandles-1 do begin
if inf.Information[i].ObjectTypeNumber=OB_TYPE_FILE then begin
process:=OpenProcess(PROCESS_DUP_HANDLE,false,inf.Information[i].ProcessId);
DuplicateHandle(process,inf.Information[i].Handle,getcurrentprocess,
                                  @h,0,false,DUPLICATE_SAME_ACCESS);
ZwQueryObject(h,1,p,max_path,nil);
if s=WideCharToString(TUnicodeString(p^).Buffer) then
  begin
   CloseHandle(h);
   if DuplicateHandle(process,inf.Information[i].Handle,GetCurrentProcess,
                    @h,0,false,DUPLICATE_CLOSE_SOURCE) then result:=true;
  end;
ZeroMemory(p,max_path);
CloseHandle(h);
CloseHandle(process);
end;
end;
end;
But, while the program is running, It is stopped (frozen) at ZwQueryObject:

Code: Select all

ZwQueryObject(h,1,p,max_path,nil);
I don't know why ?
Is there anybody help me ?

Thank you
Top
Post Reply

Return to “madCodeHook”