ZwCreateSection hook code

c++ / delphi package - dll injection and api hooking
iconic
Site Admin
Posts: 1065
Joined: Wed Jun 08, 2005 5:08 am

Post by iconic »

Edit: But you only catch exe files. I was catching also .bat, .com and other wannabe executables.
This example will also definitely work with any executable file type, i.e. .bat, .com, .dll, .cpl, .drv, .sys, etc.

Just remove the isExe() check and modify it as you see fit :D

--Iconic
Runner
Posts: 90
Joined: Tue Dec 14, 2004 1:04 pm

Post by Runner »

Yeah I know. Just shared my 2 cents :D
iconic
Site Admin
Posts: 1065
Joined: Wed Jun 08, 2005 5:08 am

Post by iconic »

Your 2 cents are always welcome :D

By the way, I was scanning the forum last week and I noticed a few people wondered how to get the logical drive letter from a symbolic link (DOS device name), and I've had success with an example I wrote for someone quite a while ago. I think you also needed to do this? If you still need to know how, the code is below; that's the only way I know of.


Procedure MapSymbolicLinks(const LV: TListView);
const
  mem_sz = 16000;   // buffer size in characters (QueryDosDevice counts TCHARs, not bytes)
var
  p: PChar;
  sz, i: Cardinal;
  buf: array [0..MAX_PATH] of Char;
  sl: TStringList;
begin
  sl := TStringList.Create();
  try
    GetMem(p, mem_sz * SizeOf(Char));
    try
      ZeroMemory(p, mem_sz * SizeOf(Char));
      // A nil device name returns every MS-DOS device name as a
      // double-null-terminated list: 'C:'#0'D:'#0'PhysicalDrive0'#0#0
      sz := QueryDosDevice(nil, p, mem_sz);
      if sz = 0 then
        RaiseLastOSError;
      // Replace the embedded #0 separators with line feeds so CommaText
      // (which skips control characters) splits the list into items
      for i := 0 to sz - 1 do
        if p[i] = #0 then
          p[i] := #10;
      sl.CommaText := p;
      LV.Items.BeginUpdate();
      try
        for i := 0 to sl.Count - 1 do
          with LV.Items.Add() do
          begin
            Caption := sl[i];
            // Resolve one device name to its NT target, e.g. C: -> \Device\HarddiskVolume1
            ZeroMemory(@buf, SizeOf(buf));
            if QueryDosDevice(PChar(sl[i]), buf, Length(buf)) <> 0 then
              SubItems.Add(buf)
            else
              SubItems.Add('');
          end;
      finally
        LV.Items.EndUpdate();
      end;
    finally
      FreeMem(p);
    end;
  finally
    sl.Free;
  end;
end;
--Iconic
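Added example (my own code, not iconic's or the package's): the reverse of the listing above, resolving an NT device path of the kind a ZwCreateSection hook sees in ObjectName back to a drive-letter path, so a monitor can log 'C:\Windows\notepad.exe' instead of '\Device\HarddiskVolume1\...'. The function name NtDevicePathToDosPath and the sample path are mine; it assumes the Windows and SysUtils units.

```delphi
program NtPathDemo;
{$APPTYPE CONSOLE}
uses
  Windows, SysUtils;

// Maps '\Device\HarddiskVolumeN\...' to 'X:\...' by asking QueryDosDevice what
// every drive letter is linked to and matching that target as a path prefix.
// Returns '' when no mounted drive letter matches.
function NtDevicePathToDosPath(const NtPath: string): string;
var
  Letter: Char;
  Drive, Prefix: string;
  Target: array[0..MAX_PATH] of Char;
  TargetLen: Cardinal;
begin
  Result := '';
  for Letter := 'A' to 'Z' do
  begin
    Drive := Letter + ':';
    // Fills Target with the NT name behind the letter, e.g. '\Device\HarddiskVolume1';
    // fails (returns 0) for letters that are not in use.
    TargetLen := QueryDosDevice(PChar(Drive), Target, Length(Target));
    if (TargetLen = 0) or (Target[0] = #0) then
      Continue;
    Prefix := PChar(@Target[0]);   // first null-terminated entry is the current target
    // Insist on a '\' (or end of string) right after the device name so that
    // '\Device\HarddiskVolume1' does not match '\Device\HarddiskVolume10\...'.
    if (Length(NtPath) >= Length(Prefix)) and
       SameText(Copy(NtPath, 1, Length(Prefix)), Prefix) and
       ((Length(NtPath) = Length(Prefix)) or (NtPath[Length(Prefix) + 1] = '\')) then
    begin
      Result := Drive + Copy(NtPath, Length(Prefix) + 1, MaxInt);
      Exit;
    end;
  end;
end;

begin
  // Constructed sample path; in a hook the string comes from ObjectName's Buffer/Length.
  WriteLn(NtDevicePathToDosPath('\Device\HarddiskVolume1\Windows\notepad.exe'));
end.
```

SUBST and network drives report targets such as '\??\C:\dir' or '\Device\LanmanRedirector\...', which do not start with a '\Device\HarddiskVolume' prefix, so paths on them come back as '' and need separate handling.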
rionroc
Posts: 6
Joined: Sun May 24, 2009 7:19 pm

Post by rionroc »

hi
s:=WideCharToString(ObjectAttributes^.ObjectName^.Buffer); //gets the filename?