Hooking Question

alex-izumi
Posts: 5
Joined: Sun Sep 12, 2004 12:33 am

Post by alex-izumi »

Hi all...

I've started using madCodeHook (it's way too great! :D) and I need to make a program that protects some process...

I've written it so it's protecting from "TerminateProcess" and "ExitProcess". I tested it and it's working...

Now I need to give this process read-only access: if some other process tries to write to it, restart it, or do whatever to it, the hook won't let it write... I don't know if I explained it well since my English sucks.

Is it possible? If so, can you give me some advice?

ty
madshi
Site Admin
Posts: 10764
Joined: Sun Mar 21, 2004 5:25 pm

Post by madshi »

Read-only access to what? Don't let it write to what?
alex-izumi
Posts: 5
Joined: Sun Sep 12, 2004 12:33 am

Post by alex-izumi »

To a process like EXPLORER.exe.

I don't want anything to write to it, restart it, or do whatever to it; I just want to give read-only access.

Do I need to hook WriteProcessMemory? If so, can you give me an example?
madshi
Site Admin
Posts: 10764
Joined: Sun Mar 21, 2004 5:25 pm

Post by madshi »

Well, you have to define what you mean with write access exactly. There is no real definition for "write access to a process" in Windows. I guess you mean you want to stop manipulation of another process somehow? Then you will have to hook a whole bunch of APIs. E.g. WriteProcessMemory, CreateRemoteThread, TerminateProcess, TerminateThread, maybe even Send/PostMessage...

Perhaps you should just hook OpenProcess and don't let it succeed under the wanted circumstances. Then you could probably forget about hooking TerminateProcess and CreateRemoteThread and WriteProcessMemory.
alex-izumi
Posts: 5
Joined: Sun Sep 12, 2004 12:33 am

Post by alex-izumi »

Wow, nice suggestion. If it won't open, it won't close it :D lol.

I saw this on the site:

function OpenProcessCallback(access         : dword;
                             inheritHandles : bool;
                             processHandle  : dword) : dword; stdcall;
begin

  // ###### what do I need to put here? how do I kill it so it won't open the process?

end;

Then I hook it with:

HookAPI('kernel32.dll', 'OpenProcessCall', @openprocesscallback, @openprocesscallbacknext);

PS: Sorry, I'm very new to this. Thanks for your help and patience.
madshi
Site Admin
Posts: 10764
Joined: Sun Mar 21, 2004 5:25 pm

Post by madshi »

>> what i need to put here? how do i kill it so it wont open the process?

Well, I can't do all the work for you. Generally I'm refusing to do that. Mainly for one reason: If I do all the work, you'll come back with every little question again and again in the future and I simply don't have the time for that. You need to dig into this yourself.

What I can say is this: Look up the documentation of OpenProcess and read how the caller of OpenProcess can find out whether the call succeeded or not. Your Callback must behave so that the caller of OpenProcess can properly detect that his OpenProcess call failed. And the caller should also be able to ask why.

HookAPI('kernel32.dll', 'OpenProcessCall', @openprocesscallback, @openprocesscallbacknext);

That's incorrect. Check out Windows.pas to see how OpenProcess is defined and which dll exports it with which name.
alex-izumi
Posts: 5
Joined: Sun Sep 12, 2004 12:33 am

Post by alex-izumi »

madshi,

I do understand what you told me, and I agree, I'm being too lazy.

I was trying to do the proggie work last night and I came up with this piece of code:


var
  // filled in by HookAPI: points at the original OpenProcess
  OpenProcessNext : function (access : dword; inheritHandles : bool;
                              processHandle : dword) : dword; stdcall;

function OpenProcessCallback(access         : dword;
                             inheritHandles : bool;
                             processHandle  : dword) : dword; stdcall;
begin
  // ThisIsOurProcess: my own check (not shown) whether this is the process I'm protecting
  if ThisIsOurProcess(processHandle) then begin
    result := null;                      // no handle for the caller
    SetLastError(ERROR_ACCESS_DENIED);   // and tell it why
  end else
    result := OpenProcessNext(access, inheritHandles, processHandle);
end;
The hook part you told me about:
>> HookAPI('kernel32.dll', 'OpenProcessCall', @openprocesscallback, @openprocesscallbacknext);

I changed to

HookAPI('kernel32.dll', 'OpenProcess', @OpenProcessCallback, @OpenProcessNext);

I have tried it and it seems to work now :D
madshi
Site Admin
Posts: 10764
Joined: Sun Mar 21, 2004 5:25 pm

Post by madshi »

Looks just fine to me, well done. Just one little thing: I wouldn't use "null". That's a C++ term. In Delphi that's something with Variants. Just use "0" instead.
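The pieces of this thread assembled into one hook unit (hook OpenProcess, refuse the protected process with a 0 handle plus ERROR_ACCESS_DENIED so callers can detect and query the failure, and madshi's "0 instead of null" correction), as an added example that is not code from the thread or from madCodeHook itself. It assumes madCodeHook's HookAPI/UnhookAPI pair in the call form used above, lets the protected process open itself, and uses a constructed PROTECT_PID environment-variable convention as a stand-in for however the protector hands the PID to the hook DLL (a real deployment needs a channel that reaches every hooked process); the third callback parameter is the process ID, as in Windows.pas.

```delphi
unit ProtectOpenProcess;

interface

implementation

uses
  Windows, SysUtils, madCodeHook;

var
  // PID of the process to shield; 0 means "protect nothing"
  ProtectedPid    : dword = 0;
  // receives the address of the original OpenProcess when HookAPI succeeds
  OpenProcessNext : function (access : dword; inheritHandle : bool;
                              processId : dword) : dword; stdcall;

// Assumption for this example: a process may always open itself; every other
// caller asking for the protected PID is refused.
function IsProtectedProcess(processId : dword) : boolean;
begin
  result := (ProtectedPid <> 0) and (processId = ProtectedPid) and
            (processId <> GetCurrentProcessId);
end;

// Same signature as OpenProcess in Windows.pas: the third parameter is the
// process ID, not a handle.
function OpenProcessCallback(access : dword; inheritHandle : bool;
                             processId : dword) : dword; stdcall;
begin
  if IsProtectedProcess(processId) then begin
    // fail the way the real API fails: no handle, reason via GetLastError
    result := 0;
    SetLastError(ERROR_ACCESS_DENIED);
  end else
    // everything else passes through to the original OpenProcess untouched
    result := OpenProcessNext(access, inheritHandle, processId);
end;

initialization
  // constructed convention: the protected PID arrives in an environment
  // variable so that nothing is hardcoded (see the lead-in for the caveat)
  ProtectedPid := StrToIntDef(SysUtils.GetEnvironmentVariable('PROTECT_PID'), 0);
  if not HookAPI('kernel32.dll', 'OpenProcess',
                 @OpenProcessCallback, @OpenProcessNext) then
    OutputDebugString('HookAPI(OpenProcess) failed');

finalization
  UnhookAPI(@OpenProcessNext);

end.
```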