Help with writeprocessmemory

Postby alex-izumi » Wed Sep 15, 2004 1:31 pm

Hi all.

I've written a program that injects a DLL to hook WriteProcessMemory in a single process (explorer.exe).

The hook works fine, but the problem is this:

There is in my system a process that I don't know (I think I know, I'm not sure) that calls WriteProcessMemory to write something to the process I'm hooking... so the hook doesn't work, since I'm hooking explorer.exe and the caller is another process...

1.) I don't know if I'm thinking the right way, but do I need to hook the process that calls WriteProcessMemory?

2.) If I hook the whole system (ALL_SESSIONS or SYSTEM_PROCESSES), is there a way to find which process called and then drop it to protect the process?

3.) Or if I hook OpenProcess, changing the access right to PROCESS_VM_READ, is this going to work?

thanks!!!

ps. special thanks to madshi who helped me with tips and this great tool.
alex-izumi
 
Posts: 5
Joined: Sun Sep 12, 2004 12:33 am

Postby madshi » Wed Sep 15, 2004 9:40 pm

You need to hook the process which calls WriteProcessMemory, or you need to hook all processes system wide. You can either let OpenProcess fail or try to limit the access rights to not include PROCESS_VM_READ; however, limiting the access rights only works in the NT family. It doesn't work in win9x. If you do system wide hooking, you can simply call GetCurrentProcessId inside of the hook callback function to find out which process called the hooked API. Or you can call GetModuleFileName(0) to get the name of the process which called the hooked API.
madshi
Site Admin
 
Posts: 9810
Joined: Sun Mar 21, 2004 5:25 pm
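An added example of the approach madshi describes (not code from the thread or from madCodeHook): a system-wide OpenProcess hook whose callback identifies the caller with GetCurrentProcessId/GetModuleFileName and strips the rights WriteProcessMemory actually needs (PROCESS_VM_WRITE and PROCESS_VM_OPERATION) whenever a handle to the protected process is requested. The policy itself is in a plain function so it can be tested off Windows; the madCodeHook HookAPI signature, the "madCHook.h" header name and the g_ProtectedPid/OpenProcessNext names are assumptions.

```cpp
#include <cstdint>

// Access-right bits for OpenProcess (values as defined in <winnt.h>).
constexpr uint32_t kVmOperation = 0x0008;  // PROCESS_VM_OPERATION
constexpr uint32_t kVmWrite     = 0x0020;  // PROCESS_VM_WRITE

// Core policy, platform-independent so it can be unit tested:
// remove the write-capable rights when the requested handle targets the
// protected process; leave other targets (and the protected process
// opening itself) untouched.
uint32_t FilterAccess(uint32_t desired, uint32_t targetPid,
                      uint32_t protectedPid, uint32_t callerPid) {
    if (targetPid != protectedPid || callerPid == protectedPid)
        return desired;
    return desired & ~(kVmOperation | kVmWrite);
}

#ifdef _WIN32
#include <windows.h>
#include "madCHook.h"   // assumed madCodeHook C++ header

static DWORD g_ProtectedPid = 0;  // assumed: set by the injector (e.g. explorer's PID)
static HANDLE (WINAPI *OpenProcessNext)(DWORD, BOOL, DWORD) = nullptr;

// Hook callback: with system-wide injection this runs inside whichever
// process calls OpenProcess, so "current process" is the caller.
HANDLE WINAPI OpenProcessCallback(DWORD access, BOOL inherit, DWORD pid) {
    DWORD caller = GetCurrentProcessId();
    DWORD filtered = FilterAccess(access, pid, g_ProtectedPid, caller);
    if (filtered != access) {
        // Record which image asked for write access to the protected process.
        char exe[MAX_PATH] = {0};
        GetModuleFileNameA(NULL, exe, MAX_PATH);
        OutputDebugStringA(exe);
    }
    return OpenProcessNext(filtered, inherit, pid);
}

// Call from DllMain on DLL_PROCESS_ATTACH (assumed HookAPI signature).
bool InstallOpenProcessHook(DWORD protectedPid) {
    g_ProtectedPid = protectedPid;
    return HookAPI("kernel32.dll", "OpenProcess",
                   (PVOID)OpenProcessCallback, (PVOID*)&OpenProcessNext) != FALSE;
}
#endif
```

This only affects handles opened after the hook is installed; handles that already existed, or were obtained through DuplicateHandle, keep their original rights.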
