I've just been working on a KiFastSystemCall hook using madCodeHook and since it was a bit harder than I would have hoped, I figured I'd share my code (incase someone cares
).Code: Select all
program KiFastSystemCall;
uses
Windows, madCodeHook, SysUtils;
var
realKiFastSystemCall: procedure;
dwIndexPVM: DWORD;
function hookZwProtectVirtualMemory(hProcess: THandle; lpAddress: Pointer; dwSize, flNewProtect: DWORD; lpflOldProtect: Pointer): DWORD; stdcall;
var
Stack1, Stack2: DWORD;
begin
Result := 0;
MessageBoxA(0, PChar(IntToHex(DWORD(lpAddress), 8)), 'ZwProtectVirtualMemory', 0);
asm
pop eax
mov [Stack1], eax
pop eax
mov [Stack2], eax
mov eax, [dwIndexPVM]
call realKiFastSystemCall
mov [Result], eax
push [Stack2]
push [Stack1]
end;
end;
procedure hookKiFastSystemCall; assembler;
label
CallPVM;
begin
asm
cmp eax, [dwIndexPVM]
je @CallPVM
jmp realKiFastSystemCall
@CallPVM:
pop eax
jmp hookZwProtectVirtualMemory
end;
end;
begin
MessageBoxA(0, 'You need to call me once before you install the hook, otherwise I don''t initialize properly.', 'MessageBoxA Bug Fix', 0);
dwIndexPVM := PDWORD(DWORD(GetProcAddress(GetModuleHandle('ntdll.dll'), 'ZwProtectVirtualMemory'))+1)^;
HookAPI('ntdll.dll', 'KiFastSystemCall', @hookKiFastSystemCall, @realKiFastSystemCall);
end.@madshi
While I don't think it's a big issue (at all), I do think it might be neat if you could add some form of support/automation to make hooking KiFastSystemCall simpler
Edit: Just a note, I probably could have made this code substantialy more modular in terms of being able to hook more than one system function, but I haven't looked into wether I can use the same return code for all of the functions yet.