[Question] Replace FileName Handle by Mutant

c++ / delphi package - dll injection and api hooking
ruined
Posts: 2
Joined: Mon Jul 29, 2013 4:01 pm

Post by ruined »

Hi. I have a question: can somebody share code like my post title in the Delphi language?
Here is what I mean (example):

Image

In that picture the Name is "\BaseNamedObject\LOADERF_MUTEX". Here is my question:
I inject my DLL into the process; how do I code changing the name "\BaseNamedObject\LOADERF_MUTEX" to "\BaseNamedObject\MUTEX"?

Thanks a lot for answering my question, I need the code for my program :D
madshi
Site Admin
Posts: 10753
Joined: Sun Mar 21, 2004 5:25 pm

Re: [Question] Replace FileName Handle by Mutant

Post by madshi »

I doubt that this is possible to do with documented APIs. I don't know how to do it with undocumented means, either...
ruined
Posts: 2
Joined: Mon Jul 29, 2013 4:01 pm

Re: [Question] Replace FileName Handle by Mutant

Post by ruined »

madshi wrote: I doubt that this is possible to do with documented APIs. I don't know how to do it with undocumented means, either...
Thanks for the reply, sir. Can you give some sample code?
This is my sample code for CloseHandle on the handle held by the mutant:

Code:

procedure Test;
var
  sDummy      : string;
  hProcess    : THandle;
  hObject     : THandle;
  ResultLength: DWORD;
  aBufferSize : DWORD;
  aIndex      : Integer;
  pHandleInfo : PSYSTEM_HANDLE_INFORMATION;
  HDummy      : THandle;
  lpwsName    : PWideChar;
  lpwsType    : PWideChar;
  lpszProcess : PAnsiChar;
begin
  // NTQueryObject, NTQuerySystemInformation, GetObjectInfo, DefaulBUFFERSIZE and the
  // SYSTEM_HANDLE_INFORMATION types are not shown in this post and must be declared elsewhere.
  pHandleInfo := nil;  // keeps the finally block safe if an exception occurs before the allocation
  try
    NTQueryObject            := GetProcAddress(GetModuleHandle('NTDLL.DLL'), 'NtQueryObject');
    NTQuerySystemInformation := GetProcAddress(GetModuleHandle('NTDLL.DLL'), 'NtQuerySystemInformation');
    if (@NTQueryObject <> nil) and (@NTQuerySystemInformation <> nil) then  // both entry points are required
    begin
      aBufferSize := DefaulBUFFERSIZE;
      pHandleInfo := AllocMem(aBufferSize);
      HDummy      := NTQuerySystemInformation(DWORD(SystemHandleInformation), pHandleInfo, aBufferSize, @ResultLength);  // Get the list of handles

      if (HDummy = STATUS_SUCCESS) then  // If no error, continue
      begin
        for aIndex := 0 to pHandleInfo^.uCount - 1 do  // Iterate the list
        begin
          hProcess := OpenProcess(PROCESS_DUP_HANDLE or PROCESS_QUERY_INFORMATION or PROCESS_VM_READ, FALSE, pHandleInfo.Handles[aIndex].uIdProcess);  // Open the process to get additional info
          if (hProcess <> 0) then  // OpenProcess returns 0 on failure, not INVALID_HANDLE_VALUE
          begin
            hObject := 0;
            if DuplicateHandle(hProcess, pHandleInfo.Handles[aIndex].Handle, GetCurrentProcess(), @hObject, STANDARD_RIGHTS_REQUIRED, FALSE, 0) then  // Get a copy of the original handle
            begin
              lpwsName := GetObjectInfo(hObject, ObjectNameInformation);  // Get the object name linked to the handle
              if (lpwsName <> nil) then
              begin
                lpwsType    := GetObjectInfo(hObject, ObjectTypeInformation);
                lpszProcess := AllocMem(MAX_PATH);

                if GetModuleFileNameEx(hProcess, 0, lpszProcess, MAX_PATH) <> 0 then  // Get the name of the process
                  sDummy := ExtractFileName(lpszProcess)
                else
                  sDummy := 'System Process';

                // CloseHandle works on the current process's handle table, so only act on
                // entries that belong to this process (the one the DLL is loaded into).
                if (lpwsName = '\BaseNamedObjects\LOADPERF_MUTEX') and
                   (pHandleInfo.Handles[aIndex].uIdProcess = GetCurrentProcessId) then
                begin
                  ShowMessage('Found And Killed');
                  CloseHandle(pHandleInfo.Handles[aIndex].Handle);
                end;

                FreeMem(lpwsName);
                FreeMem(lpwsType);
                FreeMem(lpszProcess);
              end;
              CloseHandle(hObject);  // Close our duplicate
            end;
            CloseHandle(hProcess);
          end;
        end;
      end;
    end;
  finally
    FreeMem(pHandleInfo);
  end;
end;
That's the code to close the handle. How can I modify it to change the file name?
madshi
Site Admin
Posts: 10753
Joined: Sun Mar 21, 2004 5:25 pm

Re: [Question] Replace FileName Handle by Mutant

Post by madshi »

As I said, I don't know how. Of course you can create a new handle, but it's luck if it gets the same handle value, and I don't really know if that achieves what you want.