Error on hook api ZwOpenProcess on WinXP

c++ / delphi package - dll injection and api hooking

Error on hook api ZwOpenProcess on WinXP

Postby pambol » Wed Sep 19, 2018 12:05 pm

I'm receiving a blue screen of death when hooking the API ZwOpenProcess on Windows XP; why does it occur?
Another question: why do some Windows hooks hook some APIs and not others, like send from ws2_32.dll?

Thanks.
pambol
 
Posts: 29
Joined: Sat Jun 23, 2018 1:15 am

Re: Error on hook api ZwOpenProcess on WinXP

Postby iconic » Wed Sep 19, 2018 4:34 pm

Without seeing your ZwOpenProcess callback we'd be guessing at why you're BSODing. We simply need to see some code. What do you mean why are some APIs hooked like ws2_32.dll!send() and not others? If you load Winsock v1 (winsock.dll) it automatically forwards socket functions to Winsock v2 so hooking ws2_32.dll is all you need from XP forward. I assume that is what you meant?

--Iconic
iconic
 
Posts: 847
Joined: Wed Jun 08, 2005 5:08 am

Re: Error on hook api ZwOpenProcess on WinXP

Postby pambol » Thu Sep 20, 2018 1:01 am

Here is the code:

Code:
type
  NTStatus = cardinal;
  PObjectAttributes = ^TObjectAttributes;
  TObjectAttributes = packed record
    Length: DWORD;
    RootDirectory: THandle;
    ObjectName: PUnicodeString;
    Attributes: DWORD;
    SecurityDescriptor: Pointer;
    SecurityQualityOfService: Pointer;
  end;

type
  PClientID = ^TClientID;
  TClientID = packed record
    UniqueProcess: cardinal;
    UniqueThread: cardinal;
  end;

var
  // next-hook pointer filled in by HookApi; calling it passes the request on to the original API
  TrampolineZwOpenProcess: function(phProcess: PDWORD; AccessMask: DWORD; ObjectAttributes: PObjectAttributes; ClientID: PClientID): NTStatus; stdcall;

function InterceptZwOpenProcess(phProcess: PDWORD; AccessMask: DWORD; ObjectAttributes: PObjectAttributes; ClientID: PClientID): NTStatus; stdcall;
begin
  if AmSystemProcess then begin
    // system processes are always passed straight through
    Result := TrampolineZwOpenProcess(phProcess, AccessMask, ObjectAttributes, ClientID);
  end
  else
  begin
    if (ClientID <> nil) and Bloqueado(ClientID.UniqueProcess) then begin
      // "deny" path: returns 0 (= STATUS_SUCCESS) and sets a Win32 last-error value
      Result := NTStatus(nil);
      SetLastError(ERROR_ACCESS_DENIED);
    end
    else
    begin
      Result := TrampolineZwOpenProcess(phProcess, AccessMask, ObjectAttributes, ClientID);
    end;
  end;
end;


And this is how I hook it:

Code:
HookApi('ntdll.dll', 'ZwOpenProcess', @InterceptZwOpenProcess, @TrampolineZwOpenProcess);


Is something wrong?
pambol
 
Posts: 29
Joined: Sat Jun 23, 2018 1:15 am

Re: Error on hook api ZwOpenProcess on WinXP

Postby iconic » Thu Sep 20, 2018 11:43 pm

Let's see the code for your Bloqueado (blocked PID checking code). Your structs are incorrectly defined; if you expect to have this working on 64-bit you'll have issues. There is a 64-bit XP version.
Use the corrected ones below:

Code:
type
  NTSTATUS = LongInt;   // signed: failure codes such as $C0000022 are negative

  POBJECT_ATTRIBUTES = ^OBJECT_ATTRIBUTES;
  OBJECT_ATTRIBUTES = record
    Length: ULONG;
    RootDirectory: THandle;
    ObjectName: PUNICODE_STRING;   // declared elsewhere, e.g. in the JEDI API (JwaWinType) units
    Attributes: ULONG;
    SecurityDescriptor: PVOID;
    SecurityQualityOfService: PVOID;
  end;

type
  PCLIENT_ID = ^CLIENT_ID;
  CLIENT_ID = record
    UniqueProcess: THandle;   // pointer-sized, so the layout is right on both 32- and 64-bit
    UniqueThread: THandle;
  end;

var
  ZwOpenProcess: function(ProcessHandle: PHANDLE;
                          DesiredAccess: ACCESS_MASK;
                          ObjectAttributes: POBJECT_ATTRIBUTES;
                          ClientId: PCLIENT_ID): NTSTATUS; stdcall;


You shouldn't be returning 0 (meaning STATUS_SUCCESS) and then setting the last error value to ACCESS_DENIED. The error meaning is the opposite of a successful function call return! You need to return STATUS_ACCESS_DENIED, which is NTSTATUS($C0000022), and not 0/NIL when you want to block.

--Iconic
iconic
 
Posts: 847
Joined: Wed Jun 08, 2005 5:08 am

Re: Error on hook api ZwOpenProcess on WinXP

Postby pambol » Fri Sep 21, 2018 2:07 am

The Bloqueado function is just a loop over a .ini file that checks whether the PID exists or not.

How should I return a result from:
Code:
function InterceptZwWriteProcessMemory(hProcess: THandle; const lpBaseAddress: Pointer; lpBuffer: Pointer; nSize: ULONG; var lpNumberOfBytesWritten: PULONG): NTStatus; stdcall;


to deny? Because I'm using the same code as for OpenProcess:

Code:
Result := NTStatus(nil);
SetLastError(ERROR_ACCESS_DENIED);
pambol
 
Posts: 29
Joined: Sat Jun 23, 2018 1:15 am

Re: Error on hook api ZwOpenProcess on WinXP

Postby iconic » Fri Sep 21, 2018 2:14 pm

There is no ZwWriteProcessMemory; there is ZwWriteVirtualMemory. The correct API prototype is below:

Code:
function ZwWriteVirtualMemory(ProcessHandle: THandle;
                              BaseAddress: Pointer;
                              Buffer: Pointer;
                              NumberOfBytesToWrite: DWORD;
                              NumberOfBytesWritten: PULONG): NTSTATUS; stdcall;


I've explained in my previous post that you need to have the function return an NTSTATUS error code to indicate failure, not success. All you need to do is set Result := STATUS_ACCESS_DENIED; to achieve this. Wrappers like WriteProcessMemory(), which call NtWriteVirtualMemory(), check the return and if < STATUS_SUCCESS will call BaseSetLastNTError(), which does a SetLastError(RtlNtStatusToDosError(Nt_Status)); and exits. Therefore you do not need to explicitly set any error code yourself; only set the appropriate return code in Result.


--Iconic
iconic
 
Posts: 847
Joined: Wed Jun 08, 2005 5:08 am
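A ZwOpenProcess callback written the way iconic describes in this and his previous reply, as an added example that is not code from the thread, from madshi or from the madCodeHook package: the deny path returns STATUS_ACCESS_DENIED and sets no Win32 error itself, and everything else is a pure passthrough (the shape madshi recommends starting from when debugging a crash). BlockedPid (the PID the hook should refuse to open, filled in by the protected application before the hook is installed) and the use of madCodeHook's HookApi as on this thread are assumptions; the same pattern applies to a ZwWriteVirtualMemory callback.

```pascal
unit DenyOpenProcessHook;

interface

implementation

uses
  Windows, madCodeHook;

type
  NTSTATUS = LongInt;            // signed: failure codes such as $C0000022 are < 0
  POBJECT_ATTRIBUTES = ^OBJECT_ATTRIBUTES;
  OBJECT_ATTRIBUTES = record
    Length: ULONG;
    RootDirectory: THandle;
    ObjectName: Pointer;         // PUNICODE_STRING; never dereferenced here, kept opaque
    Attributes: ULONG;
    SecurityDescriptor: PVOID;
    SecurityQualityOfService: PVOID;
  end;
  PCLIENT_ID = ^CLIENT_ID;
  CLIENT_ID = record
    UniqueProcess: THandle;      // pointer-sized, so the layout is right on Win64 too
    UniqueThread: THandle;
  end;

const
  STATUS_ACCESS_DENIED = NTSTATUS($C0000022);

var
  // Assumed: set by the protected application before HookApi runs.
  BlockedPid: DWORD = 0;
  NextZwOpenProcess: function(ProcessHandle: PHANDLE; DesiredAccess: ACCESS_MASK;
    ObjectAttributes: POBJECT_ATTRIBUTES; ClientId: PCLIENT_ID): NTSTATUS; stdcall;

function InterceptZwOpenProcess(ProcessHandle: PHANDLE; DesiredAccess: ACCESS_MASK;
  ObjectAttributes: POBJECT_ATTRIBUTES; ClientId: PCLIENT_ID): NTSTATUS; stdcall;
begin
  // Deny only the one blocked PID by returning an NTSTATUS failure; the Win32
  // wrapper (OpenProcess) maps it to ERROR_ACCESS_DENIED itself, so no
  // SetLastError here. Every other request passes straight through.
  if (ClientId <> nil) and (DWORD(ClientId^.UniqueProcess) = BlockedPid) then
    Result := STATUS_ACCESS_DENIED
  else
    Result := NextZwOpenProcess(ProcessHandle, DesiredAccess, ObjectAttributes, ClientId);
end;

initialization
  HookApi('ntdll.dll', 'ZwOpenProcess', @InterceptZwOpenProcess, @NextZwOpenProcess);
end.
```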

Re: Error on hook api ZwOpenProcess on WinXP

Postby pambol » Fri Sep 21, 2018 10:27 pm

So WriteProcessMemory doesn't call NtWriteProcessMemory, which calls ZwWriteProcessMemory?

Another question: what does InjectLibraryW use, WriteProcessMemory or WriteVirtualMemory?
pambol
 
Posts: 29
Joined: Sat Jun 23, 2018 1:15 am

Re: Error on hook api ZwOpenProcess on WinXP

Postby iconic » Fri Sep 21, 2018 11:30 pm

ZwWriteVirtualMemory() and NtWriteVirtualMemory() thunk to the same address in usermode's ntdll, meaning they're the exact same API in usermode with the same virtual address. WriteProcessMemory just wraps the lower-level native API, and also takes care of page protection for the write and cache flushing afterwards.

--Iconic
iconic
 
Posts: 847
Joined: Wed Jun 08, 2005 5:08 am

Re: Error on hook api ZwOpenProcess on WinXP

Postby madshi » Tue Sep 25, 2018 8:33 am

Pambol, whenever you have problems with blue screens or similar, the first step would be to empty your hook callback functions and do nothing but "return TrampolineZwOpenProcess(original parameters)", so basically a pure passthrough. If you do that, does the blue screen go away? If so, put your code back in step by step to find out which part of your code is causing the blue screen.
madshi
Site Admin
 
Posts: 9880
Joined: Sun Mar 21, 2004 5:25 pm

Re: Error on hook api ZwOpenProcess on WinXP

Postby pambol » Wed Sep 26, 2018 11:06 pm

@madshi

What functions does InjectLibraryW use? I mean WriteProcessMemory or WriteVirtualMemory?
pambol
 
Posts: 29
Joined: Sat Jun 23, 2018 1:15 am

Re: Error on hook api ZwOpenProcess on WinXP

Postby madshi » Thu Sep 27, 2018 6:56 am

WriteProcessMemory. I don't know any API named WriteVirtualMemory.
madshi
Site Admin
 
Posts: 9880
Joined: Sun Mar 21, 2004 5:25 pm

Re: Error on hook api ZwOpenProcess on WinXP

Postby iconic » Fri Sep 28, 2018 5:27 pm

Pambol,

The only thing you need to know is that any high-level wrapper in usermode for writing to a target address space will eventually call the native API Nt/ZwWriteVirtualMemory inside ntdll somewhere down the call chain. This includes WriteProcessMemory, so all you need to do is hook Nt/ZwWriteVirtualMemory inside ntdll.


--Iconic
iconic
 
Posts: 847
Joined: Wed Jun 08, 2005 5:08 am

Re: Error on hook api ZwOpenProcess on WinXP

Postby pambol » Sun Sep 30, 2018 4:32 am

Iconic,
Yes, I only hook these APIs. I asked which APIs are used for injection since they try to inject something into my application, so I call a restore before the injection.
pambol
 
Posts: 29
Joined: Sat Jun 23, 2018 1:15 am
