
Error on hook api ZwOpenProcess on WinXP

Posted: Wed Sep 19, 2018 12:05 pm
by pambol
I'm getting a blue screen of death when hooking the API ZwOpenProcess on Windows XP. Why does it occur?
Another question: why do some Windows hooks hook some APIs and not others? Like send from ws2_32.dll.

Thanks.

Re: Error on hook api ZwOpenProcess on WinXP

Posted: Wed Sep 19, 2018 4:34 pm
by iconic
Without seeing your ZwOpenProcess callback we'd be guessing at why you're BSODing. We simply need to see some code. What do you mean why are some APIs hooked like ws2_32.dll!send() and not others? If you load Winsock v1 (winsock.dll) it automatically forwards socket functions to Winsock v2 so hooking ws2_32.dll is all you need from XP forward. I assume that is what you meant?

--Iconic

Re: Error on hook api ZwOpenProcess on WinXP

Posted: Thu Sep 20, 2018 1:01 am
by pambol
Here is the code:

type
  NTStatus = cardinal;
  PObjectAttributes = ^TObjectAttributes;
  TObjectAttributes = packed record
    Length: DWORD;
    RootDirectory: THandle;
    ObjectName: PUnicodeString;
    Attributes: DWORD;
    SecurityDescriptor: Pointer;
    SecurityQualityOfService: Pointer;
  end;

type
  PClientID = ^TClientID;
  TClientID = packed record
    UniqueProcess: cardinal;
    UniqueThread: cardinal;
  end;

var
  TrampolineZwOpenProcess: function(phProcess: PDWORD; AccessMask: DWORD; ObjectAttributes: PObjectAttributes; ClientID: PClientID): NTStatus; stdcall; // external 'ntdll.dll' name 'NtOpenProcess';

function InterceptZwOpenProcess(phProcess: PDWORD; AccessMask: DWORD; ObjectAttributes: PObjectAttributes; ClientID: PClientID): NTStatus; stdcall;
begin
  if AmSystemProcess then begin
    Result := TrampolineZwOpenProcess(phProcess, AccessMask, ObjectAttributes, ClientID);
  end
  else
  begin
    if (ClientID <> nil) and Bloqueado(ClientID.UniqueProcess) then begin
      Result := NTStatus(nil);
      SetLastError(ERROR_ACCESS_DENIED);
    end
    else
    begin
      Result := TrampolineZwOpenProcess(phProcess, AccessMask, ObjectAttributes, ClientID);
    end;
  end;
end;
And here is how I hook it:

HookApi('ntdll.dll', 'ZwOpenProcess', @InterceptZwOpenProcess, @TrampolineZwOpenProcess);

Is something wrong?

Re: Error on hook api ZwOpenProcess on WinXP

Posted: Thu Sep 20, 2018 11:43 pm
by iconic
Let's see the code for your Bloqueado (blocked PID checking) function. Your structs are incorrectly defined; if you expect to have this working on 64-bit you'll have issues. There is a 64-bit XP version.
Use the corrected ones below:

type
  NTSTATUS = LongInt;

  POBJECT_ATTRIBUTES = ^OBJECT_ATTRIBUTES;
  OBJECT_ATTRIBUTES = record
    Length: ULONG;
    RootDirectory: THandle;
    ObjectName: PUNICODE_STRING;
    Attributes: ULONG;
    SecurityDescriptor: PVOID;
    SecurityQualityOfService: PVOID;
  end;

type
  PCLIENT_ID = ^CLIENT_ID;
  CLIENT_ID = record
    UniqueProcess: THandle;
    UniqueThread: THandle;
  end;

var
  ZwOpenProcess: function(ProcessHandle: PHANDLE;
                          DesiredAccess: ACCESS_MASK;
                          ObjectAttributes: POBJECT_ATTRIBUTES;
                          ClientId: PCLIENT_ID): NTSTATUS; stdcall;

You shouldn't be returning 0 (meaning STATUS_SUCCESS) and then setting the last error value to ACCESS_DENIED. The error's meaning is the opposite of a successful function call return! You need to return STATUS_ACCESS_DENIED, which is NTSTATUS($C0000022), and not 0/nil when you want to block.

--Iconic

Re: Error on hook api ZwOpenProcess on WinXP

Posted: Fri Sep 21, 2018 2:07 am
by pambol
The Bloqueado function is just a loop over a .ini file that checks whether the PID exists or not.

How should I return a result from:

function InterceptZwWriteProcessMemory(hProcess: THandle; const lpBaseAddress: Pointer; lpBuffer: Pointer; nSize: ULONG; var lpNumberOfBytesWritten: PULONG): NTStatus; stdcall;

to deny? Because I'm using the same code as for OpenProcess:

Result := NTStatus(nil);
SetLastError(ERROR_ACCESS_DENIED);

Re: Error on hook api ZwOpenProcess on WinXP

Posted: Fri Sep 21, 2018 2:14 pm
by iconic
There is no ZwWriteProcessMemory, there is ZwWriteVirtualMemory. Correct API prototype is below

function ZwWriteVirtualMemory(ProcessHandle: THandle;
                              BaseAddress: Pointer;
                              Buffer: Pointer;
                              NumberOfBytesToWrite: DWORD;
                              NumberOfBytesWritten: PULONG): NTSTATUS; stdcall;

I've explained in my previous post you need to have the function return an NTSTATUS error code to indicate failure, not success. All you need to do is set Result := STATUS_ACCESS_DENIED; to achieve this. Wrappers like WriteProcessMemory() which call NtWriteVirtualMemory() check the return and if < STATUS_SUCCESS will call BaseSetLastNTError() which does a SetLastError(RtlNtStatusToDosError(Nt_Status)); and exits. Therefore you do not need to explicitly set any error code yourself, only set the appropriate return code in Result.


--Iconic
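The two points Iconic makes in this post and in the corrected-structs post above (return a failing NTSTATUS rather than 0 plus SetLastError, and declare CLIENT_ID with pointer-sized handles) can be checked without a hook at all. The following is an added example, not code from the thread or from madCodeHook: a portable C model of the native-API return contract and of what a Win32 wrapper such as OpenProcess() does with it. The typedefs, the `bloqueado()` stand-in, the blocked PID list, the fake trampoline, the one-entry `nt_status_to_dos_error()` and the stale handle value `0xDEADBEEF` are all constructed assumptions chosen so the file builds and runs on any C compiler; only the status values and the NT_SUCCESS rule are the real Windows ones.

```c
/* Added example (not from the thread or madCodeHook): why a hook callback
 * that returns 0 and calls SetLastError() does not block anything, and what
 * the corrected callback returns instead.  Builds with: gcc -std=c99 model.c */
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Assumed stand-ins for the Windows SDK types so this compiles anywhere. */
typedef int32_t  NTSTATUS;     /* signed: a failure has the high bit set */
typedef void    *HANDLE;       /* pointer-sized, unlike the thread's 'cardinal' */
typedef uint32_t ACCESS_MASK;

#define STATUS_SUCCESS         ((NTSTATUS)0x00000000)
#define STATUS_ACCESS_DENIED   ((NTSTATUS)0xC0000022)
#define NT_SUCCESS(s)          ((NTSTATUS)(s) >= 0)
#define ERROR_ACCESS_DENIED    5u
#define ERROR_MR_MID_NOT_FOUND 317u

/* CLIENT_ID as Iconic corrected it: two HANDLEs, 8 bytes on x86, 16 on x64. */
typedef struct { HANDLE   UniqueProcess; HANDLE   UniqueThread; } CLIENT_ID;
/* The thread's original 'cardinal' layout: always 8 bytes, wrong on x64. */
typedef struct { uint32_t UniqueProcess; uint32_t UniqueThread; } CLIENT_ID_WRONG;

/* Constructed stand-in for the .ini-driven Bloqueado() check. */
static const uintptr_t blocked_pids[] = { 1234, 4321 };

static int bloqueado(uintptr_t pid) {
    for (size_t i = 0; i < sizeof blocked_pids / sizeof blocked_pids[0]; i++)
        if (blocked_pids[i] == pid) return 1;
    return 0;
}

/* Stand-in for the trampoline into the real NtOpenProcess: always succeeds
 * and hands back a fake handle value. */
static NTSTATUS trampoline_open_process(HANDLE *out, ACCESS_MASK a, const CLIENT_ID *cid) {
    (void)a; (void)cid;
    *out = (HANDLE)(uintptr_t)0x1000;
    return STATUS_SUCCESS;
}

static uint32_t last_error;                   /* models SetLastError()/GetLastError() */
static uint32_t get_last_error(void) { return last_error; }

/* The thread's original callback: reports STATUS_SUCCESS, sets the last-error
 * value, and never writes *out.  The caller sees success and uses garbage. */
static NTSTATUS intercept_buggy(HANDLE *out, ACCESS_MASK a, const CLIENT_ID *cid) {
    if (cid && bloqueado((uintptr_t)cid->UniqueProcess)) {
        last_error = ERROR_ACCESS_DENIED;
        return (NTSTATUS)0;
    }
    return trampoline_open_process(out, a, cid);
}

/* Corrected callback: deny with a failing NTSTATUS and nothing else. */
static NTSTATUS intercept_fixed(HANDLE *out, ACCESS_MASK a, const CLIENT_ID *cid) {
    if (cid && bloqueado((uintptr_t)cid->UniqueProcess))
        return STATUS_ACCESS_DENIED;
    return trampoline_open_process(out, a, cid);
}

/* One-entry model of RtlNtStatusToDosError(): enough for this example. */
static uint32_t nt_status_to_dos_error(NTSTATUS s) {
    return s == STATUS_ACCESS_DENIED ? ERROR_ACCESS_DENIED : ERROR_MR_MID_NOT_FOUND;
}

/* Models the Win32 wrapper around the native call: only a failing NTSTATUS
 * makes it set the Win32 error (BaseSetLastNTError) and return NULL. */
static HANDLE open_process_wrapper(NTSTATUS (*native)(HANDLE *, ACCESS_MASK, const CLIENT_ID *),
                                   uintptr_t pid) {
    CLIENT_ID cid = { (HANDLE)pid, NULL };
    HANDLE h = (HANDLE)(uintptr_t)0xDEADBEEF;   /* models an uninitialized stack slot */
    NTSTATUS st = native(&h, 0x1FFFFF /* PROCESS_ALL_ACCESS */, &cid);
    if (!NT_SUCCESS(st)) {
        last_error = nt_status_to_dos_error(st);
        return NULL;
    }
    return h;
}

int main(void) {
    printf("sizeof(CLIENT_ID)=%zu sizeof(CLIENT_ID_WRONG)=%zu\n",
           sizeof(CLIENT_ID), sizeof(CLIENT_ID_WRONG));
    printf("buggy  -> handle %p, last error %u\n", open_process_wrapper(intercept_buggy, 1234), get_last_error());
    printf("fixed  -> handle %p, last error %u\n", open_process_wrapper(intercept_fixed, 1234), get_last_error());
    printf("allowed-> handle %p\n", open_process_wrapper(intercept_fixed, 42));
    return 0;
}
```

With the buggy callback the wrapper returns whatever was in its local handle slot, so the caller never looks at the last-error value and carries on with a bogus handle; with the corrected callback the wrapper returns NULL and GetLastError() reports ERROR_ACCESS_DENIED, which is the translation Iconic describes. In the real Delphi hook the only change needed is `Result := STATUS_ACCESS_DENIED;` with no SetLastError() call.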

Re: Error on hook api ZwOpenProcess on WinXP

Posted: Fri Sep 21, 2018 10:27 pm
by pambol
So WriteProcessMemory doesn't call NtWriteProcessMemory, which calls ZwWriteProcessMemory?

Another question: what does InjectLibraryW use, WriteProcessMemory or WriteVirtualMemory?

Re: Error on hook api ZwOpenProcess on WinXP

Posted: Fri Sep 21, 2018 11:30 pm
by iconic
ZwWriteVirtualMemory() and NtWriteVirtualMemory() thunk to the same address in usermode's ntdll - meaning they're the exact same API in usermode with the same virtual address. WriteProcessMemory just wraps the lower level native API, as well as takes care of page protection for the writing and cache flushing after.

--Iconic

Re: Error on hook api ZwOpenProcess on WinXP

Posted: Tue Sep 25, 2018 8:33 am
by madshi
Pambol, whenever you have problems with blue screens or similar, the first step would be to empty your hook callback functions and do nothing but "return TrampolineZwOpenProcess(original parameters)", so basically a pure passthrough. If you do that, does the blue screen go away? If so, put your code back in step by step to find out which part of your code is causing the blue screen.

Re: Error on hook api ZwOpenProcess on WinXP

Posted: Wed Sep 26, 2018 11:06 pm
by pambol
@madshi

Which functions does InjectLibraryW use? I mean WriteProcessMemory or WriteVirtualMemory?

Re: Error on hook api ZwOpenProcess on WinXP

Posted: Thu Sep 27, 2018 6:56 am
by madshi
WriteProcessMemory. I don't know any API named WriteVirtualMemory.

Re: Error on hook api ZwOpenProcess on WinXP

Posted: Fri Sep 28, 2018 5:27 pm
by iconic
Pambol,

The only thing you need to know is that any high-level wrapper in usermode for writing to a target address space will eventually call the native API Nt/ZwWriteVirtualMemory inside ntdll somewhere down the call chain. This includes WriteProcessMemory, so all you need to do is hook Nt/ZwWriteVirtualMemory inside ntdll.


--Iconic

Re: Error on hook api ZwOpenProcess on WinXP

Posted: Sun Sep 30, 2018 4:32 am
by pambol
Iconic,
Yes, I only hook these APIs. I asked which APIs are used for injection since they try to inject something into my application, so I call a restore before the injection.