Error on hook api ZwOpenProcess on WinXP
Posted: Wed Sep 19, 2018 12:05 pm
by pambol
I'm receiving a blue screen of death when I hook the API ZwOpenProcess on Windows XP. Why does it occur?
Another question: why do some Windows hook some APIs and not others, like send from ws2_32.dll?
Thanks.
Re: Error on hook api ZwOpenProcess on WinXP
Posted: Wed Sep 19, 2018 4:34 pm
by iconic
Without seeing your ZwOpenProcess callback we'd be guessing at why you're BSODing. We simply need to see some code. What do you mean why are some APIs hooked like ws2_32.dll!send() and not others? If you load Winsock v1 (winsock.dll) it automatically forwards socket functions to Winsock v2 so hooking ws2_32.dll is all you need from XP forward. I assume that is what you meant?
--Iconic
Re: Error on hook api ZwOpenProcess on WinXP
Posted: Thu Sep 20, 2018 1:01 am
by pambol
The code follows:
  type
    NTStatus = cardinal;
    PObjectAttributes = ^TObjectAttributes;
    TObjectAttributes = packed record
      Length: DWORD;
      RootDirectory: THandle;
      ObjectName: PUnicodeString;
      Attributes: DWORD;
      SecurityDescriptor: Pointer;
      SecurityQualityOfService: Pointer;
    end;
  type
    PClientID = ^TClientID;
    TClientID = packed record
      UniqueProcess: cardinal;
      UniqueThread: cardinal;
    end;
  var
    // filled in by HookApi with the trampoline to the original ZwOpenProcess
    TrampolineZwOpenProcess: function(phProcess: PDWORD; AccessMask: DWORD; ObjectAttributes: PObjectAttributes; ClientID: PClientID): NTStatus; stdcall; // external 'ntdll.dll' name 'NtOpenProcess';

  function InterceptZwOpenProcess(phProcess: PDWORD; AccessMask: DWORD; ObjectAttributes: PObjectAttributes; ClientID: PClientID): NTStatus; stdcall;
  begin
    if AmSystemProcess then begin
      // system processes always go straight through to the original
      Result := TrampolineZwOpenProcess(phProcess, AccessMask, ObjectAttributes, ClientID);
    end
    else
    begin
      // Bloqueado() decides whether the target PID is one we want to protect
      if (ClientID <> nil) and Bloqueado(ClientID.UniqueProcess) then begin
        Result := NTStatus(nil); // casts nil to 0
        SetLastError(ERROR_ACCESS_DENIED);
      end
      else
      begin
        Result := TrampolineZwOpenProcess(phProcess, AccessMask, ObjectAttributes, ClientID);
      end;
    end;
  end;
And this is how I hook it:
  HookApi('ntdll.dll', 'ZwOpenProcess', @InterceptZwOpenProcess, @TrampolineZwOpenProcess);
Is something wrong?
Re: Error on hook api ZwOpenProcess on WinXP
Posted: Thu Sep 20, 2018 11:43 pm
by iconic
Let's see the code for your Bloqueado (Block PID checking code). Your structs are incorrectly defined; if you expect to have this working on 64-bit you'll have issues. There is a 64-bit XP version.
Use the corrected ones below:
  // PHANDLE, ACCESS_MASK, PVOID and ULONG come from the Windows unit;
  // PUNICODE_STRING comes from your native API declarations
  type
    NTSTATUS = LongInt;
    POBJECT_ATTRIBUTES = ^OBJECT_ATTRIBUTES;
    OBJECT_ATTRIBUTES = record
      Length: ULONG;
      RootDirectory: THandle;
      ObjectName: PUNICODE_STRING;
      Attributes: ULONG;
      SecurityDescriptor: PVOID;
      SecurityQualityOfService: PVOID;
    end;
  type
    PCLIENT_ID = ^CLIENT_ID;
    CLIENT_ID = record
      UniqueProcess: THandle;
      UniqueThread: THandle;
    end;
  var
    ZwOpenProcess: function(ProcessHandle: PHANDLE;
                            DesiredAccess: ACCESS_MASK;
                            ObjectAttributes: POBJECT_ATTRIBUTES;
                            ClientId: PCLIENT_ID): NTSTATUS; stdcall;
You shouldn't be returning 0 (meaning STATUS_SUCCESS) and then setting the last error value to ACCESS_DENIED. The error meaning is the opposite of a successful function call return! You need to return STATUS_ACCESS_DENIED, which is NTSTATUS($C0000022), and not 0/NIL when you want to block.
--Iconic
Re: Error on hook api ZwOpenProcess on WinXP
Posted: Fri Sep 21, 2018 2:07 am
by pambol
The Bloqueado function is just a loop over a .ini that checks whether the PID exists or not.
How should I return a result from:
  function InterceptZwWriteProcessMemory(hProcess: THandle; const lpBaseAddress: Pointer; lpBuffer: Pointer; nSize: ULONG; var lpNumberOfBytesWritten: PULONG): NTStatus; stdcall;
to deny? Because I'm using the same code as for OpenProcess:
  Result := NTStatus(nil);
  SetLastError(ERROR_ACCESS_DENIED);
Re: Error on hook api ZwOpenProcess on WinXP
Posted: Fri Sep 21, 2018 2:14 pm
by iconic
There is no ZwWriteProcessMemory; there is ZwWriteVirtualMemory. The correct API prototype is below:
  function ZwWriteVirtualMemory(ProcessHandle: THandle;
                                BaseAddress: Pointer;
                                Buffer: Pointer;
                                NumberOfBytesToWrite: DWORD;
                                NumberOfBytesWritten: PULONG): NTSTATUS; stdcall;
I've explained in my previous post that you need to have the function return an NTSTATUS error code to indicate failure, not success. All you need to do is set Result := STATUS_ACCESS_DENIED; to achieve this. Wrappers like WriteProcessMemory(), which call NtWriteVirtualMemory(), check the return and if < STATUS_SUCCESS will call BaseSetLastNTError(), which does a SetLastError(RtlNtStatusToDosError(Nt_Status)); and exits. Therefore you do not need to explicitly set any error code yourself, only set the appropriate return code in Result.
--Iconic
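Pulling Iconic's two corrections together, as an added example that is not code from the posters or from madCodeHook: the callbacks fail with STATUS_ACCESS_DENIED instead of returning 0 and calling SetLastError, and the write hook sits on ZwWriteVirtualMemory, the native API that WriteProcessMemory ends up in. It assumes madCodeHook's HookApi with the argument pattern used earlier in the thread, a constructed ProtectedPid in place of the .ini-driven Bloqueado(), and kernel32's GetProcessId (XP SP1 or later).

```pascal
program BlockOpenAndWrite;  // hypothetical name; HookApi as used earlier in the thread
uses Windows, madCodeHook;
type
  NTSTATUS = LongInt;
  PCLIENT_ID = ^CLIENT_ID;
  CLIENT_ID = record
    UniqueProcess: THandle;  // carries the PID, typed HANDLE-sized by the native API
    UniqueThread: THandle;
  end;
  TZwOpenProcess = function(ProcessHandle: PHANDLE; DesiredAccess: ACCESS_MASK;
    ObjectAttributes: Pointer; ClientId: PCLIENT_ID): NTSTATUS; stdcall;
  TZwWriteVirtualMemory = function(ProcessHandle: THandle; BaseAddress, Buffer: Pointer;
    NumberOfBytesToWrite: ULONG; NumberOfBytesWritten: PULONG): NTSTATUS; stdcall;
const
  STATUS_ACCESS_DENIED = NTSTATUS($C0000022);  // a failure status, not 0 plus SetLastError
var
  TrampolineZwOpenProcess: TZwOpenProcess;
  TrampolineZwWriteVirtualMemory: TZwWriteVirtualMemory;
  ProtectedPid: DWORD;  // constructed stand-in for the thread's .ini-driven Bloqueado() lookup

// GetProcessId is a kernel32 export from XP SP1 on; declared here so older Windows.pas units build too.
function GetProcessId(Process: THandle): DWORD; stdcall; external kernel32 name 'GetProcessId';

function InterceptZwOpenProcess(ProcessHandle: PHANDLE; DesiredAccess: ACCESS_MASK;
  ObjectAttributes: Pointer; ClientId: PCLIENT_ID): NTSTATUS; stdcall;
begin
  // Deny by NTSTATUS only: OpenProcess() maps it to ERROR_ACCESS_DENIED itself.
  if (ClientId <> nil) and (ClientId.UniqueProcess = ProtectedPid) then
    Result := STATUS_ACCESS_DENIED
  else
    Result := TrampolineZwOpenProcess(ProcessHandle, DesiredAccess, ObjectAttributes, ClientId);
end;

// Hook the native API, not a non-existent ZwWriteProcessMemory: WriteProcessMemory ends up here.
function InterceptZwWriteVirtualMemory(ProcessHandle: THandle; BaseAddress, Buffer: Pointer;
  NumberOfBytesToWrite: ULONG; NumberOfBytesWritten: PULONG): NTSTATUS; stdcall;
begin
  if GetProcessId(ProcessHandle) = ProtectedPid then
    Result := STATUS_ACCESS_DENIED
  else
    Result := TrampolineZwWriteVirtualMemory(ProcessHandle, BaseAddress, Buffer,
      NumberOfBytesToWrite, NumberOfBytesWritten);
end;

begin
  ProtectedPid := GetCurrentProcessId;  // constructed sample: shield this process itself
  HookApi('ntdll.dll', 'ZwOpenProcess', @InterceptZwOpenProcess, @TrampolineZwOpenProcess);
  HookApi('ntdll.dll', 'ZwWriteVirtualMemory', @InterceptZwWriteVirtualMemory, @TrampolineZwWriteVirtualMemory);
end.
```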
Re: Error on hook api ZwOpenProcess on WinXP
Posted: Fri Sep 21, 2018 10:27 pm
by pambol
So WriteProcessMemory doesn't call NtWriteProcessMemory, which calls ZwWriteProcessMemory?
Another question: what does InjectLibraryW use, WriteProcessMemory or WriteVirtualMemory?
Re: Error on hook api ZwOpenProcess on WinXP
Posted: Fri Sep 21, 2018 11:30 pm
by iconic
ZwWriteVirtualMemory() and NtWriteVirtualMemory() thunk to the same address in usermode's ntdll - meaning they're the exact same API in usermode with the same virtual address. WriteProcessMemory just wraps the lower level native API, as well as takes care of page protection for the writing and cache flushing after.
--Iconic
Re: Error on hook api ZwOpenProcess on WinXP
Posted: Tue Sep 25, 2018 8:33 am
by madshi
Pambol, whenever you have problems with blue screens or similar, the first step would be to empty your hook callback functions and do nothing but "return TrampolineZwOpenProcess(original parameters)", so basically a pure passthrough. If you do that, does the blue screen go away? If so, put your code back in step by step to find out which part of your code is causing the blue screen.
Re: Error on hook api ZwOpenProcess on WinXP
Posted: Wed Sep 26, 2018 11:06 pm
by pambol
@madshi
What functions does InjectLibraryW use? I mean WriteProcessMemory or WriteVirtualMemory?
Re: Error on hook api ZwOpenProcess on WinXP
Posted: Thu Sep 27, 2018 6:56 am
by madshi
WriteProcessMemory. I don't know any API named WriteVirtualMemory.
Re: Error on hook api ZwOpenProcess on WinXP
Posted: Fri Sep 28, 2018 5:27 pm
by iconic
Pambol,
The only thing you need to know is that any high-level wrapper in usermode for writing to a target address space will eventually call the native API Nt/ZwWriteVirtualMemory inside ntdll somewhere down the call chain. This includes WriteProcessMemory, so all you need to do is hook Nt/ZwWriteVirtualMemory inside ntdll.
--Iconic
Re: Error on hook api ZwOpenProcess on WinXP
Posted: Sun Sep 30, 2018 4:32 am
by pambol
Iconic,
Yes, I only hook these APIs. I asked which APIs are used on injection since they try to inject something into my application, so I call a restore before the injection.