delphi package - getting into other processes
XanSama
Posts: 15 Joined: Sat Mar 04, 2006 11:19 am
by XanSama » Wed Mar 08, 2006 10:39 am
Hey again, I've hooked WriteProcessMemory with madCodeHook and I'm trying to get the program to show me what processes it's writing to, so I'm using madRemote's EnumProcesses and it keeps returning "[System Process]". Is there anything I can do about that?
This is my code:
Code:
library XGBR;

{$R 'RSRC.res' 'RSRC.RC'}

uses
  Windows, madCHook, madRemote;

var
  // Trampoline filled in by HookApi; calls the original WriteProcessMemory
  realWriteProcessMemory: function(hProcess: THandle; const lpBaseAddress: Pointer;
    lpBuffer: Pointer; nSize: DWORD; var lpNumberOfBytesWritten: DWORD): BOOL; stdcall;

// Map the process handle to a PID, then look the PID up in madRemote's process list
function GetProcessFileName(hProcess: THandle): string;
var
  i1: Integer;
  pl: TDAProcess;
  processId: DWORD;
begin
  Result := '';
  processId := ProcessHandleToId(hProcess);
  pl := EnumProcesses;
  for i1 := 0 to High(pl) do
    if pl[i1].id = processId then
    begin
      Result := pl[i1].exeFile;
      Break;
    end;
end;

// Hook callback: runs inside the hooked process before the real call
function hookWriteProcessMemory(hProcess: THandle; const lpBaseAddress: Pointer;
  lpBuffer: Pointer; nSize: DWORD; var lpNumberOfBytesWritten: DWORD): BOOL; stdcall;
var
  FileName: string;
begin
  FileName := GetProcessFileName(hProcess);
  MessageBoxA(0, PChar(FileName), 'Debug', MB_OK);
  Result := realWriteProcessMemory(hProcess, lpBaseAddress, lpBuffer, nSize, lpNumberOfBytesWritten);
end;

begin
  if not HookApi('kernel32.dll', 'WriteProcessMemory', @hookWriteProcessMemory,
                 @realWriteProcessMemory, MIXTURE_MODE) then
    MessageBoxA(0, 'HookApi(WriteProcessMemory) failed.', 'Error', MB_OK);
end.
madshi
Site Admin
Posts: 10754 Joined: Sun Mar 21, 2004 5:25 pm
by madshi » Wed Mar 08, 2006 11:42 am
Why don't you use "ProcessIdToFileName"?
Anyway, you should check for "GetCurrentProcess". If hProcess is "GetCurrentProcess", then ProcessHandleToId will probably fail and return 0. And the system process has the ID 0. That's why you're getting the system process name back.
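The pitfall madshi describes above, worked through as an added example (editor's code, not madshi's and not part of madCodeHook or madRemote): a hook that receives `hProcess` first turns it into a PID with `GetProcessId` (which understands the `GetCurrentProcess` pseudo-handle), treats PID 0 as "handle could not be resolved" rather than as the System process, classifies the write as self or cross-process, and only then looks the name up in a toolhelp snapshot, which needs no rights on the handle. The `GetProcessId` import assumes a Delphi 7-era `Windows` unit that does not declare it; the type and function names are the example's own. It is written as a console program so the three cases can be exercised without installing a hook.

```delphi
program WpmTargetDemo;
{$APPTYPE CONSOLE}
// Added example, not code from the thread or from madCodeHook: classify the
// hProcess a WriteProcessMemory hook receives without confusing a bad handle
// with "[System Process]" (PID 0).
uses
  Windows, SysUtils, TlHelp32;

// Assumption: the RTL's Windows unit does not declare GetProcessId (Delphi 7 era).
// The export exists in kernel32 from Windows XP SP1 on.
function GetProcessId(hProcess: THandle): DWORD; stdcall;
  external kernel32 name 'GetProcessId';

type
  TTargetKind = (tkSelf, tkOtherProcess, tkUnknown);   // example's own names
  TTargetInfo = record
    Kind: TTargetKind;
    Pid: DWORD;
    ExeFile: string;   // image name from the toolhelp snapshot, '' if not found
  end;

// Look a PID up in a toolhelp snapshot. Only the PID is needed, so this works
// even when hProcess carries just PROCESS_VM_WRITE/PROCESS_VM_OPERATION.
function ExeFileForPid(Pid: DWORD): string;
var
  Snap: THandle;
  Entry: TProcessEntry32;
begin
  Result := '';
  Snap := CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0);
  if Snap = INVALID_HANDLE_VALUE then Exit;
  try
    Entry.dwSize := SizeOf(Entry);
    if Process32First(Snap, Entry) then
      repeat
        if Entry.th32ProcessID = Pid then
        begin
          Result := Entry.szExeFile;
          Break;
        end;
      until not Process32Next(Snap, Entry);
  finally
    CloseHandle(Snap);   // the snapshot is a kernel object; release it every call
  end;
end;

function ClassifyTarget(hProcess: THandle): TTargetInfo;
begin
  Result.ExeFile := '';
  // GetCurrentProcess returns the pseudo-handle -1. Helpers that walk the handle
  // table report 0 for it, and 0 is also the PID of "[System Process]".
  // GetProcessId resolves the pseudo-handle to the caller's real PID.
  Result.Pid := GetProcessId(hProcess);
  if Result.Pid = 0 then
  begin
    Result.Kind := tkUnknown;   // unresolvable handle, not the System process
    Exit;
  end;
  Result.ExeFile := ExeFileForPid(Result.Pid);
  if (hProcess = GetCurrentProcess) or (Result.Pid = GetCurrentProcessId) then
    Result.Kind := tkSelf
  else
    Result.Kind := tkOtherProcess;
end;

const
  KindNames: array[TTargetKind] of string = ('self', 'other process', 'unknown');

procedure Report(const Info: TTargetInfo);
var
  Line: string;
begin
  Line := Format('WriteProcessMemory target: %s pid=%d exe=%s',
                 [KindNames[Info.Kind], Info.Pid, Info.ExeFile]);
  // Inside a real hook prefer a non-blocking sink such as the debugger output;
  // a MessageBox in the hook callback can stall or deadlock the hooked process.
  OutputDebugString(PChar(Line));
  Writeln(Line);
end;

var
  Info: TTargetInfo;
  hSelf: THandle;
begin
  Report(ClassifyTarget(GetCurrentProcess));   // pseudo-handle: self, real PID
  // A real handle with exactly the rights WriteProcessMemory requires
  hSelf := OpenProcess(PROCESS_VM_WRITE or PROCESS_VM_OPERATION, False, GetCurrentProcessId);
  if hSelf <> 0 then
  begin
    Report(ClassifyTarget(hSelf));              // real handle to ourselves: self
    CloseHandle(hSelf);
  end;
  Report(ClassifyTarget(0));                    // invalid handle: unknown, not "[System Process]"
end.
```

Running it prints the self line twice (once for the pseudo-handle, once for the real handle) followed by an `unknown` line with `pid=0`, which is the case that the thread's first version misreported as the System process.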
XanSama
Posts: 15 Joined: Sat Mar 04, 2006 11:19 am
by XanSama » Wed Mar 08, 2006 12:19 pm
I couldn't seem to make ProcessIdToFileName work. But the issue isn't that it's getting its own handle; not quite sure what was up really, but I've just decided to use a toolhelp32 snapshot.
Here's my final working code:
Code:
library XGBR;

{$R 'RSRC.res' 'RSRC.RC'}

uses
  Windows, TlHelp32, madCHook;

var
  // Trampoline filled in by HookApi; calls the original WriteProcessMemory
  realWriteProcessMemory: function(hProcess: THandle; const lpBaseAddress: Pointer;
    lpBuffer: Pointer; nSize: DWORD; var lpNumberOfBytesWritten: DWORD): BOOL; stdcall;

// Not declared in this Delphi version's Windows unit; exported by kernel32 from
// XP SP1 on. Also resolves the GetCurrentProcess pseudo-handle correctly.
function GetProcessID(hProcess: THandle): DWORD; stdcall;
  external 'kernel32.dll' name 'GetProcessId';

// Resolve the handle to a PID, then find the PID in a toolhelp snapshot.
// Only the PID is needed, so the handle does not need query rights.
function GetProcessFileName(hProcess: THandle): string;
var
  Snapshot: THandle;
  ProcessEntry32: TProcessEntry32;
  PID: DWORD;
begin
  Result := '';
  PID := GetProcessID(hProcess);
  if PID = 0 then Exit;   // unresolvable handle; 0 would otherwise match "[System Process]"
  Snapshot := CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0);
  if Snapshot = INVALID_HANDLE_VALUE then Exit;
  try
    ProcessEntry32.dwSize := SizeOf(TProcessEntry32);
    if Process32First(Snapshot, ProcessEntry32) then
      repeat
        if ProcessEntry32.th32ProcessID = PID then
        begin
          Result := ProcessEntry32.szExeFile;
          Break;
        end;
      until not Process32Next(Snapshot, ProcessEntry32);
  finally
    CloseHandle(Snapshot);   // release the snapshot on every path (it was leaked before)
  end;
end;

// Hook callback: runs inside the hooked process before the real call
function hookWriteProcessMemory(hProcess: THandle; const lpBaseAddress: Pointer;
  lpBuffer: Pointer; nSize: DWORD; var lpNumberOfBytesWritten: DWORD): BOOL; stdcall;
var
  FileName: string;
begin
  FileName := GetProcessFileName(hProcess);
  MessageBoxA(0, PChar(FileName), 'Process:', MB_OK);
  Result := realWriteProcessMemory(hProcess, lpBaseAddress, lpBuffer, nSize, lpNumberOfBytesWritten);
end;

begin
  if not HookApi('kernel32.dll', 'WriteProcessMemory', @hookWriteProcessMemory,
                 @realWriteProcessMemory, MIXTURE_MODE) then
    MessageBoxA(0, 'HookApi(WriteProcessMemory) failed.', 'Error', MB_OK);
end.