Project Omorphia forum index > uallCollection
Hooking NtCreateProcess/NtCreateProcessEx
LukaszPaciorkowski
Posted: Tue Aug 08, 2006 23:55



Joined: 20.07.2006
Posts: 11
Location: Poland

I heard that hooking NtCreateProcess/NtCreateProcessEx catches each process. So, I have written a library:
Delphi-Code:

  library HookProcessCreation;

  {$IMAGEBASE $57000000}

  uses
    Windows,
    SysUtils,
    JwaWinBase,
    JwaWinNT,
    JwaWinType,
    uallDisasm,
    uallDisasmEx,
    uallHook,
    uallKernel,
    uallProcess,
    uallUtil;

  type
    // NtCreateProcess takes 8 parameters.
    TNtCreateProcess = function(ProcessHandle: PHANDLE; DesiredAccess: ACCESS_MASK;
      ObjectAttributes: POBJECT_ATTRIBUTES; ParentProcess: HANDLE; InheritObjectTable: ByteBool;
      SectionHandle: HANDLE; DebugPort: HANDLE; ExceptionPort: HANDLE): NTSTATUS; stdcall;
    // NtCreateProcessEx takes 9: a ULONG Flags word instead of the BOOLEAN and a trailing
    // JobMemberLevel. Declaring it with 8 breaks stdcall stack cleanup in the callback.
    TNtCreateProcessEx = function(ProcessHandle: PHANDLE; DesiredAccess: ACCESS_MASK;
      ObjectAttributes: POBJECT_ATTRIBUTES; ParentProcess: HANDLE; Flags: ULONG;
      SectionHandle: HANDLE; DebugPort: HANDLE; ExceptionPort: HANDLE;
      JobMemberLevel: ULONG): NTSTATUS; stdcall;

  var
    // orig* holds the ntdll export address that HookCodeNt patches; new* receives the
    // trampoline to the original code, which is what the callbacks must forward to.
    origNtCreateProcess, newNtCreateProcess: TNtCreateProcess;
    origNtCreateProcessEx, newNtCreateProcessEx: TNtCreateProcessEx;

  function NtCreateProcessCallbackProc(ProcessHandle: PHANDLE; DesiredAccess: ACCESS_MASK;
    ObjectAttributes: POBJECT_ATTRIBUTES; ParentProcess: HANDLE; InheritObjectTable: ByteBool;
    SectionHandle: HANDLE; DebugPort: HANDLE; ExceptionPort: HANDLE): NTSTATUS; stdcall;
  begin
    Result := newNtCreateProcess(ProcessHandle, DesiredAccess, ObjectAttributes, ParentProcess,
      InheritObjectTable, SectionHandle, DebugPort, ExceptionPort);
    // Runs only inside the process that hosts this DLL; the MessageBox is a debugging aid.
    MessageBox(0, 'Hooked', 'Hooked', MB_OK);
  end;

  function NtCreateProcessExCallbackProc(ProcessHandle: PHANDLE; DesiredAccess: ACCESS_MASK;
    ObjectAttributes: POBJECT_ATTRIBUTES; ParentProcess: HANDLE; Flags: ULONG;
    SectionHandle: HANDLE; DebugPort: HANDLE; ExceptionPort: HANDLE;
    JobMemberLevel: ULONG): NTSTATUS; stdcall;
  begin
    // Forward to the Ex trampoline with all nine arguments.
    Result := newNtCreateProcessEx(ProcessHandle, DesiredAccess, ObjectAttributes, ParentProcess,
      Flags, SectionHandle, DebugPort, ExceptionPort, JobMemberLevel);
    MessageBox(0, 'Hooked', 'Hooked', MB_OK);
  end;

  begin
    // Patch both exports in this process's copy of ntdll.dll at DLL load time.
    @origNtCreateProcess := GetProcAddress(LoadLibrary('ntdll.dll'), 'NtCreateProcess');
    uallHook.HookCodeNt(@origNtCreateProcess, @NtCreateProcessCallbackProc, @newNtCreateProcess);

    @origNtCreateProcessEx := GetProcAddress(LoadLibrary('ntdll.dll'), 'NtCreateProcessEx');
    uallHook.HookCodeNt(@origNtCreateProcessEx, @NtCreateProcessExCallbackProc, @newNtCreateProcessEx);
  end.


JwaNt from uses is here: http://rapidshare.de/files/28701687/JwaNt.rar.html
After injection into explorer.exe it works fine, but... it can't catch processes that are started from cmd and can't catch the taskmgr.exe process (CTRL+ALT+DEL). Any suggestions?

//Mod by BenBE: Replaced Code by Delphi Tags
BenBE
Posted: Fri Aug 11, 2006 15:18
Main coder

Joined: 21.08.2004
Posts: 838
Location: Jahnsdorf (Chemnitz)

Unlike on Windows 9x, where every DLL above 80000000h is visible to all processes, you have to inject your hook DLL into every process that might call NtCreateProcess (directly or indirectly). Injecting the DLL into only one process does not change the code in the other processes' address spaces, so the function there is handled just as if nothing had been done to it.

To install a global hook as you wish to, you need to load your library into all processes. Please note that there are two ways to do this:
1. Use uall's functions for DLL injection (to do this on the fly).
2. Use NT's automatic DLL loading feature via the registry (AppInit settings).
_________________
The problem is the decision!
Delphi-Code:
  Matrix.System.HLT;

LukaszPaciorkowski
Posted: Fri Aug 11, 2006 23:40



Joined: 20.07.2006
Posts: 11
Location: Poland

I use uall's functions for DLL injection:
Code:

dwProcessID := uallProcess.FindProcess('explorer.exe');
uallHook.InjectLibrary(dwProcessID,PChar(uallUtil.GetExeDirectory+'HookProcessCreation.dll'));

And it still doesn't work... :(
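The single FindProcess('explorer.exe') call above patches only explorer's copy of ntdll, which is exactly the situation BenBE's reply describes: cmd.exe creates its children through its own, unhooked CreateProcess, and taskmgr.exe is started by winlogon, not by explorer. The program below is an added example (not code from this thread or from uallCollection) that implements both of BenBE's options for the whole machine: it walks the process list with Toolhelp32 and injects the DLL into every process it can open, and, with -appinit, registers the DLL under AppInit_DLLs so processes started later pick it up. It assumes uallHook.InjectLibrary has the (pid, path) signature used in the post and returns True on success; the DLL name HookProcessCreation.dll is the one from the first post. Note also what the hook can see at all: on Windows XP kernel32's CreateProcess ends in NtCreateProcessEx, but from Vista on it calls NtCreateUserProcess, which the DLL as posted does not hook.

```delphi
program InjectAll;

{$APPTYPE CONSOLE}

uses
  Windows,
  SysUtils,
  TlHelp32,
  Registry,
  uallHook;

const
  // Hook DLL from the first post; assumed to sit next to this injector.
  HookDll = 'HookProcessCreation.dll';
  AppInitKey = '\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows';

// Option 1 (uall injection, on the fly): snapshot all running processes and
// inject the DLL into each. Returns the number of successful injections.
// Assumption: uallHook.InjectLibrary(pid, path) returns True on success.
function InjectIntoAllProcesses(const DllPath: string): Integer;
var
  Snap: THandle;
  Entry: TProcessEntry32;
  ExeName: string;
  MyPid: DWORD;
begin
  Result := 0;
  MyPid := GetCurrentProcessId;
  Snap := CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0);
  if Snap = INVALID_HANDLE_VALUE then
    RaiseLastOSError;
  try
    Entry.dwSize := SizeOf(Entry);
    if Process32First(Snap, Entry) then
      repeat
        ExeName := Entry.szExeFile;
        // PID 0 is the Idle pseudo-process; skipping ourselves avoids hooking
        // the injector's own process creation.
        if (Entry.th32ProcessID <> 0) and (Entry.th32ProcessID <> MyPid) then
        begin
          if uallHook.InjectLibrary(Entry.th32ProcessID, PChar(DllPath)) then
          begin
            Inc(Result);
            Writeln(Format('injected: %s (PID %d)', [ExeName, Entry.th32ProcessID]));
          end
          else
            // Expected for System (PID 4), csrss.exe and anything we cannot open
            // with PROCESS_ALL_ACCESS; those keep their unhooked ntdll.
            Writeln(Format('failed:   %s (PID %d): %s',
              [ExeName, Entry.th32ProcessID, SysErrorMessage(GetLastError)]));
        end;
      until not Process32Next(Snap, Entry);
  finally
    CloseHandle(Snap);
  end;
end;

// Option 2 (NT's automatic loading): add the DLL to AppInit_DLLs so user32.dll
// maps it into every process that loads user32 from now on. The value is a
// space/comma separated REG_SZ, so a path containing spaces must be given in
// 8.3 form. Needs administrative rights on HKLM.
procedure RegisterAppInitDll(const DllPath: string);
var
  Reg: TRegistry;
  Entry, Existing: string;
begin
  Entry := ExtractShortPathName(DllPath);
  if Entry = '' then
    Entry := DllPath;
  Reg := TRegistry.Create(KEY_READ or KEY_WRITE);
  try
    Reg.RootKey := HKEY_LOCAL_MACHINE;
    if not Reg.OpenKey(AppInitKey, False) then
      raise Exception.Create('cannot open ' + AppInitKey + ' for writing');
    Existing := '';
    if Reg.ValueExists('AppInit_DLLs') then
      Existing := Reg.ReadString('AppInit_DLLs');
    // Append only once; an already registered DLL is left alone.
    if Pos(LowerCase(Entry), LowerCase(Existing)) = 0 then
    begin
      if Existing <> '' then
        Existing := Existing + ' ';
      Reg.WriteString('AppInit_DLLs', Existing + Entry);
    end;
  finally
    Reg.Free;
  end;
end;

var
  DllPath: string;
begin
  DllPath := ExtractFilePath(ParamStr(0)) + HookDll;
  if not FileExists(DllPath) then
    raise Exception.Create('hook DLL not found: ' + DllPath);
  Writeln(Format('%d processes hooked', [InjectIntoAllProcesses(DllPath)]));
  // The snapshot does not cover processes started afterwards; -appinit makes
  // the loader take care of those.
  if FindCmdLineSwitch('appinit') then
    RegisterAppInitDll(DllPath);
end.
```

Run it elevated. Injection fails for every process the caller cannot open with PROCESS_ALL_ACCESS (other users' processes and SYSTEM services from a non-admin account, csrss.exe), and AppInit_DLLs is processed by user32.dll only, so console-only processes never load it; on Vista and later the LoadAppInit_DLLs DWORD in the same key must also be 1. Both mechanisms are per-process user-mode tricks, and the AppInit route is a well-known persistence location that security tooling flags. The supported way to see every process creation on the machine is a kernel-mode callback registered with PsSetCreateProcessNotifyRoutine, which is why endpoint products use it rather than inline hooks in ntdll.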
All times are GMT + 1 hour