12/29/2008 at 07:34AM PST, ID: 24013230 | Points: 500
ntCreateProcessEx (UserMode) Hook

Asked by phoenixisborn in Delphi Programming

Tags: createprocessex, madshicodehook, delphi

Hello, I only need help with getting the path and filename of newly created processes when I hook CreateProcessEx with the MadshiCodeHook component. I have attached the code; the problem is that the variable "NameBuffer" is always empty :(
Can someone help me get the path with the filename into the variable NameBuffer?
Thank you
var
  NtCreateProcessExNextHook: function(ProcessHandle: PHANDLE;
                                      DesiredAccess: ACCESS_MASK;
                                      ObjectAttributes: POBJECT_ATTRIBUTES;
                                      InheritFromProcessHandle: DWORD;
                                      InheritHandles: DWORD;
                                      SectionHandle: DWORD;
                                      DebugPort: DWORD;
                                      ExceptionPort: DWORD;
                                      dwSaferFlags: DWORD): NTSTATUS; stdcall;

// The callback must take exactly the parameters of the hooked API. Declaring
// ProcessHandle as a "var" parameter (as the original did) changes the calling
// convention for that argument and no longer matches NtCreateProcessEx.
function _NtCreateProcessExCallback(ProcessHandle: PHANDLE;
                                    DesiredAccess: ACCESS_MASK;
                                    ObjectAttributes: POBJECT_ATTRIBUTES;
                                    InheritFromProcessHandle: DWORD;
                                    InheritHandles: DWORD;
                                    SectionHandle: DWORD;
                                    DebugPort: DWORD;
                                    ExceptionPort: DWORD;
                                    dwSaferFlags: DWORD): NTSTATUS; stdcall;
var
  NameBuffer: array [0..MAX_PATH] of Char;
begin
  FillChar(NameBuffer, SizeOf(NameBuffer), 0);
  // A process created through CreateProcess is an unnamed object, so
  // ObjectAttributes (or its ObjectName) is typically nil here; that is why
  // NameBuffer stays empty. The image path belongs to the section passed in
  // SectionHandle, not to the process object. Every pointer is checked before
  // use so the hook cannot fault inside the hooked process. Note that
  // UNICODE_STRING.Length is in bytes and Buffer need not be NUL-terminated.
  if Assigned(ObjectAttributes) and Assigned(ObjectAttributes^.ObjectName) and
     Assigned(ObjectAttributes^.ObjectName^.Buffer) then
  begin
    WideToAnsi(ObjectAttributes^.ObjectName^.Buffer, NameBuffer);
    ShowMessage(PChar(@NameBuffer[0]));
  end;
  Result := NtCreateProcessExNextHook(ProcessHandle, DesiredAccess, ObjectAttributes,
                                      InheritFromProcessHandle, InheritHandles, SectionHandle,
                                      DebugPort, ExceptionPort, dwSaferFlags);
  RenewHook(@NtCreateProcessExNextHook);
end;

begin
  // The callback passed to HookAPI must be the function declared above; the
  // original referenced a name (NtCreateProcessExCallbackProc) that does not exist.
  HookAPI('ntdll.dll', 'NtCreateProcessEx', @_NtCreateProcessExCallback, @NtCreateProcessExNextHook);
end.
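The code above reads `ObjectAttributes^.ObjectName^.Buffer` as if it were a plain NUL-terminated string that is always present. The following is an added example, not code from the asker or from madCodeHook, showing how a hook should read a name out of `OBJECT_ATTRIBUTES` defensively: it checks every pointer, honours `UNICODE_STRING.Length` (which is in bytes and bounds a buffer that may carry no terminator), and shows the unnamed-object case, which is what an `NtCreateProcessEx` hook typically sees for processes started through `CreateProcess` and which matches the "NameBuffer is always empty" symptom. The structure definitions are re-declared locally so it compiles without `windows.h`; the sample path is constructed for the demo and the narrowing is ASCII-only (non-ASCII characters become `?`).

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Re-declared here so the example builds without windows.h; only the field
 * semantics matter for the demonstration, not the exact native layout. */
typedef uint16_t USHORT;
typedef uint32_t ULONG;
typedef void    *HANDLE;
typedef void    *PVOID;
typedef uint16_t WCHAR;          /* one UTF-16 code unit */
typedef WCHAR   *PWSTR;

typedef struct _UNICODE_STRING {
    USHORT Length;               /* in BYTES, not characters */
    USHORT MaximumLength;        /* buffer capacity in bytes */
    PWSTR  Buffer;               /* not guaranteed to be NUL-terminated */
} UNICODE_STRING, *PUNICODE_STRING;

typedef struct _OBJECT_ATTRIBUTES {
    ULONG           Length;
    HANDLE          RootDirectory;
    PUNICODE_STRING ObjectName;  /* NULL for unnamed objects */
    ULONG           Attributes;
    PVOID           SecurityDescriptor;
    PVOID           SecurityQualityOfService;
} OBJECT_ATTRIBUTES, *POBJECT_ATTRIBUTES;

/* Copy ObjectName into a NUL-terminated narrow buffer.  Returns the number of
 * characters written, or -1 when there is no name to read.  Every pointer on
 * the way is checked, and only Length/2 characters are read, so a buffer that
 * lacks a terminator (or a NULL OBJECT_ATTRIBUTES) cannot cause a fault. */
int object_name_to_ansi(const OBJECT_ATTRIBUTES *oa, char *out, size_t out_size)
{
    if (out == NULL || out_size == 0)
        return -1;
    out[0] = '\0';
    if (oa == NULL || oa->ObjectName == NULL ||
        oa->ObjectName->Buffer == NULL || oa->ObjectName->Length == 0)
        return -1;

    size_t n = oa->ObjectName->Length / sizeof(WCHAR);
    if (n > out_size - 1)
        n = out_size - 1;                    /* truncate rather than overflow */
    for (size_t i = 0; i < n; i++) {
        WCHAR c = oa->ObjectName->Buffer[i];
        out[i] = (c < 0x80) ? (char)c : '?'; /* ASCII only; non-ASCII becomes '?' */
    }
    out[n] = '\0';
    return (int)n;
}

/* Constructed sample name (not a real path from the question): \??\C:\tools\x.exe */
static const WCHAR kSampleName[] = {
    '\\', '?', '?', '\\', 'C', ':', '\\', 't', 'o', 'o', 'l', 's', '\\', 'x', '.', 'e', 'x', 'e'
};

char g_out[64];   /* result buffer shared by the demo functions */

/* Case 1: a named object, as a hook on a file-opening API would see it. */
int demo_named_object(void)
{
    UNICODE_STRING us = { sizeof(kSampleName), sizeof(kSampleName), (PWSTR)kSampleName };
    OBJECT_ATTRIBUTES oa = { sizeof(oa), NULL, &us, 0, NULL, NULL };
    return object_name_to_ansi(&oa, g_out, sizeof g_out);
}

/* Case 2: no ObjectAttributes at all.  A process object created through
 * CreateProcess is unnamed, so an NtCreateProcessEx hook typically sees this:
 * the "always empty" NameBuffer from the question, not a conversion bug. */
int demo_unnamed_object(void)
{
    return object_name_to_ansi(NULL, g_out, sizeof g_out);
}

/* Case 3: Length is in bytes and bounds the read.  12 bytes = 6 characters
 * ("\??\C:") even though the backing buffer is longer and unterminated. */
int demo_length_is_bytes(void)
{
    UNICODE_STRING us = { 12, sizeof(kSampleName), (PWSTR)kSampleName };
    OBJECT_ATTRIBUTES oa = { sizeof(oa), NULL, &us, 0, NULL, NULL };
    return object_name_to_ansi(&oa, g_out, sizeof g_out);
}

int main(void)
{
    printf("named:   %d \"%s\"\n", demo_named_object(), g_out);
    printf("unnamed: %d \"%s\"\n", demo_unnamed_object(), g_out);
    printf("bytes:   %d \"%s\"\n", demo_length_is_bytes(), g_out);
    return 0;
}
```

The design point for a monitoring hook is case 2: when `object_name_to_ansi` returns -1 the hook has learned that the process object carries no name, and the image path has to be resolved from the section handle instead of from `ObjectAttributes`.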
01/08/09 04:12 PM, ID: 23331615 (Author Comment)

01/15/09 07:58 AM, ID: 23384642 (Expert Comment)

01/17/09 01:30 AM, ID: 23400097 (Author Comment)