Solved

Application Process Path 2

Posted on 2010-08-23
Last Modified: 2013-11-23
This was Aflarin's comment on Application Process Path 1
http://www.experts-exchange.com/Programming/Languages/Pascal/Delphi/Q_26413438.html#33496630


I have researched some code regarding "ZwOpenFile".
And, as I look at the code, it seems to do what I want: to get the application path and name with or without a window or a console.

Only 2 questions to answer.
a. Is this the code that Aflarin is talking about in his number 3 comment? Yes or NO
b. And where could I find NativeAPI.pas?
library x;

uses
  Windows,
  SysUtils,
  NativeAPI; //I can't find this

type
  // Saved copy of the first 6 bytes of ZwOpenFile, restored by Unhook.
  OldCode = packed record
    One: dword;
    Two: word;
  end;

  // 6-byte trampoline written over those bytes: push <addr> ($68) / ret ($C3).
  far_jmp = packed record
    PushOp: byte;
    PushArg: pointer;
    RetOp: byte;
  end;

var
  JmpZwq: far_jmp;
  OldZwq: OldCode;
  PtrZwq: pointer;

function ZwOpenFile(OUT FileHandle: PHANDLE;
    const DesiredAccess: ACCESS_MASK;
    const ObjectAttributes: PObjectAttributes;
    OUT IoStatusBlock: PIO_STATUS_BLOCK;
    const ShareAccess,
          OpenOptions: ULONG): NTStatus;
    stdcall; external 'ntdll.dll';

// Calls the real stub: restore the original bytes, call, re-apply the patch.
// (Not thread-safe: another thread calling ZwOpenFile in between runs unhooked.)
function TrueZwOpenFile(OUT FileHandle: PHANDLE;
    const DesiredAccess: ACCESS_MASK;
    const ObjectAttributes: PObjectAttributes;
    OUT IoStatusBlock: PIO_STATUS_BLOCK;
    const ShareAccess,
          OpenOptions: ULONG): NTStatus;
    stdcall;
var
  Written: dword;
begin
  // GetCurrentProcess (the pseudo-handle -1) instead of the misleading INVALID_HANDLE_VALUE.
  WriteProcessMemory(GetCurrentProcess, PtrZwq, @OldZwq, SizeOf(OldCode), Written);
  Result := ZwOpenFile(FileHandle, DesiredAccess, ObjectAttributes, IoStatusBlock,
                       ShareAccess, OpenOptions);
  WriteProcessMemory(GetCurrentProcess, PtrZwq, @JmpZwq, SizeOf(far_jmp), Written);
end;

// Replacement that every ZwOpenFile call in this process lands on.
function NewZwOpenFile(OUT FileHandle: PHANDLE;
    const DesiredAccess: ACCESS_MASK;
    const ObjectAttributes: PObjectAttributes;
    OUT IoStatusBlock: PIO_STATUS_BLOCK;
    const ShareAccess,
          OpenOptions: ULONG): NTStatus;
    stdcall;
var
  s: string;
begin
  // ObjectName is a UNICODE_STRING: Buffer is not necessarily null-terminated,
  // so convert using its Length (in bytes) rather than scanning for #0.
  s := '';
  if (ObjectAttributes <> nil) and (ObjectAttributes^.ObjectName <> nil) then
    s := WideCharLenToString(ObjectAttributes^.ObjectName^.Buffer,
                             ObjectAttributes^.ObjectName^.Length div SizeOf(WideChar));

  if UpperCase(s) = '\??\C:\XSB.TXT' then
    Result := STATUS_ACCESS_DENIED
  else
    Result := TrueZwOpenFile(FileHandle, DesiredAccess, ObjectAttributes, IoStatusBlock,
                             ShareAccess, OpenOptions);
end;

procedure SetHook();
var
  Bytes: dword;
begin
  PtrZwq := GetProcAddress(GetModuleHandle('ntdll.dll'), 'ZwOpenFile');
  ReadProcessMemory(GetCurrentProcess, PtrZwq, @OldZwq, SizeOf(OldCode), Bytes);
  JmpZwq.PushOp  := $68;            // push imm32
  JmpZwq.PushArg := @NewZwOpenFile;
  JmpZwq.RetOp   := $C3;            // ret -> continues in NewZwOpenFile
  WriteProcessMemory(GetCurrentProcess, PtrZwq, @JmpZwq, SizeOf(far_jmp), Bytes);
end;

procedure Unhook();
var
  Bytes: dword;
begin
  WriteProcessMemory(GetCurrentProcess, PtrZwq, @OldZwq, SizeOf(OldCode), Bytes);
end;

// WH_GETMESSAGE hook procedure. It does nothing with the message; installing a
// global hook is only the way this DLL gets loaded into every GUI process.
function MessageProc(code: integer; wParam: WPARAM; lParam: LPARAM): LRESULT; stdcall;
begin
  Result := CallNextHookEx(0, code, wParam, lParam);
end;

// Thread routine: CreateThread expects a stdcall function taking one pointer.
function SetGlobalHookProc(Param: pointer): dword; stdcall;
begin
  SetWindowsHookEx(WH_GETMESSAGE, @MessageProc, HInstance, 0);
  Sleep(INFINITE);  // keep the thread, and with it the hook, alive
  Result := 0;
end;

procedure SetGlobalHook();
var
  hMutex: THandle;
  TrId: dword;
begin
  // The named mutex ensures only the first process to load the DLL installs the global hook.
  hMutex := CreateMutex(nil, False, 'ScanerHook');
  if GetLastError <> ERROR_ALREADY_EXISTS then
    CloseHandle(CreateThread(nil, 0, @SetGlobalHookProc, nil, 0, TrId))
  else
    CloseHandle(hMutex);
end;

// Matches TDLLProc (Reason: Integer) expected by DllProc.
procedure DLLEntryPoint(dwReason: integer);
begin
  case dwReason of
    DLL_PROCESS_ATTACH: begin
                          SetGlobalHook();
                          SetHook();
                        end;
    DLL_PROCESS_DETACH: Unhook();
  end;
end;

begin
  DllProc := @DLLEntryPoint;
  DLLEntryPoint(DLL_PROCESS_ATTACH);
end.

Question by:systan
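As an added example (not code from the question or from any of the answers), a small Python checker that detects the kind of patch SetHook writes: a push/ret trampoline over the first six bytes of an exported function, compared against a clean copy of those bytes. CLEAN_STUB and HOOKED_STUB are constructed sample bytes, and read_live_prologue is an assumed Windows-only helper for reading the live bytes from the current process.

```python
# Added example: flag a "push imm32; ret" inline hook (SetHook's far_jmp above).
import struct
import sys

TRAMPOLINE_LEN = 6  # push imm32 = 0x68 + 4 bytes, ret = 0xC3

def decode_push_ret(prologue: bytes):
    """Return the absolute target of a push/ret trampoline at the start of
    `prologue`, or None if the bytes are not that pattern."""
    if len(prologue) < TRAMPOLINE_LEN:
        return None
    if prologue[0] != 0x68 or prologue[5] != 0xC3:
        return None
    return struct.unpack_from("<I", prologue, 1)[0]

def check_prologue(name: str, live: bytes, clean: bytes) -> dict:
    """Compare the live prologue of `name` with a known-clean copy (normally
    the same bytes read from the module file on disk) and classify it."""
    n = min(len(live), len(clean), TRAMPOLINE_LEN)
    if live[:n] == clean[:n]:
        return {"function": name, "hooked": False, "kind": None, "target": None}
    target = decode_push_ret(live)
    kind = "push/ret trampoline" if target is not None else "unknown patch"
    return {"function": name, "hooked": True, "kind": kind, "target": target}

def read_live_prologue(module: str, export: str, n: int = TRAMPOLINE_LEN) -> bytes:
    """Assumed helper, Windows only: read the first n bytes of an export as
    mapped into this process (the bytes a hook like SetHook overwrites)."""
    import ctypes
    k32 = ctypes.windll.kernel32
    k32.GetModuleHandleW.restype = ctypes.c_void_p
    k32.GetProcAddress.restype = ctypes.c_void_p
    k32.GetProcAddress.argtypes = [ctypes.c_void_p, ctypes.c_char_p]
    addr = k32.GetProcAddress(k32.GetModuleHandleW(module), export.encode())
    return ctypes.string_at(addr, n)

# Constructed sample bytes: a clean 32-bit ntdll stub begins with
# `mov eax, <syscall number>` (0xB8; 0x74 is a placeholder), while the hooked
# copy begins with SetHook's 6-byte push/ret (target address constructed).
CLEAN_STUB = bytes.fromhex("b874000000ba0003fe7fff12c21800")
HOOKED_STUB = b"\x68" + struct.pack("<I", 0x10001234) + b"\xC3" + CLEAN_STUB[6:]

if __name__ == "__main__":
    print(check_prologue("ZwOpenFile", HOOKED_STUB, CLEAN_STUB))
    if sys.platform == "win32":
        live = read_live_prologue("ntdll.dll", "ZwOpenFile")
        print("live ZwOpenFile:", live.hex(), "push/ret target:", decode_push_ret(live))
```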
18 Comments
 
Expert Comment by DragonSlayer (ID: 33508545)

Author Comment by systan (ID: 33508734)
DragonSlayer;
You're pointing me to a DLL injection, which I already have from ThievingSix.
Instead, would you answer a and b?

Thanks

Assisted Solution by DragonSlayer, who earned 100 total points (ID: 33508757)
You asked for NativeAPI.pas; the link to the file is in the .7z file attached at the bottom of that page ;-)
 
Author Comment by systan (ID: 33508897)
Ok;
I'll try to look for it, but what about question a?

Author Comment by systan (ID: 33508947)
I have compiled the library, but what about question a?

Expert Comment by aflarin (ID: 33509053)
You are not afraid of hard work, are you? ;)

Your DLL is working in user mode, so you intercept only the stub of ZwOpenFile in ntdll. To intercept the real ZwOpenFile you have to do it in a kernel-mode driver.


Author Comment by systan (ID: 33509478)
>>You are not afraid of hard work, are you? ;)
lol, lol, lol
Talking about hard work, I can do computer stuff without compensation for a whole month just to learn; it's my personal project anyway.

OK;
>>Your DLL is working in user mode, >>so you intercept only the stub of ZwOpenFile in ntdll. To intercept the real ZwOpenFile you have to do it in a kernel-mode driver.

huh!, what a deep programming language. lol
So,
a. Is this the code that Aflarin is talking about in his number 3 comment? Yes or NO
question a answers NO?
Is that what you want to say, Aflarin? NO!

Author Comment by systan (ID: 33510070)
Ok,
question b has been answered by DragonSlayer.

question a is not clearly answered by Aflarin;
>>Your DLL is working in user mode, so you intercept only the stub of ZwOpenFile in ntdll.
Are you talking about the code snippet I attached? The Library x?

>>To intercept the REAL ZwOpenFile you have to do it in a kernel-mode driver.
So, you see the code snippet is not a real ZwOpenFile? Then your answer is NO?

Accepted Solution by aflarin, who earned 400 total points (ID: 33513690)
>> Is this the code that Aflarin is talking about in his number 3 comment? Is that what you want to say, Aflarin?

I'm afraid the answer is no. I really did talk about hooking ZwOpenFile, but it must be within a kernel-mode driver. Your library x is working in user mode, so it can only hook the user-mode proxy of ZwOpenFile. That means your code will intercept ZwOpenFile calls only if they come from a user-mode app/dll.
I guess when an app calls CreateProcess (or something like that), it goes to NtCreateProcess in kernel mode, and then ZwOpenFile is called by NtCreateProcess from kernel mode. So this call will pass by your hook.

I suggest you read the corresponding article from my post (and examine the article's code). For example, you can find that there are some reasons to hook NtCreateSection instead of ZwOpenFile :)



Author Closing Comment by systan (ID: 33517150)
Aflarin;
You're really good in Delphi; I expect you'll be in the Wizard rank this September.

Thanks a lot

DragonSlayer? Thank you also, I'll drop by Malaysia soon to drink some beer with you. I was there last year.

Author Comment by systan (ID: 33517190)
Oh, one thing, if you're listening..
But is the code BETTER than the "library MatHook;" from the earlier post in Application Process Path 1?
Isn't it better because it also catches console and non-window apps?

Expert Comment by aflarin (ID: 33518212)
>> But is the code BETTER than the "library MatHook;" from the earlier post in Application Process Path 1?

The more you understand your code, the better your code is.
I understand my code (library MatHook) from the earlier post better. It works, except for console and non-window apps. I know how it works and can predict its behavior.

This code... Does it work? I haven't checked it yet. Ok, let's assume it doesn't hang the system. But does it really work? Does it intercept CreateProcess? CreateProcessAsUser? WinExec? ShellExecute? etc.. I don't know, because you intercept ZwOpenFile in user mode. I have no idea which process functions use ZwOpenFile in user mode and which ones use ZwOpenFile in kernel mode. So I can't predict how this code will work. Therefore I cannot consider this code as better.

On the other hand, if you read some documentation (btw there is a good book about Windows internals: http://www.amazon.com/Microsoft-Windows-Internals-4th-Server/dp/0735619174) and do some tests to check all process functions and prove that this code works with all process functions... Well, I'll admit that it is better then.

Author Comment by systan (ID: 33520226)
Aflarin;
Sorry if you feel bad about my comments, but I just want to let you know that I am a fresh Delphian who does some Delphi code that is hard to understand. If you ask me how my standing is in Delphi programming? I'm not sure; I just know how to debug code that I can understand. Advanced programming with Delphi? I am learning it from you and from the other experts here like Geert. Excuse me if you're offended by my question. But I have nothing to stand on without the experts here; you keep me alive learning Delphi.

Thank you

Expert Comment by aflarin (ID: 33520354)
?? No way. Just a misunderstanding.
Was I too emotional? Sorry, I just tried to explain my opinion.

I'm ok. And your comment was ok. And you're ok :)

Good luck in the learning!

Expert Comment by aflarin (ID: 33520419)
btw, I'll be glad if you learn Delphi and Win32 deeply enough to intercept functions in a kernel-mode driver. And then I can frankly say that your code is much better, because... and say why.

So don't worry and continue to learn. Maybe this moment will happen soon.

Author Comment by systan (ID: 33524378)
Aflarin;
The Library x is not my code, I just googled it.
That's why I asked you. Anyway, I've tested the library; it works, it informs me of all the processes on my CPU. I just called LoadLibrary('x.dll'), but the problem is how to manage only the apps and DLLs; I guess I have to use ExtractFileName and delete the string. The other problem is how to pause it while I'm reading the file. Do you think if I open another question with this you can help again? Forgive me, but I think you're the best here in the Delphi zone; generally I'm not sure, there are 3 of them: epasquier, Geert and ThievingSix. Do you think you can upgrade the library x code with pause and terminate?

Author Comment by systan (ID: 33524401)
And oh,
I'm a new member of
http://www.rootkit.com/board.php?thread=14096&did=edge0&disp=14096&closed=1
asking about ZwXxx routines.
But I'm not serious about the site, just asking. E-E is the best of all.

Author Comment by systan (ID: 33562023)
Found it about ZwCreateSection, and I'm using it right now for testing ;)
http://www.ntcore.com/files/winmpi.htm#Figure2