Solved

Application Process Path 2

Posted on 2010-08-23
18
1,023 Views
Last Modified: 2013-11-23
This was Aflarin's comment on Application Process Path 1
http://www.experts-exchange.com/Programming/Languages/Pascal/Delphi/Q_26413438.html#33496630


I have researched some code regarding "ZwOpenFile".
As I look at the code, it seems to do what I want: get the application path and name, with or without a window or a console.

Only 2 questions to answer.
a. Is this the code that Aflarin is talking about in his number 3 comment? Yes or NO
b. And where could I find NativeAPI.pas?
library x;

uses
  Windows,
  SysUtils,
  NativeAPI; // I can't find this

type
  // The first six bytes of the original ZwOpenFile stub, saved so they can be restored.
  OldCode = packed record
    One: DWORD;
    Two: Word;
  end;

  // Six-byte detour written over the stub: push <address> ; ret
  far_jmp = packed record
    PushOp: Byte;      // $68 = push imm32
    PushArg: Pointer;  // address of NewZwOpenFile
    RetOp: Byte;       // $C3 = ret
  end;

var
  JmpZwq: far_jmp;
  OldZwq: OldCode;
  PtrZwq: Pointer;

// Pointer parameters are passed by value, as in the native prototype.
function ZwOpenFile(FileHandle: PHANDLE;
    const DesiredAccess: ACCESS_MASK;
    const ObjectAttributes: PObjectAttributes;
    IoStatusBlock: PIO_STATUS_BLOCK;
    const ShareAccess, OpenOptions: ULONG): NTStatus;
    stdcall; external 'ntdll.dll';

// Calls the original stub: temporarily restores the saved bytes, calls through,
// then re-applies the detour. Not thread-safe: another thread calling ZwOpenFile
// while the bytes are restored bypasses the hook.
function TrueZwOpenFile(FileHandle: PHANDLE;
    const DesiredAccess: ACCESS_MASK;
    const ObjectAttributes: PObjectAttributes;
    IoStatusBlock: PIO_STATUS_BLOCK;
    const ShareAccess, OpenOptions: ULONG): NTStatus;
    stdcall;
var
  Written: DWORD;
begin
  // GetCurrentProcess returns the pseudo-handle (-1), the same value as the
  // INVALID_HANDLE_VALUE the original snippet passed here.
  WriteProcessMemory(GetCurrentProcess, PtrZwq, @OldZwq, SizeOf(OldCode), Written);
  Result := ZwOpenFile(FileHandle, DesiredAccess, ObjectAttributes, IoStatusBlock, ShareAccess, OpenOptions);
  WriteProcessMemory(GetCurrentProcess, PtrZwq, @JmpZwq, SizeOf(far_jmp), Written);
end;

// Replacement: denies access to one file and passes everything else through.
function NewZwOpenFile(FileHandle: PHANDLE;
    const DesiredAccess: ACCESS_MASK;
    const ObjectAttributes: PObjectAttributes;
    IoStatusBlock: PIO_STATUS_BLOCK;
    const ShareAccess, OpenOptions: ULONG): NTStatus;
    stdcall;
var
  s: WideString;
begin
  // ObjectName is a UNICODE_STRING: Buffer is not guaranteed to be null-terminated,
  // so copy exactly Length bytes (Length is in bytes, not characters).
  s := '';
  if (ObjectAttributes <> nil) and (ObjectAttributes^.ObjectName <> nil) then
    SetString(s, ObjectAttributes^.ObjectName^.Buffer,
              ObjectAttributes^.ObjectName^.Length div SizeOf(WideChar));

  if WideUpperCase(s) = '\??\C:\XSB.TXT' then
  begin
    Result := STATUS_ACCESS_DENIED;
    Exit;
  end;

  Result := TrueZwOpenFile(FileHandle, DesiredAccess, ObjectAttributes, IoStatusBlock, ShareAccess, OpenOptions);
end;

procedure SetHook;
var
  Bytes: DWORD;
begin
  PtrZwq := GetProcAddress(GetModuleHandle('ntdll.dll'), 'ZwOpenFile');
  if PtrZwq = nil then
    Exit;
  // Save the bytes about to be overwritten, then write the push/ret detour.
  ReadProcessMemory(GetCurrentProcess, PtrZwq, @OldZwq, SizeOf(OldCode), Bytes);
  JmpZwq.PushOp  := $68;
  JmpZwq.PushArg := @NewZwOpenFile;
  JmpZwq.RetOp   := $C3;
  WriteProcessMemory(GetCurrentProcess, PtrZwq, @JmpZwq, SizeOf(far_jmp), Bytes);
end;

procedure Unhook;
var
  Bytes: DWORD;
begin
  if PtrZwq <> nil then
    WriteProcessMemory(GetCurrentProcess, PtrZwq, @OldZwq, SizeOf(OldCode), Bytes);
end;

// Global WH_GETMESSAGE hook. Its only purpose is to make Windows load this DLL
// into every process that has a message queue; the procedure itself just passes
// the message on.
function MessageProc(code: Integer; wParam: WPARAM; lParam: LPARAM): LRESULT; stdcall;
begin
  Result := CallNextHookEx(0, code, wParam, lParam);
end;

procedure SetGlobalHookProc;
begin
  // Thread id 0 = hook all threads on the desktop. The hook is removed when the
  // installing thread exits, so keep this thread alive.
  SetWindowsHookEx(WH_GETMESSAGE, @MessageProc, HInstance, 0);
  Sleep(INFINITE);
end;

procedure SetGlobalHook;
var
  hMutex: THandle;
  TrId: DWORD;
begin
  // The named mutex makes sure only the first instance installs the global hook.
  hMutex := CreateMutex(nil, False, 'ScanerHook');
  if GetLastError <> ERROR_ALREADY_EXISTS then
    CreateThread(nil, 0, @SetGlobalHookProc, nil, 0, TrId)
  else
    CloseHandle(hMutex);
end;

// Reason is an Integer to match TDLLProc, the type of DllProc.
procedure DLLEntryPoint(dwReason: Integer);
begin
  case dwReason of
    DLL_PROCESS_ATTACH:
      begin
        SetGlobalHook;
        SetHook;
      end;
    DLL_PROCESS_DETACH:
      Unhook;
  end;
end;

begin
  DllProc := @DLLEntryPoint;
  DLLEntryPoint(DLL_PROCESS_ATTACH);
end.

Question by: systan
18 Comments
 
LVL 14

Expert Comment

by:DragonSlayer
 
LVL 14

Author Comment

by:systan
DragonSlayer;
You're pointing me to a DLL injection, which I have from ThievingSix.
Instead, would you answer a and b?

Thanks
 
LVL 14

Assisted Solution

by:DragonSlayer
DragonSlayer earned 100 total points
You asked for NativeAPI.pas, the link to the file is in the .7z file attached at the bottom of that page ;-)
 
LVL 14

Author Comment

by:systan
Ok;
I'll try to look for it, but what about question a?
 
LVL 14

Author Comment

by:systan
I have compiled the library, but what about question a?
 
LVL 13

Expert Comment

by:aflarin
You are not afraid of hard work, are you? ;)

Your DLL is working in user mode, so you intercept only the stub of ZwOpenFile in ntdll. To intercept the real ZwOpenFile you have to do it in a kernel-mode driver.
 
LVL 14

Author Comment

by:systan
>>You are not afraid of hard work, are you? ;)
lol, lol, lol
Talking about hard work, I can do computer stuff without compensation for a whole month just to learn; it's my personal project anyway.

OK;
>>Your DLL is working in user mode, so you intercept only the stub of ZwOpenFile in ntdll. To intercept the real ZwOpenFile you have to do it in a kernel-mode driver.

Huh! What a deep programming language. lol
So,
a. Is this the code that Aflarin is talking about in his number 3 comment? Yes or NO
Is the answer to question a NO?
Is that what you want to say, Aflarin? NO!
 
LVL 14

Author Comment

by:systan
Ok,
question b has been answered by DragonSlayer.

Question a is not clearly answered by Aflarin;
>>Your DLL is working in user mode, so you intercept only the stub of ZwOpenFile in ntdll.
Are you talking about the code snippet I attached? The library x?

>>To intercept the REAL ZwOpenFile you have to do it in a kernel-mode driver.
So, you see the code snippet is not a real ZwOpenFile? Then your answer is NO?
 
LVL 13

Accepted Solution

by: aflarin
aflarin earned 400 total points
>> Is this the code that Aflarin is talking about in his number 3 comment? Is that what you want to say, Aflarin?

I'm afraid the answer is no. I really was talking about hooking ZwOpenFile, but it must be within a kernel-mode driver. Your library x is working in user mode, so it can only hook the user-mode proxy of ZwOpenFile. It means your code will intercept ZwOpenFile calls only if they come from a user-mode app/DLL.
I guess when an app calls CreateProcess (or something like that), it goes to NtCreateProcess in kernel mode, and then ZwOpenFile is called by NtCreateProcess from kernel mode. So this call will pass by your hook.

I suggest you read the corresponding article from my post (and examine the article's code). For example, you can find that there are some reasons to hook NtCreateSection instead of ZwOpenFile :)

 
LVL 14

Author Closing Comment

by:systan
Aflarin;
You're really good in Delphi; I expect you'll be in wizard rank this September.

Thanks a lot

DragonSlayer? Thank you also, I'll drop by Malaysia soon to drink some beer with you. I was there last year.
 
LVL 14

Author Comment

by:systan
Oh, one thing, if you're listening..
But is the code BETTER than the "library MatHook;" from the earlier post in Application Process Path 1?
Isn't it better because it also catches console and non-window apps?
 
LVL 13

Expert Comment

by:aflarin
>> But is the code BETTER than the "library MatHook;" from the earlier post in Application Process Path 1?

The more you understand your code, the better your code is.
I understand my code (library MatHook) from the earlier post better. It works, except for console and non-window apps. I know how it works and can predict its behavior.

This code... Does it work? I haven't checked it yet. Ok, let's assume it doesn't hang the system. But does it really work? Does it intercept CreateProcess? CreateProcessAsUser? WinExec? ShellExecute? etc.. I don't know, because you intercept ZwOpenFile in user mode. I have no idea which process functions use ZwOpenFile in user mode and which ones use ZwOpenFile in kernel mode. So I can't predict how this code will work. Therefore I cannot consider this code better.

On the other hand, if you'll read some documentation (btw there is a good book about Windows internals http://www.amazon.com/Microsoft-Windows-Internals-4th-Server/dp/0735619174) and do some tests to check all process functions and prove that this code works with all process functions... Well, then I'll admit that it is better.
 
LVL 14

Author Comment

by:systan
Aflarin;
Sorry if you feel bad about my comments, but I just want to let you know that I am a fresh Delphian who does some Delphi code that is hard to understand. If you ask me how my standing in Delphi programming is? I'm not sure; I just know how to debug code that I can understand. About advanced programming with Delphi? I am learning it from you and from the other experts here like Geert. Excuse me if you're offended by my question. But I have nothing to stand on without the experts here; you keep me alive learning Delphi.

Thank you
 
LVL 13

Expert Comment

by:aflarin
?? No way. Just a misunderstanding.
Was I too emotional? Sorry, I just tried to explain my opinion.

I'm ok. And your comment was ok. And you're ok :)

Good luck in the learning!
 
LVL 13

Expert Comment

by:aflarin
btw, I'll be glad if you learn Delphi and Win32 deeply enough to intercept functions in a kernel-mode driver. And then I can frankly say that your code is much better, because... and say why.

So don't worry and continue to learn. Maybe this moment will happen soon.
 
LVL 14

Author Comment

by:systan
Aflarin;
The library x is not my code, I just googled it.
That's why I asked you. Anyway, I've tested the library: it works, it informs me of all the processes on my CPU; I just called LoadLibrary('x.dll'). But the problem is how to manage only the apps and DLLs; I guess I have to use ExtractFileName and delete the string. The other problem is how to pause it while I'm reading the file. Do you think if I open another question about this you can help again? Forgive me, but I think you're the best here in the Delphi zone; generally I'm not sure, there are 3 of them: epasquier, Geert and thievingSix. Do you think you can upgrade the library x code with pause and terminate?
 
LVL 14

Author Comment

by:systan
And oh,
I'm a new member of
http://www.rootkit.com/board.php?thread=14096&did=edge0&disp=14096&closed=1
asking about ZwXxx routines.
But I'm not serious about the site, just asking. E-E is the best of all.
 
LVL 14

Author Comment

by:systan
Found it about ZwCreateSection, and I'm using it right now for a test ;)
http://www.ntcore.com/files/winmpi.htm#Figure2
