Posted: Mon Dec 18, 2017 6:35 am Post subject: How to call the original function after a hook?
With the following code, the target application crashes.
The failure occurs on this line:
else Result := LdrLoadDll(szcwPath, dwFlags, pUniModuleName, pResultInstance);
How can I fix this?
library mydll;
uses
Windows,
SysUtils;
{$R *.res}
const
  // Substrings that NewLdrLoadDll compares against the first argument of
  // every LdrLoadDll call; a hit makes the hook return STATUS_ACCESS_DENIED.
  // NOTE(review): these are `string` literals while szcwPath is a PWideChar,
  // so the Pos call relies on an implicit conversion — confirm it compares
  // the way intended on this Delphi version.
  Strgs: array [0 .. 1] of string = ('Folder1', 'Folder2');
/// /////////////////////////////////////////////////////////////////////////////
type
  // Native status code; modelled here as an unsigned 32-bit value. Codes with
  // the top bit set (such as $C0000022 below) are errors, so the caller of the
  // hooked routine sees them as a failed load.
  NTSTATUS = UINT;

const
  // Returned by NewLdrLoadDll for a blocked module (NT STATUS_ACCESS_DENIED).
  STATUS_ACCESS_DENIED = NTSTATUS($C0000022);
type
  PUNICODE_STRING = ^UNICODE_STRING;

  // Native counted UTF-16 string, as passed to LdrLoadDll for the module name.
  // Per the Windows definition, Length and MaximumLength are byte counts and
  // Buffer need not be NUL-terminated, so it must not be treated as a C
  // string. `packed` keeps the layout identical to the native structure.
  UNICODE_STRING = packed record
    Length: Word;
    MaximumLength: Word;
    Buffer: PWideChar;
  end;
type
  // Prototype used for ntdll!LdrLoadDll in this unit (stdcall, four
  // pointer-sized arguments). NOTE(review): the routine is undocumented and is
  // usually described with a PULONG second parameter (DLL characteristics)
  // rather than a DWORD by value; on a 32-bit build both occupy one stack
  // slot, so the mismatch is harmless only there — verify before using dwFlags.
  TLdrLoadDll = function(szcwPath: PWideChar; dwFlags: DWORD;
    pUniModuleName: PUNICODE_STRING; pResultInstance: PPointer)
    : NTSTATUS; stdcall;

  PJmpCode = ^TJmpCode;

  // Byte image of the detour HookAPI writes over the entry of LdrLoadDll:
  // JmpCode ($B8) followed by Address encodes `mov eax, <NewLdrLoadDll>`,
  // MovEAX[0..1] ($FF $E0) encodes `jmp eax`, and MovEAX[2] is padding.
  // The hard-coded 8-byte reads/writes in HookAPI/UnHookAPI assume a 4-byte
  // Address, i.e. a 32-bit build; on a 64-bit build Address is 8 bytes and the
  // record no longer fits in 8 bytes (and `mov eax` cannot hold the pointer).
  TJmpCode = packed record
    JmpCode: BYTE;
    Address: TLdrLoadDll;
    MovEAX: Array [0 .. 2] of BYTE;
  end;
var
  // Set by HookAPI to AddLdrLoadDll — the entry point that has already been
  // patched — so calling it executes the detour again rather than the
  // original code. It is not a way to reach the real routine.
  OldLdrLoadDll: TLdrLoadDll;
  // Detour bytes assembled by HookAPI.
  JmpCode: TJmpCode;
  // OldProc[0] holds the 8 original bytes of LdrLoadDll saved by HookAPI and
  // restored by UnHookAPI. OldProc[1] is never read or written.
  OldProc: array [0..1] of TJmpCode;
  // Address of ntdll!LdrLoadDll as resolved by GetProcAddress in HookAPI.
  AddLdrLoadDll: pointer;
// Intended pass-through to the original ntdll!LdrLoadDll.
//
// This is where the reported crash comes from. HookAPI sets OldLdrLoadDll to
// AddLdrLoadDll, the very entry point whose first 8 bytes were replaced with a
// jump to NewLdrLoadDll. Calling it therefore runs the detour again, which
// calls this wrapper again, and so on until the stack overflows. The original
// bytes saved in OldProc[0] are never executed by anything, so no path here
// reaches the real routine. Reaching it needs either a trampoline (a separate
// executable buffer holding the saved prologue followed by a jump into the
// rest of LdrLoadDll — which this listing does not build, and which must
// account for instruction boundaries) or temporarily restoring the original
// bytes around the call (racy against other threads loading DLLs).
function LdrLoadDll(szcwPath: PWideChar; dwFlags: DWORD; pUniModuleName:
  PUNICODE_STRING; pResultInstance: PPointer): NTSTATUS; stdcall;
begin
  Result := OldLdrLoadDll(szcwPath, dwFlags, pUniModuleName, pResultInstance);
end;
// Detour that runs in place of ntdll!LdrLoadDll once HookAPI has patched it.
//
// Returns STATUS_ACCESS_DENIED when szcwPath contains one of the Strgs
// entries; otherwise forwards the call to LdrLoadDll (the wrapper above).
//
// Defects visible in this body:
//  - Pos(Substr, S) looks for its first argument inside its second, so the
//    condition asks whether the whole path occurs inside 'Folder1' — the
//    arguments appear to be reversed.
//  - Result is overwritten on every iteration and every non-matching entry
//    forwards the load again, so with two entries a module can be loaded
//    twice and only the last entry decides the return value. Find a match
//    first, then forward exactly once.
//  - NOTE(review): for ntdll!LdrLoadDll the first argument is generally the
//    search path, while the module name arrives in pUniModuleName — confirm
//    which value the filter is meant to inspect.
//  - The forward goes through OldLdrLoadDll, which points at the patched
//    entry, so it re-enters this detour and overflows the stack.
function NewLdrLoadDll(szcwPath: PWideChar; dwFlags: DWORD;
  pUniModuleName: PUNICODE_STRING; pResultInstance: PPointer)
  : NTSTATUS; stdcall;
var
  i: Integer;
begin
  /// ///////////////////////////////////////////////////////////////////////////
  for i := Low(Strgs) to High(Strgs) do
    if (Pos(szcwPath, Strgs[i]) > 0) then
      Result := STATUS_ACCESS_DENIED
    else
      Result := LdrLoadDll(szcwPath, dwFlags, pUniModuleName,
        pResultInstance);
  /// ///////////////////////////////////////////////////////////////////////////
end;
// Installs the inline patch on ntdll!LdrLoadDll in the current process.
//
// Assembles the 8-byte detour (`mov eax, @NewLdrLoadDll` / `jmp eax` / one
// pad byte), copies the 8 bytes currently at the entry point into OldProc[0]
// for UnHookAPI, and overwrites them.
//
// Shortcomings a reviewer would flag:
//  - No return value is checked. A failed LoadLibrary/GetProcAddress leaves
//    AddLdrLoadDll nil and the ReadProcessMemory/WriteProcessMemory calls
//    fail silently (their BOOL result is discarded, dwSize is never read).
//  - The 8-byte write is not atomic with respect to other threads that may be
//    executing the first instructions of LdrLoadDll at that moment.
//  - OldLdrLoadDll receives the patched address itself, not a route to the
//    original code; the saved bytes in OldProc[0] are only used for unhooking.
//  - The sizes 8 assume a 4-byte Address, i.e. a 32-bit build.
procedure HookAPI;
var
  DLLModule: THandle;
  dwSize: SIZE_T;
begin
  DLLModule := LoadLibrary('ntdll.dll');
  AddLdrLoadDll := GetProcAddress(DLLModule, 'LdrLoadDll');
  JmpCode.JmpCode := $B8;      // mov eax, imm32
  JmpCode.MovEAX[0] := $FF;    // jmp eax ($FF $E0)
  JmpCode.MovEAX[1] := $E0;
  JmpCode.MovEAX[2] := 0;      // padding to fill the 8 saved bytes
  ReadProcessMemory(GetCurrentProcess, AddLdrLoadDll, @OldProc[0], 8, dwSize);
  JmpCode.Address := @NewLdrLoadDll;
  WriteProcessMemory(GetCurrentProcess, AddLdrLoadDll, @JmpCode, 8, dwSize);
  OldLdrLoadDll := AddLdrLoadDll;
end;
// Restores the 8 original bytes saved by HookAPI over the entry of LdrLoadDll.
//
// Assumes HookAPI succeeded: if AddLdrLoadDll is nil or OldProc[0] was never
// filled, this writes garbage or fails silently (the BOOL result and dwSize
// are ignored). Like the hook, the write is not atomic against other threads.
procedure UnHookAPI;
var
  dwSize: SIZE_T;
begin
  WriteProcessMemory(GetCurrentProcess, AddLdrLoadDll, @OldProc[0], 8, dwSize);
end;
// DllProc callback: installs the hook when the library is attached to the
// process and removes it on detach. Thread attach/detach notifications are
// switched off during attach and otherwise ignored.
procedure DllEntryPoint(Reason: Integer); stdcall;
begin
  if Reason = DLL_PROCESS_ATTACH then
  begin
    DisableThreadLibraryCalls(HInstance);
    HookAPI;
  end
  else if Reason = DLL_PROCESS_DETACH then
    UnHookAPI;
end;
// Library initialization block. The usual Delphi pattern: by the time this
// block runs the system's DLL_PROCESS_ATTACH has already been delivered, so the
// attach case is invoked by hand once; later notifications arrive via DllProc.
begin
  DllProc := @DllEntryPoint;
  DllEntryPoint(DLL_PROCESS_ATTACH);
end.