sylvanus Advanced Cheater
Reputation: 0
Joined: 09 May 2006 Posts: 68
Posted: Thu Sep 18, 2008 9:49 pm Post subject: how bypass NtUserSendInput in Kernel Mode?
Does anyone have a source code sample or reference?
Is this related?
http://forum.cheatengine.org/viewtopic.php?t=18062
But what is the system call for NtUserSendInput?
Slugsnack Grandmaster Cheater Supreme
Reputation: 71
Joined: 24 Jan 2007 Posts: 1857
Posted: Fri Sep 19, 2008 1:23 am Post subject:
Did you mean what is the service ID for that API? I actually used to think the service ID was the same across all systems until recently, so it is probably not a good idea to hardcode it but to fetch it dynamically, if that is what you are looking to do.
sylvanus Advanced Cheater
Reputation: 0
Joined: 09 May 2006 Posts: 68
Posted: Fri Sep 19, 2008 3:07 pm Post subject:
Question: this is an example of a kernel-mode hook of ZwTerminateProcess.
Can I use this method to hook SendInput in kernel mode, or is more info needed?
Quote:
#include <ntddk.h>

// Layout of the service descriptor table this sample indexes. It is not
// declared in the DDK headers, so it is spelled out here (classic x86 layout);
// the exported symbol is the table itself, not a pointer to it.
typedef struct _SERVICE_DESCRIPTOR_TABLE {
    PVOID  *ServiceTable;   // array of system service entry points
    PULONG  CounterTable;
    ULONG   ServiceLimit;
    PUCHAR  ArgumentTable;
} SERVICE_DESCRIPTOR_TABLE, *PSERVICE_DESCRIPTOR_TABLE;
extern __declspec(dllimport) SERVICE_DESCRIPTOR_TABLE KeServiceDescriptorTable;

// The x86 Zw* stub starts with "mov eax, <service id>" (B8 imm32), so the
// service id is read from byte offset 1 and used to index the table. This
// sample assumes that stub layout and that the table is writable.
#define SYSTEMSERVICE(_function) \
    KeServiceDescriptorTable.ServiceTable[*(PULONG)((PUCHAR)(_function) + 1)]

typedef NTSTATUS (NTAPI *ZWTERMPROCESS)(
    IN HANDLE ProcessHandle,
    IN NTSTATUS ExitStatus
);

ZWTERMPROCESS TheOldZwTerminateProcess;

NTSTATUS NTAPI NewZwTerminateProcess(IN HANDLE ProcessHandle, IN NTSTATUS ExitStatus) {
    NTSTATUS status;
    status = TheOldZwTerminateProcess(ProcessHandle, ExitStatus);
    // comment out the above line to stop TerminateProcess from being called
    DbgPrint("ExtremeCoder: TerminateProcess Called\n");
    return status;
}

VOID HookAPI(VOID) {
    TheOldZwTerminateProcess = (ZWTERMPROCESS)SYSTEMSERVICE(ZwTerminateProcess);
    SYSTEMSERVICE(ZwTerminateProcess) = (PVOID)NewZwTerminateProcess;
    DbgPrint("ExtremeCoder: Hooking ZwTerminateProcess...\n");
}

VOID UnHookAPI(VOID) {
    SYSTEMSERVICE(ZwTerminateProcess) = (PVOID)TheOldZwTerminateProcess;
    DbgPrint("ExtremeCoder: Unhooking ZwTerminateProcess...\n");
}

VOID Unload_Driver(IN PDRIVER_OBJECT DriverObject) {
    UNREFERENCED_PARAMETER(DriverObject);
    UnHookAPI();
    DbgPrint("ExtremeCoder: Unloading Driver...\n");
}

NTSTATUS DriverEntry(PDRIVER_OBJECT DriverObject, PUNICODE_STRING RegistryPath) {
    UNREFERENCED_PARAMETER(RegistryPath);
    DriverObject->DriverUnload = Unload_Driver;
    DbgPrint("ExtremeCoder: Loading Driver...\n");
    HookAPI();
    return STATUS_SUCCESS;
}
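Slugsnack's advice to fetch the service ID at run time and the `+ 1` in the quoted SYSTEMSERVICE macro both rest on the layout of the service stub: `mov eax, imm32` on x86 (the id at byte offset 1) and `mov r10, rcx; mov eax, imm32` on x64 (the id at offset 4). The following is an added example, mine rather than anything posted in this thread; it decodes the table and slot from constructed stub bytes under those layout assumptions, and on the defensive side reports a stub whose first instruction is no longer a stub prologue, which is what an entry-point patch looks like.

```python
import struct

# Stub layouts assumed here (the public x86/x64 syscall stub shapes, an
# assumption of this example rather than something the thread states):
#   x86: B8 imm32           mov eax, <service id>       -> id at byte offset 1
#   x64: 4C 8B D1 B8 imm32  mov r10, rcx / mov eax, id  -> id at byte offset 4
X86_MOV_EAX = b"\xb8"
X64_PROLOGUE = b"\x4c\x8b\xd1\xb8"

# Bits 12-13 of the service id select the descriptor table (0 = ntoskrnl's
# KeServiceDescriptorTable, 1 = the win32k shadow table BanMe points at);
# the low 12 bits are the slot within that table.
TABLE_SHIFT = 12
SLOT_MASK = 0xFFF

def parse_service_stub(code: bytes):
    """Decode (table, slot) from the leading bytes of a service stub.

    Returns None when the bytes do not begin with a recognised prologue,
    which is what an entry-point patch (e.g. a jmp over the first
    instruction) looks like, so the caller should flag it, not decode it.
    """
    if code.startswith(X64_PROLOGUE) and len(code) >= 8:
        service_id = struct.unpack_from("<I", code, 4)[0]
    elif code.startswith(X86_MOV_EAX) and len(code) >= 5:
        service_id = struct.unpack_from("<I", code, 1)[0]
    else:
        return None
    return ((service_id >> TABLE_SHIFT) & 3, service_id & SLOT_MASK)

# Constructed sample stubs; the ids are made up, not real values for any
# Windows build, which is exactly why they must be read at run time.
SAMPLES = {
    "x86 stub, main table": bytes.fromhex("b8 01 01 00 00 8d 54 24 04 9c 6a 08"),
    "x86 stub, shadow table": bytes.fromhex("b8 ff 11 00 00 8d 54 24 04 9c 6a 08"),
    "x64 stub, main table": bytes.fromhex("4c 8b d1 b8 2c 00 00 00 0f 05 c3"),
    "patched stub (jmp at entry)": bytes.fromhex("e9 00 10 00 00 cc cc cc cc cc"),
}

def scan_samples():
    return {name: parse_service_stub(code) for name, code in SAMPLES.items()}

if __name__ == "__main__":
    for name, result in scan_samples().items():
        if result is None:
            print(f"{name}: no stub prologue at entry, treat as patched")
        else:
            print(f"{name}: table {result[0]}, slot 0x{result[1]:03x}")
```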
smartz993 I post too much
Reputation: 2
Joined: 20 Jun 2006 Posts: 2013 Location: USA
Posted: Fri Sep 19, 2008 3:44 pm Post subject:
He just wants the system call so he can try SDT hooking. It's not gonna work (on GG, they load their own copy).
sylvanus Advanced Cheater
Reputation: 0
Joined: 09 May 2006 Posts: 68
Posted: Fri Sep 19, 2008 3:56 pm Post subject:
Then what is the path? Please help.
BanMe Master Cheater
Reputation: 0
Joined: 29 Nov 2005 Posts: 375 Location: Farmington NH, USA
Posted: Sat Sep 20, 2008 8:51 am Post subject:
www . woodmann . com/forum/archive/index.php/t-11383.html
The post by blabber there has most of the Win32k.sys call table (or the KeServiceDescriptorTableShadow).. ;]