Zerith Master Cheater
Reputation: 1
Joined: 07 Oct 2007 Posts: 468
Posted: Fri Jan 16, 2009 11:20 am Post subject: [Question] ZwOpenProcess Hook
I'm posting this for a friend of mine (his account is invisible), so don't try to help me on MSN.
Hi, I'm new to driver programming and I'm trying to hook ZwOpenProcess.
I've seen this topic and I've got a few questions:
1. What's CR0? Is it something like page protection that you have to remove?
2. Is there any driver development environment with a popup menu of possible function calls, variables and so on? Or do I just write it in Notepad or something?
3. I tried hooking ZwOpenProcess like blankrider did for NtCreateFile, but for some reason it doesn't work. Here's what I've done:
| Code: | #include <ntddk.h>
#include <ntifs.h>
// Address returned by MmGetSystemRoutineAddress for ZwOpenProcess. When Hook()
// installs its patch it advances this pointer by 5 (1 opcode byte + 4 operand
// bytes), so afterwards it points just past the patched bytes; DriverUnload()
// subtracts 5 again before restoring them.
unsigned char* OPOriginal;
// Loop index shared by Hook() and DriverUnload(); file-scope rather than local.
unsigned int i;
// Trampoline that stands in for the overwritten start of ZwOpenProcess.
// __declspec(naked): the compiler emits no prologue/epilogue, so the body is
// exactly the bytes in the __asm block. Hook() overwrites the five NOPs with
// the five original bytes of ZwOpenProcess at run time; the indirect jmp then
// continues in the original routine at the address stored in OPOriginal
// (5 bytes past the patch site once Hook() has run). The parameters exist
// only so the call in OPFilter type-checks; nothing in the body reads them.
void __declspec(naked) OPTrampoline(
OUT PHANDLE ProcessHandle,
IN ACCESS_MASK AccessMask,
IN POBJECT_ATTRIBUTES ObjectAttributes,
IN PCLIENT_ID ClientId
)
{
__asm
{
nop // bytes 0..4: placeholders replaced by Hook()
nop
nop
nop
nop
jmp [OPOriginal] // indirect jump through the variable's contents, not to its address
}
}
// Replacement that Hook() redirects ZwOpenProcess to. Logs the call and the
// first 32-bit field of *ClientId (labelled "pID" by the format string), then
// forwards all four arguments unchanged to the original routine through
// OPTrampoline. __stdcall matches the calling convention of the hooked routine.
// NOTE(review): ClientId is dereferenced without a NULL check, and the routine
// is declared void although ZwOpenProcess returns NTSTATUS — the original
// caller presumably sees whatever eax holds after the trampoline returns;
// confirm before relying on the return value.
void __stdcall OPFilter(
OUT PHANDLE ProcessHandle,
IN ACCESS_MASK AccessMask,
IN POBJECT_ATTRIBUTES ObjectAttributes,
IN PCLIENT_ID ClientId
)
{
DbgPrint("OPFilter called!");
DbgPrint("pID: %u", *(unsigned int*)ClientId);
OPTrampoline(ProcessHandle, AccessMask, ObjectAttributes, ClientId); // continue in the original routine
}
// Clears CR0.WP (bit 16) so that kernel-mode writes to write-protected pages
// go through, then masks interrupts on the current processor with cli.
// 0x0FFFEFFFF is ~(1 << 16): every other CR0 bit keeps its value.
// Note that cli only affects the processor that executes it.
void disableCR0()
{
__asm
{
push eax // preserve the caller's eax
mov eax, CR0
and eax, 0x0FFFEFFFF // clear bit 16 (WP)
mov CR0, eax
pop eax
cli
}
}
// Undoes disableCR0(): sets CR0.WP (bit 16) again and re-enables interrupts
// on the current processor with sti.
// MASM evaluates NOT 0x0FFFEFFFF to 0x00010000, i.e. a mask with only bit 16 set.
void enableCR0()
{
__asm
{
push eax // preserve the caller's eax
mov eax, CR0
or eax, NOT 0x0FFFEFFFF // set bit 16 (WP)
mov CR0, eax
pop eax
sti
}
}
// Installs the inline hook: resolves ZwOpenProcess, copies its first five
// bytes into OPTrampoline, and — unless the first byte is already 0xE9 —
// overwrites those five bytes with a jmp rel32 to OPFilter. On the patching
// path OPOriginal is left pointing 5 bytes past the entry, which is where the
// trampoline's indirect jmp resumes; on the "already hooked" path it still
// points at the entry itself. Uses the file-scope index i.
void Hook()
{
UNICODE_STRING FunctionName;
RtlInitUnicodeString(&FunctionName, L"ZwOpenProcess");
// FunctionName.Buffer now points at the L"ZwOpenProcess" literal and
// Length holds its size in bytes; RtlInitUnicodeString copies nothing.
OPOriginal = MmGetSystemRoutineAddress(&FunctionName);
if (OPOriginal == 0)
DbgPrint("OPOriginal == 0");
else
{
disableCR0(); // CR0.WP must be clear: both the target routine and the trampoline live in write-protected code pages
for (i = 0; i < 5; i++)
*(((unsigned char*)OPTrampoline)+i) = *(OPOriginal+i); // save the bytes the jmp will overwrite
if (*OPOriginal != 0xE9) // 0xE9 == jmp rel32 opcode: treated as "already hooked"
{
*OPOriginal++ = 0xE9; // opcode; OPOriginal now points at the operand bytes
*(unsigned int*)OPOriginal = ((unsigned int)OPFilter) - ((unsigned int)OPOriginal) - 5; // 32-bit displacement operand
DbgPrint("Successfuly hooked ZwOpenProcess! (0x%02X 0x%08X)", *(unsigned char*)(OPOriginal-1), *(unsigned int*)OPOriginal);
OPOriginal += 4; // past the operand: 5 bytes beyond the original entry
}
else DbgPrint("ZwOpenProcess is already hooked!");
enableCR0();
}
}
// Unload routine registered by DriverEntry: writes the five bytes saved in
// OPTrampoline back to the start of ZwOpenProcess under the same CR0.WP
// toggle Hook() used. Assumes Hook() advanced OPOriginal by 5, hence the -= 5.
// NOTE(review): Hook() only advances OPOriginal on its patching branch; after
// the "already hooked" branch it still points at the routine's entry, so the
// -= 5 below would address bytes before it — confirm that path is intended.
// pDriverObject is unused.
void DriverUnload(PDRIVER_OBJECT pDriverObject)
{
DbgPrint("zwDriver.sys Unloading...");
if (OPOriginal != 0)
{
OPOriginal -= 5; // back to the patch site
disableCR0();
for (i = 0; i < 5; i++)
*(OPOriginal+i) = *(((unsigned char*)OPTrampoline)+i); // restore the saved bytes
enableCR0();
}
}
// Driver entry point: logs, registers DriverUnload, installs the hook and
// reports success. RegistryPath is unused. STATUS_SUCCESS is returned even
// when Hook() could not resolve ZwOpenProcess, because Hook() only logs that case.
NTSTATUS DriverEntry(PDRIVER_OBJECT pDriverObject, PUNICODE_STRING RegistryPath)
{
DbgPrint("zwDriver.sys Loaded");
pDriverObject->DriverUnload = DriverUnload;
Hook();
return STATUS_SUCCESS;
}
It says it hooked the function, but OPFilter is never called...
Also, does anyone know any good driver-programming tutorials or other information about kernel hooks?
BanMe Master Cheater
Reputation: 0
Joined: 29 Nov 2005 Posts: 375 Location: Farmington NH, USA
Posted: Fri Jan 16, 2009 12:28 pm Post subject:
#include <ntddk.h>
#include <ntifs.h>
// Address returned by MmGetSystemRoutineAddress for ZwOpenProcess.
// NOTE(review): unlike the earlier listing, this Hook() never advances it,
// yet DriverUnload() still subtracts 5 before restoring — see there.
unsigned char* OPOriginal;
// Staging buffer for the five saved bytes.
// NOTE(review): never assigned anywhere in this listing, so it is NULL when
// Hook() passes it to memcpy as the destination.
unsigned char* buffer;
// Loop index used by DriverUnload(); file-scope rather than local.
unsigned int i;
// Trampoline that stands in for the overwritten start of ZwOpenProcess.
// __declspec(naked): no prologue/epilogue, so the body is exactly the bytes
// in the __asm block. Layout: five NOP placeholders (meant to receive the
// saved original bytes), then a raw 0xE9 (jmp rel32 opcode) whose four
// operand bytes are the NOPs that follow it — presumably to be filled in by
// Hook() at run time — and finally retn. The parameters exist only so the
// call in OPFilter type-checks; nothing in the body reads them.
void __declspec(naked) OPTrampoline(
OUT PHANDLE ProcessHandle,
IN ACCESS_MASK AccessMask,
IN POBJECT_ATTRIBUTES ObjectAttributes,
IN PCLIENT_ID ClientId
)
{
__asm
{
nop // bytes 0..4: placeholders for the saved original bytes
nop
nop
nop
nop
__emit 0xe9 // byte 5: emitted literally because the jump target is unknown at assembly time
nop // bytes 6..9: operand of the jmp above
nop
nop
nop
retn
}
}
// Replacement that Hook() redirects ZwOpenProcess to. Logs the call and the
// first 32-bit field of *ClientId (labelled "pID" by the format string), then
// forwards all four arguments unchanged to the original routine through
// OPTrampoline. __stdcall matches the calling convention of the hooked routine.
// NOTE(review): ClientId is dereferenced without a NULL check, and the routine
// is declared void although ZwOpenProcess returns NTSTATUS — the original
// caller presumably sees whatever eax holds after the trampoline returns;
// confirm before relying on the return value.
void __stdcall OPFilter(
OUT PHANDLE ProcessHandle,
IN ACCESS_MASK AccessMask,
IN POBJECT_ATTRIBUTES ObjectAttributes,
IN PCLIENT_ID ClientId
)
{
DbgPrint("OPFilter called!");
DbgPrint("pID: %u", *(unsigned int*)ClientId);
OPTrampoline(ProcessHandle, AccessMask, ObjectAttributes, ClientId); // continue in the original routine
}
// Clears CR0.WP (bit 16) so that kernel-mode writes to write-protected pages
// go through, then masks interrupts on the current processor with cli.
// 0x0FFFEFFFF is ~(1 << 16): every other CR0 bit keeps its value.
// Note that cli only affects the processor that executes it.
void disableCR0()
{
__asm
{
push eax // preserve the caller's eax
mov eax, CR0
and eax, 0x0FFFEFFFF // clear bit 16 (WP)
mov CR0, eax
pop eax
cli
}
}
// Undoes disableCR0(): sets CR0.WP (bit 16) again and re-enables interrupts
// on the current processor with sti.
// MASM evaluates NOT 0x0FFFEFFFF to 0x00010000, i.e. a mask with only bit 16 set.
void enableCR0()
{
__asm
{
push eax // preserve the caller's eax
mov eax, CR0
or eax, NOT 0x0FFFEFFFF // set bit 16 (WP)
mov CR0, eax
pop eax
sti
}
}
// Installs the inline hook: resolves ZwOpenProcess, stages its first five
// bytes through `buffer` into OPTrampoline, stores a value into the
// trampoline, then writes at the routine's entry. Unlike the earlier
// listing there is no "already hooked" check and OPOriginal is not advanced.
// NOTE(review): three of the statements below do not compile as written
// (marked individually), and `buffer` is never allocated in this listing.
void Hook()
{
UNICODE_STRING FunctionName;
RtlInitUnicodeString(&FunctionName, L"ZwOpenProcess");
// FunctionName.Buffer now points at the L"ZwOpenProcess" literal and
// Length holds its size in bytes; RtlInitUnicodeString copies nothing.
OPOriginal = MmGetSystemRoutineAddress(&FunctionName);
if (OPOriginal == 0)
DbgPrint("OPOriginal == 0");
else
{
disableCR0(); // CR0.WP must be clear: the code pages written below are write-protected
// NOTE(review): buffer is NULL here (never assigned), so this copies through a null pointer.
memcpy((void*)buffer,(void*)OPOriginal,5);
// NOTE(review): missing '(' before (void*)OPTrampoline — does not compile as written.
memmove(void*)OPTrampoline,(void*)buffer,5);
// NOTE(review): '+7' applies to the dereferenced DWORD, not to the pointer, so
// the left-hand side is not an lvalue — does not compile as written.
*(DWORD*)OPTrampoline+7 = (DWORD)OPOriginal+5;
*OPOriginal = 0xe9; // jmp rel32 opcode at the routine's entry
// NOTE(review): no operator between the two operands — does not compile as
// written. Also, *(DWORD*)OPFilter reads the first four code bytes of OPFilter
// rather than anything derived from its address.
*(DWORD*)OPOriginal *(DWORD*)OPFilter;
enableCR0();
}
}
// Unload routine registered by DriverEntry: writes the five bytes held in
// OPTrampoline back to the start of ZwOpenProcess under the same CR0.WP
// toggle Hook() used.
// NOTE(review): this listing's Hook() never advances OPOriginal, so the -= 5
// below points 5 bytes before the routine's entry rather than at it — the
// restore would then write to the wrong location; confirm the intent.
// pDriverObject is unused.
void DriverUnload(PDRIVER_OBJECT pDriverObject)
{
DbgPrint("zwDriver.sys Unloading...");
if (OPOriginal != 0)
{
OPOriginal -= 5; // assumes Hook() advanced the pointer past the patch (it does not here)
disableCR0();
for (i = 0; i < 5; i++)
*(OPOriginal+i) = *(((unsigned char*)OPTrampoline)+i); // restore the saved bytes
enableCR0();
}
}
// Driver entry point: logs, registers DriverUnload, installs the hook and
// reports success. RegistryPath is unused. STATUS_SUCCESS is returned even
// when Hook() could not resolve ZwOpenProcess, because Hook() only logs that case.
NTSTATUS DriverEntry(PDRIVER_OBJECT pDriverObject, PUNICODE_STRING RegistryPath)
{
DbgPrint("zwDriver.sys Loaded");
pDriverObject->DriverUnload = DriverUnload;
Hook();
return STATUS_SUCCESS;
}
Last edited by BanMe on Fri Jan 16, 2009 3:22 pm; edited 2 times in total
lurc Grandmaster Cheater Supreme
Reputation: 2
Joined: 13 Nov 2006 Posts: 1900
Posted: Fri Jan 16, 2009 12:35 pm Post subject:
Dunno about the code, haven't read the entire post, but for BanMe's post: the asm in OPTrampoline won't work. You have to use __emit to write the bytes directly.
like:
// Fragment of a naked trampoline body (no enclosing function shown).
// Layout: five NOP placeholders, then a literal 0xE9 byte — the jmp rel32
// opcode, emitted with __EMIT because the assembler has no target to encode
// at assembly time — followed by four NOP bytes that stand in for the jmp's
// 32-bit operand (presumably patched at run time), and a final RETN.
__asm
{
NOP // bytes 0..4: placeholders
NOP
NOP
NOP
NOP
__EMIT 0xE9 // byte 5: raw jmp rel32 opcode
NOP // bytes 6..9: operand placeholder
NOP
NOP
NOP
RETN
}