ZwTerminateProcess hook


arman2
October 28th, 2004, 02:31 AM
Hi,

I want to write a hook for ZwTerminateProcess.
I have no problem writing the hooking function, but the only problem is that I don't know how I can get the name of the process that ZwTerminateProcess was called for. I mean, I only have a handle to the process. I have searched for several days and only found NtQueryInformationProcess for querying information about the process handle and getting the image file name, but after some tests I found that I need to have a user-mode buffer in order to get information from NtQueryInformationProcess. But I can't find a way to allocate a user-mode buffer, nor can I find another method for getting the file path from this handle.

please help me solve this problem!

thanks

minsikzzang
November 1st, 2004, 09:01 PM
With this code, you may obtain the process name from its process handle.
However, a process handle obtained from an API-hooked 'TerminateProcess' function has only the PROCESS_TERMINATE access right, and thus will not return a process name.

You may try the following steps:
1. Try to API hook 'OpenProcess'
2. Use access rights of at least 'PROCESS_QUERY_INFORMATION' and 'PROCESS_VM_READ'.
3. Refer to the attached sample code
4. Then you may go to Starbucks, and get some White mocha frappucino.
Sit back and relax before you go bald!


#include <windows.h>
#include <winternl.h>   // PROCESSINFOCLASS, PROCESS_BASIC_INFORMATION, PEB, RTL_USER_PROCESS_PARAMETERS
#include <assert.h>

// m_pfnNtQueryInformationProcess is the NtQueryInformationProcess pointer the wrapper
// resolves from ntdll.dll; IsValid() reports whether that resolution succeeded.
// Both are members of CNTDLLWrapper that are not shown in this post.
BOOL
CNTDLLWrapper::QueryInformationProcess(
    HANDLE hProcess,
    PROCESSINFOCLASS pic,
    LPVOID pBuffer,
    DWORD cbBuffer
    )
{
    assert(pBuffer != NULL);
    assert(cbBuffer != 0);
    if ((pBuffer == NULL) || (cbBuffer == 0))
        return FALSE;

    if (!IsValid())
        return FALSE;

    LONG iReturn = -1;          // NTSTATUS: negative means failure
    try
    {
        DWORD dwLen;
        ZeroMemory(pBuffer, cbBuffer);
        iReturn = m_pfnNtQueryInformationProcess(
            hProcess,
            pic,
            pBuffer,
            cbBuffer,
            &dwLen
            );
    }
    catch(...)                  // catches an access violation only when built with /EHa
    {
        assert(FALSE);
    }

    // Fails with STATUS_ACCESS_DENIED when hProcess lacks PROCESS_QUERY_INFORMATION,
    // which is the case for the PROCESS_TERMINATE-only handle seen in the hook.
    return (iReturn >= 0);
}

BOOL
CNTDLLWrapper::GetProcessCmdLine(
    HANDLE hProcess,
    LPTSTR szCmdLine,
    DWORD dwSize
    )
{
    assert(hProcess != NULL);
    assert(szCmdLine != NULL);
    assert(dwSize > 0);

    if ((hProcess == NULL) || (szCmdLine == NULL) || (dwSize == 0))
        return FALSE;

    SIZE_T dwBytesRead;

    // hProcess needs PROCESS_QUERY_INFORMATION for the query and
    // PROCESS_VM_READ for the ReadProcessMemory calls that follow.
    PROCESS_BASIC_INFORMATION pbi;
    if (!QueryInformationProcess(
            hProcess,
            ProcessBasicInformation,
            &pbi,
            sizeof(pbi)
            ))
        return FALSE;

    // Walk PEB -> ProcessParameters -> CommandLine inside the target's address space.
    // PEB and RTL_USER_PROCESS_PARAMETERS come from winternl.h; only the members
    // used here are public.
    PEB peb;
    if (!::ReadProcessMemory(
            hProcess,
            pbi.PebBaseAddress,
            &peb,
            sizeof(peb),
            &dwBytesRead
            ))
        return FALSE;

    RTL_USER_PROCESS_PARAMETERS params;
    if (!::ReadProcessMemory(
            hProcess,
            peb.ProcessParameters,
            &params,
            sizeof(params),
            &dwBytesRead))
        return FALSE;

    // CommandLine.Length is a byte count and the target's buffer is not guaranteed
    // to be NUL-terminated, so copy at most MAX_PATH-1 characters and terminate here.
    wchar_t wszCmdLine[MAX_PATH];
    SIZE_T cbCopy = params.CommandLine.Length;
    if (cbCopy > (MAX_PATH - 1) * sizeof(wchar_t))
        cbCopy = (MAX_PATH - 1) * sizeof(wchar_t);
    if (!::ReadProcessMemory(
            hProcess,
            params.CommandLine.Buffer,
            wszCmdLine,
            cbCopy,
            &dwBytesRead
            ))
        return FALSE;
    wszCmdLine[cbCopy / sizeof(wchar_t)] = L'\0';

    // UnicodeToAnsi is the wrapper's own helper (not shown); WideCharToMultiByte does the same job.
    if (!UnicodeToAnsi(
            wszCmdLine,
            szCmdLine,
            dwSize
            ))
        return FALSE;

    return TRUE;
}
Korea BOMB~!!!!!
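
As an added illustration (not the poster's attached code), the PEB walk that GetProcessCmdLine performs, modelled in portable C against a constructed 32-bit address space so the two things the real routine must get right can be checked offline: every ReadProcessMemory-style read is bounds-checked, and the command line is truncated and NUL-terminated instead of trusting the target's buffer. The offsets are the x86 ones; the addresses, page contents and command line are constructed sample data.

```c
#include <stdint.h>
#include <string.h>
/* x86 Windows layout: PEB.ProcessParameters at 0x10; inside RTL_USER_PROCESS_PARAMETERS
 * the CommandLine UNICODE_STRING {USHORT Length; USHORT MaximumLength; PVOID Buffer} at 0x40. */
enum { PEB_PARAMS_OFF = 0x10, PARAMS_CMDLINE_OFF = 0x40 };
typedef struct { uint32_t base; const uint8_t *data; uint32_t size; } region_t;
/* Stand-in for ReadProcessMemory: fails unless [addr, addr+len) is wholly mapped. */
static int read_mem(const region_t *r, size_t n, uint32_t addr, void *out, uint32_t len)
{
    for (size_t i = 0; i < n; i++) {
        uint32_t off = addr - r[i].base;
        if (addr >= r[i].base && off < r[i].size && len <= r[i].size - off) {
            memcpy(out, r[i].data + off, len);
            return 1;
        }
    }
    return 0;
}
/* PEB -> ProcessParameters -> CommandLine. Copies at most cap-1 UTF-16 units and always
 * NUL-terminates (the target's buffer need not be). Returns unit count, -1 on a failed read. */
int read_cmdline(const region_t *r, size_t n, uint32_t peb, uint16_t *out, size_t cap)
{
    uint32_t params, buf; uint16_t len;
    if (cap == 0 || !read_mem(r, n, peb + PEB_PARAMS_OFF, &params, 4)) return -1;
    if (!read_mem(r, n, params + PARAMS_CMDLINE_OFF, &len, 2)) return -1;
    if (!read_mem(r, n, params + PARAMS_CMDLINE_OFF + 4, &buf, 4)) return -1;
    size_t units = len / 2;
    if (units > cap - 1) units = cap - 1;          /* truncate rather than overrun out[] */
    if (!read_mem(r, n, buf, out, (uint32_t)(units * 2))) return -1;
    out[units] = 0;
    return (int)units;
}
/* Constructed little-endian 32-bit target: PEB page at 0x7ffdf000 (the address quoted in
 * the thread), parameter block and command-line buffer in a second page at 0x20000. */
static uint16_t g_out[64];
int demo_read(size_t cap)
{
    static uint8_t peb[0x1000], params[0x1000];          /* static storage: zero-filled */
    const uint32_t peb_base = 0x7ffdf000u, params_base = 0x20000u, buf_addr = params_base + 0x200;
    const char *cmd = "C:\\app.exe /x";                  /* 13 chars, stored as UTF-16LE */
    uint16_t len = (uint16_t)(strlen(cmd) * 2);
    memcpy(peb + PEB_PARAMS_OFF, &params_base, 4);
    memcpy(params + PARAMS_CMDLINE_OFF, &len, 2);
    memcpy(params + PARAMS_CMDLINE_OFF + 4, &buf_addr, 4);
    for (size_t i = 0; cmd[i]; i++) params[0x200 + 2 * i] = (uint8_t)cmd[i];
    region_t regs[2] = { { peb_base, peb, sizeof peb }, { params_base, params, sizeof params } };
    return read_cmdline(regs, 2, peb_base, g_out, cap > 64 ? 64 : cap);
}
int demo_char(size_t i) { return i < 64 ? g_out[i] : -1; }   /* inspect the result */
```

With an unmapped PEB address (no regions), read_cmdline returns -1 rather than reading garbage, which is the same failure a real PROCESS_TERMINATE-only handle produces at the query step.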

arman2
November 2nd, 2004, 02:01 AM
That's right! My process handle doesn't have enough rights!

Thanks minsikzzang!