From: joemango on

HI all, I am currently writing a kernel level hooking engine for my
dissertation. I have been using the source code and book titled
Professional.Rootkits by Rick Vieler, (great book) , and hooking
source code from rohitab.com so far my engine runs in kernel mode and
hooks zwopenfile, zwcreatefile, zwreadfile adn zwwritefile with no
issues. I need your help in getting the name of the process that is
calling the Zw... function. I need to know for every hooked api that
is called the name and full path of the process calling it. I will
probably have some other question soon as i progress through
completion, but for now I need this urgently to go to the next step.
Im not sure if this will help but im pasting below the code for my
hooked zwopenfile function in case its needed for my solution.

thanks, joemango

///BEGIN ZWOPENFILE - JAM
NTSTATUS NewZwOpenFile(OUT PHANDLE FileHandle, IN ACCESS_MASK
DesiredAccess, IN POBJECT_ATTRIBUTES ObjectAttributes, OUT
PIO_STATUS_BLOCK IoStatusBlock, IN ULONG ShareAccess, IN ULONG
OpenOptions){

NTSTATUS ntStatus;
ANSI_STRING ansiFileName;

RtlInitAnsiString(&ansiFileName, "NULL");
ntStatus = ((ZWOPENFILE)(OldZwOpenFile)) (FileHandle, DesiredAccess,
ObjectAttributes, IoStatusBlock, ShareAccess, OpenOptions);

if( NT_SUCCESS(ntStatus)) {
DbgPrint("NewZwOpenFile called!.\n");
if(NT_SUCCESS(RtlUnicodeStringToAnsiString(&ansiFileName,
ObjectAttributes->ObjectName, TRUE))){
DbgPrint(" Filepath: %s\n", ansiFileName.Buffer);
DbgPrint(" Desired Access:\n");
if(DesiredAccess & GENERIC_WRITE) DbgPrint("
GENERIC_WRITE\n");
if(DesiredAccess & GENERIC_READ) DbgPrint("
GENERIC_READ\n");
if(DesiredAccess & GENERIC_EXECUTE) DbgPrint("
GENERIC_EXECUTE\n");
if(DesiredAccess & GENERIC_ALL) DbgPrint("
GENERIC_ALL\n");
if(DesiredAccess & FILE_READ_DATA) DbgPrint("
FILE_READ_DATA\n");
if(DesiredAccess & FILE_READ_ATTRIBUTES) DbgPrint("
FILE_READ_ATTRIBUTES\n");
if(DesiredAccess & FILE_READ_EA) DbgPrint("
FILE_READ_EA\n");
if(DesiredAccess & FILE_WRITE_DATA) DbgPrint("
FILE_WRITE_DATA\n");
if(DesiredAccess & FILE_WRITE_ATTRIBUTES)DbgPrint("
FILE_WRITE_ATTRIBUTES\n");
if(DesiredAccess & FILE_WRITE_EA) DbgPrint("
FILE_WRITE_EA\n");
if(DesiredAccess & FILE_APPEND_DATA) DbgPrint("
FILE_APPEND_DATA\n");
if(DesiredAccess & FILE_EXECUTE) DbgPrint("
FILE_EXECUTE\n");
DbgPrint(" Share Access:\n");
if(ShareAccess & FILE_SHARE_READ) DbgPrint("
FILE_SHARE_READ");
if(ShareAccess & FILE_SHARE_WRITE) DbgPrint("
FILE_SHARE_WRITE");
if(ShareAccess & FILE_SHARE_DELETE) DbgPrint("
FILE_SHARE_DELETE");
RtlFreeAnsiString(&ansiFileName);
}else{
DbgPrint("RtlUnicodeStringToAnsiString failed!\n");
}

}
return ntStatus;
}
From: Don Burn on
Since what you are doing can be done without hooking and since most hookers
are creating MALWARE why do you expect any help. Get a brain and do this
in a standard way.


--
Don Burn (MVP, Windows DDK)
Windows 2k/XP/2k3 Filesystem and Driver Consulting
Website: http://www.windrvr.com
Blog: http://msmvps.com/blogs/WinDrvr
Remove StopSpam to reply


"joemango" <joseandremorales(a)gmail.com> wrote in message
news:f998bd4c-4b24-407a-b551-d4bde48f8a9e(a)b2g2000hsg.googlegroups.com...
>
> HI all, I am currently writing a kernel level hooking engine for my
> dissertation. I have been using the source code and book titled
> Professional.Rootkits by Rick Vieler, (great book) , and hooking
> source code from rohitab.com so far my engine runs in kernel mode and
> hooks zwopenfile, zwcreatefile, zwreadfile adn zwwritefile with no
> issues. I need your help in getting the name of the process that is
> calling the Zw... function. I need to know for every hooked api that
> is called the name and full path of the process calling it. I will
> probably have some other question soon as i progress through
> completion, but for now I need this urgently to go to the next step.
> Im not sure if this will help but im pasting below the code for my
> hooked zwopenfile function in case its needed for my solution.
>
> thanks, joemango
>
> ///BEGIN ZWOPENFILE - JAM
> NTSTATUS NewZwOpenFile(OUT PHANDLE FileHandle, IN ACCESS_MASK
> DesiredAccess, IN POBJECT_ATTRIBUTES ObjectAttributes, OUT
> PIO_STATUS_BLOCK IoStatusBlock, IN ULONG ShareAccess, IN ULONG
> OpenOptions){
>
> NTSTATUS ntStatus;
> ANSI_STRING ansiFileName;
>
> RtlInitAnsiString(&ansiFileName, "NULL");
> ntStatus = ((ZWOPENFILE)(OldZwOpenFile)) (FileHandle, DesiredAccess,
> ObjectAttributes, IoStatusBlock, ShareAccess, OpenOptions);
>
> if( NT_SUCCESS(ntStatus)) {
> DbgPrint("NewZwOpenFile called!.\n");
> if(NT_SUCCESS(RtlUnicodeStringToAnsiString(&ansiFileName,
> ObjectAttributes->ObjectName, TRUE))){
> DbgPrint(" Filepath: %s\n", ansiFileName.Buffer);
> DbgPrint(" Desired Access:\n");
> if(DesiredAccess & GENERIC_WRITE) DbgPrint("
> GENERIC_WRITE\n");
> if(DesiredAccess & GENERIC_READ) DbgPrint("
> GENERIC_READ\n");
> if(DesiredAccess & GENERIC_EXECUTE) DbgPrint("
> GENERIC_EXECUTE\n");
> if(DesiredAccess & GENERIC_ALL) DbgPrint("
> GENERIC_ALL\n");
> if(DesiredAccess & FILE_READ_DATA) DbgPrint("
> FILE_READ_DATA\n");
> if(DesiredAccess & FILE_READ_ATTRIBUTES) DbgPrint("
> FILE_READ_ATTRIBUTES\n");
> if(DesiredAccess & FILE_READ_EA) DbgPrint("
> FILE_READ_EA\n");
> if(DesiredAccess & FILE_WRITE_DATA) DbgPrint("
> FILE_WRITE_DATA\n");
> if(DesiredAccess & FILE_WRITE_ATTRIBUTES)DbgPrint("
> FILE_WRITE_ATTRIBUTES\n");
> if(DesiredAccess & FILE_WRITE_EA) DbgPrint("
> FILE_WRITE_EA\n");
> if(DesiredAccess & FILE_APPEND_DATA) DbgPrint("
> FILE_APPEND_DATA\n");
> if(DesiredAccess & FILE_EXECUTE) DbgPrint("
> FILE_EXECUTE\n");
> DbgPrint(" Share Access:\n");
> if(ShareAccess & FILE_SHARE_READ) DbgPrint("
> FILE_SHARE_READ");
> if(ShareAccess & FILE_SHARE_WRITE) DbgPrint("
> FILE_SHARE_WRITE");
> if(ShareAccess & FILE_SHARE_DELETE) DbgPrint("
> FILE_SHARE_DELETE");
> RtlFreeAnsiString(&ansiFileName);
> }else{
> DbgPrint("RtlUnicodeStringToAnsiString failed!\n");
> }
>
> }
> return ntStatus;
> }


From: joemango on
On Jan 30, 6:17 pm, "Don Burn" <b...(a)stopspam.windrvr.com> wrote:
> Since what you are doing can be done without hooking and since most hookers
> are creating MALWARE why do you expect any help.   Get a brain and do this
> in a standard way.
>
> --
> Don Burn (MVP, Windows DDK)
> Windows 2k/XP/2k3 Filesystem and Driver Consulting
> Website:http://www.windrvr.com
> Blog:http://msmvps.com/blogs/WinDrvr
> Remove StopSpam to reply
>
> "joemango" <joseandremora...(a)gmail.com> wrote in message
>
> news:f998bd4c-4b24-407a-b551-d4bde48f8a9e(a)b2g2000hsg.googlegroups.com...
>
>
>
>
>
> > HI all, I am currently writing a kernel level hooking engine for my
> > dissertation.  I have been using the source code and book titled
> > Professional.Rootkits by Rick Vieler, (great book) , and hooking
> > source code from rohitab.com  so far my engine runs in kernel mode and
> > hooks zwopenfile, zwcreatefile, zwreadfile adn zwwritefile with no
> > issues.  I need your help in getting the name of the process that is
> > calling the Zw... function.  I need to know for every hooked api that
> > is called the name and full path of the process calling it.  I will
> > probably have some other question soon as i progress through
> > completion, but for now I need this urgently to go to the next step.
> > Im not sure if this will help but im pasting below the code for my
> > hooked zwopenfile function in case its needed for my solution.
>
> > thanks, joemango
>
> > ///BEGIN ZWOPENFILE - JAM
> > NTSTATUS NewZwOpenFile(OUT PHANDLE  FileHandle, IN ACCESS_MASK
> > DesiredAccess, IN POBJECT_ATTRIBUTES  ObjectAttributes, OUT
> > PIO_STATUS_BLOCK  IoStatusBlock, IN ULONG  ShareAccess, IN ULONG
> > OpenOptions){
>
> > NTSTATUS ntStatus;
> > ANSI_STRING ansiFileName;
>
> > RtlInitAnsiString(&ansiFileName, "NULL");
> > ntStatus = ((ZWOPENFILE)(OldZwOpenFile)) (FileHandle, DesiredAccess,
> > ObjectAttributes, IoStatusBlock, ShareAccess, OpenOptions);
>
> > if( NT_SUCCESS(ntStatus)) {
> > DbgPrint("NewZwOpenFile called!.\n");
> > if(NT_SUCCESS(RtlUnicodeStringToAnsiString(&ansiFileName,
> > ObjectAttributes->ObjectName, TRUE))){
> > DbgPrint("    Filepath: %s\n", ansiFileName.Buffer);
> > DbgPrint("    Desired Access:\n");
> > if(DesiredAccess & GENERIC_WRITE)        DbgPrint("
> > GENERIC_WRITE\n");
> > if(DesiredAccess & GENERIC_READ)         DbgPrint("
> > GENERIC_READ\n");
> > if(DesiredAccess & GENERIC_EXECUTE)      DbgPrint("
> > GENERIC_EXECUTE\n");
> > if(DesiredAccess & GENERIC_ALL)          DbgPrint("
> > GENERIC_ALL\n");
> > if(DesiredAccess & FILE_READ_DATA)       DbgPrint("
> > FILE_READ_DATA\n");
> > if(DesiredAccess & FILE_READ_ATTRIBUTES) DbgPrint("
> > FILE_READ_ATTRIBUTES\n");
> > if(DesiredAccess & FILE_READ_EA)         DbgPrint("
> > FILE_READ_EA\n");
> > if(DesiredAccess & FILE_WRITE_DATA)      DbgPrint("
> > FILE_WRITE_DATA\n");
> > if(DesiredAccess & FILE_WRITE_ATTRIBUTES)DbgPrint("
> > FILE_WRITE_ATTRIBUTES\n");
> > if(DesiredAccess & FILE_WRITE_EA)        DbgPrint("
> > FILE_WRITE_EA\n");
> > if(DesiredAccess & FILE_APPEND_DATA)     DbgPrint("
> > FILE_APPEND_DATA\n");
> > if(DesiredAccess & FILE_EXECUTE)         DbgPrint("
> > FILE_EXECUTE\n");
> > DbgPrint("    Share Access:\n");
> > if(ShareAccess & FILE_SHARE_READ) DbgPrint("
> > FILE_SHARE_READ");
> > if(ShareAccess & FILE_SHARE_WRITE) DbgPrint("
> > FILE_SHARE_WRITE");
> > if(ShareAccess & FILE_SHARE_DELETE) DbgPrint("
> > FILE_SHARE_DELETE");
> > RtlFreeAnsiString(&ansiFileName);
> > }else{
> > DbgPrint("RtlUnicodeStringToAnsiString failed!\n");
> > }
>
> > }
> > return ntStatus;
> > }- Hide quoted text -
>
> - Show quoted text -

Im actually not doing MALWARE i am a virus researcher and this is to
detect viruses, DONT JUMP TO CONCLUSIONS. I do need help on this
though so your input would be good. as further proof I invite you to
visit my research website http://www.cis.fiu.edu/~jmora009 now maybe
ill get some help, thanks in advance.
From: Volodymyr Shcherbyna on
You can get the id of process which called hooked function using
PsGetCurrentProcessId(...).

If you need more information, then take a look into direction of setting
"process creation" callback by PsSetLoadImageNotifyRoutine, and building a
table <process id> :: <process name>. Once hooked function is called, you
will be able to map process id into process name.

--
V
This posting is provided "AS IS" with no warranties, and confers no
rights.
"joemango" <joseandremorales(a)gmail.com> wrote in message
news:f998bd4c-4b24-407a-b551-d4bde48f8a9e(a)b2g2000hsg.googlegroups.com...
>
> HI all, I am currently writing a kernel level hooking engine for my
> dissertation. I have been using the source code and book titled
> Professional.Rootkits by Rick Vieler, (great book) , and hooking
> source code from rohitab.com so far my engine runs in kernel mode and
> hooks zwopenfile, zwcreatefile, zwreadfile adn zwwritefile with no
> issues. I need your help in getting the name of the process that is
> calling the Zw... function. I need to know for every hooked api that
> is called the name and full path of the process calling it. I will
> probably have some other question soon as i progress through
> completion, but for now I need this urgently to go to the next step.
> Im not sure if this will help but im pasting below the code for my
> hooked zwopenfile function in case its needed for my solution.
>
> thanks, joemango
>
> ///BEGIN ZWOPENFILE - JAM
> NTSTATUS NewZwOpenFile(OUT PHANDLE FileHandle, IN ACCESS_MASK
> DesiredAccess, IN POBJECT_ATTRIBUTES ObjectAttributes, OUT
> PIO_STATUS_BLOCK IoStatusBlock, IN ULONG ShareAccess, IN ULONG
> OpenOptions){
>
> NTSTATUS ntStatus;
> ANSI_STRING ansiFileName;
>
> RtlInitAnsiString(&ansiFileName, "NULL");
> ntStatus = ((ZWOPENFILE)(OldZwOpenFile)) (FileHandle, DesiredAccess,
> ObjectAttributes, IoStatusBlock, ShareAccess, OpenOptions);
>
> if( NT_SUCCESS(ntStatus)) {
> DbgPrint("NewZwOpenFile called!.\n");
> if(NT_SUCCESS(RtlUnicodeStringToAnsiString(&ansiFileName,
> ObjectAttributes->ObjectName, TRUE))){
> DbgPrint(" Filepath: %s\n", ansiFileName.Buffer);
> DbgPrint(" Desired Access:\n");
> if(DesiredAccess & GENERIC_WRITE) DbgPrint("
> GENERIC_WRITE\n");
> if(DesiredAccess & GENERIC_READ) DbgPrint("
> GENERIC_READ\n");
> if(DesiredAccess & GENERIC_EXECUTE) DbgPrint("
> GENERIC_EXECUTE\n");
> if(DesiredAccess & GENERIC_ALL) DbgPrint("
> GENERIC_ALL\n");
> if(DesiredAccess & FILE_READ_DATA) DbgPrint("
> FILE_READ_DATA\n");
> if(DesiredAccess & FILE_READ_ATTRIBUTES) DbgPrint("
> FILE_READ_ATTRIBUTES\n");
> if(DesiredAccess & FILE_READ_EA) DbgPrint("
> FILE_READ_EA\n");
> if(DesiredAccess & FILE_WRITE_DATA) DbgPrint("
> FILE_WRITE_DATA\n");
> if(DesiredAccess & FILE_WRITE_ATTRIBUTES)DbgPrint("
> FILE_WRITE_ATTRIBUTES\n");
> if(DesiredAccess & FILE_WRITE_EA) DbgPrint("
> FILE_WRITE_EA\n");
> if(DesiredAccess & FILE_APPEND_DATA) DbgPrint("
> FILE_APPEND_DATA\n");
> if(DesiredAccess & FILE_EXECUTE) DbgPrint("
> FILE_EXECUTE\n");
> DbgPrint(" Share Access:\n");
> if(ShareAccess & FILE_SHARE_READ) DbgPrint("
> FILE_SHARE_READ");
> if(ShareAccess & FILE_SHARE_WRITE) DbgPrint("
> FILE_SHARE_WRITE");
> if(ShareAccess & FILE_SHARE_DELETE) DbgPrint("
> FILE_SHARE_DELETE");
> RtlFreeAnsiString(&ansiFileName);
> }else{
> DbgPrint("RtlUnicodeStringToAnsiString failed!\n");
> }
>
> }
> return ntStatus;
> }


From: Uv on
On Jan 30, 2:57 pm, joemango <joseandremora...(a)gmail.com> wrote:
<a lot>

Investigate NtQueryInformationProcess (..., ProcessImageFileName, ... )