From: joemango on 31 Jan 2008 17:57 HI all, I am currently writing a kernel level hooking engine for my dissertation. I have been using the source code and book titled Professional.Rootkits by Rick Vieler, (great book) , and hooking source code from rohitab.com so far my engine runs in kernel mode and hooks zwopenfile, zwcreatefile, zwreadfile adn zwwritefile with no issues. I need your help in getting the name of the process that is calling the Zw... function. I need to know for every hooked api that is called the name and full path of the process calling it. I will probably have some other question soon as i progress through completion, but for now I need this urgently to go to the next step. Im not sure if this will help but im pasting below the code for my hooked zwopenfile function in case its needed for my solution. thanks, joemango
///BEGIN ZWOPENFILE - JAM
/*
 * NewZwOpenFile - replacement for ZwOpenFile installed by the hooking engine.
 *
 * Forwards every call to the saved original entry point (OldZwOpenFile) and,
 * only when that call succeeded, writes the object name plus the requested
 * access and share flags to the debugger with DbgPrint. The status returned
 * by the original is handed back unchanged, so the caller sees no difference.
 *
 * Parameters mirror ZwOpenFile and are all passed through untouched;
 * OpenOptions is forwarded but never logged.
 *
 * NOTE(review): if the hook is reached from a user-mode system call,
 * ObjectAttributes and ObjectAttributes->ObjectName are caller-supplied
 * pointers. They are read here after the original routine has already
 * consumed them, with no probing and no exception protection, so an invalid
 * or concurrently modified pointer is not caught (an unhandled fault in
 * kernel mode is a bugcheck) and the logged name can differ from the one
 * the kernel actually opened. Confirm the hook's calling context before
 * trusting this output.
 *
 * NOTE(review): ObjectName may be relative to ObjectAttributes->RootDirectory,
 * in which case the " Filepath:" line below is not a full path. As the
 * replies in this thread say, the same observation can be made without
 * hooking through the supported file-system filter interfaces, which do
 * not carry these hazards.
 */
NTSTATUS NewZwOpenFile(OUT PHANDLE FileHandle, IN ACCESS_MASK DesiredAccess, IN POBJECT_ATTRIBUTES ObjectAttributes, OUT PIO_STATUS_BLOCK IoStatusBlock, IN ULONG ShareAccess, IN ULONG OpenOptions){
    NTSTATUS ntStatus;
    ANSI_STRING ansiFileName;
    /* Points ansiFileName at a static literal. The allocating conversion
     * below overwrites it on success; on the failure path it is neither
     * printed nor freed, so the literal is effectively unused. */
    RtlInitAnsiString(&ansiFileName, "NULL");
    /* Let the real ZwOpenFile run first; everything after this is logging. */
    ntStatus = ((ZWOPENFILE)(OldZwOpenFile)) (FileHandle, DesiredAccess, ObjectAttributes, IoStatusBlock, ShareAccess, OpenOptions);
    if( NT_SUCCESS(ntStatus)) {
        DbgPrint("NewZwOpenFile called!.\n");
        /* TRUE = allocate the ANSI buffer; it is released with
         * RtlFreeAnsiString on the success path below. This conversion is
         * documented as PASSIVE_LEVEL only - TODO confirm the IRQL the hook
         * is entered at. */
        if(NT_SUCCESS(RtlUnicodeStringToAnsiString(&ansiFileName, ObjectAttributes->ObjectName, TRUE))){
            DbgPrint(" Filepath: %s\n", ansiFileName.Buffer);
            /* One debugger line per requested right; only the bits listed
             * here are decoded, any other bits in DesiredAccess are silent. */
            DbgPrint(" Desired Access:\n");
            if(DesiredAccess & GENERIC_WRITE) DbgPrint(" GENERIC_WRITE\n");
            if(DesiredAccess & GENERIC_READ) DbgPrint(" GENERIC_READ\n");
            if(DesiredAccess & GENERIC_EXECUTE) DbgPrint(" GENERIC_EXECUTE\n");
            if(DesiredAccess & GENERIC_ALL) DbgPrint(" GENERIC_ALL\n");
            if(DesiredAccess & FILE_READ_DATA) DbgPrint(" FILE_READ_DATA\n");
            if(DesiredAccess & FILE_READ_ATTRIBUTES) DbgPrint(" FILE_READ_ATTRIBUTES\n");
            if(DesiredAccess & FILE_READ_EA) DbgPrint(" FILE_READ_EA\n");
            if(DesiredAccess & FILE_WRITE_DATA) DbgPrint(" FILE_WRITE_DATA\n");
            if(DesiredAccess & FILE_WRITE_ATTRIBUTES)DbgPrint(" FILE_WRITE_ATTRIBUTES\n");
            if(DesiredAccess & FILE_WRITE_EA) DbgPrint(" FILE_WRITE_EA\n");
            if(DesiredAccess & FILE_APPEND_DATA) DbgPrint(" FILE_APPEND_DATA\n");
            if(DesiredAccess & FILE_EXECUTE) DbgPrint(" FILE_EXECUTE\n");
            /* The share-mode strings have no trailing newline, so they run
             * together on a single debugger line after the header. */
            DbgPrint(" Share Access:\n");
            if(ShareAccess & FILE_SHARE_READ) DbgPrint(" FILE_SHARE_READ");
            if(ShareAccess & FILE_SHARE_WRITE) DbgPrint(" FILE_SHARE_WRITE");
            if(ShareAccess & FILE_SHARE_DELETE) DbgPrint(" FILE_SHARE_DELETE");
            /* Releases the buffer allocated by RtlUnicodeStringToAnsiString. */
            RtlFreeAnsiString(&ansiFileName);
        }else{
            DbgPrint("RtlUnicodeStringToAnsiString failed!\n");
        }
    }
    /* Always the original's status, even when logging failed. */
    return ntStatus;
}
From: Don Burn on 31 Jan 2008 18:17 Since what you are doing can be done without hooking and since most hookers are creating MALWARE why do you expect any help. Get a brain and do this in a standard way. -- Don Burn (MVP, Windows DDK) Windows 2k/XP/2k3 Filesystem and Driver Consulting Website: http://www.windrvr.com Blog: http://msmvps.com/blogs/WinDrvr Remove StopSpam to reply "joemango" <joseandremorales(a)gmail.com> wrote in message news:f998bd4c-4b24-407a-b551-d4bde48f8a9e(a)b2g2000hsg.googlegroups.com... > > HI all, I am currently writing a kernel level hooking engine for my > dissertation. I have been using the source code and book titled > Professional.Rootkits by Rick Vieler, (great book) , and hooking > source code from rohitab.com so far my engine runs in kernel mode and > hooks zwopenfile, zwcreatefile, zwreadfile adn zwwritefile with no > issues. I need your help in getting the name of the process that is > calling the Zw... function. I need to know for every hooked api that > is called the name and full path of the process calling it. I will > probably have some other question soon as i progress through > completion, but for now I need this urgently to go to the next step. > Im not sure if this will help but im pasting below the code for my > hooked zwopenfile function in case its needed for my solution. 
> > thanks, joemango > > ///BEGIN ZWOPENFILE - JAM > NTSTATUS NewZwOpenFile(OUT PHANDLE FileHandle, IN ACCESS_MASK > DesiredAccess, IN POBJECT_ATTRIBUTES ObjectAttributes, OUT > PIO_STATUS_BLOCK IoStatusBlock, IN ULONG ShareAccess, IN ULONG > OpenOptions){ > > NTSTATUS ntStatus; > ANSI_STRING ansiFileName; > > RtlInitAnsiString(&ansiFileName, "NULL"); > ntStatus = ((ZWOPENFILE)(OldZwOpenFile)) (FileHandle, DesiredAccess, > ObjectAttributes, IoStatusBlock, ShareAccess, OpenOptions); > > if( NT_SUCCESS(ntStatus)) { > DbgPrint("NewZwOpenFile called!.\n"); > if(NT_SUCCESS(RtlUnicodeStringToAnsiString(&ansiFileName, > ObjectAttributes->ObjectName, TRUE))){ > DbgPrint(" Filepath: %s\n", ansiFileName.Buffer); > DbgPrint(" Desired Access:\n"); > if(DesiredAccess & GENERIC_WRITE) DbgPrint(" > GENERIC_WRITE\n"); > if(DesiredAccess & GENERIC_READ) DbgPrint(" > GENERIC_READ\n"); > if(DesiredAccess & GENERIC_EXECUTE) DbgPrint(" > GENERIC_EXECUTE\n"); > if(DesiredAccess & GENERIC_ALL) DbgPrint(" > GENERIC_ALL\n"); > if(DesiredAccess & FILE_READ_DATA) DbgPrint(" > FILE_READ_DATA\n"); > if(DesiredAccess & FILE_READ_ATTRIBUTES) DbgPrint(" > FILE_READ_ATTRIBUTES\n"); > if(DesiredAccess & FILE_READ_EA) DbgPrint(" > FILE_READ_EA\n"); > if(DesiredAccess & FILE_WRITE_DATA) DbgPrint(" > FILE_WRITE_DATA\n"); > if(DesiredAccess & FILE_WRITE_ATTRIBUTES)DbgPrint(" > FILE_WRITE_ATTRIBUTES\n"); > if(DesiredAccess & FILE_WRITE_EA) DbgPrint(" > FILE_WRITE_EA\n"); > if(DesiredAccess & FILE_APPEND_DATA) DbgPrint(" > FILE_APPEND_DATA\n"); > if(DesiredAccess & FILE_EXECUTE) DbgPrint(" > FILE_EXECUTE\n"); > DbgPrint(" Share Access:\n"); > if(ShareAccess & FILE_SHARE_READ) DbgPrint(" > FILE_SHARE_READ"); > if(ShareAccess & FILE_SHARE_WRITE) DbgPrint(" > FILE_SHARE_WRITE"); > if(ShareAccess & FILE_SHARE_DELETE) DbgPrint(" > FILE_SHARE_DELETE"); > RtlFreeAnsiString(&ansiFileName); > }else{ > DbgPrint("RtlUnicodeStringToAnsiString failed!\n"); > } > > } > return ntStatus; > }
From: joemango on 31 Jan 2008 18:34 On Jan 30, 6:17 pm, "Don Burn" <b...(a)stopspam.windrvr.com> wrote: > Since what you are doing can be done without hooking and since most hookers > are creating MALWARE why do you expect any help. Get a brain and do this > in a standard way. > > -- > Don Burn (MVP, Windows DDK) > Windows 2k/XP/2k3 Filesystem and Driver Consulting > Website:http://www.windrvr.com > Blog:http://msmvps.com/blogs/WinDrvr > Remove StopSpam to reply > > "joemango" <joseandremora...(a)gmail.com> wrote in message > > news:f998bd4c-4b24-407a-b551-d4bde48f8a9e(a)b2g2000hsg.googlegroups.com... > > > > > > > HI all, I am currently writing a kernel level hooking engine for my > > dissertation. I have been using the source code and book titled > > Professional.Rootkits by Rick Vieler, (great book) , and hooking > > source code from rohitab.com so far my engine runs in kernel mode and > > hooks zwopenfile, zwcreatefile, zwreadfile adn zwwritefile with no > > issues. I need your help in getting the name of the process that is > > calling the Zw... function. I need to know for every hooked api that > > is called the name and full path of the process calling it. I will > > probably have some other question soon as i progress through > > completion, but for now I need this urgently to go to the next step. > > Im not sure if this will help but im pasting below the code for my > > hooked zwopenfile function in case its needed for my solution. 
> > > thanks, joemango > > > ///BEGIN ZWOPENFILE - JAM > > NTSTATUS NewZwOpenFile(OUT PHANDLE FileHandle, IN ACCESS_MASK > > DesiredAccess, IN POBJECT_ATTRIBUTES ObjectAttributes, OUT > > PIO_STATUS_BLOCK IoStatusBlock, IN ULONG ShareAccess, IN ULONG > > OpenOptions){ > > > NTSTATUS ntStatus; > > ANSI_STRING ansiFileName; > > > RtlInitAnsiString(&ansiFileName, "NULL"); > > ntStatus = ((ZWOPENFILE)(OldZwOpenFile)) (FileHandle, DesiredAccess, > > ObjectAttributes, IoStatusBlock, ShareAccess, OpenOptions); > > > if( NT_SUCCESS(ntStatus)) { > > DbgPrint("NewZwOpenFile called!.\n"); > > if(NT_SUCCESS(RtlUnicodeStringToAnsiString(&ansiFileName, > > ObjectAttributes->ObjectName, TRUE))){ > > DbgPrint(" Filepath: %s\n", ansiFileName.Buffer); > > DbgPrint(" Desired Access:\n"); > > if(DesiredAccess & GENERIC_WRITE) DbgPrint(" > > GENERIC_WRITE\n"); > > if(DesiredAccess & GENERIC_READ) DbgPrint(" > > GENERIC_READ\n"); > > if(DesiredAccess & GENERIC_EXECUTE) DbgPrint(" > > GENERIC_EXECUTE\n"); > > if(DesiredAccess & GENERIC_ALL) DbgPrint(" > > GENERIC_ALL\n"); > > if(DesiredAccess & FILE_READ_DATA) DbgPrint(" > > FILE_READ_DATA\n"); > > if(DesiredAccess & FILE_READ_ATTRIBUTES) DbgPrint(" > > FILE_READ_ATTRIBUTES\n"); > > if(DesiredAccess & FILE_READ_EA) DbgPrint(" > > FILE_READ_EA\n"); > > if(DesiredAccess & FILE_WRITE_DATA) DbgPrint(" > > FILE_WRITE_DATA\n"); > > if(DesiredAccess & FILE_WRITE_ATTRIBUTES)DbgPrint(" > > FILE_WRITE_ATTRIBUTES\n"); > > if(DesiredAccess & FILE_WRITE_EA) DbgPrint(" > > FILE_WRITE_EA\n"); > > if(DesiredAccess & FILE_APPEND_DATA) DbgPrint(" > > FILE_APPEND_DATA\n"); > > if(DesiredAccess & FILE_EXECUTE) DbgPrint(" > > FILE_EXECUTE\n"); > > DbgPrint(" Share Access:\n"); > > if(ShareAccess & FILE_SHARE_READ) DbgPrint(" > > FILE_SHARE_READ"); > > if(ShareAccess & FILE_SHARE_WRITE) DbgPrint(" > > FILE_SHARE_WRITE"); > > if(ShareAccess & FILE_SHARE_DELETE) DbgPrint(" > > FILE_SHARE_DELETE"); > > RtlFreeAnsiString(&ansiFileName); > > }else{ > > 
DbgPrint("RtlUnicodeStringToAnsiString failed!\n"); > > } > > > } > > return ntStatus; > > } I'm actually not doing MALWARE; I am a virus researcher and this is to detect viruses, DONT JUMP TO CONCLUSIONS. I do need help on this though, so your input would be good. As further proof I invite you to visit my research website http://www.cis.fiu.edu/~jmora009 . Now maybe I'll get some help; thanks in advance.
From: Volodymyr Shcherbyna on 1 Feb 2008 10:48 You can get the id of the process that called the hooked function using PsGetCurrentProcessId(...). If you need more information, then look into registering a "process creation" callback with PsSetLoadImageNotifyRoutine and building a table <process id> :: <process name>. Once the hooked function is called, you will be able to map the process id to the process name. -- V This posting is provided "AS IS" with no warranties, and confers no rights. "joemango" <joseandremorales(a)gmail.com> wrote in message news:f998bd4c-4b24-407a-b551-d4bde48f8a9e(a)b2g2000hsg.googlegroups.com... > > HI all, I am currently writing a kernel level hooking engine for my > dissertation. I have been using the source code and book titled > Professional.Rootkits by Rick Vieler, (great book) , and hooking > source code from rohitab.com so far my engine runs in kernel mode and > hooks zwopenfile, zwcreatefile, zwreadfile adn zwwritefile with no > issues. I need your help in getting the name of the process that is > calling the Zw... function. I need to know for every hooked api that > is called the name and full path of the process calling it. I will > probably have some other question soon as i progress through > completion, but for now I need this urgently to go to the next step. > Im not sure if this will help but im pasting below the code for my > hooked zwopenfile function in case its needed for my solution. 
> > thanks, joemango > > ///BEGIN ZWOPENFILE - JAM > NTSTATUS NewZwOpenFile(OUT PHANDLE FileHandle, IN ACCESS_MASK > DesiredAccess, IN POBJECT_ATTRIBUTES ObjectAttributes, OUT > PIO_STATUS_BLOCK IoStatusBlock, IN ULONG ShareAccess, IN ULONG > OpenOptions){ > > NTSTATUS ntStatus; > ANSI_STRING ansiFileName; > > RtlInitAnsiString(&ansiFileName, "NULL"); > ntStatus = ((ZWOPENFILE)(OldZwOpenFile)) (FileHandle, DesiredAccess, > ObjectAttributes, IoStatusBlock, ShareAccess, OpenOptions); > > if( NT_SUCCESS(ntStatus)) { > DbgPrint("NewZwOpenFile called!.\n"); > if(NT_SUCCESS(RtlUnicodeStringToAnsiString(&ansiFileName, > ObjectAttributes->ObjectName, TRUE))){ > DbgPrint(" Filepath: %s\n", ansiFileName.Buffer); > DbgPrint(" Desired Access:\n"); > if(DesiredAccess & GENERIC_WRITE) DbgPrint(" > GENERIC_WRITE\n"); > if(DesiredAccess & GENERIC_READ) DbgPrint(" > GENERIC_READ\n"); > if(DesiredAccess & GENERIC_EXECUTE) DbgPrint(" > GENERIC_EXECUTE\n"); > if(DesiredAccess & GENERIC_ALL) DbgPrint(" > GENERIC_ALL\n"); > if(DesiredAccess & FILE_READ_DATA) DbgPrint(" > FILE_READ_DATA\n"); > if(DesiredAccess & FILE_READ_ATTRIBUTES) DbgPrint(" > FILE_READ_ATTRIBUTES\n"); > if(DesiredAccess & FILE_READ_EA) DbgPrint(" > FILE_READ_EA\n"); > if(DesiredAccess & FILE_WRITE_DATA) DbgPrint(" > FILE_WRITE_DATA\n"); > if(DesiredAccess & FILE_WRITE_ATTRIBUTES)DbgPrint(" > FILE_WRITE_ATTRIBUTES\n"); > if(DesiredAccess & FILE_WRITE_EA) DbgPrint(" > FILE_WRITE_EA\n"); > if(DesiredAccess & FILE_APPEND_DATA) DbgPrint(" > FILE_APPEND_DATA\n"); > if(DesiredAccess & FILE_EXECUTE) DbgPrint(" > FILE_EXECUTE\n"); > DbgPrint(" Share Access:\n"); > if(ShareAccess & FILE_SHARE_READ) DbgPrint(" > FILE_SHARE_READ"); > if(ShareAccess & FILE_SHARE_WRITE) DbgPrint(" > FILE_SHARE_WRITE"); > if(ShareAccess & FILE_SHARE_DELETE) DbgPrint(" > FILE_SHARE_DELETE"); > RtlFreeAnsiString(&ansiFileName); > }else{ > DbgPrint("RtlUnicodeStringToAnsiString failed!\n"); > } > > } > return ntStatus; > }
From: Uv on 1 Feb 2008 10:59
On Jan 30, 2:57 pm, joemango <joseandremora...(a)gmail.com> wrote: <a lot> Investigate NtQueryInformationProcess(..., ProcessImageFileName, ...)