ZwReadVirtualMemory

I'm trying to hook this one but couldn't. When I use Zw- or NtReadVirtualMemory it gives a "driver couldn't load" error, but I can hook ZwCreateFile and some other APIs, just not this one. I need help. Here is my code:

#include <ntddk.h>

/*
 * SYSTEMSERVICE(_name): the SSDT slot whose index is read from the four bytes
 * at _name+1.  That only yields an index when the routine behind _name begins
 * with a 5-byte "mov eax, <index>" stub; for any other routine the bytes read
 * are not an index.  The value is never compared with ServiceLimit, so a wrong
 * argument addresses memory outside the table.  The macro expands to an
 * lvalue, which is what lets HookAPI/UnHookAPI assign to it.
 */
#define SYSTEMSERVICE(_name) KeServiceDescriptorTable.ServiceTable[*(DWORD *) ((unsigned char *)_name + 1)]

/* 32-bit Windows types: DWORD is 32 bits wide.  The SDT layout below depends
 * on this and on 32-bit pointers, i.e. on x86. */
typedef unsigned long DWORD, *PDWORD;
typedef unsigned char BYTE, *PBYTE;

/* Layout of KeServiceDescriptorTable as this driver reads it: ServiceTable is
 * the array of service routine addresses, ServiceLimit its entry count.
 * CounterTableBase and ArgumentTable are never used here. */
typedef struct ServiceDescriptorEntry {
PDWORD ServiceTable;
PDWORD CounterTableBase;
DWORD ServiceLimit;
PBYTE ArgumentTable;
} SDT;

/* Signature used to call the saved original service routine.
 * NOTE(review): neither this type nor NtReadVirtualMemoryOwned carries an
 * NTAPI (__stdcall) qualifier; the system-service dispatcher and the routine
 * being replaced use NTAPI on x86, and a calling-convention mismatch corrupts
 * the stack -- confirm against the DDK declaration of ZwReadVirtualMemory. */
typedef NTSTATUS (*ZWREADVIRTUALMEMORY)(
IN HANDLE ProcessHandle,
IN PVOID BaseAddress,
OUT PVOID Buffer,
IN ULONG NumberOfBytesToRead,
OUT PULONG NumberOfBytesReaded OPTIONAL
);

/* Resolved by the loader against the kernel export of the same name. */
__declspec(dllimport) SDT KeServiceDescriptorTable;

/* Forward declarations; the definitions follow below. */
VOID HookAPI(PDWORD API, PDWORD NewAPI);
VOID UnHookAPI(PDWORD OriginalAPI, PDWORD API);
VOID OnUnload(PDRIVER_OBJECT pDriverObj);

/* Declared as a kernel import (NTSYSAPI) so its address can be taken in
 * DriverEntry.  NOTE(review): a "driver couldn't load" failure, as described
 * in the thread, is what an unresolved import looks like; this name is not a
 * documented ntoskrnl export for the x86 versions this code targets.  Check
 * the loader's status in the debugger to confirm. */
NTSYSAPI NTSTATUS NtReadVirtualMemory(
IN HANDLE ProcessHandle,
IN PVOID BaseAddress,
OUT PVOID Buffer,
IN ULONG NumberOfBytesToRead,
OUT PULONG NumberOfBytesReaded OPTIONAL
);

/* The replacement routine written into the SSDT slot (defined below). */
NTSTATUS NtReadVirtualMemoryOwned(
IN HANDLE ProcessHandle,
IN PVOID BaseAddress,
OUT PVOID Buffer,
IN ULONG NumberOfBytesToRead,
OUT PULONG NumberOfBytesReaded OPTIONAL
);

/* Dispatch address HookAPI found in the slot before overwriting it; read by
 * NtReadVirtualMemoryOwned and handed back by OnUnload.  Stored as PDWORD and
 * cast to a function pointer at the call site.  UnHookAPI's first parameter
 * has the same name and shadows this global inside that function. */
PDWORD OriginalAPI;

/*
 * Replacement service routine installed by HookAPI.  Logs the raw arguments
 * and forwards the call unchanged to the dispatch address saved in the global
 * OriginalAPI; the original's status is returned as-is.  The parameters are
 * those of the service being replaced; NumberOfBytesReaded may be NULL.
 *
 * The trace prints NumberOfBytesReaded as a pointer value, not as a byte
 * count (the count is only filled in after the original returns).
 * NOTE(review): declared without NTAPI/__stdcall, unlike the routine it
 * replaces; on x86 the dispatcher's calling convention has to match --
 * confirm against the DDK declaration.
 */
NTSTATUS NtReadVirtualMemoryOwned(
IN HANDLE ProcessHandle,
IN PVOID BaseAddress,
OUT PVOID Buffer,
IN ULONG NumberOfBytesToRead,
OUT PULONG NumberOfBytesReaded OPTIONAL
)
{
ZWREADVIRTUALMEMORY forward = (ZWREADVIRTUALMEMORY)OriginalAPI;

DbgPrint("\nProcessHandle:0x%X\nBaseAddress:0x%X\nBufferAddress:0x%X\nNumberOfBytesToRead:%d\nNumberOfBytesReaded:%d\n",
(ULONG)ProcessHandle,
(ULONG)BaseAddress,
(ULONG)Buffer,
(ULONG)NumberOfBytesToRead,
(ULONG)NumberOfBytesReaded);

/* Pass the call straight through; nothing is filtered or altered. */
return forward(ProcessHandle, BaseAddress, Buffer, NumberOfBytesToRead, NumberOfBytesReaded);
}

/*
 * Overwrite the SSDT slot selected by API with NewAPI, remembering the
 * previous contents in the global OriginalAPI.
 *
 * API    - routine whose leading bytes SYSTEMSERVICE() decodes into the slot index
 * NewAPI - address written into that slot
 *
 * The store is done with CR0.WP cleared so the read-only table page accepts
 * the write.  cli/sti and the CR0 change affect only the processor this runs
 * on: every other processor keeps WP set and keeps dispatching system calls
 * through the table while it is being patched, and nothing orders the store
 * against them.  The index is not checked against
 * KeServiceDescriptorTable.ServiceLimit, so a wrong API argument writes
 * outside the table.  The assignment through a cast is an MSVC extension.
 */
VOID HookAPI(PDWORD API, PDWORD NewAPI)
{
DWORD nOldProtect;   /* CR0 as found, restored below */
OriginalAPI = (PDWORD) (SYSTEMSERVICE(API));
DbgPrint(“\nAPI Address : 0x%x”, SYSTEMSERVICE(API));
DbgPrint(“\nHooking API…”);
/* Mask interrupts on this CPU and clear CR0.WP (bit 16). */
__asm
{
cli
push eax
mov eax, cr0
mov nOldProtect, eax
and eax, 0xFFFEFFFF
mov cr0, eax
pop eax
}
/* The patch itself: one 32-bit store into the table. */
(PDWORD) (SYSTEMSERVICE(API)) = NewAPI;
/* Put CR0 back (write protection on again) and re-enable interrupts. */
__asm
{
push eax
mov eax, nOldProtect
mov cr0, eax
pop eax
sti
}

}
/*
 * Write OriginalAPI back into the SSDT slot selected by API.
 *
 * OriginalAPI - address to store; this parameter shadows the global of the
 *               same name, so the caller must pass the saved value explicitly
 * API         - routine whose leading bytes SYSTEMSERVICE() decodes into the
 *               slot index; it must be the same symbol that was given to
 *               HookAPI, otherwise a different slot is overwritten
 *
 * Same mechanism and same limits as HookAPI: cli/sti and clearing CR0.WP act
 * on the current processor only, and the index is not range-checked.
 */
VOID UnHookAPI(PDWORD OriginalAPI, PDWORD API)
{
DWORD nOldProtect;   /* CR0 as found, restored below */

DbgPrint(“\nUnhooking API…\n”);
/* Mask interrupts on this CPU and clear CR0.WP (bit 16). */
__asm
{
cli
push eax
mov eax, cr0
mov nOldProtect, eax
and eax, 0xFFFEFFFF
mov cr0, eax
pop eax
}
/* Restore the slot with a single 32-bit store. */
(PDWORD)(SYSTEMSERVICE(API)) = OriginalAPI;
/* Put CR0 back and re-enable interrupts. */
__asm
{
push eax
mov eax, nOldProtect
mov cr0, eax
pop eax
sti
}

}
/*
 * Driver entry point: reports the table address and the address whose bytes
 * select the slot, installs NtReadVirtualMemoryOwned over that slot and
 * registers OnUnload.  Always returns STATUS_SUCCESS -- HookAPI reports no
 * failure, so the driver stays loaded whether or not the patch took.
 *
 * pDriverObj     - driver object; only DriverUnload is set
 * pRegisteryPath - unused
 *
 * OnUnload has to pass the same symbol (NtReadVirtualMemory) to UnHookAPI so
 * that the same slot is restored.
 */
NTSTATUS DriverEntry(PDRIVER_OBJECT pDriverObj, PUNICODE_STRING pRegisteryPath)
{
(void)pRegisteryPath;

/* Register the unload routine before touching the table so it is in place
 * as soon as the slot has been patched. */
pDriverObj->DriverUnload = OnUnload;

DbgPrint("SSDT Address: 0x%x\nNtReadVirtualMemory Address: 0x%x\n",
KeServiceDescriptorTable.ServiceTable,
(ULONG)NtReadVirtualMemory);

HookAPI((PDWORD)NtReadVirtualMemory, (PDWORD)NtReadVirtualMemoryOwned);

return STATUS_SUCCESS;
}
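/*
 * Driver unload routine: puts the saved original dispatch address back into
 * the slot DriverEntry patched.
 *
 * pDriverObj - unused
 *
 * Fix: the slot UnHookAPI writes is selected by the symbol passed to it, so
 * it must be the symbol DriverEntry gave HookAPI (NtReadVirtualMemory).  The
 * previous code passed ZwCreateFile, which stored NtReadVirtualMemory's saved
 * address into ZwCreateFile's slot and left the patched slot pointing into
 * this driver's image after it was unloaded.
 */
VOID OnUnload(PDRIVER_OBJECT pDriverObj)
{
(void)pDriverObj;

UnHookAPI(OriginalAPI, (PDWORD)NtReadVirtualMemory);
DbgPrint("\nDriver Unload\n");
}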

Thanks, all.

What you’re trying to do here is unsupported and unsustainable. What problem are you trying to solve by hooking system calls like this?

  • S (Msft)

From: xxxxx@lists.osr.com [xxxxx@lists.osr.com] on behalf of xxxxx@gmail.com [xxxxx@gmail.com]
Sent: Sunday, August 21, 2011 12:03 PM
To: Windows File Systems Devs Interest List
Subject: [ntfsd] ZwReadVirtualMemory

I'm trying to hook this one but couldn't. When I use Zw- or NtReadVirtualMemory it gives a "driver couldn't load" error, but I can hook ZwCreateFile and some other APIs, just not this one. I need help. Here is my code:

#include <ntddk.h>

/*
 * SYSTEMSERVICE(_name): the SSDT slot whose index is read from the four bytes
 * at _name+1.  That only yields an index when the routine behind _name begins
 * with a 5-byte "mov eax, <index>" stub; for any other routine the bytes read
 * are not an index.  The value is never compared with ServiceLimit, so a wrong
 * argument addresses memory outside the table.  The macro expands to an
 * lvalue, which is what lets HookAPI/UnHookAPI assign to it.
 */
#define SYSTEMSERVICE(_name) KeServiceDescriptorTable.ServiceTable[*(DWORD *) ((unsigned char *)_name + 1)]

/* 32-bit Windows types: DWORD is 32 bits wide.  The SDT layout below depends
 * on this and on 32-bit pointers, i.e. on x86. */
typedef unsigned long DWORD, *PDWORD;
typedef unsigned char BYTE, *PBYTE;

/* Layout of KeServiceDescriptorTable as this driver reads it: ServiceTable is
 * the array of service routine addresses, ServiceLimit its entry count.
 * CounterTableBase and ArgumentTable are never used here. */
typedef struct ServiceDescriptorEntry {
PDWORD ServiceTable;
PDWORD CounterTableBase;
DWORD ServiceLimit;
PBYTE ArgumentTable;
} SDT;

/* Signature used to call the saved original service routine.
 * NOTE(review): neither this type nor NtReadVirtualMemoryOwned carries an
 * NTAPI (__stdcall) qualifier; the system-service dispatcher and the routine
 * being replaced use NTAPI on x86, and a calling-convention mismatch corrupts
 * the stack -- confirm against the DDK declaration of ZwReadVirtualMemory. */
typedef NTSTATUS (*ZWREADVIRTUALMEMORY)(
IN HANDLE ProcessHandle,
IN PVOID BaseAddress,
OUT PVOID Buffer,
IN ULONG NumberOfBytesToRead,
OUT PULONG NumberOfBytesReaded OPTIONAL
);

/* Resolved by the loader against the kernel export of the same name. */
__declspec(dllimport) SDT KeServiceDescriptorTable;

/* Forward declarations; the definitions follow below. */
VOID HookAPI(PDWORD API, PDWORD NewAPI);
VOID UnHookAPI(PDWORD OriginalAPI, PDWORD API);
VOID OnUnload(PDRIVER_OBJECT pDriverObj);

/* Declared as a kernel import (NTSYSAPI) so its address can be taken in
 * DriverEntry.  NOTE(review): a "driver couldn't load" failure, as described
 * in the thread, is what an unresolved import looks like; this name is not a
 * documented ntoskrnl export for the x86 versions this code targets.  Check
 * the loader's status in the debugger to confirm. */
NTSYSAPI NTSTATUS NtReadVirtualMemory(
IN HANDLE ProcessHandle,
IN PVOID BaseAddress,
OUT PVOID Buffer,
IN ULONG NumberOfBytesToRead,
OUT PULONG NumberOfBytesReaded OPTIONAL
);

/* The replacement routine written into the SSDT slot (defined below). */
NTSTATUS NtReadVirtualMemoryOwned(
IN HANDLE ProcessHandle,
IN PVOID BaseAddress,
OUT PVOID Buffer,
IN ULONG NumberOfBytesToRead,
OUT PULONG NumberOfBytesReaded OPTIONAL
);

/* Dispatch address HookAPI found in the slot before overwriting it; read by
 * NtReadVirtualMemoryOwned and handed back by OnUnload.  Stored as PDWORD and
 * cast to a function pointer at the call site.  UnHookAPI's first parameter
 * has the same name and shadows this global inside that function. */
PDWORD OriginalAPI;

/*
 * Replacement service routine installed by HookAPI.  Logs the raw arguments
 * and forwards the call unchanged to the dispatch address saved in the global
 * OriginalAPI; the original's status is returned as-is.  The parameters are
 * those of the service being replaced; NumberOfBytesReaded may be NULL.
 *
 * The trace prints NumberOfBytesReaded as a pointer value, not as a byte
 * count (the count is only filled in after the original returns).
 * NOTE(review): declared without NTAPI/__stdcall, unlike the routine it
 * replaces; on x86 the dispatcher's calling convention has to match --
 * confirm against the DDK declaration.
 */
NTSTATUS NtReadVirtualMemoryOwned(
IN HANDLE ProcessHandle,
IN PVOID BaseAddress,
OUT PVOID Buffer,
IN ULONG NumberOfBytesToRead,
OUT PULONG NumberOfBytesReaded OPTIONAL
)
{
ZWREADVIRTUALMEMORY forward = (ZWREADVIRTUALMEMORY)OriginalAPI;

DbgPrint("\nProcessHandle:0x%X\nBaseAddress:0x%X\nBufferAddress:0x%X\nNumberOfBytesToRead:%d\nNumberOfBytesReaded:%d\n",
(ULONG)ProcessHandle,
(ULONG)BaseAddress,
(ULONG)Buffer,
(ULONG)NumberOfBytesToRead,
(ULONG)NumberOfBytesReaded);

/* Pass the call straight through; nothing is filtered or altered. */
return forward(ProcessHandle, BaseAddress, Buffer, NumberOfBytesToRead, NumberOfBytesReaded);
}

/*
 * Overwrite the SSDT slot selected by API with NewAPI, remembering the
 * previous contents in the global OriginalAPI.
 *
 * API    - routine whose leading bytes SYSTEMSERVICE() decodes into the slot index
 * NewAPI - address written into that slot
 *
 * The store is done with CR0.WP cleared so the read-only table page accepts
 * the write.  cli/sti and the CR0 change affect only the processor this runs
 * on: every other processor keeps WP set and keeps dispatching system calls
 * through the table while it is being patched, and nothing orders the store
 * against them.  The index is not checked against
 * KeServiceDescriptorTable.ServiceLimit, so a wrong API argument writes
 * outside the table.  The assignment through a cast is an MSVC extension.
 */
VOID HookAPI(PDWORD API, PDWORD NewAPI)
{
DWORD nOldProtect;   /* CR0 as found, restored below */
OriginalAPI = (PDWORD) (SYSTEMSERVICE(API));
DbgPrint(“\nAPI Address : 0x%x”, SYSTEMSERVICE(API));
DbgPrint(“\nHooking API…”);
/* Mask interrupts on this CPU and clear CR0.WP (bit 16). */
__asm
{
cli
push eax
mov eax, cr0
mov nOldProtect, eax
and eax, 0xFFFEFFFF
mov cr0, eax
pop eax
}
/* The patch itself: one 32-bit store into the table. */
(PDWORD) (SYSTEMSERVICE(API)) = NewAPI;
/* Put CR0 back (write protection on again) and re-enable interrupts. */
__asm
{
push eax
mov eax, nOldProtect
mov cr0, eax
pop eax
sti
}

}
/*
 * Write OriginalAPI back into the SSDT slot selected by API.
 *
 * OriginalAPI - address to store; this parameter shadows the global of the
 *               same name, so the caller must pass the saved value explicitly
 * API         - routine whose leading bytes SYSTEMSERVICE() decodes into the
 *               slot index; it must be the same symbol that was given to
 *               HookAPI, otherwise a different slot is overwritten
 *
 * Same mechanism and same limits as HookAPI: cli/sti and clearing CR0.WP act
 * on the current processor only, and the index is not range-checked.
 */
VOID UnHookAPI(PDWORD OriginalAPI, PDWORD API)
{
DWORD nOldProtect;   /* CR0 as found, restored below */

DbgPrint(“\nUnhooking API…\n”);
/* Mask interrupts on this CPU and clear CR0.WP (bit 16). */
__asm
{
cli
push eax
mov eax, cr0
mov nOldProtect, eax
and eax, 0xFFFEFFFF
mov cr0, eax
pop eax
}
/* Restore the slot with a single 32-bit store. */
(PDWORD)(SYSTEMSERVICE(API)) = OriginalAPI;
/* Put CR0 back and re-enable interrupts. */
__asm
{
push eax
mov eax, nOldProtect
mov cr0, eax
pop eax
sti
}

}
/*
 * Driver entry point: reports the table address and the address whose bytes
 * select the slot, installs NtReadVirtualMemoryOwned over that slot and
 * registers OnUnload.  Always returns STATUS_SUCCESS -- HookAPI reports no
 * failure, so the driver stays loaded whether or not the patch took.
 *
 * pDriverObj     - driver object; only DriverUnload is set
 * pRegisteryPath - unused
 *
 * OnUnload has to pass the same symbol (NtReadVirtualMemory) to UnHookAPI so
 * that the same slot is restored.
 */
NTSTATUS DriverEntry(PDRIVER_OBJECT pDriverObj, PUNICODE_STRING pRegisteryPath)
{
(void)pRegisteryPath;

/* Register the unload routine before touching the table so it is in place
 * as soon as the slot has been patched. */
pDriverObj->DriverUnload = OnUnload;

DbgPrint("SSDT Address: 0x%x\nNtReadVirtualMemory Address: 0x%x\n",
KeServiceDescriptorTable.ServiceTable,
(ULONG)NtReadVirtualMemory);

HookAPI((PDWORD)NtReadVirtualMemory, (PDWORD)NtReadVirtualMemoryOwned);

return STATUS_SUCCESS;
}
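/*
 * Driver unload routine: puts the saved original dispatch address back into
 * the slot DriverEntry patched.
 *
 * pDriverObj - unused
 *
 * Fix: the slot UnHookAPI writes is selected by the symbol passed to it, so
 * it must be the symbol DriverEntry gave HookAPI (NtReadVirtualMemory).  The
 * previous code passed ZwCreateFile, which stored NtReadVirtualMemory's saved
 * address into ZwCreateFile's slot and left the patched slot pointing into
 * this driver's image after it was unloaded.
 */
VOID OnUnload(PDRIVER_OBJECT pDriverObj)
{
(void)pDriverObj;

UnHookAPI(OriginalAPI, (PDWORD)NtReadVirtualMemory);
DbgPrint("\nDriver Unload\n");
}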

ty for all.



Why do you think you need to do this? This is very discouraged these days,
and won’t work at all on x64 systems, Vista+

Also, on any version and architecture of Windows, your code has several
problems, the most notable of which is that it will break on
multiprocessors.

mm

-----Original Message-----
From: xxxxx@lists.osr.com
[mailto:xxxxx@lists.osr.com] On Behalf Of
xxxxx@gmail.com
Sent: Sunday, August 21, 2011 3:03 PM
To: Windows File Systems Devs Interest List
Subject: [ntfsd] ZwReadVirtualMemory

I'm trying to hook this one but couldn't. When I use Zw- or
NtReadVirtualMemory it gives a "driver couldn't load" error, but I can hook
ZwCreateFile and some other APIs, just not this one. I need help. Here is my code:

#include <ntddk.h>

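/*
 * SYSTEMSERVICE(_name): the SSDT slot whose index is read from the four bytes
 * at _name+1.  That only yields an index when the routine behind _name begins
 * with a 5-byte "mov eax, <index>" stub; for any other routine the bytes read
 * are not an index.  The value is never compared with ServiceLimit, so a wrong
 * argument addresses memory outside the table.  The macro expands to an
 * lvalue, which is what lets HookAPI/UnHookAPI assign to it.
 *
 * Fix: the quoted copy had lost the two '*' characters of the dereference and
 * cast (line wrapping), and three prototypes had been run onto two lines; the
 * text is restored to match the listing in the original post.
 */
#define SYSTEMSERVICE(_name) KeServiceDescriptorTable.ServiceTable[*(DWORD *) ((unsigned char *)_name + 1)]

/* 32-bit Windows types: DWORD is 32 bits wide.  The SDT layout below depends
 * on this and on 32-bit pointers, i.e. on x86. */
typedef unsigned long DWORD, *PDWORD;
typedef unsigned char BYTE, *PBYTE;

/* Layout of KeServiceDescriptorTable as this driver reads it: ServiceTable is
 * the array of service routine addresses, ServiceLimit its entry count.
 * CounterTableBase and ArgumentTable are never used here. */
typedef struct ServiceDescriptorEntry {
PDWORD ServiceTable;
PDWORD CounterTableBase;
DWORD ServiceLimit;
PBYTE ArgumentTable;
} SDT;

/* Signature used to call the saved original service routine.
 * NOTE(review): neither this type nor NtReadVirtualMemoryOwned carries an
 * NTAPI (__stdcall) qualifier; the system-service dispatcher and the routine
 * being replaced use NTAPI on x86, and a calling-convention mismatch corrupts
 * the stack -- confirm against the DDK declaration of ZwReadVirtualMemory. */
typedef NTSTATUS (*ZWREADVIRTUALMEMORY)(
IN HANDLE ProcessHandle,
IN PVOID BaseAddress,
OUT PVOID Buffer,
IN ULONG NumberOfBytesToRead,
OUT PULONG NumberOfBytesReaded OPTIONAL
);

/* Resolved by the loader against the kernel export of the same name. */
__declspec(dllimport) SDT KeServiceDescriptorTable;

/* Forward declarations; the definitions follow below. */
VOID HookAPI(PDWORD API, PDWORD NewAPI);
VOID UnHookAPI(PDWORD OriginalAPI, PDWORD API);
VOID OnUnload(PDRIVER_OBJECT pDriverObj);

/* Declared as a kernel import (NTSYSAPI) so its address can be taken in
 * DriverEntry.  NOTE(review): a "driver couldn't load" failure, as described
 * in the thread, is what an unresolved import looks like; this name is not a
 * documented ntoskrnl export for the x86 versions this code targets.  Check
 * the loader's status in the debugger to confirm. */
NTSYSAPI NTSTATUS NtReadVirtualMemory(
IN HANDLE ProcessHandle,
IN PVOID BaseAddress,
OUT PVOID Buffer,
IN ULONG NumberOfBytesToRead,
OUT PULONG NumberOfBytesReaded OPTIONAL
);

/* The replacement routine written into the SSDT slot (defined below). */
NTSTATUS NtReadVirtualMemoryOwned(
IN HANDLE ProcessHandle,
IN PVOID BaseAddress,
OUT PVOID Buffer,
IN ULONG NumberOfBytesToRead,
OUT PULONG NumberOfBytesReaded OPTIONAL
);

/* Dispatch address HookAPI found in the slot before overwriting it; read by
 * NtReadVirtualMemoryOwned and handed back by OnUnload.  Stored as PDWORD and
 * cast to a function pointer at the call site.  UnHookAPI's first parameter
 * has the same name and shadows this global inside that function. */
PDWORD OriginalAPI;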

/*
 * Replacement service routine installed by HookAPI.  Logs the raw arguments
 * and forwards the call unchanged to the dispatch address saved in the global
 * OriginalAPI; the original's status is returned as-is.  The parameters are
 * those of the service being replaced; NumberOfBytesReaded may be NULL.
 *
 * The trace prints NumberOfBytesReaded as a pointer value, not as a byte
 * count (the count is only filled in after the original returns).
 * NOTE(review): declared without NTAPI/__stdcall, unlike the routine it
 * replaces; on x86 the dispatcher's calling convention has to match --
 * confirm against the DDK declaration.
 */
NTSTATUS NtReadVirtualMemoryOwned(
IN HANDLE ProcessHandle,
IN PVOID BaseAddress,
OUT PVOID Buffer,
IN ULONG NumberOfBytesToRead,
OUT PULONG NumberOfBytesReaded OPTIONAL
)
{
ZWREADVIRTUALMEMORY forward = (ZWREADVIRTUALMEMORY)OriginalAPI;

DbgPrint("\nProcessHandle:0x%X\nBaseAddress:0x%X\nBufferAddress:0x%X\nNumberOfBytesToRead:%d\nNumberOfBytesReaded:%d\n",
(ULONG)ProcessHandle,
(ULONG)BaseAddress,
(ULONG)Buffer,
(ULONG)NumberOfBytesToRead,
(ULONG)NumberOfBytesReaded);

/* Pass the call straight through; nothing is filtered or altered. */
return forward(ProcessHandle, BaseAddress, Buffer, NumberOfBytesToRead, NumberOfBytesReaded);
}

/*
 * Overwrite the SSDT slot selected by API with NewAPI, remembering the
 * previous contents in the global OriginalAPI.
 *
 * API    - routine whose leading bytes SYSTEMSERVICE() decodes into the slot index
 * NewAPI - address written into that slot
 *
 * The store is done with CR0.WP cleared so the read-only table page accepts
 * the write.  cli/sti and the CR0 change affect only the processor this runs
 * on: every other processor keeps WP set and keeps dispatching system calls
 * through the table while it is being patched, and nothing orders the store
 * against them.  The index is not checked against
 * KeServiceDescriptorTable.ServiceLimit, so a wrong API argument writes
 * outside the table.  The assignment through a cast is an MSVC extension.
 */
VOID HookAPI(PDWORD API, PDWORD NewAPI)
{
DWORD nOldProtect;   /* CR0 as found, restored below */
OriginalAPI = (PDWORD) (SYSTEMSERVICE(API));
DbgPrint(“\nAPI Address : 0x%x”, SYSTEMSERVICE(API));
DbgPrint(“\nHooking API…”);
/* Mask interrupts on this CPU and clear CR0.WP (bit 16). */
__asm
{
cli
push eax
mov eax, cr0
mov nOldProtect, eax
and eax, 0xFFFEFFFF
mov cr0, eax
pop eax
}
/* The patch itself: one 32-bit store into the table. */
(PDWORD) (SYSTEMSERVICE(API)) = NewAPI;
/* Put CR0 back (write protection on again) and re-enable interrupts. */
__asm
{
push eax
mov eax, nOldProtect
mov cr0, eax
pop eax
sti
}

}
/*
 * Write OriginalAPI back into the SSDT slot selected by API.
 *
 * OriginalAPI - address to store; this parameter shadows the global of the
 *               same name, so the caller must pass the saved value explicitly
 * API         - routine whose leading bytes SYSTEMSERVICE() decodes into the
 *               slot index; it must be the same symbol that was given to
 *               HookAPI, otherwise a different slot is overwritten
 *
 * Same mechanism and same limits as HookAPI: cli/sti and clearing CR0.WP act
 * on the current processor only, and the index is not range-checked.
 */
VOID UnHookAPI(PDWORD OriginalAPI, PDWORD API) {
DWORD nOldProtect;   /* CR0 as found, restored below */

DbgPrint(“\nUnhooking API…\n”);
/* Mask interrupts on this CPU and clear CR0.WP (bit 16). */
__asm
{
cli
push eax
mov eax, cr0
mov nOldProtect, eax
and eax, 0xFFFEFFFF
mov cr0, eax
pop eax
}
/* Restore the slot with a single 32-bit store. */
(PDWORD)(SYSTEMSERVICE(API)) = OriginalAPI;
/* Put CR0 back and re-enable interrupts. */
__asm
{
push eax
mov eax, nOldProtect
mov cr0, eax
pop eax
sti
}

}
/*
 * Driver entry point: reports the table address and the address whose bytes
 * select the slot, installs NtReadVirtualMemoryOwned over that slot and
 * registers OnUnload.  Always returns STATUS_SUCCESS -- HookAPI reports no
 * failure, so the driver stays loaded whether or not the patch took.
 *
 * pDriverObj     - driver object; only DriverUnload is set
 * pRegisteryPath - unused
 *
 * OnUnload has to pass the same symbol (NtReadVirtualMemory) to UnHookAPI so
 * that the same slot is restored.
 */
NTSTATUS DriverEntry(PDRIVER_OBJECT pDriverObj, PUNICODE_STRING pRegisteryPath)
{
(void)pRegisteryPath;

/* Register the unload routine before touching the table so it is in place
 * as soon as the slot has been patched. */
pDriverObj->DriverUnload = OnUnload;

DbgPrint("SSDT Address: 0x%x\nNtReadVirtualMemory Address: 0x%x\n",
KeServiceDescriptorTable.ServiceTable,
(ULONG)NtReadVirtualMemory);

HookAPI((PDWORD)NtReadVirtualMemory, (PDWORD)NtReadVirtualMemoryOwned);

return STATUS_SUCCESS;
}
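/*
 * Driver unload routine: puts the saved original dispatch address back into
 * the slot DriverEntry patched.
 *
 * pDriverObj - unused
 *
 * Fix: the slot UnHookAPI writes is selected by the symbol passed to it, so
 * it must be the symbol DriverEntry gave HookAPI (NtReadVirtualMemory).  The
 * previous code passed ZwCreateFile, which stored NtReadVirtualMemory's saved
 * address into ZwCreateFile's slot and left the patched slot pointing into
 * this driver's image after it was unloaded.
 */
VOID OnUnload(PDRIVER_OBJECT pDriverObj)
{
(void)pDriverObj;

UnHookAPI(OriginalAPI, (PDWORD)NtReadVirtualMemory);
DbgPrint("\nDriver Unload\n");
}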

ty for all.



I need to learn something about kernel hooking, because I'm trying to build a mini anti-rootkit and mini anti-hacking tool.

And I know it won't work on x64 systems.

There’s a ton of projects out there that have attempted this. None of them
work. As expressed, it’s a Halting problem, in my opinion. Without some
sort of hardware support/out of band execution capability (or emulation)
there’s no way to ensure that you get there first before the system has been
compromised, nor is there a way to ensure that you don’t get replaced. Even
with said support, it’s not necessarily possible in all cases, depending on
how you define the problem /goal (among other things).

If you wish to proceed, try Googling to find one of those projects.

It’s not like I think that what you’re doing is necessarily evil or
anything, but it’s also not really what this list is about, either (IMO).

Good luck,

mm

-----Original Message-----
From: xxxxx@lists.osr.com
[mailto:xxxxx@lists.osr.com] On Behalf Of
xxxxx@gmail.com
Sent: Sunday, August 21, 2011 3:16 PM
To: Windows File Systems Devs Interest List
Subject: RE:[ntfsd] ZwReadVirtualMemory

I need to learn something about kernel hooking, because I'm trying to build a mini anti-rootkit
and mini anti-hacking tool.



Okay, thank you!