[ C ] NtOpenProcess hook.
A crude method of preventing access to a program is to hook NtOpenProcess and deny any request for a handle to it. Simple. The screenshot below shows what happened when I tried to terminate notepad, which at the time was ‘protected’ by this hook. A detour hook would be preferable to an SSDT pointer change, as it is less detectable, but I’ll cover that some other time.

[ C - Source ] Driver.c
[ C++ - Source ] DriverControll.cpp
Download the compiled executable.
ntifs.h
NEW post regarding NtOpenProcess hooks
Operation: Once the executable has been run and you’ve entered your target process name (with the .exe!), you are presented with an arrow prompt (-->) and have three commands: HOOK, UNHOOK and EXIT. They’re fairly self-explanatory. Unhook before you exit. Make sure you’ve spelt the process name correctly.
OK, as with many previous things, this is XP only. The call number (the index into the SSDT) would need to be changed for other OS versions or service packs. Look here for different call numbers.
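The post notes that an SSDT pointer change is easier to detect than a detour. The following is an added example (not code from the post or its driver) of how that detection is done: it mirrors the SERVICE_DESCRIPTOR_TABLE layout from the header posted in the comments, but runs entirely in user mode over constructed data. The kernel image range, the eight-entry table and the driver address 0xF8A10000 are all made up for the demo; a real checker would read the live table from KeServiceDescriptorTable and the kernel base and size from the loaded-module list.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Mirror of the SERVICE_DESCRIPTOR_TABLE layout (x86). Only ServiceTable and
   TableSize are used by the checks below. */
typedef struct {
    uintptr_t *ServiceTable;   /* one function pointer per call number */
    uint32_t  *CounterTable;   /* unused here */
    uint32_t   TableSize;      /* number of entries */
    uint8_t   *ArgumentTable;  /* unused here */
} sim_sdt_t;

/* Load range of the kernel image. Constructed for the demo; a real checker
   would take these from the loaded-module list. */
typedef struct {
    uintptr_t base;
    uintptr_t size;
} image_range_t;

static int points_into_image(uintptr_t p, const image_range_t *img) {
    return p >= img->base && p < img->base + img->size;
}

/* Check 1: every service pointer should lie inside the kernel image. An entry
   pointing elsewhere (e.g. into a third-party driver) is exactly how an SSDT
   pointer swap shows up. Indices of such entries go into out[]; the return
   value is how many were found. */
size_t find_out_of_image_entries(const sim_sdt_t *sdt, const image_range_t *img,
                                 uint32_t *out, size_t max_out) {
    size_t found = 0;
    for (uint32_t i = 0; i < sdt->TableSize; i++) {
        if (!points_into_image(sdt->ServiceTable[i], img)) {
            if (found < max_out) out[found] = i;
            found++;
        }
    }
    return found;
}

/* Check 2: compare the live table with a snapshot taken at a trusted time.
   This also catches a swap that points back inside the kernel image (to some
   other legitimate routine). Returns the number of differing entries. */
size_t diff_against_baseline(const uintptr_t *live, const uintptr_t *baseline,
                             uint32_t count, uint32_t *out, size_t max_out) {
    size_t found = 0;
    for (uint32_t i = 0; i < count; i++) {
        if (live[i] != baseline[i]) {
            if (found < max_out) out[found] = i;
            found++;
        }
    }
    return found;
}

/* Constructed demo data: an 8-entry table, a kernel image at 0x80400000 of
   0x200000 bytes, and entry 3 swapped to an address in a hypothetical driver. */
#define DEMO_KERNEL_BASE  0x80400000u
#define DEMO_KERNEL_SIZE  0x00200000u
#define DEMO_HOOKED_INDEX 3

static uintptr_t demo_baseline[8] = {
    0x80401000u, 0x80402000u, 0x80403000u, 0x80404000u,
    0x80405000u, 0x80406000u, 0x80407000u, 0x80408000u,
};
static uintptr_t demo_live[8] = {
    0x80401000u, 0x80402000u, 0x80403000u, 0xF8A10000u, /* index 3 replaced */
    0x80405000u, 0x80406000u, 0x80407000u, 0x80408000u,
};

/* Runs both checks on the demo data and returns the single hooked index when
   both checks agree on it, or -1 otherwise. */
int demo_scan(void) {
    sim_sdt_t sdt = { demo_live, NULL, 8, NULL };
    image_range_t img = { DEMO_KERNEL_BASE, DEMO_KERNEL_SIZE };
    uint32_t a[8], b[8];
    size_t na = find_out_of_image_entries(&sdt, &img, a, 8);
    size_t nb = diff_against_baseline(demo_live, demo_baseline, 8, b, 8);
    if (na != 1 || nb != 1 || a[0] != b[0]) return -1;
    return (int)a[0];
}

int main(void) {
    int idx = demo_scan();
    if (idx < 0)
        printf("no SSDT modification detected\n");
    else
        printf("service index %d points outside the kernel image and differs from the baseline\n", idx);
    return 0;
}
```

The range check alone is what most rootkit detectors of that era used; the baseline diff is the stronger of the two, since it also flags entries that were redirected to another address inside the kernel image. Neither check sees a detour (inline) hook, which patches the target function's body rather than the table entry, which is why the post calls that variant less detectable.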

Marvellous, I wanted this desperately.
BNC said this on January 11, 2009 at 10:24 am
Hi. I can’t compile driver.c. I want to create a new driver file. I want to change the driver name. Please help me…
Nizamettin AVCI said this on February 25, 2009 at 6:45 am
Hey Rhys,
Thank you for the code. I tested the binaries with notepad and it returned the result as you’ve mentioned above.
I would like to know more about such techniques. Could you please help me with this? Also, you’ve mentioned changing the call number (which I assume is the NtOpenProcess_callnumber variable in the driver code). How could I know the call number of the function in different operating systems? Did you mean the entry point? Can I open ntdll in Dependency Walker and get the entry point from there? Waiting eagerly for your help.
Regards
Anil
Anil said this on August 12, 2009 at 12:02 pm
Rhys,
I tried to build the driver. On my machine I’ve got the WDK installed, the latest of course. I got 15 errors while building using the checked build environment. Below is the complete build log.
BUILD: Computing Include file dependencies:
BUILD: Examining d:\openprocesshook\driver directory for files to compile.
before AssemblyIdentity_AfterReadAllSources
after AssemblyIdentity_AfterReadAllSources
skipping post pass 0 command
Compiling and Linking d:\openprocesshook\driver *************
'nmake.exe /nologo BUILDMSG=Stop. -i BUILD_PASS=PASS2 LINKONLY=1 NOPASS0=1 MAKEDIR_RELATIVE_TO_BASEDIR= MAKEDIR_LOWERCASE=d:\openprocesshook\driver'
d:\openprocesshook\driver: TARGETPATH is obj
BUILDMSG: _NT_TARGET_VERSION SET TO WINXP
cl.exe @d:\openprocesshook\driver\objchk_wxp_x86\i386\cl.rsp
Microsoft (R) 32-bit C/C++ Optimizing Compiler Version 14.00.50727.220 for 80x86
Copyright (C) Microsoft Corporation. All rights reserved.
cl /Fo"d:\openprocesshook\driver\objchk_wxp_x86\i386/"
/FC
/Ii386
/I.
/I%BUILD%\inc
/Id:\openprocesshook\driver\objchk_wxp_x86\i386
/ID:\WinDDK\6000\inc\api
/ID:\WinDDK\6000\inc\api
/ID:\WinDDK\6000\inc\ddk
/ID:\WinDDK\6000\inc\ddk
/ID:\WinDDK\6000\inc\crt
/D_X86_=1
/Di386=1
/DSTD_CALL
/DCONDITION_HANDLING=1
/DNT_INST=0
/DWIN32=100
/D_NT1X_=100
/DWINNT=1
/D_WIN32_WINNT=0x0501
/DWINVER=0x0501
/D_WIN32_IE=0x0603
/DWIN32_LEAN_AND_MEAN=1
/DDEVL=1
/DDBG=1
/D__BUILDMACHINE__=WinDDK
/DFPO=0
/D_DLL=1
/DNDEBUG
/DDEPRECATE_DDK_FUNCTIONS=1
/DMSC_NOOPT
/DNTDDI_VERSION=0x05010200
/c
/Zc:wchar_t-
/Zl
/Zp8
/Gy
/Gm-
-cbstring
/W3
/Gz
/hotpatch
/EHs-c-
/GR-
/GF
/GS
/Zi
/Od
/Oi
/Oy-
/Zi
/Fdd:\openprocesshook\driver\objchk_wxp_x86\i386\
-DKMDF_MAJOR_VERSION=01
-DKMDF_MINOR_VERSION=005
/FID:\WinDDK\6000\inc\api\warning.h
.\cntopenprocessdrver.c
cntopenprocessdrver.c
d:\openprocesshook\driver\cntopenprocessdrver.c(74) : error C2065: 'KeServiceDescriptorTable' : undeclared identifier
errors in directory d:\openprocesshook\driver
d:\openprocesshook\driver\cntopenprocessdrver.c(74) : error C2065: 'KeServiceDescriptorTable' : undeclared identifier
d:\openprocesshook\driver\cntopenprocessdrver.c(74) : error C2223: left of '->ServiceTable' must point to struct/union
d:\openprocesshook\driver\cntopenprocessdrver.c(74) : error C2223: left of '->ServiceTable' must point to struct/union
d:\openprocesshook\driver\cntopenprocessdrver.c(81) : error C2223: left of '->ServiceTable' must point to struct/union
d:\openprocesshook\driver\cntopenprocessdrver.c(81) : error C2223: left of '->ServiceTable' must point to struct/union
d:\openprocesshook\driver\cntopenprocessdrver.c(84) : error C2223: left of '->ServiceTable' must point to struct/union
d:\openprocesshook\driver\cntopenprocessdrver.c(84) : error C2223: left of '->ServiceTable' must point to struct/union
d:\openprocesshook\driver\cntopenprocessdrver.c(98) : error C2037: left of 'ActiveProcessLinks' specifies undefined struct/union '_EPROCESS'
d:\openprocesshook\driver\cntopenprocessdrver.c(98) : error C2037: left of 'ActiveProcessLinks' specifies undefined struct/union '_EPROCESS'
d:\openprocesshook\driver\cntopenprocessdrver.c(98) : error C2198: 'IsListEmpty' : too few arguments for call
d:\openprocesshook\driver\cntopenprocessdrver.c(98) : error C2198: 'IsListEmpty' : too few arguments for call
d:\openprocesshook\driver\cntopenprocessdrver.c(102) : error C2037: left of 'ActiveProcessLinks' specifies undefined struct/union '_EPROCESS'
d:\openprocesshook\driver\cntopenprocessdrver.c(102) : error C2037: left of 'ActiveProcessLinks' specifies undefined struct/union '_EPROCESS'
d:\openprocesshook\driver\cntopenprocessdrver.c(106) : error C2065: 'EPROCESS' : undeclared identifier
d:\openprocesshook\driver\cntopenprocessdrver.c(106) : error C2065: 'EPROCESS' : undeclared identifier
d:\openprocesshook\driver\cntopenprocessdrver.c(106) : error C2059: syntax error : ')'
d:\openprocesshook\driver\cntopenprocessdrver.c(106) : error C2059: syntax error : ')'
d:\openprocesshook\driver\cntopenprocessdrver.c(107) : error C2037: left of 'ActiveThreads' specifies undefined struct/union '_EPROCESS'
d:\openprocesshook\driver\cntopenprocessdrver.c(107) : error C2037: left of 'ActiveThreads' specifies undefined struct/union '_EPROCESS'
d:\openprocesshook\driver\cntopenprocessdrver.c(108) : error C2037: left of 'ThreadListHead' specifies undefined struct/union '_EPROCESS'
d:\openprocesshook\driver\cntopenprocessdrver.c(108) : error C2037: left of 'ThreadListHead' specifies undefined struct/union '_EPROCESS'
d:\openprocesshook\driver\cntopenprocessdrver.c(108) : error C2198: 'IsListEmpty' : too few arguments for call
d:\openprocesshook\driver\cntopenprocessdrver.c(108) : error C2198: 'IsListEmpty' : too few arguments for call
d:\openprocesshook\driver\cntopenprocessdrver.c(109) : error C2037: left of 'ImageFileName' specifies undefined struct/union '_EPROCESS'
d:\openprocesshook\driver\cntopenprocessdrver.c(109) : error C2037: left of 'ImageFileName' specifies undefined struct/union '_EPROCESS'
d:\openprocesshook\driver\cntopenprocessdrver.c(109) : warning C4047: 'function' : 'const char *' differs in levels of indirection from 'size_t'
warnings in directory d:\openprocesshook\driver
d:\openprocesshook\driver\cntopenprocessdrver.c(109) : warning C4047: 'function' : 'const char *' differs in levels of indirection from 'size_t'
d:\openprocesshook\driver\cntopenprocessdrver.c(109) : warning C4024: '_strnicmp' : different types for formal and actual parameter 2
d:\openprocesshook\driver\cntopenprocessdrver.c(109) : warning C4024: '_strnicmp' : different types for formal and actual parameter 2
d:\openprocesshook\driver\cntopenprocessdrver.c(109) : error C2198: '_strnicmp' : too few arguments for call
d:\openprocesshook\driver\cntopenprocessdrver.c(109) : error C2198: '_strnicmp' : too few arguments for call
d:\openprocesshook\driver\cntopenprocessdrver.c(118) : error C2143: syntax error : missing '{' before '__stdcall'
d:\openprocesshook\driver\cntopenprocessdrver.c(118) : error C2143: syntax error : missing '{' before '__stdcall'
d:\openprocesshook\driver\cntopenprocessdrver.c(119) : warning C4142: benign redefinition of type
d:\openprocesshook\driver\cntopenprocessdrver.c(119) : warning C4142: benign redefinition of type
link.exe /out:objchk_wxp_x86\i386\UndeadRootKit.sys /machine:ix86 @C:\DOCUME~1\Anil\LOCALS~1\Temp\nmBB.tmp
Microsoft (R) Incremental Linker Version 8.00.50727.220
Copyright (C) Microsoft Corporation. All rights reserved.
/MERGE:_PAGE=PAGE
/MERGE:_TEXT=.text
/SECTION:INIT,d
/OPT:REF
/OPT:ICF
/IGNORE:4198,4010,4037,4039,4065,4070,4078,4087,4089,4221
/INCREMENTAL:NO
/FULLBUILD
/release
/NODEFAULTLIB
/WX
/debug
/debugtype:cv
/version:6.0
/osversion:6.0
/functionpadmin:5
/safeseh
/debug
/debugtype:cv,fixup
/pdbcompress
/STACK:0x40000,0x1000
/driver
/base:0x10000
/align:0x80 /stub:d:\winddk\6000\lib\wxp\stub512.com
/subsystem:native,5.01
/entry:GsDriverEntry@8
/out:objchk_wxp_x86\i386\UndeadRootKit.sys
objchk_wxp_x86\i386\cntopenprocessdrver.obj
d:\winddk\6000\lib\wxp\i386\BufferOverflowK.lib
d:\winddk\6000\lib\wxp\i386\ntoskrnl.lib
d:\winddk\6000\lib\wxp\i386\hal.lib
d:\winddk\6000\lib\wxp\i386\wmilib.lib
d:\winddk\6000\lib\wxp\i386\sehupd.lib
LINK : fatal error LNK1181: cannot open input file 'objchk_wxp_x86\i386\cntopenprocessdrver.obj'
link : error LNK1181: cannot open input file 'objchk_wxp_x86\i386\cntopenprocessdrver.obj'
Could you please help me out?
Regards
Anil
Anil said this on August 12, 2009 at 12:41 pm
Rhys,
I was able to build the cpp file in a sample project with the character set set to multibyte and some minor changes in the code. When I tried running the exe, it asked for the executable, for which I gave notepad.exe, and then I gave HOOK. The message “hooked” showed up, but nothing happened. I tried with the executables which you’d provided on the site, which are working fine. What could the reasons be?
Regards
Anil
Anil said this on August 13, 2009 at 1:12 pm
Rhys,
In my immediately previous message, I’d mentioned some difficulty in running the exe from the project. I rebuilt the project in Release mode (earlier it was Debug), used the driver (.sys file) which you provide, and now it’s working. So that’s solved. Now the earlier and most important one is still there: I can’t build the driver on my own. Could you please help?
Regards
Anil
Anil said this on August 13, 2009 at 1:27 pm
Your WDK doesn’t seem to include the definitions.
Check on MSDN for the structure definitions of KeServiceDescriptorTable and try to narrow it down. Their error messages are a pain and I tend to blank over them. Sorry about my lack of replies, I’ve been living elsewhere for the past while without access to the internet.
Rhys
Rhys M. said this on October 6, 2009 at 12:57 pm
Hello all,
Can anyone tell me which WDK or DDK he used to build the driver?
Thanks to all.
Ramiz said this on November 1, 2009 at 8:05 pm
I added this to ntifs.h (version 7600):
#ifdef _X86_
#define HARDWARE_PTE HARDWARE_PTE_X86
#define PHARDWARE_PTE PHARDWARE_PTE_X86
#else
#define HARDWARE_PTE ULONG
#define PHARDWARE_PTE PULONG
#endif
#ifndef FlagOn
#define FlagOn(_F,_SF) ((_F) & (_SF))
#endif
#ifndef BooleanFlagOn
#define BooleanFlagOn(F,SF) ((BOOLEAN)(((F) & (SF)) != 0))
#endif
#ifndef SetFlag
#define SetFlag(_F,_SF) ((_F) |= (_SF))
#endif
#ifndef ClearFlag
#define ClearFlag(_F,_SF) ((_F) &= ~(_SF))
#endif
//
// Define types that are not exported.
//
typedef struct _BUS_HANDLER *PBUS_HANDLER;
typedef struct _CALLBACK_OBJECT *PCALLBACK_OBJECT;
typedef struct _DEVICE_HANDLER_OBJECT *PDEVICE_HANDLER_OBJECT;
typedef struct _IO_TIMER *PIO_TIMER;
typedef struct _KINTERRUPT *PKINTERRUPT;
typedef struct _KPROCESS *PKPROCESS ,*PRKPROCESS; //*PEPROCESS;
typedef struct _KTHREAD *PKTHREAD, *PRKTHREAD; //*PETHREAD;
typedef struct _OBJECT_TYPE *POBJECT_TYPE;
typedef struct _PEB *PPEB;
typedef struct _ACL *PACL;
typedef struct _CACHE_MANAGER_CALLBACKS *PCACHE_MANAGER_CALLBACKS;
typedef struct _FILE_GET_QUOTA_INFORMATION *PFILE_GET_QUOTA_INFORMATION;
typedef struct _HANDLE_TABLE *PHANDLE_TABLE;
typedef struct _KEVENT_PAIR *PKEVENT_PAIR;
typedef struct _KQUEUE *PKQUEUE;
typedef struct _KTRAP_FRAME *PKTRAP_FRAME;
typedef struct _LPC_MESSAGE *PLPC_MESSAGE;
typedef struct _MAILSLOT_CREATE_PARAMETERS *PMAILSLOT_CREATE_PARAMETERS;
typedef struct _MMWSL *PMMWSL;
typedef struct _NAMED_PIPE_CREATE_PARAMETERS *PNAMED_PIPE_CREATE_PARAMETERS;
typedef struct _OBJECT_DIRECTORY *POBJECT_DIRECTORY;
typedef struct _PS_IMPERSONATION_INFORMATION *PPS_IMPERSONATION_INFORMATION;
typedef struct _SHARED_CACHE_MAP *PSHARED_CACHE_MAP;
typedef struct _TERMINATION_PORT *PTERMINATION_PORT;
typedef struct _VACB *PVACB;
typedef struct _VAD_HEADER *PVAD_HEADER;
typedef struct _PAGEFAULT_HISTORY *PPAGEFAULT_HISTORY;
typedef struct _EPROCESS_QUOTA_BLOCK *PEPROCESS_QUOTA_BLOCK;
typedef struct _SECTION_OBJECT *PSECTION_OBJECT;
typedef struct _SERVICE_DESCRIPTOR_TABLE *PSERVICE_DESCRIPTOR_TABLE;
extern PSERVICE_DESCRIPTOR_TABLE KeServiceDescriptorTable;
typedef PVOID PEJOB;
typedef struct _SERVICE_DESCRIPTOR_TABLE {
/*
* Table containing cServices elements of pointers to service handler
* functions, indexed by service ID.
*/
PVOID *ServiceTable;
/*
* Table that counts how many times each service is used. This table
* is only updated in checked builds.
*/
PULONG CounterTable;
/*
* Number of services contained in this table.
*/
ULONG TableSize;
/*
* Table containing the number of bytes of parameters the handler
* function takes.
*/
PUCHAR ArgumentTable;
} SERVICE_DESCRIPTOR_TABLE, *PSERVICE_DESCRIPTOR_TABLE;
typedef struct _KGDTENTRY {
USHORT LimitLow;
USHORT BaseLow;
union {
struct {
UCHAR BaseMid;
UCHAR Flags1;
UCHAR Flags2;
UCHAR BaseHi;
} Bytes;
struct {
ULONG BaseMid : 8;
ULONG Type : 5;
ULONG Dpl : 2;
ULONG Pres : 1;
ULONG LimitHi : 4;
ULONG Sys : 1;
ULONG Reserved_0 : 1;
ULONG Default_Big : 1;
ULONG Granularity : 1;
ULONG BaseHi : 8;
} Bits;
} HighWord;
} KGDTENTRY, *PKGDTENTRY;
typedef struct _KIDTENTRY {
USHORT Offset;
USHORT Selector;
USHORT Access;
USHORT ExtendedOffset;
} KIDTENTRY, *PKIDTENTRY;
typedef struct _KPROCESS {
DISPATCHER_HEADER Header;
LIST_ENTRY ProfileListHead;
ULONG DirectoryTableBase[2];
KGDTENTRY LdtDescriptor;
KIDTENTRY Int21Descriptor;
USHORT IopmOffset;
UCHAR Iopl;
UCHAR Unused;
ULONG ActiveProcessors;
ULONG KernelTime;
ULONG UserTime;
LIST_ENTRY ReadyListHead;
SINGLE_LIST_ENTRY SwapListEntry;
PVOID VdmTrapcHandler;
LIST_ENTRY ThreadListHead;
KSPIN_LOCK ProcessLock;
KAFFINITY Affinity;
USHORT StackCount;
CHAR BasePriority;
CHAR ThreadQuantum;
BOOLEAN AutoAlignment;
UCHAR State;
UCHAR ThreadSeed;
BOOLEAN DisableBoost;
UCHAR PowerState;
BOOLEAN DisableQuantum;
UCHAR IdealNode;
UCHAR Spare;
} KPROCESS, *PKPROCESS;
typedef struct _HARDWARE_PTE_X86 {
ULONG Valid : 1;
ULONG Write : 1;
ULONG Owner : 1;
ULONG WriteThrough : 1;
ULONG CacheDisable : 1;
ULONG Accessed : 1;
ULONG Dirty : 1;
ULONG LargePage : 1;
ULONG Global : 1;
ULONG CopyOnWrite : 1;
ULONG Prototype : 1;
ULONG reserved : 1;
ULONG PageFrameNumber : 20;
} HARDWARE_PTE_X86, *PHARDWARE_PTE_X86;
typedef struct _EX_FAST_REF {
union {
PVOID Object;
ULONG RefCnt : 3;
ULONG Value;
};
} EX_FAST_REF, *PEX_FAST_REF;
typedef struct _EX_PUSH_LOCK {
union {
struct {
ULONG Waiting : 1;
ULONG Exclusive : 1;
ULONG Shared : 30;
};
ULONG Value;
PVOID Ptr;
};
} EX_PUSH_LOCK, *PEX_PUSH_LOCK;
typedef struct _DEVICE_MAP {
POBJECT_DIRECTORY DosDevicesDirectory;
POBJECT_DIRECTORY GlobalDosDevicesDirectory;
ULONG ReferenceCount;
ULONG DriveMap;
UCHAR DriveType[32];
} DEVICE_MAP, *PDEVICE_MAP;
typedef struct _SE_AUDIT_PROCESS_CREATION_INFO {
POBJECT_NAME_INFORMATION ImageFileName;
} SE_AUDIT_PROCESS_CREATION_INFO, *PSE_AUDIT_PROCESS_CREATION_INFO;
typedef struct _MMSUPPORT_FLAGS {
ULONG SessionSpace : 1;
ULONG BeingTrimmed : 1;
ULONG SessionLeader : 1;
ULONG TrimHard : 1;
ULONG MaximumWorkingSetHard : 1;
ULONG ForceTrim : 1;
ULONG MinimumWorkingSetHard : 1;
ULONG Available0 : 1;
ULONG MemoryPriority : 8;
ULONG GrowWsleHash : 1;
ULONG AcquiredUnsafe : 1;
ULONG Available : 14;
} MMSUPPORT_FLAGS, *PMMSUPPORT_FLAGS;
typedef struct _MMSUPPORT {
LIST_ENTRY WorkingSetExpansionLinks;
LARGE_INTEGER LastTrimTime; // 0x8
MMSUPPORT_FLAGS Flags; // 0x10
ULONG PageFaultCount; // 0x14
ULONG PeakWorkingSetSize; // 0x18
ULONG GrowthSinceLastEstimate; // 0x1c
ULONG MinimumWorkingSetSize; // 0x20
ULONG MaximumWorkingSetSize; // 0x24
PMMWSL VmWorkingSetList; // 0x28
ULONG Claim; // 0x2c
ULONG NextEstimationSlot; // 0x30
ULONG NextAgingSlot; // 0x34
ULONG EstimatedAvailable; // 0x38
ULONG WorkingSetSize; // 0x3c
KGUARDED_MUTEX Mutex; // 0x40
} MMSUPPORT, *PMMSUPPORT;
typedef struct _EPROCESS
{
KPROCESS Pcb;
EX_PUSH_LOCK ProcessLock;
LARGE_INTEGER CreateTime;
LARGE_INTEGER ExitTime;
EX_RUNDOWN_REF RundownProtect;
PVOID UniqueProcessId;
LIST_ENTRY ActiveProcessLinks;
ULONG QuotaUsage[3];
ULONG QuotaPeak[3];
ULONG CommitCharge;
ULONG PeakVirtualSize;
ULONG VirtualSize;
LIST_ENTRY SessionProcessLinks;
PVOID DebugPort;
PVOID ExceptionPort;
PHANDLE_TABLE ObjectTable;
EX_FAST_REF Token;
FAST_MUTEX WorkingSetLock;
ULONG WorkingSetPage;
FAST_MUTEX AddressCreationLock;
KSPIN_LOCK HyperSpaceLock;
PETHREAD ForkInProgress;
ULONG HardwareTrigger;
PVOID VadRoot;
PVOID VadHint;
PVOID CloneRoot;
ULONG NumberOfPrivatePages;
ULONG NumberOfLockedPages;
PVOID Win32Process;
PEJOB Job;
PSECTION_OBJECT SectionObject;
PVOID SectionBaseAddress;
PEPROCESS_QUOTA_BLOCK QuotaBlock;
PPAGEFAULT_HISTORY WorkingSetWatch;
PVOID Win32WindowStation;
PVOID InheritedFromUniqueProcessId;
PVOID LdtInformation;
PVOID VadFreeHint;
PVOID VdmObjects;
PDEVICE_MAP DeviceMap;
LIST_ENTRY PhysicalVadList;
union
{
HARDWARE_PTE PageDirectoryPte;
ULONGLONG Filler;
};
PVOID Session;
UCHAR ImageFileName[16];
LIST_ENTRY JobLinks;
PVOID LockedPageList;
LIST_ENTRY ThreadListHead;
PVOID SecurityPort;
PVOID PaeTop;
ULONG ActiveThreads;
ULONG GrantedAccess;
ULONG DefaultHardErrorProcessing;
NTSTATUS LastThreadExitStatus;
PPEB Peb;
EX_FAST_REF PrefetchTrace;
LARGE_INTEGER ReadOperationCount;
LARGE_INTEGER WriteOperationCount;
LARGE_INTEGER OtherOperationCount;
LARGE_INTEGER ReadTransferCount;
LARGE_INTEGER WriteTransferCount;
LARGE_INTEGER OtherTransferCount;
ULONG CommitChargeLimit;
ULONG CommitChargePeek;
PVOID AweInfo;
SE_AUDIT_PROCESS_CREATION_INFO SeAuditProcessCreationInfo;
MMSUPPORT Vm;
ULONG LastFaultCount;
ULONG ModifiedPageCount;
ULONG NumberOfVads;
ULONG JobStatus;
union
{
ULONG Flags;
struct
{
ULONG CreateReported : 1;
ULONG NoDebugInherit : 1;
ULONG ProcessExiting : 1;
ULONG ProcessDelete : 1;
ULONG Wow64SplitPages : 1;
ULONG VmDeleted : 1;
ULONG OutswapEnabled : 1;
ULONG Outswapped : 1;
ULONG ForkFailed : 1;
ULONG HasPhysicalVad : 1;
ULONG AddressSpaceInitialized : 2;
ULONG SetTimerResolution : 1;
ULONG BreakOnTermination : 1;
ULONG SessionCreationUnderway : 1;
ULONG WriteWatch : 1;
ULONG ProcessInSession : 1;
ULONG OverrideAddressSpace : 1;
ULONG HasAddressSpace : 1;
ULONG LaunchPrefetched : 1;
ULONG InjectInpageErrors : 1;
ULONG Unused : 11;
};
};
NTSTATUS ExitStatus;
USHORT NextPageColor;
union
{
struct
{
UCHAR SubSystemMinorVersion;
UCHAR SubSystemMajorVersion;
};
USHORT SubSystemVersion;
};
UCHAR PriorityClass;
BOOLEAN WorkingSetAcquiredUnsafe;
} EPROCESS, *PEPROCESS;
The driver compiles fine, but my computer restarts when I try to use your exe with the driver I compiled.
If you can tell me what is wrong here, it would be great.
Thanks
Ramiz said this on November 1, 2009 at 8:19 pm
My installed version of WDK is 6001.18001.
Rhys M. said this on November 2, 2009 at 9:26 am
Hello,
thanks for your reply,
but I want to know which EPROCESS structure you used, or where you got it from?
Ramiz said this on November 2, 2009 at 2:06 pm
[...] have attached an updated version of my NtOpenProcessHook below with the fix. The hack (this is too crude to be a fix!) lies in the RetrievePID() function. [...]
[ General Problem ] EPROCESS-ImageFileName + NtOpenProcessHook said this on November 21, 2009 at 10:01 pm
Hi,
I can’t seem to download the sources, is the link broken?
moo0 said this on December 30, 2009 at 3:59 pm
Can you give me the content of the Makefile please… I can’t compile driver.c.
@Sorry for my English
gianghoplus said this on March 8, 2010 at 9:53 am
Hi!
gianghoplus, my MAKEFILE has this text in it:
!INCLUDE $(NTMAKEENV)\makefile.def
Just that line.
Mr Rhys, awesome code XD
and that ntifs.h helped a lot.
Good luck
JosexD said this on March 14, 2010 at 7:20 am
Hi Mr Rhys,
Sorry, because I’m stupid.
I tried to build with the WinDDK but it failed.
Can you give me the full project (makefile, makefile.def, source… etc.) as a zip?
Thanks so much!
————-
@Sorry for my English
gianghoplus said this on March 18, 2010 at 11:05 am
My error:
Microsoft (R) Program Maintenance Utility Version 9.00.30729.207
Copyright (C) Microsoft Corporation. All rights reserved.
BUILDMSG: _NT_TARGET_VERSION SET TO WINXP
C:\WinDDK\7600.16385.1\bin\makefile.new(7117) : fatal error U1087: cannot have : and :: dependents for same target
Stop.
C:\Documents and Settings\Nghiatd\Desktop\DriverHook\myDriv>
gianghoplus said this on March 18, 2010 at 11:14 am
Hi,
Is there any way we can hook the same function without using or knowing the call_number?
Neha said this on October 7, 2010 at 10:53 am