Path: news.mitre.org!blanket.mitre.org!philabs!newsjunkie.ans.net!newsfeeds.ans.net!news-was.dfn.de!news-spur1.maxwell.syr.edu!news.maxwell.syr.edu!dispose.news.demon.net!demon!bullseye.news.demon.net!demon!sun4nl!Utrecht.NL.net!not-for-mail
From: pweerd@medialab.nl (Peter v/d Weerd)
Newsgroups: comp.os.ms-windows.programmer.nt.kernel-mode,comp.os.ms-windows.programmer.win32
Subject: Hook native NT-api's
Date: Tue, 13 Jan 1998 16:41:07 GMT
Organization: Knoware B.V.
Message-ID: <884709198.365034@news.knoware.nl>
Reply-To: pweerd@medialab.nl
NNTP-Posting-Host: news.knoware.nl
X-Newsreader: Forte Agent .99b.112
Cache-Post-Path: news.knoware.nl!unknown@193.78.125.57
Lines: 40
Xref: news.mitre.org comp.os.ms-windows.programmer.nt.kernel-mode:6385 comp.os.ms-windows.programmer.win32:96116

Hi,

I'm trying to hook native NT calls exported from NTDLL. It seems that
importing functions from NTDLL is done in the same way as "normal"
imports, and so hooking could be done by patching the function table in
the client executable (the module using NTDLL).

I used the method from Matt Pietrek for patching the import table, which
works for non-NTDLL imports. The method finds the entry in the import
table, but patching with WriteProcessMemory fails: invalid memory access.

Code snippet:

    // pThunk walks the IAT (FirstThunk array) of the import descriptor
    // for NTDLL; IsRequestedProc compares the slot's value with the
    // address of the function we want to replace.
    for (; pThunk->u1.Function; pThunk++)
    {
        if (IsRequestedProc (pThunk->u1.Function, pOldProc))
        {
            cnt++;
            DWORD cBytesMoved;
            // Bash the import thunk. We have to use WriteProcessMemory,
            // since the import table may be in a code section (courtesy
            // of the NT 3.51 team!)
            WriteProcessMemory( GetCurrentProcess(),
                                &pThunk->u1.Function,
                                &pNewProc,
                                sizeof(pNewProc),
                                &cBytesMoved );
        }
    }

Any idea why this fails? Any ideas how to hook a native NT API otherwise?

Peter
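The import-table walk the post refers to, as an added example that is not the poster's code and not Pietrek's: it locates the IAT slot for a named import and overwrites it. Instead of comparing slot values against a resolved address (as the snippet above does), it matches the import by name through the import name table (OriginalFirstThunk), which is what identifies a slot even before the loader has filled it in. To keep it compilable without the Windows SDK, the PE32 import structures are redeclared with the same layout as winnt.h, and the "loaded module" is a constructed in-memory image where RVA equals offset; the descriptor RVA is passed in explicitly rather than read from the optional header's import data directory. The function names, addresses and the 0x100/0x200/0x300/0x400 layout are all made up for the example.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <strings.h>   /* strcasecmp */

/* PE32 import structures, same layout as IMAGE_IMPORT_DESCRIPTOR in
   <winnt.h>, redeclared so this builds without the Windows SDK. */
typedef struct {
    uint32_t OriginalFirstThunk;  /* RVA of the import name table (INT) */
    uint32_t TimeDateStamp;
    uint32_t ForwarderChain;
    uint32_t Name;                /* RVA of the DLL name, e.g. "NTDLL.DLL" */
    uint32_t FirstThunk;          /* RVA of the import address table (IAT) */
} ImportDescriptor;

#define IMAGE_ORDINAL_FLAG32 0x80000000u   /* INT entry is an ordinal, not a name */

/* Constructed stand-in for a loaded module: RVA == offset into this buffer.
   Layout (assumed for the example): descriptors, INT, IAT, name strings. */
static uint8_t g_image[0x1000];
enum { RVA_DESC = 0x100, RVA_INT = 0x200, RVA_IAT = 0x300, RVA_NAMES = 0x400 };

/* Emit an IMAGE_IMPORT_BY_NAME record (uint16 hint + NUL-terminated name). */
static uint32_t put_name(uint32_t *cursor, uint16_t hint, const char *s) {
    uint32_t rva = *cursor;
    memcpy(g_image + rva, &hint, sizeof hint);
    strcpy((char *)g_image + rva + 2, s);
    *cursor += 2 + (uint32_t)strlen(s) + 1;
    *cursor = (*cursor + 1) & ~1u;          /* keep records 2-byte aligned */
    return rva;
}

/* Build the fake image: one descriptor for NTDLL.DLL importing two names.
   The IAT values stand for addresses the loader would have resolved. */
uint8_t *build_image(void) {
    memset(g_image, 0, sizeof g_image);
    uint32_t names = RVA_NAMES;
    uint32_t dllname = names;
    strcpy((char *)g_image + names, "NTDLL.DLL");
    names += (uint32_t)strlen("NTDLL.DLL") + 1;

    uint32_t n1 = put_name(&names, 1, "NtClose");
    uint32_t n2 = put_name(&names, 2, "NtOpenFile");

    uint32_t *int_ = (uint32_t *)(g_image + RVA_INT);
    uint32_t *iat  = (uint32_t *)(g_image + RVA_IAT);
    int_[0] = n1;          int_[1] = n2;          int_[2] = 0;
    iat[0]  = 0x77F01234u; iat[1]  = 0x77F05678u; iat[2]  = 0;  /* made-up addresses */

    ImportDescriptor *d = (ImportDescriptor *)(g_image + RVA_DESC);
    d[0].OriginalFirstThunk = RVA_INT;
    d[0].Name = dllname;
    d[0].FirstThunk = RVA_IAT;
    memset(&d[1], 0, sizeof d[1]);          /* all-zero descriptor terminates the table */
    return g_image;
}

/* Walk the descriptors for `dll`, then walk its INT and IAT in lockstep:
   INT[i] names the import, IAT[i] is the slot the caller jumps through.
   Returns a pointer to the IAT slot or NULL if not imported by name. */
uint32_t *find_iat_slot(uint8_t *base, uint32_t desc_rva,
                        const char *dll, const char *func) {
    const ImportDescriptor *d = (const ImportDescriptor *)(base + desc_rva);
    for (; d->Name != 0; d++) {
        if (strcasecmp((const char *)base + d->Name, dll) != 0) continue;
        if (d->OriginalFirstThunk == 0) continue;  /* no INT: would need address matching */
        const uint32_t *names = (const uint32_t *)(base + d->OriginalFirstThunk);
        uint32_t *iat = (uint32_t *)(base + d->FirstThunk);
        for (size_t i = 0; names[i] != 0; i++) {
            if (names[i] & IMAGE_ORDINAL_FLAG32) continue;   /* ordinal import, no name */
            const char *name = (const char *)base + (names[i] & 0x7FFFFFFFu) + 2; /* skip hint */
            if (strcmp(name, func) == 0) return &iat[i];
        }
    }
    return NULL;
}

/* Redirect the import: store the hook address in the slot, return the
   original so the hook can chain to it. Returns 0 if the slot is missing. */
uint32_t hook_import(uint8_t *base, uint32_t desc_rva,
                     const char *dll, const char *func, uint32_t new_addr) {
    uint32_t *slot = find_iat_slot(base, desc_rva, dll, func);
    if (!slot) return 0;
    uint32_t old = *slot;
    /* In a real process the IAT page may be read-only or inside a code
       section, so this store would be wrapped in VirtualProtect(PAGE_READWRITE)
       and a restore, or done via WriteProcessMemory(GetCurrentProcess(), ...).
       The constructed image is ordinary writable memory, so a plain store works. */
    *slot = new_addr;
    return old;
}

int main(void) {
    uint8_t *img = build_image();
    uint32_t old = hook_import(img, RVA_DESC, "ntdll.dll", "NtClose", 0x00401000u);
    printf("NtClose slot: %08x -> %08x\n", old, *find_iat_slot(img, RVA_DESC, "ntdll.dll", "NtClose"));
    return 0;
}
```

The DLL comparison is case-insensitive because linkers emit the name in whatever case the import library used; the function name comparison is exact. A hook installed this way only catches calls that go through this module's IAT: calls ntdll makes internally, or calls through a pointer obtained from GetProcAddress, never touch the slot.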