Path: news.mitre.org!blanket.mitre.org!nntprelay.mathworks.com!news-peer-east.sprintlink.net!news-peer.sprintlink.net!news.sprintlink.net!Sprint!cpk-news-hub1.bbnplanet.com!news.bbnplanet.com!news.mindspring.com!usenet
From: jmadsen@rci.rutgers.edu (John Madsen)
Newsgroups: comp.os.ms-windows.programmer.nt.kernel-mode,comp.os.ms-windows.programmer.win32
Subject: Re: Hook native NT-api's
Date: Wed, 28 Jan 1998 16:02:14 GMT
Organization: Rutgers Univ.
Lines: 57
Message-ID: <34d05680.51773526@news.mindspring.com>
References: <884709198.365034@news.knoware.nl>
NNTP-Posting-Host: user-38lcf5c.dialup.mindspring.com
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
X-Server-Date: 28 Jan 1998 13:03:34 GMT
X-Newsreader: Forte Agent 1.5/32.450
Xref: news.mitre.org comp.os.ms-windows.programmer.nt.kernel-mode:6743 comp.os.ms-windows.programmer.win32:97448

pweerd@medialab.nl (Peter v/d Weerd) wrote:

>Hi,
>
>I'm trying to hook native NT calls exported from NTDLL. It seems
>that importing functions from NTDLL is done in the same way as
>"normal" imports, and so hooking could be done by patching the
>function table in the client executable (the module using NTDLL).
>
>I used the method from Matt Pietrek for patching the import table,
>which works for non-NTDLL imports. The method finds the entry
>in the import table, but patching with WriteProcessMemory fails:
>invalid memory access.
>
>Code snippet:
>
>    // pThunk walks the IMAGE_THUNK_DATA array (the IAT) of the NTDLL
>    // import descriptor; pOldProc is the address to replace, pNewProc
>    // the replacement, cnt the number of entries patched.
>    for (; pThunk->u1.Function; pThunk++)
>    {
>        if (IsRequestedProc(pThunk->u1.Function, pOldProc))
>        {
>            cnt++;
>            DWORD cBytesMoved;
>
>            // Bash the import thunk. We have to use WriteProcessMemory,
>            // since the import table may be in a code section (courtesy
>            // of the NT 3.51 team!)
>
>            WriteProcessMemory(GetCurrentProcess(),
>                               &pThunk->u1.Function,
>                               &pNewProc, sizeof(pNewProc),
>                               &cBytesMoved);
>        }
>    }
>
>Any idea why this fails? Any ideas how to hook a native NT API
>otherwise?
>
>Peter

Here are three thoughts that might or might not be on target:

1. Are you set up as a debugger of the process? If not, WPM may fail
when writing to read-only memory. I'd guess you are debugging if you're
using Pietrek's method.

2. Try using VirtualProtectEx to set the relevant pages to read/write,
call WPM, and set the pages back to their original state.

3. MS put some evil anti-hacking code somewhere into NT to prevent this
sort of thing.

Hope this helps.

John Madsen
jmadsen@rci.rutgers.edu