Pastebin PRO Accounts February SPECIAL! For a limited time only get 40% discount on a LIFETIME PRO account!

NtQueryVirtualMemory hook [MemorySectionName]

ahcript

Feb 7th, 2016 (edited)

115

When this paste gets automatically deleted

Never

raw download clone embed report print C++ 4.02 KB

#define CLOG_FILENAME "ntlog.log"
#define NTDLL GetModuleHandle(TEXT("ntdll.dll"))
// NtQueryVirtualMemory
typedef
NTSTATUS
(NTAPI *NtQueryVirtualMemory)(
_In_ HANDLE ProcessHandle,
_In_ PVOID BaseAddress,
_In_ MEMORY_INFORMATION_CLASS MemoryInformationClass,
_Out_ PVOID MemoryInformation,
_In_ ULONG MemoryInformationLength,
_Out_ PULONG ReturnLength OPTIONAL
);
// NtQueryInformationProcess
typedef
NTSTATUS
(NTAPI *NtQueryInformationProcess)(
_In_ HANDLE ProcessHandle,
_In_ PROCESS_INFORMATION_CLASS ProcessInformationClass,
_Out_ PVOID ProcessInformation,
_In_ ULONG ProcessInformationLength,
_Out_opt_ PULONG ReturnLength
);
static NtQueryVirtualMemory _NtQueryVirtualMemory = reinterpret_cast<NtQueryVirtualMemory>(GetProcAddress(NTDLL, "NtQueryVirtualMemory"));
static NtQueryInformationProcess _NtQueryInformationProcess = reinterpret_cast<NtQueryInformationProcess>(GetProcAddress(NTDLL, "NtQueryInformationProcess"));
void LogOutputW(CONST TCHAR* lpwszFormat, ...)
{
va_list list;
FILE *f;
static TCHAR lpwszBuffer[1024];
va_start(list, lpwszFormat);
DWORD ulLength = wvsprintf(lpwszBuffer, lpwszFormat, list);
WriteConsole(GetStdHandle(STD_OUTPUT_HANDLE), lpwszBuffer, ulLength, new DWORD, nullptr);
if (!firstInit)
DeleteFile(TEXT(CLOG_FILENAME));
if (fopen_s(&f, CLOG_FILENAME, "a+") == 0)
{
firstInit = true;
vfwprintf(f, lpwszFormat, list);
fflush(f);
fclose(f);
}
va_end(list);
}
DWORD HandleToProcessID(HANDLE hProcess)
{
PROCESS_BASIC_INFORMATION pbi;
ZeroMemory(&pbi, sizeof(PROCESS_BASIC_INFORMATION));
NTSTATUS ntStatus = _NtQueryInformationProcess(hProcess, ProcessBasicInformation, &pbi, sizeof(PROCESS_BASIC_INFORMATION), NULL);
if (NT_SUCCESS(ntStatus))
return pbi.UniqueProcessId;
else
return (DWORD)-1;
}
void DeviceNameToPathName(_Out_ WCHAR* szPathName, _In_ const WCHAR* szDeviceName)
{
memset(szPathName, 0, MAX_PATH * 2);
wstring strDeviceName = szDeviceName;
size_t pos = strDeviceName.find(L'\\', 9);
wstring strTemp1 = strDeviceName.substr(0, pos);
wstring strTemp2 = strDeviceName.substr(pos + 1);
wstring strDriverLetter = g_mapDevice2Path[strTemp1];
wstring strPathName = strDriverLetter + strTemp2;
wcscpy_s(szPathName, MAX_PATH, strPathName.c_str());
}
VOID Detour_o_o()
{
static DWORD currentPID = GetCurrentProcessId();
NtQueryVirtualMemory NtQueryVirtualMemory__Hook = [](
_In_ HANDLE ProcessHandle,
_In_ PVOID BaseAddress,
_In_ MEMORY_INFORMATION_CLASS MemoryInformationClass,
_Out_ PVOID MemoryInformation,
_In_ ULONG MemoryInformationLength,
_Out_ PULONG ReturnLength OPTIONAL) -> NTSTATUS
{
BYTE szBuffer[MAX_PATH * 2 + 4];
TCHAR szModuleName[MAX_PATH];
TCHAR szPathName[MAX_PATH];
if (MemoryInformationClass == MemorySectionName)
{
NTSTATUS ntStatus1 = _NtQueryVirtualMemory(ProcessHandle, BaseAddress, MemoryInformationClass, &szBuffer, sizeof(szBuffer), ReturnLength);
if (NT_SUCCESS(ntStatus1))
{
PUNICODE_STRING pSectionName = (PUNICODE_STRING)szBuffer;
if (_wcsnicmp(szModuleName, pSectionName->Buffer, pSectionName->Length / sizeof(WCHAR)))
{
wcsncpy_s(szModuleName, pSectionName->Buffer, pSectionName->Length / sizeof(WCHAR));
szModuleName[pSectionName->Length / sizeof(WCHAR)] = UNICODE_NULL;
DeviceNameToPathName(szPathName, szModuleName);
if (HandleToProcessID(ProcessHandle) == currentPID)
{
LogOutputW(L"[0x%.8x]\t%s\n", (DWORD)BaseAddress, szPathName);
}
else
{
LogOutputW(L"[PID:%d]\t[0x%.8x]\t%s\n", HandleToProcessID(ProcessHandle), (DWORD)BaseAddress, szPathName);
}
}
}
}
return _NtQueryVirtualMemory(ProcessHandle, BaseAddress, MemoryInformationClass, MemoryInformation, MemoryInformationLength, ReturnLength);
};
DetourFunction(TRUE, reinterpret_cast<LPVOID*>(&_NtQueryVirtualMemory), NtQueryVirtualMemory__Hook);
}

RAW Paste Data

#define CLOG_FILENAME "ntlog.log"
#define NTDLL GetModuleHandle(TEXT("ntdll.dll"))

// NtQueryVirtualMemory
typedef
NTSTATUS
(NTAPI *NtQueryVirtualMemory)(
	_In_  HANDLE				   ProcessHandle,
	_In_  PVOID					   BaseAddress,
	_In_  MEMORY_INFORMATION_CLASS MemoryInformationClass,
	_Out_ PVOID					   MemoryInformation,
	_In_  ULONG					   MemoryInformationLength,
	_Out_ PULONG				   ReturnLength OPTIONAL
	);


// NtQueryInformationProcess
typedef
NTSTATUS
(NTAPI *NtQueryInformationProcess)(
	_In_      HANDLE					ProcessHandle,
	_In_      PROCESS_INFORMATION_CLASS ProcessInformationClass,
	_Out_     PVOID						ProcessInformation,
	_In_      ULONG						ProcessInformationLength,
	_Out_opt_ PULONG					ReturnLength
	);

static NtQueryVirtualMemory _NtQueryVirtualMemory = reinterpret_cast<NtQueryVirtualMemory>(GetProcAddress(NTDLL, "NtQueryVirtualMemory"));
static NtQueryInformationProcess _NtQueryInformationProcess = reinterpret_cast<NtQueryInformationProcess>(GetProcAddress(NTDLL, "NtQueryInformationProcess"));



void LogOutputW(CONST TCHAR* lpwszFormat, ...)
{
	va_list list;
	FILE *f;
	static TCHAR lpwszBuffer[1024];

	va_start(list, lpwszFormat);

	DWORD ulLength = wvsprintf(lpwszBuffer, lpwszFormat, list);
	WriteConsole(GetStdHandle(STD_OUTPUT_HANDLE), lpwszBuffer, ulLength, new DWORD, nullptr);

	if (!firstInit)
		DeleteFile(TEXT(CLOG_FILENAME));

	if (fopen_s(&f, CLOG_FILENAME, "a+") == 0)
	{
		firstInit = true;
		vfwprintf(f, lpwszFormat, list);
		fflush(f);
		fclose(f);
	}

	va_end(list);
}

DWORD HandleToProcessID(HANDLE hProcess)
{
	PROCESS_BASIC_INFORMATION pbi;
	ZeroMemory(&pbi, sizeof(PROCESS_BASIC_INFORMATION));

	NTSTATUS ntStatus = _NtQueryInformationProcess(hProcess, ProcessBasicInformation, &pbi, sizeof(PROCESS_BASIC_INFORMATION), NULL);
	if (NT_SUCCESS(ntStatus))
		return pbi.UniqueProcessId;
	else
		return (DWORD)-1;
}

void DeviceNameToPathName(_Out_ WCHAR* szPathName, _In_ const WCHAR* szDeviceName)
{
	memset(szPathName, 0, MAX_PATH * 2);
	wstring strDeviceName = szDeviceName;
	size_t pos = strDeviceName.find(L'\\', 9);
	wstring strTemp1 = strDeviceName.substr(0, pos);
	wstring strTemp2 = strDeviceName.substr(pos + 1);
	wstring strDriverLetter = g_mapDevice2Path[strTemp1];
	wstring strPathName = strDriverLetter + strTemp2;

	wcscpy_s(szPathName, MAX_PATH, strPathName.c_str());
}

VOID Detour_o_o()
{
	static DWORD currentPID = GetCurrentProcessId();

	NtQueryVirtualMemory NtQueryVirtualMemory__Hook = [](
		_In_  HANDLE				   ProcessHandle,
		_In_  PVOID					   BaseAddress,
		_In_  MEMORY_INFORMATION_CLASS MemoryInformationClass,
		_Out_ PVOID					   MemoryInformation,
		_In_  ULONG					   MemoryInformationLength,
		_Out_ PULONG				   ReturnLength OPTIONAL) -> NTSTATUS
	{
		BYTE szBuffer[MAX_PATH * 2 + 4];
		TCHAR szModuleName[MAX_PATH];
		TCHAR szPathName[MAX_PATH];

		if (MemoryInformationClass == MemorySectionName)
		{
			NTSTATUS ntStatus1 = _NtQueryVirtualMemory(ProcessHandle, BaseAddress, MemoryInformationClass, &szBuffer, sizeof(szBuffer), ReturnLength);

			if (NT_SUCCESS(ntStatus1))
			{
				PUNICODE_STRING pSectionName = (PUNICODE_STRING)szBuffer;

				if (_wcsnicmp(szModuleName, pSectionName->Buffer, pSectionName->Length / sizeof(WCHAR)))
				{
					wcsncpy_s(szModuleName, pSectionName->Buffer, pSectionName->Length / sizeof(WCHAR));
					szModuleName[pSectionName->Length / sizeof(WCHAR)] = UNICODE_NULL;
					DeviceNameToPathName(szPathName, szModuleName);

					if (HandleToProcessID(ProcessHandle) == currentPID)
					{
						LogOutputW(L"[0x%.8x]\t%s\n", (DWORD)BaseAddress, szPathName);
					}
					else
					{
						LogOutputW(L"[PID:%d]\t[0x%.8x]\t%s\n", HandleToProcessID(ProcessHandle), (DWORD)BaseAddress, szPathName);
					}
				}
			}
		}

		return _NtQueryVirtualMemory(ProcessHandle, BaseAddress, MemoryInformationClass, MemoryInformation, MemoryInformationLength, ReturnLength);
	};

	DetourFunction(TRUE, reinterpret_cast<LPVOID*>(&_NtQueryVirtualMemory), NtQueryVirtualMemory__Hook);
}