I am trying to Create a Hook for CreateFile, so when a process tryies to create a file
the hookdll we created will notify the user that: "this process xx.exe trying to create xx.exe, Do you want to proceceed?"
So far i am here, So What i need to modify in this code:
library CreateFileHook;
uses
Windows, Dialogs, SysUtils;
type
OldCode = packed record
One: dword;
two: word;
end;
far_jmp = packed record
PuhsOp: byte;
PushArg: pointer;
RetOp: byte;
end;
var
JmpCfw, JmpCfa: far_jmp;
OldCfw, OldCfa: OldCode;
CfwAdr, CfaAdr: pointer;
function NewCreateFileA(lpFileName: PChar;
dwDesiredAccess: DWORD;
dwShareMode: DWORD;
lpSecurityAttributes: PSecurityAttributes;
dwCreationDisposition: DWORD;
dwFlagsAndAttributes: DWORD;
hTemplateFile: THandle): THandle; stdcall;
var
file_name: PWideChar;
name_len: dword;
begin
name_len := lstrlen(lpFileName) * SizeOf(WideChar) + 2;
GetMem(file_name, name_len);
StringToWideChar(lpFileName, file_name, name_len);
CreateFileW(file_name, dwDesiredAccess, dwShareMode, lpSecurityAttributes,
dwCreationDisposition, dwFlagsAndAttributes, hTemplateFile);
FreeMem(file_name);
end;
function TrueCreateFileW(lpFileName: PWideChar;
dwDesiredAccess: DWORD;
dwShareMode: DWORD;
lpSecurityAttributes: PSecurityAttributes;
dwCreationDisposition: DWORD;
dwFlagsAndAttributes: DWORD;
hTemplateFile: THandle): THandle; stdcall;
var
Written: dword;
begin
WriteProcessMemory(INVALID_HANDLE_VALUE, CfwAdr,
#OldCfw, SizeOf(OldCode), Written);
CreateFileW(lpFileName,
dwDesiredAccess,
dwShareMode,
lpSecurityAttributes,
dwCreationDisposition,
dwFlagsAndAttributes,
hTemplateFile);
WriteProcessMemory(INVALID_HANDLE_VALUE, CfwAdr,
#JmpCfw, SizeOf(far_jmp), Written);
end;
function NewCreateFileW(lpFileName: PWideChar;
dwDesiredAccess: DWORD;
dwShareMode: DWORD;
lpSecurityAttributes: PSecurityAttributes;
dwCreationDisposition: DWORD;
dwFlagsAndAttributes: DWORD;
hTemplateFile: THandle): THandle; stdcall;
begin
TrueCreateFileW(lpFileName,
dwDesiredAccess,
dwShareMode,
lpSecurityAttributes,
dwCreationDisposition,
dwFlagsAndAttributes,
hTemplateFile);
end;
Procedure SetHook();
var
kernel32: dword;
Bytes: dword;
begin
kernel32 := GetModuleHandle('Kernel32.dll');
CfwAdr := GetProcAddress(kernel32, 'CreateFileW');
CfaAdr := GetProcAddress(kernel32, 'CreateFileA');
ReadProcessMemory(INVALID_HANDLE_VALUE, CfwAdr, #OldCfw, SizeOf(OldCode), Bytes);
ReadProcessMemory(INVALID_HANDLE_VALUE, CfaAdr, #OldCfa, SizeOf(OldCode), Bytes);
JmpCfw.PuhsOp := $68;
JmpCfw.PushArg := #NewCreateFileW;
JmpCfw.RetOp := $C3;
JmpCfa.PuhsOp := $68;
JmpCfa.PushArg := #NewCreateFileA;
JmpCfa.RetOp := $C3;
WriteProcessMemory(INVALID_HANDLE_VALUE, CfwAdr, #JmpCfw, SizeOf(far_jmp), Bytes);
WriteProcessMemory(INVALID_HANDLE_VALUE, CfaAdr, #JmpCfa, SizeOf(far_jmp), Bytes);
end;
Procedure Unhook();
var
Bytes: dword;
begin
WriteProcessMemory(INVALID_HANDLE_VALUE, CfaAdr, #OldCfa, SizeOf(OldCode), Bytes);
WriteProcessMemory(INVALID_HANDLE_VALUE, CfwAdr, #OldCfw, SizeOf(OldCode), Bytes);
end;
Function MessageProc(code : integer; wParam : word;
lParam : longint) : longint; stdcall;
begin
CallNextHookEx(0, Code, wParam, lparam);
Result := 0;
end;
Procedure SetGlobalHookProc();
begin
SetWindowsHookEx(WH_GETMESSAGE, #MessageProc, HInstance, 0);
Sleep(INFINITE);
end;
Procedure SetGlobalHook();
var
hMutex: dword;
TrId: dword;
begin
hMutex := CreateMutex(nil, false, 'CreateFileHook');
if GetLastError = 0 then
CreateThread(nil, 0, #SetGlobalHookProc, nil, 0, TrId) else
CloseHandle(hMutex);
end;
procedure DLLEntryPoint(dwReason: DWord);
begin
case dwReason of
DLL_PROCESS_ATTACH: begin
SetGlobalHook();
Randomize();
SetHook()
end;
DLL_PROCESS_DETACH: UnHook();
end;
end;
begin
DllProc := #DLLEntryPoint;
DLLEntryPoint(DLL_PROCESS_ATTACH);
end.
At a quick glance, I see several problems with this code. Where did you get this from? I don't have a reference handy but I'm pretty sure you can find working examples of what you're trying to do on the web.
You shouldn't have to use Read/WriteProcessMemory since you're inside the process you're trying to modify - Windows will do copy-on-write for you.
If you do want/need to use Read/WriteProcessMemory the way to get a handle to use is OpenProcess.
This hook code is not reentrant - one thread may be exiting ReadFile, restoring the redirect code right before another thread attempt to call it but after that second thread thinks it's just 'repaired' it.
A cleaner way to do this is to save the pointer in the import address table that points to the function you wish to hook, then modify that to call your hook routine. Now you can use the saved pointer to call the original routine from within the hook.
Once (if) you get this working, be prepared to see a LOT of calls to CreateFile. CreateFile is used for creating/opening lots of stuff besides physical files, e.g. COM ports, pipes, console buffers, whatnot.
Related
I'm hooking GetWindowThreadProcessId() with sucess using the following code.
Now i want check if dwProcessID parameter corresponds to id of determinated process and in positive case prevent execute original function:
Result := OldGetWindowThreadProcessId(hWnd, dwProcessID);
I tried this, but not worked:
if dwProcessID = 12345 then exit;
Here is my complete code:
library MyLIB;
uses
Windows,
ImageHlp;
{$R *.res}
type
PGetWindowThreadProcessId = function(hWnd: THandle; dwProcessID: DWord)
: DWord; stdcall;
var
OldGetWindowThreadProcessId: PGetWindowThreadProcessId;
function HookGetWindowThreadProcessId(hWnd: THandle; dwProcessID: DWord)
: DWord; stdcall;
begin
try
// Check if is some process
except
MessageBox(0, 'Error', 'HookGetWindowThreadProcessId Error', 0);
end;
Result := OldGetWindowThreadProcessId(hWnd, dwProcessID);
end;
procedure PatchIAT(strMod: PAnsichar; Alt, Neu: Pointer);
var
pImportDir: pImage_Import_Descriptor;
size: CardinaL;
Base: CardinaL;
pThunk: PDWORD;
begin
Base := GetModuleHandle(nil);
pImportDir := ImageDirectoryEntryToData(Pointer(Base), True,
IMAGE_DIRECTORY_ENTRY_IMPORT, size);
while pImportDir^.Name <> 0 Do
begin
If (lstrcmpiA(PAnsichar(pImportDir^.Name + Base), strMod) = 0) then
begin
pThunk := PDWORD(Base + pImportDir^.FirstThunk);
While pThunk^ <> 0 Do
begin
if DWord(Alt) = pThunk^ Then
begin
pThunk^ := CardinaL(Neu);
end;
Inc(pThunk);
end;
end;
Inc(pImportDir);
end;
end;
procedure DllMain(reason: Integer);
begin
case reason of
DLL_PROCESS_ATTACH:
begin
OldGetWindowThreadProcessId := GetProcAddress(GetModuleHandle(user32),
'GetWindowThreadProcessId');
PatchIAT(user32, GetProcAddress(GetModuleHandle(user32),
'GetWindowThreadProcessId'), #HookGetWindowThreadProcessId);
end;
DLL_PROCESS_DETACH:
begin
end;
end;
end;
begin
DllProc := #DllMain;
DllProc(DLL_PROCESS_ATTACH);
end.
Your PGetWindowThreadProcessId type and HookGetWindowThreadProcessId() function are both declaring the dwProcessID parameter incorrectly. It is an output parameter, so it needs to be declared as either var dwProcessID: DWord or as dwProcessID: PDWord.
And then you need to call OldGetWindowThreadProcessId() to retrieve the actual PID before you can then compare it to anything. So your requirement of "in positive case prevent execute original function" is not realistic, because you need to execute the original function in order to determine the dwProcessID value to compare with.
Try this instead:
type
PGetWindowThreadProcessId = function(hWnd: THandle; var dwProcessID: DWord): DWord; stdcall;
...
function HookGetWindowThreadProcessId(hWnd: THandle; var dwProcessID: DWord): DWord; stdcall;
begin
Result := OldGetWindowThreadProcessId(hWnd, dwProcessID);
try
if dwProcessID = ... then
...
except
MessageBox(0, 'Error', 'HookGetWindowThreadProcessId Error', 0);
end;
end;
How to ping an IP address (or by server name) in Delphi 10.1 without using Indy components? TIdICMPClient works with elevated privileges but I want to do it as a normal user.
The other answers had some things missing from them.
Here is a complete unit that does the trick:
unit Ping2;
interface
function PingHost(const HostName: AnsiString; TimeoutMS: cardinal = 500): boolean;
implementation
uses Windows, SysUtils, WinSock;
function IcmpCreateFile: THandle; stdcall; external 'iphlpapi.dll';
function IcmpCloseHandle(icmpHandle: THandle): boolean; stdcall;
external 'iphlpapi.dll';
function IcmpSendEcho(icmpHandle: THandle; DestinationAddress: In_Addr;
RequestData: Pointer; RequestSize: Smallint; RequestOptions: Pointer;
ReplyBuffer: Pointer; ReplySize: DWORD; Timeout: DWORD): DWORD; stdcall;
external 'iphlpapi.dll';
type
TEchoReply = packed record
Addr: In_Addr;
Status: DWORD;
RoundTripTime: DWORD;
end;
PEchoReply = ^TEchoReply;
var
WSAData: TWSAData;
procedure Startup;
begin
if WSAStartup($0101, WSAData) <> 0 then
raise Exception.Create('WSAStartup');
end;
procedure Cleanup;
begin
if WSACleanup <> 0 then
raise Exception.Create('WSACleanup');
end;
function PingHost(const HostName: AnsiString;
TimeoutMS: cardinal = 500): boolean;
const
rSize = $400;
var
e: PHostEnt;
a: PInAddr;
h: THandle;
d: string;
r: array [0 .. rSize - 1] of byte;
i: cardinal;
begin
Startup;
e := gethostbyname(PAnsiChar(HostName));
if e = nil then
RaiseLastOSError;
if e.h_addrtype = AF_INET then
Pointer(a) := e.h_addr^
else
raise Exception.Create('Name doesn''t resolve to an IPv4 address');
d := FormatDateTime('yyyymmddhhnnsszzz', Now);
h := IcmpCreateFile;
if h = INVALID_HANDLE_VALUE then
RaiseLastOSError;
try
i := IcmpSendEcho(h, a^, PChar(d), Length(d), nil, #r[0], rSize, TimeoutMS);
Result := (i <> 0) and (PEchoReply(#r[0]).Status = 0);
finally
IcmpCloseHandle(h);
end;
Cleanup;
end;
end.
You can call it with a click event like this:
procedure TForm1.button1Click(Sender: TObject);
begin
if PingHost('172.16.24.2') then
ShowMessage('WORKED')
else
ShowMessage('FAILED');
end;
Remember to add the "Ping2" unit in your uses list.
Use the Windows API.
Something like this crude translation from: https://msdn.microsoft.com/en-us/library/windows/desktop/aa366050(v=vs.85).aspx
Should do the trick.
var
ICMPFile: THandle;
IpAddress: ULONG;
SendData: array[0..31] of AnsiChar;
ReplyBuffer: PICMP_ECHO_REPLY;
ReplySize: DWORD;
NumResponses: DWORD;
begin
IpAddress:= inet_addr('127.0.0.1');
SendData := 'Data Buffer';
IcmpFile := IcmpCreateFile;
if IcmpFile <> INVALID_HANDLE_VALUE then
try
ReplySize:= SizeOf(ICMP_ECHO_REPLY) + SizeOf(SendData);
GetMem(ReplyBuffer, ReplySize);
try
NumResponses := IcmpSendEcho(IcmpFile, IPAddress, #SendData, SizeOf(SendData),
nil, ReplyBuffer, ReplySize, 1000);
if (NumResponses <> 0) then begin
Writeln(Format('Received %d icmp message responses', [NumResponses]));
Writeln('Information from the first response:');
Writeln(Format('Received from %s', [inet_ntoa(in_addr(ReplyBuffer.Address))]));
Writeln(Format('Data: %s', [PAnsiChar(ReplyBuffer.Data)]));
Writeln(Format('Status = %d', [ReplyBuffer.Status]));
WriteLn(Format('Roundtrip time = %d milliseconds',[ReplyBuffer.RoundTripTime]));
end else begin
WriteLn('Call to IcmpSendEcho failed');
WriteLn(Format('IcmpSendEcho returned error: %d', [GetLastError]));
end;
finally
FreeMem(ReplyBuffer);
end;
finally
IcmpCloseHandle(IcmpFile);
end
else begin
Writeln('Unable to open handle');
Writeln(Format('IcmpCreateFile returned error: %d', [GetLastError]));
end;
Here is a Delphi unit which does the ping with a timeout:
unit Ping2;
interface
function PingHost(const HostName:string;TimeoutMS:cardinal=500):boolean;
implementation
uses Windows, SysUtils, WinSock, Sockets;
function IcmpCreateFile:THandle; stdcall; external 'iphlpapi.dll';
function IcmpCloseHandle(icmpHandle:THandle):boolean; stdcall; external 'iphlpapi.dll'
function IcmpSendEcho(IcmpHandle:THandle;DestinationAddress:In_Addr;RequestData:Pointer;
RequestSize:Smallint;RequestOptions:pointer;ReplyBuffer:Pointer;ReplySize:DWORD;
Timeout:DWORD):DWORD; stdcall; external 'iphlpapi.dll';
type
TEchoReply=packed record
Addr:in_addr;
Status:DWORD;
RoundTripTime:DWORD;
//DataSize:
//Reserved:
//Data:pointer;
//Options:
end;
PEchoReply=^TEchoReply;
function PingHost(const HostName:string;TimeoutMS:cardinal=500):boolean;
const
rSize=$400;
var
e:PHostEnt;
a:PInAddr;
h:THandle;
d:string;
r:array[0..rSize-1] of byte;
i:cardinal;
begin
//assert WSAStartup called
e:=gethostbyname(PChar(HostName));
if e=nil then RaiseLastOSError;
if e.h_addrtype=AF_INET then pointer(a):=e.h_addr^ else raise Exception.Create('Name doesn''t resolve to an IPv4 address');
d:=FormatDateTime('yyyymmddhhnnsszzz',Now);
h:=IcmpCreateFile;
if h=INVALID_HANDLE_VALUE then RaiseLastOSError;
try
i:=IcmpSendEcho(h,a^,PChar(d),Length(d),nil,#r[0],rSize,TimeoutMS);
Result:=(i<>0) and (PEchoReply(#r[0]).Status=0);
finally
IcmpCloseHandle(h);
end;
end;
end.
Currently i check if a HWND is a console by EnumWindows and checking the ClassName.
function EnumWindows(AHandle: HWND; AParam: LPARAM): BOOL; stdcall;
var
classname: array[0.. 255] of Char;
begin
GetClassName(AHandle, classname, 255);
if classname = 'ConsoleWindowClass' then
begin
// do something
Result := False;
end
else
Result := True;
end;
I am wondering if there is a better way to accomplish something like this?
Would checking the Style (or/and ExStyle) be "better"?
You can use AttachConsole and FreeConsole do detect if other processes provide a console. One other thing to mind: there are processes with no console windows which allo AttachConsole - here GetConsoleWindow returns 0. There is a very good explanation of this behaviour in this github repository.
Declarations:
function AttachConsole(dwProcessID: Integer): Boolean; stdcall; external 'kernel32.dll';
function FreeConsole(): Boolean; stdcall; external 'kernel32.dll';
function GetConsoleWindow: HWND; stdcall; external kernel32;
Enumerate Processes:
procedure TForm2.FindConsoleWindows(AList: TListBox);
var
LProcHandle: THandle;
LResult, LNext: Boolean;
LProc: TProcessEntry32;
begin
aList.Items.Clear;
LProcHandle := CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0);
LResult := LProcHandle <> INVALID_HANDLE_VALUE;
if LResult then
try
LProc.dwSize := SizeOf(LProc);
LNext := Process32First(LProcHandle, LProc);
while LNext do begin
if AttachConsole(LProc.th32ProcessID) then
try
AList.Items.Add(IntToStr(LProc.th32ProcessID) + ' has a console ' + IntToStr(GetConsoleWindow()))
finally
FreeConsole();
end;
LNext := Process32Next(LProcHandle, LPRoc);
end;
finally
CloseHandle(LProcHandle);
end;
Credits:
JclSysInfo.pas to enumerate the processes
I would like to use Process32FirstW but I get ERROR_BAD_LENGTH when I call GetLastError. Using tlhelp32 seems to work but I would like to know what I do wrong here:
program Project1;
{$APPTYPE CONSOLE}
uses
Windows;
type
PROCESSENTRY32W = record
dwSize: Cardinal;
cntUsage: Cardinal;
th32ProcessID: Cardinal; // this process
th32DefaultHeapID: Pointer;
th32ModuleID: Cardinal; // associated exe
cntThreads: Cardinal;
th32ParentProcessID: Cardinal; // this process's parent process
pcPriClassBase: Longint; // Base priority of process's threads
dwFlags: Cardinal;
szExeFile: array[0..MAX_PATH - 1] of WideChar;// Path
end;
function Process32NextW (hSnapshot: Cardinal; var lppe: PROCESSENTRY32W): LongBool; external 'kernel32';
function Process32FirstW (hSnapshot: Cardinal; var lppe: PROCESSENTRY32W): LongBool; external 'kernel32';
function CreateToolhelp32Snapshot (dwFlags, th32ProcessID: Cardinal): Cardinal; external 'kernel32';
function GetParentPID : Cardinal;
var
HandleSnapShot : Cardinal;
EntryParentProc : PROCESSENTRY32W;
CurrentProcessId : Cardinal;
begin
result := 0;
HandleSnapShot := CreateToolhelp32Snapshot($00000002, 0);
if HandleSnapShot <> Cardinal(-1) then begin
EntryParentProc.dwSize := SizeOf(PROCESSENTRY32W);
if Process32FirstW(HandleSnapShot, EntryParentProc) then begin
CurrentProcessId := GetCurrentProcessId;
repeat
if EntryParentProc.th32ProcessID = CurrentProcessId then begin
result := EntryParentProc.th32ParentProcessID;
break;
end;
until not Process32NextW(HandleSnapShot, EntryParentProc);
end else begin
writeln(GetLastError);
end;
CloseHandle(HandleSnapShot);
end;
end;
begin
writeln (GetParentPID);
readln;
end.
function Process32NextW (hSnapshot: Cardinal; var lppe: PROCESSENTRY32W): LongBool; stdcall; external 'kernel32';
You omitted stdcall;. Calling convention is important, and having this word lost, your code is calling API incorrectly getting you unpredictable result. So, you have to be
careful there.
I would like to know how I can find out which ports a program / process uses. I want to know the used ports from one process and write then in a label.
Is there a unit or function that is available?
You can use the GetExtendedTcpTable function passing the TCP_TABLE_OWNER_PID_ALL TableClass value , this will return a MIB_TCPTABLE_OWNER_PID structure which is an array to the MIB_TCPROW_OWNER_PID record , this structure contains the port number (dwLocalPort) and the PID (dwOwningPid) of the process, you can resolve the name of the PID using the CreateToolhelp32Snapshot function.
Sample
{$APPTYPE CONSOLE}
uses
WinSock,
TlHelp32,
Classes,
Windows,
SysUtils;
const
ANY_SIZE = 1;
iphlpapi = 'iphlpapi.dll';
TCP_TABLE_OWNER_PID_ALL = 5;
type
TCP_TABLE_CLASS = Integer;
PMibTcpRowOwnerPid = ^TMibTcpRowOwnerPid;
TMibTcpRowOwnerPid = packed record
dwState : DWORD;
dwLocalAddr : DWORD;
dwLocalPort : DWORD;
dwRemoteAddr: DWORD;
dwRemotePort: DWORD;
dwOwningPid : DWORD;
end;
PMIB_TCPTABLE_OWNER_PID = ^MIB_TCPTABLE_OWNER_PID;
MIB_TCPTABLE_OWNER_PID = packed record
dwNumEntries: DWORD;
table: Array [0..ANY_SIZE - 1] of TMibTcpRowOwnerPid;
end;
var
GetExtendedTcpTable:function (pTcpTable: Pointer; dwSize: PDWORD; bOrder: BOOL; lAf: ULONG; TableClass: TCP_TABLE_CLASS; Reserved: ULONG): DWord; stdcall;
function GetPIDName(hSnapShot: THandle; PID: DWORD): string;
var
ProcInfo: TProcessEntry32;
begin
ProcInfo.dwSize := SizeOf(ProcInfo);
if not Process32First(hSnapShot, ProcInfo) then
Result := 'Unknow'
else
repeat
if ProcInfo.th32ProcessID = PID then
Result := ProcInfo.szExeFile;
until not Process32Next(hSnapShot, ProcInfo);
end;
procedure ShowTCPPortsUsed(const AppName : string);
var
Error : DWORD;
TableSize : DWORD;
i : integer;
pTcpTable : PMIB_TCPTABLE_OWNER_PID;
SnapShot : THandle;
LAppName : string;
LPorts : TStrings;
begin
LPorts:=TStringList.Create;
try
TableSize := 0;
//Get the size o the tcp table
Error := GetExtendedTcpTable(nil, #TableSize, False, AF_INET, TCP_TABLE_OWNER_PID_ALL, 0);
if Error <> ERROR_INSUFFICIENT_BUFFER then exit;
GetMem(pTcpTable, TableSize);
try
SnapShot := CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0);
try
//get the tcp table data
if GetExtendedTcpTable(pTcpTable, #TableSize, TRUE, AF_INET, TCP_TABLE_OWNER_PID_ALL, 0) = NO_ERROR then
for i := 0 to pTcpTable.dwNumEntries - 1 do
begin
LAppName:=GetPIDName(SnapShot, pTcpTable.Table[i].dwOwningPid);
if SameText(LAppName, AppName) and (LPorts.IndexOf(IntToStr(pTcpTable.Table[i].dwLocalPort))=-1) then
LPorts.Add(IntToStr(pTcpTable.Table[i].dwLocalPort));
end;
finally
CloseHandle(SnapShot);
end;
finally
FreeMem(pTcpTable);
end;
Writeln(LPorts.Text);
finally
LPorts.Free;
end;
end;
var
hModule : THandle;
begin
try
hModule := LoadLibrary(iphlpapi);
try
GetExtendedTcpTable := GetProcAddress(hModule, 'GetExtendedTcpTable');
ShowTCPPortsUsed('Skype.exe');
finally
FreeLibrary(hModule);
end;
except
on E: Exception do
Writeln(E.ClassName, ': ', E.Message);
end;
Readln;
end.
In order to get the correct Port number you have to use ntohs()
if SameText(LAppName, AppName) and
(LPorts.IndexOf(IntToStr(pTcpTable.Table[i].dwLocalPort))=-1) then
LPorts.Add(IntToStr(ntohs(pTcpTable.Table[i].dwLocalPort)));
more info here