www.pudn.com > hookN.zip > hooked_proc.cpp

extern "C" 
{ 
 
#include "hooked_proc.h" 
#include "debug.h" 
#include "func.h" 
 
NTSTATUS NewZwOpenProcess(PHANDLE ProcessHandle,ACCESS_MASK DesiredAccess,POBJECT_ATTRIBUTES ObjectAttributes,PCLIENT_ID ClientId); 
} //extern "C" 
 
 
/* 
 pointers to original functions 
*/ 
 
ZW_OPEN_PROCESS OldZwOpenProcess=NULL; 
 
 
/* 
 our implementation of ZwOpenProcess, this time we only log it and call  
 original code, run taskman after it is hooked and watch DebugView 
*/ 
 
NTSTATUS NewZwOpenProcess(PHANDLE ProcessHandle,ACCESS_MASK DesiredAccess,POBJECT_ATTRIBUTES ObjectAttributes,PCLIENT_ID ClientId) 
{ 
  DbgMsg("hooked_proc.cpp: NewZwOpenProcess(ProcessHandle:0x%.8X,DesiredAccess:0x%.8X,ObjectAttributes:0x%.8X,ClientId:0x%.8X)", 
         ProcessHandle,DesiredAccess,ObjectAttributes,ClientId); 
 
  int cid_valid=func_is_good_read_ptr(ClientId,sizeof(CLIENT_ID)); 
  if (cid_valid) 
  { 
    DbgMsg("hooked_proc.cpp: NewZwOpenProcess: ClientId->UniqueProcess=0x%.8X",ClientId->UniqueProcess); 
    DbgMsg("hooked_proc.cpp: NewZwOpenProcess: ClientId->UniqueThread=0x%.8X",ClientId->UniqueThread); 
  } 
 
  NTSTATUS status; 
 
  status=OldZwOpenProcess(ProcessHandle,DesiredAccess,ObjectAttributes,ClientId); 
 
  DbgMsg("hooked_proc.cpp: NewZwOpenProcess(-):0x%.8X",status); 
  return status; 
}