

extern "C" 
{ 
 
#include "hooked_proc.h" 
#include "debug.h" 
#include "func.h" 
 
NTSTATUS NewZwOpenProcess(PHANDLE ProcessHandle,ACCESS_MASK DesiredAccess,POBJECT_ATTRIBUTES ObjectAttributes,PCLIENT_ID ClientId); 
NTSTATUS NewZwOpenThread(PHANDLE ThreadHandle,ACCESS_MASK DesiredAccess,POBJECT_ATTRIBUTES ObjectAttributes,PCLIENT_ID ClientId); 
} //extern "C" 
 
 
/* 
 pointers to original functions 
*/ 
 
/* Saved entry points of the original ZwOpenProcess / ZwOpenThread.
   They are assigned elsewhere (not in this file); until then they are NULL,
   and NewZwOpenProcess / NewZwOpenThread below call through them. */
ZW_OPEN_PROCESS OldZwOpenProcess = NULL; 
ZW_OPEN_THREAD  OldZwOpenThread  = NULL; 
 
 
/* 
 our implementation of ZwOpenProcess: 
 first check whether the pid is protected; 
 if so, return STATUS_ACCESS_DENIED, 
 otherwise call the original function 
*/ 
 
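NTSTATUS NewZwOpenProcess(PHANDLE ProcessHandle,ACCESS_MASK DesiredAccess,POBJECT_ATTRIBUTES ObjectAttributes,PCLIENT_ID ClientId) 
{ 
  /* NOTE(review): %.8X prints pointer/handle arguments as 32-bit values; on a
     64-bit build that truncates them (%p would be the right conversion if
     DbgMsg supports it - not visible from this file). */
  DbgMsg("hooked_proc.cpp: NewZwOpenProcess(ProcessHandle:0x%.8X,DesiredAccess:0x%.8X,ObjectAttributes:0x%.8X,ClientId:0x%.8X)", 
         ProcessHandle,DesiredAccess,ObjectAttributes,ClientId); 
 
  /* ClientId is caller-supplied and may point into user memory.
     func_is_good_read_ptr decides whether it may be dereferenced; nothing in
     this file shows how it does so (NOTE(review): confirm it guards the
     access, not merely a NULL check). */
  int cid_valid=func_is_good_read_ptr(ClientId,sizeof(CLIENT_ID)); 
 
  /* Read the pid exactly once. The previous version dereferenced
     ClientId->UniqueProcess separately for the log line and for the
     protection check, so memory changing between the two reads could make
     the logged pid and the pid actually checked disagree. The original
     function re-reads the CLIENT_ID itself, so this only removes the
     window inside the hook, not the one between the hook and the callee. */
  HANDLE pid=NULL; 
  if (cid_valid) 
  { 
    pid=ClientId->UniqueProcess; 
    DbgMsg("hooked_proc.cpp: NewZwOpenProcess: ClientId->UniqueProcess=0x%.8X",pid); 
    DbgMsg("hooked_proc.cpp: NewZwOpenProcess: ClientId->UniqueThread=0x%.8X",ClientId->UniqueThread); 
  } 
 
  /* an unreadable ClientId is never treated as protected; the original
     function is left to reject it. ULONG_PTR keeps the handle-to-integer
     conversion well-defined on 64-bit builds. */
  int protect=cid_valid?func_check_process_protection((ULONG)(ULONG_PTR)pid):FALSE; 
 
  NTSTATUS status; 
  if (!protect) status=OldZwOpenProcess(ProcessHandle,DesiredAccess,ObjectAttributes,ClientId); 
  else status=STATUS_ACCESS_DENIED; 
 
  DbgMsg("hooked_proc.cpp: NewZwOpenProcess(-):0x%.8X",status); 
  return status; 
} 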
 
 
/* 
 our implementation of ZwOpenThread: 
 first check whether the pid is protected; 
 if so, return STATUS_ACCESS_DENIED, 
 otherwise call the original function 
*/ 
 
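NTSTATUS NewZwOpenThread(PHANDLE ThreadHandle,ACCESS_MASK DesiredAccess,POBJECT_ATTRIBUTES ObjectAttributes,PCLIENT_ID ClientId) 
{ 
  /* NOTE(review): %.8X prints pointer/handle arguments as 32-bit values; on a
     64-bit build that truncates them (%p would be the right conversion if
     DbgMsg supports it - not visible from this file). */
  DbgMsg("hooked_proc.cpp: NewZwOpenThread(ThreadHandle:0x%.8X,DesiredAccess:0x%.8X,ObjectAttributes:0x%.8X,ClientId:0x%.8X)", 
         ThreadHandle,DesiredAccess,ObjectAttributes,ClientId); 
 
  /* ClientId is caller-supplied and may point into user memory.
     func_is_good_read_ptr decides whether it may be dereferenced; nothing in
     this file shows how it does so (NOTE(review): confirm it guards the
     access, not merely a NULL check). */
  int cid_valid=func_is_good_read_ptr(ClientId,sizeof(CLIENT_ID)); 
 
  /* Read the pid exactly once, as in NewZwOpenProcess: the previous version
     dereferenced ClientId->UniqueProcess once for logging and again for the
     protection check, so the two could observe different values. The
     original function re-reads the CLIENT_ID itself, so only the window
     inside this hook is closed. */
  HANDLE pid=NULL; 
  if (cid_valid) 
  { 
    pid=ClientId->UniqueProcess; 
    DbgMsg("hooked_proc.cpp: NewZwOpenThread: ClientId->UniqueProcess=0x%.8X",pid); 
    DbgMsg("hooked_proc.cpp: NewZwOpenThread: ClientId->UniqueThread=0x%.8X",ClientId->UniqueThread); 
  } 
 
  /* The decision is keyed on ClientId->UniqueProcess only, the same field
     NewZwOpenProcess uses; the owning process of UniqueThread is not looked
     up here. An unreadable ClientId is never treated as protected; the
     original function is left to reject it. ULONG_PTR keeps the
     handle-to-integer conversion well-defined on 64-bit builds. */
  int protect=cid_valid?func_check_process_protection((ULONG)(ULONG_PTR)pid):FALSE; 
 
  NTSTATUS status; 
  if (!protect) status=OldZwOpenThread(ThreadHandle,DesiredAccess,ObjectAttributes,ClientId); 
  else status=STATUS_ACCESS_DENIED; 
 
  DbgMsg("hooked_proc.cpp: NewZwOpenThread(-):0x%.8X",status); 
  return status; 
}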