api hooking via vxd...


hex0r
January 21st, 2002, 08:52
Hello All!

I'm trying to hook LoadLibraryA via vxd.
I created a dynamic vxd which receives from my program the address of LoadLibraryA in kernel32.dll via DeviceIoControl. In the vxd I'm saving 5 bytes from the start of LoadLibrary and writing a jmp to my code in the vxd there. In the vxd, in my LoadLibrary code, I'm trying to restore the original bytes, but Windows crashes while I'm trying to write to kernel32.dll. I think the problem here is with memory context or something. Who can tell me what I must do to write correctly?

WBR hex0r

^DAEMON^
January 22nd, 2002, 08:20
just modify page permissions (anyway strange since vxd runs in r0, hmmm)

hex0r
January 22nd, 2002, 12:30
how?

NikDH
January 22nd, 2002, 13:34
Quote:
Originally posted by hex0r
how?


Hi hex0r,
u can use VirtualProtect() and VirtualProtectEx()
to change permissions on the page address

See ya
NikDH

hex0r
January 22nd, 2002, 13:40
that's vmm calls?

NikDH
January 22nd, 2002, 20:43
Quote:
Originally posted by hex0r
that's vmm calls?


Hi hex0r,
they're api calls that stay in kernel
But thinking better about this thing, u r at ring0 and the pte
shouldn't bother u, so don't care about those api

Perhaps the write protection flag is set in the cr0 reg (if it's used under win9x, i don't really know)
Perhaps u r getting a wrong pointer
Try to trace ur vxd with sice and check ur pointer
It's better to single step ur vxd and check where exactly it is crashing and what the err msg is

See ya
NikDH

^DAEMON^
January 23rd, 2002, 02:32
hi,

maybe just one piece of advice for you: DON'T patch the api directly, better use the export table!

maybe u wanna check out my source:
h**p://cdaemon.piranho.de/api%20hookerv0.2.txt

^DAEMON^

hex0r
January 23rd, 2002, 14:15
I found the problem: when I get control in my LoadLibrary code I'm not in ring0, so I can't write to the kernel. But I can call DeviceIoControl from my code to my vxd again and patch the kernel directly from the driver. All works fine now.
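
Added example, not code from any poster in this thread: a detection-side check for the 5-byte patch described above, comparing a function's live prologue with a trusted copy and decoding an E9 jump to see whether it leaves the module image. The function and struct names, addresses and byte values are constructed for illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define PATCH_LEN 5  /* E9 + rel32, the 5 bytes the thread overwrites */

typedef struct {
    int      modified;      /* live bytes differ from the clean reference */
    int      is_jmp_rel32;  /* first byte is E9 */
    int      leaves_module; /* decoded target is outside the module image */
    uint32_t target;        /* valid only when is_jmp_rel32 is set */
} hook_report;

/* live: bytes read from the loaded function; ref: same bytes from a trusted
 * copy of the DLL; func_va: address the live bytes were read from. */
hook_report inspect_prologue(const uint8_t *live, const uint8_t *ref,
                             uint32_t func_va, uint32_t mod_base, uint32_t mod_size)
{
    hook_report r = {0, 0, 0, 0};
    r.modified = memcmp(live, ref, PATCH_LEN) != 0;
    if (live[0] == 0xE9) {
        uint32_t rel = (uint32_t)live[1] | (uint32_t)live[2] << 8 |
                       (uint32_t)live[3] << 16 | (uint32_t)live[4] << 24;
        r.is_jmp_rel32 = 1;
        r.target = func_va + PATCH_LEN + rel;   /* wraps mod 2^32, like EIP */
        r.leaves_module = (uint32_t)(r.target - mod_base) >= mod_size;
    }
    return r;
}

/* Constructed sample values, not taken from any real kernel32.dll. */
static const uint8_t  REF_BYTES[PATCH_LEN]  = {0x55, 0x8B, 0xEC, 0x83, 0xEC};
static const uint8_t  HOOK_BYTES[PATCH_LEN] = {0xE9, 0xFB, 0x9F, 0x08, 0x00};
static const uint32_t MOD_BASE = 0xBFF70000u, MOD_SIZE = 0x00070000u;
static const uint32_t FUNC_VA  = 0xBFF77000u;

hook_report sample_clean(void)  { return inspect_prologue(REF_BYTES,  REF_BYTES, FUNC_VA, MOD_BASE, MOD_SIZE); }
hook_report sample_hooked(void) { return inspect_prologue(HOOK_BYTES, REF_BYTES, FUNC_VA, MOD_BASE, MOD_SIZE); }

int main(void)
{
    hook_report h = sample_hooked();
    printf("modified=%d jmp=%d target=0x%08X outside=%d\n",
           h.modified, h.is_jmp_rel32, (unsigned)h.target, h.leaves_module);
    return 0;
}
```

A prologue changed to something other than an E9 jump still shows up through `modified`; the target check covers only the rel32 form described in the thread.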