1

Topic: ZwTerminateProcess

I'm hooking the system function ZwTerminateProcess.
Here it is:

library Hook;

uses
  Windows, AdvApiHook, NativeAPI;

var
  TrueZwTerminateProcess: function(ProcessHandle: DWORD;
    ExitStatus: DWORD): NTStatus; stdcall;

// replacement: lets every termination through except the one aimed at "my" process
function NewZwTerminateProcess(ProcessHandle: DWORD;
  ExitStatus: DWORD): NTStatus; stdcall;
var
  pid: DWORD;
  MyHandle: DWORD;
begin
  pid := GetProcessId('Explorer.EXE'); // just as an example :)
  MyHandle := OpenProcess(PROCESS_ALL_ACCESS, False, pid);
  if MyHandle = ProcessHandle then
  begin
    MessageBox(0, 'Caught it :)', 'Check', MB_ICONINFORMATION or MB_OK);
    Result := 0; // STATUS_SUCCESS: report success without terminating
  end
  else
    Result := TrueZwTerminateProcess(ProcessHandle, ExitStatus);
  if MyHandle <> 0 then
    CloseHandle(MyHandle); // don't leak a handle on every call
end;

procedure LibraryProc(Reason: Integer);
begin
  case Reason of
    DLL_PROCESS_ATTACH: // attaching to the process
      begin
        // install the hook
        HookProc('ntdll.dll', 'ZwTerminateProcess', @NewZwTerminateProcess, @TrueZwTerminateProcess);
      end;
    DLL_PROCESS_DETACH: // detaching from the process
      begin
        // remove it
        UnhookCode(@TrueZwTerminateProcess);
      end;
  end;
end;

begin
  DllProc := LibraryProc;
  DllProc(DLL_PROCESS_ATTACH);
end.

Why does the function

OpenProcess(PROCESS_ALL_ACCESS, False, pid);

not return the handle of the process, so that the condition is never satisfied? I don't know why! Please help me understand.

2

Re: ZwTerminateProcess

What, does nobody know?

3

Re: ZwTerminateProcess

Is that not enough?

4

Re: ZwTerminateProcess

Different calls to OpenProcess return different handles.

You could get the path of the program from which the procedure is called (ParamStr(0)), bring it to some normal form (lowercase it, for example) and compare it with, say, 'c:\windows\explorer.exe'.

5

Re: ZwTerminateProcess

bems, 3/20/2006, 18:32, post678058 wrote:

Different calls to OpenProcess return different handles.

How so?

bems, 3/20/2006, 18:32, post678058 wrote:

You could get the path of the program from which the procedure is called (ParamStr(0)), bring it to some normal form (lowercase it, for example) and compare it with, say, 'c:\windows\explorer.exe'

... Now that's an idea, how did I not think of it, thanks!

6

Re: ZwTerminateProcess

bartram, 3/20/2006, 20:26, post678186 wrote:

How so?

Like this: there is one process, but there can be many handles to it. And each of them is valid only in the process that called OpenProcess.

bartram, 3/20/2006, 20:26, post678186 wrote:

thanks!

You're welcome!

bartram, 3/20/2006, 20:26, post678186 wrote:

Hm... Now that's an idea, how did I not think of it

And rightly so! That's my ... I'll come up with something else...

7

Re: ZwTerminateProcess

bems, 3/20/2006, 20:59, post678213 wrote:

Like this: there is one process, but there can be many handles to it. And each of them is valid only in the process that called OpenProcess.

So how do I get the handle I "need", then?

8

Re: ZwTerminateProcess

bartram, 3/20/2006, 21:07, post678225 wrote:

So how do I get the handle I "need", then?

You can't. A handle is your personal key to the object. Somebody else has a different key to the same object (in your case, the process). The keys are not identical.

9

Re: ZwTerminateProcess

type
  NTSTATUS = DWORD;
  PROCESS_BASIC_INFORMATION = record
    ExitStatus: Integer;
    PebBaseAddress: Pointer;
    AffinityMask: DWORD;
    BasePriority: Integer;
    UniqueProcessId: DWORD;
    InheritedFromUniqueProcessId: DWORD;
  end;

function NtQueryInformationProcess(handle: THandle; ZeroInYourCase: Integer;
  var BaseInfo: PROCESS_BASIC_INFORMATION; BuffSize: DWORD; var WrittenSize: DWORD): NTSTATUS;
  stdcall; external 'ntdll.dll';

// returns the PID of the process a handle refers to (class 0 = ProcessBasicInformation)
function ProcessHandleToID(handle: THandle): DWORD;
var
  len: DWORD;
  info: PROCESS_BASIC_INFORMATION;
begin
  ZeroMemory(@info, SizeOf(info));
  NtQueryInformationProcess(handle, 0, info, SizeOf(info), len);
  Result := info.UniqueProcessId;
end;

The function finds the PID from a process handle. The PID is unique, so it can be compared.
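Putting posts 6, 8 and 9 together in working form. This is an added example, not code from the thread or from AdvApiHook: a handle value is an index into the calling process's own handle table, so an OpenProcess inside the hook can never return the same number that the terminating code holds, and the only stable identity to compare is the PID obtained through NtQueryInformationProcess with ProcessBasicInformation. Assumptions: 32-bit Windows (the record uses DWORD fields), HookProc/UnhookCode with the signatures used in post 1, and the protected process found by image name through ToolHelp32 instead of the NativeAPI GetProcessId. Two details the thread does not cover: the handle that reaches the hook may carry only PROCESS_TERMINATE, which is not enough to query it, so it is duplicated with query rights first; and a handle that cannot be resolved (such as the NULL handle ExitProcess passes on its first call) is let through unchanged.

```delphi
library HookByPid;

{ Added example, not code from the thread or from AdvApiHook.
  Assumptions: 32-bit Windows (DWORD-sized PROCESS_BASIC_INFORMATION fields);
  HookProc/UnhookCode from AdvApiHook with the signatures used in post 1;
  the protected process is found by image name through ToolHelp32. }

uses
  Windows, TlHelp32, AdvApiHook;

type
  NTSTATUS = DWORD;
  PROCESS_BASIC_INFORMATION = record
    ExitStatus: Integer;
    PebBaseAddress: Pointer;
    AffinityMask: DWORD;
    BasePriority: Integer;
    UniqueProcessId: DWORD;
    InheritedFromUniqueProcessId: DWORD;
  end;
  TZwTerminateProcess = function(ProcessHandle: THandle;
    ExitStatus: NTSTATUS): NTSTATUS; stdcall;

const
  ProcessBasicInformation = 0;
  STATUS_SUCCESS       = $00000000;
  STATUS_ACCESS_DENIED = $C0000022;

function NtQueryInformationProcess(ProcessHandle: THandle; InfoClass: DWORD;
  Info: Pointer; InfoLength: DWORD; ReturnLength: PDWORD): NTSTATUS; stdcall;
  external 'ntdll.dll';

var
  TrueZwTerminateProcess: TZwTerminateProcess;
  ProtectedPid: DWORD = 0;

{ PID of the first process whose image name matches, case-insensitively; 0 if none. }
function FindPidByName(const ExeName: string): DWORD;
var
  Snap: THandle;
  Entry: TProcessEntry32;
begin
  Result := 0;
  Snap := CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0);
  if Snap = INVALID_HANDLE_VALUE then Exit;
  try
    Entry.dwSize := SizeOf(Entry);
    if Process32First(Snap, Entry) then
      repeat
        if lstrcmpi(Entry.szExeFile, PChar(ExeName)) = 0 then
        begin
          Result := Entry.th32ProcessID;
          Break;
        end;
      until not Process32Next(Snap, Entry);
  finally
    CloseHandle(Snap);
  end;
end;

{ Resolve any process handle (the -1 pseudo-handle included) to its PID.
  The caller's handle may carry PROCESS_TERMINATE only, which cannot be
  queried, so a duplicate with query rights is made first: that access check
  is against the process object, not the rights of the source handle.
  Returns 0 when the handle cannot be resolved (e.g. NULL). }
function HandleToPid(ProcessHandle: THandle): DWORD;
var
  Dup: THandle;
  Info: PROCESS_BASIC_INFORMATION;
begin
  Result := 0;
  if not DuplicateHandle(GetCurrentProcess, ProcessHandle, GetCurrentProcess,
      @Dup, PROCESS_QUERY_INFORMATION, False, 0) then Exit;
  try
    FillChar(Info, SizeOf(Info), 0);
    if NtQueryInformationProcess(Dup, ProcessBasicInformation, @Info,
        SizeOf(Info), nil) = STATUS_SUCCESS then
      Result := Info.UniqueProcessId;
  finally
    CloseHandle(Dup);
  end;
end;

{ Compare identities (PIDs), never handle values. Unresolvable handles pass
  through: a fail-open choice that keeps ordinary self-termination working. }
function NewZwTerminateProcess(ProcessHandle: THandle;
  ExitStatus: NTSTATUS): NTSTATUS; stdcall;
begin
  if (ProtectedPid <> 0) and (HandleToPid(ProcessHandle) = ProtectedPid) then
    Result := STATUS_ACCESS_DENIED  // refuse, and tell the caller why
  else
    Result := TrueZwTerminateProcess(ProcessHandle, ExitStatus);
end;

procedure LibraryProc(Reason: Integer);
begin
  case Reason of
    DLL_PROCESS_ATTACH:
      begin
        // Snapshotting under the loader lock is tolerated here for brevity;
        // a production hook would resolve the PID outside DllMain.
        ProtectedPid := FindPidByName('explorer.exe');
        HookProc('ntdll.dll', 'ZwTerminateProcess',
          @NewZwTerminateProcess, @TrueZwTerminateProcess);
      end;
    DLL_PROCESS_DETACH:
      UnhookCode(@TrueZwTerminateProcess);
  end;
end;

begin
  DllProc := @LibraryProc;
  LibraryProc(DLL_PROCESS_ATTACH);
end.
```

Two caveats worth keeping in mind. If this DLL is loaded into the protected process itself, the -1 pseudo-handle resolves to that PID and the process's own ExitProcess is refused as well. And because the hook lives in user mode inside ntdll, any caller that issues the syscall directly, or terminates from a process the DLL was never loaded into, bypasses it entirely; a hook like this is a convenience, not a security boundary.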

10

Re: ZwTerminateProcess

bartram, AdvApiHook won't compile for me. It complains about something in the asm. How did you get it to build?

11

Re: ZwTerminateProcess

bems, where does it complain?
Post the code.

12

Re: ZwTerminateProcess

procedure Injector;
asm
  pushad
  db $E8              // call short 0
  dd 0
  pop eax             // eax = address of the current instruction
  add eax, $12
  mov [eax], esi      // patch the operand "dd $00000000" below
  push [esi + $0C]    // push the DLL name onto the stack  <- HERE: advApiHook.pas(1407) invalid combination of opcode and operands
  call [esi + $08]    // call LoadLibraryA  <- here too
  popad
  mov esi, [esi + $4] // restore esi from the old context
  dw $25FF            // jmp dword ptr [00000000h]
  dd $00000000        // the patched operand
  ret
end;

Delphi 5

13

Re: ZwTerminateProcess

Strange!
Here's my procedure, it seems to be the same, but everything works for me, Delphi 7

procedure Injector;
asm
  pushad
  db $E8              // call short 0
  dd 0
  pop eax             // eax = address of the current instruction
  add eax, $12
  mov [eax], esi      // patch the operand "dd $00000000" below
  push [esi + $0C]    // push the DLL name onto the stack
  call [esi + $08]    // call LoadLibraryA
  popad
  mov esi, [esi + $4] // restore esi from the old context
  dw $25FF            // jmp dword ptr [00000000h]
  dd $00000000        // the patched operand
  ret
end;

bems, 3/21/2006, 14:50, post678894 wrote:

Delphi 5

Are you still on 5? Time to move to something newer.

14

Re: ZwTerminateProcess

I think the problem is the Delphi version, because asm is asm. It works for me and not for you, go figure.

15

Re: ZwTerminateProcess

bems, 3/20/2006, 22:29, post678297 wrote:

The function finds the PID from a process handle. The PID is unique, so it can be compared.

The function doesn't work.

bems, 3/20/2006, 18:32, post678058 wrote:

You could get the path of the program from which the procedure is called (ParamStr(0)), bring it to some normal form (lowercase it, for example) and compare it with, say, 'c:\windows\explorer.exe'

In this case ParamStr(0) returns the path of the program WHICH is terminating, not the one WHICH is being terminated. In my case the second variant is needed, so this method doesn't suit.

16

Re: ZwTerminateProcess

bartram, 3/21/2006, 20:42, post679284 wrote:

In this case ParamStr(0) returns the path of the program WHICH is terminating, not the one WHICH is being terminated. In my case the second variant is needed, so this method doesn't suit

Well, of course it's needed. I understood that long ago.

bems, 3/20/2006, 20:59, post678213 wrote:

Added 21:06
Quote (bartram 3/20/2006, 20:26)
... Now that's an idea, how did I not think of it
And rightly so! That's my ...

Anyway, sorry.

bartram, 3/21/2006, 20:42, post679284 wrote:

The function doesn't work

Now that is strange. It worked for me. Which Windows? What does the function return?

17

Re: ZwTerminateProcess

bems, here is the function I sketched based on the code you gave me

// compares two processes: returns True if their unique ids coincide
function CompareProcesses(pid: DWORD): Boolean;
var
  MyHandle, ProcessHandle: THandle;
  ProcMyUnPid, ProcUnPid: DWORD;
begin
  MyHandle := OpenProcess(PROCESS_ALL_ACCESS, False, GetCurrentProcessId);
  ProcessHandle := OpenProcess(PROCESS_ALL_ACCESS, False, pid);
  ProcMyUnPid := ProcessHandleToID(MyHandle);
  ProcUnPid := ProcessHandleToID(ProcessHandle);
  Result := ProcMyUnPid = ProcUnPid;
  CloseHandle(MyHandle);      // don't leak the handles
  CloseHandle(ProcessHandle);
end;

Why doesn't it work, although it should?
Windows XP SP1

18

Re: ZwTerminateProcess

MyHandle := OpenProcess(PROCESS_ALL_ACCESS, False, GetCurrentProcessId);
ProcessHandle := OpenProcess(PROCESS_ALL_ACCESS, False, pid);
// from PID to handle
ProcMyUnPid := ProcessHandleToID(MyHandle);
ProcUnPid := ProcessHandleToID(ProcessHandle);
// and now back the other way?

I don't understand these complications.
Do it like this:

MyHandle := OpenProcess(PROCESS_ALL_ACCESS, False, GetCurrentProcessId);
ProcMyUnPid := ProcessHandleToID(MyHandle);
if GetCurrentProcessId = ProcMyUnPid then
  MessageBox(0, 'This is how it should always be', '', 0)
else
  MessageBox(0, 'Bems!! You idiot, damn it!', '', 0);

19

Re: ZwTerminateProcess

bartram, 3/19/2006, 00:06, post676321 wrote:

AdvApiHook, NativeAPI

And where can I get these units?

20

Re: ZwTerminateProcess

http://www.wasm.ru/pub/21/files/advapihook.rar