Wednesday, April 11, 2012

[VB] Hook API Example Hooking NtTerminateProcess

This module is for Visual Basic and serves as an example of hooking the Win32 APIs from Visual Basic.

Option Explicit   
 
' Win32 imports. Every handle, address and size below is a 32-bit Long, so this
' module can only operate on 32-bit processes; the 5-byte patch written later
' (a rel32 jmp) has the same limitation.
Private Declare Function OpenProcess Lib "kernel32" (ByVal dwDesiredAccess As Long, ByVal bInheritHandle As Long, ByVal dwProcessId As Long) As Long 
Private Declare Function CloseHandle Lib "kernel32" (ByVal hObject As Long) As Long 
' RtlMoveMemory with both pointers passed ByVal: callers supply VarPtr(...) values.
Private Declare Sub CopyMemory Lib "kernel32" Alias "RtlMoveMemory" (ByVal Destination As Long, ByVal Source As Long, ByVal Length As Long)  
Private Declare Function WriteProcessMemory Lib "kernel32" (ByVal hProcess As Long, lpBaseAddress As Any, lpBuffer As Any, ByVal nSize As Long, lpNumberOfBytesWritten As Long) As Long 
Private Declare Function ReadProcessMemory Lib "kernel32" (ByVal hProcess As Long, lpBaseAddress As Any, lpBuffer As Any, ByVal nSize As Long, lpNumberOfBytesWritten As Long) As Long 
Private Declare Function GetProcAddress Lib "kernel32" (ByVal hModule As Long, ByVal lpProcName As String) As Long 
Private Declare Function VirtualFreeEx Lib "kernel32" (ByVal hProcess As Long, lpAddress As Any, ByVal dwSize As Long, ByVal dwFreeType As Long) As Long 
Private Declare Function VirtualAllocEx Lib "kernel32" (ByVal hProcess As Long, lpAddress As Any, ByVal dwSize As Long, ByVal flAllocationType As Long, ByVal flProtect As Long) As Long 
' lpcbNeeded is declared ByVal here, so callers must pass VarPtr(variable)
' rather than the variable itself (see GetModuleHandleEx).
Private Declare Function EnumProcessModules Lib "psapi" (ByVal hProcess As Long, ByRef lphModule As Long, ByVal cb As Long, ByVal lpcbNeeded As Long) As Long 
Private Declare Function GetModuleFileNameEx Lib "psapi" Alias "GetModuleFileNameExA" (ByVal hProcess As Long, ByVal hModule As Long, ByVal lpFileName As String, ByVal nSize As Long) As Long 
 
' Standard Win32 constants used with VirtualAllocEx / VirtualFreeEx / OpenProcess.
Private Const MEM_RELEASE = &H8000  
Private Const MEM_COMMIT = &H1000  
Private Const MEM_RESERVE = &H2000  
' The stub page is allocated writable and executable at the same time.
Private Const PAGE_EXECUTE_READWRITE = &H40  
' Full access to the target; far more than the read/write/operation rights
' actually used, but it is what the example requests.
Private Const PROCESS_ALL_ACCESS = &H1F0FFF  
 
' Module-level hook state shared by HookNtTerminateProcess and
' UnhookNtTerminateProcess. Only one hook can be tracked at a time; a second
' Hook call overwrites all of these.
Private hProcess As Long 
Private FuncAddr As Long 
' Each array holds 5 bytes (indices 0..4): the size of a rel32 jmp and of the stub.
Private OldCode(4) As Byte 
Private NewCode(4) As Byte 
Private HookCode(4) As Byte 
Private CodeAddr As Long 
 
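' Returns the base address (module handle) of the module in the process
' referenced by hProcess whose full on-disk path equals ModuleName, compared
' case-insensitively. Returns 0 when EnumProcessModules fails or no module
' matches. The comparison is against the full path reported by
' GetModuleFileNameEx, so the caller must supply the exact path, not a base name.
'
' hProcess must carry enough access for PSAPI enumeration (the caller in this
' module opens it with PROCESS_ALL_ACCESS).
Private Function GetModuleHandleEx(ByVal hProcess As Long, ByVal ModuleName As String) As Long 
Dim hMods(1024) As Long 
Dim cbNeeded As Long 
Dim szModName As String 
Dim nameLen As Long 
Dim modCount As Long 
Dim i As Long 
 
GetModuleHandleEx = 0 
' lpcbNeeded is declared ByVal, hence VarPtr. The buffer size is derived from
' the array bound so the two cannot drift apart.
If EnumProcessModules(hProcess, hMods(0), (UBound(hMods) + 1) * 4, VarPtr(cbNeeded)) = 0 Then 
    Erase hMods 
    Exit Function 
End If 
 
' cbNeeded is the byte size the complete module list needs; it may exceed the
' buffer, and the earlier bound of "0 To cbNeeded / 4" also ran one element past
' the last valid handle. Clamp to what was actually filled in.
modCount = cbNeeded \ 4 
If modCount > UBound(hMods) + 1 Then modCount = UBound(hMods) + 1 
 
For i = 0 To modCount - 1 
    If hMods(i) <> 0 Then 
        szModName = String(260, 0) 
        nameLen = GetModuleFileNameEx(hProcess, hMods(i), szModName, Len(szModName)) 
        If nameLen > 0 Then 
            ' Use the returned character count instead of searching for the
            ' NUL terminator, so a buffer with no NUL cannot produce Left(s, -1).
            szModName = Left$(szModName, nameLen) 
            If LCase$(szModName) = LCase$(ModuleName) Then 
                GetModuleHandleEx = hMods(i) 
                Exit For 
            End If 
        End If 
    End If 
Next i 
Erase hMods 
End Function 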
 
' Installs a 5-byte inline patch on ntdll!NtTerminateProcess inside the
' process identified by ProcessId. Returns True only when every step succeeded
' (handle opened, ntdll located, export resolved, stub page allocated); the
' return values of the two WriteProcessMemory calls are not checked, so True
' does not prove the bytes actually landed.
'
' Layout in the target after a successful call:
'   FuncAddr: E9 <rel32>        jmp to CodeAddr
'   CodeAddr: 33 C0 C2 08 00    xor eax,eax / ret 8
' Any call to that export in the target then returns 0 without the original
' code running. All state (hProcess, FuncAddr, CodeAddr, OldCode) lives at
' module level, so calling this a second time overwrites OldCode with the
' already-patched bytes and the earlier hook can no longer be restored.
'
' Assumes a 32-bit target throughout: addresses are Long, the jmp is the rel32
' form, and "ret 8" pops exactly the two DWORD arguments of the export. Seen
' from outside the process, the sequence is a cross-process RWX allocation
' followed by a write into ntdll's code pages, which is what code-integrity
' checks and endpoint monitoring flag for this class of patch.
Public Function HookNtTerminateProcess(ByVal ProcessId As Long) As Boolean 
Dim hMod As Long 
 
NewCode(0) = &HE9 ' jmp rel32; the 4-byte displacement is filled in below  
' Stub written to CodeAddr: return 0 and pop the two stack arguments.
' xor eax,eax  
' ret 8  
HookCode(0) = &H33  
HookCode(1) = &HC0  
HookCode(2) = &HC2  
HookCode(3) = &H8  
HookCode(4) = &H0  
 
hProcess = OpenProcess(PROCESS_ALL_ACCESS, False, ProcessId)  
 
If hProcess Then 
    ' Hard-coded full path: fails when the system directory is elsewhere,
    ' since the helper compares complete paths rather than base names.
    hMod = GetModuleHandleEx(hProcess, "c:\windows\system32\ntdll.dll")  
    If hMod Then 
        ' NOTE(review): GetProcAddress is handed the module base taken from the
        ' *target*; this presumably relies on ntdll sharing the same base in this
        ' process and the target - confirm before depending on it.
        FuncAddr = GetProcAddress(hMod, "NtTerminateProcess")  
        If FuncAddr Then 
            ' Save the 5 bytes the jmp will overwrite so Unhook can restore them.
            ReadProcessMemory hProcess, ByVal FuncAddr, OldCode(0), 5, 0  
            ' Stub storage in the target, requested as writable + executable.
            CodeAddr = VirtualAllocEx(hProcess, ByVal 0, 5, MEM_COMMIT Or MEM_RESERVE, PAGE_EXECUTE_READWRITE)  
            If CodeAddr Then 
                ' rel32 = destination - (address of the jmp + 5), copied
                ' little-endian into NewCode(1..4) behind the E9 opcode.
                CopyMemory VarPtr(NewCode(1)), VarPtr(CodeAddr - FuncAddr - 5), 4  
                ' Stub first, then the jmp, so the jmp never points at unwritten memory.
                WriteProcessMemory hProcess, ByVal CodeAddr, HookCode(0), 5, 0  
                WriteProcessMemory hProcess, ByVal FuncAddr, NewCode(0), 5, 0  
                HookNtTerminateProcess = True 
            End If 
        End If 
    End If 
End If 
End Function 
 
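' Restores the 5 original bytes of NtTerminateProcess saved by
' HookNtTerminateProcess, releases the stub allocation and closes the process
' handle. Safe to call when no hook is installed (hProcess = 0) and safe to
' call twice: module state is cleared afterwards, so a repeat call does nothing
' instead of writing through a closed handle or closing it again.
Public Sub UnhookNtTerminateProcess()  
If hProcess = 0 Then Exit Sub 
 
If FuncAddr <> 0 Then 
    ' Put the original prologue back before the stub is freed; while the jmp
    ' is in place the target must never run into a released page.
    WriteProcessMemory hProcess, ByVal FuncAddr, OldCode(0), 5, 0  
End If 
If CodeAddr <> 0 Then 
    ' With MEM_RELEASE the size argument must be 0; the earlier call passed 5,
    ' which VirtualFreeEx rejects, leaking the stub page.
    VirtualFreeEx hProcess, ByVal CodeAddr, 0, MEM_RELEASE  
End If 
CloseHandle hProcess  
 
' Forget the hook so a second Unhook (or a later Hook) starts from a clean state.
hProcess = 0 
FuncAddr = 0 
CodeAddr = 0 
End Sub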
