C# EasyHook SYSTEM_INFORMATION_CLASS

Discussion on C# EasyHook SYSTEM_INFORMATION_CLASS within the .NET Languages forum part of the Coders Den category.

#1, posted by cablehead

I have a hook of ZwQuerySystemInformation trying to hide a process. All is fine... except making sense of the hooked SystemInformation values. How can I loop through the process names? (C#)

C++ looks like this: (I'm lost)

    NTSTATUS HookNtQuerySystemInformation(ULONG InfoClass, PVOID Buffer, ULONG Length, PULONG ReturnLength)
    {
        PSYSTEM_PROCESS_INFO pCurr, pNext;
        NTSTATUS ret;

        // 5 == SystemProcessInformation; every other class is passed straight through
        if (InfoClass != 5)
        {
            return fnNtQuerySystemInformation(InfoClass, Buffer, Length, ReturnLength);
        }

        // Let the original fill the buffer first, then edit the result
        ret = fnNtQuerySystemInformation(InfoClass, Buffer, Length, ReturnLength);

        if (NT_SUCCESS(ret))
        {
            // The buffer is a chain of SYSTEM_PROCESS_INFO entries; each
            // NextEntryOffset is relative to the entry it belongs to, 0 ends the chain
            pCurr = NULL;
            pNext = Buffer;

            while (pNext->NextEntryOffset != 0)
            {
                pCurr = pNext;
                pNext = (PSYSTEM_PROCESS_INFO)((PUCHAR)pCurr + pCurr->NextEntryOffset);

                if (!wcscmp(L"svchost.exe", pNext->ImageName.Buffer))
                {
                    // Unlink pNext: make pCurr's offset jump over it, or end the chain at pCurr
                    if (pNext->NextEntryOffset == 0)
                    {
                        pCurr->NextEntryOffset = 0;
                    }
                    else
                    {
                        pCurr->NextEntryOffset += pNext->NextEntryOffset;
                    }

                    pNext = pCurr;
                }

                if (!wcscmp(L"cmd.exe", pNext->ImageName.Buffer))
                {
                    if (pNext->NextEntryOffset == 0)
                    {
                        pCurr->NextEntryOffset = 0;
                    }
                    else
                    {
                        pCurr->NextEntryOffset += pNext->NextEntryOffset;
                    }

                    pNext = pCurr;
                }
            }
        }

        return ret;
    }

Can anyone convert the above to C#?
My hook:

    // EasyHook callback; must keep the signature of the original export
    static IntPtr NTQuerryInfo_Hooked(SYSTEM_INFORMATION_CLASS SystemInformationClass,
        System.IntPtr SystemInformation, uint SystemInformationLength, ref uint ReturnLength)
    {
        Main This = (Main)HookRuntimeInfo.Callback;

        // I need to read the structure here and remove the process name before returning.....

        return ZwQuerySystemInformation(SystemInformationClass,
            SystemInformation, SystemInformationLength, ref ReturnLength);
    }
#2, posted by cookie69, 05/11/2014, 02:14
Quote: Originally Posted by cablehead (post #1, quoted in full)
If you want to "hide" a process you will need to make a driver in kernel mode to hide it. You should search for "windows driver kit" on Google, but it is not easy programming at all, since you will have to play with undocumented routines (NTxxx and ZWxxx) and it is easy to make a blue screen of death... And I don't think that you can do it in C# (most drivers are written in C). Now, even if you "hide" your process, it is ALWAYS possible to find it => brute force!!

Instead, try to hook the OpenProcess() routine in kernel mode (make a driver) so other processes don't get access to it. Well, it depends on what you are looking for.
#3, posted by cablehead, 05/11/2014, 02:48
The C code posted is working to hide a process... from Task Manager, Process Explorer etc. My C# API hook (EasyHook) to NTQuerry is also working fine... I can actually get a list of processes every time it fires... but... my list is returned as an array of SYSTEM_PROCESS_INFORMATION structures... in an IntPtr.

The posted code modifies one offset/process structure of the array (the exe to be hidden) and returns the modified array.

That's where I'm stuck.
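The detector side of what this thread describes, as an added example that is not code from the thread: the unlinking in the C code only rewrites NextEntryOffset, so the hidden entry's bytes are still in the buffer, and a consumer that checks that every link spans exactly one entry (and that the last entry ends at the end of the buffer) recovers it without the PID brute force cookie69 mentions. The entry layout below is a constructed, simplified stand-in (the real SYSTEM_PROCESS_INFORMATION header has many more fields at different offsets); only the u32 NextEntryOffset at offset 0 and the chain walk mirror the real buffer.

```python
import struct
# Constructed, simplified entry (NOT the real SYSTEM_PROCESS_INFORMATION layout;
# only the u32 NextEntryOffset at offset 0 and the chain walk mirror the real one):
#   u32 NextEntryOffset | u64 UniqueProcessId | u16 ImageNameLength | UTF-16LE name | pad to 8
HDR = struct.Struct("<IQH")
align8 = lambda n: (n + 7) & ~7

def entry_size(buf, off):
    """Real extent of the entry at `off`, derived from its own fields only."""
    return align8(HDR.size + HDR.unpack_from(buf, off)[2])

def read_name(buf, off):
    _, pid, name_len = HDR.unpack_from(buf, off)
    return pid, buf[off + HDR.size:off + HDR.size + name_len].decode("utf-16-le")

def build_buffer(procs, hidden=()):
    """Serialize (pid, name) pairs; names in `hidden` stay in the buffer but are skipped
    by the chain, exactly what the C code's NextEntryOffset patching does (head stays)."""
    out, offs, visible = bytearray(), [], []
    for i, (pid, name) in enumerate(procs):
        body = HDR.pack(0, pid, len(nb := name.encode("utf-16-le"))) + nb
        offs.append(len(out))
        out += body + bytes(align8(len(body)) - len(body))
        if name not in hidden:
            visible.append(i)
    for a, b in zip(visible, visible[1:]):  # link visible entries only
        struct.pack_into("<I", out, offs[a], offs[b] - offs[a])
    return bytes(out)

def walk(buf):
    """Names as a chain consumer (Task Manager, or the hook itself) sees them."""
    off, seen = 0, [read_name(buf, 0)]
    while nxt := struct.unpack_from("<I", buf, off)[0]:
        off += nxt
        seen.append(read_name(buf, off))
    return seen

def find_unlinked(buf):
    """Detector: each link must span exactly one entry and the last entry must end at
    the buffer's end; anything in between is a skipped entry. Parse and report it."""
    off, orphans, nxt = 0, [], 1
    while nxt:
        nxt = struct.unpack_from("<I", buf, off)[0]
        end = off + nxt if nxt else len(buf)
        gap = off + entry_size(buf, off)
        while gap + HDR.size <= end:  # walk whatever the patched link jumps over
            orphans.append(read_name(buf, gap))
            gap += entry_size(buf, gap)
        off += nxt
    return orphans
```

On a real buffer the same check works once entry_size and read_name use the real field offsets and the thread array that follows each header; a gap that does not parse as a clean entry is still a finding worth reporting.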