
I am hooking the SSDT of Windows 7 x64 (I already hooked it correctly and such - that's not the problem.) to bypass a certain Anti-Cheat for a game.

The problem: Trying to get the exe name is of no use since it always outputs svchost.exe for Windows services, and since the anticheat is doing its work in a service I can't correctly "guess" which svchost.exe is the Anti-Cheat.

The (pseudo-)code:

```c
NTSTATUS newOpenProcess(PHANDLE ProcessHandle, ACCESS_MASK DesiredAccess,
                        POBJECT_ATTRIBUTES ObjectAttributes, PCLIENT_ID ClientId)
{
    if (ClientId points to our game) // checks name of process to be opened
    {
        // svchost.exe - NEED THE SERVICE NAME
        DbgPrint("%s", PsGetProcessImageFileName(PsGetCurrentProcess()));
    }
    return oldOpenProcess(ProcessHandle, DesiredAccess, ObjectAttributes, ClientId);
}
```

Please note: THIS IS NOT FOR ANYTHING BUT LEARNING PURPOSES. This is not for malware or anything of the such; it is not illegal!

  • A few ideas: `svchost.exe` works by loading a DLL for the service it is to run, so if you can enumerate the modules for each instance of `svchost.exe` you can identify the right one that way. Or you could look for the process that has the DLL file open. Or if you can get a user-mode process to do the work for you, you could use QueryServiceStatusEx to get the process ID. – Harry Johnston Nov 22 '14 at 02:52
  • Is this article of any help? http://www.osronline.com/article.cfm?article=472 It uses ZwQueryInformationProcess which gives you much better information (such as full path - as seen in the article). – Itaypk May 25 '15 at 11:16
  • That would probably be perfect if I were to attempt to write a driver again. Thanks for the link! Feel free to post it as an answer and I will accept it. – MeepDarknessMeep May 26 '15 at 16:05
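The two user-mode ideas in the comments (ask the service control manager which process hosts a service, and look at which service DLL that instance loads) are the same lookup a responder does when deciding whether a given `svchost.exe` is hosting what it claims to. The following is an added example, not code from the question or the commenters: it maps every running service to its hosting PID through the `Win32_Service` CIM class (the same data `QueryServiceStatusEx` returns) and, for DLL-hosted services, reads the `ServiceDll` value from the service's `Parameters` registry key. It assumes PowerShell 3.0 or later for `Get-CimInstance`; on the stock PowerShell 2.0 of Windows 7, `Get-WmiObject -Class Win32_Service` returns the same properties.

```powershell
# Added example (not from the question or comments): resolve which service each
# svchost.exe instance hosts. The SCM knows the hosting PID; the image name does not.
# Assumes PowerShell 3.0+ (Get-CimInstance); on PowerShell 2.0 use Get-WmiObject instead.

function Get-SvchostServiceMap {
    [CmdletBinding()]
    param(
        # Optional service name to look up; omit to list every running service.
        [string]$ServiceName
    )

    # Stopped services report ProcessId 0, so only running ones are meaningful here.
    $services = Get-CimInstance -ClassName Win32_Service |
        Where-Object { $_.ProcessId -ne 0 }

    if ($ServiceName) {
        $services = $services | Where-Object { $_.Name -eq $ServiceName }
    }

    foreach ($svc in $services) {
        # The process may have exited between the two queries; tolerate that.
        $proc = Get-Process -Id $svc.ProcessId -ErrorAction SilentlyContinue

        # DLL-hosted services record their module under Parameters\ServiceDll.
        $paramKey   = "HKLM:\SYSTEM\CurrentControlSet\Services\$($svc.Name)\Parameters"
        $serviceDll = (Get-ItemProperty -Path $paramKey -Name ServiceDll `
                           -ErrorAction SilentlyContinue).ServiceDll

        [pscustomobject]@{
            Service     = $svc.Name
            DisplayName = $svc.DisplayName
            ProcessId   = $svc.ProcessId
            Image       = if ($proc) { $proc.ProcessName } else { '<exited>' }
            # The "-k <group>" argument is what tells svchost instances apart.
            CommandLine = $svc.PathName
            ServiceDll  = if ($serviceDll) { $serviceDll } else { '<exe-hosted>' }
        }
    }
}

# Usage: list every svchost.exe instance with the services and DLLs it hosts,
# grouped by PID so each instance can be compared with what its -k group should load.
Get-SvchostServiceMap |
    Where-Object { $_.Image -eq 'svchost' } |
    Sort-Object ProcessId, Service |
    Format-Table ProcessId, Service, ServiceDll, CommandLine -AutoSize
```

Reading the output next to the `-k` group on the command line is the useful check: a service DLL outside `System32`, or a service name that does not belong to that group, is the kind of mismatch that distinguishes a legitimate `svchost.exe` from something merely named after it. In kernel code the same PID is what the hook sees via `PsGetCurrentProcessId()`, so this user-mode table is what gives that PID a service name.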
