
I'm currently working on hooking ntdll.dll calls via DLL injection. First, I create a thread in the existing process via CreateRemoteThread(), then I load my DLL via LoadLibrary, and finally hook the calls on PROCESS_ATTACH.

Injection works fine, but then I want to log all registry and file system queries, and the problem is that it doesn't work properly.

I decided to publish the code via Pastebin, because the piece is pretty big. Here is the link: http://pastebin.com/39r4Me6B

I'm trying to hook ZwOpenKey, then log the key content, and then call the "true" function by pointer. The function NOpenKey gets executed, but the process stops without any errors.

Does anyone see any issues?

qutron

1 Answer


If you use OllyDbg, you will see that ZwOpenKey starts with a 5-byte MOV EAX, 77.

You can overwrite these bytes with a JMP _myZwOpenKey; from there you can do whatever you want with the values on the stack, restore all registers, then do a JMP 7C90D5B5, which is the address of ZwOpenKey + 5 bytes.

CPU Disasm
Address   Hex dump          Command                 Comments
7C90D5AF      90            NOP
7C90D5B0  /$  B8 77000000   MOV EAX,77              ; ntdll.ZwOpenKey(guessed Arg1,Arg2,Arg3)
7C90D5B5  |.  BA 0003FE7F   MOV EDX,7FFE0300
7C90D5BA  |.  FF12          CALL DWORD PTR DS:[EDX]
7C90D5BC  \.  C2 0C00       RETN 0C

I usually do these in assembly; that way I don't have to mess around a lot with type casting and all that. Hope this helps.

TheRealChx101