tadasv
June 2nd, 2009, 14:17
Hi guys. I am trying to hook ZwAllocateVirtualMemory from ntdll.dll. I overwrite the first five bytes of ZwAllocateVirtualMemory with a jmp to a fake function; you can see the fake function below. However, the hooked function does not work as expected. If I uncomment the body of the test function I get a stack overflow. Am I missing something here? Thanks.
Code:
/*
 * test(): diagnostic callback invoked from inside FakeZwAllocateVirtualMemory.
 *
 * The body is deliberately left empty. The logging it used to hold (kept
 * below, with the missing ')' on the fopen line fixed) cannot run from this
 * context: fopen/fprintf allocate from the CRT heap, heap growth is serviced
 * by ZwAllocateVirtualMemory, and that function is the one being hooked --
 * so the hook calls test(), test() allocates, the allocation re-enters the
 * hook, and the recursion never terminates. That is the stack overflow seen
 * when this body is enabled. Anything done here must neither allocate nor
 * reach the hooked function, directly or indirectly.
 *
 * Original body, for reference:
 *   FILE *f = fopen ("c:\\test.txt", "a");
 *   fprintf (f, "PROCESS: %08X\nBASE: %08X\nZERO BITS: %08X\n"
 *            "SiZE: %08X\nALLOC TYPE: %08X\nPROTECT: %08X\n\n",
 *            hdZwAllocateVirtualMemory.par_process,
 *            hdZwAllocateVirtualMemory.par_baseAddress,
 *            hdZwAllocateVirtualMemory.par_zeroBits,
 *            hdZwAllocateVirtualMemory.par_regionSize,
 *            hdZwAllocateVirtualMemory.par_allocationType,
 *            hdZwAllocateVirtualMemory.par_protect);
 *   fclose (f);
 */
void test()
{
    /* intentionally empty -- see the note above */
}
/*
 * FakeZwAllocateVirtualMemory: detour target reached through the 5-byte jmp
 * written over the start of ntdll!ZwAllocateVirtualMemory.
 *
 * Naked: the compiler emits no prologue/epilogue, so on entry the stack is
 * exactly what the original callee would see: [esp] = return address,
 * [esp+4 .. esp+24] = the six stdcall arguments (ProcessHandle, BaseAddress,
 * ZeroBits, RegionSize, AllocationType, Protect).
 *
 * Flow: copy the six arguments into the global hdZwAllocateVirtualMemory
 * record, call test(), then execute `mov eax, 0x11` (presumably the
 * instruction the jmp displaced -- it is 5 bytes, the same size as the patch,
 * and looks like the service index the original stub loads) and jump to
 * exitAddress, i.e. the original function just past the patched bytes. Nothing
 * was pushed here, so the original's ret returns straight to the real caller.
 *
 * Hazards in this design (documented, not fixed here):
 *  - Re-entrancy: anything run from this context that allocates memory
 *    (stdio, malloc, HeapAlloc) ends up inside ZwAllocateVirtualMemory and
 *    therefore back in this hook, with no bound on the recursion. That is
 *    the stack overflow observed when test()'s fopen/fprintf body is enabled;
 *    a per-thread re-entrancy guard is required before test() may do any
 *    real work.
 *  - Thread safety: the arguments are saved in one global record, so calls
 *    on other threads overwrite each other's values before test() reads them.
 *  - The constant 0x11 is specific to one Windows build; re-executing a copy
 *    of the displaced original bytes would remove the hard-coded value.
 *  - test() is an ordinary C function and may clobber eax/ecx/edx and flags.
 *    Those are caller-saved under stdcall, so the caller is unaffected; eax
 *    is reloaded afterwards anyway.
 */
void __declspec (naked) FakeZwAllocateVirtualMemory()
{
// save parameters
__asm {
; stdcall frame of the intercepted call: [esp] = return address, args follow
mov eax, dword ptr ss:[esp + 4] ; ProcessHandle
mov dword ptr [hdZwAllocateVirtualMemory].par_process, eax
mov eax, dword ptr ss:[esp + 8] ; BaseAddress (PVOID*)
mov dword ptr [hdZwAllocateVirtualMemory].par_baseAddress, eax
mov eax, dword ptr ss:[esp + 12] ; ZeroBits
mov dword ptr [hdZwAllocateVirtualMemory].par_zeroBits, eax
mov eax, dword ptr ss:[esp + 16] ; RegionSize (PSIZE_T)
mov dword ptr [hdZwAllocateVirtualMemory].par_regionSize, eax
mov eax, dword ptr ss:[esp + 20] ; AllocationType
mov dword ptr [hdZwAllocateVirtualMemory].par_allocationType, eax
mov eax, dword ptr ss:[esp + 24] ; Protect
mov dword ptr [hdZwAllocateVirtualMemory].par_protect, eax
}
// Diagnostic hook-out. Must not allocate or otherwise reach the hooked
// function, or this hook re-enters itself (see header comment).
test();
// Re-execute the displaced first instruction (hard-coded service index,
// build-specific), then continue in the original function past the patch.
__asm mov eax, 0x11
__asm jmp dword ptr hdZwAllocateVirtualMemory.exitAddress
}