What, you don't like new hooking ideas... :D
And the initial tests and dry runs for hooking with a system-mapped shared section o0
Maybe it's all lost on non-'dev' types, as I am not a good explainer of what indeed I am trying to accomplish.
So maybe if I explain the code as I 'see' it... (cause out of sight, out of my mind for me xD)
This client opens Events for Synchronization (Sync) and Communication (Comm). After opening, on success of said handles, I set the Comm Event; this Event triggers the server to start listening (this time at least). The client then creates its own section to use for mapping by the system (sharing is nice).
This can be summed up by the code here:
Code:
// open the Communication event by name
RtlInitUnicodeString(&Unicode,LpcCommEvent);
InitializeObjectAttributes(&oa,&Unicode,OBJ_KERNEL_HANDLE,0,0);
Status = NtOpenEvent(&CommEvent,EVENT_ALL_ACCESS,&oa);
if(!NT_SUCCESS(Status))
{
__leave;
}
// open the Synchronization event by name
RtlInitUnicodeString(&Unicode,LpcEventName);
InitializeObjectAttributes(&oa,&Unicode,OBJ_KERNEL_HANDLE,0,0);
Status = NtOpenEvent(&SyncEvent,EVENT_ALL_ACCESS,&oa);
if(!NT_SUCCESS(Status))
{
__leave;
}
// signal Comm so the server starts listening
Status = NtSetEvent(CommEvent,&EventState);
if(!NT_SUCCESS(Status))
{
return STATUS_UNSUCCESSFUL;
}
Then the client connects to the server; this is the fun part..
After NtCompleteConnectPort is called successfully by the server, the client waits for the Comm event to be signaled by the server. This is done to ensure the server has called NtReplyWaitReceivePort (otherwise you have the client waiting before the server waits.. (lame..)), so.. this can be represented by this small part of code..
Code:
NtWaitForSingleObject(CommEvent,FALSE,0); // NULL timeout: wait until the server signals Comm
InitializeMessageHeader(&MessageHeader, sizeof(PORT_MESSAGE), LPC_NEW_MESSAGE+11);//10 defined so imma use 11 ..
Status = NtRequestWaitReplyPort(PortHandle,&MessageHeader,&MessageHeader);
if(!NT_SUCCESS(Status))
{
RtlInitUnicodeString(&Unicode,L"NtRequestWaitReplyPort Status:");
__leave;
}
Here's the new bit I've come up with

Upon successful reply from the server I then call an InitUserHooks and pass in the ClientView mapped by the call in the server to NtReplyPort... In InitUserHooks I then use the View to point my hooks to :D. This code here represents that.. (part of the InitUserHooks routine I use for hooking)
Code:
ULONG SizeFirstHk = *(ULONG*)CodeView.ViewBase;
ULONG Hook_BaseThreadStartThunk = (ULONG)CodeView.ViewBase+4;
ULONG Hook_BaseProcessStartThunk = Hook_BaseThreadStartThunk + SizeFirstHk;
__asm
{
pushad
lds esi, Addr_BaseThreadStartThunk
les edi, CodBaseThread
mov ecx,0x5
rep movsb
mov edi, Addr_BaseThreadStartThunk
mov eax, Hook_BaseThreadStartThunk
sub eax, edi
sub eax,5
mov byte ptr [edi+0], 0xE9 // 0xE9 = near jmp rel32 (not a short jmp)
mov dword ptr [edi+1], eax
mov esi, Addr_BaseProcessStartThunk
les edi, CodBaseProcess
mov ecx,0x5
rep movsb
mov edi, Addr_BaseProcessStartThunk
mov eax, Hook_BaseProcessStartThunk
sub eax,edi
sub eax,5
mov byte ptr [edi+0],0xE9
mov dword ptr [edi+1],eax
popad
}
I know, I know, it's not complete yet and still needs revision, but the concept and usage are there.
Hopefully in the future I hope to be able to 'attach' the section to the PE during runtime so no "out of image range" detections work.. I could also forge my own entry into the PEB.. and then hide myself after the hooks are installed. But that is all superficial, as hotpatches are going to be in the 3rd or 4th revision of the client '_' so maybe something to look forward to..
I dunno, it's all up to these fun tests and outcomes

And hopefully sometime a little feedback :]
Regards, BanMe
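Added example, not BanMe's code: the "out of image range" check the post mentions, written from the scanner's side. It decodes the E9 rel32 patch that the asm block writes (target = addr + 5 + rel32, the inverse of the "hook - addr - 5" displacement) and flags a jmp whose target lies outside every loaded image. The module range, entry-point VA and prologue bytes are constructed for the example.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdbool.h>

/* Constructed module descriptor: the image occupies [base, base + size). */
typedef struct { const char *name; uint32_t base; uint32_t size; } module_range;

enum { PROLOGUE_CLEAN = 0, PROLOGUE_JMP_IN_IMAGE = 1, PROLOGUE_JMP_OUT_OF_IMAGE = 2 };

/* If the 5 bytes at `addr` are an E9 rel32 near jmp, compute its absolute target.
 * target = addr + 5 + rel32 (32-bit wraparound handles a negative displacement). */
static bool decode_jmp_rel32(uint32_t addr, const uint8_t code[5], uint32_t *target)
{
    if (code[0] != 0xE9) return false;
    uint32_t rel = (uint32_t)code[1] | ((uint32_t)code[2] << 8) |
                   ((uint32_t)code[3] << 16) | ((uint32_t)code[4] << 24);
    *target = addr + 5u + rel;
    return true;
}

/* True when `va` falls inside any known image range. */
static bool in_any_module(uint32_t va, const module_range *mods, size_t n)
{
    for (size_t i = 0; i < n; i++)
        if (va >= mods[i].base && va - mods[i].base < mods[i].size) return true;
    return false;
}

/* Classify one entry-point prologue the way a scanner walking exports would. */
int classify_prologue(uint32_t addr, const uint8_t code[5], const module_range *mods, size_t n)
{
    uint32_t target;
    if (!decode_jmp_rel32(addr, code, &target)) return PROLOGUE_CLEAN;
    return in_any_module(target, mods, n) ? PROLOGUE_JMP_IN_IMAGE : PROLOGUE_JMP_OUT_OF_IMAGE;
}

/* Constructed sample: one image, one entry point, three candidate prologues. */
static const module_range sample_mods[] = { { "kernel32.dll (constructed)", 0x7C800000u, 0x000F6000u } };
static const uint32_t sample_addr = 0x7C810000u;                              /* constructed entry-point VA */
static const uint8_t clean_prologue[5]    = { 0x8B, 0xFF, 0x55, 0x8B, 0xEC }; /* mov edi,edi; push ebp; mov ebp,esp */
static const uint8_t hotpatch_prologue[5] = { 0xE9, 0xFB, 0xFF, 0x00, 0x00 }; /* jmp 0x7C820000: still inside the image */
static const uint8_t section_prologue[5]  = { 0xE9, 0xFF, 0xFF, 0x91, 0x83 }; /* jmp 0x00130004: a mapped section, no image */

/* which: 0 = clean, 1 = in-image hotpatch, 2 = jmp into an out-of-image section */
int demo_classify(int which)
{
    const uint8_t *p = which == 0 ? clean_prologue : which == 1 ? hotpatch_prologue : section_prologue;
    return classify_prologue(sample_addr, p, sample_mods, 1);
}
```

A real scanner would read the 5 bytes from each export's VA and take the image list from the loader's module list; the decoding and range logic stay the same.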