How to hook NtTerminateProcess and protect my process???

closed account (3hMz8vqX)
Hi all,
How to hook NtTerminateProcess and protect my process???
Can anyone give me an example code???
Regards,
Aravind.
closed account (13bSLyTq)
Hi,

I gave you the source to hook KiFastSystemCall; use that instead of hooking NtTerminateProcess, as KiFastSystemCall is much lower level in user mode (Ring-3).
To protect your process via a KiFastSystemCall hook, you need to preserve EAX and ESP.
To be more specific, ESP+4 and ESP+8. You need to preserve ESP, as it holds the parameters for NtTerminateProcess.
You need to preserve EAX, because it holds the NT function's ID; this is used to identify the NT call.

To identify the IDs for some syscalls, use this: http://indefinitestudies.org/2009/01/22/digging-up-system-calls-ordinals-on-xp-x64/

For NtTerminateProcess the ID is 29h.

______________________

You are getting way ahead of yourself. Slow down and go back to the basics, and before that learn to use debuggers; a good one is OllyDbg.

Download OllyDbg:
http://www.ollydbg.de/

______________________

As for hooking Zw/NtTerminateProcess in kernel mode (Ring-0), you need to create a main driver routine and a procedure to hook Zw/NtTerminateProcess, then call it from the driver entry routine.

Check out my blog; it contains a lot about this stuff:
http://codeempire.blogspot.co.uk/

Good Luck.
closed account (3hMz8vqX)
Hi,
Your blog is awesome!!!
There's a lot of good things...
I checked out the other articles and it's awesome!
But can you please give me the code to hook NtTerminateProcess at user level, since I'm developing a small application :)
Thank you in advance!!! :)
closed account (13bSLyTq)
Hi,

I will just give you the code to hook NtTerminateProcess, although you need to manage the callback, as that is the "real" part of this hook.

Method:

- First we will unprotect the target address (Nt/ZwTerminateProcess)
- Replace the first instruction, mov eax, 29h, with jmp [callback address]
- Finally re-protect the target address with its previous/original protection level

Code:

#include <windows.h>

// Installs a 5-byte relative JMP at lpTargetAddress that diverts execution to
// lpCallbackAddress. 32-bit (x86) only: the address arithmetic is done in DWORDs.
DWORD NtHookInstall(LPVOID lpTargetAddress, LPVOID lpCallbackAddress)
{
    if (lpTargetAddress == 0 || lpCallbackAddress == 0) return 0; // Misc. check

    DWORD dwOldProtection = 0;
    // Make the target page writable so the prologue can be patched
    if (VirtualProtect(lpTargetAddress, 7, PAGE_EXECUTE_READWRITE, &dwOldProtection) == 0) return 0;

    *(BYTE*)(lpTargetAddress) = 0xE9; // Opcode for JMP rel32
    // The displacement is relative to the end of the 5-byte JMP instruction
    *(long*)((LPBYTE)lpTargetAddress + 1) = (long)((DWORD)lpCallbackAddress - ((DWORD)lpTargetAddress + 5));
    VirtualProtect(lpTargetAddress, 7, dwOldProtection, &dwOldProtection); // Reinstate original protection
    return 1; // SUCCESS
}


Usage:

// Callback is your own hook routine; see the note below about writing it as a naked stub.
void Callback();

int main()
{
    NtHookInstall((LPVOID) GetProcAddress(GetModuleHandleW(L"ntdll.dll"), "ZwTerminateProcess"), (LPVOID) Callback);
    return 0;
}

***NOTE*** The above code works with all NT functions, although you need to work with the callback.

The code given is ONLY for local hooking; if you wish to make it a system-wide hook/global hook, you can use several methods to do so. These include:

- PE Injection
- Code Injection
- DLL Injection

For PE & code injection, the code is more or less straightforward, but for DLL injection you need to convert the above into a DLL, then inject the DLL into all processes in memory.

Lastly, I would highly recommend you learn & understand assembly (both x64 & x86); this would massively help you when doing this sort of stuff.
At the moment you are copying & pasting with minimal knowledge of the workings behind this.
The callback should ideally be only assembly and declared __declspec(naked), mainly because it would then exist as a simple stub in memory, therefore your callback can easily be patched back to return to the real function.


Good Luck! Hope This helps.
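A defender-side check that follows from the installer above, written as an added example for this thread (it is not the poster's code): it computes the same JMP rel32 displacement the hook writes, and inspects a stub's first bytes to tell a clean 32-bit ntdll prologue (mov eax, imm32) from a patched one, recovering either the syscall number or the JMP destination. The stub bytes and addresses are constructed for the demonstration, and the XP-era x86 stub layout is assumed.

```c
#include <stdint.h>
#include <stdio.h>

/* Result of inspecting the first bytes of a 32-bit ntdll Nt/Zw stub. */
typedef struct {
    int hooked;           /* 1 if the stub begins with a rel32 JMP (opcode E9) */
    uint32_t syscall_id;  /* immediate of "mov eax, imm32" when not hooked */
    uint32_t jmp_target;  /* absolute destination of the JMP when hooked */
} StubReport;

/* Read a little-endian 32-bit value from a byte buffer. */
static uint32_t rd32(const uint8_t *p) {
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) | ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* rel32 as the installer above computes it: target - (address of JMP + 5).
 * Unsigned arithmetic wraps modulo 2^32, which is what the CPU does too. */
uint32_t jmp_rel32(uint32_t va, uint32_t target) {
    return target - (va + 5);
}

/* Write the 5-byte "E9 rel32" patch into out[] (little-endian displacement). */
void encode_jmp(uint32_t va, uint32_t target, uint8_t out[5]) {
    uint32_t rel = jmp_rel32(va, target);
    out[0] = 0xE9;
    for (int i = 0; i < 4; i++) out[1 + i] = (uint8_t)(rel >> (8 * i));
}

/* Classify 'len' bytes copied from a stub located at virtual address 'va'.
 * A clean XP-era x86 stub starts with "B8 imm32" (mov eax, service number);
 * the hook on this page overwrites that with "E9 rel32". */
StubReport inspect_stub(uint32_t va, const uint8_t *bytes, size_t len) {
    StubReport r = {0, 0, 0};
    if (len < 5) return r;  /* too short for either prologue: report nothing */
    if (bytes[0] == 0xE9) {
        r.hooked = 1;
        r.jmp_target = va + 5 + rd32(bytes + 1);  /* invert the rel32 formula */
    } else if (bytes[0] == 0xB8) {
        r.syscall_id = rd32(bytes + 1);
    }
    return r;
}

int main(void) {
    /* Constructed sample: a service-0x29 stub at a made-up address, clean and then patched. */
    uint8_t clean[5] = {0xB8, 0x29, 0x00, 0x00, 0x00}, hooked[5];
    encode_jmp(0x7C90DE50u, 0x00401000u, hooked);
    StubReport a = inspect_stub(0x7C90DE50u, clean, 5), b = inspect_stub(0x7C90DE50u, hooked, 5);
    printf("clean: hooked=%d syscall=0x%X\n", a.hooked, a.syscall_id);
    printf("patched: hooked=%d target=0x%08X\n", b.hooked, b.jmp_target);
    return 0;
}
```

On a live system the bytes would come from reading the exported stub's memory and comparing against the on-disk copy of ntdll; any stub whose prologue decodes as a JMP to an address outside ntdll is the signature this hook leaves.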
closed account (3hMz8vqX)
Okay,
so can you show me the callback???
closed account (13bSLyTq)
Hi,

It feels as if I am simply handing you the source code without it impacting your learning, nor am I making good use of this time.

Please show me your hook callback. From now on I will just tell you what's wrong but not give you code, as I have the feeling you are not learning, but just copy-pasting.

Thanks
closed account (3hMz8vqX)
Okay,
can you explain the entire code, because I didn't understand...
closed account (13bSLyTq)
Again, you need to elaborate: what code do you not understand?
Next, I said show me YOUR callback.
Moreover, you need to learn debugging.

Anyway if you want the direct code without hassle you can pay me $1.
closed account (3hMz8vqX)
Anyway this topic is solved...
I'm not gonna ask any more questions on this thread :(