Question : Application Process Path 2

This was Aflarin's comment on Application Process Path 1
http://www.experts-exchange.com/Programming/Languages/Pascal/Delphi/Q_26413438.html#33496630


I have researched some code regarding "ZwOpenFile", and as I look at the code, it seems to do what I want: to get the application path and name with or without a window or a console.

Only 2 questions to answer.
a. Is this the code that Aflarin is talking about in his comment number 3? Yes or No
b. And where could I find NativeAPI.pas?
library x;

uses
  Windows,
  sysUtils,
  NativeAPI; //I can't find this

type
 // Saved copy of the first 6 bytes of the original ZwOpenFile stub
 OldCode = packed record
  One: dword;
  two: word;
 end;

 // 6-byte patch written over the stub: push <NewZwOpenFile>; ret (32-bit only)
 far_jmp = packed record
  PushOp: byte;
  PushArg: pointer;
  RetOp: byte;
 end;

var
 JmpZwq: far_jmp;   // the push/ret trampoline
 OldZwq: OldCode;   // original bytes, restored around each real call
 PtrZwq: pointer;   // address of ntdll!ZwOpenFile in this process

function ZwOpenFile(OUT FileHandle:PHANDLE;
    const DesiredAccess:ACCESS_MASK;
    const ObjectAttributes:PObjectAttributes;
    OUT IoStatusBlock:PIO_STATUS_BLOCK;
    const ShareAccess,
          OpenOptions:ULONG):NTStatus;
    stdcall; external 'ntdll.dll';

// Temporarily restores the original bytes, calls the real stub, then re-applies the patch.
function TrueZwOpenFile(OUT FileHandle:PHANDLE;
    const DesiredAccess:ACCESS_MASK;
    const ObjectAttributes:PObjectAttributes;
    OUT IoStatusBlock:PIO_STATUS_BLOCK;
    const ShareAccess,
          OpenOptions:ULONG):NTStatus;
    stdcall;
var
 Written: dword;
begin
  // INVALID_HANDLE_VALUE (-1) is the pseudo-handle for the current process
  WriteProcessMemory(INVALID_HANDLE_VALUE, PtrZwq,
                     @OldZwq, SizeOf(OldCode), Written);

  Result := ZwOpenFile(FileHandle,DesiredAccess,ObjectAttributes,IoStatusBlock,ShareAccess,OpenOptions);

  WriteProcessMemory(INVALID_HANDLE_VALUE, PtrZwq,
                     @JmpZwq, SizeOf(far_jmp), Written);
end;

// Replacement that receives every user-mode call to ZwOpenFile in the hooked process.
function NewZwOpenFile(OUT FileHandle:PHANDLE;
    const DesiredAccess:ACCESS_MASK;
    const ObjectAttributes:PObjectAttributes;
    OUT IoStatusBlock:PIO_STATUS_BLOCK;
    const ShareAccess,
          OpenOptions:ULONG):NTStatus;
    stdcall;
var
    s:string;
begin
 // ObjectName is a UNICODE_STRING holding the native (\??\-prefixed) path
 s:=WideCharToString(ObjectAttributes^.ObjectName^.Buffer);

 if uppercase(s)='\??\C:\XSB.TXT' then
 begin
  result:=STATUS_ACCESS_DENIED;
  exit;
 end
 else
  result:=TrueZwOpenFile(FileHandle,DesiredAccess,ObjectAttributes,IoStatusBlock,ShareAccess,OpenOptions);
end;

// Saves the original prologue and overwrites it with the push/ret trampoline.
Procedure SetHook();
var
 Bytes: dword;
begin
  PtrZwq  := GetProcAddress(GetModuleHandle('ntdll.dll'),'ZwOpenFile');
  ReadProcessMemory(INVALID_HANDLE_VALUE, PtrZwq, @OldZwq, SizeOf(OldCode), Bytes);
  JmpZwq.PushOp  := $68;            // push imm32
  JmpZwq.PushArg := @NewZwOpenFile;
  JmpZwq.RetOp   := $C3;            // ret
  WriteProcessMemory(INVALID_HANDLE_VALUE, PtrZwq, @JmpZwq, SizeOf(far_jmp), Bytes);
end;

Procedure Unhook();
var
 Bytes: dword;
begin
  WriteProcessMemory(INVALID_HANDLE_VALUE, PtrZwq, @OldZwq, SizeOf(OldCode), Bytes);
end;

// ??????
// Hook procedure for the WH_GETMESSAGE hook; it only passes the message along.
Function MessageProc(code : integer; wParam : WPARAM;
                    lParam : LPARAM) : LRESULT; stdcall;
begin
 CallNextHookEx(0, Code, wParam, lparam);
 Result := 0;
end;

Procedure SetGlobalHookProc();
begin
 SetWindowsHookEx(WH_GETMESSAGE, @MessageProc, HInstance, 0);
 Sleep(INFINITE);
end;
//

// The mutex makes sure only the first instance installs the global hook.
Procedure SetGlobalHook();
var
 hMutex: dword;
 TrId: dword;
begin
 hMutex := CreateMutex(nil, false, 'ScanerHook');
 if GetLastError <> ERROR_ALREADY_EXISTS then
  CreateThread(nil, 0, @SetGlobalHookProc, nil, 0, TrId)
 else
  CloseHandle(hMutex);
end;

procedure DLLEntryPoint(dwReason: DWord);
begin
  case dwReason of
    DLL_PROCESS_ATTACH: begin
                          SetGlobalHook();
                          SetHook();
                        end;
    DLL_PROCESS_DETACH: begin
                          Unhook();
                        end;
  end;
end;

begin
 DllProc := @DLLEntryPoint;
 DLLEntryPoint(DLL_PROCESS_ATTACH);
end.

Answer : Application Process Path 2

>> Is this the code that Aflarin is talking about in his comment number 3? Is that what you want to say, Aflarin?

I'm afraid the answer is no. I really was talking about hooking ZwOpenFile, but it must be within a kernel-mode driver. Your library x works in user mode, so it can only hook the user-mode proxy of ZwOpenFile. That means your code will intercept ZwOpenFile calls only if they come from a user-mode app/DLL.
I guess when an app calls CreateProcess (or something like that), it goes to NtCreateProcess in kernel mode, and then ZwOpenFile is called by NtCreateProcess from kernel mode. So this call will bypass your hook.

I suggest you read the corresponding article from my post (and examine the article's code). For example, you can find that there are some reasons to hook NtCreateSection instead of ZwOpenFile :)
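The same property the answer describes cuts both ways for a defender: the DLL in the question only patches the user-mode ntdll stub (6 bytes, push imm32 / ret), so an integrity check of that stub is enough to spot this particular hook, while kernel-mode callers are neither hooked nor covered by the check. The following is an added example, not code from the question or the answer: it compares an export's in-memory prologue against a clean copy and decodes the push/ret trampoline. All byte strings and addresses are constructed for illustration (a 32-bit syscall stub shape, a made-up hook address and module range); on a real system the clean copy would come from the on-disk ntdll image.

```python
"""Detect a push/ret inline patch on a user-mode ntdll export stub (added example)."""
import struct
from typing import Optional

# Layout of the far_jmp record from the question on 32-bit Windows:
# 0x68 <imm32 target> 0xC3  ->  push target ; ret
PUSH_IMM32 = 0x68
RET = 0xC3
PATCH_LEN = 6

# Constructed sample of a clean 32-bit ntdll syscall stub:
# mov eax, 74h ; mov edx, 7FFE0300h ; call [edx] ; ret 18h
CLEAN_STUB = bytes.fromhex("B874000000BA0003FE7FFF12C21800")

# Constructed sample of the same stub after a push/ret patch pointing at a
# made-up hook address 0x10001234 (outside the made-up ntdll range below).
HOOK_TARGET = 0x10001234
HOOKED_STUB = (bytes([PUSH_IMM32]) + struct.pack("<I", HOOK_TARGET)
               + bytes([RET]) + CLEAN_STUB[PATCH_LEN:])

# Constructed module range standing in for where ntdll.dll is mapped.
NTDLL_BASE = 0x7C900000
NTDLL_SIZE = 0x000B0000


def decode_push_ret(prologue: bytes) -> Optional[int]:
    """Return the trampoline target if the prologue starts with push imm32; ret."""
    if len(prologue) < PATCH_LEN:
        return None
    if prologue[0] != PUSH_IMM32 or prologue[PATCH_LEN - 1] != RET:
        return None
    return struct.unpack_from("<I", prologue, 1)[0]


def prologue_differs(live: bytes, clean: bytes, length: int = PATCH_LEN) -> bool:
    """True when the first `length` bytes in memory no longer match the clean image."""
    return live[:length] != clean[:length]


def inspect_export(live: bytes, clean: bytes, module_base: int, module_size: int) -> dict:
    """Summarise what an integrity scanner would report for one export stub."""
    target = decode_push_ret(live)
    outside = target is not None and not (module_base <= target < module_base + module_size)
    return {
        "patched": prologue_differs(live, clean),
        "push_ret_trampoline": target is not None,
        "target": target,
        "target_outside_module": outside,
    }


if __name__ == "__main__":
    for name, stub in (("clean", CLEAN_STUB), ("hooked", HOOKED_STUB)):
        print(name, inspect_export(stub, CLEAN_STUB, NTDLL_BASE, NTDLL_SIZE))
```

The byte comparison catches any overwrite of the prologue, not just this trampoline; the decoder is there so a report can say where the detour lands, and a target outside the module that exports the function is the usual signal that the patch was not applied by Windows itself. As the answer notes, none of this observes calls that originate in kernel mode.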

