Question : Application Process Path 2

This was Aflarin's comment on Application Process Path 1
http://www.experts-exchange.com/Programming/Languages/Pascal/Delphi/Q_26413438.html#33496630

I have research a code regarding to "ZwOpenFile"
And, as I look at the code, it seems to get the way I want, to get the application path and name with or without a window or a console.

2 questions only to answer.
a. Is this the code that Aflarin is talking about in his number 3 comment? Yes or NO
b. And where I could find NativeAPI.pas?

         
           
             1:
2:
3:
4:
5:
6:
7:
8:
9:
10:
11:
12:
13:
14:
15:
16:
17:
18:
19:
20:
21:
22:
23:
24:
25:
26:
27:
28:
29:
30:
31:
32:
33:
34:
35:
36:
37:
38:
39:
40:
41:
42:
43:
44:
45:
46:
47:
48:
49:
50:
51:
52:
53:
54:
55:
56:
57:
58:
59:
60:
61:
62:
63:
64:
65:
66:
67:
68:
69:
70:
71:
72:
73:
74:
75:
76:
77:
78:
79:
80:
81:
82:
83:
84:
85:
86:
87:
88:
89:
90:
91:
92:
93:
94:
95:
96:
97:
98:
99:
100:
101:
102:
103:
104:
105:
106:
107:
108:
109:
110:
111:
112:
113:
114:
115:
116:
117:
118:
119:
120:
121:
122:
123:
124:
125:
126:
127:
128:
129:
130:
131:
132:
133:
134:
135:
136:
137:
138:
139:
140:
141:

           
           
          library x;

uses
  Windows,
  sysUtils,
  NativeAPI; //I can't find this

type
 OldCode = packed record
  One: dword;
  two: word;
 end;


far_jmp = packed record
  PuhsOp: byte;
  PushArg: pointer;
  RetOp: byte;
 end;

var
 JmpZwq: far_jmp;
 OldZwq: OldCode;
 PtrZwq: pointer;

function ZwOpenFile(OUT FileHandle:PHANDLE;
    const DesiredAccess:ACCESS_MASK;
    const ObjectAttributes:PObjectAttributes;
    OUT IoStatusBlock:PIO_STATUS_BLOCK;
    const ShareAccess,
          OpenOptions:ULONG):NTStatus;
    stdcall; external 'ntdll.dll';

function TrueZwOpenFile(OUT FileHandle:PHANDLE;
    const DesiredAccess:ACCESS_MASK;
    const ObjectAttributes:PObjectAttributes;
    OUT IoStatusBlock:PIO_STATUS_BLOCK;
    const ShareAccess,
          OpenOptions:ULONG):NTStatus;
    stdcall;

var
 Written: dword;
 begin
  WriteProcessMemory(INVALID_HANDLE_VALUE, PtrZwq,
                     @OldZwq, SizeOf(OldCode), Written);

  Result := ZwOpenFile(FileHandle,DesiredAccess,ObjectAttributes,IoStatusBlock,ShareAccess,OpenOptions);

  WriteProcessMemory(INVALID_HANDLE_VALUE, PtrZwq,
                     @JmpZwq, SizeOf(far_jmp), Written);
end;


function NewZwOpenFile(OUT FileHandle:PHANDLE;
    const DesiredAccess:ACCESS_MASK;
    const ObjectAttributes:PObjectAttributes;
    OUT IoStatusBlock:PIO_STATUS_BLOCK;
    const ShareAccess,
          OpenOptions:ULONG):NTStatus;
    stdcall;
var
    s:string;
begin
 s:=WideCharToString(ObjectAttributes^.ObjectName^.Buffer);


 if uppercase(s)='\??\C:\XSB.TXT' then
 begin
  result:=STATUS_ACCESS_DENIED;
  exit;
 end


 else
 result:=TrueZwOpenFile(FileHandle,DesiredAccess,ObjectAttributes,IoStatusBlock,ShareAccess,OpenOptions);
end;

Procedure SetHook();
var
 Bytes: dword;
begin
  PtrZwq  := GetProcAddress(GetModuleHandle('ntdll.dll'),'ZwOpenFile');
  ReadProcessMemory(INVALID_HANDLE_VALUE, PtrZwq, @OldZwq, SizeOf(OldCode), Bytes);
  JmpZwq.PuhsOp  := $68;
  JmpZwq.PushArg := @NewZwOpenFile;
  JmpZwq.RetOp   := $C3;
  WriteProcessMemory(INVALID_HANDLE_VALUE, PtrZwq, @JmpZwq, SizeOf(far_jmp), Bytes);
end;

Procedure Unhook();
var
 Bytes: dword;
begin
  WriteProcessMemory(INVALID_HANDLE_VALUE, PtrZwq, @OldZwq, SizeOf(OldCode), Bytes);
end;

// ??????
Function MessageProc(code : integer; wParam : word;
                    lParam : longint) : longint; stdcall;
begin
 CallNextHookEx(0, Code, wParam, lparam);
 Result := 0;
end;

Procedure SetGlobalHookProc();
begin
 SetWindowsHookEx(WH_GETMESSAGE, @MessageProc, HInstance, 0);
 Sleep(INFINITE);
end;
//

Procedure SetGlobalHook();
var
 hMutex: dword;
 TrId: dword;
begin
 hMutex := CreateMutex(nil, false, 'ScanerHook');
 if GetLastError = 0 then
 CreateThread(nil, 0, @SetGlobalHookProc, nil, 0, TrId) else
 CloseHandle(hMutex);
end;

procedure DLLEntryPoint(dwReason: DWord);
begin
  case dwReason of
    DLL_PROCESS_ATTACH: begin
                          SetGlobalHook();
                          SetHook();
                        end;
    DLL_PROCESS_DETACH: begin
                          Unhook();
                        end;
  end;
end;


begin
 DllProc := @DLLEntryPoint;
 DLLEntryPoint(DLL_PROCESS_ATTACH);
end.

           
         

Answer : Application Process Path 2

>> Is this the code that Aflarin is talking about in his number 3 comment? Is that you want to say Aflarin?

I'm afraid the answer is no. I really talked about hooking ZwOpenFile, but it must be within kernel mode driver. Your library x is working in user mode. So, it can only hook the user-mode proxy of ZwOpenFile. It means your code will intercept the ZwOpenFile calls only if they come from user-mode app/dll.
I guess when app calls CreateProcess (or something like that), it goes to NtCreateProcess into kernel mode and then ZwOpenFile is called by NtCreateProcess from the kernel mode. So this call will pass by your hook.

I suggest you to read corresponding article from my post (and examine the article's code). For example, you can find that there are some reasons to hook NtCreateSection instead of ZwOpenFile :)