Reading kernel memory from user mode WITHOUT driver

I am writing a program that lists the hooks created by SetWindowsHookEx() in this process:

  • Use GetProcAddress() to get gSharedInfo exported from User32.dll (works, verified)
  • Read user-mode memory at gSharedInfo + 8; the result should be a pointer to the first handle entry. (works, verified)
  • Read user-mode memory at [gSharedInfo] + 8; the result should be the count of handles to enumerate. (works, verified)
  • Read the data from the address obtained in step 2, repeating count times.
  • Check that HANDLEENTRY.bType equals 5 (this means it is an HHOOK). If yes, print the information.

The problem is that although steps 1-3 only touch user-mode memory, step 4 requires the program to read kernel memory. After some research, I discovered that ZwSystemDebugControl can be used to access kernel memory from user mode. So I wrote the following function:

#include <windows.h>

// Definitions that ntdll does not ship in public headers; supplied so the fragment compiles.
typedef struct _MEMORY_CHUNKS {
    UINT Address;   // kernel virtual address to read from
    UINT pData;     // user-mode buffer that receives the bytes
    UINT Length;    // number of bytes to copy
} MEMORY_CHUNKS;
typedef LONG (WINAPI *ZWSYSTEMDEBUGCONTROL)(ULONG, PVOID, ULONG, PVOID, ULONG, PULONG);
#define SysDbgCopyMemoryChunks_0 8   // SYSDBG_COMMAND value for reading virtual memory

BOOL GetKernelMemory(PVOID pKernelAddr, PBYTE pBuffer, ULONG uLength)
{
    MEMORY_CHUNKS mc;
    ULONG uReaded = 0;
    mc.Address = (UINT)pKernelAddr;  // Kernel memory address - input
    mc.pData   = (UINT)pBuffer;      // User-mode memory address - output
    mc.Length  = (UINT)uLength;      // Length
    ULONG st = -1;
    ZWSYSTEMDEBUGCONTROL ZwSystemDebugControl = (ZWSYSTEMDEBUGCONTROL)GetProcAddress(
        GetModuleHandleA("ntdll.dll"), "NtSystemDebugControl");
    if (!ZwSystemDebugControl) return FALSE;
    st = ZwSystemDebugControl(SysDbgCopyMemoryChunks_0, &mc, sizeof(MEMORY_CHUNKS), 0, 0, &uReaded);
    return st == 0;
}

But the above function does not work. uReaded is always 0, and st is always 0xC0000002. How do I fix this error?

My full program: http://pastebin.com/xzYfGdC5

+4
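A worked example of enumeration steps 1-5 above, added here and not part of the original question or its pastebin. The portable part walks a handle table and keeps the entries whose bType is 5, reconstructing the HHOOK value from the table index and wUniq; the 32-bit Windows part fetches the table through gSharedInfo using exactly the offsets the question reports. The HANDLEENTRY layout, TYPE_HOOK == 5, the handle encoding (index in the low word, wUniq in the high word) and the two gSharedInfo offsets are assumptions taken from the post and from public win32k research, and the sample table is constructed. 0xC0000002 is STATUS_NOT_IMPLEMENTED, so nothing here calls NtSystemDebugControl.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* 32-bit win32k HANDLEENTRY layout (phead, pOwner, bType, bFlags, wUniq).
 * Assumed here from ReactOS / public win32k research; x86 only
 * (on x64 each entry is 24 bytes). */
typedef struct {
    uint32_t phead;   /* kernel-mode pointer to the object's HEAD */
    uint32_t pOwner;  /* owning thread/process info (kernel pointer) */
    uint8_t  bType;   /* object type; 5 is the hook type */
    uint8_t  bFlags;
    uint16_t wUniq;   /* uniqueness counter, becomes the high word of the handle */
} HANDLEENTRY32;

#define TYPE_FREE 0
#define TYPE_HOOK 5   /* the bType == 5 check from the question */

typedef struct {
    uint32_t handle;  /* HHOOK value: HIWORD = wUniq, LOWORD = table index */
    uint32_t phead;
    uint32_t pOwner;
} HOOK_INFO;

/* Walk `count` entries of a handle table and collect the hook entries.
 * Returns the number of hook entries found; at most max_out are written. */
size_t collect_hooks(const HANDLEENTRY32 *table, size_t count,
                     HOOK_INFO *out, size_t max_out)
{
    size_t found = 0;
    for (size_t i = 0; i < count; i++) {
        if (table[i].bType != TYPE_HOOK)
            continue;
        if (found < max_out) {
            out[found].handle = ((uint32_t)table[i].wUniq << 16) | (uint32_t)i;
            out[found].phead  = table[i].phead;
            out[found].pOwner = table[i].pOwner;
        }
        found++;
    }
    return found;
}

/* Constructed sample table standing in for aheList; not data from a real system. */
static const HANDLEENTRY32 sample_table[] = {
    { 0x00000000, 0x00000000, TYPE_FREE, 0, 0x0000 },
    { 0xFE5A1230, 0xFE4C0010, 1,         0, 0x0001 }, /* a window entry, skipped */
    { 0xFE5A4560, 0xFE4C0020, TYPE_HOOK, 0, 0x0003 },
    { 0xFE5A7890, 0xFE4C0020, TYPE_HOOK, 0, 0x0007 },
    { 0x00000000, 0x00000000, TYPE_FREE, 0, 0x0000 },
};
#define SAMPLE_COUNT (sizeof sample_table / sizeof sample_table[0])

size_t sample_hook_count(void)
{
    HOOK_INFO hooks[8];
    return collect_hooks(sample_table, SAMPLE_COUNT, hooks, 8);
}

uint32_t sample_first_hook_handle(void)
{
    HOOK_INFO hooks[8];
    collect_hooks(sample_table, SAMPLE_COUNT, hooks, 8);
    return hooks[0].handle;   /* index 2 with wUniq 3 -> 0x00030002 */
}

#if defined(_WIN32) && !defined(_WIN64)
#include <windows.h>
/* Live variant for 32-bit Windows, using the offsets reported in the question:
 * gSharedInfo + 8 -> handle table, [gSharedInfo] + 8 -> entry count.
 * Both offsets are version-specific assumptions, not verified here. */
size_t live_hook_count(HOOK_INFO *out, size_t max_out)
{
    HMODULE user32 = LoadLibraryA("user32.dll");
    BYTE *gSharedInfo = user32 ? (BYTE *)GetProcAddress(user32, "gSharedInfo") : NULL;
    if (!gSharedInfo)
        return 0;
    const HANDLEENTRY32 *table = *(const HANDLEENTRY32 **)(gSharedInfo + 8);
    const BYTE *psi = *(const BYTE **)gSharedInfo;
    ULONG count = *(const ULONG *)(psi + 8);
    return collect_hooks(table, count, out, max_out);
}
#endif

int main(void)
{
    HOOK_INFO hooks[64];
    size_t n = collect_hooks(sample_table, SAMPLE_COUNT, hooks, 64);
    printf("sample table: %zu hook entries\n", n);
    for (size_t i = 0; i < n; i++)
        printf("  HHOOK 0x%08x phead=0x%08x pOwner=0x%08x\n",
               hooks[i].handle, hooks[i].phead, hooks[i].pOwner);
#if defined(_WIN32) && !defined(_WIN64)
    n = live_hook_count(hooks, 64);
    printf("live table: %zu hook entries\n", n);
#endif
    return 0;
}
```

The live path is deliberately x86 only: the question's UINT casts and this 12-byte entry layout both break on x64, where pointers do not fit in a UINT and HANDLEENTRY is 24 bytes. What the example does not do is dereference phead; that is a kernel address, and reading it is the part of the procedure the question could not solve from user mode.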
2 answers

MSFT did not implement the NtSystemDebugControl syscall after Windows XP.

+3

Meltdown Intel 500 /, .

0
