How to get the DLL

#10865 by utsav.0202
Fri Jan 06, 2012 10:32 am

Hi,
There is this function

HHOOK NtUserSetWindowsHookEx(HINSTANCE Mod, 
								PUNICODE_STRING UnsafeModuleName, 
								DWORD ThreadId, 
								INT HookId, 
								PVOID HookProc, 
								BOOL Ansi)

that injects DLL represented by 'Mod'.
How do I get the name and path of this DLL?

Thanks and Regards
Utsav

Username

utsav.0202

Posts

61

Joined

Mon Apr 11, 2011 2:04 pm

Re: How to get the DLL

#10867 by Vrtule
Fri Jan 06, 2012 12:37 pm

Nt/ZwQueryVirtualMemory with MemoryMappedFilenameInformation should do the job. However, I am not sure whether this routine is exported by the kernel.

Username

Vrtule

Posts

468

Joined

Sat Mar 13, 2010 9:14 pm

Location

Czech Republic

Contact

Re: How to get the DLL

#10878 by EP_X0FF
Fri Jan 06, 2012 5:20 pm

Vrtule wrote:Nt/ZwQueryVirtualMemory with MemoryMappedFilenameInformation should do the job. However, I am not sure whether this routine is exported by the kernel.

The problem is that KM variant of this routine not exists in some OS versions (2k, XP, 2k3), neither documented or not. There a big variety of workarounds here - mostly dirty system hacks (peb walking in driver, forced service call simulation, even vad tree parsing). Probably the best solution is to notify user mode app about the event and pass required information to your UM routine that will call NtQueryVirtualMemory/VirtualQueryEx and after that return data to driver.

Ring0 - the source of inspiration

Username

EP_X0FF

Rank

Global Moderator

Posts

4947

Joined

Sun Mar 07, 2010 5:35 am

Location

Russian Federation

Contact