API Hook OpenProcess

Messages postés
18
Date d'inscription
dimanche 8 mai 2005
Statut
Membre
Dernière intervention
13 janvier 2006
- - Dernière réponse : GeneticW
Messages postés
35
Date d'inscription
samedi 3 juin 2006
Statut
Membre
Dernière intervention
23 avril 2011
- 13 avril 2007 à 06:04
Hi guys.

I try get some help in this problem.

API Openprocess which within its parameters uses a PID, the this delivery the use of some of these APIs :

pid = FindWindow -> parameters ...
pid = GetHProcExe -> parameters ...
pid = GetWindowProcessID -> parameters ...

OpenProcess(reqdAccess, bInherit , pid )

Is posible using DLL hook Specify Program and Intercept value the PID when is used in OpenProcess API ?

Is required some Event where i know the PID value used in Program Injected.

Any idea ?
Afficher la suite 

11 réponses

Messages postés
4936
Date d'inscription
lundi 17 février 2003
Statut
Modérateur
Dernière intervention
14 février 2014
32
0
Merci
hi...

you want another process PID or current application PID ?

Sébastien FERRAND
[MVP C#]
Commenter la réponse de sebmafate
Messages postés
18
Date d'inscription
dimanche 8 mai 2005
Statut
Membre
Dernière intervention
13 janvier 2006
0
Merci
From my .Net code Set PID value the external program and Spy or Hook when if use API OpenProcess and when use API OpenProcess then capture the values used in PID parameter.

Cheat use API OpenProcess(reqdAccess, bInherit , pid ) so in PID values is the GAME PID in memory.

Game is not .Net code.

Understand me ?
Commenter la réponse de vitoto
Messages postés
4936
Date d'inscription
lundi 17 février 2003
Statut
Modérateur
Dernière intervention
14 février 2014
32
0
Merci
if you know process name, you can find process id with System.Diagnostics.Process class.

Example :

foreach( Process p in Process.GetProcessesByName("yourProcessName")) {
/// if p is the process you are searching
/// p.Id is its PID
}

you can use Process.GetProcesses method too.

But if you want to use win32 APIs, i can't help you, sorry.

Sébastien FERRAND
[MVP C#]
Commenter la réponse de sebmafate
Messages postés
18
Date d'inscription
dimanche 8 mai 2005
Statut
Membre
Dernière intervention
13 janvier 2006
0
Merci
Yes i know man, i need LOG, SPY or HOOK when any program use API OpenProcess.
Commenter la réponse de vitoto
Messages postés
4936
Date d'inscription
lundi 17 février 2003
Statut
Modérateur
Dernière intervention
14 février 2014
32
0
Merci
you can't make system hook with .net... you must use win32 dll (c++)

Sébastien FERRAND
[MVP C#]
Commenter la réponse de sebmafate
Messages postés
18
Date d'inscription
dimanche 8 mai 2005
Statut
Membre
Dernière intervention
13 janvier 2006
0
Merci
Thank you, so alternative to system Hook, some Remote Hook is posible ?

I Re-formule the problem and use Samples and images for help.

Global Model Image.

Detail :
This is the API OpenProcess or Class in .Net GetProcessID
/library/en-us/wcekernl/html/_wcesdk_win32_OpenProcess.asp http:<WBR>/<WBR>/<WBR>msdn.<WBR>microsoft.<WBR>com/<WBR>library/<WBR>default.<WBR>asp?<WBR>url=<WBR>/<WBR>library/<WBR>en-<WBR>us/<WBR>wcekernl/<WBR>html/<WBR>_<WBR>wcesdk_<WBR>win32_<WBR>OpenProcess.<WBR>asp

Cheat program use the API and use in parameter PID the Game in Memory.
Game is not .Net program, i not have source, only launch from .Net code.

Example : Game Pid is : 5675

When cheat program "program01.exe(pid 1234)" use the API then in parameters use the value 5675.

Example :

IDProcess = 5675
HandleWindow = OpenProcess(PROCESS_ALL_ACCESS,False,IDP<WBR>rocess);

For get value 5675 use others APIs :

IDProcess = FindWindow -> Get using Window Name -> "Game Window Name"
IDProcess = GetHProcExe -> Get using game.exe
IDProcess = GetWindowProcessID -> Get using Directly IDProcess -> PID the Game.exe

I not want stop this 3 methods, i need Stop OpenProcess where values will be passed.

After OpenProcess get Access to Game Process using parameter : PROCESS_ALL_ACCESS
Return HandleWindow and use after in API WriteProcessMemory
WriteProcessMemory(HandleWindow, Offset, Value, 1, 0&)

From my ".Net Program" i use PID 1234 "program01.exe" for Spy, Hook or Intercept if Use API OpenProcess.

When program01.exe was detected using the API OpenProcess then Log, Hook or Intercept the value in parameter used.

If value is IDProcess = 5675, then assume "program01.exe" is Cheat Program trying attack GAME Process.

After check program02.exe and detect not using API OpenProcess, skip for monitor others process.

I Can scan all process alrey running enumerating Process in memory and for get all new programs open in RealTime using "WMI and Win32_ProcessStartTrace", you can look Sample code working in VB.Net 2003 and 2005.
Only need update XP SP2 to last update.

Imports System.Management

Public Class Form1
Inherits System.Windows.Forms.Form

#Region " Windows Form Designer generated code " ....

Dim q As New EventQuery("SELECT * FROM Win32_ProcessStartTrace")
WithEvents w As New ManagementEventWatcher(q)
Private Sub Form1_Load(ByVal sender As System.Object, ByVal e As System.EventArgs) Handles MyBase.Load
'start subscribing to WMI event
w.Start()
End Sub
Private Sub ProcStartEventArrived(ByVal sender As Object, ByVal e As EventArrivedEventArgs) Handles w.EventArrived
'Get the Event object and display it
TextBox1.Text += e.NewEvent("ProcessName") & Environment.NewLine
End Sub

Private Sub Form1_Closing(ByVal sender As Object, ByVal e As System.ComponentModel.CancelEventArgs) Handles MyBase.Closing
'stop subscribing to WMI event
w.Stop()
End Sub
End Class

If you have problem in updates, only can use e.NewEvent("ProcessName"), If you have last update then use e.NewEvent("ProcessID") too.

Backing my problem.
If is necesary some win32 dll (c++), you know where i can found ?

Any can help me ?
Commenter la réponse de vitoto
Messages postés
6352
Date d'inscription
samedi 1 juin 2002
Statut
Modérateur
Dernière intervention
2 août 2014
75
0
Merci
Eh beh, heureusement que nous sommes sur une communauté francophone...

/*
coq
MVP Visual C#
*/
Commenter la réponse de cs_coq
Messages postés
18
Date d'inscription
dimanche 8 mai 2005
Statut
Membre
Dernière intervention
13 janvier 2006
0
Merci
I try translate the post.
Commenter la réponse de vitoto
Messages postés
5507
Date d'inscription
dimanche 4 août 2002
Statut
Modérateur
Dernière intervention
20 juin 2013
42
0
Merci
lol, allez coq sort nous ton Anglais


<HR>

[Pub] http://www.csharpfr.com/auteurdetail.aspx?ID=13319 [\Pub]
C# forever
Commenter la réponse de cs_Bidou
Messages postés
18
Date d'inscription
dimanche 8 mai 2005
Statut
Membre
Dernière intervention
13 janvier 2006
0
Merci
I need a service that Intercepts all the programs that use the API OpenProcess and that the value that returns HandleWindow is passed to an application Net, or better even it passes the value that uses like IDProcess parameter. HandleWindow = OpenProcess(PROCESS_ALL_ACCESS, False, IDProcess);

J'ai besoin d'un service qui arrête tous les programmes qui emploient l'api OpenProcess et qui la valeur qui retourne HandleWindow est passé à un filet d'application, ou meilleur égal elle passe la valeur qui emploie comme le paramètre d'IDProcess.

HandleWindow = OpenProcess(PROCESS_ALL_ACCESS, Faux, IDProcess);

Is Posible ?
Commenter la réponse de vitoto
Messages postés
35
Date d'inscription
samedi 3 juin 2006
Statut
Membre
Dernière intervention
23 avril 2011
0
Merci
yeah it's possible. but only in c++ like it has been said, not in DOT NET
there is a guy that made something similar to what you want and he gave source FREE

the code was intended to show other program that access that API,
but you'll have to make the part of returning a different value.

www.rootkit.com/vault/hoglund/Governor.zip

would be nice if you post your end code here.
----------------------
Désolé les gars, j'ai répondu en Anglais parce que le gars parle ni francais ni anglais.
certains bout ses commentaire sont meme difficile a lire en anglais.

Le gars veut un code permettant d'intercepter les call a un API et d'envoyer une reponse differente.  j'ai fournit un code qui (va parraitre d'ici AOUT 2007 dans un nouveau livre sur la programmation des Hack pour jeu) qui intercepte les appels a cet API.
Commenter la réponse de GeneticW