[ithurricane]

I use shadow hook like kaspersky do it on X64,
and hook is success,but in hook function, it always return error:

Code: Select all

HANDLE NtUserCreateWindowExCallBack(
		ULONG64  	dwExStyle,
		ULONG64  	plstrClassName,
		ULONG64  	plstrClsVersion,
		ULONG64  	plstrWindowName,
		ULONG64  	dwStyle,
		ULONG64  	x,
		ULONG64  	y,
		ULONG64  	nWidth,
		ULONG64  	nHeight,
		ULONG64  	hWndParent,
		ULONG64  	hMenu,
		ULONG64  	hInstance,
		ULONG64  	lpParam,
		ULONG64  	dwFlags,
		ULONG64  	acbiBuffer 								 
								 )
{
	HANDLE Handle;
	
	Handle = RealNtUserCreateWindowEx( 
		  	dwExStyle,
		  	plstrClassName,
		  	plstrClsVersion,
		  	plstrWindowName,
		  	dwStyle,
		  	x,
		  	y,
		  	nWidth,
		  	nHeight,
		  	hWndParent,
		  	hMenu,
		  	hInstance,
		  	lpParam,
		  	dwFlags,
		  	acbiBuffer );
   return Handle;
}

but Handle is always 0,
so I want to know how to deal with the 15 params?
Tank you for help!!! :geek:

[nullptr]

I've not tested/looked but the declaration should be no different to x86-32.

Code: Select all

HWND NTAPI NtUserCreateWindowEx ( 
    DWORD          dwExStyle,  
    PLARGE_STRING  plstrClassName,  
    PLARGE_STRING  plstrClsVersion,  
    PLARGE_STRING  plstrWindowName,  
    DWORD          dwStyle,  
    int            x,  
    int            y,  
    int            nWidth,  
    int            nHeight,  
    HWND           hWndParent,  
    HMENU          hMenu,  
    HINSTANCE      hInstance,  
    LPVOID         lpParam,  
    DWORD          dwFlags,  
    PVOID          acbiBuffer  
);

All pointers and handles will automatically be 8 bytes, int and DWORD will remain at 4 bytes.

[EP_X0FF]

Defining everything as ulong64 type was a definitelly great idea :sarcasm: If you don't know why they are declated like on win32 and nullptr post, then omg why you want to change behaviour of this routine. And your hooking won't work on win8 which means it is useless as you can expect PatchGuard update to win7 in any patch at any time.

[ithurricane]

Yes, I also declare as it, but also failed,
I disasm my function, and compare to system function,
Is it have any problem?

Code: Select all

fffff880`02dbf900 4c894c2420      mov     qword ptr [rsp+20h],r9
fffff880`02dbf905 4c89442418      mov     qword ptr [rsp+18h],r8
fffff880`02dbf90a 4889542410      mov     qword ptr [rsp+10h],rdx
fffff880`02dbf90f 894c2408        mov     dword ptr [rsp+8],ecx
fffff880`02dbf913 4881eca8000000  sub     rsp,0A8h
fffff880`02dbf91a 488b842420010000 mov     rax,qword ptr [rsp+120h]
fffff880`02dbf922 4889442470      mov     qword ptr [rsp+70h],rax
fffff880`02dbf927 8b842418010000  mov     eax,dword ptr [rsp+118h]
fffff880`02dbf92e 89442468        mov     dword ptr [rsp+68h],eax
fffff880`02dbf932 488b842410010000 mov     rax,qword ptr [rsp+110h]
fffff880`02dbf93a 4889442460      mov     qword ptr [rsp+60h],rax
fffff880`02dbf93f 488b842408010000 mov     rax,qword ptr [rsp+108h]
fffff880`02dbf947 4889442458      mov     qword ptr [rsp+58h],rax
fffff880`02dbf94c 488b842400010000 mov     rax,qword ptr [rsp+100h]
fffff880`02dbf954 4889442450      mov     qword ptr [rsp+50h],rax
fffff880`02dbf959 488b8424f8000000 mov     rax,qword ptr [rsp+0F8h]
fffff880`02dbf961 4889442448      mov     qword ptr [rsp+48h],rax
fffff880`02dbf966 8b8424f0000000  mov     eax,dword ptr [rsp+0F0h]
fffff880`02dbf96d 89442440        mov     dword ptr [rsp+40h],eax
fffff880`02dbf971 8b8424e8000000  mov     eax,dword ptr [rsp+0E8h]
fffff880`02dbf978 89442438        mov     dword ptr [rsp+38h],eax
fffff880`02dbf97c 8b8424e0000000  mov     eax,dword ptr [rsp+0E0h]
fffff880`02dbf983 89442430        mov     dword ptr [rsp+30h],eax
fffff880`02dbf987 8b8424d8000000  mov     eax,dword ptr [rsp+0D8h]
fffff880`02dbf98e 89442428        mov     dword ptr [rsp+28h],eax
fffff880`02dbf992 8b8424d0000000  mov     eax,dword ptr [rsp+0D0h]
fffff880`02dbf999 89442420        mov     dword ptr [rsp+20h],eax
fffff880`02dbf99d 4c8b8c24c8000000 mov     r9,qword ptr [rsp+0C8h]
fffff880`02dbf9a5 4c8b8424c0000000 mov     r8,qword ptr [rsp+0C0h]
fffff880`02dbf9ad 488b9424b8000000 mov     rdx,qword ptr [rsp+0B8h]
fffff880`02dbf9b5 8b8c24b0000000  mov     ecx,dword ptr [rsp+0B0h]
fffff880`02dbf9bc ff1546d30000    call    qword ptr [block!RealNtUserCreateWindowEx (fffff880`02dccd08)]




                                                      mov     rcx, [rsp+368h+var_2C0]
.text:0000000078C30315                 mov     r9, [rsp+368h+var_2A0]
.text:0000000078C3031D                 mov     r8, rsi

.text:0000000078C30320                 mov     [rsp+368h+var_2F8], rcx     // acbiBuffer

.text:0000000078C30325                 mov     ecx, [rsp+368h+var_2D0]

.text:0000000078C3032C                 mov     [rsp+368h+var_300], eax   // dwFlags

.text:0000000078C30330                 mov     rax, [rsp+368h+var_290]   
.text:0000000078C30338                 mov     rdx, rdi

.text:0000000078C3033B                 mov     [rsp+368h+var_308], rax   // lpParam

.text:0000000078C30340                 mov     rax, [rsp+368h+var_298]
.text:0000000078C30348                 mov     [rsp+368h+var_310], rax             // hInstance
.text:0000000078C3034D                 mov     rax, [rsp+368h+var_268]
.text:0000000078C30355                 mov     [rsp+368h+var_318], rax            // hMenu
.text:0000000078C3035A                 mov     rax, [rsp+368h+var_2A8]
.text:0000000078C30362                 mov     [rsp+368h+var_320], rax            // hWndParent


.text:0000000078C30367                 mov     eax, [rsp+368h+arg_28]

.text:0000000078C3036E                 mov     [rsp+368h+var_328], r14d             // nHeight
.text:0000000078C30373                 mov     [rsp+368h+var_330], r15d            // nWidth
.text:0000000078C30378                 mov     [rsp+368h+var_338], eax              // y

.text:0000000078C3037C                 mov     eax, [rsp+368h+arg_20]
.text:0000000078C30383                 mov     [rsp+368h+var_340], eax               // x

.text:0000000078C30387                 mov     eax, [rsp+368h+var_2CC]
.text:0000000078C3038E                 mov     dword ptr [rsp+368h+var_348], eax // dwStyle

.text:0000000078C30392                 call    ZwUserCreateWindowEx

I've not tested/looked but the declaration should be no different to x86-32.

Code: Select all

HWND NTAPI NtUserCreateWindowEx ( 
    DWORD          dwExStyle,  
    PLARGE_STRING  plstrClassName,  
    PLARGE_STRING  plstrClsVersion,  
    PLARGE_STRING  plstrWindowName,  
    DWORD          dwStyle,  
    int            x,  
    int            y,  
    int            nWidth,  
    int            nHeight,  
    HWND           hWndParent,  
    HMENU          hMenu,  
    HINSTANCE      hInstance,  
    LPVOID         lpParam,  
    DWORD          dwFlags,  
    PVOID          acbiBuffer  
);

All pointers and handles will automatically be 8 bytes, int and DWORD will remain at 4 bytes.

[ithurricane]

Defining everything as ulong64 type was a definitelly great idea :sarcasm: If you don't know why they are declated like on win32 and nullptr post, then omg why you want to change behaviour of this routine. And your hooking won't work on win8 which means it is useless as you can expect PatchGuard update to win7 in any patch at any time.

Yes, you are right, but now I want to hook it on win7X64, and I declated like on win32 and nullptr post, but also failed...
Failed at win32k!ValidateHmenu likes hMenu is not right....
Maybe param at stack(esp) is wrong at first?
Do you have any idea?

Code: Select all

fffff880`02dbf900 4c894c2420      mov     qword ptr [rsp+20h],r9
fffff880`02dbf905 4c89442418      mov     qword ptr [rsp+18h],r8
fffff880`02dbf90a 4889542410      mov     qword ptr [rsp+10h],rdx
fffff880`02dbf90f 894c2408        mov     dword ptr [rsp+8],ecx
fffff880`02dbf913 4881eca8000000  sub     rsp,0A8h
fffff880`02dbf91a 488b842420010000 mov     rax,qword ptr [rsp+120h]
fffff880`02dbf922 4889442470      mov     qword ptr [rsp+70h],rax
fffff880`02dbf927 8b842418010000  mov     eax,dword ptr [rsp+118h]
fffff880`02dbf92e 89442468        mov     dword ptr [rsp+68h],eax
fffff880`02dbf932 488b842410010000 mov     rax,qword ptr [rsp+110h]
fffff880`02dbf93a 4889442460      mov     qword ptr [rsp+60h],rax
fffff880`02dbf93f 488b842408010000 mov     rax,qword ptr [rsp+108h]
fffff880`02dbf947 4889442458      mov     qword ptr [rsp+58h],rax
fffff880`02dbf94c 488b842400010000 mov     rax,qword ptr [rsp+100h]
fffff880`02dbf954 4889442450      mov     qword ptr [rsp+50h],rax
fffff880`02dbf959 488b8424f8000000 mov     rax,qword ptr [rsp+0F8h]
fffff880`02dbf961 4889442448      mov     qword ptr [rsp+48h],rax
fffff880`02dbf966 8b8424f0000000  mov     eax,dword ptr [rsp+0F0h]
fffff880`02dbf96d 89442440        mov     dword ptr [rsp+40h],eax
fffff880`02dbf971 8b8424e8000000  mov     eax,dword ptr [rsp+0E8h]
fffff880`02dbf978 89442438        mov     dword ptr [rsp+38h],eax
fffff880`02dbf97c 8b8424e0000000  mov     eax,dword ptr [rsp+0E0h]
fffff880`02dbf983 89442430        mov     dword ptr [rsp+30h],eax
fffff880`02dbf987 8b8424d8000000  mov     eax,dword ptr [rsp+0D8h]
fffff880`02dbf98e 89442428        mov     dword ptr [rsp+28h],eax
fffff880`02dbf992 8b8424d0000000  mov     eax,dword ptr [rsp+0D0h]
fffff880`02dbf999 89442420        mov     dword ptr [rsp+20h],eax
fffff880`02dbf99d 4c8b8c24c8000000 mov     r9,qword ptr [rsp+0C8h]
fffff880`02dbf9a5 4c8b8424c0000000 mov     r8,qword ptr [rsp+0C0h]
fffff880`02dbf9ad 488b9424b8000000 mov     rdx,qword ptr [rsp+0B8h]
fffff880`02dbf9b5 8b8c24b0000000  mov     ecx,dword ptr [rsp+0B0h]
fffff880`02dbf9bc ff1546d30000    call    qword ptr [block!RealNtUserCreateWindowEx (fffff880`02dccd08)]




                                                 mov     rcx, [rsp+368h+var_2C0]
.text:0000000078C30315                 mov     r9, [rsp+368h+var_2A0]
.text:0000000078C3031D                 mov     r8, rsi

.text:0000000078C30320                 mov     [rsp+368h+var_2F8], rcx     // acbiBuffer

.text:0000000078C30325                 mov     ecx, [rsp+368h+var_2D0]

.text:0000000078C3032C                 mov     [rsp+368h+var_300], eax   // dwFlags

.text:0000000078C30330                 mov     rax, [rsp+368h+var_290]   
.text:0000000078C30338                 mov     rdx, rdi

.text:0000000078C3033B                 mov     [rsp+368h+var_308], rax   // lpParam

.text:0000000078C30340                 mov     rax, [rsp+368h+var_298]
.text:0000000078C30348                 mov     [rsp+368h+var_310], rax             // hInstance
.text:0000000078C3034D                 mov     rax, [rsp+368h+var_268]
.text:0000000078C30355                 mov     [rsp+368h+var_318], rax            // hMenu
.text:0000000078C3035A                 mov     rax, [rsp+368h+var_2A8]
.text:0000000078C30362                 mov     [rsp+368h+var_320], rax            // hWndParent


.text:0000000078C30367                 mov     eax, [rsp+368h+arg_28]

.text:0000000078C3036E                 mov     [rsp+368h+var_328], r14d             // nHeight
.text:0000000078C30373                 mov     [rsp+368h+var_330], r15d            // nWidth
.text:0000000078C30378                 mov     [rsp+368h+var_338], eax              // y

.text:0000000078C3037C                 mov     eax, [rsp+368h+arg_20]
.text:0000000078C30383                 mov     [rsp+368h+var_340], eax               // x

.text:0000000078C30387                 mov     eax, [rsp+368h+var_2CC]
.text:0000000078C3038E                 mov     dword ptr [rsp+368h+var_348], eax // dwStyle

.text:0000000078C30392                 call    ZwUserCreateWindowEx

[ithurricane]

Defining everything as ulong64 type was a definitelly great idea :sarcasm: If you don't know why they are declated like on win32 and nullptr post, then omg why you want to change behaviour of this routine. And your hooking won't work on win8 which means it is useless as you can expect PatchGuard update to win7 in any patch at any time.

I solved the problem, it caused by I forgot to set params num to shadowtable...
Thanks for EP_X0FF and nullptr help

[myid]

I've not tested/looked but the declaration should be no different to x86-32.

Code: Select all

HWND NTAPI NtUserCreateWindowEx ( 
    DWORD          dwExStyle,  
    PLARGE_STRING  plstrClassName,  
    PLARGE_STRING  plstrClsVersion,  
    PLARGE_STRING  plstrWindowName,  
    DWORD          dwStyle,  
    int            x,  
    int            y,  
    int            nWidth,  
    int            nHeight,  
    HWND           hWndParent,  
    HMENU          hMenu,  
    HINSTANCE      hInstance,  
    LPVOID         lpParam,  
    DWORD          dwFlags,  
    PVOID          acbiBuffer  
);

All pointers and handles will automatically be 8 bytes, int and DWORD will remain at 4 bytes.

What is "LARGE_STRING"? What difference between "LARGE_STRING" and "UNICODE_STRING"?

[EP_X0FF]

What is "LARGE_STRING"? What difference between "LARGE_STRING" and "UNICODE_STRING"?

Code: Select all

typedef struct _LARGE_STRING {
    ULONG Length;
    ULONG MaximumLength : 31;
    ULONG bAnsi : 1;
    PVOID Buffer;
} LARGE_STRING, *PLARGE_STRING;

[myid]

What is "LARGE_STRING"? What difference between "LARGE_STRING" and "UNICODE_STRING"?

Code: Select all

typedef struct _LARGE_STRING {
    ULONG Length;
    ULONG MaximumLength : 31;
    ULONG bAnsi : 1;
    PVOID Buffer;
} LARGE_STRING, *PLARGE_STRING;

You are a great Russian man! Putin will bless you! :lol: