A forum for reverse engineering, OS internals and malware analysis 

Ask your beginner questions here.
 #10865  by utsav.0202
 Fri Jan 06, 2012 10:32 am
Hi,
There is this function
Code:
HHOOK NtUserSetWindowsHookEx(HINSTANCE Mod,
                             PUNICODE_STRING UnsafeModuleName,
                             DWORD ThreadId,
                             INT HookId,
                             PVOID HookProc,
                             BOOL Ansi)
that injects the DLL represented by 'Mod'.
How do I get the name and path of this DLL?

Thanks and Regards
Utsav
 #10867  by Vrtule
 Fri Jan 06, 2012 12:37 pm
Nt/ZwQueryVirtualMemory with MemoryMappedFilenameInformation should do the job. However, I am not sure whether this routine is exported by the kernel.
 #10878  by EP_X0FF
 Fri Jan 06, 2012 5:20 pm
Vrtule wrote: Nt/ZwQueryVirtualMemory with MemoryMappedFilenameInformation should do the job. However, I am not sure whether this routine is exported by the kernel.
The problem is that the KM variant of this routine does not exist in some OS versions (2k, XP, 2k3), neither documented nor undocumented. There is a big variety of workarounds here - mostly dirty system hacks (PEB walking in the driver, forced service call simulation, even VAD tree parsing). Probably the best solution is to notify the user-mode app about the event and pass the required information to your UM routine, which will call NtQueryVirtualMemory/VirtualQueryEx and after that return the data to the driver.
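The user-mode side of the approach EP_X0FF describes, as an added example that is not from the thread: it resolves a module base (the HINSTANCE passed as 'Mod') to its backing file with NtQueryVirtualMemory and MemoryMappedFilenameInformation, and parses the returned block, which is also what the constructed sample exercises offline. The NT_USTRING type, the function names and the 2048-byte reply buffer are this example's own choices, not anything the thread specifies.

```c
#include <stdint.h>
#include <string.h>
/* UNICODE_STRING as ntdll lays it out. MemoryMappedFilenameInformation returns one of
 * these followed by the WCHAR data it points into (the MEMORY_SECTION_NAME block). */
typedef struct { uint16_t Length; uint16_t MaximumLength; uint16_t *Buffer; } NT_USTRING;
/* Copy the path out of such a block as a narrow string (non-ASCII code units become
 * '?'). Returns characters written, 0 if the block is malformed. Note that Length is
 * in bytes and the result is an NT device path (\Device\...), not a DOS path. */
size_t mapped_name_to_ascii(const void *info, size_t info_len, char *out, size_t out_len)
{
    const NT_USTRING *us = (const NT_USTRING *)info;
    if (info_len < sizeof *us || out_len == 0 || us->Buffer == NULL) return 0;
    uintptr_t off = (uintptr_t)us->Buffer - (uintptr_t)info;  /* Buffer must lie in the block */
    if (off < sizeof *us || off > info_len || us->Length > info_len - off) return 0;
    size_t n = us->Length / 2;
    if (n >= out_len) n = out_len - 1;
    for (size_t i = 0; i < n; i++) out[i] = us->Buffer[i] < 0x80 ? (char)us->Buffer[i] : '?';
    out[n] = '\0';
    return n;
}
/* Module file name: last component of the NT path. */
const char *nt_path_basename(const char *p) { const char *s = strrchr(p, '\\'); return s ? s + 1 : p; }
/* Constructed sample, not a real query result: a block laid out the way ntdll
 * returns it, so the parser can be exercised offline. */
const void *build_sample_info(const char *nt_path, size_t *info_len)
{
    static union { NT_USTRING hdr; uint8_t raw[512]; } blk;
    size_t n = strlen(nt_path), need = sizeof(NT_USTRING) + (n + 1) * 2;
    if (need > sizeof blk) return NULL;
    blk.hdr.Buffer = (uint16_t *)(blk.raw + sizeof blk.hdr);
    blk.hdr.Length = (uint16_t)(n * 2);
    blk.hdr.MaximumLength = (uint16_t)((n + 1) * 2);
    for (size_t i = 0; i <= n; i++) blk.hdr.Buffer[i] = (uint8_t)nt_path[i];
    *info_len = need;
    return &blk;
}
#ifdef _WIN32   /* the live query, as the user-mode helper in the thread would make it */
#include <windows.h>
typedef LONG (NTAPI *NtQueryVirtualMemory_t)(HANDLE, PVOID, ULONG, PVOID, SIZE_T, PSIZE_T);
#define MemoryMappedFilenameInformation 2       /* MEMORY_INFORMATION_CLASS value */
int query_mapped_file(HANDLE process, void *module_base, char *out, size_t out_len)
{
    NtQueryVirtualMemory_t fn = (NtQueryVirtualMemory_t)
        GetProcAddress(GetModuleHandleW(L"ntdll.dll"), "NtQueryVirtualMemory");
    union { NT_USTRING hdr; uint8_t raw[sizeof(NT_USTRING) + 2048]; } blk;
    SIZE_T ret = 0;
    if (!fn || fn(process, module_base, MemoryMappedFilenameInformation, &blk, sizeof blk, &ret) < 0) return -1;
    return mapped_name_to_ascii(&blk, ret, out, out_len) ? 0 : -1;
}
#endif
```

The path comes back in \Device\HarddiskVolumeN form; mapping it to a drive letter is a separate step (QueryDosDevice does that on the user-mode side).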