

We're not really interested in NtWriteVirtualMemory/NtReadVirtualMemo…
…ry on ourselves -- it's effectively no different from using pointers with a registered exception handler, and some samples use it simply to clutter up logs or frustrate emulation. Stop logging these cases.
brad-sp committed Mar 5, 2015
1 parent ae93abe commit 73cb2b1
Showing 1 changed file with 26 additions and 15 deletions.
41 changes: 26 additions & 15 deletions hook_process.c
Expand Up @@ -438,9 +438,12 @@ HOOKDEF(NTSTATUS, WINAPI, NtReadVirtualMemory,
ret = Old_NtReadVirtualMemory(ProcessHandle, BaseAddress, Buffer,
NumberOfBytesToRead, NumberOfBytesReaded);

LOQ_ntstatus("process", "ppB", "ProcessHandle", ProcessHandle, "BaseAddress", BaseAddress,
"Buffer", NumberOfBytesReaded, Buffer);
return ret;
if (pid_from_process_handle(ProcessHandle) != GetCurrentProcessId()) {
LOQ_ntstatus("process", "ppB", "ProcessHandle", ProcessHandle, "BaseAddress", BaseAddress,
"Buffer", NumberOfBytesReaded, Buffer);
}

return ret;
}

HOOKDEF(BOOL, WINAPI, ReadProcessMemory,
Expand All @@ -456,8 +459,11 @@ HOOKDEF(BOOL, WINAPI, ReadProcessMemory,
ret = Old_ReadProcessMemory(hProcess, lpBaseAddress, lpBuffer,
nSize, lpNumberOfBytesRead);

LOQ_bool("process", "ppB", "ProcessHandle", hProcess, "BaseAddress", lpBaseAddress,
"Buffer", lpNumberOfBytesRead, lpBuffer);
if (pid_from_process_handle(hProcess) != GetCurrentProcessId()) {
LOQ_bool("process", "ppB", "ProcessHandle", hProcess, "BaseAddress", lpBaseAddress,
"Buffer", lpNumberOfBytesRead, lpBuffer);
}

return ret;
}

Expand All @@ -469,22 +475,25 @@ HOOKDEF(NTSTATUS, WINAPI, NtWriteVirtualMemory,
__out_opt ULONG *NumberOfBytesWritten
) {
NTSTATUS ret;
DWORD pid;
ENSURE_ULONG(NumberOfBytesWritten);

ret = Old_NtWriteVirtualMemory(ProcessHandle, BaseAddress, Buffer,
NumberOfBytesToWrite, NumberOfBytesWritten);

LOQ_ntstatus("process", "ppB", "ProcessHandle", ProcessHandle, "BaseAddress", BaseAddress,
"Buffer", NumberOfBytesWritten, Buffer);
pid = pid_from_process_handle(ProcessHandle);

if (NT_SUCCESS(ret)) {
DWORD pid = pid_from_process_handle(ProcessHandle);
if (pid != GetCurrentProcessId()) {
if (pid != GetCurrentProcessId()) {
LOQ_ntstatus("process", "ppB", "ProcessHandle", ProcessHandle, "BaseAddress", BaseAddress,
"Buffer", NumberOfBytesWritten, Buffer);

if (NT_SUCCESS(ret)) {
pipe("PROCESS:%d:%d", is_suspended(pid, 0), pid);
disable_sleep_skip();
}
}


return ret;
}

Expand All @@ -496,17 +505,19 @@ HOOKDEF(BOOL, WINAPI, WriteProcessMemory,
_Out_ SIZE_T *lpNumberOfBytesWritten
) {
BOOL ret;
DWORD pid;
ENSURE_SIZET(lpNumberOfBytesWritten);

ret = Old_WriteProcessMemory(hProcess, lpBaseAddress, lpBuffer,
nSize, lpNumberOfBytesWritten);

LOQ_bool("process", "ppB", "ProcessHandle", hProcess, "BaseAddress", lpBaseAddress,
"Buffer", lpNumberOfBytesWritten, lpBuffer);
pid = pid_from_process_handle(hProcess);

if (ret) {
DWORD pid = pid_from_process_handle(hProcess);
if (pid != GetCurrentProcessId()) {
if (pid != GetCurrentProcessId()) {
LOQ_bool("process", "ppB", "ProcessHandle", hProcess, "BaseAddress", lpBaseAddress,
"Buffer", lpNumberOfBytesWritten, lpBuffer);

if (ret) {
pipe("PROCESS:%d:%d", is_suspended(pid, 0), pid);
disable_sleep_skip();
}
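Review bot: The suppression added in all four hooks (lines 22, 37, 62, 93) keys solely on `pid_from_process_handle(...) != GetCurrentProcessId()`, and nothing in the code records why self-access is deliberately dropped; that rationale lives only in the commit message, so a later reader is likely to take the missing log entry for an oversight. Add `/* reads/writes of our own process are not logged: equivalent to plain pointer access, and some samples issue them only to flood the log */` above the first check, and consider factoring the test into one helper such as `static int is_self_process(HANDLE h) { return pid_from_process_handle(h) == GetCurrentProcessId(); }` so the four copies cannot drift apart. In NtWriteVirtualMemory and WriteProcessMemory the handle-to-pid lookup now runs before the success check (lines 57, 88), so on a failed call it is invoked for a handle that may be invalid; if pid_from_process_handle can fail, its failure value must never equal the current pid, otherwise a failed foreign-process write would be silently dropped from the log instead of recorded. WriteProcessMemory's body continues past the end of the hunk.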
