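// Hooks user32!SetTimer with SetTimerHook via EasyHook and activates the hook
// for the calling thread only (an ACL entry of 0 denotes the current thread).
//
// FORCE() is a project macro (defined elsewhere) that is expected to store the
// NTSTATUS of its argument in NtStatus and jump to ERROR_ABORT on failure.
//
// Returns true when both the hook and its ACL were installed, false otherwise.
// The traced handle is intentionally not freed on success: EasyHook requires
// it to stay valid while the hook is installed.
bool FKRuijie()
{
	NTSTATUS NtStatus = 0;              // 0 == STATUS_SUCCESS; FORCE() overwrites it on failure
	ULONG ACLEntries[1] = {0};
	TRACED_HOOK_HANDLE hHook = new HOOK_TRACE_INFO();

	hProcSetTimer = (FUNC)GetProcAddress(LoadLibraryA("user32.dll"), "SetTimer");

	// GetProcAddress() yields NULL when the module could not be loaded or the
	// export is missing; there is nothing to hook in that case.
	if(hProcSetTimer == NULL)
		goto ERROR_ABORT;

	FORCE(LhInstallHook(
		hProcSetTimer,
		SetTimerHook,
		(PVOID)0x12345678,
		hHook));

	FORCE(LhSetInclusiveACL(ACLEntries, 1, hHook));

	return true;

ERROR_ABORT:

	// Nothing is installed on this path, so the handle is ours to release.
	if(hHook != NULL)
		delete hHook;

	if(RtlGetLastError() != 0)
		MessageBoxA(NULL, "ERROR", "FKAdvapi", 0);

	// The original returned NtStatus from a bool function: a failing (non-zero)
	// NTSTATUS converted to true, so callers could never detect the failure.
	return false;
}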
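    /**
     * Installs a named hook that redirects pSrc to pDest and activates it for
     * the threads listed in m_ThreadIDs.
     *
     * @param name  Unique name of the hook; a duplicate name is rejected.
     * @param pSrc  Address of the function to hook.
     * @param pDest Address of the replacement function.
     * @return VSF_OK on success, VSFERR_INVALIDPARAMS for a duplicate name,
     *         VSFERR_INVALIDCALL when EasyHook refuses to install the hook.
     *
     * The traced handle is heap-allocated because EasyHook requires it to stay
     * valid for the lifetime of the hook; m_Hooks owns it afterwards.
     */
    VoodooResult VOODOO_METHODTYPE VSHookManager::Add(_In_ const String & name, _In_ void * pSrc, _In_ void * pDest)
    {
        VOODOO_DEBUG_FUNCLOG(m_Core->GetLogger());

        if (m_Hooks.find(name) != m_Hooks.end())
        {
            m_Core->GetLogger()->LogMessage
            (
                VSLog_PlugError, VOODOO_HOOKMANAGER_NAME,
                StringFormat(VSTR("Attempted to create a hook with a duplicate name (%1%).")) << name
            );

            return VSFERR_INVALIDPARAMS;
        }

        m_Core->GetLogger()->LogMessage
        (
            VSLog_PlugDebug, VOODOO_HOOKMANAGER_NAME,
            StringFormat(VSTR("Creating hook %1%. Redirecting function %2% to %3%.")) << name << pSrc << pDest
        );

        TRACED_HOOK_HANDLE hookHandle = new HOOK_TRACE_INFO();
        NTSTATUS result = LhInstallHook(pSrc, pDest, nullptr, hookHandle);

        // LhInstallHook reports STATUS_SUCCESS (0) on success. The original only
        // recognised three specific failure codes, so any other error (e.g. an
        // invalid parameter) was recorded as an installed hook.
        if (result != 0)
        {
            // Nothing was installed, so the handle is not tracked by EasyHook.
            delete hookHandle;

            // Placeholders use the %N% form like the other messages in this
            // method; the original "%1 ... %s" did not match that syntax.
            m_Core->GetLogger()->LogMessage
            (
                VSLog_PlugError, VOODOO_HOOKMANAGER_NAME,
                StringFormat(VSTR("Error %1% creating hook %2%.")) << (uint32_t)result << name
            );

            return VSFERR_INVALIDCALL;
        }

        // Hooks are inactive until an ACL is applied; a failure here leaves the
        // hook installed but never entered, which is worth logging.
        NTSTATUS aclResult = LhSetInclusiveACL(m_ThreadIDs, m_ThreadCount, hookHandle);
        if (aclResult != 0)
        {
            m_Core->GetLogger()->LogMessage
            (
                VSLog_PlugError, VOODOO_HOOKMANAGER_NAME,
                StringFormat(VSTR("Error %1% setting ACL for hook %2%.")) << (uint32_t)aclResult << name
            );
        }

        m_Hooks[name] = hookHandle;

        return VSF_OK;
    }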
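// EasyHook entry point executed inside the target process after injection.
// Reads an optional DWORD frequency offset from the user data, installs a hook
// on kernel32!Beep that redirects to myBeepHook, and activates it for every
// thread except the current one.
//
// inRemoteInfo: injection context supplied by EasyHook (host PID, user data).
void __stdcall NativeInjectionEntryPoint(REMOTE_ENTRY_INFO* inRemoteInfo)
{
	std::cout << "\n\nNativeInjectionEntryPointt(REMOTE_ENTRY_INFO* inRemoteInfo)\n\n" <<
		"IIIII           jjj               tt                dd !!! \n"
		" III  nn nnn          eee    cccc tt      eee       dd !!! \n"
		" III  nnn  nn   jjj ee   e cc     tttt  ee   e  dddddd !!! \n"
		" III  nn   nn   jjj eeeee  cc     tt    eeeee  dd   dd     \n"
		"IIIII nn   nn   jjj  eeeee  ccccc  tttt  eeeee  dddddd !!! \n"
		"              jjjj                                         \n\n";

	std::cout << "NativeInjectionEntryPoint: Injected by process Id: " << inRemoteInfo->HostPID << "\n";
	std::cout << "NativeInjectionEntryPoint: Passed in data size: " << inRemoteInfo->UserDataSize << "\n";
	// Only interpret the payload when it has exactly the size we expect.
	if (inRemoteInfo->UserDataSize == sizeof(DWORD))
	{
		gFreqOffset = *reinterpret_cast<DWORD *>(inRemoteInfo->UserData);
		std::cout << "NativeInjectionEntryPoint: Adjusting Beep frequency by: " << gFreqOffset << "\n";
	}

	// Perform hooking.
	// EasyHook keeps a pointer to this structure for as long as the hook is
	// installed (uninstalling invalidates the traced handle through it), so it
	// must outlive this function. Static storage does that; the original stack
	// local dangled as soon as the entry point returned.
	static HOOK_TRACE_INFO hHook = { NULL }; // keep track of our hook

	// Resolve the target once instead of twice.
	const FARPROC beepAddress = GetProcAddress(GetModuleHandle(TEXT("kernel32")), "Beep");

	std::cout << "\n";
	std::cout << "NativeInjectionEntryPoint: Win32 Beep found at address: " << beepAddress << "\n";

	if (beepAddress == NULL)
	{
		std::cout << "NativeInjectionEntryPoint: Beep not found, nothing to hook.\n";
		return;
	}

	// Install the hook
	NTSTATUS result = LhInstallHook(
		beepAddress,
		myBeepHook,
		NULL,
		&hHook);
	if (FAILED(result))
	{
		std::wstring s(RtlGetLastErrorString());
		std::wcout << "NativeInjectionEntryPoint: Failed to install hook: " << s << "\n";
		// Nothing was installed, so there is no hook to set an ACL on
		// (the original still called LhSetExclusiveACL here).
		return;
	}

	std::cout << "NativeInjectionEntryPoint: Hook 'myBeepHook installed successfully.\n";

	// If the threadId in the ACL is set to 0,
	// then internally EasyHook uses GetCurrentThreadId()
	ULONG ACLEntries[1] = { 0 };

	// Disable the hook for the provided threadIds, enable for all others.
	// Hooks stay inactive until an ACL is applied, so report a failure.
	result = LhSetExclusiveACL(ACLEntries, 1, &hHook);
	if (FAILED(result))
	{
		std::wstring s(RtlGetLastErrorString());
		std::wcout << "NativeInjectionEntryPoint: Failed to set hook ACL: " << s << "\n";
	}
}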
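// Faultron injection entry point (invoked by EasyHook inside the target process).
// Hooks ntdll!RtlAllocateHeap for all threads, records the traced handle so
// RemoveAllApiHooks() can undo it, then resumes the process that the injector
// created suspended. The process is woken regardless of hook success so a
// failed hook never leaves the target frozen.
extern "C" __declspec(dllexport) void __stdcall NativeInjectionEntryPoint(REMOTE_ENTRY_INFO*)
{
    try {
        const FARPROC target = GetProcAddress(GetModuleHandleW(L"ntdll"), "RtlAllocateHeap");
        if (target != NULL) {
            TRACED_HOOK_HANDLE globalallochook(new HOOK_TRACE_INFO());
            // The original ignored this status and activated/recorded the hook
            // even when installation had failed.
            const NTSTATUS status = LhInstallHook(target, MyRtlAllocateHeap, NULL, globalallochook);
            if (status == 0) {
                // An exclusive ACL with zero entries excludes no thread, i.e.
                // the hook is active for every thread in the process.
                ULONG ulTidList[1] = {};
                LhSetExclusiveACL(ulTidList, 0, globalallochook);

                // Ownership of the traced handle passes to the global list.
                g_vApiHookHandles.push_back(globalallochook);
            } else {
                // Not installed, so not tracked by EasyHook: safe to release.
                delete globalallochook;
                ::OutputDebugStringW(L"Faultron: LhInstallHook(RtlAllocateHeap) failed.");
            }
        } else {
            ::OutputDebugStringW(L"Faultron: RtlAllocateHeap export not found.");
        }

        // Wakeup the suspended process...
        RhWakeUpProcess();
    } catch (...) {
        ::OutputDebugStringW(L"Faultron: NativeInjectionEntryPoint() exception.");
        RemoveAllApiHooks();
    }
}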
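// Installs hook_proc over the export proc_name of module h_lib and activates it
// for every thread (an exclusive ACL with zero entries excludes nothing).
//
// The traced handle is heap-allocated and kept in _hooks because EasyHook needs
// it to remain valid while the hook is installed.
//
// Returns false when the export cannot be resolved or EasyHook rejects the hook.
// The original only assert()ed; in release builds the asserts vanish, so it
// went on to hook a NULL address and to keep a never-installed handle.
bool gdimm_hook::install_hook(HMODULE h_lib, LPCSTR proc_name, void *hook_proc)
{
	const FARPROC proc_addr = GetProcAddress(h_lib, proc_name);
	assert(proc_addr != NULL);
	if (proc_addr == NULL)
		return false;

	TRACED_HOOK_HANDLE h_hook = new HOOK_TRACE_INFO();
	NTSTATUS eh_ret = LhInstallHook(proc_addr, hook_proc, NULL, h_hook);
	assert(eh_ret == 0);
	if (eh_ret != 0)
	{
		// Nothing was installed, so EasyHook does not track this handle and
		// it can be released here.
		delete h_hook;
		return false;
	}

	ULONG thread_id_list = 0;
	eh_ret = LhSetExclusiveACL(&thread_id_list, 0, h_hook);
	assert(eh_ret == 0);

	// Keep the handle even if the ACL call failed: the hook is installed and
	// must still be removable through this handle later.
	_hooks.push_back(h_hook);

	return eh_ret == 0;
}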
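// Installs the compileMethod hook once the method-descriptor helpers are
// initialised and excludes only the calling thread from it. The outcome is
// recorded in s_nStatus.
//
// Returns TRUE when the hook is installed and its ACL applied, FALSE otherwise.
BOOL CInjection::HookApi(void)
{
	if( !MethodDesc::IsInitialized() )
	{
		s_nStatus = Status_Error_MethodDescInitializationFailed;
		return FALSE;
	}

	if( !LoadedMethodDescIterator::IsInitialized() )
	{
		s_nStatus = Status_Error_LoadedMethodDescIteratorInitializationFailed;
		return FALSE;
	}

	// The member-function pointer is read out through its storage because
	// EasyHook only accepts a plain pointer.
	PFN_compileMethod pfnCompileMethod = &CInjection::compileMethod;
	LPVOID * pAddr = (LPVOID*)&pfnCompileMethod;
	NTSTATUS ntStatus = LhInstallHook( (PVOID&)ICorJitCompiler::s_pfnComplieMethod 
		, *pAddr
		, NULL
		, &s_hHookCompileMethod
		);

	if( ntStatus != STATUS_SUCCESS )
	{
		s_nStatus = Status_Error_HookCompileMethodFailed;
		return FALSE;
	}

	// Exclusive ACL: the listed thread is NOT intercepted, all others are.
	// EasyHook treats a thread id of 0 as the calling thread. The original
	// passed GetCurrentProcessId() here, i.e. a process id where a thread id
	// is expected, so the intended exclusion never matched any thread.
	ULONG ulThreadID = 0;
	ntStatus = LhSetExclusiveACL( &ulThreadID, 1, &s_hHookCompileMethod);

	if( ntStatus != STATUS_SUCCESS )
	{
		// The hook is installed but, without an ACL, not active for any thread.
		s_nStatus = Status_Error_HookCompileMethodFailed;
		return FALSE;
	}

	s_nStatus = Status_Ready;
	return TRUE;
}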
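/*
    Test driver: hooks CreateFontIndirectW with IMPL_CreateFontIndirectW for
    the current thread, exercises a few GDI font calls through it, then removes
    every hook and releases the traced handle.

    FORCE() is a project macro (defined elsewhere) expected to store the
    NTSTATUS of its argument in NtStatus and jump to ERROR_ABORT on failure.

    Returns 0 on success, the failing NTSTATUS otherwise.
*/
extern "C" int main(int argc, wchar_t* argv[])
{
    TRACED_HOOK_HANDLE      hHook = new HOOK_TRACE_INFO();
    NTSTATUS                NtStatus = 0;   // 0 == STATUS_SUCCESS; FORCE() overwrites it on failure
    ULONG                   ACLEntries[1] = {0};
    UNICODE_STRING*         NameBuffer = NULL; // never allocated here; freed on ERROR_ABORT for symmetry with the other test drivers

    ORIG_CreateFontIndirectW = CreateFontIndirectW;

    FORCE(LhInstallHook(
            ORIG_CreateFontIndirectW,
            IMPL_CreateFontIndirectW,
            (PVOID)0,
            hHook));
    // ACL entry 0 == current thread: the hook is active for this thread only.
    FORCE(LhSetInclusiveACL(ACLEntries, 1, hHook));

    CreateFontIndirectW(0);
    CreateFontW(10, 10, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, L"system");
    LOGFONTA lf = {};
    CreateFontIndirectA(&lf);
    CreateFontA(12, 0, 0, 0, 400, 0, 0, 0, 2, 0, 0, 0, 0, "MARLETT");

#if 0
    ORIG_GetTextExtentPoint32A = GetTextExtentPoint32A;
    FORCE(LhInstallHook(
            ORIG_GetTextExtentPoint32A,
            IMPL_GetTextExtentPoint32A,
            (PVOID)0,
            hHook));
    HDC hdc = GetDC(NULL);
    SIZE size;
    FORCE(LhSetInclusiveACL(ACLEntries, 1, hHook));
    GetTextExtentPoint32W(hdc, L"abc", 3, &size);
    GetTextExtentPointW(hdc, L"abc", 3, &size);
    GetTextExtentPoint32A(hdc, "abc", 3, &size);
    GetTextExtentPointA(hdc, "abc", 3, &size);
#endif

#if 0
    ORIG_MessageBeepHook = MessageBeep;
    /*
        The following shows how to install and remove local hooks...
    */
    FORCE(LhInstallHook(
            ORIG_MessageBeepHook,
            MessageBeepHook,
            (PVOID)0,
            hHook));

    printf(".\n");
    // won't invoke the hook handler because hooks are inactive after installation
    MessageBeep(123);
    getch();

    BOOL flags = 1;
    FORCE(LhIsThreadIntercepted(hHook, 0, &flags));
    printf("Intercepted %d\n", flags);
    // activate the hook for the current thread
    FORCE(LhSetInclusiveACL(ACLEntries, 1, hHook));
    FORCE(LhIsThreadIntercepted(hHook, 0, &flags));
    printf("Intercepted %d\n", flags);

    printf(".\n");
    // will be redirected into the handler...
    MessageBeep(123);
    getch();

    FORCE(LhSetGlobalExclusiveACL(ACLEntries, 1));
    printf(".\n");
    // will be redirected into the handler...
    MessageBeep(123);
    getch();

    FORCE(LhSetGlobalInclusiveACL(ACLEntries, 1));
    printf(".\n");
    // will be redirected into the handler...
    MessageBeep(123);
    getch();

    printf(".\n");
    // won't invoke the hook handler because hooks are inactive after installation
    ORIG_MessageBeepHook(123);
    getch();
#endif
    // this will also invalidate "hHook", because it is a traced handle...
    LhUninstallAllHooks();
    // this will do nothing because the hook is already removed...
    LhUninstallHook(hHook);

    printf(".\n");
    // no hook is installed any more (and MessageBeep was never hooked in this
    // build), so this is a plain call into the original function...
    MessageBeep(123);
    getch();

    // now we can safely release the traced handle
    delete hHook;

    hHook = NULL;

    // even if the hook is removed, we need to wait for memory release
    LhWaitForPendingRemovals();

    return 0;

ERROR_ABORT:

    if(hHook != NULL)
        delete hHook;

    if(NameBuffer != NULL)
        free(NameBuffer );

    printf("\n[Error(0x%p)]: \"%S\" (code: %d {0x%p})\n", (PVOID)NtStatus, RtlGetLastErrorString(), RtlGetLastError(), (PVOID)RtlGetLastError());

    _getch();

    return NtStatus;
}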
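/*
    Test driver for the EasyHook runtime: installs the support and test kernel
    drivers, exercises the remote-thread creation API, installs and removes a
    MessageBeep hook for the current thread, then uses the debug helpers
    (handle -> object name, handle -> thread id).

    FORCE() is a project macro (defined elsewhere) expected to store the
    NTSTATUS of its argument in NtStatus and jump to ERROR_ABORT on failure;
    the if/else around RhInstallDriver() relies on it expanding to a braced
    statement, which is why the first branch carries no ';'.

    Returns 0 on success, EXIT_FAILURE on a thread-id mismatch, or the failing
    NTSTATUS.
*/
extern "C" int main(int argc, wchar_t* argv[])
{
    HMODULE                 hUser32 = LoadLibraryA("user32.dll");
    TRACED_HOOK_HANDLE      hHook = new HOOK_TRACE_INFO();
    NTSTATUS                NtStatus = 0;   // 0 == STATUS_SUCCESS; FORCE() overwrites it on failure
    ULONG                   ACLEntries[1] = {0};
    UNICODE_STRING*         NameBuffer = NULL;
	HANDLE					hRemoteThread;
    // Declared up front: a goto ERROR_ABORT from the FORCE() calls below must
    // not jump past an initialised declaration into its scope, which is
    // ill-formed C++ (the original initialised Handle mid-function).
    HANDLE                  Handle = NULL;
    ULONG                   RequiredSize = 0;
    ULONG                   RealThreadId = 0;
    ULONG                   ThreadId = 0;

	// test driver...
	printf("Installing support driver...\n");

	FORCE(RhInstallSupportDriver());

	printf("Installing test driver...\n");

	if(RhIsX64System())
		FORCE(RhInstallDriver(L"TestDriver64.sys", L"TestDriver64.sys"))
	else
		FORCE(RhInstallDriver(L"TestDriver32.sys", L"TestDriver32.sys"));

	// test stealth thread creation...
	printf("Testing stealth thread creation...\n");

	// NOTE(review): this handle is overwritten by the out-parameter of
	// RhCreateStealthRemoteThread() below and is never closed; tolerable for a
	// test program that exits right after.
	hRemoteThread = CreateThread(NULL, 0, TestThread, NULL, 0, NULL);

	FORCE(RhCreateStealthRemoteThread(GetCurrentProcessId(), HijackEntry, (PVOID)0x12345678, &hRemoteThread));

	Sleep(500);

    /*
        The following shows how to install and remove local hooks...
    */
    FORCE(LhInstallHook(
            GetProcAddress(hUser32, "MessageBeep"),
            MessageBeepHook,
            (PVOID)0x12345678,
            hHook));

    // won't invoke the hook handler because hooks are inactive after installation
    MessageBeep(123);

    // activate the hook for the current thread
    FORCE(LhSetInclusiveACL(ACLEntries, 1, hHook));

    // will be redirected into the handler...
    MessageBeep(123);

    // this will also invalidate "hHook", because it is a traced handle...
    LhUninstallAllHooks();

    // this will do nothing because the hook is already removed...
    LhUninstallHook(hHook);

    // now we can safely release the traced handle
    delete hHook;

    hHook = NULL;

    // even if the hook is removed, we need to wait for memory release
    LhWaitForPendingRemovals();

    /*
        In many situations you will need the handler utilities.
    */
    // NOTE(review): the event handle is never closed and is overwritten by the
    // thread handle further down; both die with the process.
    Handle = CreateEventA(NULL, TRUE, FALSE, "MyEvent");

    // handle to name: first call only queries the required buffer size
    if(!SUCCEEDED(NtStatus = DbgHandleToObjectName(Handle, NULL, 0, &RequiredSize)))
        goto ERROR_ABORT;

    NameBuffer = (UNICODE_STRING*)malloc(RequiredSize);

    FORCE(DbgHandleToObjectName(Handle, NameBuffer, RequiredSize, &RequiredSize));

    printf("\n[Info]: Event name is \"%S\".\n", NameBuffer->Buffer);

    // handle to thread ID (the thread stays suspended; it is never resumed)
    Handle = CreateThread(NULL, 0, NULL, NULL, CREATE_SUSPENDED, &RealThreadId);

    FORCE(DbgGetThreadIdByHandle(Handle, &ThreadId));

    if(ThreadId != RealThreadId)
        return EXIT_FAILURE;

	_getch();

	return 0;

ERROR_ABORT:

    if(hHook != NULL)
        delete hHook;

    if(NameBuffer != NULL)
        free(NameBuffer );

	printf("\n[Error(0x%p)]: \"%S\" (code: %d {0x%p})\n", (PVOID)NtStatus, RtlGetLastErrorString(), RtlGetLastError(), (PVOID)RtlGetLastError());

    _getch();

    return NtStatus;
}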
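// Locates the user-mode display driver that backs pOutput (through the
// adapter's registry key under HKLM) and installs an EasyHook on its
// OpenAdapter10_2 export, activated for the current thread only. Any
// previously installed hook is removed first. Failures are logged at debug
// level and leave m_hHook / m_hDriverModule / s_fnOpenAdapter10_2 null.
//
// pOutput: DXGI output whose device name identifies the display adapter.
void CWinSystemWin32DX::InitHooks(IDXGIOutput* pOutput)
{
  DXGI_OUTPUT_DESC outputDesc;
  if (!pOutput || FAILED(pOutput->GetDesc(&outputDesc)))
    return;

  DISPLAY_DEVICEW displayDevice;
  displayDevice.cb = sizeof(DISPLAY_DEVICEW);
  DWORD adapter = 0;
  bool deviceFound = false;

  // delete exiting hooks.
  UninitHooks();

  // enum devices to find matched
  while (EnumDisplayDevicesW(nullptr, adapter, &displayDevice, 0))
  {
    if (wcscmp(displayDevice.DeviceName, outputDesc.DeviceName) == 0)
    {
      deviceFound = true;
      break;
    }
    adapter++;
  }
  if (!deviceFound)
    return;

  CLog::Log(LOGDEBUG, __FUNCTION__": Hooking into UserModeDriver on device %S. ", displayDevice.DeviceKey);

  // DeviceKey is a native registry path ("\Registry\Machine\..."); the Win32
  // registry API wants it relative to HKEY_LOCAL_MACHINE, so that prefix is
  // stripped. Check the prefix instead of blindly skipping 18 characters.
  static const wchar_t kRegMachinePrefix[] = L"\\Registry\\Machine\\";
  const size_t prefixLength = sizeof(kRegMachinePrefix) / sizeof(kRegMachinePrefix[0]) - 1;
  if (wcsncmp(displayDevice.DeviceKey, kRegMachinePrefix, prefixLength) != 0)
  {
    CLog::Log(LOGDEBUG, __FUNCTION__": unexpected device key format %S.", displayDevice.DeviceKey);
    return;
  }
  const wchar_t* subKey = displayDevice.DeviceKey + prefixLength;

  const wchar_t* keyName =
#ifndef _M_X64
  // on x64 system and x32 build use UserModeDriverNameWow key
  CSysInfo::GetKernelBitness() == 64 ? L"UserModeDriverNameWow" :
#endif // !_M_X64
    L"UserModeDriverName";

  DWORD dwType = REG_MULTI_SZ;
  HKEY hKey = nullptr;
  wchar_t value[1024];
  DWORD valueLength = sizeof(value);
  LSTATUS lstat;

  if (ERROR_SUCCESS == (lstat = RegOpenKeyExW(HKEY_LOCAL_MACHINE, subKey, 0, KEY_READ, &hKey))
    && ERROR_SUCCESS == (lstat = RegQueryValueExW(hKey, keyName, nullptr, &dwType, (LPBYTE)&value, &valueLength)))
  {
    // RegQueryValueExW overwrites dwType with the stored type; only a
    // REG_MULTI_SZ can be split the way we do below.
    if (dwType == REG_MULTI_SZ)
    {
      // 1. registry value has a list of drivers for each API with the following format: dx9\0dx10\0dx11\0dx12\0\0
      // 2. we split the value by \0, never reading past the bytes the registry
      //    returned (the data is not guaranteed to be double-NUL terminated)
      std::vector<std::wstring> drivers;
      size_t count = valueLength / sizeof(wchar_t);
      if (count > sizeof(value) / sizeof(value[0]))
        count = sizeof(value) / sizeof(value[0]);
      size_t pos = 0;
      while (pos < count && value[pos] != L'\0')
      {
        size_t end = pos;
        while (end < count && value[end] != L'\0')
          ++end;
        drivers.emplace_back(value + pos, end - pos);
        pos = end + 1;
      }
      // 3. we take only first three values (dx12 driver isn't needed if it exists ofc)
      if (drivers.size() > 3)
        drivers.resize(3);
      // 4. and then iterate with reverse order to start iterate with the best candidate for d3d11 driver
      //    (an empty list just skips the loop; the original returned here and leaked hKey)
      for (auto it = drivers.rbegin(); it != drivers.rend(); ++it)
      {
        // The path is read from the machine hive, which only administrators
        // can write, so it carries the same trust as the installed driver.
        m_hDriverModule = LoadLibraryW(it->c_str());
        if (m_hDriverModule == nullptr)
          continue;

        s_fnOpenAdapter10_2 = reinterpret_cast<PFND3D10DDI_OPENADAPTER>(GetProcAddress(m_hDriverModule, "OpenAdapter10_2"));
        if (s_fnOpenAdapter10_2 != nullptr)
        {
          ULONG ACLEntries[1] = { 0 };
          m_hHook = new HOOK_TRACE_INFO();
          // install and activate hook into a driver
          if (SUCCEEDED(LhInstallHook(s_fnOpenAdapter10_2, HookOpenAdapter10_2, nullptr, m_hHook))
            && SUCCEEDED(LhSetInclusiveACL(ACLEntries, 1, m_hHook)))
          {
            CLog::Log(LOGDEBUG, __FUNCTION__": D3D11 hook installed and activated.");
            break;
          }
          // NOTE(review): if LhInstallHook succeeded and only the ACL call
          // failed, the hook stays installed while its traced handle is
          // deleted; that is the original behaviour and is left unchanged.
          CLog::Log(LOGDEBUG, __FUNCTION__": Unable ot install and activate D3D11 hook.");
          SAFE_DELETE(m_hHook);
          // Don't keep a pointer into a module we are about to unload.
          s_fnOpenAdapter10_2 = nullptr;
        }
        // Either the export is missing or the hook failed: release the module
        // before trying the next candidate (the original kept the previous
        // module loaded when the export was missing).
        FreeLibrary(m_hDriverModule);
        m_hDriverModule = nullptr;
      }
    }
    else
      CLog::Log(LOGDEBUG, __FUNCTION__": unexpected registry value type %lu.", dwType);
  }

  if (lstat != ERROR_SUCCESS)
    CLog::Log(LOGDEBUG, __FUNCTION__": error open registry key with error %ld.", lstat);

  if (hKey != nullptr)
    RegCloseKey(hKey);
}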