void RemoveAllApiHooks(void)
{
LhUninstallAllHooks();
LhWaitForPendingRemovals();
for (std::vector<TRACED_HOOK_HANDLE>::const_iterator it = g_vApiHookHandles.begin(); it != g_vApiHookHandles.end(); it++) {
delete *it;
}
}
void gdimm_hook::unhook()
{
NTSTATUS eh_ret;
eh_ret = LhUninstallAllHooks();
assert(eh_ret == 0);
eh_ret = LhWaitForPendingRemovals();
assert(eh_ret == 0);
for (list<TRACED_HOOK_HANDLE>::const_iterator iter = _hooks.begin(); iter != _hooks.end(); iter++)
delete *iter;
}
void CWinSystemWin32DX::UninitHooks()
{
// uninstall
LhUninstallAllHooks();
// we need to wait for memory release
LhWaitForPendingRemovals();
SAFE_DELETE(m_hHook);
if (m_hDriverModule)
{
FreeLibrary(m_hDriverModule);
m_hDriverModule = nullptr;
}
}
void LhCriticalFinalize()
{
/*
Description:
Will be called in the DLL_PROCESS_DETACH event and just uninstalls
all hooks. If it is possible also their memory is released.
*/
LhUninstallAllHooks();
LhWaitForPendingRemovals();
RtlDeleteLock(&GlobalHookLock);
}
void CInjection::Uninitialize(void)
{
if( s_nStatus == Status_Ready )
{
s_nStatus = Status_Uninitialized;
LhUninstallAllHooks();
}
std::map< CORINFO_METHOD_HANDLE, ILCodeBuffer>::iterator iter;
for( iter = s_mpILBuffers.begin(); iter != s_mpILBuffers.end(); iter ++)
{
LocalFree(iter->second.pBuffer);
}
s_mpILBuffers.clear();
if( s_hEvent )
{
CloseHandle(s_hEvent);
s_hEvent = NULL;
}
}
static LONG hook_term()
{
#include "hooklist.h"
LhUninstallAllHooks();
return LhWaitForPendingRemovals();
}
extern "C" int main(int argc, wchar_t* argv[])
{
TRACED_HOOK_HANDLE hHook = new HOOK_TRACE_INFO();
NTSTATUS NtStatus;
ULONG ACLEntries[1] = {0};
UNICODE_STRING* NameBuffer = NULL;
ORIG_CreateFontIndirectW = CreateFontIndirectW;
FORCE(LhInstallHook(
ORIG_CreateFontIndirectW,
IMPL_CreateFontIndirectW,
(PVOID)0,
hHook));
FORCE(LhSetInclusiveACL(ACLEntries, 1, hHook));
CreateFontIndirectW(0);
CreateFontW(10, 10, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, L"system");
LOGFONTA lf = {};
CreateFontIndirectA(&lf);
CreateFontA(12, 0, 0, 0, 400, 0, 0, 0, 2, 0, 0, 0, 0, "MARLETT");
#if 0
ORIG_GetTextExtentPoint32A = GetTextExtentPoint32A;
FORCE(LhInstallHook(
ORIG_GetTextExtentPoint32A,
IMPL_GetTextExtentPoint32A,
(PVOID)0,
hHook));
HDC hdc = GetDC(NULL);
SIZE size;
FORCE(LhSetInclusiveACL(ACLEntries, 1, hHook));
GetTextExtentPoint32W(hdc, L"abc", 3, &size);
GetTextExtentPointW(hdc, L"abc", 3, &size);
GetTextExtentPoint32A(hdc, "abc", 3, &size);
GetTextExtentPointA(hdc, "abc", 3, &size);
#endif
#if 0
ORIG_MessageBeepHook = MessageBeep;
/*
The following shows how to install and remove local hooks...
*/
FORCE(LhInstallHook(
ORIG_MessageBeepHook,
MessageBeepHook,
(PVOID)0,
hHook));
printf(".\n");
// won't invoke the hook handler because hooks are inactive after installation
MessageBeep(123);
getch();
BOOL flags = 1;
FORCE(LhIsThreadIntercepted(hHook, 0, &flags));
printf("Intercepted %d\n", flags);
// activate the hook for the current thread
FORCE(LhSetInclusiveACL(ACLEntries, 1, hHook));
FORCE(LhIsThreadIntercepted(hHook, 0, &flags));
printf("Intercepted %d\n", flags);
printf(".\n");
// will be redirected into the handler...
MessageBeep(123);
getch();
FORCE(LhSetGlobalExclusiveACL(ACLEntries, 1));
printf(".\n");
// will be redirected into the handler...
MessageBeep(123);
getch();
FORCE(LhSetGlobalInclusiveACL(ACLEntries, 1));
printf(".\n");
// will be redirected into the handler...
MessageBeep(123);
getch();
printf(".\n");
// won't invoke the hook handler because hooks are inactive after installation
ORIG_MessageBeepHook(123);
getch();
#endif
// this will also invalidate "hHook", because it is a traced handle...
LhUninstallAllHooks();
// this will do nothing because the hook is already removed...
LhUninstallHook(hHook);
printf(".\n");
// will be redirected into the handler...
MessageBeep(123);
getch();
// now we can safely release the traced handle
delete hHook;
hHook = NULL;
// even if the hook is removed, we need to wait for memory release
LhWaitForPendingRemovals();
return 0;
ERROR_ABORT:
if(hHook != NULL)
delete hHook;
if(NameBuffer != NULL)
free(NameBuffer );
printf("\n[Error(0x%p)]: \"%S\" (code: %d {0x%p})\n", (PVOID)NtStatus, RtlGetLastErrorString(), RtlGetLastError(), (PVOID)RtlGetLastError());
_getch();
return NtStatus;
}
extern "C" int main(int argc, wchar_t* argv[])
{
HMODULE hUser32 = LoadLibraryA("user32.dll");
TRACED_HOOK_HANDLE hHook = new HOOK_TRACE_INFO();
NTSTATUS NtStatus;
ULONG ACLEntries[1] = {0};
UNICODE_STRING* NameBuffer = NULL;
HANDLE hRemoteThread;
// test driver...
printf("Installing support driver...\n");
FORCE(RhInstallSupportDriver());
printf("Installing test driver...\n");
if(RhIsX64System())
FORCE(RhInstallDriver(L"TestDriver64.sys", L"TestDriver64.sys"))
else
FORCE(RhInstallDriver(L"TestDriver32.sys", L"TestDriver32.sys"));
// test stealth thread creation...
printf("Testing stealth thread creation...\n");
hRemoteThread = CreateThread(NULL, 0, TestThread, NULL, 0, NULL);
FORCE(RhCreateStealthRemoteThread(GetCurrentProcessId(), HijackEntry, (PVOID)0x12345678, &hRemoteThread));
Sleep(500);
/*
The following shows how to install and remove local hooks...
*/
FORCE(LhInstallHook(
GetProcAddress(hUser32, "MessageBeep"),
MessageBeepHook,
(PVOID)0x12345678,
hHook));
// won't invoke the hook handler because hooks are inactive after installation
MessageBeep(123);
// activate the hook for the current thread
FORCE(LhSetInclusiveACL(ACLEntries, 1, hHook));
// will be redirected into the handler...
MessageBeep(123);
// this will also invalidate "hHook", because it is a traced handle...
LhUninstallAllHooks();
// this will do nothing because the hook is already removed...
LhUninstallHook(hHook);
// now we can safely release the traced handle
delete hHook;
hHook = NULL;
// even if the hook is removed, we need to wait for memory release
LhWaitForPendingRemovals();
/*
In many situations you will need the handler utilities.
*/
HANDLE Handle = CreateEventA(NULL, TRUE, FALSE, "MyEvent");
ULONG RequiredSize;
ULONG RealThreadId;
ULONG ThreadId;
// handle to name
if(!SUCCEEDED(NtStatus = DbgHandleToObjectName(Handle, NULL, 0, &RequiredSize)))
goto ERROR_ABORT;
NameBuffer = (UNICODE_STRING*)malloc(RequiredSize);
FORCE(DbgHandleToObjectName(Handle, NameBuffer, RequiredSize, &RequiredSize));
printf("\n[Info]: Event name is \"%S\".\n", NameBuffer->Buffer);
// handle to thread ID
Handle = CreateThread(NULL, 0, NULL, NULL, CREATE_SUSPENDED, &RealThreadId);
FORCE(DbgGetThreadIdByHandle(Handle, &ThreadId));
if(ThreadId != RealThreadId)
return EXIT_FAILURE;
_getch();
return 0;
ERROR_ABORT:
if(hHook != NULL)
delete hHook;
if(NameBuffer != NULL)
free(NameBuffer );
printf("\n[Error(0x%p)]: \"%S\" (code: %d {0x%p})\n", (PVOID)NtStatus, RtlGetLastErrorString(), RtlGetLastError(), (PVOID)RtlGetLastError());
_getch();
return NtStatus;
}
