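// Launches a target process and injects a DLL into it with EasyHook's
// RhCreateAndInject.
//
// argv[1]  path of the DLL to inject. Presumably resolved by the target's
//          loader, so an absolute path avoids DLL search-order surprises
//          -- TODO confirm against the EasyHook version in use.
// argv[2]  the target's full command line. The executable is its first
//          token: everything up to the first space, or, when the argument
//          starts with '"', everything inside the opening pair of quotes
//          (so paths containing spaces can be quoted).
//
// Returns 0 on success, 1 on a usage error or when injection fails.
int wmain(int argc, WCHAR* argv[])
{
	if (argc < 3) {
		std::wcout << argv[0] << " dll command_line\n";
		return 1;
	}

	std::wstring dllToInject(argv[1]);
	std::wstring command_line(argv[2]);

	// Extract the executable path from the command line.
	std::wstring exe;
	if (!command_line.empty() && command_line[0] == L'"') {
		// Quoted path: the text between the quotes (to the end if unclosed).
		const std::wstring::size_type closing = command_line.find(L'"', 1);
		exe = command_line.substr(1, closing == std::wstring::npos ? std::wstring::npos : closing - 1);
	} else {
		// Unquoted path: everything before the first space. With no space
		// find() returns npos and substr() simply takes the whole string.
		exe = command_line.substr(0, command_line.find(L' '));
	}

	// The full command line -- executable token included -- is handed over
	// unchanged. RhCreateAndInject passes it on to CreateProcessW (per the
	// EasyHook sources; confirm for your version), and CreateProcess expects
	// lpCommandLine to begin with argv[0]. The original sample passed only
	// the text after the first space, which made the first argument become
	// the target's argv[0] and shifted every parameter by one.
	//
	// CreateProcessW is documented to possibly modify lpCommandLine in place,
	// so it gets a writable buffer (&command_line[0]) rather than a
	// const_cast of c_str(). The other two strings are read-only inputs as
	// far as is known; the const_cast only satisfies EasyHook's WCHAR* API.

	ULONG pid = 0;  // only meaningful on success; zeroed so it is never garbage
	NTSTATUS nt = RhCreateAndInject
		( const_cast<WCHAR*>(exe.c_str())
		, &command_line[0]
		, 0                                         // extra process creation flags
		, EASYHOOK_INJECT_DEFAULT
		, const_cast<WCHAR*>(dllToInject.c_str())   // DLL for a 32-bit target
		, nullptr                                   // DLL for a 64-bit target (none)
		, nullptr                                   // pass-through buffer for the DLL entry point
		, 0                                         // pass-through buffer size
		, &pid
		);

	if (nt != 0)
	{
		std::wcout << "RhCreateAndInject failed with error code = " << nt << "\n  " << RtlGetLastErrorString() << "\n";
		return 1;
	}

	return 0;
}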
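// EasyHook entry point, executed inside the target process once the DLL has
// been injected. Installs myBeepHook over kernel32!Beep and enables it for
// every thread except the one running this function.
//
// inRemoteInfo  injection context supplied by EasyHook: HostPID is the
//               injecting process, UserData/UserDataSize the pass-through
//               buffer the injector supplied (here an optional DWORD that
//               sets gFreqOffset).
//
// gFreqOffset and myBeepHook are defined elsewhere in this file.
void __stdcall NativeInjectionEntryPoint(REMOTE_ENTRY_INFO* inRemoteInfo)
{
	std::cout << "\n\nNativeInjectionEntryPointt(REMOTE_ENTRY_INFO* inRemoteInfo)\n\n" <<
		"IIIII           jjj               tt                dd !!! \n"
		" III  nn nnn          eee    cccc tt      eee       dd !!! \n"
		" III  nnn  nn   jjj ee   e cc     tttt  ee   e  dddddd !!! \n"
		" III  nn   nn   jjj eeeee  cc     tt    eeeee  dd   dd     \n"
		"IIIII nn   nn   jjj  eeeee  ccccc  tttt  eeeee  dddddd !!! \n"
		"              jjjj                                         \n\n";

	std::cout << "NativeInjectionEntryPoint: Injected by process Id: " << inRemoteInfo->HostPID << "\n";
	std::cout << "NativeInjectionEntryPoint: Passed in data size: " << inRemoteInfo->UserDataSize << "\n";

	// Only read the pass-through buffer when its size matches exactly and
	// it is actually present; anything else means injector and payload
	// disagree about the payload layout, and it is safer to ignore it.
	if (inRemoteInfo->UserDataSize == sizeof(DWORD) && inRemoteInfo->UserData != nullptr)
	{
		gFreqOffset = *reinterpret_cast<DWORD *>(inRemoteInfo->UserData);
		std::cout << "NativeInjectionEntryPoint: Adjusting Beep frequency by: " << gFreqOffset << "\n";
	}

	// Resolve the target once. Either lookup can return NULL, and a null
	// target must never reach LhInstallHook.
	FARPROC beep = GetProcAddress(GetModuleHandle(TEXT("kernel32")), "Beep");

	std::cout << "\n";
	// Cast to void*: streaming a function pointer directly selects the bool
	// overload and prints "1" instead of the address.
	std::cout << "NativeInjectionEntryPoint: Win32 Beep found at address: " << reinterpret_cast<const void*>(beep) << "\n";

	if (beep == nullptr)
	{
		std::cout << "NativeInjectionEntryPoint: kernel32!Beep not found, no hook installed.\n";
		return;
	}

	// Traced handle for the hook. Static rather than a stack local: EasyHook
	// keeps a pointer to the traced handle and presumably clears it when the
	// hook is uninstalled later, which would write to a dead frame if this
	// lived on the stack -- TODO confirm against the EasyHook sources.
	static HOOK_TRACE_INFO hHook = { NULL };

	NTSTATUS result = LhInstallHook(
		beep,
		myBeepHook,
		NULL,
		&hHook);
	if (FAILED(result))
	{
		std::wstring s(RtlGetLastErrorString());
		std::wcout << "NativeInjectionEntryPoint: Failed to install hook: " << s << "\n";
		return; // never touch the ACL of a hook that was not installed
	}

	std::cout << "NativeInjectionEntryPoint: Hook 'myBeepHook installed successfully.\n";

	// A thread id of 0 in the ACL means "the current thread" to EasyHook.
	// An exclusive ACL disables the hook for the listed threads and enables
	// it for all others, so this thread keeps calling the real Beep.
	ULONG ACLEntries[1] = { 0 };

	result = LhSetExclusiveACL(ACLEntries, 1, &hHook);
	if (FAILED(result))
	{
		// Hook stays installed but inactive: hooks are inactive until an ACL
		// enables them, so report it rather than pretend it works.
		std::wcout << "NativeInjectionEntryPoint: Failed to set hook ACL: " << RtlGetLastErrorString() << "\n";
	}
}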
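// Sample: installs a local hook over gdi32!CreateFontIndirectW for the
// current thread, drives a few font APIs through it, then tears it down.
//
// Convention (EasyHook samples): FORCE(expr) stores the NTSTATUS in NtStatus
// and jumps to ERROR_ABORT on failure, so NtStatus and the ERROR_ABORT label
// must keep their names. ORIG_/IMPL_CreateFontIndirectW are defined
// elsewhere in this file. The two "#if 0" walkthroughs of the original
// sample were dropped: they were dead code and re-used the same traced
// handle for a second hook while the first one was still installed.
//
// Returns 0 on success, otherwise the failing NTSTATUS.
extern "C" int main(int argc, wchar_t* argv[])
{
    // Every local is declared here, before the first FORCE: a goto that
    // skips an initialised declaration is ill-formed C++ (MSVC only accepts
    // it as an extension), and ERROR_ABORT sits at the end of this scope.
    TRACED_HOOK_HANDLE      hHook = new HOOK_TRACE_INFO();   // traced handle: must outlive the hook
    NTSTATUS                NtStatus = 0;                     // 0 == STATUS_SUCCESS
    ULONG                   ACLEntries[1] = {0};              // thread id 0 == "the current thread"
    UNICODE_STRING*         NameBuffer = NULL;                // unused on the success path; kept for ERROR_ABORT
    LOGFONTA                lf = {};

    ORIG_CreateFontIndirectW = CreateFontIndirectW;

    FORCE(LhInstallHook(
            ORIG_CreateFontIndirectW,
            IMPL_CreateFontIndirectW,
            (PVOID)0,
            hHook));

    // Hooks are installed inactive; an inclusive ACL enables this one for
    // the listed threads only (here: the current thread).
    FORCE(LhSetInclusiveACL(ACLEntries, 1, hHook));

    // Drive the hook. NULL is passed on purpose, so IMPL_CreateFontIndirectW
    // must tolerate a null LOGFONTW (not verified here). The A/W and
    // CreateFont* variants show which entry points end up in the hooked one.
    CreateFontIndirectW(0);
    CreateFontW(10, 10, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, L"system");
    CreateFontIndirectA(&lf);
    CreateFontA(12, 0, 0, 0, 400, 0, 0, 0, 2, 0, 0, 0, 0, "MARLETT");

    // Removing all hooks also invalidates "hHook" (it is a traced handle)...
    LhUninstallAllHooks();
    // ...so this second call does nothing.
    LhUninstallHook(hHook);

    // Not redirected anywhere: MessageBeep was never hooked in this sample
    // and every hook has just been removed, so this goes straight to user32.
    printf(".\n");
    MessageBeep(123);
    _getch();

    // The traced handle can be released once the hook is gone.
    delete hHook;
    hHook = NULL;

    // Even after removal, the hook's memory is released asynchronously;
    // wait for it before leaving.
    LhWaitForPendingRemovals();

    return 0;

ERROR_ABORT:

    // If we aborted between LhInstallHook and LhUninstallAllHooks the hook
    // is still installed and EasyHook presumably still references the
    // traced handle; remove it before freeing the handle. Both calls are
    // harmless when nothing is installed.
    if(hHook != NULL)
    {
        LhUninstallAllHooks();
        LhWaitForPendingRemovals();
        delete hHook;
    }

    if(NameBuffer != NULL)
        free(NameBuffer);

    printf("\n[Error(0x%p)]: \"%S\" (code: %d {0x%p})\n", (PVOID)NtStatus, RtlGetLastErrorString(), RtlGetLastError(), (PVOID)RtlGetLastError());

    _getch();

    return NtStatus;
}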
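// Sample: exercises EasyHook's driver support, stealth thread creation, a
// local MessageBeep hook, and the handle-inspection helpers.
//
// Needs administrative rights: RhInstallSupportDriver/RhInstallDriver load
// kernel drivers, which presumably requires SeLoadDriverPrivilege and
// signed driver binaries. The driver file names are relative; how EasyHook
// resolves them is not visible here.
//
// Convention (EasyHook samples): FORCE(expr) stores the NTSTATUS in NtStatus
// and jumps to ERROR_ABORT on failure, so NtStatus and that label must keep
// their names. MessageBeepHook, TestThread and HijackEntry are defined
// elsewhere in this file.
//
// Returns 0 on success, EXIT_FAILURE when a Win32 call or the thread-id
// probe fails, or the failing NTSTATUS otherwise.
extern "C" int main(int argc, wchar_t* argv[])
{
    // Every local is declared here, before the first FORCE: a goto that
    // skips an initialised declaration is ill-formed C++ (MSVC only accepts
    // it as an extension), and the labels sit at the end of this scope.
    HMODULE                 hUser32 = LoadLibraryA("user32.dll");  // already mapped in every GUI process; not freed (see CLEANUP)
    TRACED_HOOK_HANDLE      hHook = new HOOK_TRACE_INFO();       // traced handle: must outlive the hook
    NTSTATUS                NtStatus = 0;                        // 0 == STATUS_SUCCESS
    ULONG                   ACLEntries[1] = {0};                 // thread id 0 == "the current thread"
    UNICODE_STRING*         NameBuffer = NULL;
    HANDLE                  hTestThread = NULL;                  // ordinary thread started before the stealth test
    HANDLE                  hRemoteThread = NULL;                // thread produced by RhCreateStealthRemoteThread
    HANDLE                  hEvent = NULL;
    HANDLE                  hProbeThread = NULL;
    ULONG                   RequiredSize = 0;
    ULONG                   RealThreadId = 0;
    ULONG                   ThreadId = 0;
    int                     ExitCode = 0;

    // --- driver support ---------------------------------------------------
    printf("Installing support driver...\n");

    FORCE(RhInstallSupportDriver());

    printf("Installing test driver...\n");

    // Braces are deliberate: FORCE may expand to an if-statement, and a
    // brace-less if/else around it would bind the else to the inner if,
    // installing the wrong driver (or none at all).
    if(RhIsX64System())
    {
        FORCE(RhInstallDriver(L"TestDriver64.sys", L"TestDriver64.sys"));
    }
    else
    {
        FORCE(RhInstallDriver(L"TestDriver32.sys", L"TestDriver32.sys"));
    }

    // --- stealth thread creation ------------------------------------------
    printf("Testing stealth thread creation...\n");

    // Kept in its own variable: the original stored this handle in
    // hRemoteThread and let the next call overwrite it, leaking it.
    hTestThread = CreateThread(NULL, 0, TestThread, NULL, 0, NULL);

    FORCE(RhCreateStealthRemoteThread(GetCurrentProcessId(), HijackEntry, (PVOID)0x12345678, &hRemoteThread));

    // Timing-based only; nothing synchronises with HijackEntry.
    Sleep(500);

    // --- local hook -------------------------------------------------------
    FORCE(LhInstallHook(
            GetProcAddress(hUser32, "MessageBeep"),   // NULL if the export is missing; presumably rejected by LhInstallHook, so FORCE aborts
            MessageBeepHook,
            (PVOID)0x12345678,                        // opaque callback context handed to the hook
            hHook));

    // Hooks are inactive right after installation, so this is not redirected.
    MessageBeep(123);

    // An inclusive ACL enables the hook for the listed threads only.
    FORCE(LhSetInclusiveACL(ACLEntries, 1, hHook));

    // Now redirected into MessageBeepHook.
    MessageBeep(123);

    // Removing all hooks also invalidates "hHook" (it is a traced handle)...
    LhUninstallAllHooks();
    // ...so this second call does nothing.
    LhUninstallHook(hHook);

    // The traced handle can be released once the hook is gone.
    delete hHook;
    hHook = NULL;

    // Even after removal, the hook's memory is released asynchronously.
    LhWaitForPendingRemovals();

    // --- handle utilities -------------------------------------------------
    // NOTE(review): "MyEvent" is an unqualified, guessable name in the
    // session-local object namespace. Any other process in the session can
    // create it first, in which case this call silently opens that object
    // (GetLastError() == ERROR_ALREADY_EXISTS) instead of creating a fresh
    // one. Acceptable for a sample; a real tool should use a unique name
    // and check for that condition.
    hEvent = CreateEventA(NULL, TRUE, FALSE, "MyEvent");
    if(hEvent == NULL)
    {
        printf("\n[Error]: CreateEventA failed (Win32 error %lu).\n", GetLastError());
        ExitCode = EXIT_FAILURE;
        goto CLEANUP;
    }

    // Two-step query: the first call only reports the buffer size needed.
    if(!SUCCEEDED(NtStatus = DbgHandleToObjectName(hEvent, NULL, 0, &RequiredSize)))
        goto ERROR_ABORT;

    NameBuffer = (UNICODE_STRING*)malloc(RequiredSize);
    if(NameBuffer == NULL)
    {
        printf("\n[Error]: could not allocate %lu bytes for the object name.\n", RequiredSize);
        ExitCode = EXIT_FAILURE;
        goto CLEANUP;
    }

    FORCE(DbgHandleToObjectName(hEvent, NameBuffer, RequiredSize, &RequiredSize));

    // UNICODE_STRING buffers are not guaranteed to be NUL-terminated, so
    // print exactly Length/sizeof(WCHAR) characters instead of trusting %S
    // to find a terminator.
    printf("\n[Info]: Event name is \"%.*S\".\n", (int)(NameBuffer->Length / sizeof(WCHAR)), NameBuffer->Buffer);

    // Probe: a suspended thread whose id we already know, resolved back from
    // its handle. It has no start routine and is never resumed; it only
    // exists to be looked up and dies with the process.
    hProbeThread = CreateThread(NULL, 0, NULL, NULL, CREATE_SUSPENDED, &RealThreadId);
    if(hProbeThread == NULL)
    {
        printf("\n[Error]: CreateThread failed (Win32 error %lu).\n", GetLastError());
        ExitCode = EXIT_FAILURE;
        goto CLEANUP;
    }

    FORCE(DbgGetThreadIdByHandle(hProbeThread, &ThreadId));

    if(ThreadId != RealThreadId)
    {
        // The original returned EXIT_FAILURE here without releasing anything.
        printf("\n[Error]: DbgGetThreadIdByHandle returned %lu, expected %lu.\n", ThreadId, RealThreadId);
        ExitCode = EXIT_FAILURE;
        goto CLEANUP;
    }

    _getch();

    ExitCode = 0;
    goto CLEANUP;

ERROR_ABORT:

    printf("\n[Error(0x%p)]: \"%S\" (code: %d {0x%p})\n", (PVOID)NtStatus, RtlGetLastErrorString(), RtlGetLastError(), (PVOID)RtlGetLastError());

    _getch();

    ExitCode = NtStatus;

CLEANUP:

    // Reached on every path. If we aborted between LhInstallHook and
    // LhUninstallAllHooks the hook is still installed and EasyHook
    // presumably still references the traced handle; remove it before
    // freeing the handle. Both calls are harmless when nothing is installed.
    if(hHook != NULL)
    {
        LhUninstallAllHooks();
        LhWaitForPendingRemovals();
        delete hHook;
    }

    if(NameBuffer != NULL)
        free(NameBuffer);

    if(hProbeThread != NULL)
        CloseHandle(hProbeThread);

    if(hEvent != NULL)
        CloseHandle(hEvent);

    // Assumed caller-owned (it is an out parameter) -- TODO confirm.
    if(hRemoteThread != NULL)
        CloseHandle(hRemoteThread);

    // Closing the handle does not stop TestThread; it ends with the process.
    if(hTestThread != NULL)
        CloseHandle(hTestThread);

    // hUser32 is intentionally not freed: user32 is pinned by this process
    // anyway, and the hook memory may only just have been released.

    return ExitCode;
}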