#include <windows.h>
#include <vector>
#include <memory>
#include "EasyHook\easyhook.h"
HMODULE g_hModule = NULL;  // this DLL's own module handle, recorded in DllMain on DLL_PROCESS_ATTACH
// Every hook installed by NativeInjectionEntryPoint is registered here so that
// RemoveAllApiHooks can uninstall it and free its HOOK_TRACE_INFO record.
std::vector<TRACED_HOOK_HANDLE> g_vApiHookHandles;
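void RemoveAllApiHooks(void);
// Uninstalls every EasyHook hook in this process and frees the HOOK_TRACE_INFO
// records tracked in g_vApiHookHandles.
//
// Fix: the vector is now emptied after its records are freed. Previously the
// dangling pointers stayed in the vector, so a second call — which does happen:
// the exception path in NativeInjectionEntryPoint calls this, and
// DLL_PROCESS_DETACH calls it again — deleted every record twice.
void RemoveAllApiHooks(void)
{
    // Detach the hooks before touching the records: they must stay allocated
    // until EasyHook has finished removing the hooks that reference them.
    LhUninstallAllHooks();
    LhWaitForPendingRemovals();
    for (std::vector<TRACED_HOOK_HANDLE>::const_iterator it = g_vApiHookHandles.begin();
         it != g_vApiHookHandles.end(); ++it) {
        delete *it;
    }
    g_vApiHookHandles.clear();  // drop the now-dangling pointers so a repeat call is a no-op
}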
PVOID NTAPI MyRtlAllocateHeap(PVOID HeapHandle, ULONG Flags, SIZE_T Size);
// Hook handler that NativeInjectionEntryPoint installs over ntdll!RtlAllocateHeap.
// It announces the interception with a modal message box, then forwards the call
// unchanged to the real allocator so the caller still receives its block.
//
// NOTE(review): RtlAllocateHeap sits under practically every code path in the
// process, and MessageBoxW is itself likely to allocate and will block the calling
// thread while it pumps messages. Whether EasyHook suppresses the resulting
// re-entry into this handler, and whether a modal dialog is tolerable inside the
// target, should be confirmed before this is used for anything beyond a smoke test.
PVOID NTAPI MyRtlAllocateHeap(PVOID HeapHandle, ULONG Flags, SIZE_T Size)
{
    // Announce first, then defer to the original allocator with the same arguments.
    ::MessageBoxW(NULL, L"MyRtlAllocateHeap", L"MyRtlAllocateHeap", MB_OK);
    const PVOID block = ::RtlAllocateHeap(HeapHandle, Flags, Size);
    return block;
}
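extern "C" __declspec(dllexport) void __stdcall NativeInjectionEntryPoint(REMOTE_ENTRY_INFO*);
// EasyHook remote entry point, invoked inside the target process once this DLL has
// been injected. Installs a hook over ntdll!RtlAllocateHeap routed to
// MyRtlAllocateHeap, registers its handle in g_vApiHookHandles so RemoveAllApiHooks
// can tear it down, and only then resumes the suspended target via RhWakeUpProcess.
// The REMOTE_ENTRY_INFO argument is unused.
//
// Fix: the NTSTATUS results of the EasyHook calls were ignored, so a failed
// install still registered the handle and woke the process with no hook in place.
// Each step is now checked (a negative NTSTATUS is a failure — the same test
// NT_SUCCESS() performs); on failure the error is logged with OutputDebugStringW,
// whatever was set up is undone, and the process is left un-woken, matching the
// existing exception path. Whoever drives the injection is responsible for the
// target in that case.
extern "C" __declspec(dllexport) void __stdcall NativeInjectionEntryPoint(REMOTE_ENTRY_INFO*)
{
    try {
        // ntdll is mapped into every user-mode process, so a NULL here means the
        // export itself could not be resolved.
        const FARPROC target = ::GetProcAddress(::GetModuleHandleW(L"ntdll"), "RtlAllocateHeap");
        if (target == NULL) {
            ::OutputDebugStringW(L"Faultron: RtlAllocateHeap not found in ntdll.");
            return;
        }

        // The record is kept alive in g_vApiHookHandles until RemoveAllApiHooks has
        // uninstalled the hook and frees it.
        TRACED_HOOK_HANDLE globalallochook(new HOOK_TRACE_INFO());
        if (LhInstallHook(target, MyRtlAllocateHeap, NULL, globalallochook) < 0) {
            ::OutputDebugStringW(L"Faultron: LhInstallHook(RtlAllocateHeap) failed.");
            delete globalallochook;  // never registered, so it is freed here
            return;
        }

        // An empty *exclusive* thread list excludes nothing, so by EasyHook's ACL
        // semantics every thread in the process should be intercepted — confirm
        // against the EasyHook version in use.
        ULONG ulTidList[1] = {};
        if (LhSetExclusiveACL(ulTidList, 0, globalallochook) < 0) {
            ::OutputDebugStringW(L"Faultron: LhSetExclusiveACL failed.");
            // The hook is live but not yet registered: remove it directly rather
            // than through RemoveAllApiHooks.
            LhUninstallHook(globalallochook);
            LhWaitForPendingRemovals();
            delete globalallochook;
            return;
        }
        g_vApiHookHandles.push_back(globalallochook);

        // Wakeup the suspended process...
        RhWakeUpProcess();
    } catch (...) {
        ::OutputDebugStringW(L"Faultron: NativeInjectionEntryPoint() exception.");
        RemoveAllApiHooks();
    }
}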
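BOOL WINAPI DllMain(HMODULE hModule, DWORD fdwReason, LPVOID lpvReserved);
// DLL entry point. On attach it records the module handle and switches off the
// per-thread attach/detach notifications; on detach it tears the hooks down.
//
// Fix: lpvReserved is now honoured on DLL_PROCESS_DETACH. It is NULL for an
// explicit unload (FreeLibrary) and non-NULL when the process itself is
// terminating; in the latter case the other threads have already been killed, so
// the unhook sequence (which includes LhWaitForPendingRemovals) is skipped and the
// OS reclaims everything, as Microsoft's DllMain guidance recommends.
BOOL WINAPI DllMain(HMODULE hModule, DWORD fdwReason, LPVOID lpvReserved)
{
    switch (fdwReason) {
    case DLL_PROCESS_ATTACH:
        g_hModule = hModule;
        ::DisableThreadLibraryCalls(hModule);
        ::OutputDebugStringW(L"Faultron: DLL_PROCESS_ATTACH.");
        break;
    case DLL_PROCESS_DETACH:
        ::OutputDebugStringW(L"Faultron: DLL_PROCESS_DETACH.");
        if (lpvReserved == NULL) {
            RemoveAllApiHooks();  // explicit unload: hooks must not outlive the code they jump to
        }
        break;
    default:
        break;
    }
    return TRUE;
}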