unsigned WINAPI init_portable(void * pParam)
{
HMODULE hShell32 = GetModuleHandleW(L"shell32.dll");
if (hShell32 != NULL)
{
TrueSHGetFolderPathW = (_NtSHGetFolderPathW)GetProcAddress(hShell32,
"SHGetFolderPathW");
TrueSHGetSpecialFolderPathW = (_NtSHGetSpecialFolderPathW)GetProcAddress(hShell32,
"SHGetSpecialFolderPathW");
TrueSHGetSpecialFolderLocation = (_NtSHGetSpecialFolderLocation)GetProcAddress(hShell32,
"SHGetSpecialFolderLocation");
}
/* hook 下面几个函数 */
if (TrueSHGetSpecialFolderLocation)
{
Mhook_SetHook((PVOID*)&TrueSHGetSpecialFolderLocation, (PVOID)HookSHGetSpecialFolderLocation);
}
if (TrueSHGetFolderPathW)
{
Mhook_SetHook((PVOID*)&TrueSHGetFolderPathW, (PVOID)HookSHGetFolderPathW);
}
if (TrueSHGetSpecialFolderPathW)
{
Mhook_SetHook((PVOID*)&TrueSHGetSpecialFolderPathW, (PVOID)HookSHGetSpecialFolderPathW);
}
return (1);
}
BOOL WINAPI DllMain(HINSTANCE hinst, DWORD dwReason, LPVOID reserved)
{
(void)hinst;
(void)reserved;
if (dwReason == DLL_PROCESS_ATTACH) {
#if defined(USE_SYELOG)
// open log
SyelogOpen("clcoffee", SYELOG_FACILITY_APPLICATION);
#endif
// get xorvalue && filename
const char* xorvalueStr = getenv("CLCOFFEE_VALUE");
const char* fileStr = getenv("CLCOFFEE_FILE");
if (xorvalueStr && fileStr) {
XORVALUE = hex2dec(xorvalueStr[0])*16 + hex2dec(xorvalueStr[1]);
SOURCEFILE = cstr2wstr(fileStr);
}
#if defined(USE_SYELOG)
// open log
Syelog(SYELOG_SEVERITY_INFORMATION, "XORVALUE: 0x%X, SOURCEFILE: %ls\n", XORVALUE, SOURCEFILE);
#endif
// detour it
Mhook_SetHook((PVOID*)&Real_CreateFileW, Mine_CreateFileW);
Mhook_SetHook((PVOID*)&Real_ReadFile, Mine_ReadFile);
Mhook_SetHook((PVOID*)&Real_CloseHandle, Mine_CloseHandle);
#if defined(USE_SYELOG)
if (error == NO_ERROR) {
Syelog(SYELOG_SEVERITY_INFORMATION, "Detoured ok: %d\n", error);
} else {
Syelog(SYELOG_SEVERITY_INFORMATION, "Error detouring: %d\n", error);
}
#endif
}
else if (dwReason == DLL_PROCESS_DETACH) {
Mhook_Unhook((PVOID*)&Real_CreateFileW);
Mhook_Unhook((PVOID*)&Real_ReadFile);
Mhook_Unhook((PVOID*)&Real_CloseHandle);
free(SOURCEFILE);
SOURCEFILE = 0;
#if defined(USE_SYELOG)
Syelog(SYELOG_SEVERITY_INFORMATION, "Removed detour: %d\n", error);
SyelogClose(FALSE);
#endif
}
return TRUE;
}
SmileyCreateHook::SmileyCreateHook(void)
{
if (!Mhook_SetHook((PVOID*)&TrueCoCreateInstance, HookCoCreateInstance))
{
SASSERT(FALSE);
}
if (!Mhook_SetHook((PVOID*)&TrueProgIDFromCLSID, HookProgIDFromCLSID))
{
SASSERT(FALSE);
}
}
//=========================================================================
// This is where the work gets done.
//
int wmain(int argc, WCHAR* argv[])
{
HANDLE hProc = NULL;
// Set the hook
if (Mhook_SetHook((PVOID*)&TrueNtOpenProcess, HookNtOpenProcess)) {
// Now call OpenProcess and observe NtOpenProcess being redirected
// under the hood.
hProc = OpenProcess(PROCESS_ALL_ACCESS,
FALSE, GetCurrentProcessId());
if (hProc) {
printf("Successfully opened self: %p\n", hProc);
CloseHandle(hProc);
} else {
printf("Could not open self: %d\n", GetLastError());
}
// Remove the hook
Mhook_Unhook((PVOID*)&TrueNtOpenProcess);
}
// Call OpenProces again - this time there won't be a redirection as
// the hook has bee removed.
hProc = OpenProcess(PROCESS_ALL_ACCESS, FALSE, GetCurrentProcessId());
if (hProc) {
printf("Successfully opened self: %p\n", hProc);
CloseHandle(hProc);
} else {
printf("Could not open self: %d\n", GetLastError());
}
// Test another hook, this time in SelectObject
// (SelectObject is interesting in that on XP x64, the second instruction
// in the trampoline uses IP-relative addressing and we need to do some
// extra work under the hood to make things work properly. This really
// is more of a test case rather than a demo.)
if (Mhook_SetHook((PVOID*)&TrueSelectObject, HookSelectobject)) {
// error checking omitted for brevity. doesn't matter much
// in this context anyway.
HDC hdc = GetDC(NULL);
HDC hdcMem = CreateCompatibleDC(hdc);
HBITMAP hbm = CreateCompatibleBitmap(hdc, 32, 32);
HBITMAP hbmOld = (HBITMAP)SelectObject(hdcMem, hbm);
SelectObject(hdcMem, hbmOld);
DeleteObject(hbm);
DeleteDC(hdcMem);
ReleaseDC(NULL, hdc);
// Remove the hook
Mhook_Unhook((PVOID*)&TrueSelectObject);
}
return 0;
}
unsigned WINAPI init_safed(void * pParam)
{
HMODULE hNtdll;
DWORD ver = GetOsVersion();
TrueLoadLibraryExW = (_NtLoadLibraryExW)GetProcAddress(GetModuleHandleW(L"kernel32.dll"),"LoadLibraryExW");
if (!TrueLoadLibraryExW)
{
#ifdef _LOGDEBUG
logmsg("TrueLoadLibraryExW is null %lu\n",GetLastError());
#endif
}
hNtdll = GetModuleHandleW(L"ntdll.dll");
if (hNtdll)
{
TrueNtSuspendThread = (_NtSuspendThread)GetProcAddress
(hNtdll, "NtSuspendThread");
TrueNtResumeThread = (_NtResumeThread)GetProcAddress
(hNtdll, "NtResumeThread");
TrueNtQueryInformationProcess = (_NtQueryInformationProcess)GetProcAddress(hNtdll,
"NtQueryInformationProcess");
TrueNtWriteVirtualMemory = (_NtWriteVirtualMemory)GetProcAddress(hNtdll,
"NtWriteVirtualMemory");
TrueRtlNtStatusToDosError = (_RtlNtStatusToDosError)GetProcAddress(hNtdll,
"RtlNtStatusToDosError");
if (ver>601) /* win8 */
{
TrueNtCreateUserProcess = (_NtCreateUserProcess)GetProcAddress(hNtdll, "NtCreateUserProcess");
if (TrueNtCreateUserProcess)
{
Mhook_SetHook((PVOID*)&TrueNtCreateUserProcess, (PVOID)HookNtCreateUserProcess);
}
}
else
{
TrueCreateProcessInternalW = (_CreateProcessInternalW)GetProcAddress(GetModuleHandleW(L"kernel32.dll"), "CreateProcessInternalW");
if (TrueCreateProcessInternalW)
{
Mhook_SetHook((PVOID*)&TrueCreateProcessInternalW, (PVOID)HookCreateProcessInternalW);
}
}
}
if (TrueLoadLibraryExW)
{
Mhook_SetHook((PVOID*)&TrueLoadLibraryExW, (PVOID)HookLoadLibraryExW);
}
if (TrueNtWriteVirtualMemory)
{
Mhook_SetHook((PVOID*)&TrueNtWriteVirtualMemory, (PVOID)HookNtWriteVirtualMemory);
}
return (1);
}
BOOL WINAPI DllMain(HINSTANCE hinstDLL, // handle to DLL module
DWORD fdwReason, // reason for calling function
LPVOID lpReserved) // reserved
{
// Perform actions based on the reason for calling.
switch (fdwReason)
{
case DLL_PROCESS_ATTACH:
// Initialize once for each new process.
// Return FALSE to fail DLL load.
m_fptr = fopen("C:\\HelloQQ.txt", "a");
Mhook_SetHook((PVOID*)&TrueGetStatus, HookGetStatus);
break;
case DLL_PROCESS_DETACH:
// Perform any necessary cleanup.
if (m_fptr)
{
fclose(m_fptr);
m_fptr = NULL;
}
Mhook_Unhook((PVOID*)&TrueGetStatus);
break;
}
return TRUE; // Successful DLL_PROCESS_ATTACH.
}
//=========================================================================
// This is where the work gets done.
//
int _tmain(int argc, WCHAR* argv[])
{
HANDLE hProc = NULL;
TrueNtOpenProcess = (_NtOpenProcess)GetProcAddress(GetModuleHandleW(L"ntdll"), "NtOpenProcess");
// Set the hook
if (Mhook_SetHook((PVOID *)&TrueNtOpenProcess, HookNtOpenProcess)) {
// Now call OpenProcess and observe NtOpenProcess being redirected
// under the hood.
hProc = OpenProcess(PROCESS_ALL_ACCESS,
FALSE, GetCurrentProcessId());
if (hProc) {
printf("Successfully opened self: %p\n", hProc);
CloseHandle(hProc);
} else {
printf("Could not open self: %lu\n", GetLastError());
}
}
else
{
printf("Mhook_SetHook false\n");
}
// Call OpenProces again - this time there won't be a redirection as
// the hook has bee removed.
hProc = OpenProcess(PROCESS_ALL_ACCESS, FALSE, 2624);
if (hProc) {
printf("Successfully opened self: %p\n", hProc);
CloseHandle(hProc);
} else {
printf("Could not open self: %lu\n", GetLastError());
}
getchar();
// Remove the hook
Mhook_Unhook((PVOID*)&TrueNtOpenProcess);
return 0;
}
// called in every hooked LoadLibrary* function, if winscard.dll is loaded, hook SCardTransmit
void checkAndHook(){
if((GetModuleHandle(L"winscard.dll") != NULL) && !ALREADY_HOOKED){
// hook it
OrigSCardTransmit = (PSCARDTRANSMIT)::GetProcAddress(::GetModuleHandle(L"winscard"), "SCardTransmit");
Mhook_SetHook((PVOID*)&OrigSCardTransmit, HookedSCardTransmit);
ALREADY_HOOKED = true;
}
}
void HookCrypt() {
HMODULE hAdvapi32 = GetModuleHandle(kAdvapi32);
SavedCryptGenKey = (CryptGenKeyPtr)GetProcAddress(hAdvapi32, "CryptGenKey");
assert(SavedCryptGenKey);
Mhook_SetHook((PVOID*)&SavedCryptGenKey, (PVOID)CryptGenKeyHook);
gCryptHooked = true;
}
unsigned WINAPI init_exeception(void * pParam)
{
TrueSetUnhandledExceptionFilter = (_NtSetUnhandledExceptionFilter)GetProcAddress
(GetModuleHandleW(L"kernel32.dll"), "SetUnhandledExceptionFilter");
if (TrueSetUnhandledExceptionFilter)
{
Mhook_SetHook((PVOID*)&TrueSetUnhandledExceptionFilter, (PVOID)HookSetUnhandledExceptionFilter);
}
return (1);
}
BOOL APIENTRY DllMain( HMODULE hModule, DWORD ul_reason_for_call, LPVOID lpReserved){
wchar_t *pos = NULL;
wchar_t pathToExe[MAX_PATH];
switch (ul_reason_for_call){
case DLL_PROCESS_ATTACH:
// get the path to this dll, log file will be saved as <PATH>\Application.exe.txt
// so each application will have it's own log file
GetModuleFileNameW((HINSTANCE)&__ImageBase, pathToLog, MAX_PATH);
// currently i don't really care about actuall path being longer than MAX_PATH
pos = wcsrchr(pathToLog,'\\');
*++pos = '\0';
pos = NULL;
if(GetModuleFileName(NULL,pathToExe,MAX_PATH)){
pos = wcsrchr(pathToExe,'\\');
*++pos;
}
if(pos != NULL){
wcscat_s(pathToLog,MAX_PATH,pos);
wcscat_s(pathToLog,MAX_PATH,L".txt");
}else{ // clumsy , i know
wcscat_s(pathToLog,MAX_PATH,L"winscard.txt");
}
// place all needed hooks
Mhook_SetHook((PVOID*)&OrigLoadLibraryA, HookedLoadLibraryA);
Mhook_SetHook((PVOID*)&OrigLoadLibraryW, HookedLoadLibraryW);
Mhook_SetHook((PVOID*)&OrigLoadLibraryExW, HookedLoadLibraryExW);
Mhook_SetHook((PVOID*)&OrigLoadLibraryExA, HookedLoadLibraryExA);
break;
case DLL_PROCESS_DETACH:
Mhook_Unhook((PVOID*)&OrigLoadLibraryA);
Mhook_Unhook((PVOID*)&OrigLoadLibraryW);
Mhook_Unhook((PVOID*)&OrigLoadLibraryExA);
Mhook_Unhook((PVOID*)&OrigLoadLibraryExW);
if(ALREADY_HOOKED){
//unhook winscard too
Mhook_Unhook((PVOID*)&OrigSCardTransmit);
ALREADY_HOOKED = false;
}
break;
}
return TRUE;
}
bool Hook::setHook()
{
BOOL hookResult;
int count = 0, max = 3;
do
{
if (count == max)
break;
else
hookResult = Mhook_SetHook((PVOID*)&this->TrueCreateFile, (PVOID)(Hook::SecuredCreateFile));
++count;
} while ((!hookResult));
return hookResult;
}
BOOL WINAPI DllMain(
__in HINSTANCE hInstance,
__in DWORD Reason,
__in LPVOID Reserved
)
{
switch (Reason)
{
case DLL_PROCESS_ATTACH:
//Mhook_SetHook((PVOID*)&OriginalNtQuerySystemInformation, HookedNtQuerySystemInformation);
Mhook_SetHook((PVOID*)&loclTimeFun, HookedLocalTime);
Mhook_SetHook((PVOID*)&fileTimeFun,HookedFileTime);
break;
case DLL_PROCESS_DETACH:
//Mhook_Unhook((PVOID*)&OriginalNtQuerySystemInformation);
Mhook_Unhook((PVOID*)&loclTimeFun);
Mhook_Unhook((PVOID*)&fileTimeFun);
break;
}
return TRUE;
}
void InstallHooks()
{
for(size_t i = 0; i < g_FunctionsCount; ++i)
{
if(!GetModuleHandleA(g_Functions[i].FunctionModule))
throw std::runtime_error("Cannot find the module ");
*g_Functions[i].OriginalFunction = GetProcAddress(GetModuleHandleA(g_Functions[i].FunctionModule), g_Functions[i].FunctionName);
if(*g_Functions[i].OriginalFunction == NULL)
throw std::runtime_error("Cannot find the function ");
if(!Mhook_SetHook(g_Functions[i].OriginalFunction, g_Functions[i].HookFunction))
throw std::runtime_error("Cannot set hook on the function ");
}
}
BOOL Mhook_SetHookEx(PVOID ppSystemFunction, PVOID pHookFunction) {
PVOID * p = ppSystemFunction == NULL ? NULL : (PVOID*)&ppSystemFunction;
return Mhook_SetHook(p,pHookFunction);
}
