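// Install the DirectInput8Create inline hook in an already-loaded dinput8.dll.
//
// ModuleBase: optional out-param; receives the base address of dinput8.dll,
//             written only once the hook is in place.
// Context:    hook context stored in the global DInput8CallbackContext for the
//             HookDirectInput8Create callback; likewise only published on success.
//
// Returns the LdrGetDllHandle status when dinput8.dll is not loaded (nothing is
// loaded here), STATUS_UNSUCCESSFUL when the export cannot be resolved, and
// otherwise the Nt_PatchMemory status.
//
// Fix relative to the original: ModuleBase and DInput8CallbackContext used to be
// written even when Nt_PatchMemory failed, leaving a callback context pointing at
// a hook that was never installed. Both are now set only after a successful patch.
NTSTATUS HookDirectInput8(PVOID *ModuleBase, PDHOOK_HOOK_INFO Context)
{
    PVOID           DInput8ModuleBase;
    NTSTATUS        Status;
    UNICODE_STRING  DllName;
    HRESULT (WINAPI *DirectInput8Create)(HINSTANCE, DWORD, REFIID, PVOID*, LPUNKNOWN);

    RTL_CONST_STRING(DllName, L"dinput8.dll");
    Status = LdrGetDllHandle(NULL, 0, &DllName, &DInput8ModuleBase);
    if (!NT_SUCCESS(Status))
        return Status;

    *(PVOID *)&DirectInput8Create = Nt_GetProcAddress(DInput8ModuleBase, "DirectInput8Create");
    if (DirectInput8Create == NULL)
        return STATUS_UNSUCCESSFUL;

    MEMORY_FUNCTION_PATCH f[] =
    {
        INLINE_HOOK_JUMP(DirectInput8Create, HookDirectInput8Create, StubDirectInput8Create),
    };

    Status = Nt_PatchMemory(NULL, 0, f, countof(f), NULL);
    if (!NT_SUCCESS(Status))
        return Status;

    // Publish results only for an installed hook.
    if (ModuleBase != NULL)
        *ModuleBase = DInput8ModuleBase;

    DInput8CallbackContext = Context;

    return Status;
}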
// Program body: for every command-line argument (an executable, or a .lnk that
// resolves to one) the target is started suspended and XP3Viewer.dll — taken
// from the directory returned by Nt_GetExeDirectory, presumably this program's
// own directory — is injected into it. Nothing is printed on success.
//
// argc/argv: the raw wide command line; argv[0] is skipped.
ForceInline VOID main2(Int argc, WChar **argv)
{
    NTSTATUS Status;
    // szDllPath is reused three times: full path of the target, then its
    // directory (child's current directory), then the path of the DLL to inject.
    WCHAR *pExePath, szDllPath[MAX_NTPATH], FullExePath[MAX_NTPATH];
    STARTUPINFOW si;
    PROCESS_INFORMATION pi;

#if 0
    // Disabled experiment: map OllyDbg.exe as a DLL and print its handle/export.
    PVOID buf;
    // CNtFileDisk file;
    UNICODE_STRING str;

    // file.Open((FIELD_BASE(FindLdrModuleByName(NULL)->InLoadOrderModuleList.Flink, LDR_MODULE, InLoadOrderModuleList))->FullDllName.Buffer);
    // buf = AllocateMemory(file.GetSize32());
    // file.Read(buf);
    // file.Close();

    RTL_CONST_STRING(str, L"OllyDbg.exe");
    LoadDllFromMemory(GetNtdllHandle(), -1, &str, NULL, LMD_MAPPED_DLL);
    PrintConsoleW(
        L"%s handle = %08X\n"
        L"%s.NtSetEvent = %08X\n",
        str.Buffer, GetModuleHandleW(str.Buffer),
        str.Buffer, Nt_GetProcAddress(GetModuleHandleW(str.Buffer), "NtSetEvent")
    );
    getch();
    FreeMemory(buf);
    return;
#endif

#if 1
    // No targets given: nothing to do.
    if (argc == 1)
        return;

    // NOTE(review): Status doubles as the BOOLEAN "previous state" out-param here;
    // only its low byte is written and the return value is not checked, so a
    // missing SE_DEBUG_PRIVILEGE is silently ignored until CreateProcess/inject fails.
    RtlAdjustPrivilege(SE_DEBUG_PRIVILEGE, TRUE, FALSE, (PBOOLEAN)&Status);

    while (--argc)
    {
        pExePath = findextw(*++argv);
        // NOTE(review): this loads 8 bytes (4 WCHARs) starting at the extension.
        // If findextw returns a pointer to an extension shorter than 3 characters
        // (or to the terminator when there is none) the load reads past the end
        // of the argv string — confirm findextw's contract before relying on it.
        if (CHAR_UPPER4W(*(PULONG64)pExePath) == CHAR_UPPER4W(TAG4W('.LNK')))
        {
            // .lnk argument: resolve the shortcut; fall back to the .lnk path itself.
            if (FAILED(GetPathFromLinkFile(*argv, FullExePath, countof(FullExePath))))
            {
                pExePath = *argv;
            }
            else
            {
                pExePath = FullExePath;
            }
        }
        else
        {
            pExePath = *argv;
        }

        // Size argument is in bytes; the return value (0 on failure) is not checked.
        RtlGetFullPathName_U(pExePath, sizeof(szDllPath), szDllPath, NULL);

#if 0
        Status = FakeCreateProcess(szDllPath, NULL);
        if (!NT_SUCCESS(Status))
#else
        // Strip the file name so szDllPath is the target's directory, used as the
        // child's current directory (NULL when empty). The child starts suspended.
        rmnamew(szDllPath);
        ZeroMemory(&si, sizeof(si));
        si.cb = sizeof(si);
        Status = CreateProcessInternalW(
                    NULL, pExePath, NULL, NULL, NULL, FALSE, CREATE_SUSPENDED,
                    NULL, *szDllPath == 0 ? NULL : szDllPath, &si, &pi, NULL);
        // CreateProcessInternalW returns a BOOL, so Status is tested as a boolean
        // here rather than with NT_SUCCESS.
        if (!Status)
#endif
        {
            PrintConsoleW(L"%s: CreateProcess() failed\n", pExePath);
            continue;
        }

        ULONG Length;
        UNICODE_STRING DllFullPath;

        // Build "<exe directory>XP3Viewer.dll" in szDllPath; CopyStruct also copies
        // the terminator because sizeof(L"...") includes it.
        Length = Nt_GetExeDirectory(szDllPath, countof(szDllPath));
        CopyStruct(szDllPath + Length, L"XP3Viewer.dll", sizeof(L"XP3Viewer.dll"));

        DllFullPath.Buffer = szDllPath;
        // Length is in characters at this point; converted to bytes on the next
        // line as UNICODE_STRING requires.
        DllFullPath.Length = (USHORT)(Length + CONST_STRLEN(L"XP3Viewer.dll"));
        DllFullPath.Length *= sizeof(WCHAR);
        DllFullPath.MaximumLength = DllFullPath.Length;

        // NOTE(review): nothing in this function resumes pi.hThread — presumably
        // InjectDllToRemoteProcess does on success; confirm, otherwise the child
        // is left suspended.
        Status = InjectDllToRemoteProcess(pi.hProcess, pi.hThread, &DllFullPath, FALSE);
        if (!NT_SUCCESS(Status))
        {
            // Injection failed: kill the still-suspended child rather than leave
            // it running un-hooked. The failure is not reported to the user.
            // PrintError(GetLastError());
            NtTerminateProcess(pi.hProcess, 0);
        }

        NtClose(pi.hProcess);
        NtClose(pi.hThread);
    }
#endif
}
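// Create a process through the native RtlCreateUserProcess path rather than
// CreateProcessW.
//
// ApplicationName:    Win32 (DOS) path of the image; converted to an NT path here.
// CommandLine:        optional command line; NULL leaves the parameter block's
//                     command line unset.
// CreationFlags:      only CREATE_SUSPENDED is honoured; all other flags are ignored.
// CurrentDirectory:   optional working directory for the child.
// StartupInfo:        accepted for signature compatibility; not used.
// ProcessInformation: optional. When NULL the process and thread handles are
//                     closed here; otherwise ownership of both passes to the caller.
//
// Returns STATUS_OBJECT_PATH_NOT_FOUND when the path cannot be converted,
// otherwise the status of RtlCreateProcessParameters / RtlCreateUserProcess.
//
// The child's DllPath (loader search path) is copied from this process's "Path"
// environment variable, so the child inherits whatever PATH this process runs under.
//
// Fix relative to the original: the RtlQueryEnvironmentVariable_U result was
// ignored. When the variable does not fit in DllPathBuffer the call fails with
// STATUS_BUFFER_TOO_SMALL and reports the required size in DllPath.Length, which
// then exceeds MaximumLength and hands a malformed UNICODE_STRING to
// RtlCreateProcessParameters. On any failure DllPath is now reset to empty.
NTSTATUS Nt_CreateProcess(
    LPCWSTR ApplicationName,
    LPWSTR CommandLine,
    ULONG CreationFlags,
    LPCWSTR CurrentDirectory,
    LPSTARTUPINFO StartupInfo,
    LPPROCESS_INFORMATION ProcessInformation
)
{
    NTSTATUS                        Status;
    WCHAR                           DllPathBuffer[0x3000];
    UNICODE_STRING                  PathVariableName, DllPath, ImagePathName;
    UNICODE_STRING                  _CommandLine, _CurrentDirectory;
    PRTL_USER_PROCESS_PARAMETERS    ProcessParameters;
    RTL_USER_PROCESS_INFORMATION    ProcessInfo;

    // ImagePathName is allocated by the runtime; every exit below frees it.
    if (!RtlDosPathNameToNtPathName_U(ApplicationName, &ImagePathName, NULL, NULL))
        return STATUS_OBJECT_PATH_NOT_FOUND;

    RTL_CONST_STRING(PathVariableName, L"Path");

    DllPath.Length          = 0;
    DllPath.MaximumLength   = sizeof(DllPathBuffer);
    DllPath.Buffer          = DllPathBuffer;

    Status = RtlQueryEnvironmentVariable_U(NULL, &PathVariableName, &DllPath);
    if (!NT_SUCCESS(Status))
        DllPath.Length = 0;     // keep Length <= MaximumLength on any failure

    if (CommandLine != NULL)
        RtlInitUnicodeString(&_CommandLine, CommandLine);

    if (CurrentDirectory != NULL)
        RtlInitUnicodeString(&_CurrentDirectory, CurrentDirectory);

    Status = RtlCreateProcessParameters(
                &ProcessParameters,
                &ImagePathName,
                &DllPath,
                CurrentDirectory == NULL ? NULL : &_CurrentDirectory,
                CommandLine == NULL ? NULL : &_CommandLine,
                NULL, NULL, NULL, NULL, NULL
             );

    if (!NT_SUCCESS(Status))
    {
        RtlFreeUnicodeString(&ImagePathName);
        return Status;
    }

    ProcessInfo.Size = sizeof(ProcessInfo);
    Status = RtlCreateUserProcess(
                &ImagePathName,
                OBJ_CASE_INSENSITIVE,
                ProcessParameters,
                NULL, NULL, NULL,
                FALSE,
                NULL, NULL,
                &ProcessInfo
             );

    // Neither the parameter block nor the NT path is needed past this point,
    // whatever the outcome.
    RtlDestroyProcessParameters(ProcessParameters);
    RtlFreeUnicodeString(&ImagePathName);

    if (!NT_SUCCESS(Status))
        return Status;

    // Start the initial thread unless the caller asked for a suspended process.
    if (!FLAG_ON(CreationFlags, CREATE_SUSPENDED))
        NtResumeThread(ProcessInfo.ThreadHandle, NULL);

    if (ProcessInformation == NULL)
    {
        NtClose(ProcessInfo.ProcessHandle);
        NtClose(ProcessInfo.ThreadHandle);
        return Status;
    }

    ProcessInformation->dwProcessId = (ULONG)ProcessInfo.ClientId.UniqueProcess;
    ProcessInformation->dwThreadId  = (ULONG)ProcessInfo.ClientId.UniqueThread;
    ProcessInformation->hProcess    = ProcessInfo.ProcessHandle;
    ProcessInformation->hThread     = ProcessInfo.ThreadHandle;

    return Status;
}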