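/*
 * Load LibraryName into the address space of Proc by having that process run
 * LoadLibraryW through a PerformCallBack4 thunk, then wait for the
 * HookLibraryReady event that the loaded library is expected to signal.
 *
 * Proc        - handle of the destination process.
 * LibraryName - path of the library to load; only a cross-process pointer to
 *               it is handed over, so it must stay valid until the call returns.
 *
 * Returns the value ReadEvent() yields for the ready event after the callback,
 * or 1 when Proc/LibraryName is NULL, the event cannot be created, ReadEvent()
 * reports 0 for it on entry, or coredll.dll / LoadLibraryW cannot be resolved.
 * NOTE(review): ReadEvent()'s return convention is not visible on this page;
 * the original control flow treats its 0 as "do not inject" on entry and
 * returns its value unchanged after the wait — confirm against its definition.
 */
int InjectDLL(HANDLE Proc, wchar_t *LibraryName)
{
    DWORD result = 1;

    if (Proc == NULL || LibraryName == NULL) {
        return 1;
    }

    // Named event shared with the hook library (auto-reset, initially non-signalled).
    HANDLE hEvent = CreateEvent(NULL, FALSE, FALSE, UTASK_GLOBAL_HOOKLIB_READY_EVENT);
    if (hEvent == NULL) {
        return 1; // the original passed a NULL handle straight on to ReadEvent()
    }

    // Current HookLibraryReady state.  The original returned 1 from here without
    // closing hEvent; the handle is now released on every path below.
    if (ReadEvent(hEvent, 0) != 0) {
        HMODULE coredll = GetModuleHandle(L"coredll.dll");
        FARPROC loadLibrary = coredll ? GetProcAddress(coredll, L"LoadLibraryW") : NULL;
        if (loadLibrary != NULL) { // never hand the destination a NULL function pointer
            // Ask Proc to run LoadLibraryW(LibraryName); the function and the
            // argument are translated into Proc's view of memory first.
            CALLBACKINFO ci;
            ci.hProc = Proc;
            ci.pfn = (FARPROC)MapPtrToProcess(loadLibrary, Proc);
            ci.pvArg0 = MapPtrToProcess(LibraryName, GetCurrentProcess());
            PerformCallBack4(&ci);
            Sleep(2000);

            // Wait up to 3000 ms for the HookLibraryReady event pulse.
            result = ReadEvent(hEvent, 3000);
        }
    }

    CloseHandle(hEvent);
    return (int)result;
}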
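// Return the process id of nk.exe (the kernel process) found through a
// toolhelp snapshot, or 0 when it is not listed or the walk faults.
static DWORD FindNkExeProcessId(void)
{
    DWORD dwNKProcessId = 0;
    HANDLE snapShot = INVALID_HANDLE_VALUE;

    __try {
        snapShot = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS | TH32CS_SNAPNOHEAPS, 0);
        if (snapShot != INVALID_HANDLE_VALUE) {
            PROCESSENTRY32 processEntry;
            processEntry.dwSize = sizeof(PROCESSENTRY32);
            // Walk the process list until the kernel process shows up.
            for (BOOL ret = Process32First(snapShot, &processEntry); ret; ret = Process32Next(snapShot, &processEntry)) {
                if (lstrcmpi(processEntry.szExeFile, L"nk.exe") == 0) {
                    dwNKProcessId = processEntry.th32ProcessID;
                    break;
                }
            }
            CloseToolhelp32Snapshot(snapShot);
            snapShot = INVALID_HANDLE_VALUE;
        }
    } __except (EXCEPTION_EXECUTE_HANDLER) {
        // The walk faulted: release the snapshot if still open and report "not found".
        if (snapShot != INVALID_HANDLE_VALUE) {
            CloseToolhelp32Snapshot(snapShot);
        }
        dwNKProcessId = 0;
    }
    return dwNKProcessId;
}

/*
 * Allocate p_iSize bytes inside the kernel process (nk.exe) by having it run
 * VirtualAlloc(NULL, p_iSize, MEM_COMMIT, PAGE_EXECUTE_READWRITE) through a
 * PerformCallBack4 thunk.
 *
 * p_iSize - number of bytes to commit; values <= 0 are rejected.
 *
 * Returns the new region's address translated into the caller's view of
 * memory via MapPtrToProcess, or NULL when p_iSize is not positive, nk.exe is
 * not found or cannot be opened, VirtualAlloc cannot be resolved, or the
 * remote allocation returns 0.
 * NOTE(review): nothing on this page releases such a region; which process
 * handle the caller must use to free it should be stated by the callers.
 */
void * AllocateMemInKernelProc(int p_iSize)
{
    LPVOID pAllocated = NULL;

    if (p_iSize <= 0) {
        return NULL; // would otherwise be converted to a zero or huge DWORD size
    }

    DWORD dwNKProcessId = FindNkExeProcessId();
    if (dwNKProcessId == 0) {
        return NULL; // the original went on to OpenProcess(…, 0) when nk.exe was missing
    }

    HANDLE hNKProcess = OpenProcess(0, FALSE, dwNKProcessId);
    if (hNKProcess == NULL) {
        return NULL;
    }

    // COREDLL exports VirtualAlloc; the reference taken here is released below
    // (the original leaked one module reference per call).
    HINSTANCE hCoreDll = LoadLibrary(_T("COREDLL"));
    FARPROC pfnVirtualAlloc = hCoreDll ? GetProcAddress(hCoreDll, L"VirtualAlloc") : NULL;
    if (pfnVirtualAlloc != NULL) {
        CALLBACKINFO cbi;
        cbi.m_hDestinationProcessHandle = hNKProcess;
        cbi.m_pFunction = (FARPROC)MapPtrToProcess(pfnVirtualAlloc, hNKProcess);
        cbi.m_pFirstArgument = (LPVOID)0;          // lpAddress: let the kernel choose
        DWORD dwParam2 = (DWORD)p_iSize;           // dwSize
        DWORD dwParam3 = MEM_COMMIT;               // flAllocationType
        // NOTE(review): this requests pages that are writable and executable at
        // once; if callers only store data in the region, PAGE_READWRITE would be
        // the narrower protection — confirm against the callers before changing.
        DWORD dwParam4 = PAGE_EXECUTE_READWRITE;   // flProtect
        // PerformCallBack4 hands back VirtualAlloc's result in nk.exe: the
        // region's address in that process, or 0 on failure (the original
        // comment claimed "1 if correctly executed", which the next line contradicts).
        DWORD dwPtr = PerformCallBack4(&cbi, dwParam2, dwParam3, dwParam4);
        if (dwPtr != 0) {
            pAllocated = MapPtrToProcess((LPVOID)dwPtr, hNKProcess);
        }
    }

    if (hCoreDll != NULL) {
        FreeLibrary(hCoreDll);
    }
    CloseHandle(hNKProcess);
    return pAllocated;
}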
// Load FingerSuiteDll.dll into the process that serves the SH_WMGR API set and
// start its hook from inside that process.  Only the first call does any work;
// the result is TRUE unless the callbacks raise an exception.
// NOTE(review): the listing is truncated on this page — the function's final
// return statement and closing brace are not visible, so the exact return
// path (presumably `return bResult;`) cannot be confirmed here.
BOOL InstallHook()
{
    // Once-only guard.  NOTE(review): nothing on this page ever decrements
    // s_lCount, so a first attempt that fails is never retried.
    static long s_lCount = 0;
    if (InterlockedIncrement(&s_lCount) > 1) {
        // no need to install again
        return TRUE;
    }
    BOOL bResult = TRUE;
    if (m_hDestProcess == NULL) {
        int iAPISetId = SH_WMGR;
        DWORD dwOldPermissions = 0;
        // Elevate: kernel mode plus access to every process; restored below.
        SetKMode(TRUE);
        dwOldPermissions = SetProcPermissions(-1);
        __try {
            // Destination = the server process registered for the SH_WMGR API set.
            CINFO ** pSystemAPISets = (CINFO**)(UserKInfo[KINX_APISETS]);
            m_hDestProcess = pSystemAPISets[iAPISetId]->m_pProcessServer->hProc;
            // First callback: LoadLibraryW(L"\\Windows\\FingerSuiteDll.dll") run inside
            // the destination process.  The GetProcAddress result is not NULL-checked.
            CALLBACKINFO cbi;
            ZeroMemory(&cbi, sizeof(CALLBACKINFO));
            cbi.m_hDestinationProcessHandle = m_hDestProcess;
            cbi.m_pFunction = (FARPROC)MapPtrToProcess(GetProcAddress(GetModuleHandle(L"COREDLL"), L"LoadLibraryW"), m_hDestProcess);
            cbi.m_pFirstArgument = (LPVOID)MapPtrToProcess(L"\\Windows\\FingerSuiteDll.dll", GetCurrentProcess());
            m_hDllInst = (HINSTANCE)PerformCallBack4(&cbi, 0,0,0); //returns the HINSTANCE from LoadLibraryW
            Sleep(1000);
            // Second callback: StartHookOnServer() run in the destination process.
            // NOTE(review): m_hDllInst was produced in the *destination* process; passing
            // it to GetProcAddress here presumes the DLL is mapped at the same address
            // in both processes — confirm.  The result stored in dw is never checked.
            ZeroMemory(&cbi, sizeof(CALLBACKINFO));
            cbi.m_hDestinationProcessHandle = m_hDestProcess;
            cbi.m_pFunction = (FARPROC)MapPtrToProcess(GetProcAddress(m_hDllInst, L"StartHookOnServer"), m_hDestProcess);
            cbi.m_pFirstArgument = NULL;
            DWORD dw = PerformCallBack4(&cbi, 0,0,0); //returns 1 if correctly executed
            Sleep(1000);
        } __except(FilterException(GetExceptionInformation())) {
            bResult = FALSE;
        }
        // NOTE(review): a previous permission value of exactly 0 is not restored by this guard.
        if(dwOldPermissions) {
            SetProcPermissions(dwOldPermissions);
        }
        SetKMode(FALSE);
    }
    // NOTE(review): listing ends here — the return statement and the function's
    // closing brace are not on this page.
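// Print every system API set table entry through DEBUGMSG.  The table comes
// from the caller and may contain NULL slots, which are reported and skipped.
static void DumpApiSets(CINFO **SystemAPISets)
{
    for (int i = 0; i < NUM_SYSTEM_SETS; i++) {
        DEBUGMSG(1, (L"SystemAPISets[%d]:\n", i));
        DEBUGMSG(1, (L"API set: %s\n", getApiName(i)));
        if (SystemAPISets[i] == 0) {
            DEBUGMSG(1, (L" NULL\n"));
            continue;
        }
        DEBUGMSG(1, (L" acName: %S\n", SystemAPISets[i]->acName)); // %S (capital S): acName is char*
        DEBUGMSG(1, (L" cMethods: %d\n", SystemAPISets[i]->cMethods));
        DEBUGMSG(1, (L" handle type: %i\n", SystemAPISets[i]->type));
        DEBUGMSG(1, (L" disp type: %s\n", getDispType(SystemAPISets[i]->disp)));
        DEBUGMSG(1, (L"\n"));
    }
}

// Resolve the API set / method addressed by FAULT_ADDR, validate it, and load
// TestApiSetHookDll.dll into that set's server process so PerformHook can run
// there.  Always returns 0 (the original reported every outcome through
// DEBUGMSG and exit code 0).  Kernel mode and process permissions are the
// caller's responsibility.
static int HookApiSetServer(CINFO **SystemAPISets)
{
    DWORD Tmp = (FIRST_METHOD - FAULT_ADDR) / APICALL_SCALE;
    DWORD ApiSet = (Tmp >> HANDLE_SHIFT) & HANDLE_MASK;
    DWORD Method = Tmp & METHOD_MASK;

    // Validate before indexing.  SystemAPISets holds NUM_SYSTEM_SETS entries
    // (see the dump loop), so ApiSet == NUM_SYSTEM_SETS is already out of
    // range; the original test used '>' and let that index through.
    if (ApiSet >= NUM_SYSTEM_SETS) {
        DEBUGMSG(1, (L"Invalid ApiSet\n"));
        return 0;
    }
    if (SystemAPISets[ApiSet] == 0) {
        DEBUGMSG(1, (L"Invalid ApiSet\n"));
        return 0;
    }
    if (SystemAPISets[ApiSet]->cMethods <= Method) {
        DEBUGMSG(1, (L"Invalid method number\n"));
        return 0;
    }
    // Only hooks that are processed inside a server process (filesys.exe and similar) are supported.
    if (SystemAPISets[ApiSet]->pServer == 0) {
        DEBUGMSG(1, (L"Calls with pServer==0 are not supported\n"));
        return 0;
    }

    // Server process of the API set: the hook DLL is loaded there.
    HANDLE Proc = SystemAPISets[ApiSet]->pServer->hProc;

    // Stage 1: have the server process run LoadLibraryW on the hook DLL.
    void *t = GetProcAddress(GetModuleHandle(L"coredll.dll"), L"LoadLibraryW");
    if (t == 0) {
        DEBUGMSG(1, (L"Unable to resolve LoadLibraryW\n")); // original handed a NULL pfn to the callback
        return 0;
    }
    CALLBACKINFO ci;
    ci.hProc = Proc;
    ci.pfn = (FARPROC)MapPtrToProcess(t, Proc);
    ci.pvArg0 = MapPtrToProcess(L"TestApiSetHookDll.dll", GetCurrentProcess());
    PerformCallBack4(&ci);
    Sleep(1000); // allow PerformCallBack4 to finish before going on; better: enumerate loaded DLLs or use events

    // Stage 2: a VS2005b1 bug keeps DllMain from running in the injected DLL,
    // so load it here as well and call PerformHook in the server process
    // ourselves.  This relies on DLLs being mapped at the same address in
    // every process.
    HMODULE Hm = LoadLibrary(L"TestApiSetHookDll.dll");
    void *Fn = GetProcAddress(Hm, L"PerformHook");
    if (Hm == 0 || Fn == 0) {
        DEBUGMSG(1, (L"Unable to load library\n"));
        if (Hm != 0) {
            FreeLibrary(Hm); // original leaked Hm when only GetProcAddress failed
        }
        return 0;
    }
    ci.hProc = Proc;
    ci.pfn = (FARPROC)MapPtrToProcess(Fn, Proc);
    ci.pvArg0 = Proc; // pass the hooked process handle so the callee can check it runs in that process
    PerformCallBack4(&ci);
    Sleep(3000);
    DEBUGMSG(1, (L"exit\n"));
    MessageBox(GetForegroundWindow(), L"CreateFileW hooked!", L"Done", 0);
    FreeLibrary(Hm);
    return 0;
}

// Entry point: dump the system API set table, then install the hook in the
// server process that handles FAULT_ADDR.  Kernel mode and all-process
// permissions are needed to read KData and to call into another process; both
// are restored before returning (the original left them elevated on exit).
int _tmain(int argc, _TCHAR* argv[])
{
    (void)argc;
    (void)argv;

    BOOL bMode = SetKMode(TRUE);
    DWORD dwPerm = SetProcPermissions(0xFFFFFFFF);

    CINFO **SystemAPISets = (CINFO **)KData.aInfo[KINX_APISETS];
    DumpApiSets(SystemAPISets);
    int rc = HookApiSetServer(SystemAPISets);

    SetProcPermissions(dwPerm);
    SetKMode(bMode);
    return rc;
}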
DWORD ThreadForTx(PSPI_PUBLIC_CONTEXT pSpiPublic) { volatile S3C2450_HSSPI_REG *pSPIregs = pSpiPublic->pHSSPIregs; // for HS-SPI volatile S3C2450_INTR_REG *pINTRregs = pSpiPublic->pINTRregs; volatile S3C2450_DMA_REG *pDMAregs = pSpiPublic->pDMAregs; PSPI_PRIVATE_CONTEXT pSpiPrivate; DWORD dwTxCount; PBYTE pTxBuffer; DWORD dwOldPerm; PBYTE pTestBuffer; DWORD dwTestCount; do { WaitForSingleObject(pSpiPublic->hTxEvent, INFINITE); pSpiPrivate = (PSPI_PRIVATE_CONTEXT) pSpiPublic->pSpiPrivate; dwTestCount = dwTxCount = pSpiPrivate->dwTxCount; dwOldPerm = SetProcPermissions((DWORD)-1); pTestBuffer = pTxBuffer = (PBYTE) MapPtrToProcess(pSpiPrivate->pTxBuffer, (HANDLE) GetCurrentProcessId()); RETAILMSG(1,(TEXT("pTxBuffer : 0x%X, dwTxCount : %d \r\n"), pTxBuffer, dwTxCount)); //Reset pSPIregs->CH_CFG |= SW_RST; RETAILMSG(1,(TEXT("\n HS SPI reset\n"))); pSPIregs->CH_CFG &= ~SW_RST; if(pSpiPrivate->bUseTxIntr) // INT + TX { RETAILMSG(1,(TEXT("[HSPI DD] Thread for TX : USE INT \r\n"))); pSpiPrivate->State = STATE_TXINTR; /* if(pSpiPrivate->dwMode == SPI_MASTER_MODE) { pSPIregs->CH_CFG = 0x0; pSPIregs->CLK_CFG = pSpiPrivate->TxSPIregs.CLK_CFG; pSPIregs->MODE_CFG = (TX_TRIG_LEVEL<<5); } else { pSPIregs->CH_CFG = (0x1<<4); pSPIregs->CLK_CFG = pSpiPrivate->TxSPIregs.CLK_CFG; pSPIregs->MODE_CFG = (TX_TRIG_LEVEL<<5); } pSPIregs->SP_INT_EN = (1<<0); pSPIregs->PENDING_CLR_REG = (0x1f); pSPIregs->CH_CFG = (1<<0); if(pSpiPrivate->dwMode == SPI_MASTER_MODE) { RETAILMSG(1,(TEXT("[HSPI DD] Thread for TX : MASTER MODE \r\n"))); pSPIregs->SLAVE_SELECTION_REG = 0; } else{ RETAILMSG(1,(TEXT("[HSPI DD] Thread for TX : SLAVE MODE \r\n"))); } WaitForSingleObject(pSpiPublic->hTxIntrDoneEvent, INFINITE); while(((pSPIregs ->SPI_STATUS>>6) & 0x7f)); while(!((pSPIregs ->SPI_STATUS>>21) & 0x1)); */ } else if(pSpiPrivate->bUseTxDMA) // DMA + TX { DWORD dwDmaLen = dwTxCount & 0xFFFFF ; RETAILMSG(1,(TEXT("[HSPI DD] Thread for TX : USE DMA (TxCount : %d) \r\n"),dwDmaLen)); pSpiPrivate->State = STATE_TXDMA; 
VirtualCopy((PVOID)pSpiPrivate->pTxBuffer, (PVOID)((ULONG) pSpiPrivate->pTxDMABuffer>>8), sizeof(dwTxCount), PAGE_READWRITE | PAGE_NOCACHE | PAGE_PHYSICAL); if(pSpiPrivate->dwMode == SPI_MASTER_MODE) { pSPIregs->CH_CFG = pSpiPrivate->TxSPIregs.CH_CFG; pSPIregs->CLK_CFG = pSpiPrivate->TxSPIregs.CLK_CFG; pSPIregs->MODE_CFG = pSpiPrivate->TxSPIregs.MODE_CFG; }else { pSPIregs->CH_CFG = pSpiPrivate->TxSPIregs.CH_CFG; pSPIregs->CLK_CFG = pSpiPrivate->TxSPIregs.CLK_CFG; pSPIregs->MODE_CFG = pSpiPrivate->TxSPIregs.MODE_CFG; } if(dwDmaLen > 0) { pSPIregs->MODE_CFG |= TX_DMA_ON|DMA_SINGLE; pSPIregs->CH_CFG |= TX_CH_ON; pDMAregs->DISRC4 = (UINT)pSpiPrivate->pTxDMABuffer; pDMAregs->DISRCC4 = ~(DESTINATION_PERIPHERAL_BUS | FIXED_DESTINATION_ADDRESS); pDMAregs->DIDST4 = (UINT)SPI_TX_DATA_PHY_ADDR; pDMAregs->DIDSTC4 = (SOURCE_PERIPHERAL_BUS | FIXED_SOURCE_ADDRESS); // pDMAregs->DCON4 = HANDSHAKE_MODE |GENERATE_INTERRUPT |PADDRFIX |NO_DMA_AUTO_RELOAD | dwDmaLen; pDMAregs->DCON4 = HANDSHAKE_MODE |GENERATE_INTERRUPT |NO_DMA_AUTO_RELOAD | dwDmaLen; pDMAregs->DMAREQSEL4 = ( DMAREQSEL_SPI_0TX | DMA_TRIGGERED_BY_HARDWARE ); if(pSpiPrivate->dwMode == SPI_MASTER_MODE) { RETAILMSG(1,(TEXT("[HSPI DD] Thread for TX : MASTER MODE \r\n"))); MASTER_CS_ENABLE; } else { RETAILMSG(1,(TEXT("[HSPI DD] Thread for TX : SLAVE MODE \r\n"))); } pDMAregs->DMASKTRIG4 = ENABLE_DMA_CHANNEL; WaitForSingleObject(pSpiPublic->hTxDmaDoneDoneEvent, INFINITE); pSpiPrivate->dwTxCount -= dwDmaLen; pSpiPrivate->pTxBuffer = (((PUINT) pSpiPrivate->pTxBuffer) + dwDmaLen); } VirtualFree((PVOID)pTxBuffer, 0, MEM_RELEASE); while(((pSPIregs ->SPI_STATUS>>6) & 0x7f)); while(!(pSPIregs ->SPI_STATUS & TX_DONE)); } else // POLLING + TX { RETAILMSG(1,(TEXT("[HSPI DD] Thread for TX : USE Polling (TxCount : %d) \r\n"), dwTxCount)); if(pSpiPrivate->dwMode == SPI_MASTER_MODE) { pSPIregs->CH_CFG = pSpiPrivate->TxSPIregs.CH_CFG; pSPIregs->CLK_CFG = pSpiPrivate->TxSPIregs.CLK_CFG; pSPIregs->MODE_CFG = pSpiPrivate->TxSPIregs.MODE_CFG; } 
else{ pSPIregs->CH_CFG = pSpiPrivate->TxSPIregs.CH_CFG; pSPIregs->CLK_CFG = pSpiPrivate->TxSPIregs.CLK_CFG; pSPIregs->MODE_CFG = pSpiPrivate->TxSPIregs.MODE_CFG; } pSPIregs->CH_CFG |= TX_CH_ON; if(pSpiPrivate->dwMode == SPI_MASTER_MODE) { RETAILMSG(1,(TEXT("[HSPI DD] Thread for TX : MASTER MODE \r\n"))); MASTER_CS_ENABLE; } else { RETAILMSG(1,(TEXT("[HSPI DD] Thread for TX : SLAVE MODE \r\n"))); } do { while(((pSPIregs ->SPI_STATUS>>6) & 0x7f)==FIFO_FULL); pSPIregs->SPI_TX_DATA = *(PBYTE)pSpiPrivate->pTxBuffer; } while(--pSpiPrivate->dwTxCount > 0 && ++(PBYTE)pSpiPrivate->pTxBuffer); while(((pSPIregs ->SPI_STATUS>>6) & 0x7f)); while(!(pSPIregs ->SPI_STATUS & TX_DONE)); } pSpiPrivate->dwTxCount = dwTestCount - pSpiPrivate->dwTxCount; #ifdef TEST_MODE do { RETAILMSG(1,(TEXT("WRITE BYTE : %02X(dwTxCount : %d)\n"), *pTestBuffer, dwTestCount)); } while( (--dwTestCount > 0) && ++pTestBuffer); #endif RETAILMSG(FALSE,(TEXT("[HSPI DD] TX_CH_OFF \n"))); pSPIregs->CH_CFG &= ~TX_CH_ON; if(pSpiPrivate->dwMode == SPI_MASTER_MODE) MASTER_CS_DISABLE; UnMapPtr(pTxBuffer); SetProcPermissions(dwOldPerm); SetEvent(pSpiPublic->hTxDoneEvent); } while(TRUE);