Exemple #1
0
BOOL WINAPI DllMain(HINSTANCE hinst, DWORD dwReason, LPVOID reserved)
{
    (void)hinst;
    (void)reserved;

    if (dwReason == DLL_PROCESS_ATTACH) {
#if defined(USE_SYELOG)
		// open log
		SyelogOpen("clcoffee", SYELOG_FACILITY_APPLICATION);
#endif

		// get xorvalue && filename
		const char* xorvalueStr = getenv("CLCOFFEE_VALUE");
		const char* fileStr = getenv("CLCOFFEE_FILE");

		if (xorvalueStr && fileStr) {
			XORVALUE = hex2dec(xorvalueStr[0])*16 + hex2dec(xorvalueStr[1]);
			SOURCEFILE = cstr2wstr(fileStr);
		}

#if defined(USE_SYELOG)
		// open log
		Syelog(SYELOG_SEVERITY_INFORMATION, "XORVALUE: 0x%X, SOURCEFILE: %ls\n", XORVALUE, SOURCEFILE);
#endif

		// detour it
		Mhook_SetHook((PVOID*)&Real_CreateFileW, Mine_CreateFileW);
		Mhook_SetHook((PVOID*)&Real_ReadFile, Mine_ReadFile);
		Mhook_SetHook((PVOID*)&Real_CloseHandle, Mine_CloseHandle);

#if defined(USE_SYELOG)
		if (error == NO_ERROR) {
			Syelog(SYELOG_SEVERITY_INFORMATION, "Detoured ok: %d\n", error);
		} else {
			Syelog(SYELOG_SEVERITY_INFORMATION, "Error detouring: %d\n", error);
        }
#endif
    }
    else if (dwReason == DLL_PROCESS_DETACH) {
		Mhook_Unhook((PVOID*)&Real_CreateFileW);
		Mhook_Unhook((PVOID*)&Real_ReadFile);
		Mhook_Unhook((PVOID*)&Real_CloseHandle);

		free(SOURCEFILE);
		SOURCEFILE = 0;

#if defined(USE_SYELOG)
		Syelog(SYELOG_SEVERITY_INFORMATION, "Removed detour: %d\n", error);

		SyelogClose(FALSE);
#endif
    }
    return TRUE;
}
Exemple #2
0
//=========================================================================
// This is where the work gets done.
//
int wmain(int argc, WCHAR* argv[])
{
	HANDLE hProc = NULL;

	// Set the hook
	if (Mhook_SetHook((PVOID*)&TrueNtOpenProcess, HookNtOpenProcess)) {
		// Now call OpenProcess and observe NtOpenProcess being redirected
		// under the hood.
		hProc = OpenProcess(PROCESS_ALL_ACCESS, 
			FALSE, GetCurrentProcessId());
		if (hProc) {
			printf("Successfully opened self: %p\n", hProc);
			CloseHandle(hProc);
		} else {
			printf("Could not open self: %d\n", GetLastError());
		}
		// Remove the hook
		Mhook_Unhook((PVOID*)&TrueNtOpenProcess);
	}

	// Call OpenProces again - this time there won't be a redirection as
	// the hook has bee removed.
	hProc = OpenProcess(PROCESS_ALL_ACCESS, FALSE, GetCurrentProcessId());
	if (hProc) {
		printf("Successfully opened self: %p\n", hProc);
		CloseHandle(hProc);
	} else {
		printf("Could not open self: %d\n", GetLastError());
	}

	// Test another hook, this time in SelectObject
	// (SelectObject is interesting in that on XP x64, the second instruction
	// in the trampoline uses IP-relative addressing and we need to do some
	// extra work under the hood to make things work properly. This really
	// is more of a test case rather than a demo.)
	if (Mhook_SetHook((PVOID*)&TrueSelectObject, HookSelectobject)) {
		// error checking omitted for brevity. doesn't matter much 
		// in this context anyway.
		HDC hdc = GetDC(NULL);
		HDC hdcMem = CreateCompatibleDC(hdc);
		HBITMAP hbm = CreateCompatibleBitmap(hdc, 32, 32);
		HBITMAP hbmOld = (HBITMAP)SelectObject(hdcMem, hbm);
		SelectObject(hdcMem, hbmOld);
		DeleteObject(hbm);
		DeleteDC(hdcMem);
		ReleaseDC(NULL, hdc);
		// Remove the hook
		Mhook_Unhook((PVOID*)&TrueSelectObject);
	}

	return 0;
}
Exemple #3
0
BOOL WINAPI DllMain(HINSTANCE hinstDLL,		// handle to DLL module
					DWORD fdwReason,		// reason for calling function
					LPVOID lpReserved)		// reserved
{
    // Perform actions based on the reason for calling.
    switch (fdwReason) 
    { 
        case DLL_PROCESS_ATTACH:
         // Initialize once for each new process.
         // Return FALSE to fail DLL load.
			m_fptr = fopen("C:\\HelloQQ.txt", "a");
			Mhook_SetHook((PVOID*)&TrueGetStatus, HookGetStatus);
            break;

        case DLL_PROCESS_DETACH:
         // Perform any necessary cleanup.
			if (m_fptr) 
			{
				fclose(m_fptr);
				m_fptr = NULL;
			}
			Mhook_Unhook((PVOID*)&TrueGetStatus);
            break;
    }
    return TRUE;  // Successful DLL_PROCESS_ATTACH.
}
Exemple #4
0
//=========================================================================
// This is where the work gets done.
//
int _tmain(int argc, WCHAR* argv[])
{
	HANDLE hProc = NULL;
	TrueNtOpenProcess = (_NtOpenProcess)GetProcAddress(GetModuleHandleW(L"ntdll"), "NtOpenProcess");
	// Set the hook
	if (Mhook_SetHook((PVOID *)&TrueNtOpenProcess, HookNtOpenProcess)) {
		// Now call OpenProcess and observe NtOpenProcess being redirected
		// under the hood.
		hProc = OpenProcess(PROCESS_ALL_ACCESS, 
			FALSE, GetCurrentProcessId());
		if (hProc) {
			printf("Successfully opened self: %p\n", hProc);
			CloseHandle(hProc);
		} else {
			printf("Could not open self: %lu\n", GetLastError());
		}
	}
	else
	{
		printf("Mhook_SetHook false\n");
	}
	// Call OpenProces again - this time there won't be a redirection as
	// the hook has bee removed.
	hProc = OpenProcess(PROCESS_ALL_ACCESS, FALSE, 2624);
	if (hProc) {
		printf("Successfully opened self: %p\n", hProc);
		CloseHandle(hProc);
	} else {
		printf("Could not open self: %lu\n", GetLastError());
	}
	getchar();
	// Remove the hook
	Mhook_Unhook((PVOID*)&TrueNtOpenProcess);
	return 0;
}
Exemple #5
0
void jmp_end(void)
{
	if (TrueSetUnhandledExceptionFilter)
	{
		Mhook_Unhook((PVOID*)&TrueSetUnhandledExceptionFilter);
	}
	return;
}
BOOL APIENTRY DllMain( HMODULE hModule, DWORD  ul_reason_for_call, LPVOID lpReserved){
	wchar_t *pos = NULL;
	wchar_t pathToExe[MAX_PATH];
	switch (ul_reason_for_call){
	case DLL_PROCESS_ATTACH:
		// get the path to this dll, log file will be saved as <PATH>\Application.exe.txt
		// so each application will have it's own log file
		GetModuleFileNameW((HINSTANCE)&__ImageBase, pathToLog, MAX_PATH); 
		// currently i don't really care about actuall path being longer than MAX_PATH
		pos = wcsrchr(pathToLog,'\\');
		*++pos = '\0';
		pos = NULL;
		if(GetModuleFileName(NULL,pathToExe,MAX_PATH)){
			pos = wcsrchr(pathToExe,'\\');
			*++pos;
		}
		if(pos != NULL){
			wcscat_s(pathToLog,MAX_PATH,pos);
			wcscat_s(pathToLog,MAX_PATH,L".txt");
		}else{ // clumsy , i know 
			wcscat_s(pathToLog,MAX_PATH,L"winscard.txt");
		}
		// place all needed hooks
		Mhook_SetHook((PVOID*)&OrigLoadLibraryA, HookedLoadLibraryA);
		Mhook_SetHook((PVOID*)&OrigLoadLibraryW, HookedLoadLibraryW);
		Mhook_SetHook((PVOID*)&OrigLoadLibraryExW, HookedLoadLibraryExW);
		Mhook_SetHook((PVOID*)&OrigLoadLibraryExA, HookedLoadLibraryExA);
		break;
	case DLL_PROCESS_DETACH:
		Mhook_Unhook((PVOID*)&OrigLoadLibraryA);
		Mhook_Unhook((PVOID*)&OrigLoadLibraryW);
		Mhook_Unhook((PVOID*)&OrigLoadLibraryExA);
		Mhook_Unhook((PVOID*)&OrigLoadLibraryExW);
		if(ALREADY_HOOKED){
			//unhook winscard too
			Mhook_Unhook((PVOID*)&OrigSCardTransmit);
			ALREADY_HOOKED = false;
		}
		break;
	}
	return TRUE;
}
Exemple #7
0
void safe_end(void)
{
	if (TrueLoadLibraryExW)
	{
		Mhook_Unhook((PVOID*)&TrueLoadLibraryExW);
	}
	if (TrueCreateProcessInternalW)
	{
		Mhook_Unhook((PVOID*)&TrueCreateProcessInternalW);
	}
	if (TrueNtCreateUserProcess)
	{
		Mhook_Unhook((PVOID*)&TrueNtCreateUserProcess);
	}
	if (TrueNtWriteVirtualMemory)
	{
		Mhook_Unhook((PVOID*)&TrueNtWriteVirtualMemory);
	}
	return;
}
void UninstallHooks()
{
    BOOL failed = false;

    for(size_t i = 0; i < g_FunctionsCount; ++i)
    {
        if (g_Functions[i].OriginalFunction)
            failed = failed || !Mhook_Unhook(g_Functions[i].OriginalFunction);
    }

    if (failed)
        throw std::runtime_error("UninstallHooks was failed to remove one or more hooks");
}
Exemple #9
0
bool Hook::unsetHook()
{
	BOOL unHookResult;
	int count = 0, max = 3;
	do
	{
		if (count == max)
			break;
		else
			unHookResult = Mhook_Unhook((PVOID*)&this->TrueCreateFile);
		++count;
	} while ((!unHookResult));
	return unHookResult;
}
Exemple #10
0
BOOL WINAPI DllMain(
    __in HINSTANCE  hInstance,
    __in DWORD      Reason,
    __in LPVOID     Reserved
    )
{        
    switch (Reason)
    {
    case DLL_PROCESS_ATTACH:
        //Mhook_SetHook((PVOID*)&OriginalNtQuerySystemInformation, HookedNtQuerySystemInformation);
		Mhook_SetHook((PVOID*)&loclTimeFun, HookedLocalTime);
		Mhook_SetHook((PVOID*)&fileTimeFun,HookedFileTime);
        break;

    case DLL_PROCESS_DETACH:
        //Mhook_Unhook((PVOID*)&OriginalNtQuerySystemInformation);
		Mhook_Unhook((PVOID*)&loclTimeFun);
		Mhook_Unhook((PVOID*)&fileTimeFun);
        break;
    }

    return TRUE;
}
Exemple #11
0
/* uninstall hook and clean up */
void WINAPI undo_it(void)
{
	if (ff_info.atom_str)
	{
		UnregisterHotKey(NULL, ff_info.atom_str);
		GlobalDeleteAtom(ff_info.atom_str);
	}
	if (TrueSHGetFolderPathW)
	{
		Mhook_Unhook((PVOID*)&TrueSHGetFolderPathW);
	}
    if (TrueSHGetSpecialFolderPathW)
    {
        Mhook_Unhook((PVOID*)&TrueSHGetSpecialFolderPathW);
    }
	if (TrueSHGetSpecialFolderLocation)
	{
		Mhook_Unhook((PVOID*)&TrueSHGetSpecialFolderLocation);
	}
	jmp_end();
	safe_end();
	return;
}
void UnhookCrypt() {
  if (gCryptHooked) {
    Mhook_Unhook((PVOID*)&SavedCryptGenKey);
  }
}
 BOOL Mhook_UnhookEx(PVOID ppHookedFunction) {
         PVOID * p = ppHookedFunction == NULL ? NULL : (PVOID*)&ppHookedFunction;
         return Mhook_Unhook(p);
 }
Exemple #14
0
SmileyCreateHook::~SmileyCreateHook(void)
{
    Mhook_Unhook((PVOID*)&TrueProgIDFromCLSID);
    Mhook_Unhook((PVOID*)&TrueCoCreateInstance);

}