/*
 * DllMain - entry point of the hooking DLL.
 *
 * On DLL_PROCESS_ATTACH it installs hooks on CreateProcessA/W (kernel32)
 * and ZwQuerySystemInformation (ntdll); on DLL_PROCESS_DETACH it removes
 * them again. The HideProc2.exe host process is deliberately left alone,
 * matched case-insensitively on the base name of the host executable.
 *
 * hinstDLL and lpvReserved are unused. Always returns TRUE.
 *
 * NOTE(review): DllMain runs under the loader lock, so everything done here
 * (token adjustment, code patching) should stay minimal. The hook helpers
 * are project-defined; presumably they rewrite the prologue of the target
 * exports in this process, which an in-memory vs on-disk prologue
 * comparison would reveal. Their return values are not checked here, as in
 * the original.
 */
BOOL WINAPI DllMain(HINSTANCE hinstDLL, DWORD fdwReason, LPVOID lpvReserved)
{
    char szHostPath[MAX_PATH] = {0,};
    const char *pszBaseName = NULL;

    (void)hinstDLL;
    (void)lpvReserved;

    // Resolve the host executable's full path and keep only the file name
    // part (text after the last backslash) for the exclusion check.
    GetModuleFileNameA(NULL, szHostPath, MAX_PATH);
    pszBaseName = strrchr(szHostPath, '\\');
    if (pszBaseName != NULL) {
        if (_stricmp(pszBaseName + 1, "HideProc2.exe") == 0) {
            // The controller process itself is never hooked.
            return TRUE;
        }
    }

    // Requested on every reason code (thread attach/detach included), exactly
    // as the original did. SetPrivilege is project-defined; its result is
    // ignored.
    SetPrivilege(SE_DEBUG_NAME, TRUE);

    if (fdwReason == DLL_PROCESS_ATTACH) {
        // Install the hooks. g_pOrgZwQSI receives the saved original bytes /
        // trampoline for the ntdll hook (owned elsewhere in the file).
        hook_by_hotpatch("kernel32.dll", "CreateProcessA", (PROC)NewCreateProcessA);
        hook_by_hotpatch("kernel32.dll", "CreateProcessW", (PROC)NewCreateProcessW);
        hook_by_code("ntdll.dll", "ZwQuerySystemInformation", (PROC)NewZwQuerySystemInformation, g_pOrgZwQSI);
    } else if (fdwReason == DLL_PROCESS_DETACH) {
        // Restore the original code on unload, in the same order they were set.
        unhook_by_hotpatch("kernel32.dll", "CreateProcessA");
        unhook_by_hotpatch("kernel32.dll", "CreateProcessW");
        unhook_by_code("ntdll.dll", "ZwQuerySystemInformation", g_pOrgZwQSI);
    }

    return TRUE;
}
/*
 * DllMain - entry point of the (earlier, simpler) hooking DLL variant.
 *
 * Installs hotpatch hooks on CreateProcessA/W in kernel32 on
 * DLL_PROCESS_ATTACH and removes them on DLL_PROCESS_DETACH. Unlike the
 * fuller variant on this page it has no host-process exclusion and does not
 * touch ZwQuerySystemInformation.
 *
 * hinstDLL and lpvReserved are unused. Always returns TRUE.
 *
 * NOTE(review): runs under the loader lock. SetPrivilege and the
 * hook/unhook helpers are project-defined and their results are not
 * checked, matching the original.
 */
BOOL WINAPI DllMain(HINSTANCE hinstDLL, DWORD fdwReason, LPVOID lpvReserved)
{
    (void)hinstDLL;
    (void)lpvReserved;

    // Performed unconditionally on every reason code, as in the original.
    SetPrivilege(SE_DEBUG_NAME, TRUE);

    switch (fdwReason) {
    case DLL_PROCESS_ATTACH:
        // Install the CreateProcess hooks.
        hook_by_hotpatch("kernel32.dll", "CreateProcessA", (PROC)NewCreateProcessA);
        hook_by_hotpatch("kernel32.dll", "CreateProcessW", (PROC)NewCreateProcessW);
        break;
    case DLL_PROCESS_DETACH:
        // Restore the original entry points on unload.
        unhook_by_hotpatch("kernel32.dll", "CreateProcessA");
        unhook_by_hotpatch("kernel32.dll", "CreateProcessW");
        break;
    default:
        // DLL_THREAD_ATTACH / DLL_THREAD_DETACH: nothing to do.
        break;
    }

    return TRUE;
}