HOOKDEF(HWND, WINAPI, FindWindowW,
__in_opt LPWSTR lpClassName,
__in_opt LPWSTR lpWindowName
) {
HWND ret = Old_FindWindowW(lpClassName, lpWindowName);
if(((DWORD_PTR) lpClassName & 0xffff) == (DWORD_PTR) lpClassName) {
LOQ("lu", "ClassName", lpClassName, "WindowName", lpWindowName);
}
else {
LOQ("uu", "ClassName", lpClassName, "WindowName", lpWindowName);
}
return ret;
}
HOOKDEF(HWND, WINAPI, FindWindowA,
__in_opt LPCTSTR lpClassName,
__in_opt LPCTSTR lpWindowName
) {
// The atom must be in the low-order word of lpClassName;
// the high-order word must be zero (from MSDN documentation.)
HWND ret = Old_FindWindowA(lpClassName, lpWindowName);
if(((DWORD_PTR) lpClassName & 0xffff) == (DWORD_PTR) lpClassName) {
LOQ("ls", "ClassName", lpClassName, "WindowName", lpWindowName);
}
else {
LOQ("ss", "ClassName", lpClassName, "WindowName", lpWindowName);
}
return ret;
}
HOOKDEF(NTSTATUS, WINAPI, NtClose,
__in HANDLE Handle
) {
NTSTATUS ret = Old_NtClose(Handle);
LOQ("p", "Handle", Handle);
return ret;
}
HOOKDEF(int, WSAAPI, closesocket,
__in SOCKET s
) {
int ret = Old_closesocket(s);
LOQ("p", "socket", s);
return ret;
}
HOOKDEF(NTSTATUS, WINAPI, RtlCreateUserThread,
IN HANDLE ProcessHandle,
IN PSECURITY_DESCRIPTOR SecurityDescriptor OPTIONAL,
IN BOOLEAN CreateSuspended,
IN ULONG StackZeroBits,
IN OUT PULONG StackReserved,
IN OUT PULONG StackCommit,
IN PVOID StartAddress,
IN PVOID StartParameter OPTIONAL,
OUT PHANDLE ThreadHandle,
OUT PCLIENT_ID ClientId
) {
ENSURE_CLIENT_ID(ClientId);
NTSTATUS ret = Old_RtlCreateUserThread(ProcessHandle, SecurityDescriptor,
CreateSuspended, StackZeroBits, StackReserved, StackCommit,
StartAddress, StartParameter, ThreadHandle, ClientId);
LOQ("plppPl", "ProcessHandle", ProcessHandle,
"CreateSuspended", CreateSuspended, "StartAddress", StartAddress,
"StartParameter", StartParameter, "ThreadHandle", ThreadHandle,
"ThreadIdentifier", ClientId->UniqueThread);
if(NT_SUCCESS(ret)) {
pipe("PROCESS:0,%d", ClientId->UniqueThread);
disable_sleep_skip();
}
return ret;
}
HOOKDEF(NTSTATUS, WINAPI, NtDelayExecution,
__in BOOLEAN Alertable,
__in PLARGE_INTEGER DelayInterval
) {
NTSTATUS ret = 0;
// do we want to skip this sleep?
if(sleep_skip_active != 0) {
FILETIME ft; LARGE_INTEGER li;
GetSystemTimeAsFileTime(&ft);
li.HighPart = ft.dwHighDateTime;
li.LowPart = ft.dwLowDateTime;
// check if we're still within the hardcoded limit
if(li.QuadPart < time_start.QuadPart + MAX_SLEEP_SKIP_DIFF * 10000) {
time_skipped.QuadPart += -DelayInterval->QuadPart;
// notify how much we've skipped
unsigned long milli = -DelayInterval->QuadPart / 10000;
LOQ("ls", "Milliseconds", milli, "Status", "Skipped");
return ret;
}
else {
sleep_skip_active = 0;
}
}
unsigned long milli = -DelayInterval->QuadPart / 10000;
LOQ2("l", "Milliseconds", milli);
return Old_NtDelayExecution(Alertable, DelayInterval);
}
HOOKDEF(NTSTATUS, WINAPI, NtDelayExecution,
__in BOOLEAN Alertable,
__in PLARGE_INTEGER DelayInterval
) {
int ret = 0;
LOQ("l", "Milliseconds", -DelayInterval->QuadPart / 10000);
return Old_NtDelayExecution(Alertable, DelayInterval);
}
HOOKDEF(int, WSAAPI, shutdown,
__in SOCKET s,
__in int how
) {
int ret = Old_shutdown(s, how);
LOQ("pl", "socket", s, "how", how);
return ret;
}
HOOKDEF(int, WSAAPI, listen,
__in SOCKET s,
__in int backlog
) {
int ret = Old_listen(s, backlog);
LOQ("p", "socket", s);
return ret;
}
HOOKDEF(NTSTATUS, WINAPI, NtTerminateThread,
__in HANDLE ThreadHandle,
__in NTSTATUS ExitStatus
) {
NTSTATUS ret = Old_NtTerminateThread(ThreadHandle, ExitStatus);
LOQ("pl", "ThreadHandle", ThreadHandle, "ExitStatus", ExitStatus);
return ret;
}
HOOKDEF(int, WINAPI, WSAStartup,
_In_ WORD wVersionRequested,
_Out_ LPWSADATA lpWSAData
) {
int ret = Old_WSAStartup(wVersionRequested, lpWSAData);
LOQ("p", "VersionRequested", wVersionRequested);
return ret;
}
HOOKDEF(NTSTATUS, WINAPI, NtGetContextThread,
__in HANDLE ThreadHandle,
__inout LPCONTEXT Context
) {
NTSTATUS ret = Old_NtGetContextThread(ThreadHandle, Context);
LOQ("p", "ThreadHandle", ThreadHandle);
return ret;
}
HOOKDEF(BOOL, WINAPI, IsDebuggerPresent,
void
) {
IS_SUCCESS_BOOL();
BOOL ret = Old_IsDebuggerPresent();
LOQ("");
return ret;
}
HOOKDEF(BOOL, WINAPI, UnhookWindowsHookEx,
__in HHOOK hhk
) {
IS_SUCCESS_BOOL();
BOOL ret = Old_UnhookWindowsHookEx(hhk);
LOQ("p", "HookHandle", hhk);
return ret;
}
HOOKDEF(struct hostent *, WSAAPI, gethostbyname,
__in const char *name
) {
IS_SUCCESS_HANDLE();
struct hostent *ret = Old_gethostbyname(name);
LOQ("s", "Name", name);
return ret;
}
HOOKDEF(HANDLE, WINAPI, OpenThread,
__in DWORD dwDesiredAccess,
__in BOOL bInheritHandle,
__in DWORD dwThreadId
) {
HANDLE ret = Old_OpenThread(dwDesiredAccess, bInheritHandle, dwThreadId);
LOQ("ll", "DesiredAccess", dwDesiredAccess, "ThreadId", dwThreadId);
return ret;
}
HOOKDEF(SOCKET, WSAAPI, socket,
__in int af,
__in int type,
__in int protocol
) {
SOCKET ret = Old_socket(af, type, protocol);
LOQ("lll", "af", af, "type", type, "protocol", protocol);
return ret;
}
HOOKDEF(int, WSAAPI, connect,
__in SOCKET s,
__in const struct sockaddr *name,
__in int namelen
) {
int ret = Old_connect(s, name, namelen);
LOQ("p", "socket", s);
return ret;
}
HOOKDEF(int, WSAAPI, ioctlsocket,
__in SOCKET s,
__in long cmd,
__inout u_long *argp
) {
int ret = Old_ioctlsocket(s, cmd, argp);
LOQ("pl", "socket", s, "command", cmd);
return ret;
}
HOOKDEF(SOCKET, WSAAPI, accept,
__in SOCKET s,
__out struct sockaddr *addr,
__inout int *addrlen
) {
SOCKET ret = Old_accept(s, addr, addrlen);
LOQ("pp", "socket", s, "ClientSocket", ret);
return ret;
}
HOOKDEF(VOID, WINAPI, ExitThread,
__in DWORD dwExitCode
) {
IS_SUCCESS_VOID();
int ret = 0;
LOQ("l", "ExitCode", dwExitCode);
Old_ExitThread(dwExitCode);
}
HOOKDEF(BOOL, WINAPI, ExitWindowsEx,
__in UINT uFlags,
__in DWORD dwReason
) {
IS_SUCCESS_BOOL();
int ret = 0;
LOQ("ll", "Flags", uFlags, "Reason", dwReason);
return Old_ExitWindowsEx(uFlags, dwReason);
}
HOOKDEF(NTSTATUS, WINAPI, NtSetContextThread,
__in HANDLE ThreadHandle,
__in const CONTEXT *Context
) {
NTSTATUS ret = Old_NtSetContextThread(ThreadHandle, Context);
LOQ("p", "ThreadHandle", ThreadHandle);
pipe("PROCESS:%d", pid_from_thread_handle(ThreadHandle));
return ret;
}
HOOKDEF(BOOL, WINAPI, TerminateThread,
__inout HANDLE hThread,
__in DWORD dwExitCode
) {
IS_SUCCESS_BOOL();
BOOL ret = Old_TerminateThread(hThread, dwExitCode);
LOQ("pl", "ThreadHandle", hThread, "ExitCode", dwExitCode);
return ret;
}
HOOKDEF(NTSTATUS, WINAPI, NtResumeThread,
__in HANDLE ThreadHandle,
__out_opt ULONG *SuspendCount
) {
ENSURE_ULONG(SuspendCount);
NTSTATUS ret = Old_NtResumeThread(ThreadHandle, SuspendCount);
LOQ("pL", "ThreadHandle", ThreadHandle, "SuspendCount", SuspendCount);
return ret;
}
HOOKDEF(int, WSAAPI, recv,
__in SOCKET s,
__out char *buf,
__in int len,
__in int flags
) {
int ret = Old_recv(s, buf, len, flags);
LOQ("pb", "socket", s, "buffer", ret < 1 ? 0 : len, buf);
return ret;
}
HOOKDEF(NTSTATUS, WINAPI, NtSetContextThread,
__in HANDLE ThreadHandle,
__in const CONTEXT *Context
) {
IS_SUCCESS_NTSTATUS();
NTSTATUS ret = Old_NtSetContextThread(ThreadHandle, Context);
LOQ("p", "ThreadHandle", ThreadHandle);
return ret;
}
HOOKDEF(int, WSAAPI, send,
__in SOCKET s,
__in const char *buf,
__in int len,
__in int flags
) {
int ret = Old_send(s, buf, len, flags);
LOQ("pb", "socket", s, "buffer", ret < 1 ? 0 : ret, buf);
return ret;
}
HOOKDEF(NTSTATUS, WINAPI, NtSuspendThread,
__in HANDLE ThreadHandle,
__out_opt ULONG *PreviousSuspendCount
) {
ENSURE_ULONG(PreviousSuspendCount);
NTSTATUS ret = Old_NtSuspendThread(ThreadHandle, PreviousSuspendCount);
LOQ("pL", "ThreadHandle", ThreadHandle,
"SuspendCount", PreviousSuspendCount);
return ret;
}
HOOKDEF(int, WSAAPI, select,
__in SOCKET s,
__inout fd_set *readfds,
__inout fd_set *writefds,
__inout fd_set *exceptfds,
__in const struct timeval *timeout
) {
int ret = Old_select(s, readfds, writefds, exceptfds, timeout);
LOQ("p", "socket", s);
return ret;
}
