EASYHOOK_NT_EXPORT RhInstallSupportDriver()
{
    /*
        Description:

        Installs the EasyHook support driver. This will allow your driver
        to successfully obtain the EasyHook driver API using
        EasyHookQueryInterface().

        The 64-bit driver image is selected on x64 systems, the 32-bit one
        otherwise; the same name is handed to RhInstallDriver() for both of
        its arguments, and whatever RhInstallDriver() returns is passed back
        unchanged.

        NOTE(review): the name is passed exactly as given. If RhInstallDriver()
        resolves it relative to the working directory, make sure that directory
        is trusted before a kernel driver is installed from it -- confirm against
        RhInstallDriver().
    */
    WCHAR* DriverName;

    if(RhIsX64System())
        DriverName = L"EasyHook64Drv.sys";
    else
        DriverName = L"EasyHook32Drv.sys";

    return RhInstallDriver(DriverName, DriverName);
}
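extern "C" int main(int argc, wchar_t* argv[])
{
    /*
        Description:

        Exercises the EasyHook test harness end to end: installs the support
        driver and the test driver, creates a stealth remote thread inside this
        process, installs/activates/removes a local hook on user32!MessageBeep,
        and finally checks the handle utilities (handle -> object name,
        handle -> thread ID).

        Returns 0 on success, EXIT_FAILURE if DbgGetThreadIdByHandle() disagrees
        with the thread ID reported by CreateThread(), and the failing NTSTATUS
        when a FORCE()d call fails. FORCE is defined outside this block and is
        assumed to assign NtStatus and jump to ERROR_ABORT -- confirm against its
        definition.

        Differences from the earlier version of this harness: every handle and
        the name buffer are released on all paths, the event name is printed
        bounded by UNICODE_STRING.Length, and the thread-ID mismatch path now
        also pauses on _getch() before returning.

        NOTE: "wchar_t* argv[]" is not a standard signature for main(). argc/argv
        are unused, so the signature is left unchanged to keep the entry point
        as-is.
    */
    (void)argc;
    (void)argv;

    // All locals are declared before the first goto: a jump to ERROR_ABORT must
    // not cross an initialization (ill-formed in standard C++, accepted by MSVC
    // only as an extension), and the cleanup block needs to see every handle.
    HMODULE             hUser32        = LoadLibraryA("user32.dll");
    TRACED_HOOK_HANDLE  hHook          = new HOOK_TRACE_INFO();
    NTSTATUS            NtStatus       = 0;
    ULONG               ACLEntries[1]  = {0};
    UNICODE_STRING*     NameBuffer     = NULL;
    HANDLE              hLocalThread   = NULL;   // ordinary thread running TestThread
    HANDLE              hRemoteThread  = NULL;   // out-param of RhCreateStealthRemoteThread()
    HANDLE              hEvent         = NULL;
    HANDLE              hSuspended     = NULL;   // never-resumed thread for the thread-ID test
    WCHAR*              TestDriverName = NULL;
    ULONG               RequiredSize   = 0;
    ULONG               RealThreadId   = 0;
    ULONG               ThreadId       = 0;
    int                 ExitCode       = 0;

    // test driver...
    printf("Installing support driver...\n");

    FORCE(RhInstallSupportDriver());

    printf("Installing test driver...\n");

    // Pick the name first and FORCE() once. An unbraced
    // "if(...) FORCE(...) else FORCE(...)" only works if FORCE expands to a
    // single statement; otherwise the else binds to the macro's own if.
    if(RhIsX64System())
        TestDriverName = L"TestDriver64.sys";
    else
        TestDriverName = L"TestDriver32.sys";

    FORCE(RhInstallDriver(TestDriverName, TestDriverName));

    // test stealth thread creation...
    printf("Testing stealth thread creation...\n");

    // The ordinary thread's handle is kept in its own variable so it is not
    // overwritten (and leaked) by the out-parameter of the stealth call below.
    hLocalThread = CreateThread(NULL, 0, TestThread, NULL, 0, NULL);

    // hRemoteThread is treated as output-only and as an owned handle that this
    // function closes -- confirm against the RhCreateStealthRemoteThread() contract.
    FORCE(RhCreateStealthRemoteThread(GetCurrentProcessId(), HijackEntry, (PVOID)0x12345678, &hRemoteThread));

    // give the stealth thread time to run before tearing things down
    Sleep(500);

    /*
        The following shows how to install and remove local hooks...
    */
    FORCE(LhInstallHook(
            GetProcAddress(hUser32, "MessageBeep"),
            MessageBeepHook,
            (PVOID)0x12345678,
            hHook));

    // won't invoke the hook handler because hooks are inactive after installation
    MessageBeep(123);

    // activate the hook for the current thread
    FORCE(LhSetInclusiveACL(ACLEntries, 1, hHook));

    // will be redirected into the handler...
    MessageBeep(123);

    // this will also invalidate "hHook", because it is a traced handle...
    LhUninstallAllHooks();

    // this will do nothing because the hook is already removed...
    LhUninstallHook(hHook);

    // now we can safely release the traced handle
    delete hHook;

    hHook = NULL;

    // even if the hook is removed, we need to wait for memory release
    LhWaitForPendingRemovals();

    /*
        In many situations you will need the handler utilities.
    */
    hEvent = CreateEventA(NULL, TRUE, FALSE, "MyEvent");

    // handle to name: the first call only reports the required buffer size
    if(!SUCCEEDED(NtStatus = DbgHandleToObjectName(hEvent, NULL, 0, &RequiredSize)))
        goto ERROR_ABORT;

    NameBuffer = (UNICODE_STRING*)malloc(RequiredSize);

    if(NameBuffer == NULL)
    {
        NtStatus = STATUS_NO_MEMORY;

        goto ERROR_ABORT;
    }

    FORCE(DbgHandleToObjectName(hEvent, NameBuffer, RequiredSize, &RequiredSize));

    // UNICODE_STRING.Buffer is not guaranteed to be NUL-terminated, so bound
    // the output by Length (a byte count) instead of trusting a terminator.
    printf("\n[Info]: Event name is \"%.*S\".\n",
           (int)(NameBuffer->Length / sizeof(WCHAR)), NameBuffer->Buffer);

    // handle to thread ID (the thread has no start routine and is never resumed)
    hSuspended = CreateThread(NULL, 0, NULL, NULL, CREATE_SUSPENDED, &RealThreadId);

    FORCE(DbgGetThreadIdByHandle(hSuspended, &ThreadId));

    if(ThreadId != RealThreadId)
        ExitCode = EXIT_FAILURE;

    goto CLEANUP;

ERROR_ABORT:

    printf("\n[Error(0x%p)]: \"%S\" (code: %d {0x%p})\n", (PVOID)NtStatus, RtlGetLastErrorString(), RtlGetLastError(), (PVOID)RtlGetLastError());

    ExitCode = NtStatus;

CLEANUP:

    // free(NULL) and delete NULL are no-ops; hHook is already NULL on the
    // success path because the traced handle was released above.
    free(NameBuffer);
    delete hHook;

    if(hSuspended != NULL)
        CloseHandle(hSuspended);

    if(hEvent != NULL)
        CloseHandle(hEvent);

    if(hRemoteThread != NULL)
        CloseHandle(hRemoteThread);

    if(hLocalThread != NULL)
        CloseHandle(hLocalThread);

    if(hUser32 != NULL)
        FreeLibrary(hUser32);

    _getch();

    return ExitCode;
}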