EASYHOOK_NT_EXPORT RhInstallSupportDriver()
{
/*
Description:
Installs the EasyHook support driver.
This will allow your driver to successfully obtain the EasyHook driver
API using EasyHookQueryInterface().
*/
WCHAR* DriverName = L"EasyHook32Drv.sys";
if(RhIsX64System())
DriverName = L"EasyHook64Drv.sys";
return RhInstallDriver(DriverName, DriverName);
}
extern "C" int main(int argc, wchar_t* argv[])
{
HMODULE hUser32 = LoadLibraryA("user32.dll");
TRACED_HOOK_HANDLE hHook = new HOOK_TRACE_INFO();
NTSTATUS NtStatus;
ULONG ACLEntries[1] = {0};
UNICODE_STRING* NameBuffer = NULL;
HANDLE hRemoteThread;
// test driver...
printf("Installing support driver...\n");
FORCE(RhInstallSupportDriver());
printf("Installing test driver...\n");
if(RhIsX64System())
FORCE(RhInstallDriver(L"TestDriver64.sys", L"TestDriver64.sys"))
else
FORCE(RhInstallDriver(L"TestDriver32.sys", L"TestDriver32.sys"));
// test stealth thread creation...
printf("Testing stealth thread creation...\n");
hRemoteThread = CreateThread(NULL, 0, TestThread, NULL, 0, NULL);
FORCE(RhCreateStealthRemoteThread(GetCurrentProcessId(), HijackEntry, (PVOID)0x12345678, &hRemoteThread));
Sleep(500);
/*
The following shows how to install and remove local hooks...
*/
FORCE(LhInstallHook(
GetProcAddress(hUser32, "MessageBeep"),
MessageBeepHook,
(PVOID)0x12345678,
hHook));
// won't invoke the hook handler because hooks are inactive after installation
MessageBeep(123);
// activate the hook for the current thread
FORCE(LhSetInclusiveACL(ACLEntries, 1, hHook));
// will be redirected into the handler...
MessageBeep(123);
// this will also invalidate "hHook", because it is a traced handle...
LhUninstallAllHooks();
// this will do nothing because the hook is already removed...
LhUninstallHook(hHook);
// now we can safely release the traced handle
delete hHook;
hHook = NULL;
// even if the hook is removed, we need to wait for memory release
LhWaitForPendingRemovals();
/*
In many situations you will need the handler utilities.
*/
HANDLE Handle = CreateEventA(NULL, TRUE, FALSE, "MyEvent");
ULONG RequiredSize;
ULONG RealThreadId;
ULONG ThreadId;
// handle to name
if(!SUCCEEDED(NtStatus = DbgHandleToObjectName(Handle, NULL, 0, &RequiredSize)))
goto ERROR_ABORT;
NameBuffer = (UNICODE_STRING*)malloc(RequiredSize);
FORCE(DbgHandleToObjectName(Handle, NameBuffer, RequiredSize, &RequiredSize));
printf("\n[Info]: Event name is \"%S\".\n", NameBuffer->Buffer);
// handle to thread ID
Handle = CreateThread(NULL, 0, NULL, NULL, CREATE_SUSPENDED, &RealThreadId);
FORCE(DbgGetThreadIdByHandle(Handle, &ThreadId));
if(ThreadId != RealThreadId)
return EXIT_FAILURE;
_getch();
return 0;
ERROR_ABORT:
if(hHook != NULL)
delete hHook;
if(NameBuffer != NULL)
free(NameBuffer );
printf("\n[Error(0x%p)]: \"%S\" (code: %d {0x%p})\n", (PVOID)NtStatus, RtlGetLastErrorString(), RtlGetLastError(), (PVOID)RtlGetLastError());
_getch();
return NtStatus;
}
