// Installs the hook once per process: loads \Windows\FingerSuiteDll.dll into
// the server process of the SH_WMGR API set and then runs that DLL's
// StartHookOnServer export there. Both steps are cross-process calls made
// through PerformCallBack4 and need kernel mode plus full process permissions
// for their duration; both escalations are undone before leaving the block.
// Returns TRUE on success or when a previous call already ran, FALSE when an
// exception is raised during injection.
// NOTE(review): s_lCount is incremented before the attempt, so a failed first
// call leaves the counter above zero and every later call returns TRUE without
// retrying; the result of StartHookOnServer (dw) is never examined either.
BOOL InstallHook() {
    static long s_lCount = 0;
    if (InterlockedIncrement(&s_lCount) > 1) {
        // no need to install again
        return TRUE;
    }
    BOOL bResult = TRUE;
    if (m_hDestProcess == NULL) {
        int iAPISetId = SH_WMGR;
        DWORD dwOldPermissions = 0;
        // Escalate: reading the kernel API-set table and calling into another
        // process require kernel mode and all process permissions.
        SetKMode(TRUE);
        dwOldPermissions = SetProcPermissions(-1);
        __try {
            // Resolve the process that serves the SH_WMGR API set.
            CINFO ** pSystemAPISets = (CINFO**)(UserKInfo[KINX_APISETS]);
            m_hDestProcess = pSystemAPISets[iAPISetId]->m_pProcessServer->hProc;
            CALLBACKINFO cbi;
            ZeroMemory(&cbi, sizeof(CALLBACKINFO));
            cbi.m_hDestinationProcessHandle = m_hDestProcess;
            // Step 1: have the server process call LoadLibraryW on the DLL path.
            // The path pointer is mapped against this process so the callee can read it.
            cbi.m_pFunction = (FARPROC)MapPtrToProcess(GetProcAddress(GetModuleHandle(L"COREDLL"), L"LoadLibraryW"), m_hDestProcess);
            cbi.m_pFirstArgument = (LPVOID)MapPtrToProcess(L"\\Windows\\FingerSuiteDll.dll", GetCurrentProcess());
            m_hDllInst = (HINSTANCE)PerformCallBack4(&cbi, 0,0,0); //returns the HINSTANCE from LoadLibraryW
            // Fixed delay instead of a completion signal; a NULL m_hDllInst is not checked here.
            Sleep(1000);
            ZeroMemory(&cbi, sizeof(CALLBACKINFO));
            cbi.m_hDestinationProcessHandle = m_hDestProcess;
            // Step 2: call the DLL's StartHookOnServer export inside the server process.
            // GetProcAddress is evaluated on the local m_hDllInst, so this presumably
            // relies on the DLL mapping to the same address in both processes — confirm.
            cbi.m_pFunction = (FARPROC)MapPtrToProcess(GetProcAddress(m_hDllInst, L"StartHookOnServer"), m_hDestProcess);
            cbi.m_pFirstArgument = NULL;
            DWORD dw = PerformCallBack4(&cbi, 0,0,0); //returns 1 if correctly executed
            Sleep(1000);
        }
        __except(FilterException(GetExceptionInformation())) {
            bResult = FALSE;
        }
        // Drop the privileges taken above, on the exception path as well.
        if(dwOldPermissions) {
            SetProcPermissions(dwOldPermissions);
        }
        SetKMode(FALSE);
    }
    // NOTE(review): the listing ends here; the function's `return bResult;` and
    // closing brace are not present on this page.
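/*
 * Loads LibraryName into the process Proc by having that process execute
 * LoadLibraryW through a PerformCallBack4 cross-process call, then waits for
 * the loaded library to pulse UTASK_GLOBAL_HOOKLIB_READY_EVENT.
 *
 * Proc        - handle of the target process (gwes.exe per the original comment).
 * LibraryName - DLL path; it is mapped against the calling process so the
 *               callee can read it, and must stay valid until the call returns.
 *
 * Returns 1 when the ready event cannot be created, when ReadEvent reports 0
 * for the event before anything is injected, or when coredll/LoadLibraryW
 * cannot be resolved; otherwise the value ReadEvent returns after waiting up
 * to 3000 ms. ReadEvent is defined elsewhere — NOTE(review): confirm which of
 * its return values means "event signaled" before relying on this result.
 *
 * Fixes over the original: the event handle was leaked on the early return,
 * CreateEvent's result was not checked, and the CALLBACKINFO was passed with
 * uninitialized fields.
 */
int InjectDLL(HANDLE Proc, wchar_t *LibraryName)
{
    DWORD result = 1;

    // Trying to get current HookLibraryReady event state
    HANDLE hEvent = CreateEvent(NULL, FALSE, FALSE, UTASK_GLOBAL_HOOKLIB_READY_EVENT);
    if (hEvent == NULL) {
        return 1;   /* cannot observe the ready event; treat as failure */
    }
    if (ReadEvent(hEvent, 0) == 0) {
        CloseHandle(hEvent);   /* was leaked on this path */
        return 1;
    }

    HMODULE coredll = GetModuleHandle(L"coredll.dll");
    if (coredll) {
        FARPROC pfnLoadLibrary = GetProcAddress(coredll, L"LoadLibraryW");
        if (pfnLoadLibrary) {
            // Loading our library to gwes.exe memory space
            CALLBACKINFO ci = {0};   /* fields we do not set must not be stack garbage */
            ci.hProc = Proc;
            ci.pfn = (FARPROC)MapPtrToProcess(pfnLoadLibrary, Proc);
            ci.pvArg0 = MapPtrToProcess(LibraryName, GetCurrentProcess());
            PerformCallBack4(&ci);
            /* Fixed delay before polling; the wait below is the real completion check. */
            Sleep(2000);
            // Waiting for HookLibraryReady event pulsation for 3000 ms
            result = ReadEvent(hEvent, 3000);
        }
    }
    CloseHandle(hEvent);
    return result;
}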
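/*
 * Walks the process snapshot and returns the process id of nk.exe, or 0 when
 * it is not found, the snapshot cannot be taken, or an exception is raised
 * while enumerating. The snapshot handle is closed on every path.
 */
static DWORD FindNkProcessId(void)
{
    DWORD dwNKProcessId = 0;
    HANDLE snapShot = INVALID_HANDLE_VALUE;
    __try {
        snapShot = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS | TH32CS_SNAPNOHEAPS, 0);
        if (snapShot != INVALID_HANDLE_VALUE) {
            // Build new list
            PROCESSENTRY32 processEntry;
            processEntry.dwSize = sizeof(PROCESSENTRY32);
            BOOL ret = Process32First(snapShot, &processEntry);
            while (ret) {
                if (lstrcmpi(processEntry.szExeFile, L"nk.exe") == 0) {
                    dwNKProcessId = processEntry.th32ProcessID;
                    break;
                }
                ret = Process32Next(snapShot, &processEntry);
            }
        }
    }
    __except (EXCEPTION_EXECUTE_HANDLER) {
        dwNKProcessId = 0;   /* original returned NULL from the handler */
    }
    if (snapShot != INVALID_HANDLE_VALUE) {
        CloseToolhelp32Snapshot(snapShot);
    }
    return dwNKProcessId;
}

/*
 * Runs VirtualAlloc(NULL, p_iSize, MEM_COMMIT, PAGE_EXECUTE_READWRITE) inside
 * hNKProcess via PerformCallBack4 and returns the result mapped for the
 * caller, or NULL when the remote VirtualAlloc returned 0.
 * pfnVirtualAlloc is the local COREDLL export; it is mapped against hNKProcess
 * for the call, matching the original code.
 */
static LPVOID RemoteVirtualAlloc(HANDLE hNKProcess, FARPROC pfnVirtualAlloc, int p_iSize)
{
    CALLBACKINFO cbi = {0};   /* fields we do not set must not be stack garbage */
    cbi.m_hDestinationProcessHandle = hNKProcess;
    cbi.m_pFunction = (FARPROC)MapPtrToProcess(pfnVirtualAlloc, hNKProcess);
    cbi.m_pFirstArgument = (LPVOID)0;          /* lpAddress: let the allocator choose */
    DWORD dwParam2 = p_iSize;                  /* dwSize */
    DWORD dwParam3 = MEM_COMMIT;               /* flAllocationType */
    DWORD dwParam4 = PAGE_EXECUTE_READWRITE;   /* flProtect: writable and executable */
    /* PerformCallBack4 returns the remote VirtualAlloc's result: the block
     * address, or 0 on failure (the original comment saying "1" was a copy-paste). */
    DWORD dwPtr = PerformCallBack4(&cbi, dwParam2, dwParam3, dwParam4);
    if (dwPtr == 0) {
        return NULL;   /* do not map a null pointer */
    }
    return MapPtrToProcess((LPVOID)dwPtr, hNKProcess);
}

/*
 * Allocates p_iSize bytes of committed PAGE_EXECUTE_READWRITE memory inside
 * the kernel process (nk.exe) and returns it mapped into the caller's view.
 *
 * p_iSize - requested size in bytes, passed through to VirtualAlloc.
 *
 * Returns the mapped pointer, or NULL when nk.exe cannot be found or opened,
 * COREDLL or its VirtualAlloc export cannot be resolved, or the remote
 * VirtualAlloc fails. The block belongs to nk.exe's address space and is not
 * freed by this module.
 *
 * Fixes over the original: a missing nk.exe no longer leads to OpenProcess(0),
 * the COREDLL reference taken with LoadLibrary is released, NULL results of
 * LoadLibrary/GetProcAddress/VirtualAlloc are handled, and the snapshot
 * handle is closed exactly once.
 */
void * AllocateMemInKernelProc(int p_iSize)
{
    DWORD dwNKProcessId = FindNkProcessId();
    if (dwNKProcessId == 0) {
        return NULL;   /* nk.exe not found, or the snapshot failed */
    }

    HANDLE hNKProcess = OpenProcess(0, FALSE, dwNKProcessId);
    if (hNKProcess == NULL) {
        return NULL;
    }

    LPVOID pAllocated = NULL;
    HINSTANCE hCoreDll = LoadLibrary(_T("COREDLL"));
    if (hCoreDll != NULL) {
        FARPROC pfnVirtualAlloc = GetProcAddress(hCoreDll, L"VirtualAlloc");
        if (pfnVirtualAlloc != NULL) {
            pAllocated = RemoteVirtualAlloc(hNKProcess, pfnVirtualAlloc, p_iSize);
        }
        FreeLibrary(hCoreDll);   /* balance the LoadLibrary above */
    }
    CloseHandle(hNKProcess);
    return pAllocated;
}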
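/* Logs one entry per system API set: name, method count, handle and dispatch type. */
static void dumpApiSets(CINFO **SystemAPISets)
{
    for (int i = 0; i < NUM_SYSTEM_SETS; i++) {
        DEBUGMSG(1, (L"SystemAPISets[%d]:\n", i));
        DEBUGMSG(1, (L"API set: %s\n", getApiName(i)));
        if (SystemAPISets[i] == 0) {
            DEBUGMSG(1, (L" NULL\n"));
            continue;
        }
        DEBUGMSG(1, (L" acName: %S\n", SystemAPISets[i]->acName)); //use %S (capital S) as acName is char*
        DEBUGMSG(1, (L" cMethods: %d\n", SystemAPISets[i]->cMethods));
        DEBUGMSG(1, (L" handle type: %i\n", SystemAPISets[i]->type));
        DEBUGMSG(1, (L" disp type: %s\n", getDispType(SystemAPISets[i]->disp)));
        DEBUGMSG(1, (L"\n"));
    }
}

/*
 * Body of the test: decodes FIRST_METHOD into an API-set/method pair,
 * validates it against the kernel's API-set table, loads
 * TestApiSetHookDll.dll into that set's server process and runs the DLL's
 * PerformHook export there. Always returns 0, as the original main did.
 * Caller is expected to have entered kernel mode and raised permissions.
 *
 * Fixes over the original: the ApiSet bound check used '>' so an index equal
 * to NUM_SYSTEM_SETS could read past the table; the CALLBACKINFO was passed
 * with uninitialized fields; a NULL LoadLibraryW address was used unchecked;
 * and Hm was leaked when only the PerformHook export was missing.
 */
static int runHookTest(void)
{
    CINFO **SystemAPISets = (CINFO **)KData.aInfo[KINX_APISETS];
    dumpApiSets(SystemAPISets);

    DWORD Tmp = (FIRST_METHOD - FAULT_ADDR) / APICALL_SCALE;
    DWORD ApiSet = (Tmp >> HANDLE_SHIFT) & HANDLE_MASK;
    DWORD Method = Tmp & METHOD_MASK;
    // validate
    if (ApiSet >= NUM_SYSTEM_SETS) {   /* the table has NUM_SYSTEM_SETS entries */
        DEBUGMSG(1, (L"Invalid ApiSet\n"));
        return 0;
    }
    if (SystemAPISets[ApiSet] == 0) {
        DEBUGMSG(1, (L"Invalid ApiSet\n"));
        return 0;
    }
    if (SystemAPISets[ApiSet]->cMethods <= Method) {
        DEBUGMSG(1, (L"Invalid method number\n"));
        return 0;
    }
    // I support only filesystem and similar hooks that are processed inside filesys.exe
    if (SystemAPISets[ApiSet]->pServer == 0) {
        DEBUGMSG(1, (L"Calls with pServer==0 are not supported\n"));
        return 0;
    }

    // get server process and inject DLL there
    HANDLE Proc = SystemAPISets[ApiSet]->pServer->hProc;
    void *t = GetProcAddress(GetModuleHandle(L"coredll.dll"), L"LoadLibraryW");
    if (t == 0) {
        DEBUGMSG(1, (L"Unable to resolve LoadLibraryW\n"));
        return 0;
    }
    CALLBACKINFO ci = {0};   /* fields we do not set must not be stack garbage */
    ci.hProc = Proc;
    ci.pfn = (FARPROC)MapPtrToProcess(t, Proc);
    ci.pvArg0 = MapPtrToProcess(L"TestApiSetHookDll.dll", GetCurrentProcess());
    PerformCallBack4(&ci);
    Sleep(1000); // allow PerformCallBack4 to finish before exit. Better enum loaded DLLs or use events

    // bug in VS2005b1 causes DllMain not to be called in DLLs
    HMODULE Hm = LoadLibrary(L"TestApiSetHookDll.dll");
    void *Fn = (Hm != 0) ? GetProcAddress(Hm, L"PerformHook") : 0;
    if (Hm == 0 || Fn == 0) {
        DEBUGMSG(1, (L"Unable to load library\n"));
        if (Hm != 0) {
            FreeLibrary(Hm);   /* was leaked when only the export was missing */
        }
        return 0;
    }
    ci.hProc = Proc;
    ci.pfn = (FARPROC)MapPtrToProcess(Fn, Proc);
    ci.pvArg0 = Proc; // pass the hooked process ID as parameter to be sure that we are called from the context of hooked process
    PerformCallBack4(&ci); // so we call function ourselves, fortunately DLLs are loaded at the same address in all processes
    Sleep(3000);
    DEBUGMSG(1, (L"exit\n"));
    MessageBox(GetForegroundWindow(), L"CreateFileW hooked!", L"Done", 0);
    FreeLibrary(Hm);
    return 0;
}

/*
 * Entry point. Enters kernel mode and grants this process all permissions for
 * the duration of runHookTest, then restores both previous states — the
 * original never undid either escalation. argc/argv are unused.
 */
int _tmain(int argc, _TCHAR* argv[])
{
    BOOL bMode = SetKMode(TRUE);
    DWORD dwPerm = SetProcPermissions(0xFFFFFFFF);
    int rc = runHookTest();
    /* Restore in reverse order on every exit path. */
    SetProcPermissions(dwPerm);
    SetKMode(bMode);
    return rc;
}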