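/*
 * Hook handler (by its name, for MessageBeep) that exercises the barrier
 * helpers: module enumeration, pointer-to-module lookup, call-stack trace
 * and calling-module query.
 *
 * Parameters:
 *   - uType  Value passed by the caller; not used by this handler.
 *
 * Returns:
 *   TRUE unconditionally. The handler never forwards to the original
 *   function, and the statuses of the Lh* calls are not inspected.
 */
BOOL WINAPI MessageBeepHook(__in UINT uType)
{
    /* Test barrier methods... */
    PVOID               CallStack[64];
    const ULONG         Capacity = sizeof(CallStack) / sizeof(CallStack[0]);
    MODULE_INFORMATION  Mod;
    /* Zeroed so the loop below is skipped if LhEnumModules() fails without
       writing its output count. */
    ULONG               MethodCount = 0;
    ULONG               Visible;

    LhUpdateModuleInformation();

    LhEnumModules((HMODULE*)CallStack, Capacity, &MethodCount);

    /* Never index past the local array: the reported count is treated as
       untrusted and clamped to the buffer capacity, in case the callee
       reports the total number of modules rather than the number stored
       (its contract is not visible in this listing). */
    Visible = (MethodCount < Capacity) ? MethodCount : Capacity;

    for(ULONG i = 0; i < Visible; i++)
    {
        LhBarrierPointerToModule(CallStack[i], &Mod);
    }

    LhBarrierCallStackTrace(CallStack, Capacity, &MethodCount);

    LhBarrierGetCallingModule(&Mod);

    return TRUE;
}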
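EASYHOOK_NT_EXPORT LhBarrierPointerToModule(
            PVOID InPointer,
            MODULE_INFORMATION* OutModule)
{
/*
Description:

    Translates the given pointer (likely a method) to its
    owning module if possible. The module list is searched under
    GlobalHookLock; on a miss the module information is refreshed
    and the search is repeated once.

Parameters:

    - InPointer

        A method pointer to be translated. NULL and (PVOID)~0 are
        treated as "belongs to no module" and skip the refresh.

    - OutModule

        Receives a copy of the list entry that owns the given method.

Returns:

    STATUS_INVALID_PARAMETER_2

        The given module storage failed the IsValidPointer() check.

    STATUS_NOT_FOUND

        No matching module could be found.
*/
    UCHAR*                  Pointer = (UCHAR*)InPointer;
    NTSTATUS                NtStatus;
    BOOL                    CanTryAgain = TRUE;
    MODULE_INFORMATION*     List;

    if(!IsValidPointer(OutModule, sizeof(MODULE_INFORMATION)))
        THROW(STATUS_INVALID_PARAMETER_2, L"The given module storage is invalid.");

LABEL_TRY_AGAIN:

    RtlAcquireLock(&GlobalHookLock);
    {
        List = LhModuleArray;

        // walk through process modules
        while(List != NULL)
        {
            // The image occupies the half-open range [BaseAddress, BaseAddress + ImageSize).
            // The end address is excluded so that a pointer to the first byte after an
            // image is not attributed to that image (it may be the base of the next one).
            if((Pointer >= List->BaseAddress) && (Pointer < List->BaseAddress + List->ImageSize))
            {
                // NOTE(review): this structure copy also copies List->Next, which refers
                // to the lock-protected list. Callers should presumably not follow it
                // once the lock is released; confirm how the list is rebuilt.
                *OutModule = *List;

                // release before leaving, the success path does not pass the unlock below
                RtlReleaseLock(&GlobalHookLock);

                RETURN;
            }

            List = List->Next;
        }
    }
    RtlReleaseLock(&GlobalHookLock);

    if((InPointer == NULL) || (InPointer == (PVOID)~0))
    {
        // this pointer does not belong to any module...
    }
    else
    {
        // unable to find calling module...
        FORCE(LhUpdateModuleInformation());

        // retry exactly once with the refreshed list
        if(CanTryAgain)
        {
            CanTryAgain = FALSE;

            goto LABEL_TRY_AGAIN;
        }
    }

    THROW(STATUS_NOT_FOUND, L"Unable to determine module.");

THROW_OUTRO:
FINALLY_OUTRO:
    return NtStatus;
}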
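/**************************************************************

Description:

    Initializes the driver and also loads the system specific PatchGuard
    information (the PatchGuard-specific part is not visible in this
    function; presumably it lives in one of the Lh* initializers).

    Creates the EasyHook device, publishes the version 1 function table in
    the device extension, creates the DOS symbolic link, installs the
    dispatch and unload routines and then initializes the hooking runtime.

Parameters:

    - InDriverObject

        The driver object; receives the dispatch and unload routines.

    - InRegistryPath

        Not used by this function.

Returns:

    The status of the last initialization step. On any failure everything
    this function registered itself (image-load notification, symbolic
    link, device) is rolled back before returning.
*/
NTSTATUS DriverEntry(
    IN PDRIVER_OBJECT       InDriverObject,
    IN PUNICODE_STRING      InRegistryPath)
{
    NTSTATUS                        Status;
    UNICODE_STRING                  NtDeviceName;
    UNICODE_STRING                  DosDeviceName;
    PEASYHOOK_DEVICE_EXTENSION      DeviceExtension;
    PDEVICE_OBJECT                  DeviceObject = NULL;
    BOOLEAN                         SymbolicLink = FALSE;
    BOOLEAN                         ImageNotify = FALSE;

    /*
        Create device...

        NOTE(review): the device is created with DeviceCharacteristics 0 and
        the default security descriptor, and is later linked into the DOS
        namespace. Which callers can open it and reach the IOCTL handler is
        therefore decided by that default ACL and by the dispatch routines,
        neither of which is visible here. Consider FILE_DEVICE_SECURE_OPEN
        and IoCreateDeviceSecure with a restrictive SDDL string.
    */
    RtlInitUnicodeString(&NtDeviceName, EASYHOOK_DEVICE_NAME);

    Status = IoCreateDevice(
        InDriverObject,
        sizeof(EASYHOOK_DEVICE_EXTENSION),      // DeviceExtensionSize
        &NtDeviceName,                          // DeviceName
        FILE_DEVICE_EASYHOOK,                   // DeviceType
        0,                                      // DeviceCharacteristics
        TRUE,                                   // Exclusive
        &DeviceObject                           // [OUT]
        );

    if (!NT_SUCCESS(Status))
        goto ERROR_ABORT;

    /*
        Expose interfaces...

        The table holds addresses inside this driver image, so it is only
        meaningful while the driver stays loaded.
    */
    DeviceExtension = (PEASYHOOK_DEVICE_EXTENSION)DeviceObject->DeviceExtension;
    DeviceExtension->MaxVersion = EASYHOOK_INTERFACE_v_1;

    // Disable warning C4276: no prototype provided; assumed no parameters
#pragma warning(disable: 4276)

    DeviceExtension->API_v_1.RtlGetLastError = RtlGetLastError;
    DeviceExtension->API_v_1.RtlGetLastErrorString = RtlGetLastErrorString;
    DeviceExtension->API_v_1.LhInstallHook = LhInstallHook;
    DeviceExtension->API_v_1.LhUninstallHook = LhUninstallHook;
    DeviceExtension->API_v_1.LhWaitForPendingRemovals = LhWaitForPendingRemovals;
    DeviceExtension->API_v_1.LhBarrierGetCallback = LhBarrierGetCallback;
    DeviceExtension->API_v_1.LhBarrierGetReturnAddress = LhBarrierGetReturnAddress;
    DeviceExtension->API_v_1.LhBarrierGetAddressOfReturnAddress = LhBarrierGetAddressOfReturnAddress;
    DeviceExtension->API_v_1.LhBarrierBeginStackTrace = LhBarrierBeginStackTrace;
    DeviceExtension->API_v_1.LhBarrierEndStackTrace = LhBarrierEndStackTrace;
    DeviceExtension->API_v_1.LhBarrierPointerToModule = LhBarrierPointerToModule;
    DeviceExtension->API_v_1.LhBarrierGetCallingModule = LhBarrierGetCallingModule;
    DeviceExtension->API_v_1.LhBarrierCallStackTrace = LhBarrierCallStackTrace;
    DeviceExtension->API_v_1.LhSetGlobalExclusiveACL = LhSetGlobalExclusiveACL;
    DeviceExtension->API_v_1.LhSetGlobalInclusiveACL = LhSetGlobalInclusiveACL;
    DeviceExtension->API_v_1.LhSetExclusiveACL = LhSetExclusiveACL;
    DeviceExtension->API_v_1.LhSetInclusiveACL = LhSetInclusiveACL;
    DeviceExtension->API_v_1.LhIsProcessIntercepted = LhIsProcessIntercepted;

    /*
        Register for user-mode accessibility and set major functions...
    */
    RtlInitUnicodeString(&DosDeviceName, EASYHOOK_DOS_DEVICE_NAME);

    if (!NT_SUCCESS(Status = IoCreateSymbolicLink(&DosDeviceName, &NtDeviceName)))
        goto ERROR_ABORT;

    SymbolicLink = TRUE;

    InDriverObject->MajorFunction[IRP_MJ_CREATE] = EasyHookDispatchCreate;
    InDriverObject->MajorFunction[IRP_MJ_CLOSE] = EasyHookDispatchClose;
    InDriverObject->MajorFunction[IRP_MJ_DEVICE_CONTROL] = EasyHookDispatchDeviceControl;
    InDriverObject->DriverUnload = EasyHookUnload;

    // initialize EasyHook
    if (!NT_SUCCESS(Status = LhBarrierProcessAttach()))
        goto ERROR_ABORT;

    // Registration stays best-effort as before (a failure does not abort the
    // load), but its outcome is recorded so that the rollback below can
    // unregister the callback.
    if (NT_SUCCESS(PsSetLoadImageNotifyRoutine(OnImageLoadNotification)))
        ImageNotify = TRUE;

    LhCriticalInitialize();

    // A failing DriverEntry gets its image unloaded without DriverUnload being
    // called, so a late failure must go through the rollback too. Otherwise the
    // image-load callback, the symbolic link and the device would outlive the
    // driver code they refer to.
    if (!NT_SUCCESS(Status = LhUpdateModuleInformation()))
        goto ERROR_ABORT;

    return Status;

ERROR_ABORT:

    /*
        Rollback in case of errors...

        NOTE(review): state set up by LhBarrierProcessAttach() and
        LhCriticalInitialize() is not released here because their teardown
        counterparts are not visible in this listing; confirm against
        EasyHookUnload.
    */
    if (ImageNotify)
        PsRemoveLoadImageNotifyRoutine(OnImageLoadNotification);

    if (SymbolicLink)
        IoDeleteSymbolicLink(&DosDeviceName);

    if (DeviceObject != NULL)
        IoDeleteDevice(DeviceObject);

    return Status;
}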