Пример #1
BOOL WINAPI MessageBeepHook(__in UINT uType)
{
    /*
        Test barrier methods...

        Exercises the barrier module-lookup APIs from inside a hook
        handler: refreshes the module information, resolves every
        module handle reported by LhEnumModules to its owner, records
        a call stack trace into the same buffer and finally asks for
        the calling module. None of the return values are checked and
        uType is not used; the hook always reports TRUE to the caller.
    */
    enum { STACK_SLOTS = 64 };

    PVOID               Slots[STACK_SLOTS];
    MODULE_INFORMATION  Owner;
    ULONG               Count;
    ULONG               Index;

    LhUpdateModuleInformation();

    // the trace buffer doubles as module-handle storage for enumeration
    LhEnumModules((HMODULE*)Slots, STACK_SLOTS, &Count);

    Index = 0;
    while(Index < Count)
    {
        LhBarrierPointerToModule(Slots[Index], &Owner);
        Index++;
    }

    // Count is overwritten here with the number of recorded frames
    LhBarrierCallStackTrace(Slots, STACK_SLOTS, &Count);

    LhBarrierGetCallingModule(&Owner);

    return TRUE;
}
Пример #2
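EASYHOOK_NT_EXPORT LhBarrierPointerToModule(
              PVOID InPointer,
              MODULE_INFORMATION* OutModule)
{
/*
Description:

    Translates the given pointer (likely a method) to its
    owning module if possible.

    The module list (LhModuleArray) is walked while holding
    GlobalHookLock. If no module contains the pointer, the list is
    refreshed once through LhUpdateModuleInformation() and the walk
    is repeated a single time. NULL and ~0 are never retried since
    they cannot belong to any module.

    A pointer is attributed to a module only when it lies inside the
    half-open range [BaseAddress, BaseAddress + ImageSize). The
    address one past the end of an image is NOT part of that module;
    treating it as such would attribute foreign code to the wrong
    module, which matters for any caller that makes decisions based
    on the owning module.

Parameters:

    - InPointer

        A method pointer to be translated.

    - OutModule

        Receives the owner of a given method. Must be writable
        storage of at least sizeof(MODULE_INFORMATION) bytes.

Returns:

    STATUS_INVALID_PARAMETER_2

        OutModule is not a valid writable pointer.

    STATUS_NOT_FOUND

        No matching module could be found.

    A failing LhUpdateModuleInformation() is presumably propagated
    unchanged by FORCE; its expansion is not visible here.
*/
    UCHAR*					Pointer = (UCHAR*)InPointer;
    // NtStatus is only ever written by the THROW/RETURN/FORCE macros;
    // every exit path below goes through one of them.
    NTSTATUS				NtStatus;
    BOOL					CanTryAgain = TRUE;
	MODULE_INFORMATION*		List;

	if(!IsValidPointer(OutModule, sizeof(MODULE_INFORMATION)))
		THROW(STATUS_INVALID_PARAMETER_2, L"The given module storage is invalid.");

LABEL_TRY_AGAIN:

	RtlAcquireLock(&GlobalHookLock);
	{
		List = LhModuleArray;

		// walk through process modules
		while(List != NULL)
		{
			// exclusive upper bound: BaseAddress + ImageSize is one past
			// the end of the image and does not belong to this module
			if((Pointer >= List->BaseAddress) && (Pointer < List->BaseAddress + List->ImageSize))
			{
				// copy under the lock; the list node may be replaced by a
				// later LhUpdateModuleInformation()
				*OutModule = *List;

				// RETURN presumably leaves through the outro labels below,
				// which do not release the lock, so release it here first
				RtlReleaseLock(&GlobalHookLock);

				RETURN;
			}

			List = List->Next;
		}
	}
	RtlReleaseLock(&GlobalHookLock);

    if((InPointer == NULL) || (InPointer == (PVOID)~0))
    {
        // this pointer does not belong to any module...
    }
    else
    {
        // unable to find calling module... the module list may simply
        // be stale (e.g. a freshly loaded image), so refresh it and
        // retry exactly once
        FORCE(LhUpdateModuleInformation());

        if(CanTryAgain)
        {
            CanTryAgain = FALSE;

            goto LABEL_TRY_AGAIN;
        }
    }

    THROW(STATUS_NOT_FOUND, L"Unable to determine module.");

THROW_OUTRO:
FINALLY_OUTRO:
    return NtStatus;
}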
Пример #3
/**************************************************************

Description:

Initializes the driver and also loads the system specific PatchGuard
information.
*/
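NTSTATUS DriverEntry(
    IN PDRIVER_OBJECT		InDriverObject,
    IN PUNICODE_STRING		InRegistryPath)
{
/*
Description:

    Driver entry point. Creates the EasyHook device and its DOS
    symbolic link, publishes the v1 API table in the device extension,
    installs the dispatch routines, attaches the barrier, registers the
    image-load notification and loads the initial module information.

    Every resource acquired here is released again on ERROR_ABORT when
    a later step fails. This matters because the kernel does not invoke
    DriverUnload when DriverEntry returns a failure status: a device, a
    symbolic link or — worst of all — an image-load notify routine that
    is still registered while the driver image is being unmapped would
    otherwise be left behind.

Parameters:

    - InDriverObject

        The driver object supplied by the I/O manager.

    - InRegistryPath

        Registry path of the driver's service key. Not used here.

Returns:

    STATUS_SUCCESS (or whatever success code LhUpdateModuleInformation()
    reports) on success; otherwise the status of the failing step,
    after rollback.
*/
    NTSTATUS						Status;
    UNICODE_STRING					NtDeviceName;
    UNICODE_STRING					DosDeviceName;
    PEASYHOOK_DEVICE_EXTENSION		DeviceExtension;
    PDEVICE_OBJECT					DeviceObject = NULL;
    BOOLEAN							SymbolicLink = FALSE;
    BOOLEAN							NotifyRegistered = FALSE;

    /*
    Create device...
    */
    RtlInitUnicodeString(&NtDeviceName, EASYHOOK_DEVICE_NAME);

    Status = IoCreateDevice(
        InDriverObject,
        sizeof(EASYHOOK_DEVICE_EXTENSION),		// DeviceExtensionSize
        &NtDeviceName,					// DeviceName
        FILE_DEVICE_EASYHOOK,			// DeviceType
        0,								// DeviceCharacteristics
        TRUE,							// Exclusive
        &DeviceObject					// [OUT]
        );

    if (!NT_SUCCESS(Status))
        goto ERROR_ABORT;

    /*
    Expose interfaces...
    */
    DeviceExtension = (PEASYHOOK_DEVICE_EXTENSION)DeviceObject->DeviceExtension;
    DeviceExtension->MaxVersion = EASYHOOK_INTERFACE_v_1;

// Disable warning C4276: no prototype provided; assumed no parameters
#pragma warning(disable: 4276)
    DeviceExtension->API_v_1.RtlGetLastError = RtlGetLastError;
    DeviceExtension->API_v_1.RtlGetLastErrorString = RtlGetLastErrorString;
    DeviceExtension->API_v_1.LhInstallHook = LhInstallHook;
    DeviceExtension->API_v_1.LhUninstallHook = LhUninstallHook;
    DeviceExtension->API_v_1.LhWaitForPendingRemovals = LhWaitForPendingRemovals;
    DeviceExtension->API_v_1.LhBarrierGetCallback = LhBarrierGetCallback;
    DeviceExtension->API_v_1.LhBarrierGetReturnAddress = LhBarrierGetReturnAddress;
    DeviceExtension->API_v_1.LhBarrierGetAddressOfReturnAddress = LhBarrierGetAddressOfReturnAddress;
    DeviceExtension->API_v_1.LhBarrierBeginStackTrace = LhBarrierBeginStackTrace;
    DeviceExtension->API_v_1.LhBarrierEndStackTrace = LhBarrierEndStackTrace;
    DeviceExtension->API_v_1.LhBarrierPointerToModule = LhBarrierPointerToModule;
    DeviceExtension->API_v_1.LhBarrierGetCallingModule = LhBarrierGetCallingModule;
    DeviceExtension->API_v_1.LhBarrierCallStackTrace = LhBarrierCallStackTrace;
    DeviceExtension->API_v_1.LhSetGlobalExclusiveACL = LhSetGlobalExclusiveACL;
    DeviceExtension->API_v_1.LhSetGlobalInclusiveACL = LhSetGlobalInclusiveACL;
    DeviceExtension->API_v_1.LhSetExclusiveACL = LhSetExclusiveACL;
    DeviceExtension->API_v_1.LhSetInclusiveACL = LhSetInclusiveACL;
    DeviceExtension->API_v_1.LhIsProcessIntercepted = LhIsProcessIntercepted;

    /*
    Register for user-mode accessibility and set major functions...
    */
    RtlInitUnicodeString(&DosDeviceName, EASYHOOK_DOS_DEVICE_NAME);

    if (!NT_SUCCESS(Status = IoCreateSymbolicLink(&DosDeviceName, &NtDeviceName)))
        goto ERROR_ABORT;

    SymbolicLink = TRUE;

    InDriverObject->MajorFunction[IRP_MJ_CREATE] = EasyHookDispatchCreate;
    InDriverObject->MajorFunction[IRP_MJ_CLOSE] = EasyHookDispatchClose;
    InDriverObject->MajorFunction[IRP_MJ_DEVICE_CONTROL] = EasyHookDispatchDeviceControl;
    InDriverObject->DriverUnload = EasyHookUnload;

    // initialize EasyHook
    if (!NT_SUCCESS(Status = LhBarrierProcessAttach()))
        goto ERROR_ABORT;

    // registration can fail (e.g. the notify-routine table is full); an
    // unchecked failure would leave the driver believing it receives
    // image-load events
    if (!NT_SUCCESS(Status = PsSetLoadImageNotifyRoutine(OnImageLoadNotification)))
        goto ERROR_ABORT;

    NotifyRegistered = TRUE;

    LhCriticalInitialize();

    // a failure here must roll back too; returning the error directly
    // would leak the device, the link and the registered notify routine
    if (!NT_SUCCESS(Status = LhUpdateModuleInformation()))
        goto ERROR_ABORT;

    return Status;

ERROR_ABORT:

    /*
    Rollback in case of errors... (reverse order of acquisition)
    */
    // NOTE(review): whatever LhBarrierProcessAttach()/LhCriticalInitialize()
    // set up is not undone here; a matching teardown is not visible in
    // this file — confirm against EasyHookUnload.
    if (NotifyRegistered)
        PsRemoveLoadImageNotifyRoutine(OnImageLoadNotification);

    if (SymbolicLink)
        IoDeleteSymbolicLink(&DosDeviceName);

    if (DeviceObject != NULL)
        IoDeleteDevice(DeviceObject);

    return Status;
}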