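// HookDirect3D - resolve (and optionally hook) the Direct3D 8/9 factory exports.
//
//   version == 0 : hook Direct3DCreate8 and Direct3DCreate9 through HookAPI and
//                  keep each non-NULL value it returns as the saved entry point.
//   version == 8 : load d3d8.dll, resolve Direct3DCreate8, then call the
//                  extDirect3DCreate8 wrapper once and release the object it returns.
//   version == 9 : same sequence for d3d9.dll / Direct3DCreate9.
//   other values : nothing is resolved.
//
// Returns 1 if pDirect3DCreate8 or pDirect3DCreate9 is non-NULL on exit, else 0.
//
// NOTE(review): LoadLibrary is called with a bare file name, so the default DLL
// search order decides which d3d8.dll / d3d9.dll is mapped into the process.
// Confirm that this is intended before reusing the code in a context where the
// application directory is writable by less-trusted users.
int HookDirect3D(int version)
{
    HINSTANCE hinst;
    void *tmp;
    LPDIRECT3D9 lpd3d;

    switch (version) {
    case 0:
        tmp = HookAPI("d3d8.dll", "Direct3DCreate8", extDirect3DCreate8);
        if (tmp)
            pDirect3DCreate8 = (Direct3DCreate8_Type)tmp;
        tmp = HookAPI("d3d9.dll", "Direct3DCreate9", extDirect3DCreate9);
        if (tmp)
            pDirect3DCreate9 = (Direct3DCreate9_Type)tmp;
        break;

    case 8:
        // The module handle is kept for the life of the process: the resolved
        // function pointer must stay valid.
        hinst = LoadLibrary("d3d8.dll");
        pDirect3DCreate8 = NULL;
        if (hinst)  // never hand a failed load to GetProcAddress
            pDirect3DCreate8 = (Direct3DCreate8_Type)GetProcAddress(hinst, "Direct3DCreate8");
        if (pDirect3DCreate8) {
            // 220 is presumably the D3D8 SDK version constant - TODO confirm.
            lpd3d = (LPDIRECT3D9)extDirect3DCreate8(220);
            if (lpd3d)
                lpd3d->Release();
        }
        break;

    case 9:
        hinst = LoadLibrary("d3d9.dll");
        pDirect3DCreate9 = NULL;
        if (hinst)
            pDirect3DCreate9 = (Direct3DCreate9_Type)GetProcAddress(hinst, "Direct3DCreate9");
        if (pDirect3DCreate9) {
            // 31 is presumably a D3D9 SDK version constant - TODO confirm.
            lpd3d = (LPDIRECT3D9)extDirect3DCreate9(31);
            if (lpd3d)
                lpd3d->Release();
        }
        break;

    default:
        break;
    }

    return (pDirect3DCreate8 || pDirect3DCreate9) ? 1 : 0;
}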
/*
 * InstallTextOutHooks - route the four GDI text-drawing exports of gdi32.dll
 * (TextOutA/W, ExtTextOutA/W) to the matching *CallbackProc replacement.
 *
 * The address of each *NextHook variable is handed to HookAPI as its last
 * argument; presumably HookAPI stores the original entry point there.
 *
 * NOTE(review): HookAPI's result is ignored, so a failed installation is not
 * noticed here.
 */
static void InstallTextOutHooks()
{
/* Expands to exactly the call the hand-written version made for each export. */
#define INSTALL_GDI_HOOK(api) \
    HookAPI("gdi32.dll", #api, (PROC)api##CallbackProc, (PROC*)&api##NextHook)

    INSTALL_GDI_HOOK(TextOutA);
    INSTALL_GDI_HOOK(TextOutW);
    INSTALL_GDI_HOOK(ExtTextOutA);
    INSTALL_GDI_HOOK(ExtTextOutW);

#undef INSTALL_GDI_HOOK
}
/*
 * UninstallTextOutHooks - undo the GDI text hooks.
 *
 * For every export whose saved *NextHook pointer is non-NULL, HookAPI is
 * called again with that saved pointer in the replacement position and NULL
 * in the output position. Exports whose pointer is NULL are left untouched.
 *
 * NOTE(review): the saved pointers are not cleared afterwards and HookAPI's
 * result is not checked.
 */
static void UninstallTextOutHooks()
{
#define RESTORE_GDI_HOOK(api)                                          \
    do {                                                               \
        if (api##NextHook)                                             \
            HookAPI("gdi32.dll", #api, (PROC)api##NextHook, NULL);     \
    } while (0)

    RESTORE_GDI_HOOK(TextOutA);
    RESTORE_GDI_HOOK(TextOutW);
    RESTORE_GDI_HOOK(ExtTextOutA);
    RESTORE_GDI_HOOK(ExtTextOutW);

#undef RESTORE_GDI_HOOK
}
/*
 * InstallTextOutHooks - hook TextOutA/W and ExtTextOutA/W in gdi32.dll.
 *
 * Each *Ori slot is reset to NULL immediately before its HookAPI call, so a
 * slot that is still NULL afterwards means HookAPI did not fill it in (the
 * matching uninstall routine relies on that NULL test).
 *
 * NOTE(review): HookAPI's own result is ignored.
 */
static void InstallTextOutHooks()
{
/* Reset the saved pointer, then install the replacement - same order as before. */
#define HOOK_GDI_TEXT(api)                                                   \
    do {                                                                     \
        api##Ori = NULL;                                                     \
        HookAPI("gdi32.dll", #api, (PROC)api##Hook, (PROC*)&api##Ori);       \
    } while (0)

    HOOK_GDI_TEXT(TextOutA);
    HOOK_GDI_TEXT(TextOutW);
    HOOK_GDI_TEXT(ExtTextOutA);
    HOOK_GDI_TEXT(ExtTextOutW);

#undef HOOK_GDI_TEXT
}
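/*
 * _DecryptMessage - replacement for DecryptMessage (secur32.dll).
 *
 * Temporarily removes its own hook, forwards the call to the real
 * DecryptMessage, re-installs the hook, and then copies every buffer of type
 * SECBUFFER_DATA or SECBUFFER_EMPTY into a NUL-terminated scratch buffer that
 * is written with OutputDebugStringA.
 *
 * Returns the status of the real DecryptMessage call, unchanged.
 *
 * NOTE(review): what is written is decrypted application data. Debug output
 * can be read by any debug listener attached on the machine, so this belongs
 * in controlled debugging sessions only.
 * NOTE(review): buffers are logged even when the real call failed; confirm
 * whether a success check on ret is wanted.
 * NOTE(review): the unhook / call / rehook sequence is not synchronized, so
 * calls made by other threads inside that window are not seen by the hook.
 * NOTE(review): the (DWORD) cast of the function address assumes 32-bit
 * pointers.
 */
SECURITY_STATUS SEC_ENTRY _DecryptMessage(PCtxtHandle phContext, PSecBufferDesc pMessage, ULONG MessageSeqNo, PULONG pfQOP)
{
    SECURITY_STATUS ret;
    LPBYTE data;
    int i = 0;

    /* Snapshot the buffer count before the real call. */
    if (pMessage)
        i = pMessage->cBuffers;

    UnHookAPI("DecryptMessage", "secur32.dll", _DecryptMsg);
    ret = DecryptMessage(phContext, pMessage, MessageSeqNo, pfQOP);
    _DecryptMsg = HookAPI("DecryptMessage", "secur32.dll", (DWORD) _DecryptMessage);

    if (pMessage) {
        while (i--) {
            PSecBuffer buf = &pMessage->pBuffers[i];

            if (buf->BufferType != SECBUFFER_DATA && buf->BufferType != SECBUFFER_EMPTY)
                continue;
            /* An empty buffer may carry no pointer; the size check keeps the +1 from wrapping. */
            if (!buf->pvBuffer || buf->cbBuffer == (unsigned long)-1)
                continue;

            data = (LPBYTE) malloc((size_t)buf->cbBuffer + 1);
            if (!data)          /* allocation failure: skip this buffer, keep the call result */
                continue;

            strncpy((LPSTR) data, (LPCSTR) buf->pvBuffer, buf->cbBuffer);
            data[buf->cbBuffer] = '\0';   /* strncpy does not terminate a full-length copy */
            OutputDebugStringA((LPCSTR) data);
            free(data);
        }
    }
    return ret;
}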
/*
 * _HttpOpenRequestW - replacement for HttpOpenRequestW (wininet.dll).
 *
 * Passes the verb, flags, object name, accept types and referrer to the
 * add*W helpers (plus addKeepAliveW when INTERNET_FLAG_KEEP_CONNECTION is
 * set), then removes its own hook, forwards the call unchanged to the real
 * HttpOpenRequestW, and re-installs the hook.
 *
 * Returns the handle produced by the real API.
 *
 * An earlier debug trace (wsprintfW + OutputDebugStringW) and a BuildRequestW
 * call were disabled in the original in favour of the add*W helpers.
 *
 * NOTE(review): the unhook / call / rehook window is not synchronized across
 * threads, and the (DWORD) cast assumes 32-bit pointers.
 */
HINTERNET WINAPI _HttpOpenRequestW(HINTERNET hConnect, LPCWSTR lpszVerb, LPCWSTR lpszObjectName, LPCWSTR lpszVersion, LPCWSTR lpszReferrer, LPCWSTR *lplpszAcceptTypes, DWORD dwFlags, DWORD_PTR dwContext)
{
    HINTERNET hReq;

    /* Record the request line pieces, in the same order as before. */
    addVerbW(lpszVerb);
    addHostW(dwFlags);
    addObjectW(lpszObjectName);
    addAcceptTypesW(lplpszAcceptTypes);
    addReferrerW(lpszReferrer);
    if ((dwFlags & INTERNET_FLAG_KEEP_CONNECTION) != 0) {
        addKeepAliveW();
    }

    /* Call through to the genuine export with the hook lifted. */
    UnHookAPI("HttpOpenRequestW", "wininet.dll", _OpenReqW);
    hReq = HttpOpenRequestW(hConnect, lpszVerb, lpszObjectName, lpszVersion,
                            lpszReferrer, lplpszAcceptTypes, dwFlags, dwContext);
    _OpenReqW = HookAPI("HttpOpenRequestW", "wininet.dll", (DWORD) _HttpOpenRequestW);

    return hReq;
}
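// HookDirectInput - hook the DirectInput factory exports for `module`, falling
// back to loading the DLL directly when no hook could be placed.
//
// Step 1: HookAPI is tried for DirectInputCreateA, DirectInputCreateW and
//         DirectInputCreateEx (dinput.dll) and DirectInput8Create (dinput8.dll).
//         Every non-NULL result overwrites the saved pointer for that family.
// Step 2: only if both saved pointers are still NULL, the DLL matching
//         `version` is loaded, the exports are resolved with GetProcAddress,
//         and each ext* wrapper is called once; the object it yields is
//         released straight away.
//
// Returns 1 if pDirectInputCreate or pDirectInputCreateEx is non-NULL, else 0.
//
// NOTE(review): DirectInputCreateA and DirectInputCreateW share one saved
// pointer, as do DirectInputCreateEx and DirectInput8Create, so a later hook
// overwrites what an earlier one stored - confirm this is intended.
// NOTE(review): LoadLibrary with a bare file name follows the default DLL
// search order; confirm that is acceptable where this runs.
int HookDirectInput(HMODULE module, int version)
{
    HINSTANCE hinst;
    void *tmp;
    LPDIRECTINPUT lpdi = NULL;
    // Interface IDs passed to the Ex wrapper; they look like the
    // IDirectInput7A / IDirectInput8A IIDs - TODO confirm against dinput.h.
    const GUID di7 = {0x9A4CB684,0x236D,0x11D3,0x8E,0x9D,0x00,0xC0,0x4F,0x68,0x44,0xAE};
    const GUID di8 = {0xBF798030,0x483A,0x4DA2,0xAA,0x99,0x5D,0x64,0xED,0x36,0x97,0x00};

    tmp = HookAPI(module, "dinput.dll", NULL, "DirectInputCreateA", extDirectInputCreate);
    if (tmp)
        pDirectInputCreate = (DirectInputCreate_Type)tmp;
    tmp = HookAPI(module, "dinput.dll", NULL, "DirectInputCreateW", extDirectInputCreate);
    if (tmp)
        pDirectInputCreate = (DirectInputCreate_Type)tmp;
    tmp = HookAPI(module, "dinput.dll", NULL, "DirectInputCreateEx", extDirectInputCreateEx);
    if (tmp)
        pDirectInputCreateEx = (DirectInputCreateEx_Type)tmp;
    tmp = HookAPI(module, "dinput8.dll", NULL, "DirectInput8Create", extDirectInput8Create);
    if (tmp)
        pDirectInputCreateEx = (DirectInputCreateEx_Type)tmp;

    if (!pDirectInputCreate && !pDirectInputCreateEx) {
        if (version < 8) {
            hinst = LoadLibrary("dinput.dll");
            if (hinst) {  // both pointers are NULL here; a failed load leaves them NULL
                pDirectInputCreate = (DirectInputCreate_Type)GetProcAddress(hinst, "DirectInputCreateA");
                if (pDirectInputCreate) {
                    lpdi = NULL;
                    if (!extDirectInputCreate(GetModuleHandle(0), DIRECTINPUT_VERSION, &lpdi, 0) && lpdi)
                        lpdi->Release();
                }
                pDirectInputCreateEx = (DirectInputCreateEx_Type)GetProcAddress(hinst, "DirectInputCreateEx");
                if (pDirectInputCreateEx) {
                    lpdi = NULL;
                    if (!extDirectInputCreateEx(GetModuleHandle(0), DIRECTINPUT_VERSION, di7, (void **)&lpdi, 0) && lpdi)
                        lpdi->Release();
                }
            }
        }
        else {
            hinst = LoadLibrary("dinput8.dll");
            if (hinst) {
                pDirectInputCreateEx = (DirectInputCreateEx_Type)GetProcAddress(hinst, "DirectInput8Create");
                if (pDirectInputCreateEx) {
                    lpdi = NULL;
                    if (!extDirectInputCreateEx(GetModuleHandle(0), DIRECTINPUT_VERSION, di8, (void **)&lpdi, 0) && lpdi)
                        lpdi->Release();
                }
            }
        }
    }

    return (pDirectInputCreate || pDirectInputCreateEx) ? 1 : 0;
}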
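/*
 * _HttpSendRequestA - replacement for HttpSendRequestA (wininet.dll).
 *
 * Writes the additional headers and, when present, the optional request body
 * to the debugger output, then removes its own hook, forwards the call
 * unchanged to the real HttpSendRequestA, and re-installs the hook.
 *
 * Returns the result of the real API.
 *
 * The body is formatted with an explicit length: lpOptional is a counted
 * buffer (dwOptionalLength bytes) and need not be NUL-terminated, so a bare
 * %s could read past its end.
 *
 * NOTE(review): msg is a shared buffer declared elsewhere and sprintf does not
 * bound the write; long headers or bodies can overflow it. Switch to a bounded
 * formatter once msg's declared size is known here.
 * NOTE(review): request bodies can contain credentials; debug output is
 * readable by any attached debug listener.
 * NOTE(review): the unhook / call / rehook window is not synchronized across
 * threads, and the (DWORD) cast assumes 32-bit pointers.
 */
BOOL WINAPI _HttpSendRequestA(HINTERNET hRequest, LPCSTR lpszHeaders, DWORD dwHeadersLength, LPVOID lpOptional, DWORD dwOptionalLength)
{
    BOOL ret;

    /* A NULL header pointer is legal for the API; do not pass it to %s. */
    sprintf(msg, "_HttpSendRequestA - %s", lpszHeaders ? lpszHeaders : "(null)");
    OutputDebugStringA(msg);

    if (lpOptional) {
        /* Precision is an int; clamp the byte count before converting. */
        int bodyLen = (dwOptionalLength > 0x7FFFFFFF) ? 0x7FFFFFFF : (int)dwOptionalLength;

        sprintf(msg, "POST: %.*s", bodyLen, (LPSTR) lpOptional);
        OutputDebugStringA(msg);
    }

    UnHookAPI("HttpSendRequestA", "wininet.dll", _SendReqA);
    ret = HttpSendRequestA(hRequest, lpszHeaders, dwHeadersLength, lpOptional, dwOptionalLength);
    _SendReqA = HookAPI("HttpSendRequestA", "wininet.dll", (DWORD) _HttpSendRequestA);

    return ret;
}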
/*
 * _HttpOpenRequestA - pass-through replacement for HttpOpenRequestA
 * (wininet.dll).
 *
 * Removes its own hook, forwards every argument unchanged to the real
 * HttpOpenRequestA, re-installs the hook, and returns the handle the real API
 * produced. The debug trace that used to log the request fields is disabled
 * in the original, so nothing is recorded here.
 *
 * NOTE(review): the unhook / call / rehook window is not synchronized across
 * threads, and the (DWORD) cast assumes 32-bit pointers.
 */
HINTERNET WINAPI _HttpOpenRequestA(HINTERNET hConnect, LPCSTR lpszVerb, LPCSTR lpszObjectName, LPCSTR lpszVersion, LPCSTR lpszReferrer, LPCSTR *lplpszAcceptTypes, DWORD dwFlags, DWORD_PTR dwContext)
{
    HINTERNET hReq;

    UnHookAPI("HttpOpenRequestA", "wininet.dll", _OpenReqA);
    hReq = HttpOpenRequestA(hConnect, lpszVerb, lpszObjectName, lpszVersion,
                            lpszReferrer, lplpszAcceptTypes, dwFlags, dwContext);
    _OpenReqA = HookAPI("HttpOpenRequestA", "wininet.dll", (DWORD) _HttpOpenRequestA);

    return hReq;
}
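/*
 * _HttpSendRequestW - replacement for HttpSendRequestW (wininet.dll).
 *
 * Hands the headers (when dwHeadersLength is non-zero) and the optional body
 * (when dwOptionalLength is non-zero) to addHeadersW / addOptionalW, writes
 * the shared wrequest buffer to the debugger output between two newline
 * markers, frees it, and then forwards the call to the real HttpSendRequestW
 * with the hook lifted.
 *
 * Returns the result of the real API.
 *
 * Changes from the previous revision: wrequest is reset to NULL after it is
 * freed so a later call cannot append to, print or free a dangling pointer,
 * and the unused stack array was dropped. The disabled inline request builder
 * was removed; addHeadersW / addOptionalW replace it.
 *
 * NOTE(review): the logged request can contain credentials; debug output is
 * readable by any attached debug listener.
 * NOTE(review): wrequest is shared state with no locking visible here, and
 * the unhook / call / rehook window is not synchronized across threads.
 */
BOOL WINAPI _HttpSendRequestW(HINTERNET hRequest, LPCWSTR lpszHeaders, DWORD dwHeadersLength, LPVOID lpOptional, DWORD dwOptionalLength)
{
    BOOL ret;

    if (dwHeadersLength)
        addHeadersW(lpszHeaders);
    if (dwOptionalLength)
        addOptionalW(lpOptional, dwOptionalLength);

    OutputDebugStringW(L"\n");
    if (wrequest)                 /* nothing was accumulated for this request */
        OutputDebugStringW(wrequest);
    OutputDebugStringW(L"\n");

    free(wrequest);
    wrequest = NULL;              /* the buffer is gone; do not leave the global dangling */

    UnHookAPI("HttpSendRequestW", "wininet.dll", _SendReqW);
    ret = HttpSendRequestW(hRequest, lpszHeaders, dwHeadersLength, lpOptional, dwOptionalLength);
    _SendReqW = HookAPI("HttpSendRequestW", "wininet.dll", (DWORD) _HttpSendRequestW);

    return ret;
}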
//------------------------------------------------------------------------------------------ // Function name: DllMain // Description: The dll's main entry point // Parameters: Parameters are used to determine the creation purpose. // Returns: TRUE. //------------------------------------------------------------------------------------------ BOOL APIENTRY DllMain(HMODULE hModule, DWORD ul_reason_for_call, LPVOID lpReserved) { if (ul_reason_for_call == DLL_PROCESS_ATTACH) { //DisableThreadLibraryCalls(hModule); HookHandle = hModule; HookAPI(); } else if (ul_reason_for_call == DLL_PROCESS_DETACH) { UnhookAPI(); } return TRUE; }
/*
 * _InternetConnectA - replacement for InternetConnectA (wininet.dll).
 *
 * Writes the server name to the debugger output, then removes its own hook,
 * forwards every argument unchanged to the real InternetConnectA, re-installs
 * the hook, and returns the handle the real API produced.
 *
 * NOTE(review): msg is a shared buffer declared elsewhere and sprintf does not
 * bound the write, so an over-long server name can overflow it; a NULL
 * lpszServerName is also passed straight to %s. Both need a fix once msg's
 * declared size is known here.
 * NOTE(review): the unhook / call / rehook window is not synchronized across
 * threads, and the (DWORD) cast assumes 32-bit pointers.
 */
HINTERNET WINAPI _InternetConnectA(HINTERNET hInternet, LPCSTR lpszServerName, INTERNET_PORT nServerPort, LPCSTR lpszUsername, LPCSTR lpszPassword, DWORD dwService, DWORD dwFlags, DWORD_PTR dwContext)
{
    HINTERNET hConn;

    /* Trace the target host only; user name and password are not logged. */
    sprintf(msg, "_InternetConnectA - %s", lpszServerName);
    OutputDebugStringA(msg);

    UnHookAPI("InternetConnectA", "wininet.dll", _InternetConA);
    hConn = InternetConnectA(hInternet, lpszServerName, nServerPort, lpszUsername,
                             lpszPassword, dwService, dwFlags, dwContext);
    _InternetConA = HookAPI("InternetConnectA", "wininet.dll", (DWORD) _InternetConnectA);

    return hConn;
}
/*
 * UninstallTextOutHooks - undo the TextOut / ExtTextOut hooks in gdi32.dll.
 *
 * For every export whose saved *Ori pointer is non-NULL, HookAPI is called
 * with that saved pointer in the replacement position and NULL in the output
 * position. The routine then sleeps for 20 ms.
 *
 * The saved pointers are left as they are: the original author disabled the
 * reset of ExtTextOutWOri because a hook body might still be running.
 */
static void UninstallTextOutHooks()
{
    if (TextOutAOri)
        HookAPI("gdi32.dll", "TextOutA", (PROC)TextOutAOri, NULL);

    if (TextOutWOri)
        HookAPI("gdi32.dll", "TextOutW", (PROC)TextOutWOri, NULL);

    if (ExtTextOutAOri)
        HookAPI("gdi32.dll", "ExtTextOutA", (PROC)ExtTextOutAOri, NULL);

    if (ExtTextOutWOri)
        HookAPI("gdi32.dll", "ExtTextOutW", (PROC)ExtTextOutWOri, NULL);

    /*
     * Grace period for hook bodies that are still executing. The original
     * author was unsure it is needed and observed that it does not seem to
     * help; it is a delay, not a synchronization guarantee.
     * NOTE(review): what happens when a hook runs while the hooks are being
     * removed is an open question in the original.
     */
    Sleep(20);
}
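/*
 * _InternetConnectW - replacement for InternetConnectW (wininet.dll).
 *
 * Remembers the server name in the shared whost buffer, then removes its own
 * hook, forwards every argument unchanged to the real InternetConnectW,
 * re-installs the hook, and returns the handle the real API produced.
 *
 * A NULL lpszServerName is no longer copied (whost is left zeroed); the real
 * API still receives the NULL and reports the error itself.
 *
 * NOTE(review): ZeroMemory takes a byte count, so MAX_PATH clears only
 * MAX_PATH / sizeof(WCHAR) characters of whost.
 * NOTE(review): wcscpy does not bound the copy; whost is declared elsewhere,
 * so limit the copy to its declared capacity once that is known here.
 * NOTE(review): the unhook / call / rehook window is not synchronized across
 * threads, and the (DWORD) cast assumes 32-bit pointers.
 */
HINTERNET WINAPI _InternetConnectW(HINTERNET hInternet, LPCWSTR lpszServerName, INTERNET_PORT nServerPort, LPCWSTR lpszUsername, LPCWSTR lpszPassword, DWORD dwService, DWORD dwFlags, DWORD_PTR dwContext)
{
    HINTERNET ret;

    ZeroMemory(whost, MAX_PATH);
    if (lpszServerName)           /* do not dereference a NULL host inside the hook */
        wcscpy(whost, lpszServerName);

    UnHookAPI("InternetConnectW", "wininet.dll", _InternetConW);
    ret = InternetConnectW(hInternet, lpszServerName, nServerPort, lpszUsername, lpszPassword, dwService, dwFlags, dwContext);
    _InternetConW = HookAPI("InternetConnectW", "wininet.dll", (DWORD) _InternetConnectW);

    return ret;
}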
/// /// @brief /// void StartHook() { pRule = new CWeb_Rule; InitializeMadCHook(); /// TODO : CoCreateInstance Hook HookAPI("ntdll.dll", "ZwResumeThread", (PVOID)ZwResumeThreadCallback, (PVOID*)&ZwResumeThreadNext); HookAPI("Comdlg32.dll", "GetOpenFileNameW", (PVOID)GetOpenFileNameWCallback, (PVOID*)&GetOpenFileNameWNext); HookAPI("Comdlg32.dll", "GetOpenFileNameA", (PVOID)GetOpenFileNameACallback, (PVOID*)&GetOpenFileNameANext); HookAPI("Shell32.dll", "DragQueryFileW", (PVOID)DragQueryFileWCallback, (PVOID*)&DragQueryFileWNext); HookAPI("Shell32.dll", "DragQueryFileA", (PVOID)DragQueryFileACallback, (PVOID*)&DragQueryFileANext); HookAPI("Ws2_32.dll", "send", (PVOID)sendCallback, (PVOID*)&sendNext); HookAPI("Ws2_32.dll", "WSASend", (PVOID)WSASendCallback, (PVOID*)&WSASendNext); HookAPI("Wininet.dll", "InternetWriteFile", (PVOID)InternetWriteFileCallback, (PVOID*)&InternetWriteFileNext); HookAPI("Ole32.dll", "CoCreateInstance", CoCreateInstanceCallback, (PVOID*) &CoCreateInstanceNext); }
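/*
 * _InternetCloseHandle - replacement for InternetCloseHandle (wininet.dll).
 *
 * Before the handle is closed, asks HttpQueryInfoA for the raw response
 * headers and writes them to the debugger output. It then removes its own
 * hook, forwards the call to the real InternetCloseHandle, re-installs the
 * hook, and returns the real API's result.
 *
 * Fix: the previous revision passed a buffer length of 0 to HttpQueryInfoA,
 * so the query could never succeed and the still-zeroed buffer was printed.
 * The real capacity is now passed (less one byte so the buffer always ends
 * in a NUL), and the query result and the allocation are both checked.
 *
 * NOTE(review): unlike the other hooks in this file the function is declared
 * without WINAPI, while InternetCloseHandle itself is WINAPI; confirm the
 * calling convention matches on the build target.
 * NOTE(review): the unhook / call / rehook window is not synchronized across
 * threads, and the (DWORD) cast assumes 32-bit pointers.
 */
BOOL _InternetCloseHandle(HINTERNET hInternet)
{
    BOOL ret;
    LPVOID data;
    DWORD size;
    const DWORD capacity = 10240 * sizeof(BYTE);

    data = calloc(1, capacity);   /* zero-filled, as before */
    if (data) {
        size = capacity - 1;      /* in: bytes available; out: bytes written */
        /* Fails for handles that are not HTTP requests; nothing is printed then. */
        if (HttpQueryInfoA(hInternet, HTTP_QUERY_RAW_HEADERS_CRLF, data, &size, 0) && size)
            OutputDebugStringA((LPCSTR) data);
        free(data);
    }

    UnHookAPI("InternetCloseHandle", "wininet.dll", _Close);
    ret = InternetCloseHandle(hInternet);
    _Close = HookAPI("InternetCloseHandle", "wininet.dll", (DWORD) _InternetCloseHandle);

    return ret;
}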
// CHookAPI constructor - installs and enables three hooks:
//   * CreateFileW (KERNEL32.dll), with the DuiLib module handle as the fourth
//     HookAPI argument; the value HookAPI returns is kept in CreateFileAPI;
//   * CPaintManagerUI::Invalidate in the DuiLib DLL;
//   * CPaintManagerUI::GetImageEx in the DuiLib DLL.
// Debug builds use Duilib_ud.dll, all other builds Duilib_u.dll; nothing else
// differs between the two configurations.
//
// NOTE(review): the two DuiLib exports are addressed by their decorated C++
// names, so the hooks only match a DuiLib build that produces exactly these
// names.
// NOTE(review): GetModuleHandle yields NULL when the DLL is not loaded yet,
// and no HookAPI result is checked before the Enable* calls.
CHookAPI::CHookAPI(void)
{
#ifdef _DEBUG
#define DUILIB_MODULE _T("Duilib_ud.dll")
#else
#define DUILIB_MODULE _T("Duilib_u.dll")
#endif

    CreateFileAPI = (pfnCreateFile)HookAPI(_T("KERNEL32.dll"),
                                           LPCSTR("CreateFileW"),
                                           (FARPROC)Hook_CreateFile,
                                           GetModuleHandle(DUILIB_MODULE));
    EnableCreateFile(true);

    HookAPI(DUILIB_MODULE,
            LPCSTR("?Invalidate@CPaintManagerUI@DuiLib@@QAEXAAUtagRECT@@@Z"),
            (FARPROC)Hook_Invalidate,
            m_InvalidateHookInfo);
    EnableInvalidate(true);

    HookAPI(DUILIB_MODULE,
            LPCSTR("?GetImageEx@CPaintManagerUI@DuiLib@@QAEPAUtagTImageInfo@2@PB_W0K@Z"),
            (FARPROC)Hook_GetImageEx,
            m_GetImageExHookInfo);
    EnableGetImageEx(true);

#undef DUILIB_MODULE
}
// HookedInit - event-style callback that installs the hooks.
// Both message parameters are unnamed and ignored; HookAPI()'s result, if it
// has one, is discarded. Always returns 0.
int HookedInit(WPARAM, LPARAM)
{
    HookAPI();

    return 0;
}
/*
 * HookedInit - event-style callback that installs the hooks.
 *
 * wParam, lParam: not used.
 * Returns 0 unconditionally; HookAPI()'s result, if it has one, is discarded.
 */
int HookedInit(WPARAM wParam, LPARAM lParam)
{
    (void)wParam;   /* unused */
    (void)lParam;   /* unused */

    HookAPI();

    return 0;
}