bool FKRuijie() { NTSTATUS NtStatus; ULONG ACLEntries[1] = {0}; TRACED_HOOK_HANDLE hHook = new HOOK_TRACE_INFO(); hProcSetTimer = (FUNC)GetProcAddress(LoadLibraryA("user32.dll"), "SetTimer"); FORCE(LhInstallHook( hProcSetTimer, SetTimerHook, (PVOID)0x12345678, hHook)); FORCE(LhSetInclusiveACL(ACLEntries, 1, hHook)); return TRUE; ERROR_ABORT: if(hHook != NULL) delete hHook; if(RtlGetLastError() != 0) MessageBoxA(NULL, "ERROR", "FKAdvapi", 0); return NtStatus; }
VoodooResult VOODOO_METHODTYPE VSHookManager::Add(_In_ const String & name, _In_ void * pSrc, _In_ void * pDest) { VOODOO_DEBUG_FUNCLOG(m_Core->GetLogger()); HookMap::iterator hook = m_Hooks.find(name); if (hook != m_Hooks.end()) { m_Core->GetLogger()->LogMessage ( VSLog_PlugError, VOODOO_HOOKMANAGER_NAME, StringFormat(VSTR("Attempted to create a hook with a duplicate name (%1%).")) << name ); return VSFERR_INVALIDPARAMS; } m_Core->GetLogger()->LogMessage ( VSLog_PlugDebug, VOODOO_HOOKMANAGER_NAME, StringFormat(VSTR("Creating hook %1%. Redirecting function %2% to %3%.")) << name << pSrc << pDest ); TRACED_HOOK_HANDLE hookHandle = new HOOK_TRACE_INFO(); NTSTATUS result = LhInstallHook(pSrc, pDest, nullptr, hookHandle); if (result == STATUS_NOT_SUPPORTED || result == STATUS_NO_MEMORY || result == STATUS_INSUFFICIENT_RESOURCES) { if (hookHandle) { delete hookHandle; } m_Core->GetLogger()->LogMessage ( VSLog_PlugError, VOODOO_HOOKMANAGER_NAME, StringFormat(VSTR("Error %1 creating hook %s.")) << (uint32_t)result << name ); return VSFERR_INVALIDCALL; } else { LhSetInclusiveACL(m_ThreadIDs, m_ThreadCount, hookHandle); m_Hooks[name] = hookHandle; return VSF_OK; } }
void __stdcall NativeInjectionEntryPoint(REMOTE_ENTRY_INFO* inRemoteInfo) { std::cout << "\n\nNativeInjectionEntryPointt(REMOTE_ENTRY_INFO* inRemoteInfo)\n\n" << "IIIII jjj tt dd !!! \n" " III nn nnn eee cccc tt eee dd !!! \n" " III nnn nn jjj ee e cc tttt ee e dddddd !!! \n" " III nn nn jjj eeeee cc tt eeeee dd dd \n" "IIIII nn nn jjj eeeee ccccc tttt eeeee dddddd !!! \n" " jjjj \n\n"; std::cout << "NativeInjectionEntryPoint: Injected by process Id: " << inRemoteInfo->HostPID << "\n"; std::cout << "NativeInjectionEntryPoint: Passed in data size: " << inRemoteInfo->UserDataSize << "\n"; if (inRemoteInfo->UserDataSize == sizeof(DWORD)) { gFreqOffset = *reinterpret_cast<DWORD *>(inRemoteInfo->UserData); std::cout << "NativeInjectionEntryPoint: Adjusting Beep frequency by: " << gFreqOffset << "\n"; } // Perform hooking HOOK_TRACE_INFO hHook = { NULL }; // keep track of our hook std::cout << "\n"; std::cout << "NativeInjectionEntryPoint: Win32 Beep found at address: " << GetProcAddress(GetModuleHandle(TEXT("kernel32")), "Beep") << "\n"; // Install the hook NTSTATUS result = LhInstallHook( GetProcAddress(GetModuleHandle(TEXT("kernel32")), "Beep"), myBeepHook, NULL, &hHook); if (FAILED(result)) { std::wstring s(RtlGetLastErrorString()); std::wcout << "NativeInjectionEntryPoint: Failed to install hook: " << s << "\n"; } else { std::cout << "NativeInjectionEntryPoint: Hook 'myBeepHook installed successfully.\n"; } // If the threadId in the ACL is set to 0, // then internally EasyHook uses GetCurrentThreadId() ULONG ACLEntries[1] = { 0 }; // Disable the hook for the provided threadIds, enable for all others LhSetExclusiveACL(ACLEntries, 1, &hHook); return; }
extern "C" __declspec(dllexport) void __stdcall NativeInjectionEntryPoint(REMOTE_ENTRY_INFO*) { try { TRACED_HOOK_HANDLE globalallochook(new HOOK_TRACE_INFO()); LhInstallHook(GetProcAddress(GetModuleHandleW(L"ntdll"), "RtlAllocateHeap"), MyRtlAllocateHeap, NULL, globalallochook); ULONG ulTidList[1] = {}; LhSetExclusiveACL(ulTidList, 0, globalallochook); g_vApiHookHandles.push_back(globalallochook); // Wakeup the suspended process... RhWakeUpProcess(); } catch (...) { ::OutputDebugStringW(L"Faultron: NativeInjectionEntryPoint() exception."); RemoveAllApiHooks(); } }
bool gdimm_hook::install_hook(HMODULE h_lib, LPCSTR proc_name, void *hook_proc) { NTSTATUS eh_ret; const FARPROC proc_addr = GetProcAddress(h_lib, proc_name); assert(proc_addr != NULL); TRACED_HOOK_HANDLE h_hook = new HOOK_TRACE_INFO(); eh_ret = LhInstallHook(proc_addr, hook_proc, NULL, h_hook); assert(eh_ret == 0); ULONG thread_id_list = 0; eh_ret = LhSetExclusiveACL(&thread_id_list, 0, h_hook); assert(eh_ret == 0); _hooks.push_back(h_hook); return true; }
BOOL CInjection::HookApi(void) { if( !MethodDesc::IsInitialized() ) { s_nStatus = Status_Error_MethodDescInitializationFailed; return FALSE; } if( !LoadedMethodDescIterator::IsInitialized() ) { s_nStatus = Status_Error_LoadedMethodDescIteratorInitializationFailed; return FALSE; } PFN_compileMethod pfnCompileMethod = &CInjection::compileMethod; LPVOID * pAddr = (LPVOID*)&pfnCompileMethod; NTSTATUS ntStatus = LhInstallHook( (PVOID&)ICorJitCompiler::s_pfnComplieMethod , *pAddr , NULL , &s_hHookCompileMethod ); if( ntStatus != STATUS_SUCCESS ) { s_nStatus = Status_Error_HookCompileMethodFailed; return FALSE; } ULONG ulThreadID = GetCurrentProcessId(); LhSetExclusiveACL( &ulThreadID, 1, &s_hHookCompileMethod); s_nStatus = Status_Ready; return TRUE; }
extern "C" int main(int argc, wchar_t* argv[]) { TRACED_HOOK_HANDLE hHook = new HOOK_TRACE_INFO(); NTSTATUS NtStatus; ULONG ACLEntries[1] = {0}; UNICODE_STRING* NameBuffer = NULL; ORIG_CreateFontIndirectW = CreateFontIndirectW; FORCE(LhInstallHook( ORIG_CreateFontIndirectW, IMPL_CreateFontIndirectW, (PVOID)0, hHook)); FORCE(LhSetInclusiveACL(ACLEntries, 1, hHook)); CreateFontIndirectW(0); CreateFontW(10, 10, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, L"system"); LOGFONTA lf = {}; CreateFontIndirectA(&lf); CreateFontA(12, 0, 0, 0, 400, 0, 0, 0, 2, 0, 0, 0, 0, "MARLETT"); #if 0 ORIG_GetTextExtentPoint32A = GetTextExtentPoint32A; FORCE(LhInstallHook( ORIG_GetTextExtentPoint32A, IMPL_GetTextExtentPoint32A, (PVOID)0, hHook)); HDC hdc = GetDC(NULL); SIZE size; FORCE(LhSetInclusiveACL(ACLEntries, 1, hHook)); GetTextExtentPoint32W(hdc, L"abc", 3, &size); GetTextExtentPointW(hdc, L"abc", 3, &size); GetTextExtentPoint32A(hdc, "abc", 3, &size); GetTextExtentPointA(hdc, "abc", 3, &size); #endif #if 0 ORIG_MessageBeepHook = MessageBeep; /* The following shows how to install and remove local hooks... */ FORCE(LhInstallHook( ORIG_MessageBeepHook, MessageBeepHook, (PVOID)0, hHook)); printf(".\n"); // won't invoke the hook handler because hooks are inactive after installation MessageBeep(123); getch(); BOOL flags = 1; FORCE(LhIsThreadIntercepted(hHook, 0, &flags)); printf("Intercepted %d\n", flags); // activate the hook for the current thread FORCE(LhSetInclusiveACL(ACLEntries, 1, hHook)); FORCE(LhIsThreadIntercepted(hHook, 0, &flags)); printf("Intercepted %d\n", flags); printf(".\n"); // will be redirected into the handler... MessageBeep(123); getch(); FORCE(LhSetGlobalExclusiveACL(ACLEntries, 1)); printf(".\n"); // will be redirected into the handler... MessageBeep(123); getch(); FORCE(LhSetGlobalInclusiveACL(ACLEntries, 1)); printf(".\n"); // will be redirected into the handler... MessageBeep(123); getch(); printf(".\n"); // won't invoke the hook handler because hooks are inactive after installation ORIG_MessageBeepHook(123); getch(); #endif // this will also invalidate "hHook", because it is a traced handle... LhUninstallAllHooks(); // this will do nothing because the hook is already removed... LhUninstallHook(hHook); printf(".\n"); // will be redirected into the handler... MessageBeep(123); getch(); // now we can safely release the traced handle delete hHook; hHook = NULL; // even if the hook is removed, we need to wait for memory release LhWaitForPendingRemovals(); return 0; ERROR_ABORT: if(hHook != NULL) delete hHook; if(NameBuffer != NULL) free(NameBuffer ); printf("\n[Error(0x%p)]: \"%S\" (code: %d {0x%p})\n", (PVOID)NtStatus, RtlGetLastErrorString(), RtlGetLastError(), (PVOID)RtlGetLastError()); _getch(); return NtStatus; }
extern "C" int main(int argc, wchar_t* argv[]) { HMODULE hUser32 = LoadLibraryA("user32.dll"); TRACED_HOOK_HANDLE hHook = new HOOK_TRACE_INFO(); NTSTATUS NtStatus; ULONG ACLEntries[1] = {0}; UNICODE_STRING* NameBuffer = NULL; HANDLE hRemoteThread; // test driver... printf("Installing support driver...\n"); FORCE(RhInstallSupportDriver()); printf("Installing test driver...\n"); if(RhIsX64System()) FORCE(RhInstallDriver(L"TestDriver64.sys", L"TestDriver64.sys")) else FORCE(RhInstallDriver(L"TestDriver32.sys", L"TestDriver32.sys")); // test stealth thread creation... printf("Testing stealth thread creation...\n"); hRemoteThread = CreateThread(NULL, 0, TestThread, NULL, 0, NULL); FORCE(RhCreateStealthRemoteThread(GetCurrentProcessId(), HijackEntry, (PVOID)0x12345678, &hRemoteThread)); Sleep(500); /* The following shows how to install and remove local hooks... */ FORCE(LhInstallHook( GetProcAddress(hUser32, "MessageBeep"), MessageBeepHook, (PVOID)0x12345678, hHook)); // won't invoke the hook handler because hooks are inactive after installation MessageBeep(123); // activate the hook for the current thread FORCE(LhSetInclusiveACL(ACLEntries, 1, hHook)); // will be redirected into the handler... MessageBeep(123); // this will also invalidate "hHook", because it is a traced handle... LhUninstallAllHooks(); // this will do nothing because the hook is already removed... LhUninstallHook(hHook); // now we can safely release the traced handle delete hHook; hHook = NULL; // even if the hook is removed, we need to wait for memory release LhWaitForPendingRemovals(); /* In many situations you will need the handler utilities. */ HANDLE Handle = CreateEventA(NULL, TRUE, FALSE, "MyEvent"); ULONG RequiredSize; ULONG RealThreadId; ULONG ThreadId; // handle to name if(!SUCCEEDED(NtStatus = DbgHandleToObjectName(Handle, NULL, 0, &RequiredSize))) goto ERROR_ABORT; NameBuffer = (UNICODE_STRING*)malloc(RequiredSize); FORCE(DbgHandleToObjectName(Handle, NameBuffer, RequiredSize, &RequiredSize)); printf("\n[Info]: Event name is \"%S\".\n", NameBuffer->Buffer); // handle to thread ID Handle = CreateThread(NULL, 0, NULL, NULL, CREATE_SUSPENDED, &RealThreadId); FORCE(DbgGetThreadIdByHandle(Handle, &ThreadId)); if(ThreadId != RealThreadId) return EXIT_FAILURE; _getch(); return 0; ERROR_ABORT: if(hHook != NULL) delete hHook; if(NameBuffer != NULL) free(NameBuffer ); printf("\n[Error(0x%p)]: \"%S\" (code: %d {0x%p})\n", (PVOID)NtStatus, RtlGetLastErrorString(), RtlGetLastError(), (PVOID)RtlGetLastError()); _getch(); return NtStatus; }
void CWinSystemWin32DX::InitHooks(IDXGIOutput* pOutput) { DXGI_OUTPUT_DESC outputDesc; if (!pOutput || FAILED(pOutput->GetDesc(&outputDesc))) return; DISPLAY_DEVICEW displayDevice; displayDevice.cb = sizeof(DISPLAY_DEVICEW); DWORD adapter = 0; bool deviceFound = false; // delete exiting hooks. UninitHooks(); // enum devices to find matched while (EnumDisplayDevicesW(nullptr, adapter, &displayDevice, 0)) { if (wcscmp(displayDevice.DeviceName, outputDesc.DeviceName) == 0) { deviceFound = true; break; } adapter++; } if (!deviceFound) return; CLog::Log(LOGDEBUG, __FUNCTION__": Hooking into UserModeDriver on device %S. ", displayDevice.DeviceKey); wchar_t* keyName = #ifndef _M_X64 // on x64 system and x32 build use UserModeDriverNameWow key CSysInfo::GetKernelBitness() == 64 ? keyName = L"UserModeDriverNameWow" : #endif // !_WIN64 L"UserModeDriverName"; DWORD dwType = REG_MULTI_SZ; HKEY hKey = nullptr; wchar_t value[1024]; DWORD valueLength = sizeof(value); LSTATUS lstat; // to void \Registry\Machine at the beginning, we use shifted pointer at 18 if (ERROR_SUCCESS == (lstat = RegOpenKeyExW(HKEY_LOCAL_MACHINE, displayDevice.DeviceKey + 18, 0, KEY_READ, &hKey)) && ERROR_SUCCESS == (lstat = RegQueryValueExW(hKey, keyName, nullptr, &dwType, (LPBYTE)&value, &valueLength))) { // 1. registry value has a list of drivers for each API with the following format: dx9\0dx10\0dx11\0dx12\0\0 // 2. we split the value by \0 std::vector<std::wstring> drivers; const wchar_t* pValue = value; while (*pValue) { drivers.push_back(std::wstring(pValue)); pValue += drivers.back().size() + 1; } // no entries in the registry if (drivers.empty()) return; // 3. we take only first three values (dx12 driver isn't needed if it exists ofc) if (drivers.size() > 3) drivers = std::vector<std::wstring>(drivers.begin(), drivers.begin() + 3); // 4. and then iterate with reverse order to start iterate with the best candidate for d3d11 driver for (auto it = drivers.rbegin(); it != drivers.rend(); ++it) { m_hDriverModule = LoadLibraryW(it->c_str()); if (m_hDriverModule != nullptr) { s_fnOpenAdapter10_2 = reinterpret_cast<PFND3D10DDI_OPENADAPTER>(GetProcAddress(m_hDriverModule, "OpenAdapter10_2")); if (s_fnOpenAdapter10_2 != nullptr) { ULONG ACLEntries[1] = { 0 }; m_hHook = new HOOK_TRACE_INFO(); // install and activate hook into a driver if (SUCCEEDED(LhInstallHook(s_fnOpenAdapter10_2, HookOpenAdapter10_2, nullptr, m_hHook)) && SUCCEEDED(LhSetInclusiveACL(ACLEntries, 1, m_hHook))) { CLog::Log(LOGDEBUG, __FUNCTION__": D3D11 hook installed and activated."); break; } else { CLog::Log(LOGDEBUG, __FUNCTION__": Unable ot install and activate D3D11 hook."); SAFE_DELETE(m_hHook); FreeLibrary(m_hDriverModule); m_hDriverModule = nullptr; } } } } } if (lstat != ERROR_SUCCESS) CLog::Log(LOGDEBUG, __FUNCTION__": error open registry key with error %ld.", lstat); if (hKey != nullptr) RegCloseKey(hKey); }