/*
 * Install an inline hook on the DirectInput8Create export of dinput8.dll.
 *
 * Only an image that is already mapped into this process is used: the DLL
 * is never loaded here, and if it is not present the LdrGetDllHandle status
 * is returned unchanged.
 *
 * ModuleBase  optional out; receives the base address of dinput8.dll.
 * Context     stored in the global DInput8CallbackContext for the hook
 *             callback (HookDirectInput8Create) to pick up.
 *
 * Returns the LdrGetDllHandle status when the DLL is not mapped,
 * STATUS_UNSUCCESSFUL when the export cannot be resolved, and otherwise
 * whatever Nt_PatchMemory returns. ModuleBase and the callback context are
 * written even when the patch itself failed, so callers must look at the
 * status and not assume the hook is live.
 *
 * NOTE(review): this rewrites the first bytes of an export inside a system
 * DLL mapped in-process. Anything that verifies the integrity of
 * dinput8.dll, or another hook already placed on the same export, will
 * conflict with it; a failure status means "no hook installed".
 */
NTSTATUS HookDirectInput8(PVOID *ModuleBase, PDHOOK_HOOK_INFO Context)
{
    typedef HRESULT (WINAPI *PFN_DIRECTINPUT8CREATE)(HINSTANCE, DWORD, REFIID, PVOID *, LPUNKNOWN);

    NTSTATUS                Status;
    UNICODE_STRING          DllName;
    PVOID                   ModuleHandle;
    PFN_DIRECTINPUT8CREATE  DirectInput8Create;

    RTL_CONST_STRING(DllName, L"dinput8.dll");

    /* Locate the already-mapped image; nothing is loaded on our behalf. */
    Status = LdrGetDllHandle(NULL, 0, &DllName, &ModuleHandle);
    if (!NT_SUCCESS(Status))
        return Status;

    /* Direct function-pointer cast instead of writing through a PVOID alias. */
    DirectInput8Create = (PFN_DIRECTINPUT8CREATE)Nt_GetProcAddress(ModuleHandle, "DirectInput8Create");
    if (DirectInput8Create == NULL)
        return STATUS_UNSUCCESSFUL;

    /* One patch entry: jump from the export to HookDirectInput8Create,
       with StubDirectInput8Create as the macro's third operand. */
    MEMORY_FUNCTION_PATCH Patches[] =
    {
        INLINE_HOOK_JUMP(DirectInput8Create, HookDirectInput8Create, StubDirectInput8Create),
    };

    Status = Nt_PatchMemory(NULL, 0, Patches, countof(Patches), NULL);

    /* Outputs are published regardless of the patch result (as before). */
    if (ModuleBase != NULL)
        *ModuleBase = ModuleHandle;

    DInput8CallbackContext = Context;

    return Status;
}
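/*
 * Command-line entry point: for each path in argv, start the target
 * suspended and inject XP3Viewer.dll (taken from this executable's own
 * directory) into it.
 *
 * argc/argv  program arguments; argv[1..] are executable paths or .lnk
 *            shortcuts, which are resolved through GetPathFromLinkFile.
 *
 * Each failure is reported on the console and the loop moves on to the
 * next argument. No return value.
 *
 * Changes from the original: the RtlGetFullPathName_U result is checked
 * (an uninitialised buffer was otherwise passed as the child's working
 * directory), the DLL name is only appended when it fits in szDllPath,
 * and the dead #if 0 experiments were removed.
 */
ForceInline VOID main2(Int argc, WChar **argv)
{
    NTSTATUS            Status;
    BOOLEAN             PrivilegeWasEnabled;
    BOOL                Created;
    WCHAR               *pExePath, szDllPath[MAX_NTPATH], FullExePath[MAX_NTPATH];
    STARTUPINFOW        si;
    PROCESS_INFORMATION pi;
    ULONG               Length;
    UNICODE_STRING      DllFullPath;

    if (argc == 1)
        return;

    /* Best effort, result ignored as in the original: SeDebugPrivilege is
       only needed for targets we could not otherwise open. */
    RtlAdjustPrivilege(SE_DEBUG_PRIVILEGE, TRUE, FALSE, &PrivilegeWasEnabled);

    while (--argc)
    {
        pExePath = findextw(*++argv);

        /* Resolve .lnk shortcuts to their target. NOTE(review): the 4-WCHAR
           compare reads 8 bytes at the extension pointer; it relies on
           findextw returning a pointer into the argument with at least four
           characters (or readable memory) after it - confirm against findextw. */
        if (CHAR_UPPER4W(*(PULONG64)pExePath) == CHAR_UPPER4W(TAG4W('.LNK')))
        {
            if (FAILED(GetPathFromLinkFile(*argv, FullExePath, countof(FullExePath))))
                pExePath = *argv;
            else
                pExePath = FullExePath;
        }
        else
        {
            pExePath = *argv;
        }

        /* Full path of the target, then stripped to its directory to serve
           as the child's working directory. A zero return means failure and
           leaves szDllPath undefined, so do not use it. */
        if (RtlGetFullPathName_U(pExePath, sizeof(szDllPath), szDllPath, NULL) == 0)
        {
            PrintConsoleW(L"%s: RtlGetFullPathName_U() failed\n", pExePath);
            continue;
        }
        rmnamew(szDllPath);

        ZeroMemory(&si, sizeof(si));
        si.cb = sizeof(si);

        /* NOTE(review): pExePath goes in as the command line with no
           application name and no quoting. If the path contains spaces,
           CreateProcess tries each space-delimited prefix first (CWE-428)
           and can start a different binary than the one named; quoting the
           path or passing it as lpApplicationName closes that. Kept as-is
           to preserve the original lookup semantics. */
        Created = CreateProcessInternalW(
                    NULL,
                    pExePath,
                    NULL,
                    NULL,
                    NULL,
                    FALSE,
                    CREATE_SUSPENDED,
                    NULL,
                    *szDllPath == 0 ? NULL : szDllPath,
                    &si,
                    &pi,
                    NULL);

        if (!Created)
        {
            PrintConsoleW(L"%s: CreateProcess() failed\n", pExePath);
            continue;
        }

        /* Build "<our exe directory>XP3Viewer.dll" in szDllPath. Length is
           in WCHARs: it is used as an index here and scaled by sizeof(WCHAR)
           for the UNICODE_STRING below. Refuse instead of overflowing when
           the name (plus terminator) does not fit. */
        Length = Nt_GetExeDirectory(szDllPath, countof(szDllPath));
        if (Length + CONST_STRLEN(L"XP3Viewer.dll") + 1 > countof(szDllPath))
        {
            PrintConsoleW(L"%s: DLL path too long\n", pExePath);
            NtTerminateProcess(pi.hProcess, 0);
            NtClose(pi.hProcess);
            NtClose(pi.hThread);
            continue;
        }
        CopyStruct(szDllPath + Length, L"XP3Viewer.dll", sizeof(L"XP3Viewer.dll"));

        DllFullPath.Buffer        = szDllPath;
        DllFullPath.Length        = (USHORT)((Length + CONST_STRLEN(L"XP3Viewer.dll")) * sizeof(WCHAR));
        DllFullPath.MaximumLength = DllFullPath.Length;

        Status = InjectDllToRemoteProcess(pi.hProcess, pi.hThread, &DllFullPath, FALSE);

        /* A target we could not inject into is killed rather than left
           suspended. NOTE(review): on success the child was created
           suspended and both handles are closed right here, so whether it
           ever runs depends on InjectDllToRemoteProcess resuming hThread -
           confirm. */
        if (!NT_SUCCESS(Status))
            NtTerminateProcess(pi.hProcess, 0);

        NtClose(pi.hProcess);
        NtClose(pi.hThread);
    }
}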
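/*
 * Create a process through the native API (RtlCreateUserProcess) rather
 * than CreateProcess.
 *
 * ApplicationName     Win32 (DOS) path of the image, converted to an NT
 *                     path here. Must not be NULL.
 * CommandLine         optional command line for the child; NULL leaves it
 *                     unset.
 * CreationFlags       only CREATE_SUSPENDED is honoured: without it the
 *                     initial thread is resumed before returning. Every
 *                     other Win32 creation flag is ignored.
 * CurrentDirectory    optional working directory for the child.
 * StartupInfo         accepted for signature compatibility, not used.
 * ProcessInformation  optional out; when NULL the process and thread
 *                     handles are closed before returning.
 *
 * Returns STATUS_OBJECT_PATH_NOT_FOUND when the path cannot be converted,
 * otherwise the status of RtlCreateProcessParameters / RtlCreateUserProcess.
 * On success the handles in ProcessInformation are owned by the caller.
 *
 * NOTE(review): a process created this way is not registered with the
 * Win32 subsystem (csrss) the way CreateProcess does it, so it is not a
 * fully initialised Win32 process; unchanged here - confirm it suits the
 * intended targets. The child's DLL search path is copied verbatim from
 * this process's Path variable, so any writable directory on Path is a DLL
 * planting location in the child too; the environment itself is not set
 * explicitly (NULL is passed).
 *
 * Changes from the original: the RtlQueryEnvironmentVariable_U result is
 * checked and DllPath is reset to empty on failure (the buffer was
 * otherwise passed on with whatever Length the failed call left), the
 * unused FullPathBuffer was dropped, and the reserved-style local names
 * (_CommandLine / _CurrentDirectory) were renamed.
 */
NTSTATUS
Nt_CreateProcess(
    LPCWSTR                 ApplicationName,
    LPWSTR                  CommandLine,
    ULONG                   CreationFlags,
    LPCWSTR                 CurrentDirectory,
    LPSTARTUPINFO           StartupInfo,
    LPPROCESS_INFORMATION   ProcessInformation
)
{
    NTSTATUS                        Status;
    WCHAR                           DllPathBuffer[0x3000];
    UNICODE_STRING                  PathVariableName, DllPath, ImagePathName;
    UNICODE_STRING                  CommandLineString, CurrentDirectoryString;
    PUNICODE_STRING                 CommandLineArg, CurrentDirectoryArg;
    PRTL_USER_PROCESS_PARAMETERS    ProcessParameters;
    RTL_USER_PROCESS_INFORMATION    ProcessInfo;

    (void)StartupInfo;  /* not consumed, see header comment */

    if (!RtlDosPathNameToNtPathName_U(ApplicationName, &ImagePathName, NULL, NULL))
        return STATUS_OBJECT_PATH_NOT_FOUND;

    /* The child's DLL search path is our own Path variable. If the query
       fails (e.g. the value does not fit in DllPathBuffer) hand over an
       empty path rather than an unfilled buffer. */
    RTL_CONST_STRING(PathVariableName, L"Path");
    DllPath.Length        = 0;
    DllPath.MaximumLength = sizeof(DllPathBuffer);
    DllPath.Buffer        = DllPathBuffer;
    if (!NT_SUCCESS(RtlQueryEnvironmentVariable_U(NULL, &PathVariableName, &DllPath)))
        DllPath.Length = 0;

    CommandLineArg = NULL;
    if (CommandLine != NULL)
    {
        RtlInitUnicodeString(&CommandLineString, CommandLine);
        CommandLineArg = &CommandLineString;
    }

    CurrentDirectoryArg = NULL;
    if (CurrentDirectory != NULL)
    {
        RtlInitUnicodeString(&CurrentDirectoryString, CurrentDirectory);
        CurrentDirectoryArg = &CurrentDirectoryString;
    }

    Status = RtlCreateProcessParameters(
                &ProcessParameters,
                &ImagePathName,
                &DllPath,
                CurrentDirectoryArg,
                CommandLineArg,
                NULL,   /* Environment */
                NULL,   /* WindowTitle */
                NULL,   /* DesktopInfo */
                NULL,   /* ShellInfo */
                NULL    /* RuntimeData */
             );
    if (!NT_SUCCESS(Status))
    {
        RtlFreeUnicodeString(&ImagePathName);
        return Status;
    }

    ProcessInfo.Size = sizeof(ProcessInfo);
    Status = RtlCreateUserProcess(
                &ImagePathName,
                OBJ_CASE_INSENSITIVE,
                ProcessParameters,
                NULL,   /* ProcessSecurityDescriptor */
                NULL,   /* ThreadSecurityDescriptor */
                NULL,   /* ParentProcess */
                FALSE,  /* InheritHandles */
                NULL,   /* DebugPort */
                NULL,   /* ExceptionPort */
                &ProcessInfo
             );

    /* Neither is needed after the call; release on every path. */
    RtlDestroyProcessParameters(ProcessParameters);
    RtlFreeUnicodeString(&ImagePathName);

    if (!NT_SUCCESS(Status))
        return Status;

    /* The initial thread starts suspended; release it unless the caller
       asked for CREATE_SUSPENDED. */
    if (!FLAG_ON(CreationFlags, CREATE_SUSPENDED))
        NtResumeThread(ProcessInfo.ThreadHandle, NULL);

    if (ProcessInformation == NULL)
    {
        NtClose(ProcessInfo.ProcessHandle);
        NtClose(ProcessInfo.ThreadHandle);
        return Status;
    }

    /* CLIENT_ID carries HANDLE-sized ids; the Win32 structure wants DWORDs. */
    ProcessInformation->dwProcessId = (ULONG)ProcessInfo.ClientId.UniqueProcess;
    ProcessInformation->dwThreadId  = (ULONG)ProcessInfo.ClientId.UniqueThread;
    ProcessInformation->hProcess    = ProcessInfo.ProcessHandle;
    ProcessInformation->hThread     = ProcessInfo.ThreadHandle;

    return Status;
}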