  1. #include <thread>
  2. #include <windows.h>
  3.  
  4. #ifndef __IATHOOK_H
  5. #define __IATHOOK_H
  6.  
  7. #include <iostream>
  8. #include <windows.h>
  9. #include <cstdint>
  10. /*
  11.  * Most of this code was stolen from wikipedia. I've optimized it a tad and put it into a class.
  12.  */
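namespace Iat_hook
{
    /*
     * Locate the IAT slot for `function` (imported by name) in `module`.
     * `module` == 0 means the process's main executable.
     *
     * Returns a pointer to the IAT entry (the pointer-sized slot the loader
     * filled with the resolved address), or nullptr when the image is not a
     * valid PE, has no import directory, or does not import `function` by
     * name. Imports by ordinal cannot be matched against a name and are
     * skipped.
     */
    void** find(const char* function, HMODULE module)
    {
        if (!function)
            return nullptr;
        if (!module)
            module = GetModuleHandle(0);
        if (!module)
            return nullptr;

        unsigned char* base = (unsigned char*)module;

        // Validate the DOS header *before* following e_lfanew. The original
        // code dereferenced the NT headers first and only printed on mismatch.
        PIMAGE_DOS_HEADER dos = (PIMAGE_DOS_HEADER)base;
        if (dos->e_magic != IMAGE_DOS_SIGNATURE) {
            printf("ERROR: e_magic is no valid DOS signature\n");
            return nullptr;
        }
        PIMAGE_NT_HEADERS nt = (PIMAGE_NT_HEADERS)(base + dos->e_lfanew);
        if (nt->Signature != IMAGE_NT_SIGNATURE) {
            printf("ERROR: Signature is no valid PE signature\n");
            return nullptr;
        }

        // No import directory => nothing to patch. Without this check an RVA
        // of 0 would make the DOS header be parsed as import descriptors.
        const IMAGE_DATA_DIRECTORY& dir =
            nt->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_IMPORT];
        if (dir.VirtualAddress == 0 || dir.Size == 0)
            return nullptr;

        for (PIMAGE_IMPORT_DESCRIPTOR iid = (PIMAGE_IMPORT_DESCRIPTOR)(base + dir.VirtualAddress);
             iid->Name != 0; ++iid) {
            // OriginalFirstThunk (import lookup table) still carries the
            // names/ordinals; FirstThunk (IAT) was overwritten with addresses
            // by the loader. Without a lookup table there is no name to match.
            if (iid->OriginalFirstThunk == 0)
                continue;

            PIMAGE_THUNK_DATA lookup = (PIMAGE_THUNK_DATA)(base + iid->OriginalFirstThunk);
            PIMAGE_THUNK_DATA iat    = (PIMAGE_THUNK_DATA)(base + iid->FirstThunk);

            // Both tables are parallel and null-terminated.
            for (; lookup->u1.AddressOfData != 0; ++lookup, ++iat) {
                // Ordinal imports: high bit set, no IMAGE_IMPORT_BY_NAME behind it.
                // (The original tried to detect this by sign-testing the
                // *computed pointer*, which is not reliable.)
                if (IMAGE_SNAP_BY_ORDINAL(lookup->u1.Ordinal))
                    continue;

                PIMAGE_IMPORT_BY_NAME by_name =
                    (PIMAGE_IMPORT_BY_NAME)(base + lookup->u1.AddressOfData);
                if (::strcmp(function, by_name->Name) == 0)
                    return (void**)&iat->u1.Function;
            }
        }

        return nullptr;
    }

    /*
     * Overwrite the IAT entry for `function` in `module` with `newfunction`.
     *
     * Returns the address that was in the slot before (so the caller can
     * chain to the original), or 0 when: the import is not present by name,
     * the slot is empty, it already points at `newfunction`, `newfunction`
     * is null, or the IAT page could not be made writable. Callers must
     * therefore treat 0 as "nothing was patched".
     */
    uintptr_t detour_iat_ptr(const char* function, void* newfunction, HMODULE module = 0)
    {
        void** slot = find(function, module);
        // The original dereferenced `find`'s result unconditionally, so a
        // missing import crashed the host with a null read.
        if (!slot || !newfunction)
            return 0;
        if (*slot == newfunction || *slot == nullptr)
            return 0;

        // The IAT usually lives in a read-only data page. Make just the
        // pointer-sized slot writable and bail out if that fails instead of
        // faulting on the store.
        DWORD old_rights = 0;
        if (!VirtualProtect(slot, sizeof(void*), PAGE_READWRITE, &old_rights))
            return 0;

        const uintptr_t original = (uintptr_t)*slot;
        *slot = newfunction;

        // Restore the previous protection; a failure here leaves the page
        // writable but the hook is already in place, so report success.
        DWORD scratch = 0;
        VirtualProtect(slot, sizeof(void*), old_rights, &scratch);
        return original;
    }
};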
  56.  
  57.  
  58. #endif //__IATHOOK_H
  59.  
  60.  
// Signature of kernel32!GetVolumeInformationA. hooked_volume forwards to the
// original entry through a pointer of this type.
using GetVolumeInformationHook = BOOL(__stdcall*)(
    _In_opt_                            LPCSTR  lpRootPathName,
    _Out_writes_opt_(nVolumeNameSize)   LPSTR   lpVolumeNameBuffer,
    _In_                                DWORD   nVolumeNameSize,
    _Out_opt_                           LPDWORD lpVolumeSerialNumber,
    _Out_opt_                           LPDWORD lpMaximumComponentLength,
    _Out_opt_                           LPDWORD lpFileSystemFlags,
    _Out_writes_opt_(nFileSystemNameSize) LPSTR lpFileSystemNameBuffer,
    _In_                                DWORD   nFileSystemNameSize);

// Original IAT entry for GetVolumeInformationA, saved by IatHook(). Stays
// null until the detour has been installed.
GetVolumeInformationHook pVolumeHook = nullptr;
  71.  
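/*
 * Replacement for GetVolumeInformationA installed in the host's IAT.
 *
 * Forwards the call to the original entry (pVolumeHook) and then overwrites
 * the reported volume serial with a fixed value, so a host that keys a
 * licence/HWID check on the serial sees the "whitelisted" one. All other
 * out-parameters and the return value come from the real function.
 *
 * Returns the original function's result, or FALSE when no original entry
 * has been saved (detour not installed).
 */
BOOL __stdcall hooked_volume(_In_opt_ LPCSTR lpRootPathName,
    _Out_writes_opt_(nVolumeNameSize) LPSTR lpVolumeNameBuffer,
    _In_ DWORD nVolumeNameSize,
    _Out_opt_ LPDWORD lpVolumeSerialNumber,
    _Out_opt_ LPDWORD lpMaximumComponentLength,
    _Out_opt_ LPDWORD lpFileSystemFlags,
    _Out_writes_opt_(nFileSystemNameSize) LPSTR lpFileSystemNameBuffer,
    _In_ DWORD nFileSystemNameSize)
{
    // Serial reported to the host instead of the real one.
    const DWORD kSpoofedSerial = 818675177; /*a whitelisted serial goes here*/

    // Without a saved original there is nothing to forward to; fail closed
    // rather than jumping through a null function pointer.
    if (pVolumeHook == nullptr)
        return FALSE;

    // Forward every argument untouched. The original code passed the serial
    // *value* cast to LPDWORD as the out-pointer, so kernel32 would write the
    // real serial to that bogus address and fault (or, at best, the caller's
    // own serial variable was never filled in).
    const BOOL ok = pVolumeHook(lpRootPathName,
        lpVolumeNameBuffer,
        nVolumeNameSize,
        lpVolumeSerialNumber,
        lpMaximumComponentLength,
        lpFileSystemFlags,
        lpFileSystemNameBuffer,
        nFileSystemNameSize);

    // The out-pointer is optional; only rewrite it when the caller supplied
    // one and the real call succeeded (on failure the buffer is unspecified).
    if (ok && lpVolumeSerialNumber != nullptr)
        *lpVolumeSerialNumber = kSpoofedSerial;

    return ok;
}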
  90.  
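/*
 * Install the GetVolumeInformationA detour in the host executable's IAT and
 * remember the original entry in pVolumeHook.
 *
 * Returns 0 on success and 1 when nothing was patched (import not present
 * by name, slot already pointing at hooked_volume, or the IAT page could not
 * be made writable). The original always returned 0.
 */
int IatHook()
{
    const uintptr_t original =
        Iat_hook::detour_iat_ptr("GetVolumeInformationA", (void*)hooked_volume);

    // detour_iat_ptr yields 0 both for "import missing" and for "already
    // hooked". Storing that unconditionally (as the original did) clobbers a
    // previously saved original on a second call, after which hooked_volume
    // calls through a null pointer. Only record a real address.
    if (original == 0)
        return 1;

    pVolumeHook = (GetVolumeInformationHook)original;
    return 0;
}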
  99.  
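/*
 * DLL entry point: on process attach, patch the host's IAT synchronously.
 *
 * The original spawned a thread from DllMain to do the patching. That thread
 * cannot run until the loader lock is released, so the host could already
 * have called the un-hooked GetVolumeInformationA by the time the detour
 * landed; the thread handle was also never closed, and `int IatHook()` was
 * cast to LPTHREAD_START_ROUTINE despite not matching its signature. The
 * patching itself only calls GetModuleHandle/VirtualProtect on an
 * already-mapped image and loads no further DLLs, so it is done inline here.
 *
 * Always returns TRUE: a failed patch is not treated as a failed load.
 */
BOOL WINAPI DllMain(HMODULE hModule, DWORD dwReason, LPVOID lpReserved)
{
    (void)lpReserved;

    if (dwReason == DLL_PROCESS_ATTACH)
    {
        // No per-thread state, so skip DLL_THREAD_ATTACH/DETACH callbacks.
        DisableThreadLibraryCalls(hModule);
        // Non-zero means nothing was patched; the host keeps the real
        // GetVolumeInformationA in that case.
        (void)IatHook();
    }
    return TRUE;
}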