  1. #include <thread>
  2. #include <windows.h>
  3.  
  4. #ifndef __IATHOOK_H
  5. #define __IATHOOK_H
  6.  
  7. #include <iostream>
  8. #include <windows.h>
  9. #include <cstdint>
  10. /*
  11. * Most of this code was stolen from wikipedia. I've optimized it a tad and put it into a class.
  12. */
namespace Iat_hook
{

// Walks the import directory of `module` (the calling process's main module
// when `module` is null, via GetModuleHandle(0)) and returns the address of
// the IAT slot whose imported name equals `function`. Returns 0 when no
// by-name import matches.
//
// The slot returned is an entry of the FirstThunk array, i.e. the cell the
// loader filled with the resolved import address; detour_iat_ptr below
// overwrites that cell.
//
// NOTE(review): the NT headers and the import directory are computed from
// e_lfanew *before* e_magic is validated, and the validation only prints and
// then carries on using the headers it just found suspect. GetModuleHandle(0)
// is also assumed to succeed. A null-slot return (0) is dereferenced
// unchecked by the caller below. printf/strcmp are used without <cstdio>/
// <cstring> being included here; they presumably arrive via <iostream>.
void** find(const char* function, HMODULE module)
{
    if (!module)
        module = GetModuleHandle(0);

    PIMAGE_DOS_HEADER img_dos_headers = (PIMAGE_DOS_HEADER)module;
    // e_lfanew: byte offset from the DOS header to the NT headers.
    PIMAGE_NT_HEADERS img_nt_headers = (PIMAGE_NT_HEADERS)((byte*)img_dos_headers + img_dos_headers->e_lfanew);
    // Import directory RVA from the optional header, rebased onto the module.
    PIMAGE_IMPORT_DESCRIPTOR img_import_desc = (PIMAGE_IMPORT_DESCRIPTOR)((byte*)img_dos_headers + img_nt_headers->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_IMPORT].VirtualAddress);
    if (img_dos_headers->e_magic != IMAGE_DOS_SIGNATURE)
        printf("ERROR: e_magic is no valid DOS signature\n");

    // One descriptor per imported DLL; the array is terminated by a
    // descriptor whose Name is 0.
    for (IMAGE_IMPORT_DESCRIPTOR *iid = img_import_desc; iid->Name != 0; iid++) {
        // FirstThunk (rebased) is the IAT proper: resolved addresses, null-terminated.
        for (int func_idx = 0; *(func_idx + (void**)(iid->FirstThunk + (size_t)module)) != nullptr; func_idx++) {
            // OriginalFirstThunk (rebased) keeps the unpatched name RVAs. The
            // entry is rebased and advanced by 2, presumably to skip the 16-bit
            // Hint of IMAGE_IMPORT_BY_NAME so the pointer lands on the name.
            char* mod_func_name = (char*)(*(func_idx + (size_t*)(iid->OriginalFirstThunk + (size_t)module)) + (size_t)module + 2);
            const intptr_t nmod_func_name = (intptr_t)mod_func_name;
            // A negative value means the thunk had its top bit set, which is
            // how imports by ordinal are flagged (IMAGE_ORDINAL_FLAG); those
            // carry no name string and are skipped. The sign test is made
            // after the base and +2 were added, so it is a heuristic rather
            // than the documented ordinal check.
            if (nmod_func_name >= 0) {
                if (!::strcmp(function, mod_func_name))
                    return func_idx + (void**)(iid->FirstThunk + (size_t)module);
            }
        }
    }

    return 0;

}

// Redirects the import `function` of `module` to `newfunction` by writing the
// IAT slot found by find(), and returns the previous slot value (the original
// import address) so the caller can still reach the real function. Returns 0
// without touching anything when the slot already holds `newfunction` or
// holds null.
//
// The slot's page is switched to PAGE_READWRITE for the write and then
// restored, presumably because the IAT page is not writable by default.
//
// NOTE(review): find() returning 0 (no matching import) is dereferenced here
// without a check, and both VirtualProtect results are ignored, so a failed
// protection change turns the write into an access violation. The write is
// a plain store, not an interlocked one; see IatHook for the ordering
// consequence. After the write the slot points into this DLL rather than the
// exporting module, which is the discrepancy IAT-integrity scanners
// typically look for.
uintptr_t detour_iat_ptr(const char* function, void* newfunction, HMODULE module = 0)
{
    // find() returns a prvalue void**; auto&& just names that pointer.
    auto&& func_ptr = find(function, module);
    if (*func_ptr == newfunction || *func_ptr == nullptr)
        return 0;

    DWORD old_rights, new_rights = PAGE_READWRITE;
    VirtualProtect(func_ptr, sizeof(uintptr_t), new_rights, &old_rights);
    uintptr_t ret = (uintptr_t)*func_ptr;
    *func_ptr = newfunction;
    // Restore the original protection; new_rights is only a scratch out-param here.
    VirtualProtect(func_ptr, sizeof(uintptr_t), old_rights, &new_rights);
    return ret;
}
};
  56.  
  57.  
  58. #endif //__IATHOOK_H
  59.  
  60.  
// Function-pointer type for the import that IatHook() redirects
// ("GetVolumeInformationA"); the parameter list mirrors that API so the
// saved original address can be called through it from hooked_volume.
using GetVolumeInformationHook = BOOL(__stdcall*)(_In_opt_ LPCSTR lpRootPathName,
    _Out_writes_opt_(nVolumeNameSize) LPSTR lpVolumeNameBuffer,
    _In_ DWORD nVolumeNameSize,
    _Out_opt_ LPDWORD lpVolumeSerialNumber,
    _Out_opt_ LPDWORD lpMaximumComponentLength,
    _Out_opt_ LPDWORD lpFileSystemFlags,
    _Out_writes_opt_(nFileSystemNameSize) LPSTR lpFileSystemNameBuffer,
    _In_ DWORD nFileSystemNameSize);

// Original import address as returned by Iat_hook::detour_iat_ptr; written by
// IatHook() and read by hooked_volume(). Static storage, so it is null until
// the hook has been installed (and stays null if installation returned 0).
GetVolumeInformationHook pVolumeHook;
  71.  
// Replacement installed into the IAT slot of GetVolumeInformationA (see
// IatHook). Forwards every argument unchanged to the saved original in
// pVolumeHook, except the serial-number output pointer.
//
// NOTE(review): `(LPDWORD)818675177` reinterprets an integer literal as the
// _Out_opt_ LPDWORD destination. The original function is therefore handed an
// arbitrary address to write its result to, not a buffer, and the caller's
// own lpVolumeSerialNumber is never written at all. As written this is
// undefined behaviour (a wild write inside the callee) rather than a changed
// return value. Calling through a null pVolumeHook (hook not yet installed,
// see IatHook) is likewise unchecked.
BOOL __stdcall hooked_volume(_In_opt_ LPCSTR lpRootPathName,
    _Out_writes_opt_(nVolumeNameSize) LPSTR lpVolumeNameBuffer,
    _In_ DWORD nVolumeNameSize,
    _Out_opt_ LPDWORD lpVolumeSerialNumber,
    _Out_opt_ LPDWORD lpMaximumComponentLength,
    _Out_opt_ LPDWORD lpFileSystemFlags,
    _Out_writes_opt_(nFileSystemNameSize) LPSTR lpFileSystemNameBuffer,
    _In_ DWORD nFileSystemNameSize)
{
    return pVolumeHook(lpRootPathName,
        lpVolumeNameBuffer,
        nVolumeNameSize,
        (LPDWORD)818675177/*a whitelisted serial goes here -- an integer cast to a pointer, see note above*/,
        lpMaximumComponentLength,
        lpFileSystemFlags,
        lpFileSystemNameBuffer,
        nFileSystemNameSize);
}
  90.  
// Thread body started from DllMain. Redirects this module's
// GetVolumeInformationA import to hooked_volume and keeps the previous slot
// value (the original import address) in pVolumeHook. Always returns 0; a
// failed detour (detour_iat_ptr returning 0) is not reported.
//
// NOTE(review): the IAT slot is rewritten inside detour_iat_ptr, before the
// assignment to pVolumeHook below runs, so a call to the import that lands in
// that window reaches hooked_volume while pVolumeHook is still null.
int IatHook()
{
    const uintptr_t original = Iat_hook::detour_iat_ptr("GetVolumeInformationA", (void*)hooked_volume);
    pVolumeHook = reinterpret_cast<GetVolumeInformationHook>(original);
    return 0;
}
  99.  
// DLL entry point. On process attach it turns off per-thread attach/detach
// notifications and starts IatHook on a new thread; every other reason is a
// no-op. Always reports success.
//
// NOTE(review): the thread handle returned by CreateThread is discarded, so
// it is never closed. IatHook is declared `int IatHook()` but is cast to
// LPTHREAD_START_ROUTINE, which expects a DWORD (WINAPI*)(LPVOID); the
// signatures do not match. Nothing is undone on DLL_PROCESS_DETACH, so the
// IAT slot keeps pointing at this module after it is unloaded.
BOOL WINAPI DllMain(HMODULE hModule, DWORD dwReason, LPVOID lpReserved)
{
    switch (dwReason)
    {
    case DLL_PROCESS_ATTACH:
        DisableThreadLibraryCalls(hModule);
        // Same argument list as before: NULL stack size, NULL creation flags,
        // NULL thread-id out-pointer.
        CreateThread(NULL, NULL, (LPTHREAD_START_ROUTINE)IatHook, NULL, NULL, NULL);
        break;
    default:
        break;
    }
    return TRUE;
}