├── .gitignore
├── LICENSE
├── README.md
├── Win10 1909.png
├── Win10 21h1.jpg
├── Win11.jpg
├── Win7.jpg
├── Win8.jpg
└── infinity_hook_pro
    ├── infinity_hook_pro.sln
    └── infinity_hook_pro
        ├── hde
        │   ├── hde64.cpp
        │   ├── hde64.h
        │   ├── pstdint.h
        │   └── table64.h
        ├── headers.hpp
        ├── hook.cpp
        ├── hook.hpp
        ├── imports.hpp
        ├── infinity_hook_pro.inf
        ├── infinity_hook_pro.vcxproj
        ├── infinity_hook_pro.vcxproj.filters
        ├── infinity_hook_pro.vcxproj.user
        ├── main.cpp
        └── utils.hpp

--------------------------------------------------------------------------------
/.gitignore:
--------------------------------------------------------------------------------
# Prerequisites
*.d

# Compiled Object files
*.slo
*.lo
*.o
*.obj

# Precompiled Headers
*.gch
*.pch

# Compiled Dynamic libraries
*.so
*.dylib
*.dll

# Fortran module files
*.mod
*.smod

# Compiled Static libraries
*.lai
*.la
*.a
*.lib

# Executables
*.exe
*.out
*.app

--------------------------------------------------------------------------------
/LICENSE:
--------------------------------------------------------------------------------
MIT License

Copyright (c) 2021 华仔

Permission is hereby granted, free of charge, to any person obtaining a copy
of this software and associated documentation files (the "Software"), to deal
in the Software without restriction, including without limitation the rights
to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
copies of the Software, and to permit persons to whom the Software is
furnished to do so, subject to the following conditions:

The above copyright notice and this permission notice shall be included in all
copies or substantial portions of the Software.

THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
SOFTWARE.

--------------------------------------------------------------------------------
/README.md:
--------------------------------------------------------------------------------
# InfinityHookPro
InfinityHookPro Win7 -> Win11 latest

Recently I got interested again and picked up InfinityHook. The original version had a few small problems; it was later modified to support Win7 through Win10 1909, and after that nothing further happened.

Today, drawing on the various versions that others have posted online, I put together this code, which in theory supports Win7 through the latest Win11.

Win11 support is complete; it only required a change to the GetCpuClock offset.

The code is commented in detail; where something is unclear, read it together with the blog posts.

Taking up the baton once more: Make InfinityHook Great Again Again 💪💪💪

Reference blogs
https://bbs.pediy.com/thread-266207.htm (with reverse-engineering analysis)
https://bbs.pediy.com/thread-266136.htm (hook failure problem)
https://bbs.pediy.com/thread-260962.htm (19041)
https://bbs.pediy.com/thread-253450.htm (雪碧)
https://www.anquanke.com/post/id/206288#h2-1 (19041)
https://www.freebuf.com/articles/system/278857.html (2004)

Reference source code
https://github.com/everdox/InfinityHook (original)
https://github.com/fIappy/infhook19041 (19041)
https://github.com/huoji120/MakeInfinityHookGreatAgain (2004)

Tested systems: Win7, Win8, Win10 1909, Win10 21h1, Win11 22000

Screenshots: Win7, Win8, Win10 1909, Win10 21h1, Win10 22000
--------------------------------------------------------------------------------
/Win10 1909.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/FiYHer/InfinityHookPro/1d0e3bcce2526d805e00e60db6bebd9523d4ea56/Win10 1909.png

--------------------------------------------------------------------------------
/Win10 21h1.jpg:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/FiYHer/InfinityHookPro/1d0e3bcce2526d805e00e60db6bebd9523d4ea56/Win10 21h1.jpg

--------------------------------------------------------------------------------
/Win11.jpg:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/FiYHer/InfinityHookPro/1d0e3bcce2526d805e00e60db6bebd9523d4ea56/Win11.jpg

--------------------------------------------------------------------------------
/Win7.jpg:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/FiYHer/InfinityHookPro/1d0e3bcce2526d805e00e60db6bebd9523d4ea56/Win7.jpg

--------------------------------------------------------------------------------
/Win8.jpg:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/FiYHer/InfinityHookPro/1d0e3bcce2526d805e00e60db6bebd9523d4ea56/Win8.jpg

--------------------------------------------------------------------------------
/infinity_hook_pro/infinity_hook_pro.sln:
--------------------------------------------------------------------------------

Microsoft Visual Studio Solution File, Format Version 12.00
# Visual Studio Version 16
VisualStudioVersion = 16.0.31624.102
MinimumVisualStudioVersion = 10.0.40219.1
Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "infinity_hook_pro", "infinity_hook_pro\infinity_hook_pro.vcxproj", "{E753FDB6-774D-41ED-9E07-A09B837BE1CC}"
EndProject
Global
	GlobalSection(SolutionConfigurationPlatforms) = preSolution
		Debug|ARM = Debug|ARM
		Debug|ARM64 = Debug|ARM64
		Debug|x64 = Debug|x64
		Debug|x86 = Debug|x86
		Release|ARM = Release|ARM
		Release|ARM64 = Release|ARM64
		Release|x64 = Release|x64
		Release|x86 = Release|x86
	EndGlobalSection
	GlobalSection(ProjectConfigurationPlatforms) = postSolution
		{E753FDB6-774D-41ED-9E07-A09B837BE1CC}.Debug|ARM.ActiveCfg = Debug|ARM
		{E753FDB6-774D-41ED-9E07-A09B837BE1CC}.Debug|ARM.Build.0 = Debug|ARM
		{E753FDB6-774D-41ED-9E07-A09B837BE1CC}.Debug|ARM.Deploy.0 = Debug|ARM
		{E753FDB6-774D-41ED-9E07-A09B837BE1CC}.Debug|ARM64.ActiveCfg = Debug|ARM64
		{E753FDB6-774D-41ED-9E07-A09B837BE1CC}.Debug|ARM64.Build.0 = Debug|ARM64
		{E753FDB6-774D-41ED-9E07-A09B837BE1CC}.Debug|ARM64.Deploy.0 = Debug|ARM64
		{E753FDB6-774D-41ED-9E07-A09B837BE1CC}.Debug|x64.ActiveCfg = Debug|x64
		{E753FDB6-774D-41ED-9E07-A09B837BE1CC}.Debug|x64.Build.0 = Debug|x64
		{E753FDB6-774D-41ED-9E07-A09B837BE1CC}.Debug|x64.Deploy.0 = Debug|x64
		{E753FDB6-774D-41ED-9E07-A09B837BE1CC}.Debug|x86.ActiveCfg = Debug|Win32
		{E753FDB6-774D-41ED-9E07-A09B837BE1CC}.Debug|x86.Build.0 = Debug|Win32
		{E753FDB6-774D-41ED-9E07-A09B837BE1CC}.Debug|x86.Deploy.0 = Debug|Win32
		{E753FDB6-774D-41ED-9E07-A09B837BE1CC}.Release|ARM.ActiveCfg = Release|ARM
		{E753FDB6-774D-41ED-9E07-A09B837BE1CC}.Release|ARM.Build.0 = Release|ARM
		{E753FDB6-774D-41ED-9E07-A09B837BE1CC}.Release|ARM.Deploy.0 = Release|ARM
		{E753FDB6-774D-41ED-9E07-A09B837BE1CC}.Release|ARM64.ActiveCfg = Release|ARM64
		{E753FDB6-774D-41ED-9E07-A09B837BE1CC}.Release|ARM64.Build.0 = Release|ARM64
		{E753FDB6-774D-41ED-9E07-A09B837BE1CC}.Release|ARM64.Deploy.0 = Release|ARM64
		{E753FDB6-774D-41ED-9E07-A09B837BE1CC}.Release|x64.ActiveCfg = Release|x64
		{E753FDB6-774D-41ED-9E07-A09B837BE1CC}.Release|x64.Build.0 = Release|x64
		{E753FDB6-774D-41ED-9E07-A09B837BE1CC}.Release|x64.Deploy.0 = Release|x64
		{E753FDB6-774D-41ED-9E07-A09B837BE1CC}.Release|x86.ActiveCfg = Release|Win32
		{E753FDB6-774D-41ED-9E07-A09B837BE1CC}.Release|x86.Build.0 = Release|Win32
		{E753FDB6-774D-41ED-9E07-A09B837BE1CC}.Release|x86.Deploy.0 = Release|Win32
	EndGlobalSection
	GlobalSection(SolutionProperties) = preSolution
		HideSolutionNode = FALSE
	EndGlobalSection
	GlobalSection(ExtensibilityGlobals) = postSolution
		SolutionGuid = {8521F805-BDD3-4285-9628-2DB2EB48602B}
	EndGlobalSection
EndGlobal

--------------------------------------------------------------------------------
/infinity_hook_pro/infinity_hook_pro/hde/hde64.cpp:
--------------------------------------------------------------------------------
/*
 * Hacker Disassembler Engine 64 C
 * Copyright (c) 2008-2009, Vyacheslav Patkov.
 * All rights reserved.
 *
 */

#include "../headers.hpp"

#if defined(_M_X64) || defined(__x86_64__)
#pragma warning(push, 0)
#pragma warning(disable: 4701 4706 26451)

#include "hde64.h"
#include "table64.h"

unsigned int hde64_disasm(const void* code, hde64s* hs)
{
    uint8_t x, c, * p = (uint8_t*)code, cflags, opcode, pref = 0;
    uint8_t* ht = hde64_table, m_mod, m_reg, m_rm, disp_size = 0;
    uint8_t op64 = 0;

    // Zero the output structure before decoding.
    memset(hs, 0, sizeof(hde64s));

    for (x = 16; x; x--)
        switch (c = *p++) {
        case 0xf3:
            hs->p_rep = c;
            pref |= PRE_F3;
            break;
        case 0xf2:
            hs->p_rep = c;
            pref |= PRE_F2;
            break;
        case 0xf0:
            hs->p_lock = c;
            pref |= PRE_LOCK;
            break;
        case 0x26: case 0x2e: case 0x36:
        case 0x3e: case 0x64: case 0x65:
            hs->p_seg = c;
            pref |= PRE_SEG;
            break;
        case 0x66:
            hs->p_66 = c;
            pref |= PRE_66;
            break;
        case 0x67:
            hs->p_67 = c;
            pref |= PRE_67;
            break;
        default:
            goto pref_done;
        }
pref_done:

    hs->flags = (uint32_t)pref << 23;

    if (!pref)
        pref |= PRE_NONE;

    if ((c & 0xf0) == 0x40) {
        hs->flags |= F_PREFIX_REX;
        if ((hs->rex_w = (c & 0xf) >> 3) && (*p & 0xf8) == 0xb8)
            op64++;
        hs->rex_r = (c & 7) >> 2;
        hs->rex_x = (c & 3) >> 1;
        hs->rex_b = c & 1;
        if (((c = *p++) & 0xf0) == 0x40) {
            opcode = c;
            goto error_opcode;
        }
    }

    if ((hs->opcode = c) == 0x0f) {
        hs->opcode2 = c = *p++;
        ht += DELTA_OPCODES;
    }
    else if (c >= 0xa0 && c <= 0xa3) {
        op64++;
        if (pref & PRE_67)
            pref |= PRE_66;
        else
            pref &= ~PRE_66;
    }

    opcode = c;
    cflags = ht[ht[opcode / 4] + (opcode % 4)];

    if (cflags == C_ERROR) {
error_opcode:
        hs->flags |= F_ERROR | F_ERROR_OPCODE;
        cflags = 0;
        if ((opcode & -3) == 0x24)
            cflags++;
    }

    x = 0;
    if (cflags & C_GROUP) {
        uint16_t t;
        t = *(uint16_t*)(ht + (cflags & 0x7f));
        cflags = (uint8_t)t;
        x = (uint8_t)(t >> 8);
    }

    if (hs->opcode2) {
        ht = hde64_table + DELTA_PREFIXES;
        if (ht[ht[opcode / 4] + (opcode % 4)] & pref)
            hs->flags |= F_ERROR | F_ERROR_OPCODE;
    }

    if (cflags & C_MODRM) {
        hs->flags |= F_MODRM;
        hs->modrm = c = *p++;
        hs->modrm_mod = m_mod = c >> 6;
        hs->modrm_rm = m_rm = c & 7;
        hs->modrm_reg = m_reg = (c & 0x3f) >> 3;

        if (x && ((x << m_reg) & 0x80))
            hs->flags |= F_ERROR | F_ERROR_OPCODE;

        if (!hs->opcode2 && opcode >= 0xd9 && opcode <= 0xdf) {
            uint8_t t = opcode - 0xd9;
            if (m_mod == 3) {
                ht = hde64_table + DELTA_FPU_MODRM + t * 8;
                t = ht[m_reg] << m_rm;
            }
            else {
                ht = hde64_table + DELTA_FPU_REG;
                t = ht[t] << m_reg;
            }
            if (t & 0x80)
                hs->flags |= F_ERROR | F_ERROR_OPCODE;
        }

        if (pref & PRE_LOCK) {
            if (m_mod == 3) {
                hs->flags |= F_ERROR | F_ERROR_LOCK;
            }
            else {
                uint8_t* table_end, op = opcode;
                if (hs->opcode2) {
                    ht = hde64_table + DELTA_OP2_LOCK_OK;
                    table_end = ht + DELTA_OP_ONLY_MEM - DELTA_OP2_LOCK_OK;
                }
                else {
                    ht = hde64_table + DELTA_OP_LOCK_OK;
                    table_end = ht + DELTA_OP2_LOCK_OK - DELTA_OP_LOCK_OK;
                    op &= -2;
                }
                for (; ht != table_end; ht++)
                    if (*ht++ == op) {
                        if (!((*ht << m_reg) & 0x80))
                            goto no_lock_error;
                        else
                            break;
                    }
                hs->flags |= F_ERROR | F_ERROR_LOCK;
no_lock_error:
                ;
            }
        }

        if (hs->opcode2) {
            switch (opcode) {
            case 0x20: case 0x22:
                m_mod = 3;
                if (m_reg > 4 || m_reg == 1)
                    goto error_operand;
                else
                    goto no_error_operand;
            case 0x21: case 0x23:
                m_mod = 3;
                if (m_reg == 4 || m_reg == 5)
                    goto error_operand;
                else
                    goto no_error_operand;
            }
        }
        else {
            switch (opcode) {
            case 0x8c:
                if (m_reg > 5)
                    goto error_operand;
                else
                    goto no_error_operand;
            case 0x8e:
                if (m_reg == 1 || m_reg > 5)
                    goto error_operand;
                else
                    goto no_error_operand;
            }
        }

        if (m_mod == 3) {
            uint8_t* table_end;
            if (hs->opcode2) {
                ht = hde64_table + DELTA_OP2_ONLY_MEM;
                table_end = ht + sizeof(hde64_table) - DELTA_OP2_ONLY_MEM;
            }
            else {
                ht = hde64_table + DELTA_OP_ONLY_MEM;
                table_end = ht + DELTA_OP2_ONLY_MEM - DELTA_OP_ONLY_MEM;
            }
            for (; ht != table_end; ht += 2)
                if (*ht++ == opcode) {
                    if (*ht++ & pref && !((*ht << m_reg) & 0x80))
                        goto error_operand;
                    else
                        break;
                }
            goto no_error_operand;
        }
        else if (hs->opcode2) {
            switch (opcode) {
            case 0x50: case 0xd7: case 0xf7:
                if (pref & (PRE_NONE | PRE_66))
                    goto error_operand;
                break;
            case 0xd6:
                if (pref & (PRE_F2 | PRE_F3))
                    goto error_operand;
                break;
            case 0xc5:
                goto error_operand;
            }
            goto no_error_operand;
        }
        else
            goto no_error_operand;

error_operand:
        hs->flags |= F_ERROR | F_ERROR_OPERAND;
no_error_operand:

        c = *p++;
        if (m_reg <= 1) {
            if (opcode == 0xf6)
                cflags |= C_IMM8;
            else if (opcode == 0xf7)
                cflags |= C_IMM_P66;
        }

        switch (m_mod) {
        case 0:
            if (pref & PRE_67) {
                if (m_rm == 6)
                    disp_size = 2;
            }
            else
                if (m_rm == 5)
                    disp_size = 4;
            break;
        case 1:
            disp_size = 1;
            break;
        case 2:
            disp_size = 2;
            if (!(pref & PRE_67))
                disp_size <<= 1;
        }

        if (m_mod != 3 && m_rm == 4) {
            hs->flags |= F_SIB;
            p++;
            hs->sib = c;
            hs->sib_scale = c >> 6;
            hs->sib_index = (c & 0x3f) >> 3;
            if ((hs->sib_base = c & 7) == 5 && !(m_mod & 1))
                disp_size = 4;
        }

        p--;
        switch (disp_size) {
        case 1:
            hs->flags |= F_DISP8;
            hs->disp.disp8 = *p;
            break;
        case 2:
            hs->flags |= F_DISP16;
            hs->disp.disp16 = *(uint16_t*)p;
            break;
        case 4:
            hs->flags |= F_DISP32;
            hs->disp.disp32 = *(uint32_t*)p;
        }
        p += disp_size;
    }
    else if (pref & PRE_LOCK)
        hs->flags |= F_ERROR | F_ERROR_LOCK;

    if (cflags & C_IMM_P66) {
        if (cflags & C_REL32) {
            if (pref & PRE_66) {
                hs->flags |= F_IMM16 | F_RELATIVE;
                hs->imm.imm16 = *(uint16_t*)p;
                p += 2;
                goto disasm_done;
            }
            goto rel32_ok;
        }
        if (op64) {
            hs->flags |= F_IMM64;
            hs->imm.imm64 = *(uint64_t*)p;
            p += 8;
        }
        else if (!(pref & PRE_66)) {
            hs->flags |= F_IMM32;
            hs->imm.imm32 = *(uint32_t*)p;
            p += 4;
        }
        else
            goto imm16_ok;
    }

    if (cflags & C_IMM16) {
imm16_ok:
        hs->flags |= F_IMM16;
        hs->imm.imm16 = *(uint16_t*)p;
        p += 2;
    }
    if (cflags & C_IMM8) {
        hs->flags |= F_IMM8;
        hs->imm.imm8 = *p++;
    }

    if (cflags & C_REL32) {
rel32_ok:
        hs->flags |= F_IMM32 | F_RELATIVE;
        hs->imm.imm32 = *(uint32_t*)p;
        p += 4;
    }
    else if (cflags & C_REL8) {
        hs->flags |= F_IMM8 | F_RELATIVE;
        hs->imm.imm8 = *p++;
    }

disasm_done:

    if ((hs->len = (uint8_t)(p - (uint8_t*)code)) > 15) {
        hs->flags |= F_ERROR | F_ERROR_LENGTH;
        hs->len = 15;
    }

    return (unsigned int)hs->len;
}

#pragma warning(pop)
#endif // defined(_M_X64) || defined(__x86_64__)

--------------------------------------------------------------------------------
/infinity_hook_pro/infinity_hook_pro/hde/hde64.h:
--------------------------------------------------------------------------------
/*
 * Hacker Disassembler Engine 64
 * Copyright (c) 2008-2009, Vyacheslav Patkov.
 * All rights reserved.
 *
 * hde64.h: C/C++ header file
 *
 */

#ifndef _HDE64_H_
#define _HDE64_H_

/* stdint.h - C99 standard header
 * http://en.wikipedia.org/wiki/stdint.h
 *
 * if your compiler doesn't contain "stdint.h" header (for
 * example, Microsoft Visual C++), you can download file:
 * http://www.azillionmonkeys.com/qed/pstdint.h
 * and change next line to:
 * #include "pstdint.h"
 */
#include "pstdint.h"

#define F_MODRM 0x00000001
#define F_SIB 0x00000002
#define F_IMM8 0x00000004
#define F_IMM16 0x00000008
#define F_IMM32 0x00000010
#define F_IMM64 0x00000020
#define F_DISP8 0x00000040
#define F_DISP16 0x00000080
#define F_DISP32 0x00000100
#define F_RELATIVE 0x00000200
#define F_ERROR 0x00001000
#define F_ERROR_OPCODE 0x00002000
#define F_ERROR_LENGTH 0x00004000
#define F_ERROR_LOCK 0x00008000
#define F_ERROR_OPERAND 0x00010000
#define F_PREFIX_REPNZ 0x01000000
#define F_PREFIX_REPX 0x02000000
#define F_PREFIX_REP 0x03000000
#define F_PREFIX_66 0x04000000
#define F_PREFIX_67 0x08000000
#define F_PREFIX_LOCK 0x10000000
#define F_PREFIX_SEG 0x20000000
#define F_PREFIX_REX 0x40000000
#define F_PREFIX_ANY 0x7f000000

#define PREFIX_SEGMENT_CS 0x2e
#define PREFIX_SEGMENT_SS 0x36
#define PREFIX_SEGMENT_DS 0x3e
#define PREFIX_SEGMENT_ES 0x26
#define PREFIX_SEGMENT_FS 0x64
#define PREFIX_SEGMENT_GS 0x65
#define PREFIX_LOCK 0xf0
#define PREFIX_REPNZ 0xf2
#define PREFIX_REPX 0xf3
#define PREFIX_OPERAND_SIZE 0x66
#define PREFIX_ADDRESS_SIZE 0x67

#pragma pack(push,1)

typedef struct {
    uint8_t len;
    uint8_t p_rep;
    uint8_t p_lock;
    uint8_t p_seg;
    uint8_t p_66;
    uint8_t p_67;
    uint8_t rex;
    uint8_t rex_w;
    uint8_t rex_r;
    uint8_t rex_x;
    uint8_t rex_b;
    uint8_t opcode;
    uint8_t opcode2;
    uint8_t modrm;
    uint8_t modrm_mod;
    uint8_t modrm_reg;
    uint8_t modrm_rm;
    uint8_t sib;
    uint8_t sib_scale;
    uint8_t sib_index;
    uint8_t sib_base;
    union {
        uint8_t imm8;
        uint16_t imm16;
        uint32_t imm32;
        uint64_t imm64;
    } imm;
    union {
        uint8_t disp8;
        uint16_t disp16;
        uint32_t disp32;
    } disp;
    uint32_t flags;
} hde64s;

#pragma pack(pop)

#ifdef __cplusplus
extern "C" {
#endif

/* __cdecl */
unsigned int hde64_disasm(const void *code, hde64s *hs);

#ifdef __cplusplus
}
#endif

#endif /* _HDE64_H_ */

--------------------------------------------------------------------------------
/infinity_hook_pro/infinity_hook_pro/hde/pstdint.h:
--------------------------------------------------------------------------------
/*
 * MinHook - The Minimalistic API Hooking Library for x64/x86
 * Copyright (C) 2009-2017 Tsuda Kageyu. All rights reserved.
 *
 * Redistribution and use in source and binary forms, with or without
 * modification, are permitted provided that the following conditions
 * are met:
 *
 * 1. Redistributions of source code must retain the above copyright
 *    notice, this list of conditions and the following disclaimer.
 * 2. Redistributions in binary form must reproduce the above copyright
 *    notice, this list of conditions and the following disclaimer in the
 *    documentation and/or other materials provided with the distribution.
 *
 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR "AS IS" AND ANY EXPRESS OR
 * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
 * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
 * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
 * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
 * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
 * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
 * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
 * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 */

#pragma once

// Integer types for HDE.
typedef INT8 int8_t;
typedef INT16 int16_t;
typedef INT32 int32_t;
typedef INT64 int64_t;
typedef UINT8 uint8_t;
typedef UINT16 uint16_t;
typedef UINT32 uint32_t;
typedef UINT64 uint64_t;

--------------------------------------------------------------------------------
/infinity_hook_pro/infinity_hook_pro/hde/table64.h:
--------------------------------------------------------------------------------
/*
 * Hacker Disassembler Engine 64 C
 * Copyright (c) 2008-2009, Vyacheslav Patkov.
 * All rights reserved.
 *
 */

#define C_NONE 0x00
#define C_MODRM 0x01
#define C_IMM8 0x02
#define C_IMM16 0x04
#define C_IMM_P66 0x10
#define C_REL8 0x20
#define C_REL32 0x40
#define C_GROUP 0x80
#define C_ERROR 0xff

#define PRE_ANY 0x00
#define PRE_NONE 0x01
#define PRE_F2 0x02
#define PRE_F3 0x04
#define PRE_66 0x08
#define PRE_67 0x10
#define PRE_LOCK 0x20
#define PRE_SEG 0x40
#define PRE_ALL 0xff

#define DELTA_OPCODES 0x4a
#define DELTA_FPU_REG 0xfd
#define DELTA_FPU_MODRM 0x104
#define DELTA_PREFIXES 0x13c
#define DELTA_OP_LOCK_OK 0x1ae
#define DELTA_OP2_LOCK_OK 0x1c6
#define DELTA_OP_ONLY_MEM 0x1d8
#define DELTA_OP2_ONLY_MEM 0x1e7

unsigned char hde64_table[] = {
    0xa5,0xaa,0xa5,0xb8,0xa5,0xaa,0xa5,0xaa,0xa5,0xb8,0xa5,0xb8,0xa5,0xb8,0xa5,
    0xb8,0xc0,0xc0,0xc0,0xc0,0xc0,0xc0,0xc0,0xc0,0xac,0xc0,0xcc,0xc0,0xa1,0xa1,
    0xa1,0xa1,0xb1,0xa5,0xa5,0xa6,0xc0,0xc0,0xd7,0xda,0xe0,0xc0,0xe4,0xc0,0xea,
    0xea,0xe0,0xe0,0x98,0xc8,0xee,0xf1,0xa5,0xd3,0xa5,0xa5,0xa1,0xea,0x9e,0xc0,
    0xc0,0xc2,0xc0,0xe6,0x03,0x7f,0x11,0x7f,0x01,0x7f,0x01,0x3f,0x01,0x01,0xab,
    0x8b,0x90,0x64,0x5b,0x5b,0x5b,0x5b,0x5b,0x92,0x5b,0x5b,0x76,0x90,0x92,0x92,
    0x5b,0x5b,0x5b,0x5b,0x5b,0x5b,0x5b,0x5b,0x5b,0x5b,0x5b,0x5b,0x6a,0x73,0x90,
    0x5b,0x52,0x52,0x52,0x52,0x5b,0x5b,0x5b,0x5b,0x77,0x7c,0x77,0x85,0x5b,0x5b,
    0x70,0x5b,0x7a,0xaf,0x76,0x76,0x5b,0x5b,0x5b,0x5b,0x5b,0x5b,0x5b,0x5b,0x5b,
    0x5b,0x5b,0x86,0x01,0x03,0x01,0x04,0x03,0xd5,0x03,0xd5,0x03,0xcc,0x01,0xbc,
    0x03,0xf0,0x03,0x03,0x04,0x00,0x50,0x50,0x50,0x50,0xff,0x20,0x20,0x20,0x20,
    0x01,0x01,0x01,0x01,0xc4,0x02,0x10,0xff,0xff,0xff,0x01,0x00,0x03,0x11,0xff,
    0x03,0xc4,0xc6,0xc8,0x02,0x10,0x00,0xff,0xcc,0x01,0x01,0x01,0x00,0x00,0x00,
    0x00,0x01,0x01,0x03,0x01,0xff,0xff,0xc0,0xc2,0x10,0x11,0x02,0x03,0x01,0x01,
    0x01,0xff,0xff,0xff,0x00,0x00,0x00,0xff,0x00,0x00,0xff,0xff,0xff,0xff,0x10,
    0x10,0x10,0x10,0x02,0x10,0x00,0x00,0xc6,0xc8,0x02,0x02,0x02,0x02,0x06,0x00,
    0x04,0x00,0x02,0xff,0x00,0xc0,0xc2,0x01,0x01,0x03,0x03,0x03,0xca,0x40,0x00,
    0x0a,0x00,0x04,0x00,0x00,0x00,0x00,0x7f,0x00,0x33,0x01,0x00,0x00,0x00,0x00,
    0x00,0x00,0xff,0xbf,0xff,0xff,0x00,0x00,0x00,0x00,0x07,0x00,0x00,0xff,0x00,
    0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0xff,0xff,
    0x00,0x00,0x00,0xbf,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x7f,0x00,0x00,
    0xff,0x40,0x40,0x40,0x40,0x41,0x49,0x40,0x40,0x40,0x40,0x4c,0x42,0x40,0x40,
    0x40,0x40,0x40,0x40,0x40,0x40,0x4f,0x44,0x53,0x40,0x40,0x40,0x44,0x57,0x43,
    0x5c,0x40,0x60,0x40,0x40,0x40,0x40,0x40,0x40,0x40,0x40,0x40,0x40,0x40,0x40,
    0x40,0x40,0x64,0x66,0x6e,0x6b,0x40,0x40,0x6a,0x46,0x40,0x40,0x44,0x46,0x40,
    0x40,0x5b,0x44,0x40,0x40,0x00,0x00,0x00,0x00,0x06,0x06,0x06,0x06,0x01,0x06,
    0x06,0x02,0x06,0x06,0x00,0x06,0x00,0x0a,0x0a,0x00,0x00,0x00,0x02,0x07,0x07,
    0x06,0x02,0x0d,0x06,0x06,0x06,0x0e,0x05,0x05,0x02,0x02,0x00,0x00,0x04,0x04,
    0x04,0x04,0x05,0x06,0x06,0x06,0x00,0x00,0x00,0x0e,0x00,0x00,0x08,0x00,0x10,
    0x00,0x18,0x00,0x20,0x00,0x28,0x00,0x30,0x00,0x80,0x01,0x82,0x01,0x86,0x00,
    0xf6,0xcf,0xfe,0x3f,0xab,0x00,0xb0,0x00,0xb1,0x00,0xb3,0x00,0xba,0xf8,0xbb,
    0x00,0xc0,0x00,0xc1,0x00,0xc7,0xbf,0x62,0xff,0x00,0x8d,0xff,0x00,0xc4,0xff,
    0x00,0xc5,0xff,0x00,0xff,0xff,0xeb,0x01,0xff,0x0e,0x12,0x08,0x00,0x13,0x09,
    0x00,0x16,0x08,0x00,0x17,0x09,0x00,0x2b,0x09,0x00,0xae,0xff,0x07,0xb2,0xff,
    0x00,0xb4,0xff,0x00,0xb5,0xff,0x00,0xc3,0x01,0x00,0xc7,0xff,0xbf,0xe7,0x08,
    0x00,0xf0,0x02,0x00
};

--------------------------------------------------------------------------------
/infinity_hook_pro/infinity_hook_pro/headers.hpp:
--------------------------------------------------------------------------------
#pragma once

#include
#include
#include
#include
#include
#include
#include
#include
#include

--------------------------------------------------------------------------------
/infinity_hook_pro/infinity_hook_pro/hook.cpp:
--------------------------------------------------------------------------------
#pragma warning(disable : 4201 4819 4311 4302)
#include "hook.hpp"
#include "utils.hpp"

/* Defined in Microsoft's official documentation
 * https://docs.microsoft.com/en-us/windows/win32/etw/wnode-header
 */
typedef struct _WNODE_HEADER
{
    ULONG BufferSize;
    ULONG ProviderId;
    union {
        ULONG64 HistoricalContext;
        struct {
            ULONG Version;
            ULONG Linkage;
        };
    };
    union {
        HANDLE KernelHandle;
        LARGE_INTEGER TimeStamp;
    };
    GUID Guid;
    ULONG ClientContext;
    ULONG Flags;
} WNODE_HEADER, * PWNODE_HEADER;

/* Defined in Microsoft documentation
 * https://docs.microsoft.com/en-us/windows/win32/api/evntrace/ns-evntrace-event_trace_properties
 */
typedef struct _EVENT_TRACE_PROPERTIES
{
    WNODE_HEADER Wnode;
    ULONG BufferSize;
    ULONG MinimumBuffers;
    ULONG MaximumBuffers;
    ULONG MaximumFileSize;
    ULONG LogFileMode;
    ULONG FlushTimer;
    ULONG EnableFlags;
    union {
        LONG AgeLimit;
        LONG FlushThreshold;
    } DUMMYUNIONNAME;
    ULONG NumberOfBuffers;
    ULONG FreeBuffers;
    ULONG EventsLost;
    ULONG BuffersWritten;
    ULONG LogBuffersLost;
    ULONG RealTimeBuffersLost;
    HANDLE LoggerThreadId;
    ULONG LogFileNameOffset;
    ULONG LoggerNameOffset;
} EVENT_TRACE_PROPERTIES, * PEVENT_TRACE_PROPERTIES;

/*
 * This structure was reverse engineered by others
 */
typedef struct _CKCL_TRACE_PROPERIES : EVENT_TRACE_PROPERTIES
{
    ULONG64 Unknown[3];
    UNICODE_STRING ProviderName;
} CKCL_TRACE_PROPERTIES, * PCKCL_TRACE_PROPERTIES;

/*
 * Operation type
 */
typedef enum _trace_type
{
    start_trace = 1,
    stop_trace = 2,
    query_trace = 3,
    syscall_trace = 4,
    flush_trace = 5
}trace_type;

namespace k_hook
{
    fssdt_call_back m_ssdt_call_back = nullptr;
    unsigned long m_build_number = 0;
    void* m_syscall_table = nullptr;
    bool m_routine_status = true;

    void* m_EtwpDebuggerData = nullptr;
    void* m_CkclWmiLoggerContext = nullptr;

    void** m_EtwpDebuggerDataSilo = nullptr;
    void** m_GetCpuClock = nullptr;

    unsigned long long m_original_GetCpuClock = 0;
    unsigned long long m_HvlpReferenceTscPage = 0;
    unsigned long long m_HvlGetQpcBias = 0;

    typedef __int64 (*FHvlGetQpcBias)();
    FHvlGetQpcBias m_original_HvlGetQpcBias = nullptr;

    // Modify the trace settings
    NTSTATUS modify_trace_settings(trace_type type)
    {
        const unsigned long tag = 'VMON';

        // Allocate the properties structure
        CKCL_TRACE_PROPERTIES* property = (CKCL_TRACE_PROPERTIES*)ExAllocatePoolWithTag(NonPagedPool, PAGE_SIZE, tag);
        if (!property)
        {
            DbgPrintEx(0, 0, "[%s] allocate ckcl trace propertice struct fail \n", __FUNCTION__);
            return STATUS_MEMORY_NOT_ALLOCATED;
        }

        // Allocate space to hold the name
        wchar_t* provider_name = (wchar_t*)ExAllocatePoolWithTag(NonPagedPool, 256 * sizeof(wchar_t), tag);
        if (!provider_name)
        {
            DbgPrintEx(0, 0, "[%s] allocate provider name fail \n", __FUNCTION__);
            ExFreePoolWithTag(property, tag);
            return STATUS_MEMORY_NOT_ALLOCATED;
        }

        // Zero the memory
        RtlZeroMemory(property, PAGE_SIZE);
        RtlZeroMemory(provider_name, 256 * sizeof(wchar_t));

        // Assign the name
        RtlCopyMemory(provider_name, L"Circular Kernel Context Logger", sizeof(L"Circular Kernel Context Logger"));
        RtlInitUnicodeString(&property->ProviderName, (const wchar_t*)provider_name);

        // Unique identifier
        GUID ckcl_session_guid = { 0x54dea73a, 0xed1f, 0x42a4, { 0xaf, 0x71, 0x3e, 0x63, 0xd0, 0x56, 0xf1, 0x74 } };

        // Fill in the structure
        property->Wnode.BufferSize = PAGE_SIZE;
        property->Wnode.Flags = 0x00020000;
        property->Wnode.Guid = ckcl_session_guid;
        property->Wnode.ClientContext = 3;
        property->BufferSize = sizeof(unsigned long);
        property->MinimumBuffers = 2;
        property->MaximumBuffers = 2;
        property->LogFileMode = 0x00000400;

        // Perform the operation
        unsigned long length = 0;
        if (type == trace_type::syscall_trace) property->EnableFlags = 0x00000080;
        NTSTATUS status = NtTraceControl(type, property, PAGE_SIZE, property, PAGE_SIZE, &length);

        // Free the memory
        ExFreePoolWithTag(provider_name, tag);
        ExFreePoolWithTag(property, tag);

        return status;
    }

    // Our replacement function, for systems from Win7 through Win10 1909
    unsigned long long self_get_cpu_clock()
    {
        // Let kernel-mode calls through
        if (ExGetPreviousMode() == KernelMode) return __rdtsc();

        // Get the current thread
        PKTHREAD current_thread = (PKTHREAD)__readgsqword(0x188);

        // Different versions use different offsets
        unsigned int call_index = 0;
        if (m_build_number <= 7601) call_index = *(unsigned int*)((unsigned long long)current_thread + 0x1f8);
        else call_index = *(unsigned int*)((unsigned long long)current_thread + 0x80);

        // Get the current stack base and the current frame
        void** stack_max = (void**)__readgsqword(0x1a8);
        void** stack_frame = (void**)_AddressOfReturnAddress();

        // Start searching the current stack for the SSDT call
        for (void** stack_current = stack_max; stack_current > stack_frame; --stack_current)
        {
            /* Signature of the SSDT call on the stack, namely
             * mov [rsp+48h+var_20], 501802h
             * mov r9d, 0F33h
             */
#define INFINITYHOOK_MAGIC_1 ((unsigned long)0x501802)
#define INFINITYHOOK_MAGIC_2 ((unsigned short)0xF33)

            // Check the first signature value
            unsigned long* l_value = (unsigned long*)stack_current;
            if (*l_value != INFINITYHOOK_MAGIC_1) continue;

            // Why decrement here? To line up the search for the second signature value
            --stack_current;

            // Check the second signature value
            unsigned short* s_value = (unsigned short*)stack_current;
            if (*s_value != INFINITYHOOK_MAGIC_2) continue;

            // Signature matched; now search back in the other direction
            for (; stack_current < stack_max; ++stack_current)
            {
                // Check whether the value lies within the SSDT
                unsigned long long* ull_value = (unsigned long long*)stack_current;
                if (!(PAGE_ALIGN(*ull_value) >= m_syscall_table && PAGE_ALIGN(*ull_value) < (void*)((unsigned long long)m_syscall_table + (PAGE_SIZE * 2)))) continue;

                // Now confirmed to be an SSDT function call
                // This locates KiSystemServiceExit
                void** system_call_function = &stack_current[9];

                // Invoke the callback
                if (m_ssdt_call_back) m_ssdt_call_back(call_index, system_call_function);

                // Break out of the loop
                break;
            }

            // Break out of the loop
            break;
        }

        // Call the original function
        return __rdtsc();
    }

    // Our replacement function, for systems newer than Win10 1909
    EXTERN_C __int64 self_hvl_get_qpc_bias()
    {
        // Our filter function
        self_get_cpu_clock();

        // This is what the real HvlGetQpcBias does
        return *((unsigned long long*)(*((unsigned long long*)m_HvlpReferenceTscPage)) + 3);
    }

    // Detection routine
    void detect_routine(void*)
    {
        while (m_routine_status)
        {
            // Usual thread sleep
            k_utils::sleep(4000);

            // On these builds GetCpuClock is still a function pointer
            if (m_build_number <= 18363)
            {
                DbgPrintEx(0, 0, "[%s] fix 0x%p 0x%p \n", __FUNCTION__, m_GetCpuClock, MmIsAddressValid(m_GetCpuClock) ? *m_GetCpuClock : 0);

                if (MmIsAddressValid(m_GetCpuClock) && MmIsAddressValid(*m_GetCpuClock))
                {
                    // The value differs, must re-hook
                    if (self_get_cpu_clock != *m_GetCpuClock)
                    {
                        if (initialize(m_ssdt_call_back)) start();
                    }
                }
                else initialize(m_ssdt_call_back); // GetCpuClock became invalid, must re-acquire it
            }
        }
    }

    bool initialize(fssdt_call_back ssdt_call_back)
    {
        if (!m_routine_status) return false;

        // Check the callback pointer
        DbgPrintEx(0, 0, "[%s] ssdt call back ptr is 0x%p \n", __FUNCTION__, ssdt_call_back);
        if (!MmIsAddressValid(ssdt_call_back)) return false;
        else m_ssdt_call_back = ssdt_call_back;

        // Try hooking first
        if (!NT_SUCCESS(modify_trace_settings(syscall_trace)))
        {
            // CKCL could not be enabled
            if (!NT_SUCCESS(modify_trace_settings(start_trace)))
            {
                DbgPrintEx(0, 0, "[%s] start ckcl fail \n", __FUNCTION__);
                return false;
            }

            // Try hooking again
            if (!NT_SUCCESS(modify_trace_settings(syscall_trace)))
            {
                DbgPrintEx(0, 0, "[%s] syscall ckcl fail \n", __FUNCTION__);
                return false;
            }
        }

        // Get the system build number
        m_build_number = k_utils::get_system_build_number();
        DbgPrintEx(0, 0, "[%s] build number is %ld \n", __FUNCTION__, m_build_number);
        if (!m_build_number) return false;

        // Get the kernel base address
        unsigned long long ntoskrnl = k_utils::get_module_address("ntoskrnl.exe", nullptr);
        DbgPrintEx(0, 0, "[%s] ntoskrnl address is 0x%llX \n", __FUNCTION__, ntoskrnl);
        if (!ntoskrnl) return false;

        // The location differs between systems
        // https://github.com/FiYHer/InfinityHookPro/issues/17 Win10 21H2.2130 needs a new pattern after the KB5018410 update is installed
        unsigned long long EtwpDebuggerData = k_utils::find_pattern_image(ntoskrnl, "\x00\x00\x2c\x08\x04\x38\x0c", "??xxxxx", ".text");
        if (!EtwpDebuggerData) EtwpDebuggerData = k_utils::find_pattern_image(ntoskrnl, "\x00\x00\x2c\x08\x04\x38\x0c", "??xxxxx", ".data");
        if (!EtwpDebuggerData) EtwpDebuggerData = k_utils::find_pattern_image(ntoskrnl, "\x00\x00\x2c\x08\x04\x38\x0c", "??xxxxx", ".rdata");
        DbgPrintEx(0, 0, "[%s] etwp debugger data is 0x%llX \n", __FUNCTION__, EtwpDebuggerData);
        if (!EtwpDebuggerData) return false;
        m_EtwpDebuggerData = (void*)EtwpDebuggerData;

        // No other way to locate this is known yet; offset 0x10 is the same on all systems
        m_EtwpDebuggerDataSilo = *(void***)((unsigned long long)m_EtwpDebuggerData + 0x10);
        DbgPrintEx(0, 0, "[%s] etwp debugger data silo is 0x%p \n", __FUNCTION__, m_EtwpDebuggerDataSilo);
        if (!m_EtwpDebuggerDataSilo) return false;

        // Likewise no other way to locate this is known; index 0x2 is the same on all systems
        m_CkclWmiLoggerContext = m_EtwpDebuggerDataSilo[0x2];
        DbgPrintEx(0, 0, "[%s] ckcl wmi logger context is 0x%p \n", __FUNCTION__, m_CkclWmiLoggerContext);
        if (!m_CkclWmiLoggerContext) return false;

        /* In testing on Win7, the m_GetCpuClock value changes a few times; for now a thread detects this and repairs it afterwards
         * Damn, on Win11 the offset became 0x18; overlooking that cost me a long time debugging -_-
         * To summarize: Win7 and Win11 both use offset 0x18, the others use 0x28
         */
        if (m_build_number <= 7601 || m_build_number >= 22000) m_GetCpuClock = (void**)((unsigned long long)m_CkclWmiLoggerContext + 0x18); // Win7 and older, and Win11 too
        else m_GetCpuClock = (void**)((unsigned long long)m_CkclWmiLoggerContext + 0x28); // Every system from Win8 through Win10
        if (!MmIsAddressValid(m_GetCpuClock)) return false;
        DbgPrintEx(0, 0, "[%s] get cpu clock is 0x%p \n", __FUNCTION__, *m_GetCpuClock);

        // Get the SSDT pointer
        m_syscall_table = PAGE_ALIGN(k_utils::get_syscall_entry(ntoskrnl));
        DbgPrintEx(0, 0, "[%s] syscall table is 0x%p \n", __FUNCTION__, m_syscall_table);
        if (!m_syscall_table) return false;

        if (m_build_number > 18363)
        {
            /* HvlGetQpcBias needs this structure internally,
             * so we locate the structure manually
             */
            unsigned long long address = k_utils::find_pattern_image(ntoskrnl,
                "\x48\x8b\x05\x00\x00\x00\x00\x48\x8b\x40\x00\x48\x8b\x0d\x00\x00\x00\x00\x48\xf7\xe2",
                "xxx????xxx?xxx????xxx");
            if (!address) return
false; 332 | m_HvlpReferenceTscPage = reinterpret_cast(reinterpret_cast(address) + 7 + *reinterpret_cast(reinterpret_cast(address) + 3)); 333 | DbgPrintEx(0, 0, "[%s] hvlp reference tsc page is 0x%llX \n", __FUNCTION__, m_HvlpReferenceTscPage); 334 | if (!m_HvlpReferenceTscPage) return false; 335 | 336 | /* 这里我们查找到HvlGetQpcBias的指针 337 | * 详细介绍可以看https://www.freebuf.com/articles/system/278857.html 338 | */ 339 | address = k_utils::find_pattern_image(ntoskrnl, 340 | "\x48\x8b\x05\x00\x00\x00\x00\x48\x85\xc0\x74\x00\x48\x83\x3d\x00\x00\x00\x00\x00\x74", 341 | "xxx????xxxx?xxx?????x"); 342 | if (!address) return false; 343 | m_HvlGetQpcBias = reinterpret_cast(reinterpret_cast(address) + 7 + *reinterpret_cast(reinterpret_cast(address) + 3)); 344 | DbgPrintEx(0, 0, "[%s] hvl get qpc bias is 0x%llX \n", __FUNCTION__, m_HvlGetQpcBias); 345 | if (!m_HvlGetQpcBias) return false; 346 | } 347 | 348 | return true; 349 | } 350 | 351 | bool start() 352 | { 353 | if (!m_ssdt_call_back) return false; 354 | 355 | // 无效指针 356 | if (!MmIsAddressValid(m_GetCpuClock)) 357 | { 358 | DbgPrintEx(0, 0, "[%s] get cpu clock vaild \n", __FUNCTION__); 359 | return false; 360 | } 361 | 362 | /* 这里我们区分一下系统版本 363 | * 从Win7到Win10 1909,g_GetCpuClock是一个函数,往后的版本是一个数值了 364 | * 大于3抛异常 365 | * 等于3用rdtsc 366 | * 等于2用off_140C00A30 367 | * 等于1用KeQueryPerformanceCounter 368 | * 等于0用RtlGetSystemTimePrecise 369 | * 我们的做法参考网址https://www.freebuf.com/articles/system/278857.html 370 | * 我们这里在2身上做文章 371 | */ 372 | if (m_build_number <= 18363) 373 | { 374 | // 直接修改函数指针 375 | DbgPrintEx(0, 0, "[%s] get cpu clock is 0x%p\n", __FUNCTION__, *m_GetCpuClock); 376 | *m_GetCpuClock = self_get_cpu_clock; 377 | DbgPrintEx(0, 0, "[%s] update get cpu clock is 0x%p\n", __FUNCTION__, *m_GetCpuClock); 378 | } 379 | else 380 | { 381 | // 保存GetCpuClock原始值,退出时好恢复 382 | m_original_GetCpuClock = (unsigned long long)(*m_GetCpuClock); 383 | 384 | /* 这里我们设置为2, 这样子才能调用off_140C00A30函数 385 | * 其实该指针就是HalpTimerQueryHostPerformanceCounter函数 
386 | * 该函数里面又有两个函数指针,第一个就是HvlGetQpcBias,就是我们的目标 387 | */ 388 | *m_GetCpuClock = (void*)2; 389 | DbgPrintEx(0, 0, "[%s] update get cpu clock is %p \n", __FUNCTION__, *m_GetCpuClock); 390 | 391 | // 保存旧HvlGetQpcBias地址,方便后面清理的时候复原环境 392 | m_original_HvlGetQpcBias = (FHvlGetQpcBias)(*((unsigned long long*)m_HvlGetQpcBias)); 393 | 394 | // 设置钩子 395 | *((unsigned long long*)m_HvlGetQpcBias) = (unsigned long long)self_hvl_get_qpc_bias; 396 | DbgPrintEx(0, 0, "[%s] update hvl get qpc bias is %p \n", __FUNCTION__, self_hvl_get_qpc_bias); 397 | } 398 | 399 | // 创建GetCpuClock数值检测线程 400 | static bool is_create_thread = false; 401 | if (!is_create_thread) 402 | { 403 | is_create_thread = true; 404 | HANDLE h_thread = NULL; 405 | CLIENT_ID client{ 0 }; 406 | OBJECT_ATTRIBUTES att{ 0 }; 407 | InitializeObjectAttributes(&att, 0, OBJ_KERNEL_HANDLE, 0, 0); 408 | NTSTATUS status = PsCreateSystemThread(&h_thread, THREAD_ALL_ACCESS, &att, 0, &client, detect_routine, 0); 409 | if (NT_SUCCESS(status)) ZwClose(h_thread); 410 | DbgPrintEx(0, 0, "[%s] detect routine thread id is %d \n", __FUNCTION__, (int)client.UniqueThread); 411 | } 412 | 413 | return true; 414 | } 415 | 416 | bool stop() 417 | { 418 | // 停止检测线程 419 | m_routine_status = false; 420 | 421 | bool result = NT_SUCCESS(modify_trace_settings(stop_trace)) && NT_SUCCESS(modify_trace_settings(start_trace)); 422 | 423 | // Win10 1909以上系统需要恢复环境 424 | if (m_build_number > 18363) 425 | { 426 | *((unsigned long long*)m_HvlGetQpcBias) = (unsigned long long)m_original_HvlGetQpcBias; 427 | *m_GetCpuClock = (void*)m_original_GetCpuClock; 428 | } 429 | 430 | return result; 431 | } 432 | } 433 | -------------------------------------------------------------------------------- /infinity_hook_pro/infinity_hook_pro/hook.hpp: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/FiYHer/InfinityHookPro/1d0e3bcce2526d805e00e60db6bebd9523d4ea56/infinity_hook_pro/infinity_hook_pro/hook.hpp 
--------------------------------------------------------------------------------
/infinity_hook_pro/infinity_hook_pro/imports.hpp:
--------------------------------------------------------------------------------
#pragma once
#include "headers.hpp"

#ifdef __cplusplus
extern "C"
{
#endif

	typedef struct _SYSTEM_MODULE
	{
		ULONG_PTR Reserved[2];
		PVOID Base;
		ULONG Size;
		ULONG Flags;
		USHORT Index;
		USHORT Unknown;
		USHORT LoadCount;
		USHORT ModuleNameOffset;
		CHAR ImageName[256];
	} SYSTEM_MODULE, * PSYSTEM_MODULE;

	typedef struct _SYSTEM_MODULE_INFORMATION
	{
		ULONG_PTR ulModuleCount;
		SYSTEM_MODULE Modules[1];
	} SYSTEM_MODULE_INFORMATION, * PSYSTEM_MODULE_INFORMATION;

	NTSTATUS NTAPI ZwQuerySystemInformation(
		DWORD32 systemInformationClass,
		PVOID systemInformation,
		ULONG systemInformationLength,
		PULONG returnLength);

	NTSTATUS NTAPI NtTraceControl(
		ULONG FunctionCode,
		PVOID InBuffer,
		ULONG InBufferLen,
		PVOID OutBuffer,
		ULONG OutBufferLen,
		PULONG ReturnLength);

	ULONG NTAPI PsGetProcessSessionId(PEPROCESS Process);

#ifdef __cplusplus
}
#endif
--------------------------------------------------------------------------------
/infinity_hook_pro/infinity_hook_pro/infinity_hook_pro.inf:
--------------------------------------------------------------------------------
;
; infinity_hook_pro.inf
;

[Version]
Signature="$WINDOWS NT$"
Class=System
ClassGuid={4d36e97d-e325-11ce-bfc1-08002be10318}
Provider=%ManufacturerName%
DriverVer=
CatalogFile=infinity_hook_pro.cat
PnpLockDown=1

[DestinationDirs]
DefaultDestDir = 12

[SourceDisksNames]
1 = %DiskName%,,,""

[SourceDisksFiles]

; [Manufacturer]
; %ManufacturerName%=Standard,NT$ARCH$

; [Standard.NT$ARCH$]

[Strings]
ManufacturerName="" ;TODO: Replace with your manufacturer name
ClassName=""
DiskName="infinity_hook_pro Source Disk"
--------------------------------------------------------------------------------
/infinity_hook_pro/infinity_hook_pro/infinity_hook_pro.vcxproj:
--------------------------------------------------------------------------------
[MSBuild project file; the XML element tags were lost in extraction and only element values survive. Recoverable settings:]
Configurations: Debug and Release for each of Win32, x64, ARM and ARM64.
ProjectGuid {E753FDB6-774D-41ED-9E07-A09B837BE1CC}; other surviving values: {dd38f7fc-d7bd-488b-9242-7d8754cde80d}, v4.5, 12.0, default configuration Debug|Win32, project name infinity_hook_pro.
Per configuration: TargetVersion Windows10 (Release|x64 alone targets Windows7), PlatformToolset WindowsKernelModeDriver10.0, ConfigurationType Driver, DriverType WDM, debug libraries true for Debug and false for Release, debugger DbgengKernelDebugger.
One configuration's compiler settings survive only as the values false, false, false, None, AnySuitable.
--------------------------------------------------------------------------------
/infinity_hook_pro/infinity_hook_pro/infinity_hook_pro.vcxproj.filters:
--------------------------------------------------------------------------------
[Visual Studio filter file; the XML element tags were lost in extraction. Recoverable content:]
Filters: Source Files {4FC737F1-C7A5-4376-A066-2A32D752A2FF} (cpp;c;cc;cxx;def;odl;idl;hpj;bat;asm;asmx); Header Files {93995380-89BD-4b04-88EB-625FBE52EBFB} (h;hpp;hxx;hm;inl;inc;xsd); Driver Files {8E41214B-6785-4CFE-B992-037D68949A14} (inf;inv;inx;mof;mc;); hde {effae938-02ce-456b-a490-7714a0f6d15e}.
Files are assigned to Driver Files (the .inf), Source Files, hde and Header Files, matching the directory tree at the top of the page.
--------------------------------------------------------------------------------
/infinity_hook_pro/infinity_hook_pro/infinity_hook_pro.vcxproj.user:
--------------------------------------------------------------------------------
[Per-user project settings; the XML element tags were lost in extraction. A single setting survives with the value Off; its name was lost.]
--------------------------------------------------------------------------------
/infinity_hook_pro/infinity_hook_pro/main.cpp:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/FiYHer/InfinityHookPro/1d0e3bcce2526d805e00e60db6bebd9523d4ea56/infinity_hook_pro/infinity_hook_pro/main.cpp
--------------------------------------------------------------------------------
/infinity_hook_pro/infinity_hook_pro/utils.hpp:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/FiYHer/InfinityHookPro/1d0e3bcce2526d805e00e60db6bebd9523d4ea56/infinity_hook_pro/infinity_hook_pro/utils.hpp
--------------------------------------------------------------------------------