├── .tfignore
├── FishHook32
    ├── dllmain.cpp
    ├── HookedFunctions.h
    ├── APC.H
    ├── stdafx.h
    ├── IATDLL.cpp
    ├── NativeApi.h
    ├── exports.cpp
    ├── stdafx.cpp
    ├── targetver.h
    ├── FishHook32.cpp
    ├── HookedFunctions.cpp
    ├── internals.h
    ├── StringEx.h
    ├── ReadMe.txt
    ├── exports.h
    ├── var.h
    ├── FishHook32.vcxproj.filters
    ├── hi.h
    ├── Def.h
    ├── IATHookHeader.h
    ├── FishHook32.vcxproj
    └── internals.cpp
├── FishHookTest
    ├── stdafx.h
    ├── stdafx.cpp
    ├── targetver.h
    ├── FishHookTest.cpp
    ├── ReadMe.txt
    ├── FishHookTest.vcxproj.filters
    └── FishHookTest.vcxproj
├── .gitignore
├── FishHook32.sln
├── Manual.md
├── Readme.md
└── LICENSE.md


/.tfignore:
--------------------------------------------------------------------------------
1 | \.git


--------------------------------------------------------------------------------
/FishHook32/dllmain.cpp:
--------------------------------------------------------------------------------
1 | 


--------------------------------------------------------------------------------
/FishHook32/HookedFunctions.h:
--------------------------------------------------------------------------------
1 | 
2 | 
3 | 


--------------------------------------------------------------------------------
/FishHook32/APC.H:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/Menooker/FishHook/HEAD/FishHook32/APC.H


--------------------------------------------------------------------------------
/FishHook32/stdafx.h:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/Menooker/FishHook/HEAD/FishHook32/stdafx.h


--------------------------------------------------------------------------------
/FishHook32/IATDLL.cpp:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/Menooker/FishHook/HEAD/FishHook32/IATDLL.cpp


--------------------------------------------------------------------------------
/FishHook32/NativeApi.h:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/Menooker/FishHook/HEAD/FishHook32/NativeApi.h


--------------------------------------------------------------------------------
/FishHook32/exports.cpp:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/Menooker/FishHook/HEAD/FishHook32/exports.cpp


--------------------------------------------------------------------------------
/FishHook32/stdafx.cpp:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/Menooker/FishHook/HEAD/FishHook32/stdafx.cpp


--------------------------------------------------------------------------------
/FishHook32/targetver.h:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/Menooker/FishHook/HEAD/FishHook32/targetver.h


--------------------------------------------------------------------------------
/FishHookTest/stdafx.h:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/Menooker/FishHook/HEAD/FishHookTest/stdafx.h


--------------------------------------------------------------------------------
/FishHook32/FishHook32.cpp:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/Menooker/FishHook/HEAD/FishHook32/FishHook32.cpp


--------------------------------------------------------------------------------
/FishHookTest/stdafx.cpp:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/Menooker/FishHook/HEAD/FishHookTest/stdafx.cpp


--------------------------------------------------------------------------------
/FishHookTest/targetver.h:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/Menooker/FishHook/HEAD/FishHookTest/targetver.h


--------------------------------------------------------------------------------
/FishHook32/HookedFunctions.cpp:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/Menooker/FishHook/HEAD/FishHook32/HookedFunctions.cpp


--------------------------------------------------------------------------------
/FishHookTest/FishHookTest.cpp:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/Menooker/FishHook/HEAD/FishHookTest/FishHookTest.cpp


--------------------------------------------------------------------------------
/.gitignore:
--------------------------------------------------------------------------------
 1 | Thumbs.db
 2 | *.obj
 3 | *.exe
 4 | *.pdb
 5 | *.user
 6 | *.aps
 7 | *.pch
 8 | *.vspscc
 9 | *_i.c
10 | *_p.c
11 | *.ncb
12 | *.suo
13 | *.sln.docstates
14 | *.tlb
15 | *.tlh
16 | *.bak
17 | *.cache
18 | *.ilk
19 | *.log
20 | [Bb]in
21 | [Dd]ebug*/
22 | *.lib
23 | *.sbr
24 | obj/
25 | [Rr]elease*/
26 | _ReSharper*/
27 | [Tt]est[Rr]esult*
28 | *.vssscc
29 | $tf*/
30 | FishHook32.opensdf
31 | FishHook32.sdf
32 | ipch/fishhook32-2494e07d/fishhook32-f11f9bec.ipch
33 | *.ipch
34 | *.sdf
35 | *.opensdf


--------------------------------------------------------------------------------
/FishHook32/internals.h:
--------------------------------------------------------------------------------
 1 | #ifndef _FISHHOOK_INTERNALS
 2 | #define _FISHHOOK_INTERNALS
 3 | 
 4 |  #include <aclapi.h>
 5 | #include <Windows.h>
 6 | void __stdcall TrulyUnloadDLLAndExitThread(HMODULE hmod,DWORD exitcode);
 7 | void __stdcall MsgboxW(WCHAR* str,long a);
 8 | void PopHandles();
 9 | void PushHandles();
10 | BOOL ResumeThreadWhenSuspended(HANDLE hThread);
11 | void ShowSID(HANDLE hNewt);
12 | HANDLE MakeNormalToken(HANDLE hToken);
13 | BOOL CopyToken(HANDLE hsrc,HANDLE hdest);
14 | void SetProcessToken(HANDLE hProcess,HANDLE hToken,HANDLE* hNewToken);
15 | bool SetObjectToLowIntegrity(
16 |  HANDLE hObject, SE_OBJECT_TYPE type = SE_KERNEL_OBJECT);
17 | typedef NTSTATUS( NTAPI *ptDbgPrint)(
18 |   IN LPCSTR               Format,
19 |   ... );
20 | extern ptDbgPrint DbgPrint ;
21 | 
22 | #endif


--------------------------------------------------------------------------------
/FishHookTest/ReadMe.txt:
--------------------------------------------------------------------------------
 1 | ========================================================================
 2 |     控制台应用程序：FishHookTest 项目概述
 3 | ========================================================================
 4 | 
 5 | 应用程序向导已为您创建了此 FishHookTest 应用程序。
 6 | 
 7 | 本文件概要介绍组成 FishHookTest 应用程序的每个文件的内容。
 8 | 
 9 | 
10 | FishHookTest.vcxproj
11 |     这是使用应用程序向导生成的 VC++ 项目的主项目文件，
12 |     其中包含生成该文件的 Visual C++ 
13 |     的版本信息，以及有关使用应用程序向导选择的平台、配置和项目功能的信息。
14 | 
15 | FishHookTest.vcxproj.filters
16 |     这是使用“应用程序向导”生成的 VC++ 项目筛选器文件。 
17 |     它包含有关项目文件与筛选器之间的关联信息。 在 IDE 
18 |     中，通过这种关联，在特定节点下以分组形式显示具有相似扩展名的文件。
19 |     例如，“.cpp”文件与“源文件”筛选器关联。
20 | 
21 | FishHookTest.cpp
22 |     这是主应用程序源文件。
23 | 
24 | /////////////////////////////////////////////////////////////////////////////
25 | 其他标准文件：
26 | 
27 | StdAfx.h，StdAfx.cpp
28 |     这些文件用于生成名为 FishHookTest.pch 的预编译头 (PCH) 文件和
29 |     名为 StdAfx.obj 的预编译类型文件。
30 | 
31 | /////////////////////////////////////////////////////////////////////////////
32 | 其他注释：
33 | 
34 | 应用程序向导使用“TODO:”注释来指示应添加或自定义的源代码部分。
35 | 
36 | /////////////////////////////////////////////////////////////////////////////
37 | 


--------------------------------------------------------------------------------
/FishHook32/StringEx.h:
--------------------------------------------------------------------------------
 1 | char* stristr(const char *pcString1, const char *pcString2)
 2 | {
 3 |  char *pCompareStart = (char *)pcString1;
 4 |  char *pCursor_S1, *pCursor_S2;
 5 |  char cSrc, cDst;
 6 |  
 7 |  // If there is a null source string - this is a "no match"
 8 |  
 9 |  if (!pcString1)
10 |   return NULL;
11 |   
12 |  // Null length string 2 - this is a "no match"
13 |  if (!*pcString2)
14 |   return NULL;
15 |   
16 |  // Search from every start pos in the source string
17 |  while (*pCompareStart)
18 |  {
19 |   pCursor_S1 = pCompareStart;
20 |   pCursor_S2 = (char *)pcString2;
21 |   
22 |   // Scan both string
23 |   
24 |   while (*pCursor_S1 && *pCursor_S2)
25 |   {
26 |    cSrc = *pCursor_S1;
27 |    cDst = *pCursor_S2;
28 |    
29 |    // Correct case
30 |    
31 |    if ((cSrc >= 'A') && (cSrc <= 'Z'))
32 |     cSrc -= ('A' - 'a');
33 |     
34 |    if ((cDst >= 'A') && (cDst <= 'Z'))
35 |     cDst -= ('A' - 'a');
36 |     
37 |    if (cSrc != cDst)
38 |     break;
39 |     
40 |    pCursor_S1++;
41 |    pCursor_S2++;
42 |   }
43 |   
44 |   // If string 2 is exhausted - there is a match
45 |   
46 |   if (!*pCursor_S2)
47 |    return(pCompareStart);
48 |    
49 |   // Offset source and continue
50 |   pCompareStart++;
51 |  }
52 |  
53 |  return NULL;
54 | }


--------------------------------------------------------------------------------
/FishHook32/ReadMe.txt:
--------------------------------------------------------------------------------
 1 | ========================================================================
 2 |     动态链接库：FishHook32 项目概述
 3 | ========================================================================
 4 | 
 5 | 应用程序向导已为您创建了此 FishHook32 DLL。
 6 | 
 7 | 本文件概要介绍组成 FishHook32 应用程序的每个文件的内容。
 8 | 
 9 | 
10 | FishHook32.vcxproj
11 |     这是使用应用程序向导生成的 VC++ 项目的主项目文件，
12 |     其中包含生成该文件的 Visual C++ 
13 |     的版本信息，以及有关使用应用程序向导选择的平台、配置和项目功能的信息。
14 | 
15 | FishHook32.vcxproj.filters
16 |     这是使用“应用程序向导”生成的 VC++ 项目筛选器文件。 
17 |     它包含有关项目文件与筛选器之间的关联信息。 在 IDE 
18 |     中，通过这种关联，在特定节点下以分组形式显示具有相似扩展名的文件。
19 |     例如，“.cpp”文件与“源文件”筛选器关联。
20 | 
21 | FishHook32.cpp
22 |     这是主 DLL 源文件。
23 | 
24 | 	此 DLL 在创建时不导出任何符号。 因此，在生成此 DLL 时
25 |  	生成时不会产生 .lib 文件。 如果希望此项目
26 |  	成为其他某个项目的项目依赖项，则需要
27 |  	添加代码以从 DLL 导出某些符号，
28 |  	以便产生一个导出库，或者，也可以在项目“属性页”对话框中的
29 |  	“链接器”文件夹中，将“常规”属性页上的
30 |  	“忽略输入库”属性设置为“是”。
31 | 
32 | /////////////////////////////////////////////////////////////////////////////
33 | 其他标准文件：
34 | 
35 | StdAfx.h，StdAfx.cpp
36 |     这些文件用于生成名为 FishHook32.pch 的预编译头 (PCH) 文件和
37 |     名为 StdAfx.obj 的预编译类型文件。
38 | 
39 | /////////////////////////////////////////////////////////////////////////////
40 | 其他注释：
41 | 
42 | 应用程序向导使用“TODO:”注释来指示应添加或自定义的源代码部分。
43 | 
44 | /////////////////////////////////////////////////////////////////////////////
45 | 


--------------------------------------------------------------------------------
/FishHookTest/FishHookTest.vcxproj.filters:
--------------------------------------------------------------------------------
 1 | <?xml version="1.0" encoding="utf-8"?>
 2 | <Project ToolsVersion="4.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
 3 |   <ItemGroup>
 4 |     <Filter Include="源文件">
 5 |       <UniqueIdentifier>{4FC737F1-C7A5-4376-A066-2A32D752A2FF}</UniqueIdentifier>
 6 |       <Extensions>cpp;c;cc;cxx;def;odl;idl;hpj;bat;asm;asmx</Extensions>
 7 |     </Filter>
 8 |     <Filter Include="头文件">
 9 |       <UniqueIdentifier>{93995380-89BD-4b04-88EB-625FBE52EBFB}</UniqueIdentifier>
10 |       <Extensions>h;hpp;hxx;hm;inl;inc;xsd</Extensions>
11 |     </Filter>
12 |     <Filter Include="资源文件">
13 |       <UniqueIdentifier>{67DA6AB6-F800-4c08-8B7A-83BB121AAD01}</UniqueIdentifier>
14 |       <Extensions>rc;ico;cur;bmp;dlg;rc2;rct;bin;rgs;gif;jpg;jpeg;jpe;resx;tiff;tif;png;wav;mfcribbon-ms</Extensions>
15 |     </Filter>
16 |   </ItemGroup>
17 |   <ItemGroup>
18 |     <None Include="ReadMe.txt" />
19 |   </ItemGroup>
20 |   <ItemGroup>
21 |     <ClInclude Include="stdafx.h">
22 |       <Filter>头文件</Filter>
23 |     </ClInclude>
24 |     <ClInclude Include="targetver.h">
25 |       <Filter>头文件</Filter>
26 |     </ClInclude>
27 |   </ItemGroup>
28 |   <ItemGroup>
29 |     <ClCompile Include="stdafx.cpp">
30 |       <Filter>源文件</Filter>
31 |     </ClCompile>
32 |     <ClCompile Include="FishHookTest.cpp">
33 |       <Filter>源文件</Filter>
34 |     </ClCompile>
35 |   </ItemGroup>
36 | </Project>


--------------------------------------------------------------------------------
/FishHook32/exports.h:
--------------------------------------------------------------------------------
 1 | #include "Def.h"
 2 | 
 3 | #define FH_TOKEN_ERROR 2
 4 | #define FH_CREATE_PROCESS_ERROR 3
 5 | 
 6 | MYLIBAPI long __stdcall GetDebugerPid(long* p32,long* p64);
 7 | MYLIBAPI long FHPrint(char *format,...);
 8 | MYLIBAPI void* __stdcall GetSharedInfo();
 9 | MYLIBAPI void* __stdcall GetCustomSharedMemory();
10 | 
11 | MYLIBAPI long __stdcall CreateSyncBlock(WCHAR* lpEvent,WCHAR* lpEventBack,WCHAR* lpMutex,SharedInfo* psinfo,OUT SyncBlock* psb);
12 | MYLIBAPI HANDLE __stdcall EnterSharedMemory(SyncBlock* psb);
13 | MYLIBAPI long __stdcall LeaveSharedMemory(HANDLE hM,SyncBlock* psb);
14 | MYLIBAPI long __stdcall CallFilter(SyncBlock* psb);
15 | MYLIBAPI long __stdcall CreateFilterPort(WCHAR* lpEvent,WCHAR* lpEventBack,WCHAR* lpMutex,SharedInfo* psinfo);
16 | MYLIBAPI long __stdcall CreateNormalProcess(WCHAR* path,HANDLE* pProcess);
17 | MYLIBAPI long __stdcall SetIATHookByAPC(HANDLE hProcess, HANDLE PID,void * callproc,FishHookTypes *pHookid,long num);
18 | MYLIBAPI long __stdcall SetAPIHook64(long pid,long callproc,FishHookTypes *pDLLid,long num);
19 | MYLIBAPI BOOL __stdcall IsWow64ProcessEx(HANDLE hProcess);
20 | MYLIBAPI void __stdcall InitFishHook();
21 | MYLIBAPI long __stdcall SetCustomHook(char* oldName,char* oldMod, char* newName, char* newMod, char* oldProcAddr,long is64);
22 | MYLIBAPI HANDLE __stdcall ListenOutput(ptOutputProc p);
23 | #ifdef _WIN64
24 | MYLIBAPI  void CALLBACK DLLEntry(HWND hwnd, HINSTANCE hinst, LPWSTR lpszCmdLine,int nCmdShow);
25 | #endif
26 | MYLIBAPI  void CALLBACK GetAddressProc(HWND hwnd, HINSTANCE hinst, LPWSTR lpszCmdLine,int nCmdShow);


--------------------------------------------------------------------------------
/FishHook32/var.h:
--------------------------------------------------------------------------------
 1 | #ifndef _H_VAR
 2 | #define _H_VAR
 3 | 
 4 | #include "def.h"
 5 | #include "NativeApi.h"
 6 | 
 7 | extern void Logn(char* x, long y);
 8 | extern HANDLE hMod;
 9 | extern HHOOK hhook;
10 | 
11 | extern HANDLE hEvent;
12 | extern HANDLE hEventBack;
13 | #ifdef _WIN64
14 | 	extern HANDLE hEvent32;
15 | 	extern HANDLE hEventBack32;
16 | 	extern HANDLE hEProcess;
17 | 	extern HANDLE hEProcessBack;
18 | 	extern HANDLE hEventOutput;
19 | 	extern HANDLE hMu64;
20 | #else
21 | 	extern HANDLE hEvent64;
22 | 	extern HANDLE hEventBack64;
23 | 	extern HANDLE hMu;
24 | #endif
25 | extern HANDLE hEventOutput;
26 | //HANDLE hMsInfo64=0;
27 | //HANDLE hMhook64=0;
28 | extern HANDLE hEProcess;
29 | extern HANDLE hEProcessBack;
30 | extern HANDLE hEProcess32;
31 | extern HANDLE hEProcessBack32;
32 | extern HANDLE hEventRelease;
33 | #ifdef _WIN64
34 | 	extern HANDLE hEventHookBack32;
35 | 	extern DWORD CurrentPid;
36 | 	extern SECURITY_ATTRIBUTES SecAttr;  
37 | 	extern SECURITY_DESCRIPTOR SecDesc;  
38 | #else
39 | 	extern HANDLE hEventHookBack;
40 | #endif
41 | 
42 | extern HANDLE hEventHookBack64;
43 | extern long breakpoint;
44 | extern HANDLE hMapFile;
45 | extern char CurrentDLLPath[255];
46 | extern SharedInfo* psInfo64;
47 | extern SharedInfo sInfo;
48 | extern PSHCreateProcess pSHCreateProcess;
49 | extern SharedMemory3264* psm;
50 | extern ToHookInfo autoHook;
51 | extern ToHookInfo thInfo;
52 | extern HANDLE toHookPid[128];
53 | extern long NeedToLoad;
54 | extern SECURITY_ATTRIBUTES SecAttr;  
55 | extern SECURITY_DESCRIPTOR SecDesc;  
56 | extern DWORD CurrentPid;
57 | //extern RTLINITUNICODESTRING RtlInitUnicodeString;
58 | extern LONG (WINAPI *pRtlUnicodeStringToAnsiString)(PVOID, PVOID, BOOL);
59 | extern NTSTATUS (WINAPI * pRtlAnsiStringToUnicodeString)(PVOID,PVOID,BOOL);
60 | extern ZWSETVALUEKEY ZwSetValueKey;
61 | extern ZWOPENKEY ZwOpenKey;
62 | extern ZWCLOSE ZwClose;
63 | extern ZWQUERYKEY ZwQueryKey;
64 | 
65 | extern HANDLE hMapFile;
66 | extern WCHAR *pClasses[];
67 | extern WCHAR *pSIDs[];
68 | extern int Classcount;
69 | extern int SIDcount;
70 | extern char* PrintBuf;
71 | 
72 | #endif


--------------------------------------------------------------------------------
/FishHook32.sln:
--------------------------------------------------------------------------------
 1 | 
 2 | Microsoft Visual Studio Solution File, Format Version 11.00
 3 | # Visual Studio 2010
 4 | Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "FishHook32", "FishHook32\FishHook32.vcxproj", "{A40684CD-0584-456A-AE3E-C862900377FF}"
 5 | EndProject
 6 | Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "FishHookTest", "FishHookTest\FishHookTest.vcxproj", "{738BD3A8-3D78-42C7-A5E5-BDFDAB94005E}"
 7 | EndProject
 8 | Project("{2150E333-8FDC-42A3-9474-1A3956D46DE8}") = "Solution Items", "Solution Items", "{6D216595-5075-4980-9B1A-3F9045330608}"
 9 | 	ProjectSection(SolutionItems) = preProject
10 | 		Readme.md = Readme.md
11 | 	EndProjectSection
12 | EndProject
13 | Global
14 | 	GlobalSection(SolutionConfigurationPlatforms) = preSolution
15 | 		Debug|Win32 = Debug|Win32
16 | 		Debug|x64 = Debug|x64
17 | 		Release|Win32 = Release|Win32
18 | 		Release|x64 = Release|x64
19 | 	EndGlobalSection
20 | 	GlobalSection(ProjectConfigurationPlatforms) = postSolution
21 | 		{A40684CD-0584-456A-AE3E-C862900377FF}.Debug|Win32.ActiveCfg = Debug|Win32
22 | 		{A40684CD-0584-456A-AE3E-C862900377FF}.Debug|Win32.Build.0 = Debug|Win32
23 | 		{A40684CD-0584-456A-AE3E-C862900377FF}.Debug|x64.ActiveCfg = Debug|x64
24 | 		{A40684CD-0584-456A-AE3E-C862900377FF}.Debug|x64.Build.0 = Debug|x64
25 | 		{A40684CD-0584-456A-AE3E-C862900377FF}.Release|Win32.ActiveCfg = Release|Win32
26 | 		{A40684CD-0584-456A-AE3E-C862900377FF}.Release|Win32.Build.0 = Release|Win32
27 | 		{A40684CD-0584-456A-AE3E-C862900377FF}.Release|x64.ActiveCfg = Release|x64
28 | 		{A40684CD-0584-456A-AE3E-C862900377FF}.Release|x64.Build.0 = Release|x64
29 | 		{738BD3A8-3D78-42C7-A5E5-BDFDAB94005E}.Debug|Win32.ActiveCfg = Debug|Win32
30 | 		{738BD3A8-3D78-42C7-A5E5-BDFDAB94005E}.Debug|Win32.Build.0 = Debug|Win32
31 | 		{738BD3A8-3D78-42C7-A5E5-BDFDAB94005E}.Debug|x64.ActiveCfg = Debug|Win32
32 | 		{738BD3A8-3D78-42C7-A5E5-BDFDAB94005E}.Release|Win32.ActiveCfg = Release|Win32
33 | 		{738BD3A8-3D78-42C7-A5E5-BDFDAB94005E}.Release|Win32.Build.0 = Release|Win32
34 | 		{738BD3A8-3D78-42C7-A5E5-BDFDAB94005E}.Release|x64.ActiveCfg = Release|Win32
35 | 	EndGlobalSection
36 | 	GlobalSection(SolutionProperties) = preSolution
37 | 		HideSolutionNode = FALSE
38 | 	EndGlobalSection
39 | EndGlobal
40 | 


--------------------------------------------------------------------------------
/FishHook32/FishHook32.vcxproj.filters:
--------------------------------------------------------------------------------
 1 | <?xml version="1.0" encoding="utf-8"?>
 2 | <Project ToolsVersion="4.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
 3 |   <ItemGroup>
 4 |     <Filter Include="源文件">
 5 |       <UniqueIdentifier>{4FC737F1-C7A5-4376-A066-2A32D752A2FF}</UniqueIdentifier>
 6 |       <Extensions>cpp;c;cc;cxx;def;odl;idl;hpj;bat;asm;asmx</Extensions>
 7 |     </Filter>
 8 |     <Filter Include="头文件">
 9 |       <UniqueIdentifier>{93995380-89BD-4b04-88EB-625FBE52EBFB}</UniqueIdentifier>
10 |       <Extensions>h;hpp;hxx;hm;inl;inc;xsd</Extensions>
11 |     </Filter>
12 |     <Filter Include="资源文件">
13 |       <UniqueIdentifier>{67DA6AB6-F800-4c08-8B7A-83BB121AAD01}</UniqueIdentifier>
14 |       <Extensions>rc;ico;cur;bmp;dlg;rc2;rct;bin;rgs;gif;jpg;jpeg;jpe;resx;tiff;tif;png;wav;mfcribbon-ms</Extensions>
15 |     </Filter>
16 |   </ItemGroup>
17 |   <ItemGroup>
18 |     <None Include="ReadMe.txt" />
19 |   </ItemGroup>
20 |   <ItemGroup>
21 |     <ClInclude Include="stdafx.h">
22 |       <Filter>头文件</Filter>
23 |     </ClInclude>
24 |     <ClInclude Include="targetver.h">
25 |       <Filter>头文件</Filter>
26 |     </ClInclude>
27 |     <ClInclude Include="hi.h">
28 |       <Filter>头文件</Filter>
29 |     </ClInclude>
30 |     <ClInclude Include="Def.h">
31 |       <Filter>头文件</Filter>
32 |     </ClInclude>
33 |     <ClInclude Include="APC.H">
34 |       <Filter>头文件</Filter>
35 |     </ClInclude>
36 |     <ClInclude Include="var.h">
37 |       <Filter>头文件</Filter>
38 |     </ClInclude>
39 |     <ClInclude Include="StringEx.h">
40 |       <Filter>头文件</Filter>
41 |     </ClInclude>
42 |     <ClInclude Include="NativeApi.h">
43 |       <Filter>头文件</Filter>
44 |     </ClInclude>
45 |     <ClInclude Include="HookedFunctions.h">
46 |       <Filter>头文件</Filter>
47 |     </ClInclude>
48 |     <ClInclude Include="internals.h">
49 |       <Filter>头文件</Filter>
50 |     </ClInclude>
51 |     <ClInclude Include="exports.h">
52 |       <Filter>头文件</Filter>
53 |     </ClInclude>
54 |   </ItemGroup>
55 |   <ItemGroup>
56 |     <ClCompile Include="stdafx.cpp">
57 |       <Filter>源文件</Filter>
58 |     </ClCompile>
59 |     <ClCompile Include="FishHook32.cpp">
60 |       <Filter>源文件</Filter>
61 |     </ClCompile>
62 |     <ClCompile Include="dllmain.cpp">
63 |       <Filter>源文件</Filter>
64 |     </ClCompile>
65 |     <ClCompile Include="HookedFunctions.cpp">
66 |       <Filter>源文件</Filter>
67 |     </ClCompile>
68 |     <ClCompile Include="IATDLL.cpp">
69 |       <Filter>源文件</Filter>
70 |     </ClCompile>
71 |     <ClCompile Include="internals.cpp">
72 |       <Filter>源文件</Filter>
73 |     </ClCompile>
74 |     <ClCompile Include="exports.cpp">
75 |       <Filter>源文件</Filter>
76 |     </ClCompile>
77 |   </ItemGroup>
78 | </Project>


--------------------------------------------------------------------------------
/Manual.md:
--------------------------------------------------------------------------------
 1 | # FishHook API
 2 | 
 3 | ## First thing first
 4 | You should call InitFishHook() before you call any FishHook APIs in debugger!
 5 | 
 6 | ## APIs only for debugger
 7 | These APIs should only be called in x86 debugger.
 8 | ### SetIATHookByAPC
 9 | C prototype
10 | ```c
11 | long __stdcall SetIATHookByAPC(HANDLE hProcess, HANDLE PID,void * callproc,FishHookTypes *pHookid,long num);
12 | ```
13 | Description: Use remote thread to inject FishHook DLL into the target 32-bit process, and set the custom hooks and filter hooks specified in parameter pHookid.
14 | 
15 | Parameters:
16 | 
17 |   hProcess : the handle to the target process. The handle should have full access to the process.
18 |   
19 |   PID : the PID of the target process
20 |   
21 |   callproc : the user-defined filter callback function, can be null if you don't want to filter the functions.
22 |   
23 |   pHookid : the array of APIs to hook for the user-defined filter, FishHookTypes is defined in "def.h"
24 |   
25 |   num : the number of elements in pHookid
26 |   
27 | Returns: 0 for success.
28 | 
29 | If you what to hook all process created by a target process, whether you want to filter the "CreateProcess" event or not, you should set {HOOK_CreateProcessInternalW,HOOK_SHCreateProcess} in Windows 7 or {HOOK_CreateProcessInternalW,HOOK_AicLaunchAdminProcess} in Windows 10. If these hooks are set, FishHook will automatically inject into the newly created processes of the hooked process and set the filters and custome hooks specified by SetIATHookByAPC or SetAPIHook64. 
30 | 
31 | ### SetAPIHook64
32 | C prototype
33 | ```c
34 | long __stdcall SetAPIHook64(long pid,long callproc,FishHookTypes *pDLLid,long num);
35 | ```
36 | Description: Use remote thread to inject FishHook DLL into the target 64-bit process.
37 | 
38 | Returns: 0 for success.
39 | 
40 | ### SetCustomHook
41 | C prototype
42 | ```c
43 | long __stdcall SetCustomHook(char* oldName,char* oldMod, char* newName, char* newMod, char* oldProcAddr,long is64);
44 | ```
45 | Description: Register the custom hook in FishHook. Note that the custom hooks are not committed in the target process until SetIATHookByAPC or SetAPIHook64 is called. 
46 | 
47 | Parameters: 
48 | 
49 |   oldName : the name of the API to hook
50 |   
51 |   oldMod : the name of DLL where the API to hook is in
52 |   
53 |   newName : the exported name of the custom "fake" API to replace the target API in DLL. You should use the dumpbin tool to see your fake API's exported name in your DLL
54 |   
55 |   newMod : the name of DLL where you fake API is in
56 |   
57 |   oldProcAddr : the exported name of the variable to hold the address of the true API replaced by FishHook. You should export a function pointer variable in your DLL. FishHook will set the variable to hold the address of true API function.
58 |   
59 |   is64 : Is the DLL 64-bit or 32-bit? Set to 1 if true,  otherwise set to 0.
60 | 
61 | ### ListenOutput
62 | C prototype
63 | ```c
64 | HANDLE __stdcall ListenOutput(ptOutputProc p);
65 | typedef void (__stdcall *ptOutputProc)(char*);
66 | ```
67 | Description: Create a thread to listen the debug output of hooked processes.
68 | 
69 | ## Utility APIs
70 | These APIs can be called in both hooked processes and the debugger.
71 | 
72 | ### GetCustomSharedMemory
73 | ```c
74 | void* __stdcall GetCustomSharedMemory();
75 | ```
76 | Description: Get the address of the memory shared by all hooked processes and the debugger. The size of shared memory is 1024+sizeof(SharedInfo) bytes.
77 | 
78 | ###FHPrint
79 | ```c
80 | long FHPrint(char *format,...);
81 | ```
82 | Description: printf like debug output function. The output will be listened by the thread and the callback specified by ListenOutput in the debugger.
83 | You can call GetProcAddress(GetModuleHandle("FishHook32.dll"),"FHPrint") to get the address of this API in hooked function
84 | 


--------------------------------------------------------------------------------
/FishHook32/hi.h:
--------------------------------------------------------------------------------
  1 | // ITAHook.cpp : Defines the entry point for the console application.
  2 | //
  3 | #pragma once
  4 | #include "stdafx.h"
  5 | 
  6 | 
  7 | 
  8 |  #include <windows.h>
  9 | #include <imagehlp.h>
 10 | 
 11 |  //#include <Dbghelp.h>
 12 | 
 13 |  #pragma comment(lib,"imagehlp.lib")
 14 |  #pragma comment(lib,"User32.lib")
 15 | 
 16 |  
 17 | 
 18 | 
 19 | 
 20 | 
 21 | int replace_IAT(const char *pDllName,const char *pApiName,void *pNew,PVOID * pOld)
 22 |  {
 23 | 
 24 |   HANDLE hProcess = ::GetModuleHandle (NULL);
 25 |   DWORD dwSize = 0;
 26 |   PIMAGE_IMPORT_DESCRIPTOR pImageImport = (PIMAGE_IMPORT_DESCRIPTOR)ImageDirectoryEntryToData(hProcess,TRUE,
 27 |    IMAGE_DIRECTORY_ENTRY_IMPORT,&dwSize);
 28 |   if (NULL == pImageImport)
 29 |    return 1;
 30 |   PIMAGE_IMPORT_BY_NAME pImageImportByName = NULL;
 31 |   PIMAGE_THUNK_DATA  pImageThunkOriginal = NULL;
 32 |   PIMAGE_THUNK_DATA  pImageThunkReal  = NULL;
 33 |   while (pImageImport->Name)
 34 |   {
 35 |    if (0 == strcmpi((char*)((PBYTE)hProcess+pImageImport->Name),pDllName))
 36 |    {
 37 |     break;
 38 |    }
 39 |    ++pImageImport;
 40 |   }
 41 |   if (! pImageImport->Name)
 42 |    return 2;
 43 |   pImageThunkOriginal = (PIMAGE_THUNK_DATA)((PBYTE)hProcess+pImageImport->OriginalFirstThunk  );
 44 |   pImageThunkReal = (PIMAGE_THUNK_DATA)((PBYTE)hProcess+pImageImport->FirstThunk   );
 45 |   while (pImageThunkOriginal->u1.Function)
 46 |   {
 47 |    if ((pImageThunkOriginal->u1 .Ordinal & IMAGE_ORDINAL_FLAG) != IMAGE_ORDINAL_FLAG)
 48 |    {
 49 |     pImageImportByName = (PIMAGE_IMPORT_BY_NAME)((PBYTE)hProcess+(long)pImageThunkOriginal->u1 .AddressOfData );
 50 |     //MessageBox(0,(char*)pImageImportByName->Name,"",64);
 51 | 	if (0 == strcmpi(pApiName,(char*)pImageImportByName->Name))
 52 |     {
 53 | 
 54 |      MEMORY_BASIC_INFORMATION mbi_thunk;
 55 |      VirtualQuery(pImageThunkReal, &mbi_thunk, sizeof(MEMORY_BASIC_INFORMATION)); 
 56 |      VirtualProtect(mbi_thunk.BaseAddress,mbi_thunk.RegionSize, PAGE_READWRITE, &mbi_thunk.Protect); 
 57 | 
 58 |       *pOld =(PVOID) pImageThunkReal->u1.Function; 
 59 | #ifdef _WIN64
 60 | 	  pImageThunkReal->u1.Function = (ULONGLONG)pNew;
 61 | #else
 62 |       pImageThunkReal->u1.Function = (DWORD)pNew;
 63 | #endif
 64 |      DWORD dwOldProtect; 
 65 |      VirtualProtect(mbi_thunk.BaseAddress, mbi_thunk.RegionSize, mbi_thunk.Protect, &dwOldProtect); 
 66 | 
 67 |      break;
 68 |     }
 69 |    }
 70 |    ++pImageThunkOriginal;
 71 |    ++pImageThunkReal;
 72 |   }
 73 |   return 0;
 74 |  }
 75 | 
 76 |  int chk_IAT(const char *pDllName,const char *pApiName ,void** pOut)
 77 |  {
 78 | 
 79 |   HANDLE hProcess = ::GetModuleHandle (NULL);
 80 |   DWORD dwSize = 0;
 81 |   PIMAGE_IMPORT_DESCRIPTOR pImageImport = (PIMAGE_IMPORT_DESCRIPTOR)ImageDirectoryEntryToData(hProcess,TRUE,
 82 |    IMAGE_DIRECTORY_ENTRY_IMPORT,&dwSize);
 83 |   if (NULL == pImageImport)
 84 |    return 1;
 85 |   PIMAGE_IMPORT_BY_NAME pImageImportByName = NULL;
 86 |   PIMAGE_THUNK_DATA  pImageThunkOriginal = NULL;
 87 |   PIMAGE_THUNK_DATA  pImageThunkReal  = NULL;
 88 |   while (pImageImport->Name)
 89 |   {
 90 |    if (0 == strcmpi((char*)((PBYTE)hProcess+pImageImport->Name),pDllName))
 91 |    {
 92 |     break;
 93 |    }
 94 |    ++pImageImport;
 95 |   }
 96 |   if (! pImageImport->Name)
 97 |    return 2;
 98 |   pImageThunkOriginal = (PIMAGE_THUNK_DATA)((PBYTE)hProcess+pImageImport->OriginalFirstThunk  );
 99 |   pImageThunkReal = (PIMAGE_THUNK_DATA)((PBYTE)hProcess+pImageImport->FirstThunk   );
100 |   while (pImageThunkOriginal->u1.Function)
101 |   {
102 |    if ((pImageThunkOriginal->u1 .Ordinal & IMAGE_ORDINAL_FLAG) != IMAGE_ORDINAL_FLAG)
103 |    {
104 |     pImageImportByName = (PIMAGE_IMPORT_BY_NAME)((PBYTE)hProcess+(long)pImageThunkOriginal->u1 .AddressOfData );
105 |     //MessageBox(0,(char*)pImageImportByName->Name,"",64);
106 | 	if (0 == strcmpi(pApiName,(char*)pImageImportByName->Name))
107 |     {
108 | 		
109 | 	    *pOut=(PVOID) pImageThunkReal->u1.Function; 
110 | 
111 |      break;
112 |     }
113 |    }
114 |    ++pImageThunkOriginal;
115 |    ++pImageThunkReal;
116 |   }
117 |   return 0;
118 |  }
119 | 
120 |  


--------------------------------------------------------------------------------
/FishHookTest/FishHookTest.vcxproj:
--------------------------------------------------------------------------------
 1 | <?xml version="1.0" encoding="utf-8"?>
 2 | <Project DefaultTargets="Build" ToolsVersion="4.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
 3 |   <ItemGroup Label="ProjectConfigurations">
 4 |     <ProjectConfiguration Include="Debug|Win32">
 5 |       <Configuration>Debug</Configuration>
 6 |       <Platform>Win32</Platform>
 7 |     </ProjectConfiguration>
 8 |     <ProjectConfiguration Include="Release|Win32">
 9 |       <Configuration>Release</Configuration>
10 |       <Platform>Win32</Platform>
11 |     </ProjectConfiguration>
12 |   </ItemGroup>
13 |   <PropertyGroup Label="Globals">
14 |     <ProjectGuid>{738BD3A8-3D78-42C7-A5E5-BDFDAB94005E}</ProjectGuid>
15 |     <Keyword>Win32Proj</Keyword>
16 |     <RootNamespace>FishHookTest</RootNamespace>
17 |   </PropertyGroup>
18 |   <Import Project="$(VCTargetsPath)\Microsoft.Cpp.Default.props" />
19 |   <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'" Label="Configuration">
20 |     <ConfigurationType>Application</ConfigurationType>
21 |     <UseDebugLibraries>true</UseDebugLibraries>
22 |     <CharacterSet>Unicode</CharacterSet>
23 |   </PropertyGroup>
24 |   <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|Win32'" Label="Configuration">
25 |     <ConfigurationType>Application</ConfigurationType>
26 |     <UseDebugLibraries>false</UseDebugLibraries>
27 |     <WholeProgramOptimization>true</WholeProgramOptimization>
28 |     <CharacterSet>Unicode</CharacterSet>
29 |   </PropertyGroup>
30 |   <Import Project="$(VCTargetsPath)\Microsoft.Cpp.props" />
31 |   <ImportGroup Label="ExtensionSettings">
32 |   </ImportGroup>
33 |   <ImportGroup Label="PropertySheets" Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'">
34 |     <Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />
35 |   </ImportGroup>
36 |   <ImportGroup Label="PropertySheets" Condition="'$(Configuration)|$(Platform)'=='Release|Win32'">
37 |     <Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />
38 |   </ImportGroup>
39 |   <PropertyGroup Label="UserMacros" />
40 |   <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'">
41 |     <LinkIncremental>true</LinkIncremental>
42 |   </PropertyGroup>
43 |   <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|Win32'">
44 |     <LinkIncremental>false</LinkIncremental>
45 |   </PropertyGroup>
46 |   <ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'">
47 |     <ClCompile>
48 |       <PrecompiledHeader>
49 |       </PrecompiledHeader>
50 |       <WarningLevel>Level3</WarningLevel>
51 |       <Optimization>Disabled</Optimization>
52 |       <PreprocessorDefinitions>WIN32;_DEBUG;_CONSOLE;%(PreprocessorDefinitions)</PreprocessorDefinitions>
53 |     </ClCompile>
54 |     <Link>
55 |       <SubSystem>Console</SubSystem>
56 |       <GenerateDebugInformation>true</GenerateDebugInformation>
57 |       <AdditionalDependencies>$(SolutionDir)$(Configuration)\FishHook32.lib;%(AdditionalDependencies)</AdditionalDependencies>
58 |       <UACExecutionLevel>RequireAdministrator</UACExecutionLevel>
59 |     </Link>
60 |   </ItemDefinitionGroup>
61 |   <ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Release|Win32'">
62 |     <ClCompile>
63 |       <WarningLevel>Level3</WarningLevel>
64 |       <PrecompiledHeader>
65 |       </PrecompiledHeader>
66 |       <Optimization>MaxSpeed</Optimization>
67 |       <FunctionLevelLinking>true</FunctionLevelLinking>
68 |       <IntrinsicFunctions>true</IntrinsicFunctions>
69 |       <PreprocessorDefinitions>WIN32;NDEBUG;_CONSOLE;%(PreprocessorDefinitions)</PreprocessorDefinitions>
70 |     </ClCompile>
71 |     <Link>
72 |       <SubSystem>Console</SubSystem>
73 |       <GenerateDebugInformation>true</GenerateDebugInformation>
74 |       <EnableCOMDATFolding>true</EnableCOMDATFolding>
75 |       <OptimizeReferences>true</OptimizeReferences>
76 |     </Link>
77 |   </ItemDefinitionGroup>
78 |   <ItemGroup>
79 |     <None Include="ReadMe.txt" />
80 |   </ItemGroup>
81 |   <ItemGroup>
82 |     <ClInclude Include="stdafx.h" />
83 |     <ClInclude Include="targetver.h" />
84 |   </ItemGroup>
85 |   <ItemGroup>
86 |     <ClCompile Include="FishHookTest.cpp" />
87 |     <ClCompile Include="stdafx.cpp" />
88 |   </ItemGroup>
89 |   <Import Project="$(VCTargetsPath)\Microsoft.Cpp.targets" />
90 |   <ImportGroup Label="ExtensionTargets">
91 |   </ImportGroup>
92 | </Project>


--------------------------------------------------------------------------------
/FishHook32/Def.h:
--------------------------------------------------------------------------------
  1 | #ifndef _H_DEF
  2 | #define _H_DEF
  3 | 
  4 | #include <windows.h>
  5 | #include <ShellAPI.h>
  6 | 
  7 | #include<detours.h>
  8 | #ifdef _WIN64
  9 | #pragma comment(lib, "detours64.lib")  
 10 | #else
 11 | #pragma comment(lib, "detours.lib")  
 12 | #endif
 13 | #define REGDLLNUM 11
 14 | #define CHOOK_NUM 10
 15 | 
 16 | #define FILTER_CREATE_PROCESS_PRE 3
 17 | #define FILTER_CREATE_PROCESS_POST 10
 18 | #define FILTER_SET_REG_VALUE 8
 19 | #define FILTER_CREATE_FILE 11
 20 | 
 21 | typedef enum
 22 | {
 23 | 	HOOK_vbaStrCmp=0,
 24 | 	HOOK_SwitchDesktop,
 25 | 	HOOK_CreateProcessA,
 26 | 	HOOK_CreateProcessW,
 27 | 	HOOK_MessageBoxA,
 28 | 	HOOK_MessageBoxW,
 29 | 	HOOK_CreateProcessInternalW,
 30 | 	HOOK_ShellExecuteExW,
 31 | 	HOOK_ZwSetValueKey,
 32 | 	HOOK_SHCreateProcess,
 33 | 	HOOK_NtCreateFile,
 34 | 	HOOK_AicLaunchAdminProcess,
 35 | }FishHookTypes;
 36 | 
 37 | #ifndef MYLIBAPI
 38 | #define MYLIBAPI extern "C"__declspec(dllimport)
 39 | #endif
 40 | 
 41 | 
 42 | #ifdef _WIN64
 43 | #define sInfo (*psInfo)
 44 | #endif
 45 | struct DllFunctionContext
 46 | {
 47 |     long Unknown;
 48 |     long ModuleHandle;
 49 |     PVOID FunctionPtr;
 50 | };
 51 | 
 52 | 
 53 | struct DLLHookInfo
 54 | {
 55 | 	char ModName[MAX_PATH];
 56 | 	char ProcName[MAX_PATH];
 57 | 	PVOID pProc;
 58 | 	void **ppOld;
 59 | };
 60 | 
 61 | struct CustomHookInfo
 62 | {
 63 | 	void* pNew;
 64 | 	void* pOld;
 65 | 	HMODULE hMod;
 66 | };
 67 | 
 68 | struct DLLInfo
 69 | {
 70 | char* ModuleName;char* FunctionName;long Unknown;PVOID ContextPtr;
 71 | };
 72 | 
 73 | 
 74 | 
 75 | 
 76 | struct SharedInfo
 77 | {
 78 | 	int type;
 79 | 	int pid;
 80 | 	int ret;
 81 | 	union data
 82 | 	{
 83 | 		char str[1024];
 84 | 		struct strlong
 85 | 		{
 86 | 			char str1[511];
 87 | 			long p1;
 88 | 		}strlong;
 89 | 		struct strd
 90 | 		{
 91 | 			char str1[512];
 92 | 			char str2[512];
 93 | 		}strd;
 94 |         struct Param2
 95 | 		{
 96 | 			long p1;
 97 | 			long p2;
 98 | 		}Param2;
 99 | 		int intArray[255];
100 | 
101 | 	}data;
102 | 	
103 | };
104 | 
105 |  struct ToHookInfo
106 |  {
107 | 	 int count;
108 | 	 FishHookTypes DLLid[20];
109 |  };
110 | 
111 |  struct CustomHook/*10-25 new*/
112 |  {
113 | 	 char oldName[40];
114 | 	 char oldMod[MAX_PATH];
115 | 	 char newName[40];
116 | 	 char newMod[MAX_PATH];
117 | 	 char oldProcAddr[40];
118 |  };
119 |  
120 | 
121 | struct InheritedHandles32
122 | {
123 | #ifdef _WIN64
124 | #define MHANDLE long
125 | #else
126 | #define MHANDLE HANDLE
127 | #endif
128 | 	MHANDLE hEvent;
129 | 	MHANDLE hEventBack;
130 | 	MHANDLE hEvent64;
131 | 	MHANDLE hEventBack64;
132 | 	MHANDLE hEProcess;
133 | 	MHANDLE hEProcessBack;
134 | 	MHANDLE hEProcess32;
135 | 	MHANDLE hEProcessBack32;
136 | 	MHANDLE hEventRelease;
137 | 	MHANDLE hEventOutput;
138 | 	MHANDLE hEventHookBack32;
139 | 	MHANDLE hEventHookBack64;
140 | #undef MHANDLE
141 | };
142 | 
143 | struct SharedMemory3264
144 | {
145 | 	SharedInfo si;
146 | 	CustomHook ch[CHOOK_NUM];
147 | 	CustomHook ch64[CHOOK_NUM];
148 | 	long DebugerPid;
149 | 	long DebugerPid64;
150 | 	long isWatching;
151 | 	char PrintBuf[500];
152 | 	InheritedHandles32 handle32;
153 | 	long suspend64;
154 | 	long suspend32;
155 | 	char CustomBuf[1024+sizeof(SharedInfo)];
156 | };
157 | 
158 | 
159 | struct SyncBlock{
160 | 	HANDLE hEvent;
161 | 	HANDLE hEventBack;
162 | 	WCHAR* lpMutex;
163 | 	SharedInfo* psinfo;
164 | };
165 | 
166 | 
167 |  //typedef
168 | typedef void (__stdcall *ptOutputProc)(char*);
169 | typedef long (__stdcall *ptrGetAddr)(HMODULE hModule,LPCSTR lpProcName );
170 | typedef long (__stdcall *ptrDllCall)(DLLInfo *);
171 |  typedef long( __stdcall *_vbaStrCmp)(PVOID str1,PVOID str2);
172 |  typedef int (__stdcall *OLD_MessageBox)( HWND hWnd, LPCTSTR lpText, LPCTSTR lpCaption,UINT uType );
173 |  typedef int (__stdcall *OLD_MessageBoxW)( HWND hWnd, PWCHAR lpwText, LPCWSTR lpCaption,UINT uType );
174 |  typedef BOOL (_stdcall *PFNCreateProcessInternalW) 
175 |  ( 
176 | HANDLE hToken, LPCWSTR lpApplicationName,LPWSTR lpCommandLine,LPSECURITY_ATTRIBUTES lpProcessAttributes, 
177 |      LPSECURITY_ATTRIBUTES lpThreadAttributes,        
178 |      BOOL bInheritHandles,        
179 |      DWORD dwCreationFlags, 
180 |      LPVOID lpEnvironment,        
181 |      LPCWSTR lpCurrentDirectory,        
182 |      LPSTARTUPINFOW lpStartupInfo,        
183 |      LPPROCESS_INFORMATION lpProcessInformation , 
184 |  PHANDLE hNewToken 
185 |  ); 
186 | 
187 | typedef  BOOL (__stdcall *PFShellExecuteExW)(  _Inout_  SHELLEXECUTEINFOW *pExecInfo);
188 | typedef  int (__stdcall *PSHCreateProcess)(int p1,HANDLE hToken,wchar_t *lpApplicationName,wchar_t * lpCommandLine,DWORD dwCreationFlags,LPSECURITY_ATTRIBUTES lpProcessAttributes,LPSECURITY_ATTRIBUTES lpThreadAttributes,BOOL bInheritHandles,LPVOID lpEnvironment,LPCWSTR lpCurrentDirectory,LPSTARTUPINFOW lpStartupInfo,LPPROCESS_INFORMATION lpProcessInformation,int p2,char p3,int p4);
189 | typedef int (__fastcall *PAicLaunchAdminProcess)(WCHAR *lpApplicationName, WCHAR *lpCommandLine, void* a3, DWORD dwCreationFlags, WCHAR *lpCurrentDirectory, HWND a6, LPSTARTUPINFOW lpStartupInfo, LPPROCESS_INFORMATION lpProcessInformation, DWORD *a9);
190 | 
191 |   typedef  PVOID
192 | (NTAPI
193 | *PRtlGetCallersAddress)(
194 | 
195 |   OUT PVOID               *CallersAddress,
196 |   OUT PVOID               *CallersCaller );
197 | //pointers
198 | #endif


--------------------------------------------------------------------------------
/FishHook32/IATHookHeader.h:
--------------------------------------------------------------------------------
  1 | #include <windows.h>
  2 | #include <imagehlp.h>
  3 | 
  4 | 
  5 | typedef long (__stdcall *pf0)();
  6 | typedef long (__stdcall *pf1)(long);
  7 | typedef long (__stdcall *pf2)(long,long);
  8 | typedef long (__stdcall *pf3)(long,long,long);
  9 | typedef long (__stdcall *pf4)(long,long,long,long);
 10 | typedef long (__stdcall *pf5)(long,long,long,long,long);
 11 | typedef long (__stdcall *pf6)(long,long,long,long,long,long);
 12 | typedef long (__stdcall *pf7)(long,long,long,long,long,long,long);
 13 | typedef long (__stdcall *pf8)(long,long,long,long,long,long,long,long);
 14 | typedef long (__stdcall *pf9)(long,long,long,long,long,long,long,long,long);
 15 | typedef long (__stdcall *pf10)(long,long,long,long,long,long,long,long,long,long);
 16 | typedef long (__stdcall *pf11)(long,long,long,long,long,long,long,long,long,long,long);
 17 | 
 18 | 
 19 |      long __stdcall p0();
 20 |      long __stdcall p1(long a1);
 21 |      long __stdcall p2(long a1,long a2);
 22 |      long __stdcall p3(long a1,long a2,long a3);
 23 |      long __stdcall p4(long a1,long a2,long a3,long a4);
 24 |      long __stdcall p5(long a1,long a2,long a3,long a4,long a5);
 25 |      long __stdcall p6(long a1,long a2,long a3,long a4,long a5,long a6);
 26 |      long __stdcall p7(long a1,long a2,long a3,long a4,long a5,long a6,long a7);
 27 |      long __stdcall p8(long a1,long a2,long a3,long a4,long a5,long a6,long a7,long a8);
 28 |      long __stdcall p9(long a1,long a2,long a3,long a4,long a5,long a6,long a7,long a8,long a9);
 29 |      long __stdcall p10(long a1,long a2,long a3,long a4,long a5,long a6,long a7,long a8,long a9,long a10);
 30 | 
 31 | 
 32 | struct IATHook
 33 | {
 34 |     // pf0 pNew0;
 35 |      pf1 pNew1;
 36 |      pf2 pNew2;
 37 |      pf3 pNew3;
 38 |      pf4 pNew4;
 39 |      pf5 pNew5;
 40 |      pf6 pNew6;
 41 |      pf7 pNew7;
 42 |      pf8 pNew8;
 43 |      pf9 pNew9;
 44 |      pf10 pNew10;
 45 |      pf11 pNew11;
 46 | 
 47 | 	 pf0 pOld0;
 48 |      pf1 pOld1;
 49 |      pf2 pOld2;
 50 |      pf3 pOld3;
 51 |      pf4 pOld4;
 52 |      pf5 pOld5;
 53 |      pf6 pOld6;
 54 |      pf7 pOld7;
 55 |      pf8 pOld8;
 56 |      pf9 pOld9;
 57 |      pf10 pOld10;
 58 |      int num;
 59 |     
 60 | };
 61 | 
 62 | long InitIATHook(char *pDllName,const char *pApiName ,void *pNew,int num)
 63 |     {
 64 | 	    IATHook *p=malloc(sizeof(IATHook));
 65 |         funptr[0]=(PVOID)p0;
 66 |         funptr[1]=(PVOID)p1;
 67 |         funptr[2]=(PVOID)p2;
 68 |         funptr[3]=(PVOID)p3;
 69 |         funptr[4]=(PVOID)p4;
 70 |         funptr[5]=(PVOID)p5;
 71 |         funptr[6]=(PVOID)p6;
 72 |         funptr[7]=(PVOID)p7;
 73 |         funptr[8]=(PVOID)p8;
 74 |         funptr[9]=(PVOID)p9;
 75 |         funptr[10]=(PVOID)p10;
 76 |         void** ppNew[10]={&p->pNew1,&pNew2,&pNew3,&pNew4,&pNew5,&pNew6,&pNew7,&pNew8,&pNew9,&pNew10,&pNew11};
 77 |         void** ppOld[10]={&p->pOld0,&p->pOld1,&p->pOld2,&p->pOld3,&p->pOld4,&p->pOld5,&p->pOld6,&p->pOld7,&p->pOld8,&p->pOld9,&p->pOld10};
 78 |         replace_IAT_a(pDllName,pApiName,funptr[num],ppOld[num]);
 79 | 
 80 | 
 81 |     }
 82 | 
 83 | 
 84 | int replace_IAT_a(const char *pDllName,const char *pApiName,void *pNew,PVOID * pOld)
 85 |  {
 86 |   HANDLE hProcess = GetModuleHandle (NULL);
 87 |   DWORD dwSize = 0;
 88 |   PIMAGE_IMPORT_DESCRIPTOR pImageImport = (PIMAGE_IMPORT_DESCRIPTOR)ImageDirectoryEntryToData(hProcess,TRUE,
 89 |    IMAGE_DIRECTORY_ENTRY_IMPORT,&dwSize);
 90 |   if (NULL == pImageImport)
 91 |    return 1;
 92 |   PIMAGE_IMPORT_BY_NAME pImageImportByName = NULL;
 93 |   PIMAGE_THUNK_DATA  pImageThunkOriginal = NULL;
 94 |   PIMAGE_THUNK_DATA  pImageThunkReal  = NULL;
 95 |   while (pImageImport->Name)
 96 |   {
 97 |    if (0 == strcmpi((char*)((PBYTE)hProcess+pImageImport->Name),pDllName))
 98 |    {
 99 |     break;
100 |    }
101 |    ++pImageImport;
102 |   }
103 |   if (! pImageImport->Name)
104 |    return 2;
105 |   pImageThunkOriginal = (PIMAGE_THUNK_DATA)((PBYTE)hProcess+pImageImport->OriginalFirstThunk  );
106 |   pImageThunkReal = (PIMAGE_THUNK_DATA)((PBYTE)hProcess+pImageImport->FirstThunk   );
107 |   while (pImageThunkOriginal->u1.Function)
108 |   {
109 |    if ((pImageThunkOriginal->u1 .Ordinal & IMAGE_ORDINAL_FLAG) != IMAGE_ORDINAL_FLAG)
110 |    {
111 |     pImageImportByName = (PIMAGE_IMPORT_BY_NAME)((PBYTE)hProcess+(long)pImageThunkOriginal->u1 .AddressOfData );
112 |     if (0 == strcmpi(pApiName,(char*)pImageImportByName->Name))
113 |     {
114 |      MEMORY_BASIC_INFORMATION mbi_thunk;
115 |      VirtualQuery(pImageThunkReal, &mbi_thunk, sizeof(MEMORY_BASIC_INFORMATION));
116 |      VirtualProtect(mbi_thunk.BaseAddress,mbi_thunk.RegionSize, PAGE_READWRITE, &mbi_thunk.Protect);
117 | 
118 |       *pOld = pImageThunkReal->u1.Function;
119 |       pImageThunkReal->u1.Function = (DWORD*)pNew;
120 |       MessageBox(NULL, pApiName,"in",64);
121 |      DWORD dwOldProtect;
122 |      VirtualProtect(mbi_thunk.BaseAddress, mbi_thunk.RegionSize, mbi_thunk.Protect, &dwOldProtect);
123 |      break;
124 |     }
125 |    }
126 |    ++pImageThunkOriginal;
127 |    ++pImageThunkReal;
128 |   }
129 |   return 0;
130 |  }
131 | 
132 | 
133 | 
134 |      long __stdcall p0()
135 |     {
136 |         return pNew1((long)pOld0);
137 |     }
138 | 
139 | 
140 |      long __stdcall p1(long a1)
141 |     {
142 |         return pNew2((long)pOld1,a1);
143 |     }
144 | 
145 |      long __stdcall p2(long a1,long a2)
146 |     {
147 |         return pNew3((long)pOld2,a1,a2);
148 |     }
149 | 
150 |      long __stdcall p3(long a1,long a2,long a3)
151 |     {
152 |         return pNew4((long)pOld3,a1,a2,a3);
153 |     }
154 | 
155 |      long __stdcall p4(long a1,long a2,long a3,long a4)
156 |     {
157 |         return pNew5((long)pOld4,a1,a2,a3,a4);
158 |     }
159 | 
160 |      long __stdcall p5(long a1,long a2,long a3,long a4,long a5)
161 |     {
162 |         return pNew6((long)pOld5,a1,a2,a3,a4,a5);
163 |     }
164 | 
165 | 
166 |      long __stdcall p6(long a1,long a2,long a3,long a4,long a5,long a6)
167 |     {
168 |         return pNew7((long)pOld6,a1,a2,a3,a4,a5,a6);
169 |     }
170 | 
171 |      long __stdcall p7(long a1,long a2,long a3,long a4,long a5,long a6,long a7)
172 |     {
173 |         return pNew8((long)pOld7,a1,a2,a3,a4,a5,a6,a7);
174 |     }
175 | 
176 |      long __stdcall p8(long a1,long a2,long a3,long a4,long a5,long a6,long a7,long a8)
177 |     {
178 |         return pNew9((long)pOld8,a1,a2,a3,a4,a5,a6,a7,a8);
179 |     }
180 | 
181 |      long __stdcall p9(long a1,long a2,long a3,long a4,long a5,long a6,long a7,long a8,long a9)
182 |     {
183 |         return pNew10((long)pOld9,a1,a2,a3,a4,a5,a6,a7,a8,a9);
184 |     }
185 | 
186 |      long __stdcall p10(long a1,long a2,long a3,long a4,long a5,long a6,long a7,long a8,long a9,long a10)
187 |     {
188 |         return pNew11((long)pOld10,a1,a2,a3,a4,a5,a6,a7,a8,a9,a10);
189 |     }
190 | 
191 | 
192 | 


--------------------------------------------------------------------------------
/Readme.md:
--------------------------------------------------------------------------------
  1 | # FishHook
  2 | FishHook is a Windows inline hook platform, which supports x86 and x64 environment. You can write filter routines to monitor or alter the behavior of other programs's API. Also, you can write your own "fake" APIs in your own DLL, and FishHook will inject your DLL into the process and replace the target API with your "fake" one. Besides, FishHook provides a function to hook the child-processes created by a "hooked" process, which is useful for building a "sandbox" environment.
  3 | 
  4 | ## How to build
  5 | ### Dependencies
  6 |  * Visual Studio 2010. The community version is free.
  7 |  * Detours Express 3.0 x86
  8 |  * Detours x64. Original Detours x64 is charged. [Here](http://bbs.pediy.com/showthread.php?t=156369) is a third-party-made Detours x64 lib, which is based on mhook. A copy of it is uploaded [here](https://github.com/Menooker/FishHook/files/605676/Detours.V3.0.x64.zip).
  9 |  
 10 | ### Build me
 11 | This repo includes a VS2010 solution. Open FishHook32.sln. Build x86 version of the project "FishHook32". This generates "FishHook32.dll". Then switch to x64 mode and build the project "FishHook32" again. This generates "FishHook64.dll". Finally, switch to x86 mode and build and run project FishHookTest, which is an example of FishHook.
 12 | 
 13 | ## FishHook Introduction
 14 | A process that initializes FishHook and filters the API calls of hooked processes is called "debugger". Only one debugger is running at a time, and a debugger is a 32-bit process. This means even though you run FishHook on a 64 bit system, usually you should call FishHook APIs in a 32-bit debugger. (However, your custom "fake" APIs can be written in x64 code.)
 15 | 
 16 | The easiest way to use FishHook is to implement a filter. FishHook has implemented some "fake" APIs, such as CreateProcessInternalW and ZwSetValueKey. You should give FishHook a process-id to hook and the list of the APIs you want to hook. In addition, you should write a filter program in your 32-bit debugger. FishHook will replace the APIs with its built-in "fake" APIs. Once the hooked process calls the hooked API, the user-defined filter routine will be called, and you can monitor or alter the behavoir of the API in your filter. Note that the filter runs in the debugger's address space.
 17 | 
 18 | The other way to utilize FishHook is to use custom hooks. You should write the your "fake" APIs in DLLs, and pass the DLL and a process-id to FishHook. FishHook will inject your DLL and replace the target API with yours. Now you can do whatever you want. Note that your "fake" APIs will run in the hooked process's address space.
 19 | 
 20 | Some may want to hook the child-process created by a hooked process, which is a common way to build a sandbox or a monitor program. FishHook provides built-in "fake" APIs which will automatically hook the newly created process launched by a hooked program. 
 21 | 
 22 | ## A quick example on writing a filter
 23 | Create an x86 Win32 console program.
 24 |  ```c
 25 | #include "stdafx.h"
 26 | #include "../FishHook32/exports.h"
 27 | #include <iostream>
 28 | #include <string>
 29 | using namespace std;
 30 | 
 31 | long __stdcall CallBackProc(SharedInfo* psInfo)
 32 |  {
 33 | 	 	 WCHAR* pathname;
 34 | 		 WCHAR* keyname;
 35 | 		 char* pstr;
 36 | 	 	 switch(psInfo->type )
 37 | 		 {
 38 | 		 case FILTER_CREATE_PROCESS_PRE:
 39 | 			 cout<<"CreateProcess @pid "<<psInfo->pid<<endl;
 40 | 			 printf("str1: %ws\n",(wchar_t*)psInfo->data.strd.str1);
 41 |              printf("str2: %ws\n",(wchar_t*)psInfo->data.strd.str2);
 42 | 			 return 1; //change to 0 if you don't want to allow creating process
 43 | 			 break;
 44 | 		 case FILTER_CREATE_PROCESS_POST:
 45 | 			 cout<<"CreateProcess @pid "<<psInfo->pid<<endl;
 46 | 			 printf("str1: %ws\n",(wchar_t*)psInfo->data.strd.str1);
 47 |              printf("str2: %ws\n",(wchar_t*)psInfo->data.strd.str2);
 48 | 			 printf("New pid= %d\n" ,psInfo->data.intArray[253]);
 49 | 			 return 1;
 50 | 			 break;
 51 | 		 default:
 52 | 			 cout<<"???"<<endl;
 53 | 		 }
 54 |  
 55 | 		 return 1;
 56 |  }
 57 | 
 58 | int _tmain(int argc, _TCHAR* argv[])
 59 | {
 60 | 	InitFishHook();
 61 | 	FishHookTypes id[]={HOOK_CreateProcessInternalW,HOOK_AicLaunchAdminProcess};
 62 | 	PROCESS_INFORMATION info;
 63 | 	STARTUPINFO si;
 64 | 	memset(&si,0,sizeof(si));
 65 | 
 66 | 	si.cb=sizeof(si);
 67 | 	si.wShowWindow =SW_SHOW;
 68 | 	si.dwFlags=STARTF_USESHOWWINDOW;
 69 | 	WCHAR path[]=L"cmd";
 70 | 	CreateProcess(NULL,path,NULL,NULL,0,CREATE_SUSPENDED|CREATE_NEW_CONSOLE,NULL,NULL,&si,&info);
 71 | 	printf("RET=%d",SetIATHookByAPC(info.hProcess,(HANDLE)info.dwProcessId,CallBackProc,id,2));
 72 | 	ResumeThread(info.hThread);	
 73 | 	system("pause");
 74 | 	return 0;
 75 | }
 76 | 
 77 |  ```
 78 |  This program writes a filter "CallBackProc" and then creates and hook a "cmd" procress. You should first call InitFishHook() before calling any FishHook APIs. If the cmd process creates a new process, CallBackProc is called and you can see some outputs in our debugger console. Note that all the processes created by the cmd process are hooked too. 
 79 |  
 80 | ## A quick example on writing a custom hook
 81 | Now we write a custom hook on Windows API MessageBoxW. First create a dll and add the following code.
 82 |  ```c
 83 | extern "C" __declspec(dllimport) int (__stdcall *oldMessageBoxW)( HWND hWnd, LPWSTR lpText, LPCWSTR lpCaption,UINT uType);
 84 | int __stdcall myMessageBoxW( HWND hWnd, LPWSTR lpText, LPCWSTR lpCaption,UINT uType)
 85 | {	
 86 |     return oldMessageBoxW(hWnd,L"Hello",L"World",uType);
 87 | }
 88 |  ```
 89 |  We wrote a "fake" MessageBoxW which changed the behavior of the API. Also, in the first line of code, we exported a variable "oldMessageBoxW" which holds the true address of "MessageBoxW". Compile the DLL into x64 and x86 version, "myhook.dll" and "myhook64.dll". We can find the exported name of myMessageBoxW in x86 DLL is changed to "\_myMessageBoxW@16". In x64 version DLL, the exported name is unchanged, "myMessageBoxW".
 90 |  
 91 |  We then write the debugger code. In a 32-bit program:
 92 |   ```c
 93 | int _tmain(int argc, _TCHAR* argv[])
 94 | {
 95 | 	InitFishHook();
 96 | 	FishHookTypes id[]={HOOK_CreateProcessInternalW,HOOK_AicLaunchAdminProcess};
 97 | 	PROCESS_INFORMATION info;
 98 | 	STARTUPINFO si;
 99 | 	memset(&si,0,sizeof(si));
100 | 	si.cb=sizeof(si);
101 | 	si.wShowWindow =SW_SHOW;
102 | 	si.dwFlags=STARTF_USESHOWWINDOW;
103 | 	WCHAR path[]=L"cmd";
104 | 	CreateProcess(NULL,path,NULL,NULL,0,CREATE_SUSPENDED|CREATE_NEW_CONSOLE,NULL,NULL,&si,&info);
105 |   	SetCustomHook("MessageBoxW","user32.dll","_myMessageBoxW@16","C:\\path\\to\\myhook.dll","oldMessageBoxW",0);
106 |   	SetCustomHook("MessageBoxW","user32.dll","myMessageBoxW","C:\\path\\to\\myhook64.dll","oldMessageBoxW",1);	
107 | 	printf("RET=%d",SetIATHookByAPC(info.hProcess,(HANDLE)info.dwProcessId,NULL,id,2));
108 | 	ResumeThread(info.hThread);	
109 | 	system("pause");
110 | 	return 0;
111 | } 
112 |   ``` 
113 |  This program creates and hooks a "cmd" process. All child process created by it are also hooked. In all these processes, the API of MessageBoxW has been replaced by myMessageBoxW, no matter 32-bit or 64-bit the process is. You can try "regsvr32" in cmd console to check it out. (regsvr32 will orignially show a messagebox to tell you the usage of the program, but it will be replaced by our "Hello world" message.)
114 |  
115 |  
116 | ## More details
117 | See Mannual.md
118 | 


--------------------------------------------------------------------------------
/FishHook32/FishHook32.vcxproj:
--------------------------------------------------------------------------------
  1 | <?xml version="1.0" encoding="utf-8"?>
  2 | <Project DefaultTargets="Build" ToolsVersion="4.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
  3 |   <ItemGroup Label="ProjectConfigurations">
  4 |     <ProjectConfiguration Include="Debug|Win32">
  5 |       <Configuration>Debug</Configuration>
  6 |       <Platform>Win32</Platform>
  7 |     </ProjectConfiguration>
  8 |     <ProjectConfiguration Include="Debug|x64">
  9 |       <Configuration>Debug</Configuration>
 10 |       <Platform>x64</Platform>
 11 |     </ProjectConfiguration>
 12 |     <ProjectConfiguration Include="Release|Win32">
 13 |       <Configuration>Release</Configuration>
 14 |       <Platform>Win32</Platform>
 15 |     </ProjectConfiguration>
 16 |     <ProjectConfiguration Include="Release|x64">
 17 |       <Configuration>Release</Configuration>
 18 |       <Platform>x64</Platform>
 19 |     </ProjectConfiguration>
 20 |   </ItemGroup>
 21 |   <PropertyGroup Label="Globals">
 22 |     <ProjectGuid>{A40684CD-0584-456A-AE3E-C862900377FF}</ProjectGuid>
 23 |     <Keyword>Win32Proj</Keyword>
 24 |     <RootNamespace>FishHook32</RootNamespace>
 25 |   </PropertyGroup>
 26 |   <Import Project="$(VCTargetsPath)\Microsoft.Cpp.Default.props" />
 27 |   <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'" Label="Configuration">
 28 |     <ConfigurationType>DynamicLibrary</ConfigurationType>
 29 |     <UseDebugLibraries>true</UseDebugLibraries>
 30 |     <CharacterSet>MultiByte</CharacterSet>
 31 |   </PropertyGroup>
 32 |   <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|x64'" Label="Configuration">
 33 |     <ConfigurationType>DynamicLibrary</ConfigurationType>
 34 |     <UseDebugLibraries>true</UseDebugLibraries>
 35 |     <CharacterSet>MultiByte</CharacterSet>
 36 |   </PropertyGroup>
 37 |   <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|Win32'" Label="Configuration">
 38 |     <ConfigurationType>DynamicLibrary</ConfigurationType>
 39 |     <UseDebugLibraries>false</UseDebugLibraries>
 40 |     <WholeProgramOptimization>true</WholeProgramOptimization>
 41 |     <CharacterSet>Unicode</CharacterSet>
 42 |   </PropertyGroup>
 43 |   <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|x64'" Label="Configuration">
 44 |     <ConfigurationType>DynamicLibrary</ConfigurationType>
 45 |     <UseDebugLibraries>false</UseDebugLibraries>
 46 |     <WholeProgramOptimization>true</WholeProgramOptimization>
 47 |     <CharacterSet>Unicode</CharacterSet>
 48 |   </PropertyGroup>
 49 |   <Import Project="$(VCTargetsPath)\Microsoft.Cpp.props" />
 50 |   <ImportGroup Label="ExtensionSettings">
 51 |   </ImportGroup>
 52 |   <ImportGroup Label="PropertySheets" Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'">
 53 |     <Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />
 54 |   </ImportGroup>
 55 |   <ImportGroup Condition="'$(Configuration)|$(Platform)'=='Debug|x64'" Label="PropertySheets">
 56 |     <Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />
 57 |   </ImportGroup>
 58 |   <ImportGroup Label="PropertySheets" Condition="'$(Configuration)|$(Platform)'=='Release|Win32'">
 59 |     <Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />
 60 |   </ImportGroup>
 61 |   <ImportGroup Condition="'$(Configuration)|$(Platform)'=='Release|x64'" Label="PropertySheets">
 62 |     <Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />
 63 |   </ImportGroup>
 64 |   <PropertyGroup Label="UserMacros" />
 65 |   <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'">
 66 |     <LinkIncremental>false</LinkIncremental>
 67 |   </PropertyGroup>
 68 |   <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|x64'">
 69 |     <LinkIncremental>false</LinkIncremental>
 70 |     <TargetName>FishHook64</TargetName>
 71 |     <OutDir>$(SolutionDir)$(Configuration)\</OutDir>
 72 |     <IntDir>$(Configuration)\</IntDir>
 73 |   </PropertyGroup>
 74 |   <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|Win32'">
 75 |     <LinkIncremental>false</LinkIncremental>
 76 |   </PropertyGroup>
 77 |   <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|x64'">
 78 |     <LinkIncremental>false</LinkIncremental>
 79 |   </PropertyGroup>
 80 |   <ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'">
 81 |     <ClCompile>
 82 |       <PrecompiledHeader>Use</PrecompiledHeader>
 83 |       <WarningLevel>Level3</WarningLevel>
 84 |       <Optimization>Disabled</Optimization>
 85 |       <PreprocessorDefinitions>WIN32;_DEBUG;_WINDOWS;_USRDLL;FISHHOOK32_EXPORTS;%(PreprocessorDefinitions)</PreprocessorDefinitions>
 86 |       <RuntimeLibrary>MultiThreadedDebug</RuntimeLibrary>
 87 |       <BasicRuntimeChecks>UninitializedLocalUsageCheck</BasicRuntimeChecks>
 88 |     </ClCompile>
 89 |     <Link>
 90 |       <SubSystem>Windows</SubSystem>
 91 |       <GenerateDebugInformation>true</GenerateDebugInformation>
 92 |       <IgnoreSpecificDefaultLibraries>LIBCMT.lib</IgnoreSpecificDefaultLibraries>
 93 |     </Link>
 94 |   </ItemDefinitionGroup>
 95 |   <ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Debug|x64'">
 96 |     <ClCompile>
 97 |       <PrecompiledHeader>Use</PrecompiledHeader>
 98 |       <WarningLevel>Level3</WarningLevel>
 99 |       <Optimization>Disabled</Optimization>
100 |       <PreprocessorDefinitions>WIN32;_DEBUG;_WINDOWS;_USRDLL;FISHHOOK32_EXPORTS;%(PreprocessorDefinitions)</PreprocessorDefinitions>
101 |       <RuntimeLibrary>MultiThreadedDebug</RuntimeLibrary>
102 |       <BasicRuntimeChecks>UninitializedLocalUsageCheck</BasicRuntimeChecks>
103 |     </ClCompile>
104 |     <Link>
105 |       <SubSystem>Windows</SubSystem>
106 |       <GenerateDebugInformation>true</GenerateDebugInformation>
107 |       <IgnoreSpecificDefaultLibraries>LIBCMT.lib</IgnoreSpecificDefaultLibraries>
108 |     </Link>
109 |   </ItemDefinitionGroup>
110 |   <ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Release|Win32'">
111 |     <ClCompile>
112 |       <WarningLevel>Level3</WarningLevel>
113 |       <PrecompiledHeader>Use</PrecompiledHeader>
114 |       <Optimization>MaxSpeed</Optimization>
115 |       <FunctionLevelLinking>true</FunctionLevelLinking>
116 |       <IntrinsicFunctions>true</IntrinsicFunctions>
117 |       <PreprocessorDefinitions>WIN32;NDEBUG;_WINDOWS;_USRDLL;FISHHOOK32_EXPORTS;%(PreprocessorDefinitions)</PreprocessorDefinitions>
118 |     </ClCompile>
119 |     <Link>
120 |       <SubSystem>Windows</SubSystem>
121 |       <GenerateDebugInformation>true</GenerateDebugInformation>
122 |       <EnableCOMDATFolding>true</EnableCOMDATFolding>
123 |       <OptimizeReferences>true</OptimizeReferences>
124 |     </Link>
125 |   </ItemDefinitionGroup>
126 |   <ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Release|x64'">
127 |     <ClCompile>
128 |       <WarningLevel>Level3</WarningLevel>
129 |       <PrecompiledHeader>Use</PrecompiledHeader>
130 |       <Optimization>MaxSpeed</Optimization>
131 |       <FunctionLevelLinking>true</FunctionLevelLinking>
132 |       <IntrinsicFunctions>true</IntrinsicFunctions>
133 |       <PreprocessorDefinitions>WIN32;NDEBUG;_WINDOWS;_USRDLL;FISHHOOK32_EXPORTS;%(PreprocessorDefinitions)</PreprocessorDefinitions>
134 |     </ClCompile>
135 |     <Link>
136 |       <SubSystem>Windows</SubSystem>
137 |       <GenerateDebugInformation>true</GenerateDebugInformation>
138 |       <EnableCOMDATFolding>true</EnableCOMDATFolding>
139 |       <OptimizeReferences>true</OptimizeReferences>
140 |     </Link>
141 |   </ItemDefinitionGroup>
142 |   <ItemGroup>
143 |     <None Include="ReadMe.txt" />
144 |   </ItemGroup>
145 |   <ItemGroup>
146 |     <ClInclude Include="APC.H" />
147 |     <ClInclude Include="Def.h" />
148 |     <ClInclude Include="exports.h" />
149 |     <ClInclude Include="hi.h" />
150 |     <ClInclude Include="HookedFunctions.h" />
151 |     <ClInclude Include="internals.h" />
152 |     <ClInclude Include="NativeApi.h" />
153 |     <ClInclude Include="stdafx.h" />
154 |     <ClInclude Include="StringEx.h" />
155 |     <ClInclude Include="targetver.h" />
156 |     <ClInclude Include="var.h" />
157 |   </ItemGroup>
158 |   <ItemGroup>
159 |     <ClCompile Include="dllmain.cpp">
160 |       <CompileAsManaged Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'">false</CompileAsManaged>
161 |       <CompileAsManaged Condition="'$(Configuration)|$(Platform)'=='Debug|x64'">false</CompileAsManaged>
162 |       <PrecompiledHeader Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'">
163 |       </PrecompiledHeader>
164 |       <PrecompiledHeader Condition="'$(Configuration)|$(Platform)'=='Debug|x64'">
165 |       </PrecompiledHeader>
166 |       <CompileAsManaged Condition="'$(Configuration)|$(Platform)'=='Release|Win32'">false</CompileAsManaged>
167 |       <CompileAsManaged Condition="'$(Configuration)|$(Platform)'=='Release|x64'">false</CompileAsManaged>
168 |       <PrecompiledHeader Condition="'$(Configuration)|$(Platform)'=='Release|Win32'">
169 |       </PrecompiledHeader>
170 |       <PrecompiledHeader Condition="'$(Configuration)|$(Platform)'=='Release|x64'">
171 |       </PrecompiledHeader>
172 |     </ClCompile>
173 |     <ClCompile Include="exports.cpp" />
174 |     <ClCompile Include="FishHook32.cpp" />
175 |     <ClCompile Include="HookedFunctions.cpp" />
176 |     <ClCompile Include="IATDLL.cpp" />
177 |     <ClCompile Include="internals.cpp" />
178 |     <ClCompile Include="stdafx.cpp">
179 |       <PrecompiledHeader Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'">Create</PrecompiledHeader>
180 |       <PrecompiledHeader Condition="'$(Configuration)|$(Platform)'=='Debug|x64'">Create</PrecompiledHeader>
181 |       <PrecompiledHeader Condition="'$(Configuration)|$(Platform)'=='Release|Win32'">Create</PrecompiledHeader>
182 |       <PrecompiledHeader Condition="'$(Configuration)|$(Platform)'=='Release|x64'">Create</PrecompiledHeader>
183 |     </ClCompile>
184 |   </ItemGroup>
185 |   <Import Project="$(VCTargetsPath)\Microsoft.Cpp.targets" />
186 |   <ImportGroup Label="ExtensionTargets">
187 |   </ImportGroup>
188 | </Project>


--------------------------------------------------------------------------------
/LICENSE.md:
--------------------------------------------------------------------------------
  1 |                                  Apache License
  2 |                            Version 2.0, January 2004
  3 |                         http://www.apache.org/licenses/
  4 | 
  5 |    TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION
  6 | 
  7 |    1. Definitions.
  8 | 
  9 |       "License" shall mean the terms and conditions for use, reproduction,
 10 |       and distribution as defined by Sections 1 through 9 of this document.
 11 | 
 12 |       "Licensor" shall mean the copyright owner or entity authorized by
 13 |       the copyright owner that is granting the License.
 14 | 
 15 |       "Legal Entity" shall mean the union of the acting entity and all
 16 |       other entities that control, are controlled by, or are under common
 17 |       control with that entity. For the purposes of this definition,
 18 |       "control" means (i) the power, direct or indirect, to cause the
 19 |       direction or management of such entity, whether by contract or
 20 |       otherwise, or (ii) ownership of fifty percent (50%) or more of the
 21 |       outstanding shares, or (iii) beneficial ownership of such entity.
 22 | 
 23 |       "You" (or "Your") shall mean an individual or Legal Entity
 24 |       exercising permissions granted by this License.
 25 | 
 26 |       "Source" form shall mean the preferred form for making modifications,
 27 |       including but not limited to software source code, documentation
 28 |       source, and configuration files.
 29 | 
 30 |       "Object" form shall mean any form resulting from mechanical
 31 |       transformation or translation of a Source form, including but
 32 |       not limited to compiled object code, generated documentation,
 33 |       and conversions to other media types.
 34 | 
 35 |       "Work" shall mean the work of authorship, whether in Source or
 36 |       Object form, made available under the License, as indicated by a
 37 |       copyright notice that is included in or attached to the work
 38 |       (an example is provided in the Appendix below).
 39 | 
 40 |       "Derivative Works" shall mean any work, whether in Source or Object
 41 |       form, that is based on (or derived from) the Work and for which the
 42 |       editorial revisions, annotations, elaborations, or other modifications
 43 |       represent, as a whole, an original work of authorship. For the purposes
 44 |       of this License, Derivative Works shall not include works that remain
 45 |       separable from, or merely link (or bind by name) to the interfaces of,
 46 |       the Work and Derivative Works thereof.
 47 | 
 48 |       "Contribution" shall mean any work of authorship, including
 49 |       the original version of the Work and any modifications or additions
 50 |       to that Work or Derivative Works thereof, that is intentionally
 51 |       submitted to Licensor for inclusion in the Work by the copyright owner
 52 |       or by an individual or Legal Entity authorized to submit on behalf of
 53 |       the copyright owner. For the purposes of this definition, "submitted"
 54 |       means any form of electronic, verbal, or written communication sent
 55 |       to the Licensor or its representatives, including but not limited to
 56 |       communication on electronic mailing lists, source code control systems,
 57 |       and issue tracking systems that are managed by, or on behalf of, the
 58 |       Licensor for the purpose of discussing and improving the Work, but
 59 |       excluding communication that is conspicuously marked or otherwise
 60 |       designated in writing by the copyright owner as "Not a Contribution."
 61 | 
 62 |       "Contributor" shall mean Licensor and any individual or Legal Entity
 63 |       on behalf of whom a Contribution has been received by Licensor and
 64 |       subsequently incorporated within the Work.
 65 | 
 66 |    2. Grant of Copyright License. Subject to the terms and conditions of
 67 |       this License, each Contributor hereby grants to You a perpetual,
 68 |       worldwide, non-exclusive, no-charge, royalty-free, irrevocable
 69 |       copyright license to reproduce, prepare Derivative Works of,
 70 |       publicly display, publicly perform, sublicense, and distribute the
 71 |       Work and such Derivative Works in Source or Object form.
 72 | 
 73 |    3. Grant of Patent License. Subject to the terms and conditions of
 74 |       this License, each Contributor hereby grants to You a perpetual,
 75 |       worldwide, non-exclusive, no-charge, royalty-free, irrevocable
 76 |       (except as stated in this section) patent license to make, have made,
 77 |       use, offer to sell, sell, import, and otherwise transfer the Work,
 78 |       where such license applies only to those patent claims licensable
 79 |       by such Contributor that are necessarily infringed by their
 80 |       Contribution(s) alone or by combination of their Contribution(s)
 81 |       with the Work to which such Contribution(s) was submitted. If You
 82 |       institute patent litigation against any entity (including a
 83 |       cross-claim or counterclaim in a lawsuit) alleging that the Work
 84 |       or a Contribution incorporated within the Work constitutes direct
 85 |       or contributory patent infringement, then any patent licenses
 86 |       granted to You under this License for that Work shall terminate
 87 |       as of the date such litigation is filed.
 88 | 
 89 |    4. Redistribution. You may reproduce and distribute copies of the
 90 |       Work or Derivative Works thereof in any medium, with or without
 91 |       modifications, and in Source or Object form, provided that You
 92 |       meet the following conditions:
 93 | 
 94 |       (a) You must give any other recipients of the Work or
 95 |           Derivative Works a copy of this License; and
 96 | 
 97 |       (b) You must cause any modified files to carry prominent notices
 98 |           stating that You changed the files; and
 99 | 
100 |       (c) You must retain, in the Source form of any Derivative Works
101 |           that You distribute, all copyright, patent, trademark, and
102 |           attribution notices from the Source form of the Work,
103 |           excluding those notices that do not pertain to any part of
104 |           the Derivative Works; and
105 | 
106 |       (d) If the Work includes a "NOTICE" text file as part of its
107 |           distribution, then any Derivative Works that You distribute must
108 |           include a readable copy of the attribution notices contained
109 |           within such NOTICE file, excluding those notices that do not
110 |           pertain to any part of the Derivative Works, in at least one
111 |           of the following places: within a NOTICE text file distributed
112 |           as part of the Derivative Works; within the Source form or
113 |           documentation, if provided along with the Derivative Works; or,
114 |           within a display generated by the Derivative Works, if and
115 |           wherever such third-party notices normally appear. The contents
116 |           of the NOTICE file are for informational purposes only and
117 |           do not modify the License. You may add Your own attribution
118 |           notices within Derivative Works that You distribute, alongside
119 |           or as an addendum to the NOTICE text from the Work, provided
120 |           that such additional attribution notices cannot be construed
121 |           as modifying the License.
122 | 
123 |       You may add Your own copyright statement to Your modifications and
124 |       may provide additional or different license terms and conditions
125 |       for use, reproduction, or distribution of Your modifications, or
126 |       for any such Derivative Works as a whole, provided Your use,
127 |       reproduction, and distribution of the Work otherwise complies with
128 |       the conditions stated in this License.
129 | 
130 |    5. Submission of Contributions. Unless You explicitly state otherwise,
131 |       any Contribution intentionally submitted for inclusion in the Work
132 |       by You to the Licensor shall be under the terms and conditions of
133 |       this License, without any additional terms or conditions.
134 |       Notwithstanding the above, nothing herein shall supersede or modify
135 |       the terms of any separate license agreement you may have executed
136 |       with Licensor regarding such Contributions.
137 | 
138 |    6. Trademarks. This License does not grant permission to use the trade
139 |       names, trademarks, service marks, or product names of the Licensor,
140 |       except as required for reasonable and customary use in describing the
141 |       origin of the Work and reproducing the content of the NOTICE file.
142 | 
143 |    7. Disclaimer of Warranty. Unless required by applicable law or
144 |       agreed to in writing, Licensor provides the Work (and each
145 |       Contributor provides its Contributions) on an "AS IS" BASIS,
146 |       WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
147 |       implied, including, without limitation, any warranties or conditions
148 |       of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A
149 |       PARTICULAR PURPOSE. You are solely responsible for determining the
150 |       appropriateness of using or redistributing the Work and assume any
151 |       risks associated with Your exercise of permissions under this License.
152 | 
153 |    8. Limitation of Liability. In no event and under no legal theory,
154 |       whether in tort (including negligence), contract, or otherwise,
155 |       unless required by applicable law (such as deliberate and grossly
156 |       negligent acts) or agreed to in writing, shall any Contributor be
157 |       liable to You for damages, including any direct, indirect, special,
158 |       incidental, or consequential damages of any character arising as a
159 |       result of this License or out of the use or inability to use the
160 |       Work (including but not limited to damages for loss of goodwill,
161 |       work stoppage, computer failure or malfunction, or any and all
162 |       other commercial damages or losses), even if such Contributor
163 |       has been advised of the possibility of such damages.
164 | 
165 |    9. Accepting Warranty or Additional Liability. While redistributing
166 |       the Work or Derivative Works thereof, You may choose to offer,
167 |       and charge a fee for, acceptance of support, warranty, indemnity,
168 |       or other liability obligations and/or rights consistent with this
169 |       License. However, in accepting such obligations, You may act only
170 |       on Your own behalf and on Your sole responsibility, not on behalf
171 |       of any other Contributor, and only if You agree to indemnify,
172 |       defend, and hold each Contributor harmless for any liability
173 |       incurred by, or claims asserted against, such Contributor by reason
174 |       of your accepting any such warranty or additional liability.
175 | 
176 |    END OF TERMS AND CONDITIONS
177 | 
178 |    APPENDIX: How to apply the Apache License to your work.
179 | 
180 |       To apply the Apache License to your work, attach the following
181 |       boilerplate notice, with the fields enclosed by brackets "{}"
182 |       replaced with your own identifying information. (Don't include
183 |       the brackets!)  The text should be enclosed in the appropriate
184 |       comment syntax for the file format. We also recommend that a
185 |       file or class name and description of purpose be included on the
186 |       same "printed page" as the copyright notice for easier
187 |       identification within third-party archives.
188 | 
189 |    Copyright {yyyy} {name of copyright owner}
190 | 
191 |    Licensed under the Apache License, Version 2.0 (the "License");
192 |    you may not use this file except in compliance with the License.
193 |    You may obtain a copy of the License at
194 | 
195 |        http://www.apache.org/licenses/LICENSE-2.0
196 | 
197 |    Unless required by applicable law or agreed to in writing, software
198 |    distributed under the License is distributed on an "AS IS" BASIS,
199 |    WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
200 |    See the License for the specific language governing permissions and
201 |    limitations under the License.
202 | 


--------------------------------------------------------------------------------
/FishHook32/internals.cpp:
--------------------------------------------------------------------------------
  1 | #include "StdAfx.h"
  2 | #include <stdlib.h>
  3 | #include <Windows.h>
  4 | #include <stdio.h>
  5 | #include "var.h"
  6 | #include "internals.h"
  7 | #include <Sddl.h>
  8 | 
  9 | ptDbgPrint DbgPrint=(ptDbgPrint)GetProcAddress(GetModuleHandleW(L"ntdll"),"DbgPrint");
 10 | extern "C" long FHPrint(char *format,...);
 11 | 
 12 | typedef HMODULE (WINAPI *ptGetModuleHandleW)(
 13 |     __in_opt LPCWSTR lpModuleName
 14 |     );
 15 | 
 16 | typedef FARPROC (WINAPI *ptGetProcAddress)(
 17 |     __in HMODULE hModule,
 18 |     __in LPCSTR lpProcName
 19 |     );
 20 | typedef BOOL
 21 | (WINAPI
 22 | *ptFreeLibrary) (
 23 |     __in HMODULE hLibModule
 24 |     );
 25 | 
 26 | typedef VOID
 27 | (WINAPI
 28 | *ptExitThread)(
 29 |     __in DWORD dwExitCode
 30 |     );
 31 | 
 32 | typedef HGLOBAL (WINAPI *ptGlobalAlloc)(
 33 |   _In_  UINT uFlags,
 34 |   _In_  SIZE_T dwBytes
 35 | );
 36 | 
 37 | typedef HGLOBAL
 38 | (WINAPI *ptGlobalFree)(
 39 |     __deref HGLOBAL hMem
 40 |     );
 41 | 
 42 | struct myEnvir
 43 | {
 44 | 	ptGetProcAddress GetProcAddress;
 45 | 	ptFreeLibrary FreeLibrary;
 46 | 	ptExitThread ExitThread;
 47 | 	ptGlobalFree GlobalFree;
 48 | } ;
 49 | 
 50 | long __stdcall  DoTrulyUnloadDLLAndExitThread(myEnvir* par,HMODULE hmod,DWORD exitcode,void* pcode)
 51 | {
 52 | 	
 53 | 	BOOL ret=1;
 54 | 	//ptFreeLibrary PFreeLibrary=(ptFreeLibrary)par->GetProcAddress(par->hmodkernel,par->pfree);
 55 | 	// PExitThread=(ptExitThread)par->GetProcAddress(par->hmodkernel,par->pexit);
 56 | 	while(ret)
 57 | 	{
 58 | 
 59 | 		ret=par->FreeLibrary(hmod);
 60 | 	}
 61 | #ifdef _WIN64
 62 | 	typedef void (*ptShellcode)(void* pcode,void* pexit,void* pfree);
 63 | 	ptShellcode pFun=(ptShellcode)((char*)pcode+200);
 64 | 	pFun(pcode,par->ExitThread,par->GlobalFree);
 65 | #else
 66 | 	void* pExit=par->ExitThread;
 67 | 	void* pFree=par->GlobalFree;
 68 | 	__asm{
 69 | 		push exitcode
 70 | 		push 0
 71 | 		push pcode
 72 | 		push pExit
 73 | 		jmp pFree
 74 | 	}
 75 | #endif
 76 | 	return 0;
 77 | }
 78 | 
 79 | 
 80 | #ifdef _WIN64
 81 | void __stdcall TrulyUnloadDLLAndExitThread(HMODULE hmod,DWORD exitcode)
 82 | {
 83 | 
 84 | UCHAR shellcode[10]=
 85 | 
 86 | "\x48\x83\xEC\x28" //4
 87 | "\x52"             //5
 88 | "\x41\xFF\xE0";    //8          
 89 | 	void* p=(BYTE*)GlobalAlloc(GMEM_FIXED,300);
 90 | 	memset(p,0xcc,300);
 91 | 	memcpy(p,DoTrulyUnloadDLLAndExitThread,200);
 92 | 	memcpy((char*)p+200,shellcode,sizeof(shellcode));
 93 | 	DWORD oldpro;
 94 | 	VirtualProtect(p,300,PAGE_EXECUTE_READWRITE,&oldpro);	
 95 | 	typedef long (__stdcall *ptFun)(myEnvir* par,HMODULE hmod,DWORD exitcode,void* pcode);
 96 | 	ptFun pFun=(ptFun)p;
 97 | 	myEnvir par={GetProcAddress,FreeLibrary,ExitThread,GlobalFree};
 98 | 	
 99 | 	pFun(&par,hmod,exitcode,p);
100 | }
101 | 
102 | void PopHandles()
103 | {
104 | 			if (hEvent32==0) hEvent32=(HANDLE)psm->handle32.hEvent;
105 | 			if (hEventBack32==0)hEventBack32=(HANDLE)psm->handle32.hEventBack;
106 | 			if (hEvent==0) hEvent=(HANDLE)psm->handle32.hEvent64;
107 | 			if (hEventBack==0)hEventBack=(HANDLE)psm->handle32.hEventBack64;	
108 | 			if (hEProcess==0) hEProcess=(HANDLE)psm->handle32.hEProcess;
109 | 			if (hEProcessBack==0)hEProcessBack=(HANDLE)psm->handle32.hEProcessBack;
110 | 			if (hEProcess32==0) hEProcess32=(HANDLE)psm->handle32.hEProcess32;
111 | 			if (hEProcessBack32==0)hEProcessBack32=(HANDLE)psm->handle32.hEProcessBack32;
112 | 			if (hEventRelease==0)hEventRelease=(HANDLE)psm->handle32.hEventRelease;
113 | 			if (hEventOutput==0)hEventOutput=(HANDLE)psm->handle32.hEventOutput;
114 | 			if (hEventHookBack32==0)hEventHookBack32=(HANDLE)psm->handle32.hEventHookBack32;
115 | 			if (hEventHookBack64==0)hEventHookBack64=(HANDLE)psm->handle32.hEventHookBack64;
116 | }
117 | 
118 | void PushHandles()
119 | {
120 | 				psm->handle32.hEProcess=(long)hEProcess; psm->handle32.hEProcess32=(long)hEProcess32; psm->handle32.hEProcessBack=(long)hEProcessBack;
121 | 				psm->handle32.hEProcessBack32=(long)hEProcessBack32; psm->handle32.hEvent=(long)hEvent32; psm->handle32.hEvent64=(long)hEvent;
122 | 				psm->handle32.hEventBack=(long)hEventBack32; psm->handle32.hEventBack64=(long)hEventBack; psm->handle32.hEventOutput=(long)hEventOutput;
123 | 				psm->handle32.hEventRelease=(long)hEventRelease; psm->handle32.hEventHookBack32=(long)hEventHookBack32;
124 | 				psm->handle32.hEventHookBack64=(long)hEventHookBack64; 
125 | }
126 | 
127 | #else
128 | 
129 | void __stdcall TrulyUnloadDLLAndExitThread(HMODULE hmod,DWORD exitcode)
130 | {
131 | 
132 |                 
133 | 	void* p=(BYTE*)GlobalAlloc(GMEM_FIXED,200);
134 | 	memcpy(p,DoTrulyUnloadDLLAndExitThread,200);
135 | 	DWORD oldpro;
136 | 	VirtualProtect(p,100,PAGE_EXECUTE_READWRITE,&oldpro);	
137 | 	typedef long (__stdcall *ptFun)(myEnvir* par,HMODULE hmod,DWORD exitcode,void* pcode);
138 | 	ptFun pFun=(ptFun)p;
139 | 	myEnvir par={GetProcAddress,FreeLibrary,ExitThread,GlobalFree};
140 | 	
141 | 	pFun(&par,hmod,exitcode,p);
142 | }
143 | 
144 | void PopHandles()
145 | {
146 | 			if (hEvent==0) hEvent=psm->handle32.hEvent;
147 | 			if (hEventBack==0)hEventBack=psm->handle32.hEventBack;
148 | 			if (hEvent64==0) hEvent64=psm->handle32.hEvent64;
149 | 			if (hEventBack64==0)hEventBack64=psm->handle32.hEventBack64;	
150 | 			if (hEProcess==0) hEProcess=psm->handle32.hEProcess;
151 | 			if (hEProcessBack==0)hEProcessBack=psm->handle32.hEProcessBack;
152 | 			if (hEProcess32==0) hEProcess32=psm->handle32.hEProcess32;
153 | 			if (hEProcessBack32==0)hEProcessBack32=psm->handle32.hEProcessBack32;
154 | 			if (hEventRelease==0)hEventRelease=psm->handle32.hEventRelease;
155 | 			if (hEventOutput==0)hEventOutput=psm->handle32.hEventOutput;
156 | 			if (hEventHookBack==0)hEventHookBack=psm->handle32.hEventHookBack32;
157 | 			if (hEventHookBack64==0)hEventHookBack64=psm->handle32.hEventHookBack64;
158 | }
159 | 
160 | void PushHandles()
161 | {
162 | 				psm->handle32.hEProcess=hEProcess; psm->handle32.hEProcess32=hEProcess32; psm->handle32.hEProcessBack=hEProcessBack;
163 | 				psm->handle32.hEProcessBack32=hEProcessBack32; psm->handle32.hEvent=hEvent; psm->handle32.hEvent64=hEvent64;
164 | 				psm->handle32.hEventBack=hEventBack; psm->handle32.hEventBack64=hEventBack64; psm->handle32.hEventOutput=hEventOutput;
165 | 				psm->handle32.hEventRelease=hEventRelease; psm->handle32.hEventHookBack32=hEventHookBack;
166 | 				psm->handle32.hEventHookBack64=hEventHookBack64; 
167 | }
168 | 
169 | #endif
170 | void __stdcall MsgboxW(WCHAR* str,long a)
171 | {
172 | 	char p[255];
173 | 
174 | 	sprintf(p,"%ws : %d",str,a);
175 | 	MessageBox(NULL,p,"hh",64);
176 | }
177 | 
178 | void __stdcall Msgbox(char* str,long a)
179 | {
180 | 	char p[255];
181 | 
182 | 	sprintf(p,"%s : %d",str,a);
183 | 	MessageBox(NULL,p,str,64);
184 | }
185 | 
186 | 
187 | 
188 | 
189 | 
190 | void ShowSID(HANDLE hNewt)
191 | {
192 | 			WCHAR pbuf[1000]={0};
193 | 			LPWSTR psid=0;
194 | 			TOKEN_MANDATORY_LABEL* pp=(TOKEN_MANDATORY_LABEL* )pbuf;
195 | 			DWORD len;
196 | 			if(GetTokenInformation(hNewt,TokenIntegrityLevel ,pbuf,1000,&len))
197 | 			{
198 | 				if(ConvertSidToStringSidW(pp->Label.Sid,&psid))
199 | 					MessageBoxW(0,psid,L"",64);
200 | 				else
201 | 					Msgbox("CON",GetLastError());
202 | 			}
203 | }
204 | 
205 | HANDLE MakeNormalToken(HANDLE hToken)
206 | {
207 | 	 //HANDLE hToken;
208 | 	
209 | 	 WCHAR wszIntegritySid[20] = L"S-1-16-8192";
210 | 	 PSID pIntegritySid = NULL;
211 | 	 TOKEN_MANDATORY_LABEL TIL = {0};
212 | 	 HANDLE hmNewToken;
213 |      if (OpenProcessToken(GetCurrentProcess(),MAXIMUM_ALLOWED, &hToken))
214 |      {
215 | 
216 |          if (DuplicateTokenEx(hToken, MAXIMUM_ALLOWED, NULL,SecurityImpersonation, TokenPrimary, &hmNewToken))
217 |          { 
218 |               if (ConvertStringSidToSidW(wszIntegritySid, &pIntegritySid))
219 |               {
220 | 				  //Msgbox("TOKEN",(long)hToken);
221 |                   TIL.Label.Attributes = SE_GROUP_INTEGRITY;
222 |                   TIL.Label.Sid = pIntegritySid;
223 |                    // Set the process integrity level
224 |                    if (SetTokenInformation(hmNewToken, TokenIntegrityLevel, &TIL,
225 |                        sizeof(TOKEN_MANDATORY_LABEL) + GetLengthSid(pIntegritySid)))
226 |                    {
227 | 					   CloseHandle(hToken);
228 | 					   return hmNewToken;
229 | 				   }
230 | 			  }
231 | 		 }
232 | 	 }
233 | 	 CloseHandle(hToken);
234 | 	 CloseHandle(hmNewToken);
235 | 	 return 0;
236 | }
237 | 
238 | BOOL CopyToken(HANDLE hsrc,HANDLE hdest)
239 | {
240 | 	//ShowSID(hsrc);
241 | 	DWORD len;
242 | 	PVOID pbuf=malloc(2000);
243 | 	for(int i=1;i<MaxTokenInfoClass;i++)
244 | 	{
245 | 		if(GetTokenInformation(hsrc,(TOKEN_INFORMATION_CLASS)i ,pbuf,2000,&len))
246 | 		{	
247 | 			//Msgbox("i",i);
248 | 			if(!SetTokenInformation(hdest,(TOKEN_INFORMATION_CLASS)i,pbuf,len))
249 | 			{
250 | 				//Msgbox("ERR",GetLastError());
251 | 				continue;
252 | 			}
253 | 		}
254 | 
255 | 	}
256 | 	free(pbuf);
257 | 
258 | 	return 1;
259 | }
260 | 
261 | void SetProcessToken(HANDLE hProcess,HANDLE hToken,HANDLE* hNewToken)
262 | {
263 | 	HANDLE hNewt;
264 | 			if(OpenProcessToken(hProcess,MAXIMUM_ALLOWED,&hNewt)) // now copy the token
265 | 			{
266 | 				CopyToken(hToken,hNewt); //fix-me: is it right to copy the token like this?????
267 | 				if(hNewToken)
268 | 				{
269 | 					CloseHandle(*hNewToken); //fix-me: should we close the old token?????
270 | 					*hNewToken=hNewt;
271 | 				}
272 | 				else{
273 | 					CloseHandle(hNewt);
274 | 				}
275 | 			}
276 | 			else{
277 | 				FHPrint("Failed to load token\n");
278 | 			}
279 | }
280 | 
281 | 
282 | 
283 | LPCWSTR LOW_INTEGRITY_SDDL_SACL_W = L"S:(ML;;NW;;;LW)";
284 | 
285 | bool SetObjectToLowIntegrity(
286 |  HANDLE hObject, SE_OBJECT_TYPE type )
287 | {
288 | bool bRet = false;
289 | DWORD dwErr = ERROR_SUCCESS;
290 | PSECURITY_DESCRIPTOR pSD = NULL;
291 | PACL pSacl = NULL;
292 | BOOL fSaclPresent = FALSE;
293 | BOOL fSaclDefaulted = FALSE;
294 |  if ( ConvertStringSecurityDescriptorToSecurityDescriptorW (
295 |          LOW_INTEGRITY_SDDL_SACL_W, SDDL_REVISION_1, &pSD, NULL ) )
296 |     {
297 |     if ( GetSecurityDescriptorSacl (
298 | 
299 |            pSD, &fSaclPresent, &pSacl, &fSaclDefaulted ) )
300 | 
301 |       {
302 |       dwErr = SetSecurityInfo (
303 |                 hObject, type, LABEL_SECURITY_INFORMATION,
304 |                 NULL, NULL, NULL, pSacl );
305 |       bRet = (ERROR_SUCCESS == dwErr);
306 |       }
307 |     LocalFree ( pSD );
308 |     }
309 |  return bRet;
310 | }
311 | 
312 | 
313 | BOOL ResumeThreadWhenSuspended(HANDLE hThread)
314 | {
315 | 				  int rcnt;
316 | 				  for (rcnt=0;rcnt<1000;rcnt++)
317 | 				  {
318 | 					  if(ResumeThread(hThread))
319 | 					  {
320 | 						  break;
321 | 					  }
322 | 					  Sleep(0);
323 | 				  }
324 | 				  if(rcnt==1000)
325 | 				  {
326 | 					  return FALSE;
327 | 				  }
328 | 				  return TRUE;
329 | }
330 | /*
331 | // A few required typedefs
332 | 
333 | typedef enum _PROCESS_INFORMATION_CLASS
334 | {
335 |     ProcessBasicInformation,
336 |     ProcessQuotaLimits,
337 |     ProcessIoCounters,
338 |     ProcessVmCounters,
339 |     ProcessTimes,
340 |     ProcessBasePriority,
341 |     ProcessRaisePriority,
342 |     ProcessDebugPort,
343 |     ProcessExceptionPort,
344 |     ProcessAccessToken,
345 |     ProcessLdtInformation,
346 |     ProcessLdtSize,
347 |     ProcessDefaultHardErrorMode,
348 |     ProcessIoPortHandlers,
349 |     ProcessPooledUsageAndLimits,
350 |     ProcessWorkingSetWatch,
351 |     ProcessUserModeIOPL,
352 |     ProcessEnableAlignmentFaultFixup,
353 |     ProcessPriorityClass,
354 |     ProcessWx86Information,
355 |     ProcessHandleCount,
356 |     ProcessAffinityMask,
357 |     ProcessPriorityBoost,
358 |     MaxProcessInfoClass
359 | } PROCESS_INFORMATION_CLASS, *PPROCESS_INFORMATION_CLASS;
360 | 
361 | typedef struct _PROCESS_ACCESS_TOKEN
362 | {
363 |     HANDLE Token;
364 |     HANDLE Thread;
365 | } PROCESS_ACCESS_TOKEN, *PPROCESS_ACCESS_TOKEN;
366 | 
367 | typedef NTSTATUS (NTAPI * NtSetInformationProcess) (HANDLE processHandle, PROCESS_INFORMATION_CLASS infoClass, PVOID info, ULONG infoLength);
368 | 
369 | 
370 | // Assume we have a handle to an existing process: targetProcessHandle, started in a suspended state, and a new token: newToken to assign to this process.
371 | 
372 | // First we must enable SeAssignPrimaryTokenPrivilege.
373 | // Note: The user under which this runs must already hold the privilege, this only enables it (it is initially disabled by default).
374 | LUID luid;
375 | LookupPrivilegeValue(0, SE_ASSIGNPRIMARYTOKEN_NAME, &luid);
376 | TOKEN_PRIVILEGES privs;
377 | privs.PrivilegeCount = 1;
378 | privs.Privileges[0].Luid = luid;
379 | privs.Privileges[0].Attributes = SE_PRIVILEGE_ENABLED;
380 | 
381 | HANDLE myToken;
382 | if (!OpenProcessToken(GetCurrentProcess(), TOKEN_ADJUST_PRIVILEGES, &myToken))
383 | {
384 |     wprintf("Unable to open own process token to enable permissions\n");
385 |     return FALSE;
386 | }
387 | if (!AdjustTokenPrivileges(myToken, FALSE, &privs, sizeof(TOKEN_PRIVILEGES), 0, 0))
388 | {
389 |     wprintf("Error setting token privileges: 0x%08x\n", GetLastError());
390 |     CloseHandle(myToken);
391 |     return FALSE;
392 | }
393 | // Even if AdjustTokenPrivileges returns TRUE, it may not have succeeded, check last error top confirm
394 | if (GetLastError() == ERROR_NOT_ALL_ASSIGNED)
395 | {
396 |     wprintf("Unable to enable a required privilege\n");
397 |     CloseHandle(myToken);
398 |     return FALSE;
399 | }
400 | CloseHandle(myToken);
401 | 
402 | PROCESS_ACCESS_TOKEN tokenInfo;
403 | tokenInfo.Token = newToken;
404 | tokenInfo.Thread = 0;
405 | 
406 | // Get a handle to ntdll
407 | HMODULE ntdll = LoadLibrary(L"ntdll.dll");
408 | 
409 | // And a pointer to the NtSetInformationProcess function
410 | NtSetInformationProcess setInfo = (NtSetInformationProcess)GetProcAddress(ntdll,"NtSetInformationProcess");
411 | NTSTATUS setInfoResult = setInfo(targetProcessHandle, ProcessAccessToken, &tokenInfo, sizeof(PROCESS_ACCESS_TOKEN));
412 | if (setInfoResult < 0)
413 | {
414 |     wprintf(L"Error setting token: 0x%08x\n", setInfoResult);
415 |     return FALSE;
416 | }
417 | 
418 | FreeLibrary(ntdll);
419 | 
420 | // You can now resume the target process' main thread here using ResumeThread().
421 | //http://stackoverflow.com/questions/5141997/is-there-a-way-to-set-a-token-for-another-process
422 | return TRUE;*/


--------------------------------------------------------------------------------