├── .gitattributes
├── .gitignore
├── C2-Hunter.sln
├── C2-Hunter
├── C2-Hunter.vcxproj
├── C2-Hunter.vcxproj.filters
├── MinHook.h
├── dllmain.cpp
├── framework.h
├── libMinHook.x64.lib
├── libMinHook.x86.lib
├── pch.cpp
└── pch.h
└── README.md
/.gitattributes:
--------------------------------------------------------------------------------
1 | ###############################################################################
2 | # Set default behavior to automatically normalize line endings.
3 | ###############################################################################
4 | * text=auto
5 |
6 | ###############################################################################
7 | # Set default behavior for command prompt diff.
8 | #
9 | # This is need for earlier builds of msysgit that does not have it on by
10 | # default for csharp files.
11 | # Note: This is only used by command line
12 | ###############################################################################
13 | #*.cs diff=csharp
14 |
15 | ###############################################################################
16 | # Set the merge driver for project and solution files
17 | #
18 | # Merging from the command prompt will add diff markers to the files if there
19 | # are conflicts (Merging from VS is not affected by the settings below, in VS
20 | # the diff markers are never inserted). Diff markers may cause the following
21 | # file extensions to fail to load in VS. An alternative would be to treat
22 | # these files as binary and thus will always conflict and require user
23 | # intervention with every merge. To do so, just uncomment the entries below
24 | ###############################################################################
25 | #*.sln merge=binary
26 | #*.csproj merge=binary
27 | #*.vbproj merge=binary
28 | #*.vcxproj merge=binary
29 | #*.vcproj merge=binary
30 | #*.dbproj merge=binary
31 | #*.fsproj merge=binary
32 | #*.lsproj merge=binary
33 | #*.wixproj merge=binary
34 | #*.modelproj merge=binary
35 | #*.sqlproj merge=binary
36 | #*.wwaproj merge=binary
37 |
38 | ###############################################################################
39 | # behavior for image files
40 | #
41 | # image files are treated as binary by default.
42 | ###############################################################################
43 | #*.jpg binary
44 | #*.png binary
45 | #*.gif binary
46 |
47 | ###############################################################################
48 | # diff behavior for common document formats
49 | #
50 | # Convert binary document formats to text before diffing them. This feature
51 | # is only available from the command line. Turn it on by uncommenting the
52 | # entries below.
53 | ###############################################################################
54 | #*.doc diff=astextplain
55 | #*.DOC diff=astextplain
56 | #*.docx diff=astextplain
57 | #*.DOCX diff=astextplain
58 | #*.dot diff=astextplain
59 | #*.DOT diff=astextplain
60 | #*.pdf diff=astextplain
61 | #*.PDF diff=astextplain
62 | #*.rtf diff=astextplain
63 | #*.RTF diff=astextplain
64 |
--------------------------------------------------------------------------------
/.gitignore:
--------------------------------------------------------------------------------
1 | ## Ignore Visual Studio temporary files, build results, and
2 | ## files generated by popular Visual Studio add-ons.
3 | ##
4 | ## Get latest from https://github.com/github/gitignore/blob/master/VisualStudio.gitignore
5 |
6 | # User-specific files
7 | *.rsuser
8 | *.suo
9 | *.user
10 | *.userosscache
11 | *.sln.docstates
12 |
13 | # User-specific files (MonoDevelop/Xamarin Studio)
14 | *.userprefs
15 |
16 | # Mono auto generated files
17 | mono_crash.*
18 |
19 | # Build results
20 | [Dd]ebug/
21 | [Dd]ebugPublic/
22 | [Rr]elease/
23 | [Rr]eleases/
24 | x64/
25 | x86/
26 | [Ww][Ii][Nn]32/
27 | [Aa][Rr][Mm]/
28 | [Aa][Rr][Mm]64/
29 | bld/
30 | [Bb]in/
31 | [Oo]bj/
32 | [Oo]ut/
33 | [Ll]og/
34 | [Ll]ogs/
35 |
36 | # Visual Studio 2015/2017 cache/options directory
37 | .vs/
38 | # Uncomment if you have tasks that create the project's static files in wwwroot
39 | #wwwroot/
40 |
41 | # Visual Studio 2017 auto generated files
42 | Generated\ Files/
43 |
44 | # MSTest test Results
45 | [Tt]est[Rr]esult*/
46 | [Bb]uild[Ll]og.*
47 |
48 | # NUnit
49 | *.VisualState.xml
50 | TestResult.xml
51 | nunit-*.xml
52 |
53 | # Build Results of an ATL Project
54 | [Dd]ebugPS/
55 | [Rr]eleasePS/
56 | dlldata.c
57 |
58 | # Benchmark Results
59 | BenchmarkDotNet.Artifacts/
60 |
61 | # .NET Core
62 | project.lock.json
63 | project.fragment.lock.json
64 | artifacts/
65 |
66 | # ASP.NET Scaffolding
67 | ScaffoldingReadMe.txt
68 |
69 | # StyleCop
70 | StyleCopReport.xml
71 |
72 | # Files built by Visual Studio
73 | *_i.c
74 | *_p.c
75 | *_h.h
76 | *.ilk
77 | *.meta
78 | *.obj
79 | *.iobj
80 | *.pch
81 | *.pdb
82 | *.ipdb
83 | *.pgc
84 | *.pgd
85 | *.rsp
86 | *.sbr
87 | *.tlb
88 | *.tli
89 | *.tlh
90 | *.tmp
91 | *.tmp_proj
92 | *_wpftmp.csproj
93 | *.log
94 | *.vspscc
95 | *.vssscc
96 | .builds
97 | *.pidb
98 | *.svclog
99 | *.scc
100 |
101 | # Chutzpah Test files
102 | _Chutzpah*
103 |
104 | # Visual C++ cache files
105 | ipch/
106 | *.aps
107 | *.ncb
108 | *.opendb
109 | *.opensdf
110 | *.sdf
111 | *.cachefile
112 | *.VC.db
113 | *.VC.VC.opendb
114 |
115 | # Visual Studio profiler
116 | *.psess
117 | *.vsp
118 | *.vspx
119 | *.sap
120 |
121 | # Visual Studio Trace Files
122 | *.e2e
123 |
124 | # TFS 2012 Local Workspace
125 | $tf/
126 |
127 | # Guidance Automation Toolkit
128 | *.gpState
129 |
130 | # ReSharper is a .NET coding add-in
131 | _ReSharper*/
132 | *.[Rr]e[Ss]harper
133 | *.DotSettings.user
134 |
135 | # TeamCity is a build add-in
136 | _TeamCity*
137 |
138 | # DotCover is a Code Coverage Tool
139 | *.dotCover
140 |
141 | # AxoCover is a Code Coverage Tool
142 | .axoCover/*
143 | !.axoCover/settings.json
144 |
145 | # Coverlet is a free, cross platform Code Coverage Tool
146 | coverage*.json
147 | coverage*.xml
148 | coverage*.info
149 |
150 | # Visual Studio code coverage results
151 | *.coverage
152 | *.coveragexml
153 |
154 | # NCrunch
155 | _NCrunch_*
156 | .*crunch*.local.xml
157 | nCrunchTemp_*
158 |
159 | # MightyMoose
160 | *.mm.*
161 | AutoTest.Net/
162 |
163 | # Web workbench (sass)
164 | .sass-cache/
165 |
166 | # Installshield output folder
167 | [Ee]xpress/
168 |
169 | # DocProject is a documentation generator add-in
170 | DocProject/buildhelp/
171 | DocProject/Help/*.HxT
172 | DocProject/Help/*.HxC
173 | DocProject/Help/*.hhc
174 | DocProject/Help/*.hhk
175 | DocProject/Help/*.hhp
176 | DocProject/Help/Html2
177 | DocProject/Help/html
178 |
179 | # Click-Once directory
180 | publish/
181 |
182 | # Publish Web Output
183 | *.[Pp]ublish.xml
184 | *.azurePubxml
185 | # Note: Comment the next line if you want to checkin your web deploy settings,
186 | # but database connection strings (with potential passwords) will be unencrypted
187 | *.pubxml
188 | *.publishproj
189 |
190 | # Microsoft Azure Web App publish settings. Comment the next line if you want to
191 | # checkin your Azure Web App publish settings, but sensitive information contained
192 | # in these scripts will be unencrypted
193 | PublishScripts/
194 |
195 | # NuGet Packages
196 | *.nupkg
197 | # NuGet Symbol Packages
198 | *.snupkg
199 | # The packages folder can be ignored because of Package Restore
200 | **/[Pp]ackages/*
201 | # except build/, which is used as an MSBuild target.
202 | !**/[Pp]ackages/build/
203 | # Uncomment if necessary however generally it will be regenerated when needed
204 | #!**/[Pp]ackages/repositories.config
205 | # NuGet v3's project.json files produces more ignorable files
206 | *.nuget.props
207 | *.nuget.targets
208 |
209 | # Microsoft Azure Build Output
210 | csx/
211 | *.build.csdef
212 |
213 | # Microsoft Azure Emulator
214 | ecf/
215 | rcf/
216 |
217 | # Windows Store app package directories and files
218 | AppPackages/
219 | BundleArtifacts/
220 | Package.StoreAssociation.xml
221 | _pkginfo.txt
222 | *.appx
223 | *.appxbundle
224 | *.appxupload
225 |
226 | # Visual Studio cache files
227 | # files ending in .cache can be ignored
228 | *.[Cc]ache
229 | # but keep track of directories ending in .cache
230 | !?*.[Cc]ache/
231 |
232 | # Others
233 | ClientBin/
234 | ~$*
235 | *~
236 | *.dbmdl
237 | *.dbproj.schemaview
238 | *.jfm
239 | *.pfx
240 | *.publishsettings
241 | orleans.codegen.cs
242 |
243 | # Including strong name files can present a security risk
244 | # (https://github.com/github/gitignore/pull/2483#issue-259490424)
245 | #*.snk
246 |
247 | # Since there are multiple workflows, uncomment next line to ignore bower_components
248 | # (https://github.com/github/gitignore/pull/1529#issuecomment-104372622)
249 | #bower_components/
250 |
251 | # RIA/Silverlight projects
252 | Generated_Code/
253 |
254 | # Backup & report files from converting an old project file
255 | # to a newer Visual Studio version. Backup files are not needed,
256 | # because we have git ;-)
257 | _UpgradeReport_Files/
258 | Backup*/
259 | UpgradeLog*.XML
260 | UpgradeLog*.htm
261 | ServiceFabricBackup/
262 | *.rptproj.bak
263 |
264 | # SQL Server files
265 | *.mdf
266 | *.ldf
267 | *.ndf
268 |
269 | # Business Intelligence projects
270 | *.rdl.data
271 | *.bim.layout
272 | *.bim_*.settings
273 | *.rptproj.rsuser
274 | *- [Bb]ackup.rdl
275 | *- [Bb]ackup ([0-9]).rdl
276 | *- [Bb]ackup ([0-9][0-9]).rdl
277 |
278 | # Microsoft Fakes
279 | FakesAssemblies/
280 |
281 | # GhostDoc plugin setting file
282 | *.GhostDoc.xml
283 |
284 | # Node.js Tools for Visual Studio
285 | .ntvs_analysis.dat
286 | node_modules/
287 |
288 | # Visual Studio 6 build log
289 | *.plg
290 |
291 | # Visual Studio 6 workspace options file
292 | *.opt
293 |
294 | # Visual Studio 6 auto-generated workspace file (contains which files were open etc.)
295 | *.vbw
296 |
297 | # Visual Studio LightSwitch build output
298 | **/*.HTMLClient/GeneratedArtifacts
299 | **/*.DesktopClient/GeneratedArtifacts
300 | **/*.DesktopClient/ModelManifest.xml
301 | **/*.Server/GeneratedArtifacts
302 | **/*.Server/ModelManifest.xml
303 | _Pvt_Extensions
304 |
305 | # Paket dependency manager
306 | .paket/paket.exe
307 | paket-files/
308 |
309 | # FAKE - F# Make
310 | .fake/
311 |
312 | # CodeRush personal settings
313 | .cr/personal
314 |
315 | # Python Tools for Visual Studio (PTVS)
316 | __pycache__/
317 | *.pyc
318 |
319 | # Cake - Uncomment if you are using it
320 | # tools/**
321 | # !tools/packages.config
322 |
323 | # Tabs Studio
324 | *.tss
325 |
326 | # Telerik's JustMock configuration file
327 | *.jmconfig
328 |
329 | # BizTalk build output
330 | *.btp.cs
331 | *.btm.cs
332 | *.odx.cs
333 | *.xsd.cs
334 |
335 | # OpenCover UI analysis results
336 | OpenCover/
337 |
338 | # Azure Stream Analytics local run output
339 | ASALocalRun/
340 |
341 | # MSBuild Binary and Structured Log
342 | *.binlog
343 |
344 | # NVidia Nsight GPU debugger configuration file
345 | *.nvuser
346 |
347 | # MFractors (Xamarin productivity tool) working folder
348 | .mfractor/
349 |
350 | # Local History for Visual Studio
351 | .localhistory/
352 |
353 | # BeatPulse healthcheck temp database
354 | healthchecksdb
355 |
356 | # Backup folder for Package Reference Convert tool in Visual Studio 2017
357 | MigrationBackup/
358 |
359 | # Ionide (cross platform F# VS Code tools) working folder
360 | .ionide/
361 |
362 | # Fody - auto-generated XML schema
363 | FodyWeavers.xsd
--------------------------------------------------------------------------------
/C2-Hunter.sln:
--------------------------------------------------------------------------------
1 |
2 | Microsoft Visual Studio Solution File, Format Version 12.00
3 | # Visual Studio Version 17
4 | VisualStudioVersion = 17.2.32616.157
5 | MinimumVisualStudioVersion = 10.0.40219.1
6 | Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "C2-Hunter", "C2-Hunter\C2-Hunter.vcxproj", "{CB3F1325-8442-485C-87A1-C41BC5FD4C72}"
7 | EndProject
8 | Global
9 | GlobalSection(SolutionConfigurationPlatforms) = preSolution
10 | Debug|x64 = Debug|x64
11 | Debug|x86 = Debug|x86
12 | Release|x64 = Release|x64
13 | Release|x86 = Release|x86
14 | EndGlobalSection
15 | GlobalSection(ProjectConfigurationPlatforms) = postSolution
16 | {CB3F1325-8442-485C-87A1-C41BC5FD4C72}.Debug|x64.ActiveCfg = Debug|x64
17 | {CB3F1325-8442-485C-87A1-C41BC5FD4C72}.Debug|x64.Build.0 = Debug|x64
18 | {CB3F1325-8442-485C-87A1-C41BC5FD4C72}.Debug|x86.ActiveCfg = Debug|Win32
19 | {CB3F1325-8442-485C-87A1-C41BC5FD4C72}.Debug|x86.Build.0 = Debug|Win32
20 | {CB3F1325-8442-485C-87A1-C41BC5FD4C72}.Release|x64.ActiveCfg = Release|x64
21 | {CB3F1325-8442-485C-87A1-C41BC5FD4C72}.Release|x64.Build.0 = Release|x64
22 | {CB3F1325-8442-485C-87A1-C41BC5FD4C72}.Release|x86.ActiveCfg = Release|Win32
23 | {CB3F1325-8442-485C-87A1-C41BC5FD4C72}.Release|x86.Build.0 = Release|Win32
24 | EndGlobalSection
25 | GlobalSection(SolutionProperties) = preSolution
26 | HideSolutionNode = FALSE
27 | EndGlobalSection
28 | GlobalSection(ExtensibilityGlobals) = postSolution
29 | SolutionGuid = {4525CFFE-B25F-474B-BF97-7E7D4903D53A}
30 | EndGlobalSection
31 | EndGlobal
32 |
--------------------------------------------------------------------------------
/C2-Hunter/C2-Hunter.vcxproj:
--------------------------------------------------------------------------------
1 |
2 |
3 |
4 |
5 | Debug
6 | Win32
7 |
8 |
9 | Release
10 | Win32
11 |
12 |
13 | Debug
14 | x64
15 |
16 |
17 | Release
18 | x64
19 |
20 |
21 |
22 | 16.0
23 | Win32Proj
24 | {cb3f1325-8442-485c-87a1-c41bc5fd4c72}
25 | C2Hunter
26 | 10.0
27 |
28 |
29 |
30 | DynamicLibrary
31 | true
32 | v143
33 | Unicode
34 |
35 |
36 | DynamicLibrary
37 | false
38 | v143
39 | true
40 | Unicode
41 |
42 |
43 | DynamicLibrary
44 | true
45 | v143
46 | Unicode
47 |
48 |
49 | DynamicLibrary
50 | false
51 | v143
52 | true
53 | Unicode
54 |
55 |
56 |
57 |
58 |
59 |
60 |
61 |
62 |
63 |
64 |
65 |
66 |
67 |
68 |
69 |
70 |
71 |
72 |
73 |
74 |
75 | Level3
76 | true
77 | WIN32;_DEBUG;C2HUNTER_EXPORTS;_WINDOWS;_USRDLL;%(PreprocessorDefinitions)
78 | true
79 | Use
80 | pch.h
81 |
82 |
83 | Windows
84 | true
85 | false
86 |
87 |
88 |
89 |
90 | Level3
91 | true
92 | true
93 | true
94 | WIN32;NDEBUG;C2HUNTER_EXPORTS;_WINDOWS;_USRDLL;%(PreprocessorDefinitions)
95 | true
96 | Use
97 | pch.h
98 |
99 |
100 | Windows
101 | true
102 | true
103 | true
104 | false
105 |
106 |
107 |
108 |
109 | Level3
110 | true
111 | _DEBUG;C2HUNTER_EXPORTS;_WINDOWS;_USRDLL;%(PreprocessorDefinitions)
112 | true
113 | Use
114 | pch.h
115 |
116 |
117 | Windows
118 | true
119 | false
120 |
121 |
122 |
123 |
124 | Level3
125 | true
126 | true
127 | true
128 | NDEBUG;C2HUNTER_EXPORTS;_WINDOWS;_USRDLL;%(PreprocessorDefinitions)
129 | true
130 | Use
131 | pch.h
132 |
133 |
134 | Windows
135 | true
136 | true
137 | true
138 | false
139 |
140 |
141 |
142 |
143 |
144 |
145 |
146 |
147 |
148 | Create
149 | Create
150 | Create
151 | Create
152 |
153 |
154 |
155 |
156 |
157 |
--------------------------------------------------------------------------------
/C2-Hunter/C2-Hunter.vcxproj.filters:
--------------------------------------------------------------------------------
1 |
2 |
3 |
4 |
5 | {4FC737F1-C7A5-4376-A066-2A32D752A2FF}
6 | cpp;c;cc;cxx;c++;cppm;ixx;def;odl;idl;hpj;bat;asm;asmx
7 |
8 |
9 | {93995380-89BD-4b04-88EB-625FBE52EBFB}
10 | h;hh;hpp;hxx;h++;hm;inl;inc;ipp;xsd
11 |
12 |
13 | {67DA6AB6-F800-4c08-8B7A-83BB121AAD01}
14 | rc;ico;cur;bmp;dlg;rc2;rct;bin;rgs;gif;jpg;jpeg;jpe;resx;tiff;tif;png;wav;mfcribbon-ms
15 |
16 |
17 |
18 |
19 | Header Files
20 |
21 |
22 | Header Files
23 |
24 |
25 |
26 |
27 | Source Files
28 |
29 |
30 | Source Files
31 |
32 |
33 |
--------------------------------------------------------------------------------
/C2-Hunter/MinHook.h:
--------------------------------------------------------------------------------
1 | /*
2 | * MinHook - The Minimalistic API Hooking Library for x64/x86
3 | * Copyright (C) 2009-2017 Tsuda Kageyu.
4 | * All rights reserved.
5 | *
6 | * Redistribution and use in source and binary forms, with or without
7 | * modification, are permitted provided that the following conditions
8 | * are met:
9 | *
10 | * 1. Redistributions of source code must retain the above copyright
11 | * notice, this list of conditions and the following disclaimer.
12 | * 2. Redistributions in binary form must reproduce the above copyright
13 | * notice, this list of conditions and the following disclaimer in the
14 | * documentation and/or other materials provided with the distribution.
15 | *
16 | * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
17 | * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED
18 | * TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A
19 | * PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER
20 | * OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL,
21 | * EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO,
22 | * PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR
23 | * PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF
24 | * LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING
25 | * NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
26 | * SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
27 | */
28 |
29 | #pragma once
30 |
31 | #if !(defined _M_IX86) && !(defined _M_X64) && !(defined __i386__) && !(defined __x86_64__)
32 | #error MinHook supports only x86 and x64 systems.
33 | #endif
34 |
35 | #include
36 |
37 | // MinHook Error Codes.
38 | typedef enum MH_STATUS
39 | {
40 | // Unknown error. Should not be returned.
41 | MH_UNKNOWN = -1,
42 |
43 | // Successful.
44 | MH_OK = 0,
45 |
46 | // MinHook is already initialized.
47 | MH_ERROR_ALREADY_INITIALIZED,
48 |
49 | // MinHook is not initialized yet, or already uninitialized.
50 | MH_ERROR_NOT_INITIALIZED,
51 |
52 | // The hook for the specified target function is already created.
53 | MH_ERROR_ALREADY_CREATED,
54 |
55 | // The hook for the specified target function is not created yet.
56 | MH_ERROR_NOT_CREATED,
57 |
58 | // The hook for the specified target function is already enabled.
59 | MH_ERROR_ENABLED,
60 |
61 | // The hook for the specified target function is not enabled yet, or already
62 | // disabled.
63 | MH_ERROR_DISABLED,
64 |
65 | // The specified pointer is invalid. It points the address of non-allocated
66 | // and/or non-executable region.
67 | MH_ERROR_NOT_EXECUTABLE,
68 |
69 | // The specified target function cannot be hooked.
70 | MH_ERROR_UNSUPPORTED_FUNCTION,
71 |
72 | // Failed to allocate memory.
73 | MH_ERROR_MEMORY_ALLOC,
74 |
75 | // Failed to change the memory protection.
76 | MH_ERROR_MEMORY_PROTECT,
77 |
78 | // The specified module is not loaded.
79 | MH_ERROR_MODULE_NOT_FOUND,
80 |
81 | // The specified function is not found.
82 | MH_ERROR_FUNCTION_NOT_FOUND
83 | }
84 | MH_STATUS;
85 |
86 | // Can be passed as a parameter to MH_EnableHook, MH_DisableHook,
87 | // MH_QueueEnableHook or MH_QueueDisableHook.
88 | #define MH_ALL_HOOKS NULL
89 |
90 | #ifdef __cplusplus
91 | extern "C" {
92 | #endif
93 |
94 | // Initialize the MinHook library. You must call this function EXACTLY ONCE
95 | // at the beginning of your program.
96 | MH_STATUS WINAPI MH_Initialize(VOID);
97 |
98 | // Uninitialize the MinHook library. You must call this function EXACTLY
99 | // ONCE at the end of your program.
100 | MH_STATUS WINAPI MH_Uninitialize(VOID);
101 |
102 | // Creates a hook for the specified target function, in disabled state.
103 | // Parameters:
104 | // pTarget [in] A pointer to the target function, which will be
105 | // overridden by the detour function.
106 | // pDetour [in] A pointer to the detour function, which will override
107 | // the target function.
108 | // ppOriginal [out] A pointer to the trampoline function, which will be
109 | // used to call the original target function.
110 | // This parameter can be NULL.
111 | MH_STATUS WINAPI MH_CreateHook(LPVOID pTarget, LPVOID pDetour, LPVOID *ppOriginal);
112 |
113 | // Creates a hook for the specified API function, in disabled state.
114 | // Parameters:
115 | // pszModule [in] A pointer to the loaded module name which contains the
116 | // target function.
117 | // pszProcName [in] A pointer to the target function name, which will be
118 | // overridden by the detour function.
119 | // pDetour [in] A pointer to the detour function, which will override
120 | // the target function.
121 | // ppOriginal [out] A pointer to the trampoline function, which will be
122 | // used to call the original target function.
123 | // This parameter can be NULL.
124 | MH_STATUS WINAPI MH_CreateHookApi(
125 | LPCWSTR pszModule, LPCSTR pszProcName, LPVOID pDetour, LPVOID *ppOriginal);
126 |
127 | // Creates a hook for the specified API function, in disabled state.
128 | // Parameters:
129 | // pszModule [in] A pointer to the loaded module name which contains the
130 | // target function.
131 | // pszProcName [in] A pointer to the target function name, which will be
132 | // overridden by the detour function.
133 | // pDetour [in] A pointer to the detour function, which will override
134 | // the target function.
135 | // ppOriginal [out] A pointer to the trampoline function, which will be
136 | // used to call the original target function.
137 | // This parameter can be NULL.
138 | // ppTarget [out] A pointer to the target function, which will be used
139 | // with other functions.
140 | // This parameter can be NULL.
141 | MH_STATUS WINAPI MH_CreateHookApiEx(
142 | LPCWSTR pszModule, LPCSTR pszProcName, LPVOID pDetour, LPVOID *ppOriginal, LPVOID *ppTarget);
143 |
144 | // Removes an already created hook.
145 | // Parameters:
146 | // pTarget [in] A pointer to the target function.
147 | MH_STATUS WINAPI MH_RemoveHook(LPVOID pTarget);
148 |
149 | // Enables an already created hook.
150 | // Parameters:
151 | // pTarget [in] A pointer to the target function.
152 | // If this parameter is MH_ALL_HOOKS, all created hooks are
153 | // enabled in one go.
154 | MH_STATUS WINAPI MH_EnableHook(LPVOID pTarget);
155 |
156 | // Disables an already created hook.
157 | // Parameters:
158 | // pTarget [in] A pointer to the target function.
159 | // If this parameter is MH_ALL_HOOKS, all created hooks are
160 | // disabled in one go.
161 | MH_STATUS WINAPI MH_DisableHook(LPVOID pTarget);
162 |
163 | // Queues to enable an already created hook.
164 | // Parameters:
165 | // pTarget [in] A pointer to the target function.
166 | // If this parameter is MH_ALL_HOOKS, all created hooks are
167 | // queued to be enabled.
168 | MH_STATUS WINAPI MH_QueueEnableHook(LPVOID pTarget);
169 |
170 | // Queues to disable an already created hook.
171 | // Parameters:
172 | // pTarget [in] A pointer to the target function.
173 | // If this parameter is MH_ALL_HOOKS, all created hooks are
174 | // queued to be disabled.
175 | MH_STATUS WINAPI MH_QueueDisableHook(LPVOID pTarget);
176 |
177 | // Applies all queued changes in one go.
178 | MH_STATUS WINAPI MH_ApplyQueued(VOID);
179 |
180 | // Translates the MH_STATUS to its name as a string.
181 | const char * WINAPI MH_StatusToString(MH_STATUS status);
182 |
183 | #ifdef __cplusplus
184 | }
185 | #endif
186 |
--------------------------------------------------------------------------------
/C2-Hunter/dllmain.cpp:
--------------------------------------------------------------------------------
1 | #include "pch.h"
2 | #include
3 | #include ;
4 | #include "MinHook.h"
5 | #include
6 | #include
7 | #include
8 | #include
9 | #include
10 | #include
11 |
12 | #if defined _M_X64
13 | #pragma comment(lib, "libMinHook.x64.lib")
14 | #elif defined _M_IX86
15 | #pragma comment(lib, "libMinHook.x86.lib")
16 | #endif
17 |
18 | #pragma comment(lib, "wininet.lib")
19 | #pragma comment(lib, "Urlmon.lib")
20 | #pragma comment(lib, "Dnsapi.lib")
21 | #pragma comment (lib, "Ws2_32.lib")
22 |
23 |
24 | HRESULT FURLOpenStreamA(
25 | LPUNKNOWN pCaller,
26 | LPCSTR szURL,
27 | _Reserved_ DWORD dwReserved,
28 | LPBINDSTATUSCALLBACK lpfnCB
29 | ) {
30 | MH_DisableHook(&URLOpenStreamA);
31 | std::cout <<
32 | "URL : " << szURL <<
33 | std::endl;
34 | HRESULT ret = URLOpenStreamA(
35 | pCaller,
36 | szURL,
37 | dwReserved,
38 | lpfnCB
39 | );
40 |
41 | MH_EnableHook(&URLOpenStreamA);
42 | return (ret);
43 | }
44 |
45 | HRESULT FURLDownloadToFile(
46 | LPUNKNOWN pCaller,
47 | LPCTSTR szURL,
48 | LPCTSTR szFileName,
49 | _Reserved_ DWORD dwReserved,
50 | LPBINDSTATUSCALLBACK lpfnCB
51 | ) {
52 | MH_DisableHook(&URLDownloadToFile);
53 | std::cout <<
54 | "URL : " << szURL <<
55 | "file path :" << szFileName <<
56 | std::endl;
57 | HRESULT ret = URLDownloadToFile(
58 | pCaller,
59 | szURL,
60 | szFileName,
61 | dwReserved,
62 | lpfnCB
63 | );
64 | MH_EnableHook(&URLDownloadToFile);
65 | return (ret);
66 | }
67 |
68 |
69 | BOOL FInternetWriteFile(
70 | HINTERNET hFile,
71 | LPCVOID lpBuffer,
72 | DWORD dwNumberOfBytesToWrite,
73 | LPDWORD lpdwNumberOfBytesWritten
74 | ) {
75 | MH_DisableHook(&InternetWriteFile);
76 |
77 | DWORD nbytes;
78 | BOOL ret = InternetWriteFile(
79 | hFile,
80 | lpBuffer,
81 | dwNumberOfBytesToWrite,
82 | lpdwNumberOfBytesWritten
83 | );
84 | nbytes = *lpdwNumberOfBytesWritten;
85 | char* buffer = (char*)lpBuffer;
86 | printf("%s", buffer);
87 | MH_EnableHook(&InternetWriteFile);
88 | return (ret);
89 |
90 | }
91 |
92 | HINTERNET WINAPI FInternetConnect(HINTERNET hInternet, LPCTSTR lpszServerName, INTERNET_PORT nServerPort, LPCTSTR lpszUserName, LPCTSTR lpszPassword, DWORD dwService, DWORD dwFlags, DWORD dwContext)
93 | {
94 | MH_DisableHook(&InternetConnect);
95 | std::cout
96 | << "Server Name" << lpszServerName
97 | << std::endl;
98 | HINTERNET ret = InternetConnect(hInternet, lpszServerName, nServerPort, lpszUserName, lpszPassword, dwService, dwFlags, dwContext);
99 | MH_EnableHook(&InternetConnect);
100 | return (ret);
101 |
102 | }
103 |
104 | BOOL FInternetReadFile(
105 | HINTERNET hFile,
106 | LPVOID lpBuffer,
107 | DWORD dwNumberOfBytesToRead,
108 | LPDWORD lpdwNumberOfBytesRead
109 | ) {
110 | MH_DisableHook(&InternetReadFile);
111 |
112 | DWORD nbytes;
113 | BOOL ret = InternetReadFile(
114 | hFile,
115 | lpBuffer,
116 | dwNumberOfBytesToRead,
117 | lpdwNumberOfBytesRead
118 | );
119 | char* buffer = (char*)lpBuffer;
120 | printf("%s", buffer);
121 | MH_EnableHook(&InternetReadFile);
122 | return (ret);
123 | }
124 |
125 | BOOL FInternetReadFileExA(
126 | HINTERNET hFile,
127 | LPINTERNET_BUFFERSA lpBuffersOut,
128 | DWORD dwFlags,
129 | DWORD_PTR dwContext
130 | ) {
131 | MH_DisableHook(&InternetReadFileExA);
132 |
133 | BOOL ret = InternetReadFileExA(
134 | hFile,
135 | lpBuffersOut,
136 | dwFlags,
137 | dwContext
138 | );
139 |
140 | printf("%.*s \n", lpBuffersOut->dwBufferLength, lpBuffersOut->lpvBuffer);
141 | printf("%s \n", lpBuffersOut->lpcszHeader);
142 | MH_EnableHook(&InternetReadFileExA);
143 | return (ret);
144 | }
145 |
146 | HINTERNET FInternetOpenUrlA(
147 | HINTERNET hInternet,
148 | LPCSTR lpszUrl,
149 | LPCSTR lpszHeaders,
150 | DWORD dwHeadersLength,
151 | DWORD dwFlags,
152 | DWORD_PTR dwContext
153 | ) {
154 | MH_DisableHook(&InternetOpenUrlA);
155 | LPWSTR wstr = new WCHAR[255];
156 | MultiByteToWideChar(CP_ACP, 0, lpszUrl, -1, wstr, 255);
157 | OutputDebugStringW(wstr);
158 | std::cout <<
159 | "HTTP verb : " << lpszUrl <<
160 | "target Object :" << lpszHeaders <<
161 | std::endl;
162 | HINTERNET ret = InternetOpenUrlA(
163 | hInternet,
164 | lpszUrl,
165 | lpszHeaders,
166 | dwHeadersLength,
167 | dwFlags,
168 | dwContext);
169 | MH_EnableHook(&InternetOpenUrlA);
170 | return (ret);
171 | }
172 |
173 | UINT FWinExec(
174 | LPCSTR lpCmdLine,
175 | UINT uCmdShow
176 | )
177 | {
178 | MH_DisableHook(&WinExec);
179 | LPWSTR wstr = new WCHAR[255];
180 | MultiByteToWideChar(CP_ACP, 0, lpCmdLine, -1, wstr, 255);
181 | OutputDebugStringW(wstr);
182 | std::cout << wstr << std::endl;
183 | UINT ret = WinExec(lpCmdLine, uCmdShow);
184 | MH_EnableHook(&WinExec);
185 | return (ret);
186 | }
187 |
188 | HINTERNET FHttpOpenRequestA(
189 | HINTERNET hConnect,
190 | LPCSTR lpszVerb,
191 | LPCSTR lpszObjectName,
192 | LPCSTR lpszVersion,
193 | LPCSTR lpszReferrer,
194 | LPCSTR* lplpszAcceptTypes,
195 | DWORD dwFlags,
196 | DWORD_PTR dwContext
197 | ) {
198 | MH_DisableHook(&HttpOpenRequestA);
199 | std::cout <<
200 | "HTTP verb : " << lpszVerb <<
201 | "target Object :" << lpszObjectName <<
202 | std::endl;
203 | HINTERNET ret = HttpOpenRequestA(
204 | hConnect,
205 | lpszVerb,
206 | lpszObjectName,
207 | lpszVersion,
208 | lpszReferrer,
209 | lplpszAcceptTypes,
210 | dwFlags,
211 | dwContext);
212 | MH_EnableHook(&HttpOpenRequestA);
213 | return (ret);
214 | }
215 |
216 | HINTERNET FInternetConnectA(
217 | HINTERNET hInternet,
218 | LPCSTR lpszServerName,
219 | INTERNET_PORT nServerPort,
220 | LPCSTR lpszUserName,
221 | LPCSTR lpszPassword,
222 | DWORD dwService,
223 | DWORD dwFlags,
224 | DWORD_PTR dwContext
225 | )
226 | {
227 | MH_DisableHook(&InternetConnectA);
228 | LPWSTR wstr = new WCHAR[255];
229 | MultiByteToWideChar(CP_ACP, 0, lpszServerName, -1, wstr, 255);
230 | OutputDebugStringW(wstr);
231 | std::cout <<
232 | "host name : " << lpszServerName <<
233 | "Username :" << lpszUserName <<
234 | "Password :" << lpszPassword <<
235 | std::endl;
236 |
237 | HINTERNET ret = InternetConnectA(
238 | hInternet,
239 | lpszServerName,
240 | nServerPort,
241 | lpszUserName,
242 | lpszPassword,
243 | dwService,
244 | dwFlags,
245 | dwContext);
246 |
247 | MH_EnableHook(&InternetConnectA);
248 | return (ret);
249 | }
250 |
251 | DNS_STATUS FDnsQueryEx(
252 | PDNS_QUERY_REQUEST pQueryRequest,
253 | PDNS_QUERY_RESULT pQueryResults,
254 | PDNS_QUERY_CANCEL pCancelHandle
255 | )
256 | {
257 | MH_DisableHook(&DnsQueryEx);
258 |
259 | if (pQueryRequest->QueryName)
260 | {
261 | OutputDebugStringW(pQueryRequest->QueryName);
262 | std::cout <<
263 | "DNS name : " << pQueryRequest->QueryName <<
264 | std::endl;
265 | }
266 | else
267 | std::cout << "local machine name" << std::endl;
268 | DNS_STATUS ret = DnsQueryEx(
269 | pQueryRequest,
270 | pQueryResults,
271 | pCancelHandle);
272 |
273 | MH_EnableHook(&DnsQueryEx);
274 |
275 | return (ret);
276 | }
277 |
278 |
279 | DNS_STATUS FDnsQuery_A(
280 | PCSTR pszName,
281 | WORD wType,
282 | DWORD Options,
283 | PVOID pExtra,
284 | PDNS_RECORD* ppQueryResults,
285 | PVOID* pReserved
286 | )
287 | {
288 | MH_DisableHook(&DnsQuery_A);
289 | LPWSTR wstr = new WCHAR[255];
290 | MultiByteToWideChar(CP_ACP, 0, pszName, -1, wstr, 255);
291 | OutputDebugStringW(wstr);
292 | std::cout <<
293 | "DNS name : " << wstr <<
294 | std::endl;
295 |
296 | DNS_STATUS ret = DnsQuery_A(
297 | pszName,
298 | wType,
299 | Options,
300 | pExtra,
301 | ppQueryResults,
302 | pReserved);
303 |
304 | MH_EnableHook(&DnsQuery_A);
305 |
306 | return (ret);
307 | }
308 |
309 | int WSAAPI Fakegetaddrinfo(
310 | PCSTR pNodeName,
311 | PCSTR pServiceName,
312 | const ADDRINFOA* pHints,
313 | PADDRINFOA* ppResult
314 | )
315 | {
316 | // Log input parameters
317 | printf("pNodeName: %s\n", pNodeName ? pNodeName : "(null)");
318 | printf("pServiceName: %s\n", pServiceName ? pServiceName : "(null)");
319 |
320 | MH_DisableHook(&getaddrinfo);
321 |
322 | int ret = getaddrinfo(pNodeName, pServiceName, pHints, ppResult);
323 |
324 |
325 | // Re-enable hook
326 | MH_EnableHook(&getaddrinfo);
327 |
328 | return ret;
329 | }
330 |
331 | int WSAAPI FakeGetAddrInfoW(
332 | PCWSTR pNodeName,
333 | PCWSTR pServiceName,
334 | const ADDRINFOW* pHints,
335 | PADDRINFOW* ppResult
336 | )
337 | {
338 | printf("pNodeName: %ws\n", pNodeName ? pNodeName : L"(null)");
339 | printf("pServiceName: %ws\n", pServiceName ? pServiceName : L"(null)");
340 |
341 | MH_DisableHook(&GetAddrInfoW);
342 |
343 | int ret = GetAddrInfoW(pNodeName, pServiceName, pHints, ppResult);
344 |
345 |
346 | MH_EnableHook(&GetAddrInfoW);
347 |
348 | return ret;
349 | }
350 |
351 | int start()
352 | {
353 | AllocConsole();
354 |
355 | FILE* f = new FILE;
356 |
357 | freopen_s(&f, "CONOUT$", "w", stdout);
358 |
359 | SetConsoleTitle(L"C2-Hunter");
360 |
361 | if (MH_Initialize() != MH_OK)
362 | {
363 | return (-1);
364 | }
365 |
366 | MH_CreateHook(&InternetConnect, &FInternetConnect, NULL);
367 |
368 | MH_CreateHook(&InternetConnectA, &FInternetConnectA, NULL);
369 |
370 | MH_CreateHook(&HttpOpenRequestA, &FHttpOpenRequestA, NULL);
371 |
372 | MH_CreateHook(&WinExec, &FWinExec, NULL);
373 |
374 | MH_CreateHook(&InternetOpenUrlA, &FInternetOpenUrlA, NULL);
375 |
376 | MH_CreateHook(&InternetReadFile, &FInternetReadFile, NULL);
377 |
378 | MH_CreateHook(&InternetReadFileExA, &FInternetReadFileExA, NULL);
379 |
380 | MH_CreateHook(&InternetWriteFile, &FInternetWriteFile, NULL);
381 |
382 | MH_CreateHook(&URLDownloadToFile, &FURLDownloadToFile, NULL);
383 |
384 | MH_CreateHook(&URLOpenStreamA, &FURLOpenStreamA, NULL);
385 |
386 | MH_CreateHook(&DnsQuery_A, &FDnsQuery_A, NULL);
387 |
388 | MH_CreateHook(&DnsQueryEx, &FDnsQueryEx, NULL);
389 |
390 | //
391 | MH_CreateHook(&getaddrinfo, &Fakegetaddrinfo, NULL);
392 | if (MH_EnableHook(&getaddrinfo) != MH_OK)
393 | {
394 | return (-1);
395 | }
396 |
397 | MH_CreateHook(&GetAddrInfoW, &FakeGetAddrInfoW, NULL);
398 | if (MH_EnableHook(&GetAddrInfoW) != MH_OK)
399 | {
400 | return (-1);
401 | }
402 |
403 | //
404 |
405 |
406 | if (MH_EnableHook(&DnsQueryEx) != MH_OK)
407 | {
408 | return (-1);
409 | }
410 |
411 | if (MH_EnableHook(&InternetConnect) != MH_OK || MH_EnableHook(&DnsQuery_A) != MH_OK)
412 | {
413 | return (-1);
414 | }
415 |
416 | if (MH_EnableHook(&InternetConnectA) != MH_OK || MH_EnableHook(&HttpOpenRequestA))
417 | {
418 | return (-1);
419 | }
420 |
421 | if (MH_EnableHook(&WinExec) != MH_OK || MH_EnableHook(&InternetOpenUrlA))
422 | {
423 | return (-1);
424 | }
425 |
426 | if (MH_EnableHook(&InternetReadFile) != MH_OK || MH_EnableHook(&InternetReadFileExA))
427 | {
428 | return (-1);
429 | }
430 |
431 | if (MH_EnableHook(&InternetWriteFile) != MH_OK || MH_EnableHook(&URLDownloadToFile))
432 | {
433 | return (-1);
434 | }
435 |
436 | if (MH_EnableHook(&URLOpenStreamA) != MH_OK)
437 | {
438 | return (-1);
439 | }
440 |
441 | return (0);
442 | }
443 |
444 |
445 | BOOL APIENTRY DllMain(HMODULE hModule,
446 | DWORD ul_reason_for_call,
447 | LPVOID lpReserved
448 | )
449 | {
450 | switch (ul_reason_for_call)
451 | {
452 | case DLL_PROCESS_ATTACH:
453 | start();
454 | case DLL_THREAD_ATTACH:
455 | case DLL_THREAD_DETACH:
456 | case DLL_PROCESS_DETACH:
457 | break;
458 | }
459 |
460 | return (TRUE);
461 | }
462 |
--------------------------------------------------------------------------------
/C2-Hunter/framework.h:
--------------------------------------------------------------------------------
1 | #pragma once
2 |
3 | #define WIN32_LEAN_AND_MEAN // Exclude rarely-used stuff from Windows headers
4 | // Windows Header Files
5 | #include
6 |
--------------------------------------------------------------------------------
/C2-Hunter/libMinHook.x64.lib:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/ZeroMemoryEx/C2-Hunter/3bb0ec236a41b761306dcf1c814606b233da9c4b/C2-Hunter/libMinHook.x64.lib
--------------------------------------------------------------------------------
/C2-Hunter/libMinHook.x86.lib:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/ZeroMemoryEx/C2-Hunter/3bb0ec236a41b761306dcf1c814606b233da9c4b/C2-Hunter/libMinHook.x86.lib
--------------------------------------------------------------------------------
/C2-Hunter/pch.cpp:
--------------------------------------------------------------------------------
1 | // pch.cpp: source file corresponding to the pre-compiled header
2 |
3 | #include "pch.h"
4 |
5 | // When you are using pre-compiled headers, this source file is necessary for compilation to succeed.
6 |
--------------------------------------------------------------------------------
/C2-Hunter/pch.h:
--------------------------------------------------------------------------------
1 | // pch.h: This is a precompiled header file.
2 | // Files listed below are compiled only once, improving build performance for future builds.
3 | // This also affects IntelliSense performance, including code completion and many code browsing features.
4 | // However, files listed here are ALL re-compiled if any one of them is updated between builds.
5 | // Do not add files here that you will be updating frequently as this negates the performance advantage.
6 |
7 | #ifndef PCH_H
8 | #define PCH_H
9 |
10 | // add headers that you want to pre-compile here
11 | #include "framework.h"
12 |
13 | #endif //PCH_H
14 |
--------------------------------------------------------------------------------
/README.md:
--------------------------------------------------------------------------------
1 | # C2-Hunter
2 |
3 | * C2-Hunter is a program designed for malware analysts to extract Command and Control (C2) traffic from malwares in real-time. The program uses a unique approach by hooking into win32 connections APIs.
4 |
5 | * With C2-Hunter, malware analysts can now intercept and analyze communication in real-time, gaining valuable insights into the inner workings of cyber threats. Its ability to track C2 elements of malware makes it an essential tool for any cyber security team.
6 |
7 | # Features
8 | * Real-time extraction of C2 traffic
9 | * Bypasses malware time delays to speed up the extraction process (SOON)
10 |
11 | # Real-world malware usage
12 |
13 | * used to extract multiple C2s from malware
14 | - https://www.virustotal.com/gui/domain/stlaip578223.ddnsgeek.com
15 | - https://www.virustotal.com/gui/domain/stalhy74170.ddns.net
16 | - https://www.virustotal.com/gui/domain/stlaip74566.ddnsgeek.com
17 |
18 | 
19 |
20 | * from hack the box challenge :)
21 | 
22 |
23 |
24 | # DEMO
25 |
26 | https://user-images.githubusercontent.com/60795188/212409788-902629a3-b5c5-4038-80c8-053947d8d7c3.mp4
27 |
28 |
--------------------------------------------------------------------------------